  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 538

get antivirus information

Our client base runs many different brands and versions of antivirus software.  We would like to be able to harvest this information prior to updating them since we have known issues with some versions of some products.  Is there a generic way to find information about the default antivirus product installed?
This would be for XP and Vista, unmanaged C++.
0
Asked by: PhilC
1 Solution
 
SysExpert commented:
Use any of the free programs that do software audits, or simply run Winmsd in report mode, and scan the resulting text file for known antivirus programs.

I hope this helps !
0
 
PhilC (Author) commented:
Thank you for your suggestion.  We currently run some system diagnostics and save a file with this information the first time a user logs on each day.  The time it takes to run Winmsd would be too long (very impatient clients I know!).  Parsing through all the installed apps would also be too time consuming.  I was hoping that there was a standard registry key or other quick access solution for determining the current antivirus setup.
If this is not the case I will award you the points since you did in fact answer my question.
Thanks again.
0
 
MichelVDK commented:
if you need to know what's going on then check out http://www.ocsinventory-ng.org/index.php?page=architecture
0
 
Axter commented:
>> The time it takes to run Winmsd would be too long (very impatient clients I know!).

If you just target the primary Antivirus vendors, you could quickly determine if and which AV is installed, by looking at the registry keys.
0
 
PhilC (Author) commented:
Thanks Axter, that will likely be the way we will go; I just wanted to check to see if there was some generic way that we were unaware of.
Thank you
0
 
Axter commented:
FYI:
I started working on some logic to do this, but never got around to finishing it.
Here's a section of the code that you might find useful:

#include <windows.h> // HKEY, HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, DWORD

struct Av_Descrp
{
      //enum RegBasekey{eLastItem, eHKCR, eHKCU, eHKLM, eHKU, eHKCC};
      struct RegKeyName
      {
            HKEY        m_RegBasekey;            // NULL marks the end of m_RegKeyNameList
            const char* m_KeyName;
            const char* m_KeyFieldName;
            bool        m_requiredValue;
            DWORD       m_DW_value;
            const char* m_STR_value;
            const char* m_ShouldIncludeSubStr[9];
      };

      const char* m_AV_Name;                            // User friendly name
      const char* m_ServiceName;
      const char* m_RequiredServiceBeTurnedOff_Message; // Set to non-NULL for AV's that are not compatible with the application
      bool        m_AllowedToMakeChangesForUser;
      bool        m_RequiredServiceBeRestarted;
      RegKeyName  m_RegKeyNameList[9];
};

Av_Descrp Av_Descrp_list[] = {
      {"Sophos Anti-Virus", "SWEEPSRV.SYS", "Error:  Sophos AntiVirus is not 100% compatible with this application. Recommend turning the AV service off.", false, false,
      {
            {HKEY_LOCAL_MACHINE, "SOFTWARE\\Sophos\\SweepNT\\InterCheckClient", "Check Accessed Files", true, 2, NULL, {NULL}}, // Can be 2 or 6
            {HKEY_LOCAL_MACHINE, "SOFTWARE\\Sophos\\SweepNT\\InterCheckClient", "Recognise File By Type", true, 0, NULL, {NULL}},
            {HKEY_LOCAL_MACHINE, "SOFTWARE\\Sophos\\SweepNT\\InterCheckClient", "Check Remote Files", false, 0, NULL, {NULL}},
            {NULL}
      }
      },
      {"Symantec", "Symantec AntiVirus", NULL, false, false,
      {
            {HKEY_LOCAL_MACHINE, "SOFTWARE\\Intel\\LANDesk\\VirusProtect6\\CurrentVersion\\Storages\\Filesystem\\RealTimeScan", "Reads", true, 0, NULL, {NULL}},
            {HKEY_LOCAL_MACHINE, "SOFTWARE\\Intel\\LANDesk\\VirusProtect6\\CurrentVersion\\Storages\\Filesystem\\RealTimeScan", "Storage", false, 0, NULL, {NULL}},
            // Need a method to access all current logged on users to read HKEY_USER-sid
            {HKEY_CURRENT_USER, "Software\\Intel\\LANDesk\\VirusProtect6\\CurrentVersion\\Custom Tasks\\Default Scan Options", "DoOffline", true, 0x800000, NULL, {NULL}},
            {HKEY_CURRENT_USER, "Software\\Intel\\LANDesk\\VirusProtect6\\CurrentVersion\\Custom Tasks\\Default Scan Options", "CustomHSMVendorFlag1", false, 1, NULL, {NULL}},
            {NULL}
      }
      },
      {"McAfee Manage", "McShield", NULL, false, false, // Managed and unmanaged; for managed, the display name is 'Network Associates McShield'
      {
            // HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\Configuration\Default\bScanOutgoing      SUCCESS      0x0
            {HKEY_LOCAL_MACHINE, "SOFTWARE\\Network Associates\\TVD\\Shared Components\\On Access Scanner\\McShield\\Configuration\\Default", "bScanOutgoing", false, 0, NULL, {NULL}},
            // HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\Configuration\Low
            {HKEY_LOCAL_MACHINE, "SOFTWARE\\Network Associates\\TVD\\Shared Components\\On Access Scanner\\McShield\\Configuration\\Low", "bScanOutgoing", true, 0, NULL, {NULL}},
            {HKEY_LOCAL_MACHINE, "SOFTWARE\\Network Associates\\TVD\\Shared Components\\On Access Scanner\\McShield\\Configuration\\Low", "bScanIncoming", true, 0, NULL, {NULL}},
            {HKEY_LOCAL_MACHINE, "SOFTWARE\\Network Associates\\TVD\\Shared Components\\On Access Scanner\\McShield\\Configuration\\Low", "ProcessList", true, 0, NULL, {NULL}},
            // TODO: Add method to retrieve value from HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Platform Information\ControlSet001(Machine-name)\WinFSDataMigrator\NoRecallPrivileges
            // Above key should have McShield.exe
            {NULL}
      }
      },
      // {"McAfee VirusScan 8.x", "McAfeeFramework", NULL, false, false, // Managed
      // {
      //       // HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\Configuration\Default\bScanOutgoing      SUCCESS      0x0
      //       {HKEY_LOCAL_MACHINE, "SOFTWARE\\Network Associates\\TVD\\Shared Components\\On Access Scanner\\McShield\\Configuration\\Default", "bScanOutgoing", true, 0, NULL},
      //       {NULL}
      // }
      // },
      {"Trend Micro", "", NULL, false, false,
      {
            {NULL}
      }
      },
      {"eTrust AntiVirus", "", NULL, false, false,
      {
            {NULL}
      }
      },
};
0
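Putting Axter's two suggestions together (target the main vendors' registry keys, and drive it from a table like Av_Descrp), the following is an added example and not Axter's or PhilC's code: the matching loop his table was still missing, with registry access behind a small interface so the same logic can be exercised against constructed registry contents off the box. The vendor paths are taken from Axter's table; RegistryReader, FakeRegistryReader, the required/optional split and the settings report are assumptions made for this example.

```cpp
// Table-driven antivirus detection following the Av_Descrp layout Axter posted.
// Added example, not Axter's or the asker's finished code: vendor paths come from
// Axter's table; RegistryReader, FakeRegistryReader and the settings report are
// assumptions made for this example.
#include <cstdint>
#include <map>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

enum RegBaseKey { eHKCR, eHKCU, eHKLM, eHKU, eHKCC };

// A required value must exist for the product to count as installed; optional
// values are only read into the settings report.
struct RegCheck { RegBaseKey base; const char* key; const char* valueName; bool required; };
struct AvSignature { const char* name; const char* serviceName; std::vector<RegCheck> checks; };
struct Detection { std::string name, serviceName; std::map<std::string, uint32_t> settings; };

// Registry access sits behind an interface so the matching logic also runs off-box.
struct RegistryReader {
    virtual ~RegistryReader() {}
    virtual bool readDword(RegBaseKey b, const char* key, const char* value, uint32_t& out) const = 0;
};

#ifdef _WIN32
// Real reader for XP/Vista. From a 32-bit process on 64-bit Vista, OR KEY_WOW64_64KEY
// into the access mask when the product writes the 64-bit view of HKLM\SOFTWARE.
struct Win32RegistryReader : RegistryReader {
    bool readDword(RegBaseKey b, const char* key, const char* value, uint32_t& out) const override {
        static const HKEY roots[] = { HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE,
                                      HKEY_USERS, HKEY_CURRENT_CONFIG };
        HKEY h = NULL;
        if (RegOpenKeyExA(roots[b], key, 0, KEY_READ, &h) != ERROR_SUCCESS) return false;
        DWORD type = 0, data = 0, size = sizeof(data);
        LONG rc = RegQueryValueExA(h, value, NULL, &type, reinterpret_cast<LPBYTE>(&data), &size);
        RegCloseKey(h);
        if (rc != ERROR_SUCCESS || type != REG_DWORD) return false;
        out = data;
        return true;
    }
};
#endif

// In-memory reader holding constructed registry contents (not read from any machine).
struct FakeRegistryReader : RegistryReader {
    std::map<std::string, uint32_t> values;
    static std::string id(RegBaseKey b, const char* k, const char* v) {
        return std::to_string(static_cast<int>(b)) + "|" + k + "|" + v;
    }
    void set(RegBaseKey b, const char* k, const char* v, uint32_t d) { values[id(b, k, v)] = d; }
    bool readDword(RegBaseKey b, const char* k, const char* v, uint32_t& out) const override {
        std::map<std::string, uint32_t>::const_iterator it = values.find(id(b, k, v));
        if (it == values.end()) return false;
        out = it->second;
        return true;
    }
};

// Paths from Axter's table, HKLM only so the check works from a service or pre-logon
// context; his HKCU Symantec values would need the user's hive under HKEY_USERS.
static const char* const kSophos = "SOFTWARE\\Sophos\\SweepNT\\InterCheckClient";
static const char* const kSav = "SOFTWARE\\Intel\\LANDesk\\VirusProtect6\\CurrentVersion\\Storages\\Filesystem\\RealTimeScan";
static const char* const kMcLow = "SOFTWARE\\Network Associates\\TVD\\Shared Components\\On Access Scanner\\McShield\\Configuration\\Low";

const std::vector<AvSignature>& signatures() {
    static const std::vector<AvSignature> table = {
        { "Sophos Anti-Virus", "SWEEPSRV.SYS", {
            { eHKLM, kSophos, "Check Accessed Files", true },   // 2 or 6 per Axter's note
            { eHKLM, kSophos, "Recognise File By Type", true },
            { eHKLM, kSophos, "Check Remote Files", false } } },
        { "Symantec", "Symantec AntiVirus", {
            { eHKLM, kSav, "Reads", true }, { eHKLM, kSav, "Storage", false } } },
        { "McAfee", "McShield", {
            { eHKLM, kMcLow, "bScanOutgoing", true }, { eHKLM, kMcLow, "bScanIncoming", true } } },
        { "Trend Micro", "", {} },  // no checks yet, as in Axter's table
    };
    return table;
}

// Returns every product whose required values are all present, plus whatever optional
// values were readable. A signature with no checks never matches; otherwise the
// placeholder entries would report every machine as protected.
std::vector<Detection> detectAntivirus(const RegistryReader& reg) {
    std::vector<Detection> found;
    for (const AvSignature& sig : signatures()) {
        if (sig.checks.empty()) continue;
        Detection d = { sig.name, sig.serviceName, {} };
        bool ok = true;
        for (const RegCheck& c : sig.checks) {
            uint32_t v = 0;
            if (reg.readDword(c.base, c.key, c.valueName, v)) d.settings[c.valueName] = v;
            else if (c.required) { ok = false; break; }
        }
        if (ok) found.push_back(d);
    }
    return found;
}
```

A registry hit means the product was installed and configured, not that it is running; the serviceName carried in each Detection is there so the next step can ask the Service Control Manager for the service status. The Win32 reader only compiles on Windows, and on 64-bit Vista a 32-bit harvester sees the WOW6432Node view of HKLM\SOFTWARE unless KEY_WOW64_64KEY is ORed into the access mask. Axter's HKCU Symantec values are left out because a harvester running at service start has no HKEY_CURRENT_USER for the real user.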
 
jkr commented:
Check the registry key for the COM interface 'IVirusScanner' at HKEY_CLASSES_ROOT\Interface\{4589BEE0-B4B1-11CF-AAFA-00AA00B6015C} - if you find a subkey there, a virus scanner is installed.
0
 
PhilC (Author) commented:
Kaspersky doesn't seem to put any subkey under that key, but I will look into it for other programs. Also it does not appear that the key exists on Vista.
Thank You,
0
 
Axter commented:
jkr,
I would love to see a generic solution myself for my own project.

However, I just looked at a machine that has Sophos and a machine that has McAfee.
Neither of them had this key.

I also did a Google search on IVirusScanner, and that doesn't return anything.

Where is this information from?

0
 
Axter commented:
>>  Delete with points refunded

I disagree, since the user stated in previous comment that he/she would likely go with one of the methods I suggested.
Moreover, I provided code that would help to that end.

I recommend awarding points. (I'm OK with a split).
0
 
PhilC (Author) commented:
Thank you all for your input; unfortunately it appears there is no solution as easy as I had hoped.
0
