LockDown32 (United States) asked:
Windows 10 Virus Software

In Windows 10 Is there a registry key that contains what virus software is registered and active?
noxcho (Germany):

Are you talking about Windows Defender?
There is a value which can enable or disable the virus protection: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
A DWORD value named DisableAntiSpyware, set to 0 or 1, enables or disables the protection.
If a command query is ok for you, use:
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
LockDown32 (asker):
That is really close. It returns the providers but doesn't say which one is the active one. See attached screenshot. It is from the Security Center. The "Registered/Active" one is what I am looking to find.
Could you attach that screenshot, please?
Hello There:
In Windows 10, Windows Defender is enabled by default. If you install any other AV solution, Defender becomes inactive and your AV is your only running protection.
True, but how to query what's active? That's the question.

@LD32: look at https://social.msdn.microsoft.com/Forums/en-US/6501b87e-dda4-4838-93c3-244daa355d7c/wmisecuritycenter2-productstate?forum=vblanguage which shows that the command
wmic /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct get /value
should list something that you can work with: the productState. However, the value for that item differs from scanner to scanner. So for Defender, you should have productState=397568, for example.
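The same SecurityCenter2 query in PowerShell, with productState decoded bit-wise instead of matched against a lookup table of known values (a table breaks as soon as a product reports a value that is not on it). This is an added example, not code from the thread. Assumptions: the productState bit layout is the community-derived one, which Microsoft does not document (bit 0x10 of the second byte set means real-time protection is on; bit 0x10 of the low byte set means definitions are out of date), and root\SecurityCenter2 is present, which it is on Windows 10 client SKUs but not on Windows Server. Get-CimInstance is used rather than WMIC because WMIC is deprecated on current Windows 10 builds. The policy check at the end reads the same DisableAntiSpyware value mentioned earlier in the thread; that value reports what Group Policy asks for, not what is actually running.

```powershell
# Added example (not from the original thread). Lists every AV product registered in
# SecurityCenter2, decodes productState, and reports which product(s) are active.
# ASSUMPTION: the bit layout below is the community-derived decoding of the
# undocumented productState value; verify it against your own products.

function ConvertFrom-AvProductState {
    param([Parameter(Mandatory)][int]$ProductState)

    $stateByte = ($ProductState -shr 8) -band 0xFF   # 0x10/0x11 = on, 0x00/0x01 = off
    $sigByte   =  $ProductState -band 0xFF           # 0x00 = up to date, 0x10 = out of date

    [pscustomobject]@{
        ProductState = $ProductState
        Hex          = '0x{0:X6}' -f $ProductState   # 397568 -> 0x061100
        RealTimeOn   = (($stateByte -band 0x10) -ne 0)
        DefsUpToDate = (($sigByte   -band 0x10) -eq 0)
    }
}

function Get-AvProductStatus {
    # One object per registered AV product, with the decoded state merged in.
    # root\SecurityCenter2 exists on client SKUs only; on Server this call errors out.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $decoded = ConvertFrom-AvProductState -ProductState ([int]$_.productState)
            [pscustomobject]@{
                Name         = $_.displayName
                ProductState = $decoded.ProductState
                Hex          = $decoded.Hex
                RealTimeOn   = $decoded.RealTimeOn
                DefsUpToDate = $decoded.DefsUpToDate
                Timestamp    = $_.timestamp
            }
        }
}

function Get-DefenderPolicyState {
    # What Group Policy requests for Defender, as opposed to what SecurityCenter2 reports.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $value = (Get-ItemProperty -Path $key -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($null -eq $value) { 'not configured' }
    elseif ($value -eq 1) { 'disabled by policy' }
    else                  { 'enabled by policy' }
}

# Usage, e.g. as an RMM check: report every product, then fail unless exactly one
# product has real-time protection on (the "Webroot installed but Defender still
# active" case shows up as a count of 2).
$all    = @(Get-AvProductStatus)
$active = @($all | Where-Object RealTimeOn)

$all | Format-Table Name, Hex, RealTimeOn, DefsUpToDate -AutoSize
"Defender policy: $(Get-DefenderPolicyState)"

if ($active.Count -eq 1) {
    "Active AV: $($active[0].Name)"
    exit 0
}
else {
    "Expected exactly one active AV, found $($active.Count)"
    exit 1
}
```

Save it as a .ps1 and run it from the RMM agent (it ends with exit codes, so pasting it into an interactive console will close that console). For Defender's 397568 the decoder yields 0x061100, RealTimeOn = True, DefsUpToDate = True; a Defender that has stepped aside for a third-party product typically reports a second byte of 0x00 or 0x01 and decodes as RealTimeOn = False.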
That is the problem. I install Webroot and it is "supposed" to turn Windows Defender off and itself on. It isn't. So I need a quick and dirty way to see which virus package is "active" so I know which ones I need to correct.
Now could you add the screenshot that you were talking of?
Please run
wmic /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct get /value
And quote the output.
Can you just disable Defender in the Local GPO?
ASKER CERTIFIED SOLUTION
Hello There:
@Hello there
The Kaseya link is from 2010 and I wonder if the values still matter. My Defender status is judged as unknown, since 397568 is not on their list.
We need something more basic.
You can edit the list of values.

One question remains:
Why don't you disable Defender in the Local GPO?
@Hello There. The PowerShell worked. It showed the one that was enabled. I need to do this in a RMM package and want to collect the data. Thanks all for the help.
You are welcome.
Who can already tell that this script works for all AV versions and all Windows versions and builds?
It didn't work for mine, as mentioned.