LockDown32
asked on
Windows 10 Virus Software
In Windows 10, is there a registry key that contains what virus software is registered and active?
If a command query is ok for you, use:
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
ASKER
That is really close. It returns the providers but doesn't say which one is the active one. See attached screenshot. It is from the Security Center. The "Registered/Active" one is what I am looking to find.
Could you attach that screenshot, please?
In Windows 10, Windows Defender is enabled by default. If you install any other AV solution, Defender becomes inactive and your AV is your only running protection.
True, but how to query what's active? That's the question.
@LD32: look at https://social.msdn.microsoft.com/Forums/en-US/6501b87e-dda4-4838-93c3-244daa355d7c/wmisecuritycenter2-productstate?forum=vblanguage which shows that the command
wmic /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct get /value
should list something that you can work with: the productState. However, the value for that item differs from scanner to scanner. So for Defender, you should have productState=397568, for example.
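An added example, not part of the thread and not any poster's code: one way to turn productState into an on/off answer per registered product. The bit layout is the community-derived reading of this field (Microsoft does not document it) and is an assumption here, `ConvertFrom-ProductState` is a hypothetical helper name, and 393472 is a constructed sample value.

```powershell
# Decode a SecurityCenter2 productState value.
# ASSUMPTION: community-derived layout, not documented by Microsoft:
#   bits 12-15 (mask 0xF000) -> scanner state (0 Off, 1 On, 2 Snoozed, 3 Expired)
#   low byte   (mask 0x00FF) -> 0x00 means signatures are up to date
function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)

    $stateNibble = ($ProductState -band 0xF000) -shr 12
    $sigByte     = $ProductState -band 0x00FF

    $state = switch ($stateNibble) {
        0       { 'Off' }
        1       { 'On' }
        2       { 'Snoozed' }
        3       { 'Expired' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        ProductState       = $ProductState
        Hex                = '0x{0:X6}' -f $ProductState
        State              = $state
        Active             = ($stateNibble -eq 1)
        SignaturesUpToDate = ($sigByte -eq 0)
    }
}

# Offline check: 397568 is the value quoted in the thread (0x061100),
# 393472 is a constructed value with the state nibble cleared (0x060100).
397568, 393472 |
    ForEach-Object { ConvertFrom-ProductState $_ } |
    Format-Table -AutoSize

# Live query: one row per registered product, with the decoded state.
# More than one row with Active = True means two scanners both report "on".
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    ForEach-Object {
        $d = ConvertFrom-ProductState $_.productState
        [pscustomobject]@{
            Name               = $_.displayName
            Hex                = $d.Hex
            State              = $d.State
            Active             = $d.Active
            SignaturesUpToDate = $d.SignaturesUpToDate
        }
    } |
    Format-Table -AutoSize
```

Because the layout is undocumented, a value that decodes to `Unknown` should be logged with its hex form rather than treated as off.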
ASKER
That is the problem. I install Webroot and it is "supposed" to turn Windows Defender off and itself on. It isn't. So I need a quick and dirty way to see which virus package is "active" so I know which ones I need to correct.
Now could you add the screenshot that you were talking of?
Please run
wmic /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct get /value
And quote the output.
Can you just disable Defender in the Local GPO?
ASKER CERTIFIED SOLUTION
@Hello there
The Kaseya link is from 2010 and I wonder if the values still matter. My Defender status is judged as unknown, since 397568 is not on their list.
We need something more basic.
You can edit the list of values.
One question remains:
Why don't you disable Defender in the Local GPO?
ASKER
@Hello There. The PowerShell worked. It showed the one that was enabled. I need to do this in an RMM package and want to collect the data. Thanks all for the help.
You are welcome.
Who can already tell that this script works for all AV versions and all Windows versions and builds?
It didn't work for mine, as mentioned.
There is a value which can enable or disable the virus protection: HKEY_LOCAL_MACHINE\SOFTWAR
A DWORD value named DisableAntiSpyware and set for 0 or 1 can enable or disable the protection.