
Open-AudIT

Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 6 posts ] 
PostPosted: Wed Jan 13, 2010 12:44 am 
Helper

Joined: Thu Jun 14, 2007 4:06 am
Posts: 96
Location: Georgia, USA
Windows Security Center Registered Antivirus isn't populated with the registered antivirus for Windows 7 or Vista SP2. The way antivirus registers itself has changed with Vista SP1 and Windows 7. The old way registered under \\root\SecurityCenter. The new way registers under \\root\SecurityCenter2.

For example, in Vista SP2 when I enumerate \\root\SecurityCenter I get this:

[quote]wmic /namespace:\\root\SecurityCenter PATH AntiVirusProduct GET /value
No Instance(s) Available.[/quote]


When I enumerate \\root\SecurityCenter2 I get this:

[quote]wmic /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value

displayName=Trend Micro OfficeScan Antivirus
instanceGuid={48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
pathToSignedProductExe=C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
pathToSignedReportingExe=C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
productState=266240[/quote]


The available values under \\root\SecurityCenter are:

companyName
displayName
instanceGuid
onAccessScanningEnabled
pathToSignedProductExe
productHasNotifiedUser
productState
productUptoDate
productWantsWscNotifications
versionNumber

There are fewer under \\root\SecurityCenter2:

displayName
instanceGuid
pathToSignedProductExe
pathToSignedReportingExe
productState

Apparently, the newer antivirus products will register under \\root\SecurityCenter2 and the older under \\root\SecurityCenter.

I have modified audit.vbs to correctly report it no matter where it registers. I get the missing companyName and versionNumber directly from the file located at pathToSignedProductExe. "productState=266240" seems to indicate a properly updated and functional antivirus. Can someone verify?

[code]'''''''''''''''''
' AV Settings '
'''''''''''''''''

' Skipping if audited system is not WinXp SP2+, Vista, W2k8 or Seven.
' Assumes strComputer, objWMIService (root\cimv2), objTextFile, Clean(), Echo()
' and entry() are already defined earlier in audit.vbs.
if ((SystemBuildNumber = "2600" AND CInt(ServicePack) > 1) OR (CInt(SystemBuildNumber) >= 6000)) then
comment = "AV - Security Center Settings"
Echo(comment)
av_found = False

' Older AV products register under root\SecurityCenter (XP SP2+, and also on Vista/7).
On Error Resume Next
Set objWMIService_AV = GetObject("winmgmts:\\" & strComputer & "\root\SecurityCenter")
if Err.Number = 0 then
Set colItems = objWMIService_AV.ExecQuery("Select * from AntiVirusProduct")
For Each objAntiVirusProduct In colItems
av_found = True
av_prod = Clean(objAntiVirusProduct.companyName)
av_disp = Clean(objAntiVirusProduct.displayName)
av_vers = Clean(objAntiVirusProduct.versionNumber)
If objAntiVirusProduct.productUptoDate Then
av_up2d = "True"
Else
av_up2d = "False"
End If
form_input = "system10^^^" & av_prod & "^^^" & av_disp & "^^^" _
& av_up2d & "^^^" & av_vers & "^^^"
entry form_input,comment,objTextFile,oAdd,oComment
form_input = ""
Next
end if
Err.Clear

' Newer AV products register under root\SecurityCenter2 (Vista SP1+ / Windows 7).
' The namespace does not exist on XP or on server OSs, so GetObject can fail;
' in that case skip it instead of aborting the audit.
Set objWMIService_AV = GetObject("winmgmts:\\" & strComputer & "\root\SecurityCenter2")
if Err.Number = 0 then
Set colItems2 = objWMIService_AV.ExecQuery("Select * from AntiVirusProduct")
For Each objAntiVirusProduct In colItems2
av_found = True
av_disp = Clean(objAntiVirusProduct.displayName)
' Reset so that a failed file lookup cannot reuse the previous product's values.
av_prod = ""
av_vers = ""
' productState is a number, so compare numerically. 266240 (hex 041000)
' appears to mean enabled and up to date; any other value is reported as False.
if CLng(objAntiVirusProduct.productState) = 266240 then
av_up2d = "True"
Else
av_up2d = "False"
End If
' SecurityCenter2 has no companyName/versionNumber; take them from the
' version resource of the registered exe (backslashes doubled for WQL).
PathToSignedProductExe = Replace(objAntiVirusProduct.pathToSignedProductExe,"\","\\")
Echo ("Path " & PathToSignedProductExe)
Set colFiles = objWMIService.ExecQuery ("Select * from CIM_Datafile Where name = '" & PathToSignedProductExe & "'",,48)
For Each itemFile In colFiles
av_prod = Clean(itemFile.Manufacturer)
av_vers = Clean(itemFile.Version)
Next
form_input = "system10^^^" & av_prod & "^^^" & av_disp & "^^^" _
& av_up2d & "^^^" & av_vers & "^^^"
entry form_input,comment,objTextFile,oAdd,oComment
form_input = ""
Next
end if
Err.Clear

'
' If we have previously seen Anti-virus, and now the machine is re-imaged or whatever then
' we dont want to report the AV up to date when it no longer exists. Therefore we need to
' add an empty entry for AV if we find nothing in either namespace.
'
' Thanks to acraiger for spotting this...
'
if Not av_found then
av_prod = ""
av_disp = ""
av_vers = ""
av_up2d = ""
form_input = "system10^^^" & av_prod & "^^^" & av_disp & "^^^" _
& av_up2d & "^^^" & av_vers & "^^^"
entry form_input,comment,objTextFile,oAdd,oComment
form_input = ""
end if
end if[/code]

Here are some reference links:

[url]http://community.spiceworks.com/topic/72964[/url]

[url]http://blogs.msdn.com/alejacma/archive/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript.aspx[/url]

PostPosted: Wed Jan 13, 2010 9:07 pm 
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
I have the opposite of your situation: "wmic /namespace:\\root\SecurityCenter PATH AntiVirusProduct GET /value" gets all values on Vista SP2, while querying \\root\SecurityCenter2 gets nothing. Probably it's due to my older AV product, registering under \\root\SecurityCenter only.
However, this was fixed at SVN rev. 1229. Thanks.

_________________
Edoardo


PostPosted: Thu Jan 28, 2010 11:58 pm 
I've been looking at this further, and have found a number of issues.
SecurityCenter and SecurityCenter2 are client-only products.
OSs before XP SP1 don't have either.
XP SP1 and later has SecurityCenter.
Vista SP1 has both; presumably which one the AV appears in is down to the AV product itself.
Server OSs don't have either, as far as I can tell.

Key to SecurityCenter2 is productState. I have been able to find no documentation about this; however, the contents seem to be AV vendor specific, although they appear similar.

We use Sophos, and it doesn't seem to register all the fields, e.g. version, with Security Center.
To get round this I've changed audit.vbs to check both SecurityCenter and SecurityCenter2 for AV products, and added a section to audit_custom_software.inc to read the Sophos information from the registry, and then update the AV information in the table.
This has the advantage that it gets the Sophos AV info for all OSs, not just the ones that support SecurityCenter/SecurityCenter2.
I'll post the code if anyone else is interested.
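The following is an added example, not code from this thread or from Open-AudIT, showing the same two-namespace probe in PowerShell (3.0 or later): it tolerates a missing namespace (XP, server SKUs), decodes productState, and, because everything in Security Center is self-reported by the AV product, cross-checks that the registered executable actually exists and is Authenticode signed. The productState decoding (hex digits read as product type / enabled / signature status, e.g. 266240 = 0x041000 = enabled and up to date) is the undocumented community interpretation and is an assumption here, not something Microsoft or the thread confirms. Function names are my own.

```powershell
# Added example (not from the thread or Open-AudIT). Requires PowerShell 3+.
# productState decoding is an ASSUMPTION based on the common community reading:
#   hex "041000" -> "04" = product type, "10"/"11" = enabled, "00" = up to date.
function ConvertFrom-ProductState {
    param([Parameter(Mandatory = $true)][uint32]$State)
    $hex = '{0:x6}' -f $State                       # 266240 -> "041000"
    [pscustomobject]@{
        Raw      = $State
        Hex      = "0x$hex"
        Enabled  = @('10', '11') -contains $hex.Substring(2, 2)
        UpToDate = $hex.Substring(4, 2) -eq '00'
    }
}

function Get-RegisteredAntiVirus {
    param([string]$ComputerName = '.')
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        try {
            $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct `
                            -ComputerName $ComputerName -ErrorAction Stop
        } catch {
            # "Invalid namespace" on XP RTM/SP1, on server OSs, or where WSC is absent:
            # skip the namespace rather than abort the whole inventory run.
            Write-Verbose "$ns not available: $($_.Exception.Message)"
            continue
        }
        foreach ($p in $products) {
            $o = [ordered]@{
                Namespace   = $ns
                DisplayName = $p.displayName
                ProductExe  = $p.pathToSignedProductExe
            }
            if ($ns -eq 'root\SecurityCenter') {
                # Legacy namespace carries explicit fields.
                $o.Company  = $p.companyName
                $o.Version  = $p.versionNumber
                $o.Enabled  = [bool]$p.onAccessScanningEnabled
                $o.UpToDate = [bool]$p.productUptoDate
            } else {
                # SecurityCenter2 only has productState; decode it and read
                # company/version from the registered exe's version resource.
                $st = ConvertFrom-ProductState $p.productState
                $o.StateHex = $st.Hex
                $o.Enabled  = $st.Enabled
                $o.UpToDate = $st.UpToDate
                if (Test-Path -LiteralPath $p.pathToSignedProductExe) {
                    $vi = (Get-Item -LiteralPath $p.pathToSignedProductExe).VersionInfo
                    $o.Company = $vi.CompanyName
                    $o.Version = $vi.ProductVersion
                    # WSC data is whatever the product registered; verify the
                    # binary it points at is real and carries a valid signature.
                    $o.Signature = (Get-AuthenticodeSignature `
                        -FilePath $p.pathToSignedProductExe).Status
                } else {
                    $o.Signature = 'FileMissing'
                }
            }
            [pscustomobject]$o
        }
    }
}

# Usage:
#   Get-RegisteredAntiVirus | Format-List
#   ConvertFrom-ProductState 266240    # Enabled = True, UpToDate = True under the assumed decoding
```

Treat a product whose Signature is anything other than Valid, or whose ProductExe does not exist, as unverified rather than as installed AV; the namespace only tells you what the product claimed when it registered.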


PostPosted: Mon Feb 01, 2010 12:34 am 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Always interested. 8)

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


PostPosted: Tue Feb 02, 2010 1:12 am 
See attached zip file.
I've changed date_virus_def in the system table to varchar(40); the date is entered in MySQL format, but this allows values such as "failed" to be stored if necessary.
There is a change to admin_pc_add_2.php, as it didn't store the date_virus_def field.


Attachments:
av.zip [3.65 KiB]
Downloaded 484 times
PostPosted: Tue Feb 02, 2010 6:12 am 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Thanks, time permitting, I'll take a look as soon as pos. (unless one of the other devs can fix this first)... just back after 4 days of horrendous flu, still coughing like an old goat... naturally nobody had stepped in to pick up the pieces at work. :evil:

_________________
Andrew

