Question

I have seen code samples similar to the following numerous times in my search for an answer:

using System;
using System.Text;
using System.Management;

namespace ConsoleApplication1
{
  class Program
  {
    public static bool AntivirusInstalled()
    {

      string wmipathstr = @"\\" + Environment.MachineName + @"\root\SecurityCenter";
      try
      {
        ManagementObjectSearcher searcher = new ManagementObjectSearcher(wmipathstr, "SELECT * FROM AntivirusProduct");
        ManagementObjectCollection instances = searcher.Get();
        return instances.Count > 0;
      }

      catch (Exception e)
      {
        Console.WriteLine(e.Message);
      }

      return false;
    } 

    public static void Main(string[] args)
    {
      bool returnCode = AntivirusInstalled();
      Console.WriteLine("Antivirus Installed " + returnCode.ToString());
      Console.WriteLine();
      Console.Read();
    }

  }
}

Unfortunately, it appears that Windows Server 2008 does not have the SecurityCenter or SecurityCenter2 namespace, so I get an Invalid namespace exception when trying this approach.

Does anyone know of a way to determine if there is antivirus software running on Windows Server 2008? Any help is appreciated!

Solution 3

I faced this problem some time ago for a client and I ended up performing a dictionary search on the local system drivers and processes, looking for a pattern of known anti-virus signatures (such as folder names, process names, etc.). It's not 100% sure because somewhere someone will download a brand new anti-virus that you're unaware of, but that apart, it was very effective...

OTHER TIPS

Use the EICAR test virus.

  1. Have your application try to write one of these files on disk: http://www.eicar.org/85-0-Download.html
  2. Catch the exception

It will not only work on every anti-virus on earth, but it will also tell you if the anti-virus is active!

You may find it hard to download the test file if you have anti-virus active, so you may want to use this string instead:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Keep in mind, you probably want to keep the string encoded in your app and decode it just before you write it to disk. Otherwise you may risk your app being detected as a virus :)

On the EICAR site, they say:

Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long

However, I wouldn't count on AV developers having read the spec, so better just keep the string encoded. In fact, I just tried to save the string in a .txt file on my desktop with some additional characters in it and Windows Defender started screaming.
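The write-and-catch check described in the answer above, as an added C# example that is not part of the original answer. The names `EicarProbe` and `RealTimeScannerReacts`, the temp-file name and the 5-second wait are assumptions, and joining fragments at run time stands in for the encoding the answer recommends.

```csharp
using System;
using System.IO;
using System.Text;
using System.Threading;

static class EicarProbe
{
    // EICAR test string from the answer above, held as fragments and joined at
    // run time so the 68-character sequence is not stored in one piece.
    static readonly string[] Parts =
    {
        @"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
        "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
        "!$H+H*"
    };

    // True if writing or re-reading the test file was blocked, or the file was removed.
    public static bool RealTimeScannerReacts(TimeSpan wait)
    {
        byte[] payload = Encoding.ASCII.GetBytes(string.Concat(Parts));
        if (payload.Length != 68) throw new InvalidOperationException("EICAR string must be 68 bytes");

        // Hypothetical file name; a unique name avoids clashing with earlier runs.
        string path = Path.Combine(Path.GetTempPath(), "eicar-probe-" + Guid.NewGuid().ToString("N") + ".com");
        try
        {
            File.WriteAllBytes(path, payload);
            DateTime deadline = DateTime.UtcNow + wait;
            while (DateTime.UtcNow < deadline)
            {
                if (!File.Exists(path)) return true;   // quarantined or deleted
                File.ReadAllBytes(path);                // throws if access is blocked
                Thread.Sleep(250);
            }
            return false;                               // file survived untouched
        }
        catch (IOException) { return true; }            // includes "file contains a virus" errors
        catch (UnauthorizedAccessException) { return true; }
        finally
        {
            try { File.Delete(path); } catch (IOException) { } catch (UnauthorizedAccessException) { }
        }
    }

    static void Main()
    {
        bool active = RealTimeScannerReacts(TimeSpan.FromSeconds(5));
        Console.WriteLine(active ? "On-access scanner reacted to the test file"
                                 : "No reaction: no scanner, scanning disabled, or path excluded");
    }
}
```

A `false` result only means nothing reacted at that path within the wait, which is also what an exclusion on the temp directory or an on-demand-only scanner looks like. Unrelated I/O failures such as a full disk are reported as a reaction too, so log the exception message when the result matters.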

Hmmm, I ended up playing around with PowerShell:

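# Win32_Product lists MSI-installed products; the filter keeps only names containing "antivirus"
# @() forces an array so .Count is valid when zero or one product matches
$avSoftware = @(get-wmiobject -class "Win32_Product" -namespace "root\cimv2" -computername "." -filter "Name like '%antivirus%'")
if ($avSoftware.Count -gt 0) {
    foreach ($av in $avSoftware) {
        write-host $av.Name
    }
} else {
    write-host "No AV software found"
}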

It seems to be working both on our Windows Server 2008 and 2008 R2 instances...

More info here: https://serverfault.com/questions/12343/how-can-i-determine-whether-an-antivirus-product-is-installed

This is more of an idea than a perfect solution. With respect to the answer by Leonardo, how about using an actual piece of anti-virus software (link against it) in order to perform a search for other anti-virus software? ClamAV is open source and a nice point to start. You "only" need to define a new and rather specific signature database.

According to most of the web, SecurityCenter and SecurityCenter2 are not available on Windows Server 2008 (as you have already worked out for yourself).

I found this SO article, which contains a workaround: "How to detect antivirus installed on windows 2003 server and 2008 server 2003 server R2 and 2008 server R2 using WMI or other then WMI in C++"

Admittedly, this is a C++ implementation, but I see no reason that it cannot be ported to C#.

Also found this page which suggests using the OESIS framework. http://social.msdn.microsoft.com/Forums/en/windowsgeneraldevelopmentissues/thread/b0806608-fee0-413c-a34d-674aeb11be3c

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow