McAfee AV/Encryption Detection

Hi all - Before starting from scratch, does anyone have, or be willing to share, the Retrieved Properties associated with the detection of the latest McAfee antivirus and desktop encryption product suite? The exact version isn't an issue, but an indication of where to trawl the registry for pattern files/policy/encryption status would be great.
Any help appreciated.


First of all, there are some AntiVirus related analyses already on https://bigfix.me/ specific to other products that could be a useful guide. I don’t think there is one for McAfee.

Second, there is actually a universal way to get a report of all AV products installed on a system. I have been meaning to put together an analysis and put it on https://bigfix.me/ for a while now, and haven’t gotten around to it.

This will give you the list of all installed security products:

unique values of string values of selects "displayname from AntiVirusProduct" of ((wmis "root\SecurityCenter2");(wmis "root\SecurityCenter"))

The RAW data:

selects "* from AntiVirusProduct" of ((wmis "root\SecurityCenter2");(wmis "root\SecurityCenter"))

The AV Product File: (version info, etc…)

(files it) of (expand x64 environment strings of it; expand environment strings of it) of string values of selects "pathToSignedProductExe from AntiVirusProduct" of ((wmis "root\SecurityCenter2");(wmis "root\SecurityCenter"))

The AV “ReportingEXE” file:

(files it) of (expand x64 environment strings of it; expand environment strings of it) of string values of selects "pathToSignedReportingExe from AntiVirusProduct" of (wmis "root\SecurityCenter2")

This might work to get the registry key of the AV product detected through WMI:

(values "DisplayName" of it, values "DisplayVersion" of it) of keys whose(
  exists (it, (pathnames of parent folders of (files it) of (expand x64 environment strings of it; expand environment strings of it) of string values of selects "pathToSignedProductExe from AntiVirusProduct" of ((wmis "root\SecurityCenter2");(wmis "root\SecurityCenter")))) whose(item 0 of it contains item 1 of it)
  of unique values of pathnames of (parent folders of files it; folders it)
  of (expand x64 environment strings of it; expand environment strings of it)
  of (preceding text of last "%22" of following text of first "%22" of it | it)
  of (it as string as trimmed string) whose(4 < length of it AND (it contains "\" OR it contains "/") AND it as lowercase does not start with "http" AND it as lowercase does not start with "msiexec")
  of values of it
) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)

References:

Also, see these: They are the same post, one in the new forum without attachments, and one in the old forum with attachments.
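The following is an added PowerShell example, not code from the thread or from BigFix, that runs the same Security Center WMI query and the same Uninstall-key cross-reference as the relevance above, so the raw data can be inspected on a test machine before a Retrieved Property is written. Two caveats it makes visible: the AntiVirusProduct class only lists products that register with Windows Security Center (so a desktop encryption product will not appear there, and the namespaces are absent on Server SKUs), and the productState bit layout decoded in ConvertFrom-ProductState is the widely reported, undocumented one, so it is an assumption to verify against a host whose state you already know.

```powershell
# Added example (not from the original post): enumerate Security Center AV
# registrations and match each to its Uninstall registry entry.
# Assumption: the productState layout below is the commonly reported one and is
# not documented by Microsoft.

function Expand-EnvPath {
    param([AllowNull()][string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
}

function Get-SecurityCenterAV {
    # root\SecurityCenter2 is the Vista+ namespace, root\SecurityCenter the XP one.
    # Server SKUs have no Security Center, so both namespaces are missing there.
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        try {
            Get-CimInstance -Namespace $ns -ClassName AntiVirusProduct -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Namespace    = $ns
                        DisplayName  = $_.displayName
                        ProductState = $_.productState                          # not on the XP class
                        ProductExe   = Expand-EnvPath $_.pathToSignedProductExe
                        ReportingExe = Expand-EnvPath $_.pathToSignedReportingExe  # SecurityCenter2 only
                    }
                }
        } catch {
            Write-Verbose "Namespace $ns not available: $($_.Exception.Message)"
        }
    }
}

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$State)
    # Assumed layout, six hex digits PPRRDD (e.g. 0x061000 = 397568):
    #   PP = provider category bits, RR = real-time protection (10 on, 00 off),
    #   DD = signatures (00 up to date, 10 out of date).
    $hex = $State.ToString('X6')
    [pscustomobject]@{
        RawHex           = $hex
        RealTimeEnabled  = $hex.Substring(2, 2) -eq '10'
        DefinitionsFresh = $hex.Substring(4, 2) -eq '00'
    }
}

function Get-UninstallEntryForExe {
    # Same heuristic as the registry relevance in the post: an Uninstall subkey
    # matches when one of its path-like string values resolves to a folder whose
    # path contains the folder of the AV product executable.
    param([Parameter(Mandatory)][string]$ExePath)
    $exeDir = (Split-Path -Parent $ExePath).ToLowerInvariant()
    $roots  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($key in Get-ChildItem $roots -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath
        $dirs = foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                 # provider metadata, not data
            $s = $p.Value
            if ($s -isnot [string]) { continue }
            $s = $s.Trim()
            if ($s.Length -le 4 -or $s -notmatch '[\\/]') { continue }
            if ($s -match '^(?i)(http|msiexec)') { continue }
            # keep the text between the first and last double quote, if quoted
            $first = $s.IndexOf('"'); $last = $s.LastIndexOf('"')
            if ($first -ge 0 -and $last -gt $first) { $s = $s.Substring($first + 1, $last - $first - 1) }
            $s = [Environment]::ExpandEnvironmentVariables($s)
            if (Test-Path -LiteralPath $s -PathType Leaf)          { (Split-Path -Parent $s).ToLowerInvariant() }
            elseif (Test-Path -LiteralPath $s -PathType Container) { $s.TrimEnd('\').ToLowerInvariant() }
        }
        if ($dirs | Where-Object { $_.Contains($exeDir) }) {
            [pscustomobject]@{
                DisplayName    = $props.DisplayName
                DisplayVersion = $props.DisplayVersion
                KeyPath        = $key.Name
            }
        }
    }
}

# Usage: one row per registered AV product, with decoded state and uninstall info.
Get-SecurityCenterAV | ForEach-Object {
    $state = if ($_.ProductState) { ConvertFrom-ProductState $_.ProductState }
    $entry = if ($_.ProductExe)   { Get-UninstallEntryForExe $_.ProductExe | Select-Object -First 1 }
    [pscustomobject]@{
        DisplayName      = $_.DisplayName
        RealTimeEnabled  = $state.RealTimeEnabled
        DefinitionsFresh = $state.DefinitionsFresh
        ProductExe       = $_.ProductExe
        UninstallVersion = $entry.DisplayVersion
        UninstallKey     = $entry.KeyPath
    }
} | Format-Table -AutoSize
```

Run it elevated on a workstation that has the McAfee agent installed and compare the DisplayName, ProductExe and UninstallKey columns against what the relevance expressions return in the Fixlet Debugger; if the Uninstall match is empty, the vendor's Uninstall subkey holds no path-like value pointing at the product folder and the cross-reference heuristic will need a vendor-specific key instead.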