PowerShell: Detecting Windows Antivirus

One of the initial tasks of a Windows user is to determine whether a computer has Antivirus enabled. For modern Windows 10 machines, Windows Defender has been doing a good job at protecting client machines. Often, enterprises opt to deploy 3rd party malware and ransomware protection in addition to Microsoft’s default safeguard. This paragraph is getting longer than I’m willing to write non-code stuff. Here goes the work-in-progress scripty for your entertainment and/or refactoring considerations.

# detectWindowsAntivirus.ps1
# Version: 0.0.1
# License: GPLv3
# What this does: you know.

# User provided variables:
# Regular-expression alternation that every detection stage matches (case-insensitively,
# via -match) against product names. Extend it with the product names used in your
# organization; keep the '|' separators.
$expectedAntivirusNames = 'antivirus|endpoint|protection|defender|msmpeng|guard'

function detectAntivirus{
    # Purpose: report the name(s) of antivirus products found on $computername by trying
    # three sources in order -- the Security Center WMI class, the installed-program CIM
    # class, and the Uninstall registry keys -- and returning $false when none matches.
    # NOTE(review): no param() block is visible in this listing, yet $computername,
    # $keywords and @psboundparameters are used below; the original presumably declares
    # ($computername, $keywords) as parameters -- confirm against the source file.
    # NOTE(review): several places show two consecutive `return` lines and orphaned
    # statements with no enclosing braces, which looks like try/catch blocks were lost
    # when the listing was pasted; as printed the function does not parse and its closing
    # brace is missing. Restore the structure before running it.
    # Caveat: all three stages match product *names*, so a hit shows a product is
    # registered or installed, not that real-time protection is currently enabled or that
    # signatures are current. The AntiVirusProduct class also exposes productState, which
    # is where that information lives if the caller needs it.
    # First: try to obtain antivirus name from Security Center (this only works for Client OS)
                    $wmiQuery = "SELECT * FROM AntiVirusProduct" 
                    # -ErrorAction Stop turns a failed query into a terminating error (so a
                    # surrounding catch, if one existed, could return $false); @psboundparameters
                    # forwards whatever parameters the caller passed to this function.
                    $securityCenter=Get-WmiObject -ComputerName $computername -Namespace "root\SecurityCenter2" -Query $wmiQuery @psboundparameters -ErrorVariable myError -ErrorAction Stop
                    return $securityCenter.displayName             
                    # NOTE(review): unreachable as printed -- presumably the catch branch of a
                    # lost try/catch.
                        return $false;
    # NOTE(review): $antivirusFromSecurityCenter is never assigned in the visible code.
    if($antivirusFromSecurityCenter){return $antivirusFromSecurityCenter}

    # Second: try to obtain product name from Applications List
    # Diagnostics go through write-host (host/information stream), so they do not become
    # part of the function's return value.
    write-host "Unable to detect antivirus in namespace root\SecurityCenter2. Now querying AppWiz.cpl ..."
                                    # -match treats $keywords as a regular expression (the '|' alternation in the
                                    # default list relies on this) and compares case-insensitively; a malformed
                                    # pattern throws rather than silently matching nothing.
                                    $appWiz=Get-CimInstance -ClassName win32_InstalledWin32Program -ComputerName $computername -ErrorAction Stop | ?{$_.Name -match $keywords}|%{"$($_.Name)"}
                                    return $appWiz
                                    # NOTE(review): unreachable as printed -- see the note on the first stage.
                                    return $false
    # NOTE(review): $antivirusFromAppwiz is never assigned in the visible code.
    if ($antivirusFromAppwiz){return $antivirusFromAppwiz}

    # Third: look into the registry
    write-host "Unable to detect antivirus in AppWiz. Now querying registry ..."            
                                        #Get-Service -ComputerName $computername -Name RemoteRegistry | Start-Service
                                        # Opens HKLM on the target over the Remote Registry service; the commented-out
                                        # Start-Service line above suggests that service may need to be running on the
                                        # target first -- confirm for your environment.
                                        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $computername)
                                        # $computerName and $computername are the same variable: PowerShell variable
                                        # names are case-insensitive.
                                        write-host "unable to open remote registry of $computerName"
                                        return $false
                                    if ($hive){
                                        # NOTE(review): the trailing comma leaves a one-element list and, as printed, a
                                        # parse error; a second uninstall-key path was presumably the next element.
                                        $regPathList = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
                                        foreach($regPath in $regPathList) {
                                            if($key = $hive.OpenSubKey($regPath)) {
                                                if($subkeyNames = $key.GetSubKeyNames()) {
                                                    foreach($subkeyName in $subkeyNames) {
                                                        $productKey = $key.OpenSubKey($subkeyName)
                                                        $productName = $productKey.GetValue("DisplayName")
                                                        $productVersion = $productKey.GetValue("DisplayVersion")
                                                        $productComments = $productKey.GetValue("Comments")
                                                        # Missing DisplayName/Comments become "" so .ToLower() below does not
                                                        # fail on $null.
                                                        if (!$productName){$productName="";}
                                                        if (!$productComments){$productComments="";}
                                                        # ToLower() is redundant with -match, which is already case-insensitive
                                                        # (only -cmatch is case-sensitive); harmless.
                                                        if(($productName.ToLower() -match $keywords) -OR ($productComments.ToLower() -match $keywords)) {                                                            
                                                            #$resultObj = [PSCustomObject]@{
                                                            #    Product = $productName
                                                            #    Version = $productVersion
                                    # NOTE(review): $results is never populated in the visible code; the lines that
                                    # built it (the commented-out PSCustomObject above hints at its shape) appear to
                                    # be missing from the listing.
                                    return $results
    # NOTE(review): $antivirusFromRegistry is never assigned in the visible code.
    if ($antivirusFromRegistry){return $antivirusFromRegistry}                                                                                                          
    # Finally: return nothing
    write-host "Unable to detect antivirus in registry ..."
    return $false

# Entry point: probe the local machine using the configured name pattern.
detectAntivirus 'localhost' $expectedAntivirusNames
