Server Alerts for no AntiVirus
Posted 04 December 2008 - 08:19 AM
Posted 04 December 2008 - 08:23 AM
Posted 08 December 2008 - 07:10 AM
Posted 11 December 2008 - 02:44 PM
Unfortunately, this may not work on Windows 2000 (Professional and Server) and earlier, and also on Server 2003 and Server 2008 systems, because they don't have Security Center; that is, they don't provide an interface for antivirus/firewall products to publish their status to the system and thus to other third-party applications.
We are going to add support for direct detection of the most popular antivirus products without the Security Center interface in future versions of our program.
Posted 05 January 2009 - 11:02 AM
In the meantime, can you help me by letting me know what TNI is searching to determine if the antivirus is up to date?
And is there any way to list a date for the AV definitions file?
Similar to how TNI currently lists the dates for Windows Updates.
Thanks in advance,
Posted 06 January 2009 - 02:12 AM
Posted 08 January 2009 - 09:59 AM
There is an undocumented namespace in the Windows Management Instrumentation service which allows antiviruses, firewalls and anti-spyware products to publish information about their status (for Security Center, and luckily for anybody else who might want to use it). Unfortunately, a field for the virus definitions date was not provided, only a boolean value: whether the program is up to date or not. So the antivirus itself knows exactly when it was updated, and if that was too long ago (for example, more than 2 weeks), it sets this up-to-date flag to "false" by itself. Then Security Center or TNI reads this info.
In regards to the "True" or "False" flag on the AV being up to date, where can I get solid information on how the system reads a true or false?
For example, what is the time frame that would trigger a "False" in the up-to-date field: 1 week, 2 weeks, 1 month, etc.?
Can you provide this, or is it something I need to question MS about?
Posted 09 January 2009 - 01:10 AM
strComputer = "."
' Connect to the undocumented SecurityCenter WMI namespace on the local machine
Set wbemServices = GetObject("winmgmts:\\" & strComputer & "\root\SecurityCenter")
' Enumerate every antivirus product registered with Security Center
Set wbemObjectSet = wbemServices.InstancesOf("AntivirusProduct")
For Each wbemObject In wbemObjectSet
    str1 = "AV name: " & wbemObject.displayName & vbCrLf
    str1 = str1 & "Vendor: " & wbemObject.companyName & vbCrLf
    str1 = str1 & "Version: " & wbemObject.versionNumber & vbCrLf
    ' productUptoDate is a boolean set by the antivirus product itself
    str1 = str1 & "Up to date: " & wbemObject.productUptoDate & vbCrLf
    WScript.Echo str1
Next

But anyway, neither we nor Microsoft know when and how the up-to-date flag is set, because, as I've already said, it is set by the antivirus product itself. So if you need to know the exact time, you should question the particular antivirus product manufacturer.
Posted 21 January 2009 - 02:02 PM
Posted 21 January 2009 - 02:12 PM
Posted 25 January 2009 - 02:21 AM
When the category was named "Antivirus", the information for it was collected in a very simple way: the list of installed software was scanned for matches with a certain list of keywords which usually appear in antivirus names (generic words like "virus" and some names of software publishers like "Trend Micro"), and in case of a match the item was included in the Antiviruses list.
I hate to be a wet blanket... but we too are getting no AV installed. We are getting them on XP boxes that are peer to peer, server boxes on the domain. AV is Symantec Corp Ed. AV reports just fine for servers and desktops in TNI version 1.5.38 (possibly some later ones too), but the two more recent versions I have, 1.6.6 and 1.6.7, have emptiness in the AV portion.
When "Security" was introduced in 1.6.5, the system was changed and information started to be collected via an undocumented interface in WMI, in the same way that Windows Security Center gets this info. Of course, the majority of antivirus vendors introduced support for this interface in their products, and they should publish this info in a special way to the system, so that Security Center shows the user that his PC is protected. The way to publish this info is provided to antivirus vendors only under a non-disclosure agreement, so that nobody else can fake the protection status of the computer. And the way to collect this info is just not documented by Microsoft, but it is discussed on some forums and its implementation is possible with this information.
However, this way only works under two conditions. First, the Security Center interface should be present on the system (which is true only for XP and Vista); that's why it cannot be detected on any server system (or on any 2000 and earlier system). Second, the antivirus should support this interface. I don't know if this is true for the particular product you use. Can you please check if Security Center on XP machines shows your antivirus name, version and up-to-date status?
Posted 25 January 2009 - 02:27 AM
As to the compatibility of versions: in the case of moving forward, surely if you scan a computer with 1.6.0 or an earlier version, there will be no information from this WMI interface, which newer versions (1.6.5 and above) expect to find in the XML file and display. However, in the case of moving backward, if you take the newer file to older versions, they will not know about the "Security" information, but nevertheless they will have the installed software list and will be able to find the antivirus product. It can only be that there is no specific keyword to detect the particular product. You can add such a keyword (it can also be two words with a space between them, that is, any exact part of the name): in the file "config.ini" there is a parameter "antivirs"; just add a comma and the part of the antivirus product name (this is for 1.6.0 and earlier versions).
Ahhhhh, I think I see what's going on now. We have backwards and forwards incompatibility. If I take a scan with TNI 1.5 at work or at a client, and bring it home to do some exporting to spreadsheets or whatnot, and I use 1.6.6 or 1.6.7 on my desktop, I cannot see anything in the AV category. The same is true with scanning in 1.6.7 and viewing in 1.5: the AV section is kaput. I would have hoped that data from prior scans would still be readable in newer versions without having to redo the scans.
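The two detection paths discussed in this thread, as an added illustration that is not TNI's own code: the Security Center WMI records where that namespace exists and the product actually publishes to it, and the older keyword scan of the installed-software list driven by the "antivirs" setting otherwise (servers, Windows 2000, or products that ignore the interface). The config value, the WMI records and the inventory data below are constructed samples.

```python
"""Antivirus detection with Security Center data and a keyword fallback (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical "antivirs" value from config.ini: comma-separated exact name
# fragments (a fragment may contain a space), matched case-insensitively.
ANTIVIRS_SETTING = "virus,Trend Micro,Symantec,Kaspersky,McAfee"


@dataclass
class AvStatus:
    name: str
    source: str                 # "SecurityCenter" or "keyword"
    up_to_date: Optional[bool]  # None when the source cannot tell


def parse_antivirs(setting: str) -> list[str]:
    """Split the antivirs value into lowercase fragments, ignoring blanks."""
    return [f.strip().lower() for f in setting.split(",") if f.strip()]


def keyword_scan(installed: list[str], fragments: list[str]) -> list[AvStatus]:
    """Pre-1.6.5 method: substring-match installed software titles; no freshness info."""
    return [AvStatus(title, "keyword", None)
            for title in installed
            if any(frag in title.lower() for frag in fragments)]


def detect_av(has_security_center: bool, wmi_products: list[dict],
              installed: list[str], setting: str = ANTIVIRS_SETTING) -> list[AvStatus]:
    """Use root\\SecurityCenter AntivirusProduct records when available, else keyword scan."""
    if has_security_center and wmi_products:
        # productUptoDate is set by the AV product itself; we only relay it.
        return [AvStatus(p["displayName"], "SecurityCenter", bool(p["productUptoDate"]))
                for p in wmi_products]
    # No Security Center (server / 2000) or the product does not publish to it.
    return keyword_scan(installed, parse_antivirs(setting))


# Constructed sample data: an XP box with a registered AV, and a server box
# whose inventory contains an AV but which has no SecurityCenter namespace.
XP_WMI = [{"displayName": "Symantec AntiVirus", "companyName": "Symantec",
           "versionNumber": "10.1", "productUptoDate": True}]
SERVER_SOFTWARE = ["Microsoft Office 2003", "Symantec AntiVirus Corporate Edition",
                   "Adobe Reader 8"]

if __name__ == "__main__":
    for r in detect_av(True, XP_WMI, []) + detect_av(False, [], SERVER_SOFTWARE):
        print(f"{r.name}: source={r.source} up_to_date={r.up_to_date}")
```

A keyword hit proves only that something AV-like is installed; the up-to-date status is available solely through the Security Center path, so treat a `None` there as unknown rather than as protected.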