Server Alerts for no AntiVirus


12 replies to this topic

#1 andrew (Member, 10 posts)

Posted 04 December 2008 - 08:19 AM

We have found that our servers are reporting that we do not have any antivirus running on them (I can assure you we do!). If I look into the installed software list, it picks up the AV program. Is this a bug in the current version, or maybe we need to add our AV to a recognised list? It seems to work fine with clients, just not servers. We are running Trend AV.

#2 Zak (Administrator, 747 posts)

Posted 04 December 2008 - 08:23 AM

What is the operating system on the server? Does it have "Windows Security Center"? If so, is your antivirus reported there?
Softinventive Lab support

#3 andrew (Member, 10 posts)

Posted 08 December 2008 - 05:16 AM

The servers all run Server 2003.

#4 Zak (Administrator, 747 posts)

Posted 08 December 2008 - 07:10 AM

Unfortunately, detection of antiviruses is not possible on Server 2003, because it does not provide an appropriate interface for antivirus products to publish their information, which is what Security Center (also not available on this OS) and our program use to detect them.
Softinventive Lab support

#5 Zak (Administrator, 747 posts)

Posted 11 December 2008 - 02:44 PM

Our software can recognize all antiviruses and firewalls (in Windows XP SP2/SP3 and Windows Vista) and antispyware (only in Windows Vista) that support Windows Security Center, that is, if they are displayed by Security Center. The vendors of antivirus (firewall and antispyware) software should provide this support from their side, because they have to publish the product information and status to the system in a special way. Otherwise neither our product nor Windows itself can recognize such software (in this case Windows Security Center should usually generate a message from time to time that the computer is not protected by antivirus).

Unfortunately, this may not work on Windows 2000 (Professional and Server) and earlier, and also on Server 2003 and Server 2008 systems, because they don't have Security Center, that is, they don't provide an interface for the antivirus/firewall products to publish their status to the system and thus to other third-party applications.

We are going to add support for direct detection of the most popular antivirus products without the Security Center interface in future versions of our program.
Softinventive Lab support

#6 Marianne (Member, 16 posts)

Posted 05 January 2009 - 11:02 AM

Adding AV detection without the need for Security Center would be a welcome addition... looking forward to it.

In the meantime, can you help me by letting me know what TNI is searching to determine if the antivirus is up to date?
And is there any way to list a date for the AV definitions file?

Similar to how TNI currently lists the dates for Windows Updates.

Thanks in advance,
Marianne

#7 Zak (Administrator, 747 posts)

Posted 06 January 2009 - 02:12 AM

There is an undocumented namespace in the Windows Management Instrumentation service which allows antiviruses, firewalls and anti-spyware to publish information about their status (for Security Center and, luckily, for anybody else who might want to use it). Unfortunately, a field for the virus definitions date was not provided, only a boolean value: whether the program is up to date or not. So the antivirus itself knows exactly the date when it was updated, and if it was too long ago (for example more than 2 weeks), it sets this up-to-date flag to "false" by itself. Then Security Center or TNI reads this info.
Softinventive Lab support

#8 Marianne (Member, 16 posts)

Posted 08 January 2009 - 09:59 AM

> There is a non-documented namespace in the Windows Management Instrumentation service which allows antiviruses, firewalls and anti-spyware to publish information about their status (for Security Center and luckily for anybody else who might want to use it). Unfortunately the field for virus definitions date was not provided, only the boolean value - whether the program is up-to-date or not. So the antivirus itself knows exactly the date when it was updated, and if it was too long ago (for example more than 2 weeks), it sets this up-to-date flag to "false" by itself. Then Security Center or TNI read this info.

In regards to the "True" or "False" flag on the AV being up to date... where can I get solid information on how the system reads a true or false?
For example, what is the time frame that would trigger a "False" in the up-to-date field: 1 week, 2 weeks, 1 month, etc.?
Can you provide this, or is this something I need to question MS about?

#9 Zak (Administrator, 747 posts)

Posted 09 January 2009 - 01:10 AM

This is done via WMI, but it's not documented in MSDN. For example, it can be done using a VBS script (for the local machine):

strComputer = "."   ' "." means the local machine

' Connect to the undocumented Security Center WMI namespace
Set wbemServices = GetObject("winmgmts:\\" & strComputer & "\root\SecurityCenter")
' Enumerate every antivirus product that has registered itself with Security Center
Set wbemObjectSet = wbemServices.InstancesOf("AntivirusProduct")

For Each wbemObject In wbemObjectSet
  str1 = "AV name: " & wbemObject.displayName & vbCrLf
  str1 = str1 & "Vendor: " & wbemObject.companyName & vbCrLf
  str1 = str1 & "Version: " & wbemObject.versionNumber & vbCrLf
  str1 = str1 & "Up to date: " & wbemObject.productUptoDate & vbCrLf   ' boolean, set by the antivirus product itself
  WScript.Echo str1
Next

But anyway, neither we nor Microsoft know when and how the up-to-date flag is set, because, as I've already said, it is set by the antivirus product itself. So if you need to know the exact time, you should question the particular antivirus product manufacturer.
Softinventive Lab support

#10 davelchgo (Newbie, 5 posts)

Posted 21 January 2009 - 02:02 PM

I hate to be a wet blanket... but we too are getting "no AV installed". We are getting them on XP boxes that are peer to peer, and server boxes on the domain. AV is Symantec Corp Ed. AV reports just fine for servers and desktops in TNI version 1.5.38 (possibly some later ones too), but the two more recent versions I have, 1.6.6 and 1.6.7, have emptiness in the AV portion.

#11 davelchgo (Newbie, 5 posts)

Posted 21 January 2009 - 02:12 PM

Ahhhhh, I think I see what's going on now. We have backwards and forwards incompatibility. If I take a scan with TNI 1.5 at work or at a client, bring it home to do some exporting to spreadsheets or whatnot, and use 1.6.6 or 1.6.7 on my desktop, I cannot see anything in the AV category. The same is true when scanning in 1.6.7 and viewing in 1.5: the AV section is kaput. I would have hoped that data from prior scans would still be readable in newer versions without having to redo the scans.

#12 Zak (Administrator, 747 posts)

Posted 25 January 2009 - 02:21 AM

> I hate to be a wet blanket... but We too are getting no AV installed. We are getting them on XP boxes that are peer to peer, Server boxes on the domain. AV is Symantec Corp Ed. AV reports just fine for servers and desktops in TNI versions 1.5.38 ( possibly some later ones too ) But the two more recent versions I have 1.6.6 and 1.6.7 Have emptiness in the AV portion.

When the category was named "Antivirus", the information for it was collected in a very simple way: the list of installed software was scanned for matches with a certain list of keywords which usually appear in antivirus names (generic words like "virus" and some names of software publishers like "Trend Micro"), and in case of a match the item was included in the Antiviruses list.

When "Security" was introduced in 1.6.5, the system was changed and the information started to be collected via an undocumented interface in WMI, in the same way that Windows Security Center gets this info. Of course, the majority of antivirus vendors introduced support for this interface in their products, and they have to publish this info to the system in a special way so that Security Center can show the user that his PC is protected. The way to publish this info is provided to antivirus vendors only under a non-disclosure agreement, so that nobody else could fake the protection status of a computer. The way to collect this info is simply not documented by Microsoft, but it is discussed on some forums, and implementing it is possible with that information.

However, this way only works under two conditions. First, the Security Center interface must be present on the system (which is true only for XP and Vista); that's why it cannot be detected on any server system (or on any 2000 and earlier system). Second, the antivirus must support this interface. I don't know if this is true for the particular product you use. Can you please check if Security Center on XP machines shows your antivirus name, version and up-to-date status?
Softinventive Lab support

#13 Zak (Administrator, 747 posts)

Posted 25 January 2009 - 02:27 AM

> Ahhhhh I think I see whats going on now. We have backwards and forwards incompatability. If I take a scan with TNI 1.5 at work or a client, and bring it home to do some exporting to spreadsheets or whatnot and I use 1.6.6 or 1.6.7 on my desktop. I cannot see anything in the AV category. Such is true with scanning in 1.6.7 and viewing in 1.5 AV section is kaput. I would have hoped that data from prior scans would still be readable in newer versions without having to redo the scans.

As to the compatibility of versions: in the case of moving forward, surely if you scan a computer with 1.6.0 or an earlier version, there will be no information from this WMI interface, which newer versions (1.6.5 and above) expect to find in the XML file and display. However, in the case of moving backward, if you take the newer file to older versions, they will not know about the "Security" information, but they will nevertheless have the installed software list and will be able to find the antivirus product. It can only be that there is no specific keyword to detect a particular product. You can add such a keyword (it can also be two words with a space between them, that is, any exact part of the name): in the file "config.ini" there is a parameter "antivirs"; just add a comma and the part of the antivirus product name (this is for 1.6.0 and earlier versions).
Softinventive Lab support
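The two detection methods discussed in this thread, the root\SecurityCenter WMI query from post #9 and the installed-software keyword match that older TNI versions used, combined into one PowerShell function. This is an added example, not TNI's code and not from the thread; the keyword list is a constructed sample standing in for the "antivirs" entry in config.ini, and the fallback reads the local machine's Uninstall registry keys. On Vista SP1 and later the same data lives in root\SecurityCenter2 with a different property layout, so the first step is expected to fail there as well as on Server 2003.

```powershell
# Added example (not from the thread or from TNI): query Security Center via WMI,
# fall back to keyword matching over the installed-software list when the
# namespace does not exist (Server 2003, Windows 2000) or reports nothing.
function Get-AntivirusStatus {
    param(
        # Constructed sample keyword list, in the spirit of the "antivirs" setting in config.ini
        [string[]]$Keywords = @('virus', 'Trend Micro', 'Symantec')
    )
    $results = @()
    try {
        # Same query as the VBS script in post #9. Get-WmiObject throws
        # "Invalid namespace" where Security Center is not present; -ErrorAction Stop
        # turns that into a catchable exception instead of a silent empty result.
        $products = Get-WmiObject -Namespace 'root\SecurityCenter' -Class 'AntivirusProduct' -ErrorAction Stop
        foreach ($p in $products) {
            $results += [pscustomobject]@{
                Source   = 'SecurityCenter'
                Name     = $p.displayName
                Vendor   = $p.companyName
                Version  = $p.versionNumber
                UpToDate = $p.productUptoDate   # boolean set by the AV product; no definitions date is published
            }
        }
        if ($results.Count -gt 0) { return $results }
    } catch {
        Write-Verbose "root\SecurityCenter unavailable ($($_.Exception.Message)); using keyword match"
    }

    # Fallback: scan the installed-software list (Uninstall keys, 32- and 64-bit views)
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }
    foreach ($app in $installed) {
        foreach ($kw in $Keywords) {
            if ($app.DisplayName -like "*$kw*") {
                $results += [pscustomobject]@{
                    Source   = 'KeywordMatch'
                    Name     = $app.DisplayName
                    Vendor   = $app.Publisher
                    Version  = $app.DisplayVersion
                    UpToDate = $null   # unknown: the software list carries no status information
                }
                break   # one hit per product is enough
            }
        }
    }
    return $results
}

Get-AntivirusStatus -Verbose | Format-Table -AutoSize
```

A KeywordMatch row with UpToDate empty is the Server 2003 situation the thread describes: the product is installed, but nothing on that OS can vouch for its status.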
