
Server Alerts for no AntiVirus



We have found that our servers are reporting that we do not have any antivirus running on them (I can assure you we do!). If I look into the installed software list it picks up the AV program. Is this a bug in the current version, or maybe we need to add our AV to a recognised list? It seems to work fine with clients, just not servers. We are running Trend AV.


Our software can recognize all antiviruses and firewalls (in Windows XP SP2/SP3 and Windows Vista) and antispyware (only in Windows Vista) that support Windows Security Center, that is if they are displayed by Security Center. The vendors of antivirus (firewall and antispyware) software should provide this support from their side, because they have to publish the product information and status to the system in a special way. Otherwise neither our product, nor Windows itself can recognize such software (in this case Windows Security Center should usually generate a message from time to time that the computer is not protected by antivirus).


Unfortunately this may not work on Windows 2000 (Professional and Server) and earlier and also on Server 2003 and Server 2008 systems, because they don't have Security Center, that is they don't provide an interface for the antivirus/firewall products to publish their status to the system and thus to other third-party applications.


We are going to add support for direct detection of the most popular antivirus products without the Security Center interface in future versions of our program.

  • 4 weeks later...

Adding AV detection without the need for Security Center would be a welcome addition... looking forward to it.


In the meantime, can you help me by letting me know what TNI is searching to determine if the antivirus is up to date?

And is there any way to be able to list a date for the AV definitions file?


Similar to how TNI currently lists the dates for Windows Updates.


Thanks in advance,

Marianne


There is a non-documented namespace in the Windows Management Instrumentation service which allows antiviruses, firewalls and anti-spyware to publish information about their status (for Security Center and, luckily, for anybody else who might want to use it). Unfortunately a field for the virus definitions date was not provided, only a boolean value: whether the program is up-to-date or not. So the antivirus itself knows exactly the date when it was updated, and if it was too long ago (for example more than 2 weeks), it sets this up-to-date flag to "false" by itself. Then Security Center or TNI reads this info.



In regards to the "True" or "False" flag on the AV being up to date... where can I get solid information on how the system reads a true or false?

For example, what is the time frame that would trigger a "False" in the up to date field: 1 week, 2 weeks, 1 month, etc.?

Can you provide it, or is this something I need to question MS about?


This is done via WMI, but it's not documented in MSDN. For example, it can be done using a VBS script (for the local machine):

' "." means the local machine; put a hostname here to query a remote one
strComputer = "."

' Connect to the undocumented Security Center namespace and enumerate
' every antivirus product that has published its status there
Set wbemServices = GetObject("winmgmts:\\" & strComputer & "\root\SecurityCenter")
Set wbemObjectSet = wbemServices.InstancesOf("AntivirusProduct")

' Print the fields the vendor published; productUptoDate is the
' boolean flag the antivirus sets by itself, not a definitions date
For Each wbemObject In wbemObjectSet
    str1 = "AV name: " & wbemObject.displayName & vbCrLf
    str1 = str1 & "Vendor: " & wbemObject.companyName & vbCrLf
    str1 = str1 & "Version: " & wbemObject.versionNumber & vbCrLf
    str1 = str1 & "Up to date: " & wbemObject.productUptoDate & vbCrLf
    WScript.Echo str1
Next

But anyway neither we nor Microsoft know when and how the up-to-date flag is set, because, as I've already said, it is set by the antivirus product itself. So if you need to know the exact time, you should question the particular antivirus product manufacturer.

  • 2 weeks later...

I hate to be a wet blanket... but we too are getting no AV installed. We are getting them on XP boxes that are peer to peer, and server boxes on the domain. AV is Symantec Corp Ed. AV reports just fine for servers and desktops in TNI version 1.5.38 (possibly some later ones too), but the two more recent versions I have, 1.6.6 and 1.6.7, have emptiness in the AV portion.


Ahhhhh, I think I see what's going on now. We have backwards and forwards incompatibility. If I take a scan with TNI 1.5 at work or at a client, bring it home to do some exporting to spreadsheets or whatnot, and use 1.6.6 or 1.6.7 on my desktop, I cannot see anything in the AV category. The same is true with scanning in 1.6.7 and viewing in 1.5: the AV section is kaput. I would have hoped that data from prior scans would still be readable in newer versions without having to redo the scans.


When the category was named "Antivirus", the information for it was collected in a very simple way: the list of installed software was scanned for matches with a certain list of keywords which usually appear in antivirus names (generic words like "virus" and some names of software publishers like "Trend Micro"), and in case of a match the item was included in the Antiviruses list.


When "Security" was introduced in 1.6.5, the system was changed and information started to be collected via an undocumented interface in WMI, in the same way that Windows Security Center gets this info. Of course the majority of antivirus vendors introduced support for this interface in their products, and they should publish this info in a special way to the system, so that Security Center shows a user that his PC is protected. The way to publish this info is provided to antivirus vendors only under a non-disclosure agreement, so that nobody else could fake the protection status of a computer. And the way to collect this info is just not documented by Microsoft, but it is discussed on some forums and its implementation is possible with this information.


However this way only works under two conditions. First, the Security Center interface should be present on the system (which is true only for XP and Vista); that's why it cannot be detected on any server system (or on any 2000 and earlier system). Second, the antivirus should support this interface. I don't know if this is true for the particular product you use. Can you please check if Security Center on XP machines shows your antivirus name, version and up-to-date status?


As to the compatibility of versions: in the case of moving forward, surely if you scan a computer with 1.6.0 or an earlier version, there will be no information from this WMI interface, which newer versions (1.6.5 and above) expect to find in the XML file and display. However in the case of moving backward, if you take the newer file to older versions, they will not know about "Security" information, but nevertheless they will have the installed software list and they will be able to find the antivirus product. It can only be that there is no specific keyword to detect the particular product. You can add such a keyword (it can also be two words with a space between them, that is any exact part of the name): in the file "config.ini" there is a parameter "antivirs"; just add a comma and the part of the antivirus product name (this is for 1.6.0 and earlier versions).
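The thread describes two ways of finding an antivirus product on a machine: reading what the product publishes to the Security Center WMI namespace (the VBScript above), and, in older TNI versions, matching the installed-software list against a comma-separated keyword list (the "antivirs" parameter in config.ini). The following PowerShell is an added example, not code from this thread or from TNI, that does the same two things for one machine: it tries the Security Center namespace first, and when nothing is published there (a server OS, or a product that does not support the interface) it falls back to the keyword match. It goes one step beyond the thread: besides root\SecurityCenter it also tries root\SecurityCenter2, where Vista and later publish the same data with the up-to-date flag folded into an undocumented productState integer, shown raw here rather than decoded. The keyword list is a constructed stand-in, since the exact keywords TNI ships are not on the page, and the function names are my own.

```powershell
# Added example: Security Center WMI query with keyword-match fallback.
# Constructed stand-in for the config.ini "antivirs" value (comma-separated,
# multi-word entries allowed); the real list is not on the page.
$antivirsKeywords = 'virus,Trend Micro,Symantec'

function Get-SecurityCenterProducts {
    # root\SecurityCenter is what the thread's VBScript queries (XP SP2/SP3).
    # root\SecurityCenter2 is an assumption beyond the thread: Vista and later
    # use it, with companyName/versionNumber/productUptoDate replaced by
    # productState, an undocumented integer that is printed raw here.
    $results = @()
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        try {
            $items = Get-WmiObject -Namespace $ns -Class AntivirusProduct -ErrorAction Stop
        } catch {
            continue   # namespace or class absent: server OS, or pre-XP SP2
        }
        foreach ($p in $items) {
            $results += [pscustomobject]@{
                Source   = $ns
                Name     = $p.displayName
                Vendor   = $p.companyName       # root\SecurityCenter only
                Version  = $p.versionNumber     # root\SecurityCenter only
                UpToDate = $p.productUptoDate   # boolean set by the AV itself; $null in SecurityCenter2
                State    = $p.productState      # root\SecurityCenter2 only; $null in SecurityCenter
            }
        }
    }
    return $results
}

function Get-InstalledSoftwareNames {
    # Read the Uninstall registry keys rather than Win32_Product: Win32_Product
    # is slow and triggers MSI consistency checks on every call.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { $_.DisplayName } |
        Sort-Object -Unique
}

function Find-AntivirusByKeyword {
    param(
        [string[]]$InstalledNames,
        [string]$KeywordList   # comma-separated, like the config.ini "antivirs" parameter
    )
    # Split on commas, trim, drop empties; each keyword is matched as a
    # case-insensitive substring, so "Trend Micro" matches any exact part of a name.
    $keywords = $KeywordList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($name in $InstalledNames) {
        foreach ($kw in $keywords) {
            if ($name.IndexOf($kw, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Name = $name; MatchedKeyword = $kw }
                break   # one hit per installed product is enough
            }
        }
    }
}

# Usage: prefer published Security Center data; fall back to keywords only when
# it is empty. The fallback proves only that a product is installed and says
# nothing about whether it is running or up to date, which is the gap the
# thread describes for servers.
$published = Get-SecurityCenterProducts
if ($published) {
    $published | Format-Table -AutoSize
} else {
    Write-Host 'Nothing published to Security Center; falling back to keyword match.'
    Find-AntivirusByKeyword -InstalledNames (Get-InstalledSoftwareNames) -KeywordList $antivirsKeywords |
        Format-Table -AutoSize
}
```

Run it in an elevated Windows PowerShell session on the machine being inventoried (Get-WmiObject is the Windows PowerShell cmdlet; on PowerShell 7 substitute Get-CimInstance with the same -Namespace and -Class parameters). A server that prints only keyword matches is exactly the case the thread explains: the product is installed, but because there is no Security Center interface on that OS nothing reports whether it is enabled or current, so an inventory tool cannot claim more than "installed" for it.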
