Monitoring Antivirus on Windows

  • Freaky
    Junior Member
    • Sep 2014
    • 14

    #1

    Monitoring Antivirus on Windows

    Hello,

    I'm trying to monitor some info from the antivirus on some workstations but can't figure out how.

    The main thing I want to monitor is whether the AV is up to date. Other things would be nice, like the last update, if a virus is found, etc.

    I found some commands that I tried using:

    1: C:\>wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value | find "displayName" (This gives me an error: Invalid command)


    2: C:\>wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET

    This gives me a lot of information, but I don't think I can use this to see if it's up to date.

    I can't seem to find a lot of information about monitoring antivirus in Zabbix.

    Help would be greatly appreciated!

    Greetings, Freek
  • Freaky
    Junior Member
    • Sep 2014
    • 14

    #2
    Anybody able to help me with this?

    Comment

    • aib
      Senior Member
      • Jan 2014
      • 1615

      #3
      I have no problem getting information:

      Code:
      C:\Windows\System32>wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct
       GET /value
      
      
      displayName=ESET Endpoint Antivirus 5.0
      instanceGuid={77DEAFED-8149-104B-25A1-21771CA47CD1}
      pathToSignedProductExe=C:\Program Files\ESET\ESET NOD32 Antivirus\ecmd.exe
      pathToSignedReportingExe=C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
      
      productState=266240
      Code:
      C:\Windows\System32>wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct
       GET /value | find "displayName"
      displayName=ESET Endpoint Antivirus 5.0
      But I cannot find any detailed information (like DB version, last update, number of viruses found, etc.)
      What is your question?
      Sincerely yours,
      Aleksey

      Comment

      • Freaky
        Junior Member
        • Sep 2014
        • 14

        #4
        Strange, the commands seem to work fine for me now.

        How do I create an item/trigger out of this value? And is there a list of what the values mean?

        I get this value as well: 266240. My antivirus is up to date, so I guess this value means it's up to date?

        Thanks for your help!

        Comment

        • macaulay
          Junior Member
          • Oct 2014
          • 6

          #5
          Originally posted by Freaky
          Strange, the commands seem to work fine for me now.

          How do I create an item/trigger out of this value? And is there a list of what the values mean?

          I get this value as well: 266240. My antivirus is up to date, so I guess this value means it's up to date?

          Thanks for your help!
          In Windows Vista, the WMI query to get anti-virus information has been changed. Pre-Vista clients used the root/SecurityCenter namespace, while Post-Vista clients use the root/SecurityCenter2 names...


          Code:
          266240 -> 0x041000:
          ANTIVIRUS + active + dat_files_up_todate
          
          266256 -> 0x041010:
          ANTIVIRUS + active + dat_files_NOT_up_todate
          
          397312 -> 0x061000:
          ANTIVIRUS + AUTOUPDATE + active + dat_files_up_todate
          
          397584 -> 0x061110 (Windows Defender started on Win7):
          ANTIVIRUS + AUTOUPDATE + ???? + dat_files_NOT_up_todate
          
          393488 -> 0x060110 (Windows Defender stopped on Win7):
          ANTIVIRUS + AUTOUPDATE + ???? + dat_files_NOT_up_todate
          Still a best guess, but I'm working with the above information at the moment. Sophos also writes some info to the registry; YMMV.

          Mac

          Comment

          • Freaky
            Junior Member
            • Sep 2014
            • 14

            #6
            Thanks for your help!

            Good to know some of the values. Can you help me or link me to a similar thread to set up items/triggers?

            Comment

            • macaulay
              Junior Member
              • Oct 2014
              • 6

              #7
              Sure, my items are as follows:

              service_state[SAVService]
              ; detects if the service exists/is installed and if it's running

              and a script written in AutoIt to return the time since the last successful update (see UserParameters in the wiki)

              Code:
              #include <Date.au3>
              
              Global $iDateCalc = _DateDiff('s', "1970/01/01 00:00:00", _NowCalc())
              Global $lastUpdate = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\UpdateStatus","LastUpdateTime")
              If @error Then ;cannot read reg key. May not exist?
              	ConsoleWrite("ERROR") ;non-descript error
              	Exit
              EndIf
              
              ;Main
              $result = $iDateCalc - $lastUpdate ;Now (in seconds) minus last update time (in seconds)
              ConsoleWrite($result & @LF) ;returns result
              I have been trying to extract whether onAccessScanning is enabled or not, but am only interested in Windows Servers, so WMI is a non-starter...

              Mac

              Comment

              • macaulay
                Junior Member
                • Oct 2014
                • 6

                #8
                Also, the following will report the On-Access Scanning status on Windows XP (desktop only; not Server compatible)

                Code:
                wmi.get[root\SecurityCenter,SELECT onAccessScanningEnabled FROM AntiVirusProduct]
                and this:

                Code:
                C:\Windows\System32>wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct
                 GET /value
                
                
                displayName=ESET Endpoint Antivirus 5.0
                instanceGuid={77DEAFED-8149-104B-25A1-21771CA47CD1}
                pathToSignedProductExe=C:\Program Files\ESET\ESET NOD32 Antivirus\ecmd.exe
                pathToSignedReportingExe=C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
                
                productState=266240
                as a Zabbix item is

                Code:
                wmi.get[root\SecurityCenter2,SELECT productState FROM AntiVirusProduct]
                Mac

                Comment

                • aib
                  Senior Member
                  • Jan 2014
                  • 1615

                  #9
                  1) Create a "Value Mapping" for all possible values:
                  Code:
                  - 266240 -> ANTIVIRUS + active + dat_files_up_todate
                  - 266256 -> ANTIVIRUS + active + dat_files_NOT_up_todate
                  - 397312 -> ANTIVIRUS + AUTOUPDATE + active + dat_files_up_todate
                  - 397584 -> ANTIVIRUS + AUTOUPDATE + ???? + dat_files_NOT_up_todate
                  - 393488 -> ANTIVIRUS + AUTOUPDATE + ???? + dat_files_NOT_up_todate
                  2) Create a UserParameter on the client's PC in the Zabbix_agent.conf file
                  Code:
                  UserParameter=product_state,wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value | find "productState"
                  3) Create an Item in the web interface for the client's Host.
                  Code:
                  Name: Antivirus State
                  Type: Zabbix Agent
                  Key: product_state
                  Type of information: numeric(unsigned)
                  .....
                  Update Interval: 600 (or any one which you like more)
                  .....
                  Show value as: (select from list the previously created Value Mapping)
                  4) Create a trigger:
                  Code:
                  Name: Antivirus is OUT of date
                  Expression: ({client_pc:product_state.last(0)}<>266240) and ({client_pc:product_state.last(0)}<>397312)
                  Severity: DISASTER
                  Do you feel better now?
                  Sincerely yours,
                  Aleksey

                  Comment
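The productState table in #5 and the value mapping and trigger in #9 both work from a fixed list of integers. The Python below is an added example (not from this thread, Sophos, ESET or Zabbix) that generalises them: it decodes productState as a bit field using only the bits that table supports (the thread itself calls that table a best guess, so bits outside it are reported as unknown), parses the `GET /value` output that the UserParameter in #9 pipes through `find`, and applies the trigger's "out of date" logic as a mask check instead of comparing against two literal values. The sample wmic output is constructed.

```python
import re

# Bit masks derived only from the productState table posted in #5.
# 0x041000 vs 0x041010 differ by 0x10   -> signatures NOT up to date
# 0x041000 vs 0x061000 differ by 0x20000 -> AUTOUPDATE
# 0x061110 vs 0x060110 differ by 0x1000  -> product active / stopped
ANTIVIRUS = 0x040000
AUTOUPDATE = 0x020000
ACTIVE = 0x001000
SIGS_OUT_OF_DATE = 0x000010
KNOWN_BITS = ANTIVIRUS | AUTOUPDATE | ACTIVE | SIGS_OUT_OF_DATE

def decode_product_state(state):
    """Return the flags the thread's table lets us name, plus any leftover bits."""
    return {
        "antivirus": bool(state & ANTIVIRUS),
        "autoupdate": bool(state & AUTOUPDATE),
        "active": bool(state & ACTIVE),
        "signatures_up_to_date": not (state & SIGS_OUT_OF_DATE),
        "unknown_bits": state & ~KNOWN_BITS,  # the thread's "????" parts land here
    }

def describe(state):
    """Build a label in the same style as the value mapping in #9."""
    f = decode_product_state(state)
    parts = [name for name, on in (("ANTIVIRUS", f["antivirus"]),
                                   ("AUTOUPDATE", f["autoupdate"])) if on]
    parts.append("active" if f["active"] else "inactive")
    parts.append("dat_files_up_todate" if f["signatures_up_to_date"]
                 else "dat_files_NOT_up_todate")
    if f["unknown_bits"]:
        parts.append("unknown_bits=0x%06X" % f["unknown_bits"])
    return " + ".join(parts)

def parse_wmic_value_output(text):
    """Extract every productState from 'wmic ... GET /value' style output."""
    return [int(m) for m in re.findall(r"^productState=(\d+)\r?$", text, re.M)]

def needs_alert(state):
    """Trigger logic from #9 as a mask check: alert unless active and up to date."""
    f = decode_product_state(state)
    return not (f["antivirus"] and f["active"] and f["signatures_up_to_date"])

# Constructed sample: two products, as wmic prints them one block after another.
SAMPLE_WMIC_OUTPUT = r"""
displayName=ESET Endpoint Antivirus 5.0
pathToSignedProductExe=C:\Program Files\ESET\ESET NOD32 Antivirus\ecmd.exe
productState=266240

displayName=Example Defender (constructed)
productState=397584
"""

if __name__ == "__main__":
    for s in parse_wmic_value_output(SAMPLE_WMIC_OUTPUT):
        print(s, hex(s), describe(s), "ALERT" if needs_alert(s) else "ok")
```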

                  • Freaky
                    Junior Member
                    • Sep 2014
                    • 14

                    #10
                    Thanks for the help guys!

                    I'm trying to get your trigger to work, @aib.

                    Am I supposed to make 2 or 1 trigger(s) from the following line:

                    ({client_pc: product_state.last(0)}<>266240) and {client_pc: product_state.last(0)}<>397312)

                    I tried both; it either gives me this error:

                    Incorrect trigger expression. Check expression part starting from "<>266240) and ({Freek-pc: product_state.last(0)}<>397312)".

                    Or this:
                    Incorrect trigger expression. Check expression part starting from "<>266240)".

                    I'm having a hard time figuring out exactly how expressions work. I will try to fix it myself, but any help would be greatly appreciated!

                    Edit: I put a space between : and product_state because it made a smiley.

                    Comment

                    • aib
                      Senior Member
                      • Jan 2014
                      • 1615

                      #11
                      Maybe (just maybe!) you are not using the freshest version of Zabbix.
                      In that case, the expression has to be written like:
                      Code:
                      ({client_pc: product_state.last(0)}#266240) and ({client_pc: product_state.last(0)}#397312)
                      Sincerely yours,
                      Aleksey

                      Comment

                      • Freaky
                        Junior Member
                        • Sep 2014
                        • 14

                        #12
                        I got it working!

                        Thanks to everybody who helped me

                        Comment

                        • aib
                          Senior Member
                          • Jan 2014
                          • 1615

                          #13
                          Good job!
                          Sincerely yours,
                          Aleksey

                          Comment

                          • pr0b3l
                            Junior Member
                            • Nov 2016
                            • 7

                            #14
                            Heeeelp

                            wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value | find "productState"

                            If I run this, I see:

                            FIND : parameter format not correct

                            Why?!

                            upd.
                            I use Windows 10 (if that's needed).
                            Last edited by pr0b3l; 29-12-2016, 15:41.

                            Comment

                            • troffasky
                              Senior Member
                              • Jul 2008
                              • 567

                              #15
                              Download "WMI Explorer" and use that to identify the exact query.

                              Comment
