Detect Antivirus on Windows Using C#

Detect Antivirus on Windows using C#

According to Microsoft, The Windows Security Center uses a two-tiered approach for detection status. One tier is manual, and the other tier is automatic through Windows Management Instrumentation (WMI). In manual detection mode, Windows Security Center searches for registry keys and files that are provided to Microsoft by independent software manufacturers. These registry keys and files let Windows Security Center detect the status of independent software. In WMI mode, software manufacturers determine their own product status and report that status back to Windows Security Center through a WMI provider. In both modes, Windows Security Center tries to determine whether the following is true:

An antivirus program is present.

The antivirus signatures are up-to-date.

Real-time scanning or on-access scanning is turned on for antivirus programs.

For firewalls, Windows Security Center detects whether a third-party firewall is installed and whether the firewall is turned on or not.

So in order to determine the presence of an antivirus software, you can use the WMI making a connection to the root\SecurityCenter namespace (starting with windows Vista you must use the root\SecurityCenter2 namespace), and then query for the AntiVirusProduct WMI class.

Look at this sample code

using System;
using System.Text;
using System.Management;

namespace ConsoleApplication1
{
  class Program
  {
    public static bool AntivirusInstalled()
    {

      string wmipathstr = @"\\" + Environment.MachineName + @"\root\SecurityCenter";
      try
      {
        ManagementObjectSearcher searcher = new ManagementObjectSearcher(wmipathstr, "SELECT * FROM AntivirusProduct");
        ManagementObjectCollection instances = searcher.Get();
        return instances.Count > 0;
      }

      catch (Exception e)
      {
        Console.WriteLine(e.Message);
      }

      return false;
    } 

    public static void Main(string[] args)
    {
      bool returnCode = AntivirusInstalled();
      Console.WriteLine("Antivirus Installed " + returnCode.ToString());
      Console.WriteLine();
      Console.Read();
    }

  }
}

How to detect antivirus on Windows Server 2008 in C#?

I faced this problem some time ago for a client and I ended up performing a dictonary search on the local system drivers and processes looking for a pattern of know anti-virus signatures (such as folder names, processes names, etc...) it's not 100% sure because somewhere someone will donwload a brand new anti-virus that you're unware of, but that apart, it was very effective...

Check anti-virus status in C#

Sample can be found here using WMI as you mentioned. The poster states this is being done on a Win 7 machine; so the code below should get you started...

ConnectionOptions _connectionOptions = new ConnectionOptions();
//Not required while checking it in local machine.
//For remote machines you need to provide the credentials
//options.Username = "";
//options.Password = "";
_connectionOptions.EnablePrivileges = true;
_connectionOptions.Impersonation = ImpersonationLevel.Impersonate;
//Connecting to SecurityCenter2 node for querying security details
ManagementScope _managementScope = new ManagementScope(string.Format("\\\\{0}\\root\\SecurityCenter2", ipAddress), _connectionOptions);
_managementScope.Connect();
//Querying
ObjectQuery _objectQuery = new ObjectQuery("SELECT * FROM AntivirusProduct");
ManagementObjectSearcher _managementObjectSearcher =
    new ManagementObjectSearcher(_managementScope, _objectQuery);
ManagementObjectCollection _managementObjectCollection = _managementObjectSearcher.Get();
if (_managementObjectCollection.Count > 0)
{
    foreach (ManagementObject item in _managementObjectCollection)
    {
        Console.WriteLine(item["displayName"]);
        //For Kaspersky AntiVirus, I am getting a null reference here.
        //Console.WriteLine(item["productUptoDate"]);

        //If the value of ProductState is 266240 or 262144, its an updated one.
        Console.WriteLine(item["productState"]);
    }
}

I need a better way to query installed antivirus. Something like this in c# Perhaps?

You can add a reference to System.Management. Then using ManagementObjectSearcher you can run a WMI query.

To find installed antiviruses you should search in SecurityCenter2. For example:

var path = string.Format(@"\\{0}\root\SecurityCenter2", Environment.MachineName);
var searcher = new ManagementObjectSearcher(path, "SELECT * FROM AntivirusProduct");
var instances = searcher.Get().Cast<ManagementObject>()
                        .Select(x => (string)x.GetPropertyValue("displayName"))
                        .ToList();

Note 1: For Windows XP, search in SecurityCenter.

Note 2: You can also read other properties of the AntiVirusProduct:

• displayName : string
• instanceGuid : string
• pathToSignedProductExe : string
• pathToSignedReportingExe : string
• productState : UInt32. (For information on how to parse the status, take a look at this post.)
• timestamp : string

Windows - How to trigger Anti Virus Updates via windows API / .NET / C# / WMI?

Most programs allow you to use a command-line prompt to execute updates etc.

For Windows Defender, it comes with a command-line utility that lets you run updates, scans, etc. through the command-line. See TN Run (and Automate) Windows Defender from the Command Line

Windows Defender:

MpCmdRun.exe -SignatureUpdate

AVG (Anti-Spam & Program/Virus DB Updates):

avgmfapx.exe /AppMode=UPDANTISPAM 
avgmfapx.exe /AppMode=UPDATE

Once you know the Command-line Command, you can Run Command Prompt Commands to execute the update etc.

Windows Defender Antivirus scan from C# [AccessViolation exception]

I couldn't identify the problem here. So I ended up with Antimalware Scan Interface (AMSI) available starting from Windows 10.

I have written a sample C# code here.

One thing I found is AMSI requires Windows defender/any antivirus to be turned on to verify the file passed to API. But triggering a scan through MpClient.dllwill trigger a defender scan even if defender is turned off.

Also ensure your project targets x64 platform.

public enum AMSI_RESULT
    {
        AMSI_RESULT_CLEAN = 0,
        AMSI_RESULT_NOT_DETECTED = 1,
        AMSI_RESULT_DETECTED = 32768
    }

[DllImport("Amsi.dll", EntryPoint = "AmsiInitialize", CallingConvention = CallingConvention.StdCall)]
public static extern int AmsiInitialize([MarshalAs(UnmanagedType.LPWStr)]string appName, out IntPtr amsiContext);

[DllImport("Amsi.dll", EntryPoint = "AmsiUninitialize", CallingConvention = CallingConvention.StdCall)]
public static extern void AmsiUninitialize(IntPtr amsiContext);

[DllImport("Amsi.dll", EntryPoint = "AmsiOpenSession", CallingConvention = CallingConvention.StdCall)]
public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);

[DllImport("Amsi.dll", EntryPoint = "AmsiCloseSession", CallingConvention = CallingConvention.StdCall)]
public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);

[DllImport("Amsi.dll", EntryPoint = "AmsiScanString", CallingConvention = CallingConvention.StdCall)]
public static extern int AmsiScanString(IntPtr amsiContext, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)]string @string, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)]string contentName, IntPtr session, out AMSI_RESULT result);
[DllImport("Amsi.dll", EntryPoint = "AmsiScanBuffer", CallingConvention = CallingConvention.StdCall)]
public static extern int AmsiScanBuffer(IntPtr amsiContext, [In] [MarshalAs(UnmanagedType.LPArray)] byte[] buffer, uint length, [In()] [MarshalAs(UnmanagedType.LPWStr)] string contentName, IntPtr session, out AMSI_RESULT result);

//This method apparently exists on MSDN but not in AMSI.dll (version 4.9.10586.0)
[DllImport("Amsi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall)]
public static extern bool AmsiResultIsMalware(AMSI_RESULT result);

private void CallAntimalwareScanInterface()
{
    IntPtr amsiContext;
    IntPtr session;
    AMSI_RESULT result = 0;
    int returnValue;

    returnValue = AmsiInitialize("VirusScanAPI", out amsiContext); //appName is the name of the application consuming the Amsi.dll. Here my project name is VirusScanAPI.   
    returnValue = AmsiOpenSession(amsiContext, out session);
    returnValue = AmsiScanString(amsiContext, @"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", "EICAR", session, out result); //I've used EICAR test string.   
    AmsiCloseSession(amsiContext, session);
    AmsiUninitialize(amsiContext);
}

---

Related Topics