Troubleshooting Antivirus/Antispyware reporting

 

Before we investigate this issue, I should first explain how RapidFire Tools Antivirus and Antispyware detection works and what type of data we report.

 

The data collector checks three statuses when scanning endpoints for Antivirus and Antispyware: whether the product is installed, whether it is running, and whether it is up to date.

It does this using Windows Management Instrumentation (WMI), which allows the data collector to read each of these values from the computer's Windows Security Center. Almost all Antivirus and Antispyware products register themselves with Security Center, so we have found this to be the most reliable method to gather the AV's status.

Unfortunately, Server versions of Windows do not have Security Center, so the data collector cannot determine whether the product is up to date there. It can, however, determine whether it is installed and running by checking the product's installed service.

 

If you are seeing Antivirus or Antispyware being reported incorrectly on workstations, chances are the AV/AS did not properly update the WMI database on the machine.
This can be easily validated by running the PowerShell commands below on the machine(s) in question.

 

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

 

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct

 

The results of each of those commands should reflect what you see in the RapidFire Tools reports.
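The script below is an added illustration and is not part of this article or of the RapidFire Tools collector. It runs the same two Get-WmiObject queries, then decodes the productState value into the three statuses described above (installed, running, up to date). The bit meanings used for productState are the widely used community interpretation of an undocumented field, so they are an assumption here; confirm them against the vendor console. The namespace check at the top handles Windows Server, where root\SecurityCenter2 does not exist.

```powershell
# Added example (not RapidFire Tools' code): enumerate what Security Center has
# registered and decode productState into the three statuses the collector reports.
# The productState bit meanings are the commonly used interpretation of an
# undocumented field; treat them as an assumption and verify against the vendor console.
function Get-SecurityCenterStatus {
    # Windows Server has no Security Center, so the namespace itself is absent there.
    $nsPresent = Get-WmiObject -Namespace root -Class __NAMESPACE -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -eq 'SecurityCenter2' }
    if (-not $nsPresent) {
        Write-Warning 'root\SecurityCenter2 is not present (expected on Windows Server); only installed/running can be checked, via the product service.'
        return
    }

    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct') {
        $products = @(Get-WmiObject -Namespace root\SecurityCenter2 -Class $class -ErrorAction SilentlyContinue)

        if ($products.Count -eq 0) {
            # Nothing registered: the report will show the product as not installed,
            # even if the vendor's agent is actually present on the machine.
            [PSCustomObject]@{
                Class = $class; DisplayName = '<nothing registered>'; ProductState = $null
                Installed = $false; Running = $false; UpToDate = $false; LastUpdate = $null
            }
            continue
        }

        foreach ($p in $products) {
            $state = [int]$p.productState
            [PSCustomObject]@{
                Class        = $class
                DisplayName  = $p.displayName
                ProductState = ('0x{0:X6}' -f $state)
                Installed    = $true
                # Assumed bit layout: 0x1000 set = real-time protection enabled (running).
                Running      = (($state -band 0x1000) -ne 0)
                # Assumed bit layout: 0x10 set = definitions out of date.
                UpToDate     = (($state -band 0x10) -eq 0)
                LastUpdate   = $p.timestamp
            }
        }
    }
}

# Compare this table with the Endpoint Security entries shown in Data Explorer.
Get-SecurityCenterStatus | Format-Table -AutoSize
```

If the DisplayName column shows "<nothing registered>" while the vendor's agent is clearly installed, that is the registration problem this article describes; if the product is listed but Running or UpToDate is false, the vendor's own console is the place to confirm whether that reflects reality or a stale Security Center entry.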

Here is an example of those commands compared to the results shown in the Network Detective Data Explorer. Notice that the display name and the product state reflect what we are reporting.

Network Detective Data Explorer results for Endpoint Security: (screenshot)

PowerShell command results for Antispyware: (screenshot)

PowerShell command results for Antivirus: (screenshot)

If you run those same PowerShell commands on a machine where the results do not reflect the AV/AS that is actually installed, you can confidently assume the AV/AS has not registered itself properly on the machine in question. At this point you have two options: purge the WMI instances storing those values so the AV can re-register itself, or use the Issue Exceptions Worksheet in Network Detective to add a compensating control for the issue. The compensating control will prevent that issue from affecting your score.

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object { $_.Delete() }

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object { $_.Delete() }

NOTE: Running either of those commands requires a reboot afterwards so that the AV can register itself again in the WMI database.
