WMI Any Anti-Spyware Doesn't Seem To Work

  • Question

  • I am trying to create a policy on the IAG that will check for anti-spyware software. It doesn't seem to work for anything other than Windows Defender. The list of software my project needs to find is:

    McAfee*, Avast, CA Internet Security Suite, Norton 360, KAS Internet Security, AVG 2009, NAV 2009, KAS 2009
    *The entire internet security suite, not just the anti-spyware app.

    Anyway... I have everything under "anti-spyware" checked and it's not detecting any of these, WMI or not (they aren't in the list, except for McAfee). Has anyone else come across this? Is this a product issue?
    Friday, June 19, 2009 7:31 PM

Answers

  • Hi Bryan. There are two ways to detect security software. The first one is searching for the specific product and the second one is WMI. The first one is easy to understand: there are functions to read registry keys, installation paths and so on. Many times the searches have to be adjusted to every single product version, as software vendors don't follow a common pattern for the installation even in their own products (e.g. McAfee uses NAI, McAfee or Network Associates in registry keys depending on the version of the product). This means the detection script may be able to detect one version but fail with a newer one, as the details of the product can vary. The way to fight against this is to check periodically the detection scripts provided by the support team. To troubleshoot this detection method you can use the client tracing and also check the endpoint report in Web Monitor.

    The second way is more universal. As you know, Microsoft introduced a service called Security Center that reports the security state of the machine (AV, AS and PFW). The way the Security Center is aware of the installed products and their updates is via WMI registration. There is a WMI namespace in root\securitycenter where the security software writes its existence. The Security Center checks this namespace and so does the IAG detection script. Notice that Windows XP can only report antivirus software but not anti-spyware via WMI. To troubleshoot this method you can use client tracing, Security Center, WMI querying (there are some WMI explorers with GUI out there) and the endpoint report in Web Monitor.

    Hope it helps

    // Raúl
    • Marked as answer by Erez Benari Wednesday, June 24, 2009 7:30 PM
    Sunday, June 21, 2009 9:52 AM
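    The PowerShell script below is an added example, not part of the original thread and not one of the IAG detection scripts. It runs both checks Raúl describes on an endpoint: method 2 queries the Security Center WMI registration (root\SecurityCenter for the XP SP2/SP3 schema, root\SecurityCenter2 for Vista SP1 and later), and method 1 does a product-specific registry search using name patterns adapted from the question's list and the McAfee hive names (NAI, McAfee, Network Associates) the answer mentions. Assumptions, labelled in the comments as well: PowerShell 2.0 or later with Get-WmiObject; the productState bit decoding for root\SecurityCenter2 is not documented by Microsoft and is the commonly used interpretation; the vendor key names and product patterns are illustrative and not a verified per-version list. On an XP endpoint the AntiSpywareProduct query fails because that class is not defined there, which is exactly the gap this thread is about, so the script records the failure instead of silently returning nothing.

```powershell
# Added example (not from the thread or the IAG scripts): check an endpoint for
# security software the two ways Raúl describes. Assumes PowerShell 2.0 or later
# with Get-WmiObject. The productState bit layout for root\SecurityCenter2 is not
# documented by Microsoft; the masks below are the commonly used interpretation.

# Name patterns adapted from the question's list (KAS/NAV expanded; -like wildcards).
$WantedProducts = @('McAfee*', 'Avast*', 'CA Internet Security Suite*', 'Norton 360*',
                    'Kaspersky*', 'AVG*', 'Norton AntiVirus*')

function Get-Prop($obj, $name) {
    # Read a WMI property only if the class actually defines it (schemas differ
    # between AntiVirusProduct, AntiSpywareProduct and FirewallProduct).
    $prop = $obj.PSObject.Properties[$name]
    if ($prop) { return $prop.Value } else { return $null }
}

function Get-SecurityCenterProducts {
    # Method 2 (WMI registration): root\SecurityCenter is the XP SP2/SP3 schema,
    # root\SecurityCenter2 the Vista SP1+ schema. Each registered product is one
    # instance of the class; an absent class is reported, not ignored.
    $results = @()
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
            try {
                $items = @(Get-WmiObject -Namespace $ns -Class $class -ErrorAction Stop)
            } catch {
                # Expected on XP: root\SecurityCenter2 does not exist and
                # AntiSpywareProduct is not defined, because XP's Security Center
                # tracks AV and firewall only. This is the gap the thread is about.
                $results += New-Object PSObject -Property @{
                    Namespace = $ns; Class = $class; DisplayName = $null
                    Enabled = $null; UpToDate = $null
                    Note = "class not available ($($_.Exception.Message))" }
                continue
            }
            foreach ($p in $items) {
                if ($p -eq $null) { continue }
                $state = Get-Prop $p 'productState'
                if ($state -ne $null) {
                    # root\SecurityCenter2 packs state into one integer (assumed decoding):
                    # 0x1000 set = real-time protection on; 0x10 set = signatures out of date.
                    $enabled  = (([int]$state -band 0x1000) -ne 0)
                    $upToDate = (([int]$state -band 0x10) -eq 0)
                } else {
                    # root\SecurityCenter exposes booleans; FirewallProduct uses 'enabled'.
                    $enabled  = Get-Prop $p 'onAccessScanningEnabled'
                    if ($enabled -eq $null) { $enabled = Get-Prop $p 'enabled' }
                    $upToDate = Get-Prop $p 'productUptoDate'
                }
                $results += New-Object PSObject -Property @{
                    Namespace = $ns; Class = $class; DisplayName = (Get-Prop $p 'displayName')
                    Enabled = $enabled; UpToDate = $upToDate; Note = '' }
            }
        }
    }
    return $results
}

function Find-InstalledProducts {
    param([string[]]$Patterns = $WantedProducts)
    # Method 1 (product-specific search): match DisplayName in the Uninstall keys
    # (native and Wow6432Node views) against the patterns, then probe the vendor
    # hive names the answer mentions for McAfee (NAI / McAfee / Network Associates).
    # Those hive names are illustrative, not a verified per-version list.
    $found = @()
    $uninstallKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                       'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key -ErrorAction SilentlyContinue) {
            $name = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).DisplayName
            if (-not $name) { continue }
            foreach ($pat in $Patterns) {
                if ($name -like $pat) {
                    $found += New-Object PSObject -Property @{
                        Source = 'Uninstall'; Pattern = $pat; DisplayName = $name; Key = $sub.PSPath }
                }
            }
        }
    }
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        foreach ($vendor in 'McAfee', 'Network Associates', 'NAI') {
            $path = Join-Path $root $vendor
            if (Test-Path $path) {
                $found += New-Object PSObject -Property @{
                    Source = 'VendorKey'; Pattern = $vendor; DisplayName = $null; Key = $path }
            }
        }
    }
    return $found
}

"== Method 2: Security Center WMI registration =="
Get-SecurityCenterProducts | Format-Table Namespace, Class, DisplayName, Enabled, UpToDate, Note -AutoSize
"== Method 1: product-specific registry search =="
Find-InstalledProducts | Format-Table Source, Pattern, DisplayName, Key -AutoSize
```

    Run it on the endpoint itself (elevated, since some vendor keys and WMI namespaces are not readable by a standard user, which also answers Dan's question 6) and compare the two tables with the endpoint report in Web Monitor. A product that shows up only under method 1 is installed but never registered with Security Center, so the ANY_WMI_* policy cannot see it; a product that shows up under neither is the case where only an updated product-specific detection script will help.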

All replies

  • There have been some issues reported for a few of these listed products. Could you answer a few questions to help narrow down the issue? 

    1. What version, service pack, and update level are you at?
    2. Do you have this set to ANY_WMI_ANTI_VIRUS?
    3. What does Security center show?
    4. Can you clarify the versions of the listed A/V product? (x.y.z)
    5. What O/S and version is the endpoint?
    6. Are the results different if the user is an admin versus a regular user?
    7. Is detection running?

    Cheers,

    Dan

    Saturday, June 20, 2009 3:25 AM
  • Dan, 

    To address your questions: 
    1. What version, service pack, and update level are you at?
    SP2 Update1

    2. Do you have this set to ANY_WMI_ANTI_VIRUS?
    Yes. 

    3. What does Security center show?
    Not sure, I am doing this for a client. I don't have these products installed. 

    4. Can you clarify the versions of the listed A/V product? (x.y.z)
    See #3. 

    5. What O/S and version is the end point?
    Windows XP Professional SP3

    6. Are the results different if the user is an admin versus a regular user?
    Not sure, would have to test, but I don't think there will be (see below). 

    7. Is detection running?
    Yes, verified through the web monitor and client side tracing. 

    To add some information here from one of our MS contacts:
    Anti-Spyware WMI detection is not supported on XP boxes since it's not a part of the Windows Security Center.
    Only legacy detection is working and unfortunately it's limited to only a few AS vendors.

    Thursday, June 25, 2009 4:22 PM
  • Hi Bryan,
      To be clear, Raul's answer is correct: "Notice that Windows XP can only report antivirus software but not anti-spyware via WMI." Since your client is running XP, WMI does not have a way to query anti-spyware software. For anti-spyware on XP, only legacy detection is available and unfortunately it's limited to only a few AS vendors. There are two options:

    1) Convince the customer that AS detection is not as important as the AV detection, since most vendors are including all security software in a single product.

    2) You or your customer can open a support case with CSS for a specific DCR per implementation of each AS detection needed. As with all DCRs there would need to be a business justification, and the decision to implement the DCR would hinge on the prioritization of that justification.

    Regards,

    Dan Herzog
    Microsoft CSS IAG Support

    Friday, June 26, 2009 9:57 AM
  • Thank you for the clarification, Dan! It's much appreciated. 
    Friday, June 26, 2009 12:45 PM