Check for Third Party Firewalls on a Machine

Question

I am working on doing a check for Firewalls. The following code quite easily checks the status of the default Windows Firewall:

    INetFwMgr manager = GetFireWallManager();
    bool isFirewallEnabled = manager.LocalPolicy.CurrentProfile.FirewallEnabled;
    if (isFirewallEnabled == false)
    {
      Console.WriteLine("Firewall is not enabled.");
    }
    else
    {
      Consoe.WriteLine("Firewall is enabled.");
    }
    Console.ReadLine();

   private static INetFwMgr GetFireWallManager()
   {
     Type objectType = Type.GetTypeFromCLSID(new Guid(firewallGuid));
     return Activator.CreateInstance(objectType) as INetFwMgr;
   }

The question then becomes: How do I find the status of a non-Windows Firewall? If the Firewall is properly integrated, will the above check work just the same or is there a better method for doing this? I have checked this post: C# Windows Security Center Settings and this post: C# - How to chceck if external firewall is enabled? but both proved relatively unhelpful.

I have been looking into the WMI API but it is pretty confusing so far, and the documentation via MSDN hasn't been too promising. I have also tried messing around with SelectQuery but so far I have been unsuccessful. Can anyone assist me in a new starting point or to where I might be able to find better documentation/instructions concerning 3rd Party Firewalls?

EDIT: Currently I am exploring further into WMI, specifically the class FirewallProduct as suggested by a post.

UPDATE 2: I have been testing the following snippet:

  string wmiNameSpace = "SecurityCenter2";
  ManagementScope scope;
  scope = new ManagementScope(String.Format("\\\\{0}\\root\\{1}", "localhost", wmiNameSpace), null);
  scope.Connect();
  ObjectQuery query = new ObjectQuery("SELECT * FROM FirewallProduct");
  ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query);

But running this results in the following error: Exception Invalid namespace and it points to line 39 (scope.Connect()). I would not be at all surprised if I have simply missed a parameter or formatted something improperly, I just don't know what it is.

UPDATE 3 Switching from SecurityCenter2 to SecurityCenter still yields the same invalid namespace error.

UPDATE 4 I moved the console app over to a different box (win7 not winserver08r2) and it properly reported back as expected. So it may be an issue with the VM that I currently have been testing on. Next step is to parse out active/inactive status

UPDATE 5 It was tested on another Server08 box and the same invalid namespace error appears. Using SecurityCenter instead of SecurityCenter2 does not resolve the issue. Is there some underlying security feature Windows Server OS's use to prevent tampering with Firewalls, or do Server OS's not come with a specific key set of WMI features?

Answer 1

According to Microsoft Q: How does Windows Security Center detect third-party products and their status?

A: Windows Security Center uses a two-tiered approach for detection status. One tier is manual, and the other tier is automatic through Windows Management Instrumentation (WMI). In manual detection mode, Windows Security Center searches for registry keys and files that are provided to Microsoft by independent software manufacturers. These registry keys and files let Windows Security Center detect the status of independent software. In WMI mode, software manufacturers determine their own product status and report that status back to Windows Security Center through a WMI provider. In both modes, Windows Security Center tries to determine whether the following is true:

• An antivirus program is present.
• The antivirus signatures are up-to-date.
• Real-time scanning or on-access scanning is turned on for antivirus programs.
• For firewalls, Windows Security Center detects whether a third-party firewall is installed and whether the firewall is turned on or not.

So you can use the WMI to determine if a third-party firewall is installed, using the FirewallProduct class, sometime ago I wrote an article about this topic which explain how obtain this info using the WMI.

• Getting the installed Antivirus, AntiSpyware and Firewall software using Delphi and the WMI.

Try this sample C# to get the current Third-party firewall name and state installed.

using System;
using System.Collections.Generic;
using System.Management;
using System.Text;

namespace GetWMI_Info
{
    class Program
    {
        
        static void Main(string[] args)
        {
            try
            {
                //select the proper wmi namespace depending of the windows version
                string WMINameSpace = System.Environment.OSVersion.Version.Major > 5 ? "SecurityCenter2" : "SecurityCenter";
 
                ManagementScope Scope;
                Scope = new ManagementScope(String.Format("\\\\{0}\\root\\{1}", "localhost", WMINameSpace), null);

                Scope.Connect();
                ObjectQuery Query = new ObjectQuery("SELECT * FROM FirewallProduct");
                ManagementObjectSearcher Searcher = new ManagementObjectSearcher(Scope, Query);

                foreach (ManagementObject WmiObject in Searcher.Get())
                {
                    
                    Console.WriteLine("{0,-35} {1,-40}","Firewall Name",WmiObject["displayName"]);                      
                    if (System.Environment.OSVersion.Version.Major < 6) //is XP ?
                    {
                    Console.WriteLine("{0,-35} {1,-40}","Enabled",WmiObject["enabled"]);    
                    }
                    else
                    {
                        Console.WriteLine("{0,-35} {1,-40}","State",WmiObject["productState"]); 
                    }   
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(String.Format("Exception {0} Trace {1}",e.Message,e.StackTrace));
            }
            Console.WriteLine("Press Enter to exit");
            Console.Read();
        }
    }
}