How to detect if a virus scanner and/or firewall is installed? (And a few other security-related Q's.)

I have an application and I'm trying to make sure it's running in a secure environment. First of all, I check if Windows is genuine, which makes it more likely that the user keeps it up-to-date. If not, I just pop up a message warning the user there's a possible risk because he still needs to validate Windows.

Now, I want to do a bit more. I also want to check if the user has installed a virus scanner. I don't care which one, as long as he has installed one. Then the same for checking if a firewall is installed. And if possible, I want to check when the user updated his Windows/Scanner/Firewall the last time just to make sure it's not too old. So:

1) How do I check if a virus scanner is installed?
2) How do I determine when the virus scanner was updated?
3) How do I detect when the virus scanner did its last full-system check?
4) How do I detect if a firewall is installed and active?
5) How do I check when Windows received its most recent update?

Basically, when my application starts I want to display a screen with warnings (just once per day) just in case any of these things have a problem. This is because my application works with all kinds of sensitive information that the user collects from his clients. (Which includes bank account numbers, ID numbers of passports, NAW+DOB, income and a lot more.) Basically, if the system has a problem, the user must confirm that he's aware of these problems. It takes the possible liability away from my application if he continues while knowing his system is possibly insecure...


And language? Basically C++ or Delphi for WIN32 examples and C# for .NET examples. It's more about the Windows API/.NET than the language.
Wim ten Brink asked Sep 22 '09 10:09



2 Answers

I think you can do most of this via WMI.

Something like this:

using System.Management;   // reference System.Management.dll

ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\SecurityCenter", "SELECT * FROM AntiVirusProduct");
ManagementObjectCollection data = wmiData.Get();

foreach (ManagementObject virusChecker in data)
{
    // This is the virus checker's name. The indexer returns object, so convert it to a string.
    String virusCheckerName = virusChecker["displayName"].ToString();
}

[You didn't mention what language, so the sample above is in C#, but WMI can be done from pretty much anything]

[Edit: You can do the same but with "FirewallProduct" instead for firewall info. Also, for the antivirus, you can look at the "productUptoDate" property on the results for info on whether it's up to date]

The WMI reference should help you find the others. (1, 2, 3, and 4 I'm pretty certain are available through WMI. 5 I'm not so certain about, but I think it probably should be)

You'll probably find WMI Code Creator helpful for testing and figuring out what queries/objects you need to use. Also Scriptomatic and WMI Admin tools might be useful.

Simon P Stevens answered Oct 03 '22 21:10



Since I was looking for a C++ and not a .NET-dependent way, I mixed this answer with the MSDN example: Getting WMI Data from the Local Computer.

The commands that need to be changed in order to get the AV name are:

  • _bstr_t(L"ROOT\\CIMV2") to _bstr_t(L"ROOT\\SecurityCenter2"). Keep in mind that SecurityCenter2 is for Win 7, Vista SP2 and beyond according to this. Below Vista SP2, you need to use SecurityCenter.
  • bstr_t("SELECT * FROM Win32_OperatingSystem") to bstr_t("SELECT * FROM AntivirusProduct")
  • hr = pclsObj->Get(L"Name", 0, &vtProp, 0, 0); to hr = pclsObj->Get(L"displayName", 0, &vtProp, 0, 0);.

This changed code has been checked and is fully working.

For a simpler method you can always iterate over this algorithm and look for your AV by name.

OhadM answered Oct 03 '22 21:10

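Both answers above stop at reading `displayName`; the questions also ask whether the product is active, whether it is current, and when Windows was last updated. The following C# program is an added example, not code from the question or from either answer. It queries `root\SecurityCenter2` (the namespace the second answer recommends for Vista SP2 / Windows 7 and later) for both `AntiVirusProduct` and `FirewallProduct`, and `root\CIMV2` for `Win32_QuickFixEngineering` to estimate the last Windows update. The `productState` decoding is an assumption: Microsoft does not document that value, and the bit layout below is the one commonly observed in practice, so treat it as a heuristic and verify it against the products you actually support. The helper names (`SecurityCenterCheck`, `Collect`, `LatestHotfixInstalledOn`) are my own.

```csharp
// Added example (not from the question or either answer). Requires a reference
// to System.Management.dll. ASSUMPTION: the productState layout decoded below
// is undocumented; these are the commonly observed values.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Management;

public static class SecurityCenterCheck
{
    public sealed class ProductStatus
    {
        public string Kind;     // "AntiVirus" or "Firewall"
        public string Name;     // displayName
        public uint RawState;   // productState as reported by WMI
        public bool Enabled;
        public bool UpToDate;   // only meaningful for antivirus products
    }

    // productState is read as six hex digits, e.g. 0x041000:
    //   digits 3-4: "10" = enabled/on, "00" or "01" = off, "11" = snoozed
    //   digits 5-6: "00" = signatures up to date, "10" = out of date
    public static bool IsEnabled(uint productState)
    {
        return productState.ToString("X6").Substring(2, 2) == "10";
    }

    public static bool IsUpToDate(uint productState)
    {
        return productState.ToString("X6").Substring(4, 2) == "00";
    }

    private static IEnumerable<ProductStatus> Query(string className, string kind)
    {
        var searcher = new ManagementObjectSearcher(
            @"root\SecurityCenter2",
            "SELECT displayName, productState FROM " + className);
        foreach (ManagementObject product in searcher.Get())
        {
            uint state = Convert.ToUInt32(product["productState"]);
            yield return new ProductStatus
            {
                Kind = kind,
                Name = Convert.ToString(product["displayName"]),
                RawState = state,
                Enabled = IsEnabled(state),
                UpToDate = IsUpToDate(state),
            };
        }
    }

    // Questions 1 and 4: every antivirus and firewall product registered
    // with Security Center, with its decoded on/off and up-to-date state.
    public static List<ProductStatus> Collect()
    {
        var result = new List<ProductStatus>();
        result.AddRange(Query("AntiVirusProduct", "AntiVirus"));
        result.AddRange(Query("FirewallProduct", "Firewall"));
        return result;
    }

    // Question 5: newest InstalledOn date among installed hotfixes.
    // InstalledOn is a locale-formatted string and is sometimes empty, so
    // unparsable entries are skipped rather than treated as errors.
    public static DateTime? LatestHotfixInstalledOn()
    {
        DateTime? latest = null;
        var searcher = new ManagementObjectSearcher(
            @"root\CIMV2", "SELECT InstalledOn FROM Win32_QuickFixEngineering");
        foreach (ManagementObject fix in searcher.Get())
        {
            DateTime when;
            string text = Convert.ToString(fix["InstalledOn"]);
            if (DateTime.TryParse(text, CultureInfo.CurrentCulture,
                                  DateTimeStyles.None, out when)
                && (latest == null || when > latest.Value))
            {
                latest = when;
            }
        }
        return latest;
    }

    public static void Main()
    {
        foreach (ProductStatus p in Collect())
        {
            Console.WriteLine("{0}: {1}  enabled={2}  upToDate={3}  (productState 0x{4:X6})",
                p.Kind, p.Name, p.Enabled, p.UpToDate, p.RawState);
        }
        DateTime? lastUpdate = LatestHotfixInstalledOn();
        Console.WriteLine("Most recent hotfix installed: {0}",
            lastUpdate.HasValue ? lastUpdate.Value.ToShortDateString() : "unknown");
    }
}
```

Two caveats for the warning screen the question describes. First, Security Center only reports what a product has registered; a registered entry is not proof that the engine is actually scanning, and the built-in Windows Defender / Windows Firewall entries appear here alongside third-party products, so decide how you want to treat each. Second, `Win32_QuickFixEngineering` lists hotfixes rather than every kind of update and its `InstalledOn` format depends on the locale, so the returned date is a lower bound on "last updated", not an exact answer; if `LatestHotfixInstalledOn()` returns null, show the warning rather than assuming the system is current.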