Auditing/AntiVirusInfo.ps1

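Function Get-CSAVInfo
{
<#
.SYNOPSIS

This function enumerates the Anti Virus installed on a remote host and any helpful registry keys.

Author: Chris Ross (@xorrior)
License: BSD 3-Clause

.DESCRIPTION

Get-CSAVInfo uses the AntiVirusProduct WMI class to enumerate Anti Virus on a local or remote host. The name, executable, state, and registry keys are returned in a custom psobject. One object is emitted per registered product, so a host with more than one product yields more than one object.

The namespace root/SecurityCenter2 is preferred; root/SecurityCenter is used as the legacy fallback. A host that exposes neither (server SKUs typically do not) is reported with a non-terminating error and the remaining sessions are still processed.

For Windows Defender and McAfee, the configured exclusions are read from well-known HKLM keys via Get-CSRegistryValue. Exclusion lists describe exactly where scanning is disabled, so the output should be handled as sensitive audit data.

.PARAMETER CimSession

Specifies the CIM session to use for this cmdlet. Enter a variable that contains the CIM session or a command that creates or gets the CIM session, such as the New-CimSession or Get-CimSession cmdlets. For more information, see about_CimSessions.

.EXAMPLE

Get-CSAVInfo

.EXAMPLE

Get-CSAVInfo -Session $CimSession

.OUTPUTS

CimSweep.AVInfo

Outputs custom objects representing the current AV configuration. ScannerEnabled and Updated are $null when the product state could not be interpreted.
#>


    [CmdletBinding()]
    [OutputType('CimSweep.AVInfo')]
    param
    (
        [Alias('Session')]
        [ValidateNotNullOrEmpty()]
        [Microsoft.Management.Infrastructure.CimSession[]]
        $CimSession
    )


    BEGIN
    {
        # CimSweep convention: an empty string stands in for the local machine so the
        # PROCESS loop below runs exactly once even when no session was supplied.
        if (-not $PSBoundParameters['CimSession'])
        {
            $CimSession = ''
        }

        # Registry keys whose *value names* hold the configured exclusion entries.
        $DefenderPaths = @{
            ExcludedPaths = 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\'
            ExcludedExtensions = 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\'
            ExcludedProcesses = 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\'
        }

        $McAfeePaths = @{
            Exclusions = 'SOFTWARE\McAfee\AVSolution\OAS\DEFAULT\'
            EmailIncludedProcesses = 'SOFTWARE\McAfee\AVSolution\OAS\EMAIL\'
            ProcessStartupExclusions = 'SOFTWARE\McAfee\AVSolution\HIP\'
        }
    }

    PROCESS
    {
        foreach ($Session in $CimSession)
        {
            $ComputerName = $Session.ComputerName
            if (-not $Session.ComputerName) { $ComputerName = 'localhost' }

            $CommonArgs = @{}

            # Only pass -CimSession when a real session was supplied; the '' placeholder has no Id.
            if ($Session.Id) { $CommonArgs['CimSession'] = $Session }

            # Determine which Security Center namespace (if any) this host exposes.
            $Namespace = $null
            if (Get-CimInstance -Namespace root -ClassName __NAMESPACE -Filter 'Name="SecurityCenter2"' @CommonArgs)
            {
                $Namespace = 'root/SecurityCenter2'
            }
            elseif (Get-CimInstance -Namespace root -ClassName __NAMESPACE -Filter 'Name="SecurityCenter"' @CommonArgs)
            {
                $Namespace = 'root/SecurityCenter'
            }
            else
            {
                # 'continue', not 'break': one host without Security Center must not end the
                # enumeration for every remaining session in the pipeline.
                Write-Error "[$ComputerName] Neither the SecurityCenter2 nor the SecurityCenter namespace exists."
                continue
            }

            $Products = Get-CimInstance -Namespace $Namespace -ClassName AntiVirusProduct @CommonArgs

            if (-not $Products)
            {
                # The namespace exists but nothing is registered in it; nothing to report for this host.
                Write-Verbose "[$ComputerName] No AntiVirusProduct instances registered in $Namespace."
                continue
            }

            foreach ($AV in $Products)
            {
                $ObjectProperties = [Ordered] @{
                    PSTypeName = 'CimSweep.AVInfo'
                    Name = $AV.displayName
                    Executable = $null
                    InstanceGUID = $AV.instanceGuid
                    ScannerEnabled = $null
                    Updated = $null
                    ExclusionInfo = $null
                }

                if ($Namespace -eq 'root/SecurityCenter2')
                {
                    $ObjectProperties.Executable = $AV.pathToSignedProductExe

                    # productState is a packed value. It is rendered as six hex digits and read as
                    # three bytes, high to low. Middle byte: 0x10 and above = real-time scanner on,
                    # 0x00/0x01 = off. Low byte: 0x00 = definitions current, 0x10 = out of date.
                    # Any other value is deliberately left $null rather than guessed.
                    if ($null -ne $AV.productState)
                    {
                        $State = '{0:X6}' -f $AV.productState

                        # Index from the end so a value wider than six digits still selects the
                        # same two bytes instead of silently shifting.
                        $ScannerByte = [Convert]::ToByte($State.Substring($State.Length - 4, 2), 16)
                        $UpdatedByte = [Convert]::ToByte($State.Substring($State.Length - 2, 2), 16)

                        if ($ScannerByte -ge 0x10)
                        {
                            $ObjectProperties.ScannerEnabled = $True
                        }
                        elseif ($ScannerByte -eq 0x00 -or $ScannerByte -eq 0x01)
                        {
                            $ObjectProperties.ScannerEnabled = $False
                        }

                        if ($UpdatedByte -eq 0x00)
                        {
                            $ObjectProperties.Updated = $True
                        }
                        elseif ($UpdatedByte -eq 0x10)
                        {
                            $ObjectProperties.Updated = $False
                        }
                    }
                }
                else
                {
                    # The legacy namespace exposes the state as explicit boolean properties.
                    $ObjectProperties.Executable = $AV.pathToEnableOnAccessUI
                    $ObjectProperties.ScannerEnabled = $AV.onAccessScanningEnabled
                    $ObjectProperties.Updated = $AV.productUptoDate
                }

                if ($Session.ComputerName) { $ObjectProperties['PSComputerName'] = $Session.ComputerName }

                # Exclusion lookup. Reset per product so a host with an unrecognised vendor can
                # never inherit the exclusion list collected for the previous host.
                $ExclusionInfo = $null
                $ExclusionPaths = $null

                if ($AV.displayName -match 'Windows Defender')
                {
                    $ExclusionPaths = $DefenderPaths
                }
                elseif ($AV.displayName -match 'McAfee')
                {
                    $ExclusionPaths = $McAfeePaths
                }

                if ($ExclusionPaths)
                {
                    $ExclusionInfo = [PSCustomObject] @{}
                    foreach ($Entry in $ExclusionPaths.GetEnumerator())
                    {
                        # Each exclusion is stored as a value *name* under the key, hence .ValueName.
                        $ValueNames = (Get-CSRegistryValue -Hive HKLM -SubKey $Entry.Value @CommonArgs).ValueName
                        $ExclusionInfo | Add-Member -NotePropertyName $Entry.Key -NotePropertyValue $ValueNames
                    }
                }

                $ObjectProperties.ExclusionInfo = $ExclusionInfo

                [PSCustomObject] $ObjectProperties
            }
        }
    }
}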

# Expose Get-CSAVInfo as a public command of the module.
Export-ModuleMember -Function 'Get-CSAVInfo'