How to detect antivirus installed on windows 2003 server and 2008 server 2003 server R2and 2008 server R2 using WMI or other then WMI in C++

Question

i have used WMI to detect that antivirus is present on OS, itz woking fine and display me information of antivirus like name and instance id on win xp and window7 by using N

Answer 1

That namespace is not available on Windows Server platforms an I think it might be deprecated for Workstation (i.e. going away).

You can probably use WscGetSecurityProviderHealth() to get the same result.

See http://msdn.microsoft.com/en-us/library/bb432506.aspx

Here's my trivial sample that seems to work:

#define _WIN32_WINNT _WIN32_WINNT_WIN7
#include <Windows.h>
#include <Wscapi.h>
#include <iostream>

#pragma comment(lib, "Wscapi")


int main(int argc, char* argv[])
{
   WSC_SECURITY_PROVIDER_HEALTH health;
   const DWORD dwAntivirus(WSC_SECURITY_PROVIDER_ANTIVIRUS);

   HRESULT hr = WscGetSecurityProviderHealth(dwAntivirus, &health);
   if (FAILED(hr))
   {
      std::cerr << "Error " << std::hex 
                << std::showbase << hr << "\n";
      return -1;
   }
   switch (health)
   {
      case WSC_SECURITY_PROVIDER_HEALTH_GOOD:
         std::cout << "Antivirus health is good\n";
         return 0;
      case WSC_SECURITY_PROVIDER_HEALTH_NOTMONITORED:
         std::cout << "Antivirus health is not monitored\n";
         return 1;
      case WSC_SECURITY_PROVIDER_HEALTH_POOR:
         std::cout << "Antivirus health is poor\n";
         return 2;
      case WSC_SECURITY_PROVIDER_HEALTH_SNOOZE:
         std::cout << "Antivirus health is snooze\n";
         return 3;
      default:
         std::cout << "Unexpected antivirus health value: "
                   << std::hex << std::showbase 
                   << health << "\n";
         return 4;
   }
}

Update 9 Dec 2012

Alex points out (below) that this does not work on Windows Server, only on Workstation versions of Windows. On reflection, it occurs to me that it is probably deliberate and, in fact, probably for the best.

Do application programs really need to know the status of a server? Most security programs for servers have mechanisms to set alarms when they fail. An admin will monitor those alarms and fix what is broken. Application programs should simply behave as if security is fully operational.

If you really must know about a particular program, you can look for its exe name amongst the processes and see if the process is running and is consuming cpu (not hung). Beyond that you might need to work with the security program's vendor: they may have an API to query the program.