acooney
Engaged Sweeper II
I have one desktop that is showing Bit Defender as disabled in Lansweeper. The machine itself and the Bit Defender console are showing this machine as having active Bit Defender. What does Lansweeper check to see if the AV is enabled or disabled? We have tried rebooting the machine and restarting the services.

10:30 Edit:

I'm now getting more machines doing this.
5 REPLIES
acooney
Engaged Sweeper II
So one of the machines is showing productState : 262144, another is showing productState : 266240.

It is odd that both are showing as fine, and are able to run AV scans though... I'm asking our security team to look further into it.
acooney
Engaged Sweeper II
Thank you. I will give that a try.
Esben_D
Lansweeper Employee
Looks to me like the WMI class says it is disabled.

What you can try is to run the following command on the local machine in PowerShell:

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct


Then you can compare the result of productState to the following list:
  • "262144" {status = "Up to date" ;status = "Disabled"}
  • "262160" {status = "Out of date" ;status = "Disabled"}
  • "266240" {status = "Up to date" ;status = "Enabled"}
  • "266256" {status = "Out of date" ;status = "Enabled"}
  • "393216" {status = "Up to date" ;status = "Disabled"}
  • "393232" {status = "Out of date" ;status = "Disabled"}
  • "393488" {status = "Out of date" ;status = "Disabled"}
  • "397312" {status = "Up to date" ;status = "Enabled"}
  • "397328" {status = "Out of date" ;status = "Enabled"}
  • "397584" {status = "Out of date" ;status = "Enabled"}
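
The lookup in the reply above can also be done as a bit test. This is an added example, not code from the post or from Lansweeper. The function name Convert-ProductState is hypothetical, and the bit layout is an assumption inferred from the ten listed values (Microsoft does not document productState), so the script first checks itself against that list.

```powershell
# Added example. Assumption: productState is treated as a bit field whose
# layout is inferred from the list in the reply above, not from vendor docs.
function Convert-ProductState {
    param([Parameter(Mandatory = $true)][int]$ProductState)

    New-Object psobject -Property @{
        ProductState = $ProductState
        Hex          = '0x{0:X6}' -f $ProductState
        # Bit 0x1000 (middle byte) is set on every "Enabled" entry in the list.
        Enabled      = ($ProductState -band 0x1000) -ne 0
        # Bit 0x10 (low byte) is set on every "Out of date" entry in the list.
        UpToDate     = ($ProductState -band 0x10) -eq 0
    }
}

# The ten values from the list, grouped by the status the list gives them.
$allValues  = 262144, 262160, 266240, 266256, 393216,
              393232, 393488, 397312, 397328, 397584
$enabled    = 266240, 266256, 397312, 397328, 397584
$upToDate   = 262144, 266240, 393216, 397312

# Self-check: the bit test must agree with the list for every value.
foreach ($value in $allValues) {
    $decoded = Convert-ProductState -ProductState $value
    if ($decoded.Enabled -ne ($enabled -contains $value) -or
        $decoded.UpToDate -ne ($upToDate -contains $value)) {
        throw "Bit decode disagrees with the list for $value ($($decoded.Hex))"
    }
}

# Decode what WMI reports on this machine. The class is absent on Windows
# servers, so errors are suppressed and nothing is returned there.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $decoded = Convert-ProductState -ProductState $_.productState
        New-Object psobject -Property @{
            Name     = $_.displayName
            Hex      = $decoded.Hex
            Enabled  = $decoded.Enabled
            UpToDate = $decoded.UpToDate
        }
    }
```

A productState value that is not in the list is still decoded by the bit test, but the result is only as reliable as the assumed layout.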
acooney
Engaged Sweeper II
Charles:

I'm attaching screenshots of the AV screens on these devices. These are Windows 7 and Windows 10 desktop machines.



Esben_D
Lansweeper Employee
You can find a general explanation of AV scanning here: https://www.lansweeper.com/kb/123/managing-anti-virus-software-reports.html

  • Firstly, Lansweeper can retrieve antivirus information and status from the WMI (Windows Management Instrumentation) protocol on your Windows computers. Keep in mind that the WMI class that stores the antivirus information and status does not exist on Windows servers, which makes it impossible to detect the status (enabled/disabled and up to date or not) of anti-virus packages on Windows servers. You can identify anti-virus records pulled from WMI based on the little "bug" icon.

  • Alternatively, when your anti-virus software can't be found in WMI, Lansweeper also looks at the software list in the Software tab of a computer's web page (which mimics Add/Remove Programs) and verifies whether an installed software package is part of the list of known anti-virus software found in the web console under Software\Anti-Virus Settings. Keep in mind that you will not be able to get a status (enabled/disabled and up to date or not) via this method.
    The fact that your antivirus software is showing as not up to date means that the status is stored as such in WMI. As Lansweeper pulls this information from WMI, there is no way to manipulate this status.