How Lansweeper scans anti-virus information

By default, Lansweeper includes a number of reports that provide information on your Windows computers' anti-virus setup, to help you identify vulnerabilities in your network. These reports can be found in the Reports menu of the web console. An individual computer's anti-virus information can also be found in the Summary and Software\Antivirus tabs of the computer's Lansweeper webpage. Lansweeper can detect both whether a Windows computer has anti-virus software installed and what the status of the anti-virus software is. This article explains how anti-virus detection works and how you can customize it.

Server: All servers with Anti-virus
Server: All servers without Anti-virus software
Workstation: All workstations with Anti-virus software
Workstation: All workstations without Anti-virus software
Workstation: Antivirus Disabled
Workstation: Antivirus Expired

Anti-virus status detection: enabled/disabled and up-to-date/out-of-date

Lansweeper pulls most Windows computer data from WMI (Windows Management Instrumentation), a management framework built into Windows operating systems. An anti-virus software's status is pulled from the AntiVirusProduct WMI class, found in the \root\SecurityCenter or \root\SecurityCenter2 (Windows Security Center) namespace. WMI stores bit (SecurityCenter) or hexadecimal (SecurityCenter2) values indicating whether the anti-virus software is enabled/disabled and up-to-date/out-of-date. Hex values are converted by Lansweeper to bit values as well. A value of 0 means that the anti-virus software is disabled/out-of-date; a value of 1 means that the anti-virus software is enabled/up-to-date.

The anti-virus status is pulled solely from WMI. If WMI reports an incorrect status, Lansweeper will report the same incorrect status. In that case, you can try rebuilding the AntiVirusProduct WMI class on the affected machines and rescanning them afterwards. Keep in mind that the AntiVirusProduct WMI class does not exist on Windows Server operating systems, which makes it impossible to retrieve the anti-virus status of these machines.

Anti-virus installations

Lansweeper uses two methods for detection of installed anti-virus software:

  • It pulls data from the AntiVirusProduct WMI (Windows Management Instrumentation) class, found in the \root\SecurityCenter or \root\SecurityCenter2 (Windows Security Center) namespace. In the Software\Antivirus tab of individual computer webpages, you can identify anti-virus records pulled from WMI by the little "bug" icon.
  • It looks at the software list in the Software tab of a computer's webpage (which mimics Add/Remove Programs) and verifies whether an installed software package is part of the list of known anti-virus software found in the web console under Software\Anti-Virus Settings. If a software package listed in a computer's Software tab is part of the list of known anti-virus software, the computer is deemed to have anti-virus software installed.

If neither method finds anti-virus software on a machine, but the machine does have anti-virus software installed, you can try:

  • If the software is listed in the Software tab of the machine's Lansweeper webpage, adding it to the list of known anti-virus software under Software\Anti-Virus Settings.
  • Rebuilding the AntiVirusProduct WMI class.

You can use the following as a wildcard under Software\Anti-Virus Settings: %

  • Avira% marks any software whose name starts with the word "Avira" as anti-virus.
  • %Avira marks any software whose name ends in the word "Avira" as anti-virus.
  • %Avira% marks any software whose name contains the word "Avira" as anti-virus.
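
The % wildcard rules above can be reproduced offline to preview which installed packages a pattern would flag, and which machines would still be reported as having no anti-virus, before adding the pattern under Software\Anti-Virus Settings. This is an added example, not Lansweeper's own code; it assumes case-insensitive matching, and every host and software name other than "Avira" is constructed.

```python
import re


def wildcard_to_regex(pattern):
    """Translate a '%' wildcard pattern into a regex ('%' = any run of characters)."""
    literal_parts = (re.escape(part) for part in pattern.split("%"))
    # Assumption: names are compared case-insensitively.
    return re.compile(".*".join(literal_parts), re.IGNORECASE | re.DOTALL)


def find_antivirus(software_names, known_av_patterns):
    """Return the installed packages whose full name matches a known anti-virus pattern."""
    compiled = [wildcard_to_regex(p) for p in known_av_patterns]
    return [name for name in software_names
            if any(rx.fullmatch(name) for rx in compiled)]


def machines_without_antivirus(inventory, known_av_patterns):
    """Return hosts whose software list contains no package matching the patterns."""
    return sorted(host for host, software in inventory.items()
                  if not find_antivirus(software, known_av_patterns))


# Constructed sample data: a known anti-virus list and a per-host software inventory.
KNOWN_AV = ["Avira%", "%Endpoint Protection"]
INVENTORY = {
    "WS-001": ["Avira Antivirus", "Archive Tool 1.0"],
    "WS-002": ["Example Browser", "Example Editor"],
    "WS-003": ["ExampleShield Endpoint Protection"],
    "WS-004": ["Toolbar for Avira users"],  # contains "Avira" but does not start with it
}

if __name__ == "__main__":
    for host, software in sorted(INVENTORY.items()):
        print(host, "->", find_antivirus(software, KNOWN_AV) or "no match")
    print("Without anti-virus:", machines_without_antivirus(INVENTORY, KNOWN_AV))
```

WS-004 shows why the choice between Avira% and %Avira% matters: a broad "contains" pattern would count an unrelated package as anti-virus and drop the machine from the "without Anti-virus software" reports.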
