如何在C＃中检测Windows Server 2008上的防病毒软件？

Question

I have seen code samples similar to the following numerous times in my search for an answer:

using System;
using System.Text;
using System.Management;

namespace ConsoleApplication1
{
  class Program
  {
    public static bool AntivirusInstalled()
    {

      string wmipathstr = @"\\" + Environment.MachineName + @"\root\SecurityCenter";
      try
      {
        ManagementObjectSearcher searcher = new ManagementObjectSearcher(wmipathstr, "SELECT * FROM AntivirusProduct");
        ManagementObjectCollection instances = searcher.Get();
        return instances.Count > 0;
      }

      catch (Exception e)
      {
        Console.WriteLine(e.Message);
      }

      return false;
    } 

    public static void Main(string[] args)
    {
      bool returnCode = AntivirusInstalled();
      Console.WriteLine("Antivirus Installed " + returnCode.ToString());
      Console.WriteLine();
      Console.Read();
    }

  }
}

Unfortunately, it appears that Windows Server 2008 does not have the SecurityCenter or SecurityCenter2 namespace, so I get an Invalid namespace exception when trying this approach.

Does anyone know of a way to determine if there is antivirus software running on Windows Server 2008? Any help is appreciated!

Answer 1

Use the EICAR test virus.

1. Have your application try to write one of these files on disk: http://www.eicar.org/85-0-Download.html
2. Catch the exception

It will not only work on every anti-virus on earth, but it will also tell you if the anti-virus is active!

You may find it hard to download the test file if you have anti-virus active, so you may want to use this string instead:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Keep in mind, you probably want to keep the string encoded on your app and decode it just before you write it to disk. Otherwise you may risk your app being detected as a virus :)

On the EICAR site, they say:

Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long

However, I wouldn't count AV developers have read the spec, so better just keep the string encoded. In fact, I just tried to save the string on a .txt file on my desktop with some additional characters in it and Windows Defender started screaming.

Answer 2

Hmmm, I ended up playing around with PowerShell:

$avSoftware = get-wmiobject -class "Win32_Product" -namespace "root\cimv2" -computername "." -filter "Name like '%antivirus%'"
if ($avSoftware.Count -gt 0) {
    foreach ($av in $avSoftware) {
        write-host $p.Name
    }
} else {
    write-host "No AV software found"
}

It seems to be working both on our Windows Server 2008 and 2008 R2 instances...

More info here: https://serverfault.com/questions/12343/how-can-i-determine-whether-an-antivirus-product-is-installed

Answer 3

我前段时间遇到了一个客户问题，最后我在本地系统驱动程序和进程上执行了dictonary搜索，寻找已知的防病毒签名模式（例如文件夹名称，进程名称等等）。不是百分之百确定，因为某个地方有人会下载一个你不知道的全新的反病毒，但除此之外，它非常有效......

Answer 4

This is more of an idea than a perfect solution. With respect to the answer by Leonardo, how about using an actual piece of anti-virus software (link against it) in order to perform a search for other anti-virus software? ClamAV is opensource and a nice point to start. You "only" need to define a new and rather specific signature database.

Answer 5

According to most of the web, SecurityCenter and SecurityCenter2 are not available on Windows Server 2008 (as you have already worked out for yourself).

I found this SO article, which contains a workaround. How to detect antivirus installed on windows 2003 server and 2008 server 2003 server R2and 2008 server R2 using WMI or other then WMI in C++

Admittedly, this is a C++ implementation, but I see no reason that it cannot be ported to C#

Also found this page which suggests using the OESIS framework. http://social.msdn.microsoft.com/Forums/en/windowsgeneraldevelopmentissues/thread/b0806608-fee0-413c-a34d-674aeb11be3c