antivirus_status.ps1 - limehawk/rmm-scripts GitHub Wiki

antivirus_status.ps1

Checks for the presence and active status of third-party antivirus software on the system.

Overview

Checks for the presence and active status of third-party antivirus software on the system, excluding Windows/Microsoft Defender. Reports the active product name and boolean state to SuperOps custom fields for monitoring.

Purpose

Gives the RMM a per-device answer to one question: is a third-party antivirus product (anything other than Windows/Microsoft Defender) installed and reporting itself enabled? The answer is written to SuperOps custom fields so devices without active third-party AV can be filtered and alerted on from the RMM side rather than by inspecting each endpoint.

Prerequisites

  • PowerShell 5.1 or later
  • Access to root\SecurityCenter2 namespace (requires local admin or equivalent)
  • SuperOps module available via $SuperOpsModule variable (provided by RMM)

Configuration

Required Inputs

$SuperOpsModule - Path to SuperOps module (injected by RMM; validated as non-empty string)

Settings

None configurable; all logic is fixed for third-party AV detection.

Data Sources & Priority

  1. Hardcoded values defined within the script body (the Defender exclusion filter and the SuperOps custom field names)
  2. CIM instance query to root\SecurityCenter2\AntiVirusProduct for third-party AV
  3. Registry fallback if SecurityCenter2 is unavailable
  4. Get-MpComputerStatus for Windows Defender confirmation (informational only)

Behavior

  • Queries installed AV products and checks enabled state via the productState bitmask (an undocumented WSC encoding; by the common interpretation, bit 0x1000 set means the product reports real-time protection enabled, and 0x0010 set means signatures are out of date)
  • Falls back to registry detection if WMI/CIM fails
  • Ignores Windows Defender entries
  • Outputs third-party AV name (or detection message) and state (TRUE/FALSE)
  • Separately confirms Windows Defender status in console output
  • Pushes results to SuperOps custom fields: "Active Antivirus" (string) and "Active Antivirus State" (TRUE/FALSE for radio buttons)
  • On error, defaults state to FALSE and reports detection error
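The following is an added illustration of the detection logic the bullets above describe; it is not the antivirus_status.ps1 script from the limehawk/rmm-scripts repository and does not push to SuperOps. The productState bit layout is the widely used community interpretation of a value Microsoft does not document, the Defender name filter and the error message text are assumptions, and the registry fallback is left out because the page does not say which keys the script reads.

```powershell
# Added example, not the project's script. Decodes SecurityCenter2 productState
# and excludes Defender. Bit layout is an assumption (undocumented by Microsoft).

function ConvertFrom-AvProductState {
    param([Parameter(Mandatory)][int]$ProductState)
    # Middle byte: 0x10 = product reports real-time protection enabled, 0x00 = disabled.
    # Low byte:    0x00 = signatures reported up to date, 0x10 = out of date.
    [pscustomobject]@{
        Raw      = ('0x{0:X6}' -f $ProductState)
        Enabled  = (($ProductState -band 0x1000) -ne 0)
        UpToDate = (($ProductState -band 0x0010) -eq 0)
    }
}

function Get-ThirdPartyAvStatus {
    [CmdletBinding()]
    param(
        # Optional: constructed records for offline testing. When omitted, the
        # live CIM query runs.
        [object[]]$Products
    )
    if (-not $PSBoundParameters.ContainsKey('Products')) {
        # root\SecurityCenter2 exists only on client SKUs; Server editions and a
        # broken WMI repository throw here, which maps to the page's error path
        # (state defaults to FALSE and a detection error is reported).
        try {
            $Products = Get-CimInstance -Namespace 'root\SecurityCenter2' `
                -ClassName AntiVirusProduct -ErrorAction Stop
        } catch {
            return [pscustomobject]@{
                Name    = "Antivirus Detection Error: $($_.Exception.Message)"  # assumed wording
                Enabled = $false
            }
        }
    }
    $active = foreach ($p in $Products) {
        # Defender filter (assumed pattern): Defender stays registered in WSC in
        # passive mode, so it must be skipped rather than treated as third-party AV.
        if ($p.displayName -match 'Windows Defender|Microsoft Defender') { continue }
        $state = ConvertFrom-AvProductState -ProductState ([int]$p.productState)
        if ($state.Enabled) { $p.displayName }
    }
    if ($active) {
        [pscustomobject]@{ Name = ($active -join ', '); Enabled = $true }
    } else {
        [pscustomobject]@{ Name = 'No Active Third-Party Antivirus Detected'; Enabled = $false }
    }
}

# Constructed sample records (not captured from a real host): Defender registered
# but not enabled, plus a third-party product reporting enabled and up to date.
$sample = @(
    [pscustomobject]@{ displayName = 'Windows Defender'; productState = 0x060000 }
    [pscustomobject]@{ displayName = 'Contoso Endpoint'; productState = 0x061000 }
)
Get-ThirdPartyAvStatus -Products $sample

# Live run on the local host (client SKU with WSC present):
Get-ThirdPartyAvStatus
```

Passing the records in through -Products is what makes the decode and filter logic testable on a machine without the product installed, and on a Server SKU where the namespace does not exist; the live call exercises the same error path the page describes.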

Security Notes

  • No secrets (API keys, passwords) are used or logged
  • The script itself queries only local system data and makes no network calls; the custom field update goes through the RMM-provided SuperOps module
  • The module at $SuperOpsModule is imported and runs with the script's privileges, and the only validation is that the path is a non-empty string, so the RMM's control over that path is the trust boundary
  • WSC reports whatever the vendor registered, and the productState decoding is a community interpretation of an undocumented value; a product can register as enabled while its service is stopped, so a TRUE state means "a third-party product reports itself enabled", not that it was verified to be running

Exit Codes

  • 0 - Success
  • 1 - Failure

Example Output

[ INPUT VALIDATION ]
--------------------------------------------------------------
SuperOpsModule : C:\Program Files\SuperOps\Modules\SuperOps.psm1

[ OPERATION ]
--------------------------------------------------------------
Querying AntiVirusProduct...
Checking Windows Defender...

[ RESULT ]
--------------------------------------------------------------
Active Antivirus : No Active Third-Party Antivirus Detected
Active Antivirus State : FALSE
Windows Defender Enabled : True

[ FINAL STATUS ]
--------------------------------------------------------------
Third-party AV check completed successfully.

[ SCRIPT COMPLETED ]
--------------------------------------------------------------

Version History

  • v1.2.0 (2025-10-28) - Added registry fallback, WMI service checks, and better error handling for SecurityCenter2 provider failures
  • v1.1.0 (2025-10-28) - Improved AV detection with better productState logic, OS type checking, enhanced Defender filtering, and comprehensive logging
  • v1.0.0 (2025-10-27) - Initial version with third-party AV focus and SuperOps integration

Links