How to identify (detect and name) the antivirus software installed on the PC with C# on WinForms


In the last few days, I worked on a PC maintenance project, and one of the requirements of this application was to display the name of the antivirus installed on the PC, if there is any. At first sight I thought this would be difficult. Fortunately, it isn't as difficult as it seems, because Windows already provides this feature, so you only need to access its APIs to retrieve the information (we are talking about the Security Center). Windows Security Center is a reporting tool built into the operating system since the release of Service Pack 2 for Windows XP. It monitors the health state of the endpoint in different areas, such as Windows updates, firewall settings and antivirus/anti-spyware settings.

In this article, we'll show you how to retrieve the name of the currently installed antivirus by accessing the AntiVirusProduct class of the Security Center.

1. Add reference to the System.Management class

To obtain information about the installed antivirus with C# in WinForms, you will need access to the System.Management namespace:

using System.Management;

However, in some Visual Studio versions (specifically in 2010 and later) you'll need to add the reference (.DLL) in your project manually. To do that follow these steps:

  1. Right Click on Project, Add References

  2. Select the Assemblies (framework) Tab and Search for System.Management and finally add the reference and click OK.

We need System.Management to run queries against WMI classes. Read more about retrieving WMI classes in .NET on MSDN.

2. Retrieving information

To retrieve the information with the ManagementObjectSearcher, we will query the root\SecurityCenter2 namespace (root\SecurityCenter on Windows XP). The AntiVirusProduct class, which returns information about the installed antivirus, is not documented by Microsoft and is only supported on Windows desktop editions (Windows XP, Windows Vista and Windows 7). Also, the properties exposed by this class change depending on the Windows version. For example, in Windows XP these properties are available:

Namespace : SecurityCenter

AntiVirusProduct-Properties

companyName
displayName
enableOnAccessUIMd5Hash
enableOnAccessUIParameters
instanceGuid
onAccessScanningEnabled
pathToEnableOnAccessUI
pathToUpdateUI
productUptoDate
updateUIMd5Hash
updateUIParameters
versionNumber

And in Windows 7 and above:

Namespace : SecurityCenter2

displayName
instanceGuid
pathToSignedProductExe
pathToSignedReportingExe
productState

In this example we're working on Windows 10, so the properties that we can retrieve are the ones used in the following snippet:

public void getAntivirusName()
{
    // Query the Security Center namespace for every registered antivirus product.
    // Both the searcher and the result collection are disposable, so release them when done.
    using (ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntiVirusProduct"))
    using (ManagementObjectCollection data = wmiData.Get())
    {
        // More than one product can be registered, so iterate over all of them.
        foreach (ManagementObject virusChecker in data)
        {
            Console.WriteLine(virusChecker["displayName"]);
            Console.WriteLine(virusChecker["instanceGuid"]);
            Console.WriteLine(virusChecker["pathToSignedProductExe"]);
            Console.WriteLine(virusChecker["productState"]);
        }
    }
}

On our PC the code generates the following output:

Windows Defender
{xxxxxxxx-831F-xxxx-9EE-DA111111146}
windowsdefender://
397568

Note that the productState property returns a number whose interpretation changes depending on the antivirus product you have. In the examples below, the value in parentheses is the same number written in hexadecimal:

A. AVG Internet Security 2012 (from antivirusproduct WMI)

262144 (040000) = disabled and up to date

266240 (041000) = enabled and up to date

B. AVG Internet Security 2012 (from firewallproduct WMI)

266256 (041010) = firewall enabled - (last two blocks not relevant it seems for firewall)

262160 (040010) = firewall disabled - (last two blocks not relevant it seems for firewall)

C. Windows Defender

393472 (060100) = disabled and up to date

397584 (061110) = enabled and out of date

397568 (061100) = enabled and up to date

D. Microsoft Security Essentials

397312 (061000) = enabled and up to date

393216 (060000) = disabled and up to date
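The antivirus values listed above are all consistent with two bits of productState: 0x1000 is set whenever the product is reported as enabled, and 0x10 is set in the one sample reported as out of date. The following is an added example, not code from the original article, that decodes the value on that assumption and checks it against the article's own samples; `ProductStateDemo`, `Describe`, `EnabledBit` and `OutOfDateBit` are hypothetical names, and because the field is undocumented the bit meanings are an inference from these samples only.

```csharp
using System;

// Added example: heuristic decoder for productState, checked against this article's samples.
static class ProductStateDemo
{
    // Assumption inferred from the article's sample values (the field is undocumented):
    const uint EnabledBit   = 0x1000; // set in every "enabled" sample
    const uint OutOfDateBit = 0x0010; // set only in the "out of date" sample

    static string Describe(uint productState)
    {
        bool enabled = (productState & EnabledBit) != 0;
        bool outOfDate = (productState & OutOfDateBit) != 0;
        return (enabled ? "enabled" : "disabled") + " and " +
               (outOfDate ? "out of date" : "up to date");
    }

    static void Main()
    {
        // Antivirus values and labels copied from the list above (firewall values excluded).
        var samples = new[]
        {
            Tuple.Create("AVG Internet Security 2012", 262144u, "disabled and up to date"),
            Tuple.Create("AVG Internet Security 2012", 266240u, "enabled and up to date"),
            Tuple.Create("Windows Defender", 393472u, "disabled and up to date"),
            Tuple.Create("Windows Defender", 397584u, "enabled and out of date"),
            Tuple.Create("Windows Defender", 397568u, "enabled and up to date"),
            Tuple.Create("Microsoft Security Essentials", 397312u, "enabled and up to date"),
            Tuple.Create("Microsoft Security Essentials", 393216u, "disabled and up to date"),
        };

        foreach (var s in samples)
        {
            string decoded = Describe(s.Item2);
            // Print decimal, hexadecimal, the decoded state and whether it agrees with the article.
            Console.WriteLine("{0,-30} {1} (0x{1:X6}) -> {2} [{3}]",
                s.Item1, s.Item2, decoded,
                decoded == s.Item3 ? "matches article" : "MISMATCH");
        }
    }
}
```

On a live system, pass `Convert.ToUInt32(virusChecker["productState"])` from the snippet above to `Describe`. A product that uses a different layout will be misread, so treat the result as a hint and not as an authoritative health status.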

Happy coding !
