PowerShell: how to get antivirus product details

Iro*_*nic 6 powershell

We have more than 1500 servers, running Windows 2003, 2008 and 2012. I have to collect the antivirus software details (product name and version) from these servers. There may be several different antivirus products. I am not sure whether a PowerShell script can run on the 2003 servers.

So far I have tried the script below, but it did not give me anything useful.

$av = get-wmiobject -class "Win32_Product" -namespace "root\cimv2" `
              -computername "." -filter "Name like '%antivirus%'"

The script below works fine on client operating systems.

$wmiQuery = "SELECT * FROM AntiVirusProduct"
$AntivirusProduct = Get-WmiObject -Namespace "root\SecurityCenter2" -Query $wmiQuery @psboundparameters # -ErrorVariable myError -ErrorAction 'SilentlyContinue'
Write-Host $AntivirusProduct.displayName

Can someone advise me on this? I am trying to get the antivirus details (product and version); what do I need to do for Windows Server 2003?

小智 10

You are on the right track; the following PowerShell script works.

function Get-AntiVirusProduct {
    [CmdletBinding()]
    param (
        [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
        [Alias('name')]
        $computername = $env:computername
    )

    #$AntivirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Query $wmiQuery  @psboundparameters # -ErrorVariable myError -ErrorAction 'SilentlyContinue' # did not work
    $AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername

    $ret = @()
    foreach ($AntiVirusProduct in $AntiVirusProducts) {
        #Switch to determine the status of antivirus definitions and real-time protection.
        #The values in this switch-statement are retrieved from the following website: http://community.kaseya.com/resources/m/knowexch/1020.aspx
        switch ($AntiVirusProduct.productState) {
            "262144" {$defstatus = "Up to date"  ; $rtstatus = "Disabled"}
            "262160" {$defstatus = "Out of date" ; $rtstatus = "Disabled"}
            "266240" {$defstatus = "Up to date"  ; $rtstatus = "Enabled"}
            "266256" {$defstatus = "Out of date" ; $rtstatus = "Enabled"}
            "393216" {$defstatus = "Up to date"  ; $rtstatus = "Disabled"}
            "393232" {$defstatus = "Out of date" ; $rtstatus = "Disabled"}
            "393488" {$defstatus = "Out of date" ; $rtstatus = "Disabled"}
            "397312" {$defstatus = "Up to date"  ; $rtstatus = "Enabled"}
            "397328" {$defstatus = "Out of date" ; $rtstatus = "Enabled"}
            "397584" {$defstatus = "Out of date" ; $rtstatus = "Enabled"}
            default  {$defstatus = "Unknown"     ; $rtstatus = "Unknown"}
        }

        #Create hash-table for each computer
        $ht = @{}
        $ht.Computername = $computername
        $ht.Name = $AntiVirusProduct.displayName
        $ht.'Product GUID' = $AntiVirusProduct.instanceGuid
        $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe
        $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe
        $ht.'Definition Status' = $defstatus
        $ht.'Real-time Protection Status' = $rtstatus

        #Create a new object for each computer
        $ret += New-Object -TypeName PSObject -Property $ht
    }
    return $ret
}
Get-AntiVirusProduct

Output:

Product GUID                : {B0D0C4F4-7F0B-0434-B825-1213C45DAE01}
Name                        : CylancePROTECT
Real-time Protection Status : Enabled
Computername                : HOSTNAME
Product Executable          : C:\Program Files\Cylance\Desktop\CylanceSvc.exe
Reporting Exe               : C:\Program Files\Cylance\Desktop\CylanceSvc.exe
Definition Status           : Up to date

Product GUID                : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
Name                        : Windows Defender
Real-time Protection Status : Unknown
Computername                : HOSTNAME
Product Executable          : windowsdefender://
Reporting Exe               : %ProgramFiles%\Windows Defender\MsMpeng.exe
Definition Status           : Unknown

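An added example (not part of the answer above) that replaces the fixed productState lookup with a bitmask decode and probes for the namespace before querying. The bit meanings are inferred from the ten values in the answer's table: every value the table marks "Enabled" has bit 0x1000 set, and every value marked "Out of date" has bit 0x10 set, so a state that is missing from the table (the Windows Defender row in the output above came back as Unknown) still decodes. The namespace probe matters for the question's servers: root\SecurityCenter2 exists only on client editions of Windows (Vista and later; XP used root\SecurityCenter), so the answer's query cannot return anything from Server 2003, 2008 or 2012. The function names and the three sample state values are this example's own.

```powershell
# Added example, not the answer's code. Decodes AntiVirusProduct.productState by
# bitmask instead of a fixed table. Bit assignments are inferred from the answer's
# ten table rows: 0x1000 = real-time protection on, 0x10 = definitions out of date.

function ConvertFrom-AvProductState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [uint32]$ProductState
    )
    process {
        $rt   = if ($ProductState -band 0x1000) { 'Enabled' }     else { 'Disabled' }
        $defs = if ($ProductState -band 0x10)   { 'Out of date' } else { 'Up to date' }
        [PSCustomObject]@{
            ProductState       = $ProductState
            Hex                = '0x{0:X6}' -f $ProductState
            RealTimeProtection = $rt
            DefinitionStatus   = $defs
        }
    }
}

function Test-SecurityCenter2 {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # __NAMESPACE instances under root list the namespaces the host actually has.
    # Server SKUs (2003/2008/2012) do not ship the Security Center WMI provider.
    $ns = Get-WmiObject -Namespace 'root' -Class '__NAMESPACE' -ComputerName $ComputerName -ErrorAction SilentlyContinue
    return [bool]($ns | Where-Object { $_.Name -eq 'SecurityCenter2' })
}

function Get-AvProductStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)
    if (-not (Test-SecurityCenter2 -ComputerName $ComputerName)) {
        Write-Warning "$ComputerName has no root\SecurityCenter2 namespace (server SKU or pre-Vista); inventory it from the registry or service list instead."
        return
    }
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class 'AntiVirusProduct' -ComputerName $ComputerName |
        ForEach-Object {
            $decoded = ConvertFrom-AvProductState -ProductState $_.productState
            [PSCustomObject]@{
                ComputerName       = $ComputerName
                Name               = $_.displayName
                ProductState       = $decoded.Hex
                RealTimeProtection = $decoded.RealTimeProtection
                DefinitionStatus   = $decoded.DefinitionStatus
                ProductExe         = $_.pathToSignedProductExe
            }
        }
}

# Constructed sample states (not captured from a real host): the first two appear in
# the answer's table; the third does not, and the table's switch would report it as Unknown.
266240, 393488, 397568 | ConvertFrom-AvProductState | Format-Table -AutoSize

# Live query of the local machine; on a server SKU this prints the warning and nothing else.
Get-AvProductStatus | Format-Table -AutoSize
```

Treat the decoded flags as a hint rather than proof: productState is whatever the vendor reports to Security Center, so a product that is installed but never registered with Security Center does not appear at all, which is the second reason to cross-check against the Uninstall registry keys on every host.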

sod*_*low 4

You can query the registry instead of relying on running processes:

$computerList = "localhost", "localhost"
$filter = "antivirus"

$results = @()
foreach ($computerName in $computerList) {

    # Needs the Remote Registry service running on the target and admin rights there.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $computerName)
    $regPathList = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
                   "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

    foreach ($regPath in $regPathList) {
        # OpenSubKey returns $null when the path is absent (no Wow6432Node on 32-bit hosts),
        # so $key is only used, and closed, inside this block; Close() on $null would throw.
        if ($key = $hive.OpenSubKey($regPath)) {
            if ($subkeyNames = $key.GetSubKeyNames()) {
                foreach ($subkeyName in $subkeyNames) {
                    $productKey = $key.OpenSubKey($subkeyName)
                    $productName = $productKey.GetValue("DisplayName")
                    $productVersion = $productKey.GetValue("DisplayVersion")
                    $productComments = $productKey.GetValue("Comments")
                    if (($productName -match $filter) -or ($productComments -match $filter)) {
                        $resultObj = [PSCustomObject]@{
                            Host = $computerName
                            Product = $productName
                            Version = $productVersion
                            Comments = $productComments
                        }
                        $results += $resultObj
                    }
                    $productKey.Close()
                }
            }
            $key.Close()
        }
    }
    $hive.Close()
}

$results | Format-Table -AutoSize

Sample output:

Host      Product              Version   Comments
----      -------              -------   --------
localhost Avast Free Antivirus 10.4.2233         
localhost Avast Free Antivirus 10.4.2233         
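An added example (not the answer's code) of the same Uninstall-key inventory, read through WMI's StdRegProv class instead of OpenRemoteBaseKey. OpenRemoteBaseKey needs the Remote Registry service running on every target; StdRegProv rides the same DCOM channel Get-WmiObject uses and needs no PowerShell on the target, so it also reaches the Server 2003 hosts in the question. A Win32_Service query is included as a second signal, because an installed product whose service is stopped protects nothing. The vendor-name regex, the function names and the host list are assumptions made here; run it from an account that is a local administrator on the targets.

```powershell
# Added example, not the answer's code. Reads the Uninstall keys over WMI (StdRegProv),
# which works against Server 2003 with no PowerShell and no Remote Registry service there.

$HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE as StdRegProv expects it
$uninstallPaths = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

# Assumed vendor list: the word "antivirus" alone misses products such as CylancePROTECT.
$filter = 'antivirus|anti-virus|defender|endpoint protection|cylance|sophos|mcafee|symantec|trend micro|kaspersky|eset'

function Get-RegString($reg, [string]$key, [string]$name) {
    # GetStringValue returns ReturnValue 0 on success and the data in sValue.
    $r = $reg.GetStringValue($HKLM, $key, $name)
    if ($r.ReturnValue -eq 0) { $r.sValue } else { $null }
}

function Get-InstalledAv {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    try {
        $reg = [wmiclass]"\\$ComputerName\root\default:StdRegProv"
    } catch {
        Write-Warning "${ComputerName}: WMI unreachable ($($_.Exception.Message))"
        return
    }
    foreach ($path in $uninstallPaths) {
        $enum = $reg.EnumKey($HKLM, $path)
        # Non-zero ReturnValue means the key is absent (no Wow6432Node on 32-bit Server 2003).
        if ($enum.ReturnValue -ne 0 -or -not $enum.sNames) { continue }
        foreach ($sub in $enum.sNames) {
            $key  = "$path\$sub"
            $name = Get-RegString $reg $key 'DisplayName'
            if (-not $name) { continue }          # update entries and GUID-only keys have no name
            $publisher = Get-RegString $reg $key 'Publisher'
            if ("$name $publisher" -match $filter) {
                [PSCustomObject]@{
                    ComputerName = $ComputerName
                    Product      = $name
                    Version      = Get-RegString $reg $key 'DisplayVersion'
                    Publisher    = $publisher
                    Source       = $path
                }
            }
        }
    }
}

function Get-RunningAvService {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # Installed is not the same as running: report the matching services and their state.
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { ($_.DisplayName + ' ' + $_.PathName) -match $filter } |
        Select-Object @{n = 'ComputerName'; e = { $ComputerName }}, Name, DisplayName, State, StartMode, PathName
}

# Constructed host list; replace with Get-ADComputer output or a file of the 1500 server names.
$computerList = 'localhost'

$installed = foreach ($c in $computerList) { Get-InstalledAv -ComputerName $c }
$installed | Sort-Object ComputerName, Product | Format-Table -AutoSize

$services = foreach ($c in $computerList) { Get-RunningAvService -ComputerName $c }
$services | Format-Table -AutoSize
```

Both queries run per host, so for 1500 servers wrap the loop in a job or runspace pool and export the two result sets with Export-Csv; a host that appears in the installed list but has no running service, or in neither, is the one to follow up on.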