Here is an updated version of the script below, targeting Symantec Endpoint Protection on Windows 10 (and therefore the root\SecurityCenter2 WMI namespace, "WSC2", instead of root\SecurityCenter).
<blockquote>
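'============================== Updating =============================
'-- this is Microsoft, they WILL change things - to check for current structure to query, try this powershell command
'-- Get-CimInstance -Namespace root/SecurityCenter2 -Class AntiVirusProduct | Get-Member -MemberType Property
'-- For more info:
'-- https://social.msdn.microsoft.com/Forums/en-US/6501b87e-dda4-4838-93c3-244daa355d7c/wmisecuritycenter2-productstate?forum=vblanguage
'-- archived:
'-- https://archive.ph/PZLfq |
'-- http://web.archive.org/web/20201027102228/https://social.msdn.microsoft.com/Forums/en-US/6501b87e-dda4-4838-93c3-244daa355d7c/wmisecuritycenter2-productstate?forum=vblanguage
'-- Purpose: list every AntiVirusProduct instance registered in root\SecurityCenter2 and delete
'--          the instance whose displayName is exactly "Symantec Endpoint Protection".
'-- Argument 1 (optional) - iMsgMode: 1 prints the per-product details and any delete error;
'--          any value below 2 prints "Delete succeeded"; default is 0.
'-- Exit code: 0 when nothing failed (including "product not registered"), 1 when a delete failed.
Option Explicit
'* ------------------------- Global Variable Declarations ------------------------------
'-- Err is intentionally NOT declared: it is VBScript's built-in error object, and the delete
'-- check below needs that object rather than an empty variable of the same name.
Dim iMsgMode, strComputer, oWMI, colAV, objAntiVirusProduct, strAVGuid, strAV, strProdExe, strRepExe, strRawState, strState, strStatus, strUpToDate, strTs, strMsg, objSWbemServices, strInstance
Dim blnFailed, lngErrNumber, strErrDescription
'------------------------------------- Get Arguments ---------------------------------------------
'-- Arguments arrive as strings; convert once so the numeric comparisons below are well defined.
'-- A missing or non-numeric argument falls back to the default mode 0.
iMsgMode = 0
If WScript.Arguments.Count = 1 Then
    If IsNumeric(WScript.Arguments.Item(0)) Then
        iMsgMode = CLng(WScript.Arguments.Item(0))
    End If
End If
blnFailed = False
'============================== Main Script =============================
'--- Connect to WMI \root\SecurityCenter2\AntiVirusProduct
strComputer = "."
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter2")
Set colAV = oWMI.ExecQuery("Select * from AntiVirusProduct")
'--- Check to see if any AV products are registered with Windows Security Center
If colAV.Count > 0 Then
    ' --- Start loop for each AV product
    For Each objAntiVirusProduct In colAV
        ' -- Read the details straight from the enumerated instance. The earlier revision also ran a
        ' -- second ExecQuery with the GUID spliced into the WQL text; its result was never read and
        ' -- it overwrote colAV while the loop was running, so it has been dropped.
        strAVGuid = objAntiVirusProduct.instanceGuid
        strAV = objAntiVirusProduct.displayName
        strProdExe = objAntiVirusProduct.pathToSignedProductExe
        strRepExe = objAntiVirusProduct.pathToSignedReportingExe
        strState = Hex(objAntiVirusProduct.productState)
        ' -- Pad to six hex digits so the byte offsets below do not shift with the size of the value.
        strRawState = Right("000000" & strState, 6)
        ' -- Reset per product so an unrecognised state never shows the previous product's answer.
        strStatus = "Unknown"
        strUpToDate = "Unknown"
        ' -- NOTE(review): the productState byte meanings are the ones assumed by this script and the
        ' -- forum thread linked above; verify them against the products you manage.
        Select Case Mid(strRawState, 3, 2)
            Case "10", "11"
                strStatus = "Yes"
            Case "00", "01"
                strStatus = "No"
        End Select
        Select Case Mid(strRawState, 5, 2)
            Case "00"
                strUpToDate = "Yes"
            Case "10"
                strUpToDate = "No"
        End Select
        strTs = objAntiVirusProduct.timestamp
        strMsg = "This information was collected on: " & Date & " at " & Time & vbCrLf
        strMsg = strMsg & vbCrLf
        strMsg = strMsg & "GUID: " & strAVGuid & vbCrLf
        strMsg = strMsg & vbCrLf
        strMsg = strMsg & "Product Name: " & strAV & vbCrLf
        strMsg = strMsg & vbCrLf
        strMsg = strMsg & "Product State (raw): " & strRawState & vbCrLf
        strMsg = strMsg & vbCrLf
        strMsg = strMsg & "Product Enabled: " & strStatus & vbCrLf
        strMsg = strMsg & vbCrLf
        strMsg = strMsg & "Product Up To Date: " & strUpToDate & vbCrLf
        strMsg = strMsg & vbCrLf
        strMsg = strMsg & "Path To Signed Product Exe: [" & strProdExe & "]" & vbCrLf
        strMsg = strMsg & vbCrLf
        strMsg = strMsg & "Path To Signed Reporting Exe: [" & strRepExe & "]" & vbCrLf
        strMsg = strMsg & vbCrLf
        strMsg = strMsg & "WSC2 Data Timestamp: " & strTs & vbCrLf
        strMsg = strMsg & vbCrLf
        If iMsgMode = 1 Then
            WScript.Echo strMsg
        End If
        ' -- Check to see if the AntiVirusProduct.displayName = Symantec Endpoint Protection
        ' -- (exact, case-sensitive match; any other product is listed but left alone)
        If StrComp(strAV, "Symantec Endpoint Protection") = 0 Then
            If iMsgMode = 1 Then
                WScript.Echo "SEP Detected: " & strAVGuid & vbCrLf & " removing from WSC2!"
            End If
            ' -- Setup a connection to Wbem then delete SEP Instance.
            ' -- This removes only the registration record in root\SecurityCenter2; nothing is
            ' -- uninstalled or stopped by this script.
            ' -- NOTE(review): the delete presumably needs an elevated session - confirm on target hosts.
            strInstance = "AntiVirusProduct.instanceGuid='" & strAVGuid & "'"
            ' -- Trap errors only around the delete so every other failure still stops the script.
            ' -- The number and description are copied out because On Error GoTo 0 clears Err.
            On Error Resume Next
            Err.Clear
            Set objSWbemServices = GetObject("winmgmts:\\" & "." & "\root\SecurityCenter2")
            If Err.Number = 0 Then
                objSWbemServices.Delete strInstance
            End If
            lngErrNumber = Err.Number
            strErrDescription = Err.Description
            On Error GoTo 0
            If lngErrNumber <> 0 Then ' -- Check if error deleting instance
                blnFailed = True
                If iMsgMode = 1 Then ' - Display error message
                    WScript.Echo "Error Deleting SEP Instance:" & vbCrLf & lngErrNumber & " " & strErrDescription
                End If ' - Display error message
            Else
                If iMsgMode < 2 Then ' - Display success message
                    WScript.Echo "Delete succeeded"
                End If ' - Display success message
            End If ' -- Check if error deleting instance
            ' Release SwbemServices object
            Set objSWbemServices = Nothing
        End If
    Next ' --- process next AV product
Else ' --- No AV products are registered
    If iMsgMode = 1 Then ' - Display message
        WScript.Echo "No Anti Virus Products registered"
    End If ' - Display message
End If
' --- Release all resources
Set objAntiVirusProduct = Nothing
Set colAV = Nothing
Set oWMI = Nothing
' --- The earlier revision had the two exit codes swapped relative to its own comments.
If blnFailed Then
    WScript.Quit(1) ' --- Quit with errors
Else
    WScript.Quit(0) ' --- Quit, no errors
End If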
</blockquote>
Original Message:
Sent: 09-15-2009 03:05 PM
From: Migration User
Subject: Remove SAV from Windows Security Center
In case anyone else needs this, here is a VBScript (.vbs) script to remove SAV from Windows Security Center. Thanks for pointing me in the right direction with Wbem!
<blockquote>
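'*******************************************************************************
'* Script: RmvSavWSC.vbs
'* Purpose: Removes Sav from Windows Security Center
'*          (deletes the AntiVirusProduct instance in root\SecurityCenter whose
'*          companyName is exactly "Symantec Corporation"; nothing is uninstalled)
'* Parameters:
'* 1 - iMsgMode
'* (0 = Minimal Messages ; 1 = Display Debug Messages;
'* 2 = Login Script No Msgs) - Default = Minimal Msgs
'* Returns: 0 - If successful Sav removed or sav not detected
'* 1 - If error removing sav
'* Created: 2009/09/15
'* Created by: Chris Thibeau
'* Supported OS: XP
'*******************************************************************************
Option Explicit
'* ------------------------- Global Variable Declarations ------------------------------
'-- Err is intentionally NOT declared: it is VBScript's built-in error object, and the delete
'-- check below needs that object rather than an empty variable of the same name.
Dim iMsgMode, strComputer, oWMI, colAV, objAntiVirusProduct, strAVGuid, strCompany, strAV, strScanning, strUptodate, strMsg, objSWbemServices, strInstance
Dim blnFailed, lngErrNumber, strErrDescription
'------------------------------------- Get Arguments ---------------------------------------------
'-- Arguments arrive as strings; convert once so the numeric comparisons below are well defined.
'-- A missing or non-numeric argument falls back to the default mode 0.
iMsgMode = 0
If WScript.Arguments.Count = 1 Then
    If IsNumeric(WScript.Arguments.Item(0)) Then
        iMsgMode = CLng(WScript.Arguments.Item(0))
    End If
End If
blnFailed = False
'============================== Main Script =============================
'--- Connect to WMI \root\SecurityCenter\AntiVirusProduct
strComputer = "."
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")
Set colAV = oWMI.ExecQuery("Select * from AntiVirusProduct")
'--- Check to see if any AV products are registered with Windows Security Center
If colAV.Count > 0 Then
    ' --- Start loop for each AV product
    For Each objAntiVirusProduct In colAV
        ' -- Read the details straight from the enumerated instance. The earlier revision also ran a
        ' -- second ExecQuery with the GUID spliced into the WQL text; its result was never read and
        ' -- it overwrote colAV while the loop was running, so it has been dropped.
        strAVGuid = objAntiVirusProduct.instanceGuid
        strCompany = objAntiVirusProduct.companyName
        strAV = objAntiVirusProduct.displayName
        strScanning = objAntiVirusProduct.onAccessScanningEnabled
        strUptodate = objAntiVirusProduct.productUptoDate
        strMsg = "This information was collected on: " & Date & " at " & Time & vbCrLf
        strMsg = strMsg & "GUID: " & strAVGuid & vbCrLf
        strMsg = strMsg & "Manufacturer: " & strCompany & vbCrLf
        strMsg = strMsg & "Product: " & strAV & vbCrLf
        strMsg = strMsg & "Scanning Enabled? " & strScanning & vbCrLf
        strMsg = strMsg & "Definitions UptoDate? " & strUptodate & vbCrLf
        strMsg = strMsg & vbCrLf
        If iMsgMode = 1 Then
            WScript.Echo strMsg
        End If
        ' -- Check to see if the AntiVirusProduct.companyName = Symantec
        ' -- (exact, case-sensitive match; any other vendor is listed but left alone)
        If StrComp(strCompany, "Symantec Corporation") = 0 Then
            If iMsgMode = 1 Then
                WScript.Echo "SAV Detected: " & strAVGuid & vbCrLf & " removing from WSC!"
            End If
            ' -- Setup a connection to Wbem then delete Sav Instance.
            ' -- This removes only the registration record in root\SecurityCenter.
            strInstance = "AntiVirusProduct.instanceGuid='" & strAVGuid & "'"
            ' -- Trap errors only around the delete so every other failure still stops the script.
            ' -- The number and description are copied out because On Error GoTo 0 clears Err.
            On Error Resume Next
            Err.Clear
            Set objSWbemServices = GetObject("winmgmts:\\" & "." & "\root\SecurityCenter")
            If Err.Number = 0 Then
                objSWbemServices.Delete strInstance
            End If
            lngErrNumber = Err.Number
            strErrDescription = Err.Description
            On Error GoTo 0
            If lngErrNumber <> 0 Then ' -- Check if error deleting instance
                blnFailed = True
                If iMsgMode = 1 Then ' - Display error message
                    WScript.Echo "Error Deleting Sav Instance:" & vbCrLf & lngErrNumber & " " & strErrDescription
                End If ' - Display error message
            Else
                If iMsgMode < 2 Then ' - Display success message
                    WScript.Echo "Delete succeeded"
                End If ' - Display success message
            End If ' -- Check if error deleting instance
            ' Release SwbemServices object
            Set objSWbemServices = Nothing
        End If
    Next ' --- process next AV product
Else ' --- No AV products are registered
    If iMsgMode = 1 Then ' - Display message
        WScript.Echo "No Anti Virus Products registered"
    End If ' - Display message
End If
' --- Release all resources
Set objAntiVirusProduct = Nothing
Set colAV = Nothing
Set oWMI = Nothing
' --- Exit codes follow the header: 0 on success or "not detected", 1 when a delete failed.
' --- The earlier revision had the two calls swapped relative to its own comments.
If blnFailed Then
    WScript.Quit(1) ' --- Quit with errors
Else
    WScript.Quit(0) ' --- Quit, no errors
End If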
</blockquote>