
Monitoring AntiVirus status with PowerShell


Background information

NinjaOne doesn't currently support native AV monitoring via Windows Security Center: the AV packages it integrates with are monitored, but what if you need more? Windows Security Center registers every AV product on a client machine in the AntivirusProduct class of the root/SecurityCenter2 WMI namespace, and each entry carries a productState value that encodes whether the product is enabled and whether its definitions are current. The script below reads that class, writes the decoded result to a custom field and exits with a code the monitors can key on.

Creating Fields

We're going to create one role custom field for devices with the Windows Desktop or Windows Laptop role (the root/SecurityCenter2 namespace only exists on client SKUs, so don't scope this to servers):

| Field Name | Field Type | Description |
| --- | --- | --- |
| Detailed AV Status | Multi-Line | Output for each configured AV on the system, including name and status information. The script writes to it by its script name, detailedAVStatus. |

The Script

Get-WindowsAVStatus.ps1
[CmdletBinding()]
param()

function ConvertTo-Hex ([UInt32]$StatusCode) {
    # Pad to six hex digits with no 0x prefix so the byte offsets used below are stable
    # whatever the leading digit is. productState is laid out as three bytes, 0xPPEEUU:
    # PP = product/owner flags, EE = enabled state, UU = definition (up-to-date) state.
    '{0:x6}' -f $StatusCode
}
function Get-WindowsAVStatus {
    $CIMParameters = @{
        Namespace   = 'root/SecurityCenter2'
        ClassName   = 'AntivirusProduct'
        ErrorAction = 'Stop'
    }
    # root/SecurityCenter2 does not exist on server SKUs; the query throws there, which is
    # why this is scoped to the Windows Desktop and Windows Laptop roles.
    $AVProducts = Get-CimInstance @CIMParameters
    $Results = foreach ($AVProduct in $AVProducts) {
        Write-Verbose ('Found {0}' -f $AVProduct.DisplayName)
        $StatusHex = ConvertTo-Hex -StatusCode $AVProduct.ProductState
        # Enabled byte: 00 or 01 means the product is off or snoozed; anything else is on.
        $EnabledHex = $StatusHex.Substring(2, 2)
        if ($EnabledHex -in @('00', '01')) {
            Write-Verbose ('{0} is not enabled' -f $AVProduct.DisplayName)
            $Enabled = $False
        } else {
            Write-Verbose ('{0} is enabled' -f $AVProduct.DisplayName)
            $Enabled = $True
        }
        # Definition byte: 00 means definitions are current; 10 means they are out of date.
        $UpToDateHex = $StatusHex.Substring(4, 2)
        if ($UpToDateHex -eq '00') {
            Write-Verbose ('{0} is up-to-date' -f $AVProduct.DisplayName)
            $UpToDate = $True
        } else {
            Write-Verbose ('{0} is not up-to-date' -f $AVProduct.DisplayName)
            $UpToDate = $False
        }
        [PSCustomObject]@{
            Product  = $AVProduct.DisplayName
            Enabled  = $Enabled
            UpToDate = $UpToDate
            Path     = $AVProduct.PathToSignedProductExe
        }
    }
    # This part is somewhat specific to NinjaOne - feel free to reach out to @homotechsual on MSPs R Us or MSP Geek if you want a hand getting this going for your RMM.
    # -InputObject @() keeps the JSON an array even when only one product is registered.
    Ninja-Property-Set detailedAVStatus (ConvertTo-Json -InputObject @($Results))
    # Exit codes drive the monitors: 1 = at least one product not enabled, 2 = at least one
    # product out of date, 0 = healthy. An empty result (nothing registered with Security
    # Center) is treated as "not enabled" so it cannot report the device as healthy.
    if (-not $Results -or @($Results | Where-Object { -not $_.Enabled }).Count -gt 0) {
        Exit 1
    } elseif (@($Results | Where-Object { -not $_.UpToDate }).Count -gt 0) {
        Exit 2
    } else {
        Exit 0
    }
}

Get-WindowsAVStatus

Get-WindowsAVStatus

Monitoring

The script's exit codes support two monitors. Note that exit code 1 takes precedence: a device with one disabled product and another with stale definitions only trips the first monitor, so treat "AV Not Enabled" as the higher-severity alert.

AV Not Enabled

Set up a script result condition monitor that runs this script and checks for an exit code of 1 (at least one registered AV product is not enabled, or none is registered at all).

(Screenshot: AV Not Enabled condition)

(Screenshot: AV Not Enabled monitor)

AV Not Up-To-Date

Set up a second script result condition monitor that runs this script and checks for an exit code of 2 (every product is enabled, but at least one has out-of-date definitions).

(Screenshot: condition for the AV Not Up-To-Date monitor)

(Screenshot: AV Not Up-To-Date monitor)
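Before wiring the conditions up it is worth checking which exit code, and therefore which monitor, a given set of productState values would produce. The following is an added example and not part of the original post or the script above: it decodes productState values offline (the same byte layout the script uses) and applies the exit-code rules, including the precedence of "not enabled" over "not up-to-date" and the empty-result case. The function names ConvertFrom-AVProductState and Get-AVMonitorExitCode and the sample productState values are constructed for this example; the values are ones commonly seen in the field but should be confirmed against your own fleet.

```powershell
# Added example, not part of the original post: decode productState values offline and work out
# which exit code (and so which monitor) a set of products would trigger. Sample values are
# constructed; confirm them on real devices before relying on them.
function ConvertFrom-AVProductState {
    [CmdletBinding()]
    param([Parameter(Mandatory)][UInt32]$ProductState)

    # productState is a 24-bit value laid out as three bytes, 0xPPEEUU:
    #   PP = product/owner flags, EE = enabled state, UU = definition (up-to-date) state.
    $Hex = '{0:x6}' -f $ProductState
    [PSCustomObject]@{
        ProductState = $ProductState
        Hex          = '0x' + $Hex
        # 00 or 01 in the enabled byte means off or snoozed; anything else is treated as on.
        Enabled      = $Hex.Substring(2, 2) -notin @('00', '01')
        # 00 in the definition byte means current; 10 means out of date.
        UpToDate     = $Hex.Substring(4, 2) -eq '00'
    }
}

function Get-AVMonitorExitCode {
    param([AllowEmptyCollection()][object[]]$Products)

    # No registered product at all is treated as "not enabled" (exit 1): an empty result
    # should raise the alert, not report a healthy device.
    if (-not $Products -or $Products.Count -eq 0) { return 1 }
    if (@($Products | Where-Object { -not $_.Enabled }).Count -gt 0) { return 1 }
    if (@($Products | Where-Object { -not $_.UpToDate }).Count -gt 0) { return 2 }
    return 0
}

# Constructed test vectors (assumed typical values). Collect real ones from a device with:
#   Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | Select-Object displayName, productState
$Samples = @(
    @{ Name = 'Defender, on, definitions current';  State = 397568 }   # 0x061100
    @{ Name = 'Defender, on, definitions stale';    State = 397584 }   # 0x061110
    @{ Name = 'Defender, off (third-party active)'; State = 393472 }   # 0x060100
    @{ Name = 'Third-party, on, current';           State = 266240 }   # 0x041000
)

foreach ($Sample in $Samples) {
    $Decoded  = ConvertFrom-AVProductState -ProductState $Sample.State
    $ExitCode = Get-AVMonitorExitCode -Products @($Decoded)
    '{0,-36} {1} Enabled={2,-5} UpToDate={3,-5} ExitCode={4}' -f $Sample.Name, $Decoded.Hex, $Decoded.Enabled, $Decoded.UpToDate, $ExitCode
}

# A device with one stale product and one disabled product: "not enabled" wins, so only the
# exit-code-1 monitor fires.
$Mixed = $Samples[1..2] | ForEach-Object { ConvertFrom-AVProductState -ProductState $_.State }
Get-AVMonitorExitCode -Products $Mixed

# Nothing registered with Security Center at all is also exit code 1.
Get-AVMonitorExitCode -Products @()
```

Run this in a normal PowerShell session on any machine; nothing here touches WMI, so it also works on a server or in CI. Once the decoded columns match what Windows Security shows for a handful of real devices, the exit codes the two monitors expect are known to be right.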