Monitoring Windows security products

I came across the WMI namespaces ROOT\SecurityCenter (XP) and ROOT\SecurityCenter2 (Vista+) while doing some research. These namespaces provide the product and state for AntiVirus, AntiSpyware (SecurityCenter2 only), and Firewall as recognized by Windows.

Since WLS provides a generic interface for WMI logging, I created the entries and updated the configuration. I have both XP and Windows 7 systems and each has its own namespace, so I'll need two AntiVirus and Firewall entries, but only one AntiSpyware, and I'd like the information reported every 24 hours. The update to the configuration looks like this:

<WLS>
  <Config>
    <WMI>
      <AntiSpyware2>
        <Enabled>1</Enabled>
        <Class>AntiSpywareProduct</Class>
        <Interval>86400</Interval>
        <Namespace>ROOT\SecurityCenter2</Namespace>
      </AntiSpyware2>
      <AntiVirus>
        <Enabled>1</Enabled>
        <Class>AntiVirusProduct</Class>
        <Interval>86400</Interval>
        <Namespace>ROOT\SecurityCenter</Namespace>
      </AntiVirus>
      <AntiVirus2>
        <Enabled>1</Enabled>
        <Class>AntiVirusProduct</Class>
        <Interval>86400</Interval>
        <Namespace>ROOT\SecurityCenter2</Namespace>
      </AntiVirus2>
      <Firewall>
        <Enabled>1</Enabled>
        <Class>FirewallProduct</Class>
        <Interval>86400</Interval>
        <Namespace>ROOT\SecurityCenter</Namespace>
      </Firewall>
      <Firewall2>
        <Enabled>1</Enabled>
        <Class>FirewallProduct</Class>
        <Interval>86400</Interval>
        <Namespace>ROOT\SecurityCenter2</Namespace>
      </Firewall2> 
    </WMI> 
  </Config> 
</WLS> 

The ROOT\SecurityCenter namespace may be invalid on Vista+, and the ROOT\SecurityCenter2 namespace is invalid on XP; WLS will report the error once at startup and disable the offending WMI entry.

The logs generated after applying the configuration look like this:

2013-09-04T16:15:50-05:00 [host] WLS_WMI: LogType="WindowsEventLog", GroupID="8", MonitorName="AntiSpyware2", WLSKey="3635", displayName="Symantec Endpoint Protection", instanceGuid="{D8BEB080-B73A-17E3-1B37-B6B462689202}", pathToSignedProductExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\WSCSavNotifier.exe", pathToSignedReportingExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe", productState="462848"

2013-09-04T16:08:31-05:00 [host] WLS_WMI: LogType="WindowsEventLog", GroupID="2", MonitorName="AntiVirus", WLSKey="2", companyName="Symantec Corporation", displayName="Symantec Endpoint Protection", instanceGuid="{FB06448E-52B8-493A-90F3-E43226D3305C}", onAccessScanningEnabled="True", productUptoDate="True", versionNumber="11.0.7200.155"

2013-09-04T16:15:50-05:00 [host] WLS_WMI: LogType="WindowsEventLog", GroupID="10", MonitorName="AntiVirus2", WLSKey="3636", displayName="Symantec Endpoint Protection", instanceGuid="{63DF5164-9100-186D-2187-8DC619EFD8BF}", pathToSignedProductExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\WSCSavNotifier.exe", pathToSignedReportingExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe", productState="462848"

2013-09-04T16:08:32-05:00 [host] WLS_WMI: LogType="WindowsEventLog", GroupID="5", MonitorName="Firewall", WLSKey="5", companyName="Symantec Corporation.", displayName="Symantec Endpoint Protection", enabled="True", instanceGuid="{BE898FE3-CD0B-4014-85A9-03DB9923DDB6}", versionNumber="10.0"

2013-09-04T16:15:50-05:00 [host] WLS_WMI: LogType="WindowsEventLog", GroupID="13", MonitorName="Firewall2", WLSKey="3638", displayName="Symantec Endpoint Protection", instanceGuid="{5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}", pathToSignedProductExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe", pathToSignedReportingExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe", productState="266256"

The information from ROOT\SecurityCenter has explicit fields such as "displayName", "enabled", "productUptoDate", and "onAccessScanningEnabled"; whereas ROOT\SecurityCenter2 gives us only "displayName" and "productState". The productState is returned as a decimal integer; read as a hex value, its digits carry the same enabled and up-to-date information, just encoded.

A bit more research turned up some helpful posts, notably http://neophob.com/2010/03/wmi-query-windows-securitycenter2/, which led to the creation of a `decodeProductState` macro. The macro converts the productState to hex, trims the leading "0x", and adds a leading 0 to pad the result to 6 digits. Each pair of hex digits represents a state, so I split them that way for ease of reuse. Then specific values are checked for enabled (first digit of the second pair is 1) and productUptoDate (third pair is 00) and assigned to enabled2 and productUptoDate2. Since there will be mixed results from ROOT\SecurityCenter and ROOT\SecurityCenter2, coalesce is used to keep the first non-null value of enabled or enabled2, and of productUptoDate or productUptoDate2, assigning the result back to enabled and productUptoDate.

eval productStateHex="0".substr(tostring(productState,"hex"),3)
| eval productStateHex1=substr(productStateHex,1,2)
| eval productStateHex2=substr(productStateHex,3,2)
| eval productStateHex3=substr(productStateHex,5,2)
| eval enabled2=if(substr(productStateHex2,1,1)="1","True","False")
| eval productUptoDate2=if(productStateHex3="00","True","False")
| eval enabled=coalesce(enabled,enabled2)
| eval productUptoDate=coalesce(productUptoDate,productUptoDate2)

Finally I created a simple dashboard to display the results. This will get more refined as it's utilized, but it's a good starting point. This data can also be used to drive alerts if more than a certain percent or count of your hosts have outdated definitions, or to check for hosts that don't have any products installed at all.
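For anyone who wants to check the decoding outside Splunk, or run the same outdated-definitions check over exported WLS logs, here is the macro's logic and the coalesce step as a standalone Python example. This is added code, not part of WLS or of the original post; the log lines, hostnames and GUIDs in it are constructed placeholders modelled on the entries above, and the pad uses zfill(6) rather than a fixed leading "0", which gives the same result for the 5-digit values shown and also handles a productState that is already 6 hex digits.

```python
import re

# Constructed sample WLS_WMI lines (placeholder hosts and GUIDs), one from
# ROOT\SecurityCenter (explicit fields) and two from ROOT\SecurityCenter2
# (productState only). 397328 is 0x61010: enabled, definitions out of date.
SAMPLE_LOGS = [
    '2013-09-04T16:08:31-05:00 hostA WLS_WMI: LogType="WindowsEventLog", GroupID="2", '
    'MonitorName="AntiVirus", WLSKey="2", companyName="Symantec Corporation", '
    'displayName="Symantec Endpoint Protection", '
    'instanceGuid="{00000000-0000-0000-0000-000000000001}", '
    'onAccessScanningEnabled="True", productUptoDate="True", versionNumber="11.0.7200.155"',
    '2013-09-04T16:15:50-05:00 hostB WLS_WMI: LogType="WindowsEventLog", GroupID="10", '
    'MonitorName="AntiVirus2", WLSKey="3636", displayName="Symantec Endpoint Protection", '
    'instanceGuid="{00000000-0000-0000-0000-000000000002}", productState="462848"',
    '2013-09-04T16:15:50-05:00 hostC WLS_WMI: LogType="WindowsEventLog", GroupID="10", '
    'MonitorName="AntiVirus2", WLSKey="3640", displayName="Example AV", '
    'instanceGuid="{00000000-0000-0000-0000-000000000003}", productState="397328"',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) WLS_WMI: (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def decode_product_state(product_state):
    """Mirror the decodeProductState macro: hex, pad to 6 digits, split into pairs."""
    hex_digits = format(int(product_state), "x").zfill(6)
    pairs = (hex_digits[0:2], hex_digits[2:4], hex_digits[4:6])
    return {
        "productStateHex": hex_digits,
        "pairs": pairs,
        # enabled2: first digit of the second pair is 1
        "enabled": pairs[1][0] == "1",
        # productUptoDate2: third pair is 00
        "productUptoDate": pairs[2] == "00",
    }


def parse_wls_wmi(line):
    """Parse one WLS_WMI log line into a dict of its key="value" fields."""
    match = LINE_RE.match(line)
    if not match:
        return None
    record = {"timestamp": match.group("ts"), "host": match.group("host")}
    record.update(KV_RE.findall(match.group("body")))
    return record


def normalize(record):
    """Coalesce step: keep SecurityCenter's explicit fields, otherwise decode productState."""
    out = dict(record)
    if "productState" in record:
        decoded = decode_product_state(record["productState"])
        out["productStateHex"] = decoded["productStateHex"]
        # setdefault keeps an existing value, like coalesce(enabled, enabled2)
        out.setdefault("enabled", "True" if decoded["enabled"] else "False")
        out.setdefault("productUptoDate", "True" if decoded["productUptoDate"] else "False")
    return out


def outdated_definition_hosts(records):
    """Hosts whose AntiVirus entry (either namespace) reports definitions not up to date."""
    return sorted({
        r["host"] for r in records
        if r.get("MonitorName", "").startswith("AntiVirus")
        and r.get("productUptoDate") == "False"
    })


def outdated_percent(records):
    """Percent of hosts with an AntiVirus entry whose definitions are out of date."""
    hosts = {r["host"] for r in records if r.get("MonitorName", "").startswith("AntiVirus")}
    if not hosts:
        return 0.0
    return 100.0 * len(outdated_definition_hosts(records)) / len(hosts)


if __name__ == "__main__":
    parsed = [normalize(parse_wls_wmi(line)) for line in SAMPLE_LOGS]
    for rec in parsed:
        print(rec["host"], rec["MonitorName"], rec.get("enabled"), rec.get("productUptoDate"))
    print("outdated:", outdated_definition_hosts(parsed), f"{outdated_percent(parsed):.0f}%")
```

The same thresholds the post mentions for alerting (a count or a percent of hosts with outdated definitions) fall out of the two summary functions, so the decoding only has to be maintained in one place.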

[Image: productexample (dashboard screenshot)]

Have other ideas for using the data WLS provides? Let me know in the comments below or via the contact form.

What is WLS?

If you’d like more information on WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.
