Identifying Antivirus Engine State

by Sep 7, 2020

In the previous tip you learned how you can query WMI to find out the antivirus product present on your Windows machine:

$info = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct

$info

The ProductState property encodes additional pieces of information, telling you whether the AV engine is operational and whether it uses up-to-date signatures. Unfortunately, the information comes as a single number in which each piece of information lives in its own group of bits (a bit flag):

PS> $info = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct

PS> $info.productState
397568

To decipher the meaning of the individual bits inside the number, you can use PowerShell’s new support for enumerations. Define the bits and their meanings, and decorate the enum with the [Flags()] attribute (indicating that more than one bit may be set):

# define bit flags

[Flags()] enum ProductState 
{
      Off         = 0x0000
      On          = 0x1000
      Snoozed     = 0x2000
      Expired     = 0x3000
}

[Flags()] enum SignatureStatus
{
      UpToDate     = 0x00
      OutOfDate    = 0x10
}

[Flags()] enum ProductOwner
{
      NonMs        = 0x000
      Windows      = 0x100
}

# define bit masks

[Flags()] enum ProductFlags
{
      SignatureStatus = 0x00F0
      ProductOwner    = 0x0F00
      ProductState    = 0xF000
}

# get bits
$info = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
[UInt32]$state = $info.productState

# decode bit flags by masking the relevant bits, then converting
[PSCustomObject]@{
      ProductState = [ProductState]($state -band [ProductFlags]::ProductState)
      SignatureStatus = [SignatureStatus]($state -band [ProductFlags]::SignatureStatus)
      Owner = [ProductOwner]($state -band [ProductFlags]::ProductOwner)
}

To check the state of a bit group, mask the bits that are relevant to what you are after, then convert the masked value to the matching enum. The result is the clear-text name of the bits currently set, and it looks like this:

ProductState SignatureStatus   Owner
------------ ---------------   -----
          On        UpToDate Windows

Provided you are using the built-in AV engine “Defender” on Windows 10, you don’t need to use the generic AV interface above. Instead, the built-in Get-MpPreference cmdlet provides much more detailed info.
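The masking shown above wrapped into a reusable decoder, as an added example that is not part of the original tip: the enums are the ones defined above, while the function name ConvertFrom-ProductState, the Healthy flag (engine On and signatures UpToDate) and the sample values other than 397568 are constructed for illustration. It runs offline against the constructed values; the commented call at the end shows how to feed it real CIM data.

```powershell
# Added example: decode raw ProductState numbers into readable report objects.
# Enum definitions follow the tip; ConvertFrom-ProductState and the sample
# values below (except 397568, which is the value shown in the tip) are
# constructed for illustration and are not part of the original page.

[Flags()] enum ProductState    { Off = 0x0000; On = 0x1000; Snoozed = 0x2000; Expired = 0x3000 }
[Flags()] enum SignatureStatus { UpToDate = 0x00; OutOfDate = 0x10 }
[Flags()] enum ProductOwner    { NonMs = 0x000; Windows = 0x100 }
[Flags()] enum ProductFlags    { SignatureStatus = 0x00F0; ProductOwner = 0x0F00; ProductState = 0xF000 }

function ConvertFrom-ProductState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [UInt32]$State,                      # raw productState number
        [string]$DisplayName = '<unknown>'   # product name, if known
    )
    process {
        # mask each bit group, then let the enum translate the bits to a name
        $engine    = [ProductState]($State -band [ProductFlags]::ProductState)
        $signature = [SignatureStatus]($State -band [ProductFlags]::SignatureStatus)
        $owner     = [ProductOwner]($State -band [ProductFlags]::ProductOwner)

        [PSCustomObject]@{
            DisplayName     = $DisplayName
            RawState        = ('0x{0:X}' -f $State)
            ProductState    = $engine
            SignatureStatus = $signature
            Owner           = $owner
            # only a running engine with current signatures counts as healthy
            Healthy         = ($engine -eq [ProductState]::On) -and
                              ($signature -eq [SignatureStatus]::UpToDate)
        }
    }
}

# Constructed sample values (not real inventory data)
$samples = @(
    @{ DisplayName = 'Defender (value from the tip)'; State = 397568 }  # 0x61100: On, UpToDate, Windows
    @{ DisplayName = 'Third-party, stale signatures'; State = 0x1010 }  # On, OutOfDate, NonMs
    @{ DisplayName = 'Snoozed engine';                State = 0x2100 }  # Snoozed, UpToDate, Windows
    @{ DisplayName = 'Disabled engine';               State = 0x0010 }  # Off, OutOfDate, NonMs
)

$report = foreach ($s in $samples) {
    ConvertFrom-ProductState -State $s.State -DisplayName $s.DisplayName
}
$report | Format-Table DisplayName, RawState, ProductState, SignatureStatus, Owner, Healthy -AutoSize

# Live use on a machine that exposes the SecurityCenter2 namespace:
# Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
#     ForEach-Object { ConvertFrom-ProductState -State $_.productState -DisplayName $_.displayName }
```

Because the function accepts the number from the pipeline, the same decoder works for a single machine and for a list of productState values collected from many machines, and the Healthy column gives you a single value to filter on.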

