Antivirus Information

Overview

  • Evidence: Antivirus Information

  • Description: Collect information about installed antivirus products

  • Category: System

  • Platform: Windows

  • Short Name: avi

  • Is Parsed: Yes (WMI data parsed into a list)

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

Windows Security Center (surfaced as Windows Security on Windows 10 and later) keeps a registry of the antivirus and antispyware products installed on a client system. Security software registers itself with Security Center through the Windows Security Center (WSC) API so that its presence and status are reported to Windows; the same registrations are exposed through WMI, which is how this evidence is collected.

This information helps investigators understand the security posture of the system and whether adequate protection was present during an incident.

Data Collected

Antivirus information is included in the System collector output as a comma-separated list:

  Field      Description                                                Example
  AntiVirus  Comma-separated list of registered antivirus/antispyware   Windows Defender,McAfee Endpoint Security
             product display names

Collection Method

This evidence is collected as part of the System collector by querying WMI in two namespaces:

  • ROOT\SecurityCenter - the original namespace used by Windows XP (AntiVirusProduct, AntiSpywareProduct)

  • ROOT\SecurityCenter2 - the namespace used by Windows Vista and later (AntiVirusProduct, AntiSpywareProduct)

In each namespace the collector queries both the AntiVirusProduct and AntiSpywareProduct classes and extracts the DisplayName property of every instance returned; the names are joined into the AntiVirus field.
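The following PowerShell is an added example, not the collector's own code. It reproduces the enumeration described above (both namespaces, both classes, DisplayName, joined into one comma-separated field) so an investigator can cross-check the collected value on a live host, and it goes one step further by decoding the productState property that ROOT\SecurityCenter2 exposes but the collector does not gather. The productState bit layout used here is the widely shared community interpretation of an undocumented value and is an assumption, not something Microsoft or this page specifies; the property names displayName, productState and pathToSignedProductExe are the real SecurityCenter2 class members.

```powershell
# Added example, not the collector's own code: enumerate Security Center
# registrations the way the System collector describes, then decode productState
# so "registered" can be told apart from "enabled and up to date".

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$State)
    # productState is undocumented by Microsoft. Community interpretation (an
    # assumption here): bit 0x1000 set means real-time protection is enabled,
    # bit 0x10 set means definitions are out of date.
    [pscustomobject]@{
        Enabled  = (($State -band 0x1000) -ne 0)
        UpToDate = (($State -band 0x10) -eq 0)
    }
}

function Get-RegisteredSecurityProducts {
    $namespaces = 'ROOT\SecurityCenter', 'ROOT\SecurityCenter2'   # XP-era, Vista and later
    $classes    = 'AntiVirusProduct', 'AntiSpywareProduct'

    foreach ($ns in $namespaces) {
        foreach ($class in $classes) {
            try {
                # -ErrorAction Stop turns a missing namespace (Windows Server has no
                # Security Center) or a missing class into a catchable exception.
                $instances = Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction Stop
            } catch {
                continue
            }
            foreach ($p in $instances) {
                # Only SecurityCenter2 instances carry productState; treat it as optional.
                $decoded = if ($p.PSObject.Properties['productState']) {
                    ConvertFrom-ProductState -State $p.productState
                } else {
                    [pscustomobject]@{ Enabled = $null; UpToDate = $null }
                }
                [pscustomobject]@{
                    Namespace   = $ns
                    Class       = $class
                    DisplayName = $p.displayName
                    Enabled     = $decoded.Enabled
                    UpToDate    = $decoded.UpToDate
                    ExePath     = $p.pathToSignedProductExe   # SecurityCenter2 only; $null elsewhere
                }
            }
        }
    }
}

$products = @(Get-RegisteredSecurityProducts)

# Rebuild the collector's AntiVirus field. The same product usually registers in
# both classes, so deduplicate on DisplayName before joining with commas.
$avField = ($products.DisplayName | Sort-Object -Unique) -join ','
"AntiVirus: $avField"

# The per-product status view the collected field alone cannot provide.
$products | Format-Table Namespace, Class, DisplayName, Enabled, UpToDate, ExePath -AutoSize
```

Run it in an elevated or standard PowerShell session on the host being examined; no remoting is required for the local CIM query. An empty AntiVirus line on a Windows Server system is expected, because the Security Center namespaces do not exist there, and should not be read as "no protection installed".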

Usage

Antivirus information helps assess security posture and detection capabilities. Investigators use this data to verify security software presence, identify detection gaps, correlate with malware infections, assess why threats weren't detected, and validate security controls.

Known Limitations

  • Only shows products that registered with Security Center; security tools that do not register are invisible to this query

  • Some security software may not register properly, and uninstalled products can leave stale registrations behind, so an entry is not proof that the product is installed and running

  • The collected field holds only the product display name, so it does not indicate whether a product is enabled, in passive mode, or has current definitions (the productState property in ROOT\SecurityCenter2 carries that status but is not part of this evidence)

  • Multiple entries may exist for the same product, since a product can register in both the AntiVirusProduct and AntiSpywareProduct classes

  • Windows Server editions do not ship Security Center, so the namespaces are typically absent and the field will be empty even when protection is installed

Notes

The absence of antivirus, or the presence of disabled or outdated AV, can explain why a malware infection succeeded. Windows Defender is typically present on Windows 8 and later, but it suspends its own real-time protection when a third-party antivirus registers with Security Center, so its name in the list does not by itself mean it was protecting the system.
