Antivirus Information

Overview

Evidence: Antivirus Information
Description: Collect information about installed antivirus
Category: System
Platform: windows
Short Name: avi
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows Security Center tracks registered antivirus and antispyware products. Security software registers itself with Security Center to report its status to Windows.

This information helps investigators understand the security posture of the system and whether adequate protection was present during an incident.

Data Collected

This collector gathers structured data about antivirus information.

Antivirus Information Data

Field      Description                          Example
AntiVirus  Comma-separated list of AV products  Windows Defender,McAfee Endpoint Security

Collection Method

This evidence is collected as part of the System collector by querying WMI:

  • ROOT\SecurityCenter - For Windows XP (AntiVirusProduct, AntiSpywareProduct)

  • ROOT\SecurityCenter2 - For Windows Vista+ (AntiVirusProduct, AntiSpywareProduct)

In each namespace the collector queries both the AntiVirusProduct and AntiSpywareProduct classes and extracts the DisplayName property of every registered product.
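The query described above, written out as an added PowerShell example (not the collector's own code). It walks both Security Center namespaces and both classes, tolerates a namespace or class that is absent on the host, and builds the comma-separated AntiVirus field; the function names are hypothetical and it assumes a host with the CIM cmdlets (Windows PowerShell 5.1 or later).

```powershell
# Added example, not the collector's code: enumerate products registered with
# Windows Security Center and produce the comma-separated AntiVirus field.

function Get-SecurityCenterProducts {
    # SecurityCenter2 is the Vista+ namespace; SecurityCenter is the XP-era one.
    $namespaces = @('ROOT\SecurityCenter2', 'ROOT\SecurityCenter')
    $classes    = @('AntiVirusProduct', 'AntiSpywareProduct')
    $products   = @()

    foreach ($ns in $namespaces) {
        foreach ($class in $classes) {
            try {
                # -ErrorAction Stop turns a missing namespace/class into a
                # terminating error we can catch instead of a red warning.
                $instances = Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction Stop
            } catch {
                # Namespace absent (e.g. Windows Server editions, which do not run
                # Security Center) or class not registered: record nothing here.
                continue
            }
            foreach ($p in $instances) {
                $products += [pscustomobject]@{
                    Namespace   = $ns
                    Class       = $class
                    DisplayName = $p.DisplayName
                }
            }
        }
    }
    return $products
}

function ConvertTo-AvField {
    param([object[]]$Products)
    # The same product (Windows Defender, for instance) registers under both
    # AntiVirusProduct and AntiSpywareProduct, so de-duplicate the names before
    # joining them into the documented comma-separated form.
    $names = $Products | ForEach-Object { $_.DisplayName } | Select-Object -Unique
    return ($names -join ',')
}

$products = Get-SecurityCenterProducts
$products | Format-Table Namespace, Class, DisplayName -AutoSize
"AntiVirus: " + (ConvertTo-AvField -Products $products)
```

An empty result on a Windows Server host reflects the missing Security Center namespace rather than proof that no security product is installed, so corroborate with installed-software and service evidence there.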

Forensic Value

Antivirus information helps assess security posture and detection capabilities. Investigators use this data to verify security software presence, identify detection gaps, correlate with malware infections, assess why threats weren't detected, and validate security controls.
