How do I ignore Windows Defender when calling SecurityCenter2?


I'm working on a script to detect whether or not there is an antivirus solution running on a Windows machine. When running on Windows 8 I'm getting false positives that antivirus is disabled when running a third-party antivirus solution due to Windows Defender always being around, although disabled.

I can see the productState for the third-party antivirus software as valid and reporting correctly, however my script is only pulling Windows Defender entries.

I need to keep the entries for Windows Defender, however I'm only interested in Windows Defender if there isn't any other antivirus software installed. I ran the following command from a command prompt to retrieve the data, which shows two separate entries.

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get /Format:List

I would like to only grab the third-party antivirus software if it's installed, otherwise keep the Windows Defender information.

The way I'm trying to do this is by reading the instanceGUID and comparing it against the Windows Defender GUID, however I'm getting a few false positives. Is there a way for me to parse this data correctly and ideally only look at the third-party information?

I'm including the full script to show exactly what I'm looking at, and I can cut it down if needed:

' Connect to the Security Center namespace and enumerate every registered antivirus product
Set objWMIServiceSC = GetObject("winmgmts:\\.\root\SecurityCenter2")
Set colAVItems = objWMIServiceSC.ExecQuery("Select * from AntiVirusProduct")
For Each objAntiVirusProduct In colAVItems
    strinstanceGuid = (objAntiVirusProduct.instanceGuid)
    ' instanceGuid that identifies Windows Defender
    strWinDefGUID = "{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
    If strinstanceGuid <> strWinDefGUID Then
        ' Third-party product: take the hex form of productState and inspect digit pairs
        AvStatus = Hex(objAntiVirusProduct.ProductState)
        If (objAntiVirusProduct.ProductState = "393472" _
            OR Mid(AvStatus, 2, 2) = "10" Or Mid(AvStatus, 2, 2) = "11" _
            OR Mid(AvStatus, 5, 2) = "10" Or Mid(AvStatus, 5, 2) = "11") Then
                strproductState = "ENABLED"
        Else
            strproductState = "DISABLED"
        End If
    Else
        ' Windows Defender entry: AvStatus is not reassigned in this branch, so it
        ' still holds the value from the previous iteration (or is empty on the first)
        If Mid(AvStatus, 2, 2) = "10" Or Mid(AvStatus, 2, 2) = "11" _
            OR Mid(AvStatus, 5, 2) = "10" Or Mid(AvStatus, 5, 2) = "11" Then
                strproductState = "ENABLED"
        Else
            strproductState = "DISABLED"
        End If
    End If
    ' Digit pair 4-5 of the hex string: definition (signature) status
    If Mid(AvStatus, 4, 2) = "00" Then
        strdefinitionState = "CURRENT"
    ElseIf Mid(AvStatus, 4, 2) = "10" Then
        strdefinitionState = "OUTDATED"
    End If
Next

Just to reiterate, this is a Windows 8 issue.

Best answer:

I found a solution to my issue. Basically I ended up putting an If statement before my For statement looking at how many entries were in the Security Center WMI for AntiVirus. If there are 0 then it reports back none, if there is 1 installed then it reads the info, and if there are more than 1 it ignores Windows Defender and reads the rest. I'm including full code for future users.

Dim objWMIServiceSC,objAntiVirusProduct,colAVItems,AvStatus
' errors is a Scripting.Dictionary that the surrounding script declares (assumed here);
' each key is a finding and its value the state that was found

Set objWMIServiceSC = GetObject("winmgmts:\\.\root\SecurityCenter2")
Set colAVItems = objWMIServiceSC.ExecQuery("Select * from AntiVirusProduct")
If colAVItems.count = 0 Then
    ' No antivirus product registered with Security Center at all
    strdisplayName = "No"
    errors("Acceptable AntiVirus software found ") = "NO"
ElseIf colAVItems.count = 1 Then
    ' Exactly one product: report it, whether it is Windows Defender or not
    For Each objAntiVirusProduct In colAVItems
        strdisplayName = (objAntiVirusProduct.displayName)
        AvStatus = Hex(objAntiVirusProduct.ProductState)
        If (objAntiVirusProduct.ProductState = "266240" _
        OR objAntiVirusProduct.ProductState = "331776" _
        OR objAntiVirusProduct.ProductState = "397568" _
        OR Mid(AvStatus, 2, 2) = "10" Or Mid(AvStatus, 2, 2) = "11" _
        OR Mid(AvStatus, 5, 2) = "10" Or Mid(AvStatus, 5, 2) = "11") Then
            strproductState = "ENABLED"
        Else
            strproductState = "DISABLED"
            errors("Antivirus scanning is ") = "DISABLED"
        End If
        If Mid(AvStatus, 4, 2) = "00" Then
            strdefinitionState = "CURRENT"
        ElseIf Mid(AvStatus, 4, 2) = "10" Then
            strdefinitionState = "OUTDATED"
            errors("AntiVirus Definitions are ") = "OUTDATED"
        End If
    Next
ElseIf colAVItems.count > 1 Then
    ' More than one product: skip Windows Defender and report the others
    For Each objAntiVirusProduct In colAVItems
        If (objAntiVirusProduct.displayName) <> "Windows Defender" Then
            strdisplayName = (objAntiVirusProduct.displayName)
            AvStatus = Hex(objAntiVirusProduct.ProductState)
            If (objAntiVirusProduct.ProductState = "393472" _
            OR objAntiVirusProduct.ProductState = "266240" _
            OR objAntiVirusProduct.ProductState = "331776" _
            OR objAntiVirusProduct.ProductState = "397568" _
            OR Mid(AvStatus, 2, 2) = "10" Or Mid(AvStatus, 2, 2) = "11" _
            OR Mid(AvStatus, 5, 2) = "10" Or Mid(AvStatus, 5, 2) = "11") Then
                strproductState = "ENABLED"
            Else
                strproductState = "DISABLED"
                errors("Antivirus scanning is ") = "DISABLED"
            End If
            If Mid(AvStatus, 4, 2) = "00" Then
                strdefinitionState = "CURRENT"
            ElseIf Mid(AvStatus, 4, 2) = "10" Then
                strdefinitionState = "OUTDATED"
                errors("AntiVirus Definitions are ") = "OUTDATED"
            End If
        End If
    Next
End If
Second answer:

Doing all this string stuff looks a little complicated. You could also just do:

// number holds the AntiVirusProduct.productState value read from WMI
int bitmaskUpToDate = 0x000010;
// parentheses are required: == binds tighter than & in C#
// (the question's VBScript maps this hex digit pair as 00 = CURRENT, 10 = OUTDATED)
bool upToDate = (number & bitmaskUpToDate) == bitmaskUpToDate;
int bitmaskEnabled = 0x001000;
bool isEnabled = (number & bitmaskEnabled) == bitmaskEnabled;

This is just a quick demo for the bitmask stuff. I did not double-check if I got the indices correct.
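As an added example that is not part of the question or either answer, the following Python script ties the two threads together: it parses the `/Format:List` output of the `WMIC ... Path AntiVirusProduct Get /Format:List` command from the question, applies the "third-party product if present, otherwise Windows Defender" selection the asker wanted, and decodes `productState` with bitmasks as the second answer suggests instead of slicing a `Hex()` string. The Windows Defender `instanceGuid` comes from the question; the bit layout of `productState` (0x00F000 for the product state, 0x0000F0 for the signature state) is the community-documented layout and is an assumption here, as is the sample WMIC output, which is constructed (the third-party product and its GUID are hypothetical). On a real host the text would come from running the `wmic` command or `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct`.

```python
"""Parse SecurityCenter2 AntiVirusProduct records, pick what to report, decode productState."""
from dataclasses import dataclass
from typing import Dict, List

# instanceGuid the question uses to recognise Windows Defender
WINDOWS_DEFENDER_GUID = "{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"

# productState bit fields (community-documented layout, assumed here):
#   0x00F000  product state    0x1000 = enabled, 0x0000 = disabled,
#                              0x0100 / 0x1100 = expired or snoozed
#   0x0000F0  signature state  0x00 = up to date, 0x10 = out of date
STATE_MASK, STATE_ENABLED = 0x00F000, 0x001000
SIG_MASK, SIG_OUTDATED = 0x0000F0, 0x000010

# Constructed sample of `WMIC ... Path AntiVirusProduct Get /Format:List` output:
# Windows Defender (disabled, productState taken from the question) next to a
# hypothetical third-party product (enabled, definitions out of date).
SAMPLE_WMIC_LIST = """

displayName=Windows Defender
instanceGuid={D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe=%ProgramFiles%\\Windows Defender\\MSASCui.exe
productState=393472


displayName=Example Third-Party Antivirus
instanceGuid={11111111-2222-3333-4444-555555555555}
pathToSignedProductExe=C:\\Program Files\\ExampleAV\\av.exe
productState=266256

"""


@dataclass(frozen=True)
class AvProduct:
    display_name: str
    instance_guid: str
    product_state: int


def parse_wmic_list(text: str) -> List[AvProduct]:
    """Turn /Format:List output (blank-line separated key=value blocks) into records."""
    products: List[AvProduct] = []
    fields: Dict[str, str] = {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the final block
        line = raw.strip()
        if not line:
            if "productState" in fields:  # ignore empty or partial blocks
                products.append(AvProduct(fields.get("displayName", ""),
                                          fields.get("instanceGuid", ""),
                                          int(fields["productState"])))
            fields = {}
        elif "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return products


def is_windows_defender(product: AvProduct) -> bool:
    # GUID comparison is case-insensitive; the question's GUID has mixed case
    return product.instance_guid.lower() == WINDOWS_DEFENDER_GUID.lower()


def decode_state(product_state: int) -> Dict[str, object]:
    """Bitmask decoding: no Hex()/Mid() slicing, so leading zeros do not matter."""
    enabled = (product_state & STATE_MASK) == STATE_ENABLED
    outdated = (product_state & SIG_MASK) == SIG_OUTDATED
    return {"enabled": enabled, "definitions": "OUTDATED" if outdated else "CURRENT"}


def select_products(products: List[AvProduct]) -> List[AvProduct]:
    """Prefer third-party products; fall back to Windows Defender only if it is alone."""
    third_party = [p for p in products if not is_windows_defender(p)]
    return third_party if third_party else list(products)


def report(products: List[AvProduct]) -> List[Dict[str, object]]:
    """One finding per product worth reporting; an empty list means no AV registered."""
    return [{"name": p.display_name, **decode_state(p.product_state)}
            for p in select_products(products)]


if __name__ == "__main__":
    for finding in report(parse_wmic_list(SAMPLE_WMIC_LIST)):
        print(finding)
```

With the constructed sample, only the third-party product is reported (enabled, definitions OUTDATED); feed it the Defender block alone and Defender is reported as DISABLED, which is what the original loop could not express because `AvStatus` was never reassigned in its Windows Defender branch.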