Using BigFix for Antivirus Detection


Looking to validate that your endpoints have some kind of antivirus program running? Try this really long BigFix Relevance Statement, designed to detect many major antivirus programs such as Microsoft Security Essentials, Symantec, Trend Micro, Sophos, CA eTrust, McAfee, and AVG.

(if name of operating system contains "Win" then exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates" of native registry or exists service "MsMpSvc" else false)
OR
((if name of operating system contains "Win" then exists service "Norton AntiVirus Server" OR exists service "defwatch" OR exists service "Norton AntiVirus Client" OR exists service "Symantec AntiVirus Server" OR exists service "Symantec AntiVirus Client" OR exists service "Symantec AntiVirus" OR exists service "navapsvc" else false) or (if name of operating system = "Mac OS X" then exists application "Symantec AntiVirus.app" whose (string "CFBundleShortVersionString" of dictionary of file (it as string & "/Contents/Info.plist") as version >= "10.2" as version) else false))
OR
(if name of operating system contains "Win" then (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\PC-cillinNTCorp" of registry OR exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\OfficeScanCorp" of registry) or (exists service "SpntSvc") else false)
OR
((not exists key "HKLM\Software\Sophos\SAVService" of registry) and (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SweepNT" of registry) OR (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos-Sweep95" whose (exists value "DisplayName" whose (it as string contains "Sophos Anti-Virus" AND it as string contains "4.6") of it) of registry) OR (exist values "DisplayVersion" of keys whose (exists value "DisplayName" whose (it = "Sophos Anti-Virus") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" of registry))
OR
(((exists key "HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustITM\CurrentVersion" of it) of (if (version of client >= "6.0") then (native registry) else (registry))) OR ((exists key "HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustAntiVirus\CurrentVersion" of it OR exists key "HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0" of it) of (if (version of client >= "6.0") then (native registry) else (registry))))
OR
((exists service whose (service name of it = "McAfee GroupShield")) OR ((exists key "HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx" of registry) OR (exists key "HKEY_LOCAL_MACHINE\Software\McAfee\AVEngine" of registry)) OR (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\NetShield NT\CurrentVersion" of registry) OR (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins" of registry))
OR
((exists service whose (service name of it = "AVG WatchDog")) or (exists service whose (service name of it = "AVG E-mail Scanner")) or (exists key "HKEY_LOCAL_MACHINE\Software\AVG" of registry))
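As an added example that is not part of the original post: the same Windows service and registry indicators the relevance above tests, written in PowerShell so a single endpoint can be checked without a BigFix client, and reporting which product matched rather than just true/false. The Mac OS X Symantec branch is omitted and the product labels are my own; both 32-bit and 64-bit registry views are checked because the relevance mixes "registry" and "native registry".

```powershell
function Test-RegKeyAnyView([string]$Path) {
    # BigFix "registry" reads the 32-bit (WOW6432Node) view on 64-bit Windows and
    # "native registry" the 64-bit view, so a local check looks in both.
    $wow = $Path -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\'
    return ((Test-Path -LiteralPath $Path) -or (Test-Path -LiteralPath $wow))
}
function Test-SophosUninstallEntry {
    # The relevance also walks the Uninstall keys for DisplayName "Sophos Anti-Virus".
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in ($roots | Where-Object { Test-Path -LiteralPath $_ })) {
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $name = (Get-ItemProperty -LiteralPath $key.PSPath).DisplayName
            if ($name -eq 'Sophos Anti-Virus') { return $true }
        }
    }
    return $false
}
# Service and registry indicators taken from the relevance statement, per product.
$products = @(
    @{ Name = 'Microsoft Security Essentials'; Services = @('MsMpSvc')
       Keys = @('HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates') },
    @{ Name = 'Symantec / Norton'; Keys = @()
       Services = @('Norton AntiVirus Server', 'defwatch', 'Norton AntiVirus Client',
                    'Symantec AntiVirus Server', 'Symantec AntiVirus Client',
                    'Symantec AntiVirus', 'navapsvc') },
    @{ Name = 'Trend Micro'; Services = @('SpntSvc')
       Keys = @('HKLM:\SOFTWARE\TrendMicro\PC-cillinNTCorp', 'HKLM:\SOFTWARE\TrendMicro\OfficeScanCorp') },
    @{ Name = 'Sophos'; Services = @(); Keys = @('HKLM:\SOFTWARE\Sophos\SweepNT') },
    @{ Name = 'CA eTrust'; Services = @()
       Keys = @('HKLM:\SOFTWARE\ComputerAssociates\eTrustITM\CurrentVersion',
                'HKLM:\SOFTWARE\ComputerAssociates\eTrustAntiVirus\CurrentVersion',
                'HKLM:\SOFTWARE\ComputerAssociates\InoculateIT\6.0') },
    @{ Name = 'McAfee'; Services = @('McAfee GroupShield')
       Keys = @('HKLM:\SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx',
                'HKLM:\SOFTWARE\McAfee\AVEngine',
                'HKLM:\SOFTWARE\Network Associates\TVD\NetShield NT\CurrentVersion',
                'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins') },
    @{ Name = 'AVG'; Services = @('AVG WatchDog', 'AVG E-mail Scanner'); Keys = @('HKLM:\SOFTWARE\AVG') }
)
# Match against both service names and display names, as reported by Get-Service.
$serviceNames = Get-Service | ForEach-Object { $_.Name; $_.DisplayName }
$detected = @(foreach ($p in $products) {
    $svcHit = @($p.Services | Where-Object { $serviceNames -contains $_ }).Count -gt 0
    $keyHit = @($p.Keys | Where-Object { Test-RegKeyAnyView $_ }).Count -gt 0
    if ($svcHit -or $keyHit) { $p.Name }
})
if ((Test-SophosUninstallEntry) -and ($detected -notcontains 'Sophos')) { $detected += 'Sophos' }
if ($detected.Count) { $detected } else { 'No listed antivirus indicators found' }
```

Run it in an elevated session if your policy restricts reading HKLM; an empty result means none of the indicators above were present, not that the host is unprotected by some other product.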
