Antivirus

Enumerate

sc queryex type= service | find /i "Antivirus"

Lists all services and filters the output lines for "Antivirus" (case-insensitive because of /i).

net start | find "Antivirus"

Lists started services, filtering for "Antivirus" (find is case-sensitive here; add /i to ignore case).

tasklist | findstr /i "antivirus"

Lists processes and filters for antivirus.

Get-Service | Where-Object {$_.DisplayName -like "*antivirus*"}

Filters services with "antivirus" in their name.

Get-Process | Where-Object {$_.ProcessName -like "*antivirus*"}

Filters processes related to antivirus by name.

Retrieves antivirus name and state:

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List

Gets antivirus info via PowerShell and Get-CimInstance:

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct

Runs a PowerShell command from CMD to get antivirus info using Get-WmiObject (the older WMI cmdlet; it is not available in PowerShell 7, where Get-CimInstance is the replacement).

powershell "Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct"

WMIC is case-insensitive, so the SecurityCenter2 query above can also be typed in lowercase; this variant returns only the product name. Note that WMIC is deprecated on current Windows releases, so prefer the Get-CimInstance form where possible.

wmic /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get displayname /format:list

Lists the AntiSpywareProduct class from the root\SecurityCenter2 namespace (Can't get this to work...):

Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiSpywareProduct
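The productState value returned by the SecurityCenter2 queries above is a packed bitfield, and the raw integer says nothing on its own. The following is an added example (not from the ShellSpells page) that decodes it into "real-time protection on?" and "definitions current?" using the widely used community interpretation of the byte layout (Microsoft does not document it officially), and handles the case where the namespace is absent, which is normal on Windows Server editions that have no Security Center.

```powershell
# Added example: decode AntiVirusProduct.productState from root\SecurityCenter2.
# Byte layout assumed here (community-derived, not officially documented):
#   hex digits 1-2: product owner/type, 3-4: 0x10/0x11 = enabled, 0x00/0x01 = disabled,
#   hex digits 5-6: 0x00 = definitions up to date, 0x10 = out of date.
function Get-AvProductStatus {
    [CmdletBinding()]
    param()

    try {
        $products = Get-CimInstance -Namespace root/SecurityCenter2 `
            -ClassName AntiVirusProduct -ErrorAction Stop
    } catch {
        # Server SKUs have no Security Center, so the namespace does not exist there.
        Write-Warning "root\SecurityCenter2 not available: $($_.Exception.Message)"
        return
    }

    foreach ($p in $products) {
        # View the 32-bit productState as six hex digits, e.g. 397568 -> 061100
        $hex         = '{0:X6}' -f [int]$p.productState
        $enabledByte = [Convert]::ToInt32($hex.Substring(2, 2), 16)
        $defsByte    = [Convert]::ToInt32($hex.Substring(4, 2), 16)

        [pscustomobject]@{
            DisplayName  = $p.displayName
            ProductState = "0x$hex"
            RealTimeOn   = (($enabledByte -band 0x10) -ne 0)   # bit 0x10 set = enabled
            DefsUpToDate = (($defsByte -band 0x10) -eq 0)      # bit 0x10 set = out of date
            PathToExe    = $p.pathToSignedProductExe
            Timestamp    = $p.timestamp
        }
    }
}

Get-AvProductStatus | Format-Table -AutoSize
```

Several products can be registered at once (for example Defender plus a third-party engine); a product that is registered but shows RealTimeOn = False is usually the one Security Center has put in passive mode.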

Registry Location

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Contains information about all installed software, including antivirus applications. Each application has its own subkey with details about the installation.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

On 64-bit Windows, this key contains information about 32-bit applications installed on the system, including 32-bit antivirus software.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av

Used by older versions of Windows to store information about registered antivirus products.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Providers

In newer versions of Windows, this key and its subkeys contain information about security providers, including antivirus software.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Holds information about all system services, including those related to antivirus software. Each antivirus service will have a subkey here with configuration details.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

May contain entries for antivirus software that is set to run at startup. This location is often used for applications to configure themselves to start with Windows.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Similar to the HKCU version, this key is used to launch programs automatically at startup, including potentially antivirus software, but applies to all users on the system.
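To check the registry locations above in one pass, the following added example (not from the ShellSpells page) reads both Uninstall views, the Services key and both Run keys and keeps only entries that look antivirus-related. The name pattern is an assumption; adjust it to the products expected in your environment.

```powershell
# Added example: sweep the registry locations listed on this page for AV-related entries.
# $pattern is an assumed set of product-name fragments; tune it for your estate.
$pattern = 'antivirus|anti-virus|defender|endpoint protection'

# Installed software, 64-bit and 32-bit (Wow6432Node) views
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$installed = foreach ($key in $uninstallKeys) {
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -match $pattern } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
            @{ n = 'View'; e = { if ($key -like '*Wow6432Node*') { '32-bit' } else { '64-bit' } } }
}

# Services whose DisplayName or ImagePath looks AV-related, with Start type
# (0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled). DisplayName is often an
# indirect "@dll,-id" string here, so ImagePath is the more reliable field to match.
$services = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { ($_.DisplayName -match $pattern) -or ($_.ImagePath -match $pattern) } |
    Select-Object PSChildName, DisplayName, ImagePath, Start

# Run keys (current user and machine-wide) whose command line points at an AV executable
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$autoruns = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        # Skip the PS* provider properties Get-ItemProperty adds to every object
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $pattern } |
            Select-Object @{ n = 'Key'; e = { $key } }, Name, Value
    }
}

'== Installed AV products ==';  $installed | Format-Table -AutoSize
'== AV-related services ==';    $services  | Format-Table -AutoSize
'== AV autorun entries ==';     $autoruns  | Format-Table -AutoSize
```

A product that appears under Uninstall but has no running service, or whose service Start value is 4 (Disabled), is worth a closer look during an incident review.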
