Antivirus Information
Overview
Evidence: Antivirus Information
Description: Collect information about installed antivirus
Category: System
Platform: windows
Short Name: avi
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows Security Center tracks registered antivirus and antispyware products. Security software registers itself with Security Center to report its status to Windows.
This information helps investigators understand the security posture of the system and whether adequate protection was present during an incident.
Data Collected
This collector gathers structured data about antivirus information.
Antivirus Information Data
| Field | Description | Example |
|---|---|---|
| AntiVirus | Comma-separated list of AV products | Windows Defender,McAfee Endpoint Security |
Collection Method
This evidence is collected as part of the System collector by querying WMI:

- ROOT\SecurityCenter - For Windows XP (AntiVirusProduct, AntiSpywareProduct)
- ROOT\SecurityCenter2 - For Windows Vista+ (AntiVirusProduct, AntiSpywareProduct)

Both the AntiVirusProduct and AntiSpywareProduct classes are queried and the DisplayName property is extracted.
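The same WMI lookup can be reproduced by hand to verify what the collector reports on a given host. This is an added PowerShell example, not the collector's own code; the function name and the `NoAvRegistered` flag are my own, and the de-duplication is a choice made here, since a product registered under both classes would otherwise appear twice.

```powershell
# Added example: reproduce the "avi" evidence by querying Security Center WMI
# the way the collector does (both namespaces, both classes, DisplayName only).
function Get-RegisteredAvProducts {
    # Vista+ registers under ROOT\SecurityCenter2; XP used ROOT\SecurityCenter.
    # Query both so the function works on either generation and fail quietly
    # on whichever namespace does not exist on this host.
    $namespaces = @('ROOT\SecurityCenter2', 'ROOT\SecurityCenter')
    $classes    = @('AntiVirusProduct', 'AntiSpywareProduct')

    $names = foreach ($ns in $namespaces) {
        foreach ($class in $classes) {
            try {
                Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction Stop |
                    Select-Object -ExpandProperty displayName
            } catch {
                # Namespace or class absent (Windows Server editions have no
                # Security Center namespace) or WMI unavailable: nothing to
                # report from this namespace/class pair.
            }
        }
    }

    # One product (e.g. Windows Defender) is usually registered under both
    # classes; de-duplicate before building the comma-separated field.
    $unique = @($names | Where-Object { $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        Evidence        = 'Antivirus Information'
        ShortName       = 'avi'
        AntiVirus       = ($unique -join ',')   # same shape as the collector's field
        NoAvRegistered  = ($unique.Count -eq 0) # flag for triage: nothing registered
    }
}

Get-RegisteredAvProducts | Format-List
```

An empty `AntiVirus` value with `NoAvRegistered` set is itself a finding: either no product registered with Security Center, or the host is a Server SKU where this namespace does not exist and AV presence must be confirmed another way.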
Forensic Value
Antivirus information helps assess security posture and detection capabilities. Investigators use this data to verify security software presence, identify detection gaps, correlate with malware infections, assess why threats weren’t detected, and validate security controls.