
Creating a PowerShell Script to verify the status of the agent via Windows Security Center/WMI

Refer to the script below for checking the EPP status using Windows Security Center/WMI. This has been tested with the Trend Micro Apex One™ as a Service agent, but it should also be compatible with other Trend Micro Endpoint Protection products such as Trend Micro™ Deep Security™ and Cloud One Workload Security. Feel free to modify the script as necessary.

 
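# Look up the antivirus product registered with Windows Security Center
# (root\SecurityCenter2 via WMI) whose displayName matches $avClient and
# return its real-time-protection and definition status as compact JSON.
#
# Parameters:
#   -avClient  displayName of the product to look up. Defaults to the Apex One
#              agent name; pass another name for other products registered
#              with Windows Security Center.
# Outputs:
#   Exactly one JSON string on the success stream. The bit dump used for
#   troubleshooting goes to the verbose stream (-Verbose) and the outdated-
#   definitions notice to the warning stream, so the success stream stays
#   parseable by whatever consumes the JSON.
#
# NOTE(review): what is reported here is the product's own registration with
# Windows Security Center, not an independent check of the agent process or of
# the signature files. Treat it as one signal, not as proof that the agent is
# healthy. root\SecurityCenter2 is also not available on every Windows edition
# (notably server SKUs); in that case the WMI query fails and the error text is
# returned in the summary instead of a bare "not found".
param(
    [string]$avClient = 'Trend Micro Apex One Antivirus'
)

# Property names are kept byte-identical to the original script so existing
# consumers of the JSON keep working.
$nameProduct = "$avClient"
$nameRtp = "$avClient real time protection enabled"
$nameDefs = "$avClient definitions up-to-date"

# Summary object that is serialised at the end.
$avSummary = New-Object -TypeName PSObject

# Retrieve the antivirus product information. -ErrorAction Stop turns a failed
# query (namespace absent, access denied) into a catchable error so it is not
# silently reported as "no product found".
$avProduct = $null
$queryError = $null
try {
    $avProduct = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction Stop |
        Where-Object { $_.displayName -eq $avClient } |
        Select-Object -First 1
} catch {
    $queryError = "Error: WMI query failed: $($_.Exception.Message)"
}

# Decide which error text, if any, fills all three summary properties.
$errorValue = $null
if ($null -ne $queryError) {
    $errorValue = $queryError
} elseif ($null -eq $avProduct) {
    $errorValue = 'Error: No Antivirus product found'
}

if ($null -ne $errorValue) {
    # Product not usable: every property carries the same error text.
    foreach ($name in @($nameProduct, $nameRtp, $nameDefs)) {
        $avSummary | Add-Member -MemberType NoteProperty -Name $name -Value $errorValue
    }
} else {
    $avSummary | Add-Member -MemberType NoteProperty -Name $nameProduct -Value $avProduct.displayName

    # productState is interpreted as a 24-bit value read as six 4-bit groups.
    # Mask to 24 bits BEFORE converting so the padded string is always exactly
    # 24 characters with fixed nibble positions. (The previous version padded
    # and then truncated with Substring(0, 24), which kept the HIGH-order bits
    # and shifted every nibble whenever the value exceeded 24 bits.)
    $productState = [int64]$avProduct.productState -band 0xFFFFFF
    $binaryString = [Convert]::ToString($productState, 2).PadLeft(24, '0')

    # Bit dump in groups of four, for troubleshooting only (verbose stream).
    Write-Verbose ($binaryString -replace '(.{4})(?=.)', '$1 ')

    # Third group (characters 8-11 of the padded string) = real-time protection.
    # NOTE(review): these nibble values are the encoding observed in
    # productState on tested agents; they do not appear to be the numeric
    # values of the WSC_SECURITY_PRODUCT_STATE enum documented at
    # https://docs.microsoft.com/en-us/windows/win32/api/iwscapi/ne-iwscapi-wsc_security_product_state
    # so confirm against a live agent before adding further states.
    $WSC_SECURITY_PRODUCT_STATE_OFF = '0000'
    $WSC_SECURITY_PRODUCT_STATE_ON = '0001'
    $WSC_SECURITY_PRODUCT_STATE_SNOOZED = '0010'

    $thirdGroup = $binaryString.Substring(8, 4)
    switch ($thirdGroup) {
        $WSC_SECURITY_PRODUCT_STATE_ON { $realTimeProtectionStatus = 'Enabled' }
        $WSC_SECURITY_PRODUCT_STATE_OFF { $realTimeProtectionStatus = 'Disabled' }
        $WSC_SECURITY_PRODUCT_STATE_SNOOZED { $realTimeProtectionStatus = 'Snoozed' }
        default { $realTimeProtectionStatus = 'Unknown State' }
    }
    $avSummary | Add-Member -MemberType NoteProperty -Name $nameRtp -Value $realTimeProtectionStatus

    # Fifth group (characters 16-19 of the padded string) = definition status.
    $fifthGroup = $binaryString.Substring(16, 4)
    switch ($fifthGroup) {
        '0000' { $definitionStatus = 'Up to Date' }
        '0001' { $definitionStatus = 'Out of Date' }
        default { $definitionStatus = 'Unknown State' }
    }
    $avSummary | Add-Member -MemberType NoteProperty -Name $nameDefs -Value $definitionStatus

    # Anything other than the up-to-date nibble (including unknown values) is
    # flagged, on the warning stream so the JSON output is not interleaved.
    if ($fifthGroup -ne '0000') {
        Write-Warning "The definitions are outdated."
    }
}

# Return the summary object as JSON (single line, success stream only).
return $avSummary | ConvertTo-Json -Compress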


#Sources: 
# https://www.igloo.co.kr/security-information/securitycenter2%EB%A5%BC-%EC%9D%B4%EC%9A%A9%ED%95%9C-%EB%B3%B4%EC%95%88-%ED%94%84%EB%A1%9C%EA%B7%B8%EB%9E%A8-%EC%83%81%ED%83%9C-%EC%A0%90%EA%B2%80%EB%B0%A9%EC%95%88/
# https://docs.microsoft.com/en-us/windows/win32/api/iwscapi/ne-iwscapi-wsc_security_product_state