
Creating a Powershell Script to verify status of agent via Windows Security Center/WMI

Refer to the script below to check the EPP status via Windows Security Center/WMI. It has been tested with the Apex One as a Service agent, but it should also work with other Trend Micro Endpoint Protection products such as Deep Security and Cloud One Workload Security. Feel free to modify the script as necessary.

 
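# Report the Windows Security Center (WSC) view of one antivirus product as compact JSON:
#   - whether the product is registered,
#   - whether real-time protection is reported as on/off/snoozed,
#   - whether definitions are reported as current.
# WSC state is self-reported by the registered product, so treat 'Enabled' as a health
# signal to cross-check against the product's own service/console, not as proof the agent works.

# Specify the antivirus client name (must match the displayName the product registers in WSC)
$avClient = 'Trend Micro Apex One Antivirus'

# Create a summary object; one NoteProperty per check, emitted as JSON at the end
$avSummary = New-Object -TypeName PSObject

# Retrieve the antivirus product information.
# NOTE: root\SecurityCenter2 is only present on Windows client SKUs; on Windows Server the
# query itself fails. That failure is captured here so it is reported as a query error rather
# than being mistaken for "agent not registered" (the original silently fell into that branch).
# Get-WmiObject is kept for Windows PowerShell compatibility; Get-CimInstance is the modern equivalent.
$avProduct = $null
$queryError = $null
try {
    $avProduct = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction Stop |
        Where-Object { $_.displayName -eq $avClient } |
        Select-Object -First 1
} catch {
    $queryError = $_.Exception.Message
}

# Decide whether we have a product to decode, or an error to report in every field
$errorText = $null
if ($null -ne $queryError) {
    $errorText = "Error: Security Center query failed ($queryError)"
} elseif ($null -eq $avProduct) {
    $errorText = 'Error: No Antivirus product found'
}

if ($null -ne $errorText) {
    # Not found / not queryable: populate every summary field with the same error message
    $avSummary | Add-Member -MemberType NoteProperty -Name "$avClient" -Value $errorText
    $avSummary | Add-Member -MemberType NoteProperty -Name "$avClient real time protection enabled" -Value $errorText
    $avSummary | Add-Member -MemberType NoteProperty -Name "$avClient definitions up-to-date" -Value $errorText
} else {
    # Found: record the registered display name
    $avSummary | Add-Member -MemberType NoteProperty -Name "$avClient" -Value $avProduct.displayName

    # productState is a bit field; the script reads it as a 24-bit string, MSB first,
    # padded with leading zeros so the nibble offsets below are stable.
    $binaryString = [Convert]::ToString($avProduct.productState, 2).PadLeft(24, '0')

    # If the value is wider than 24 bits, keep the LOW-order 24 bits. Keeping the high-order
    # bits (Substring(0, 24)) would shift every nibble group and misreport the state.
    if ($binaryString.Length -gt 24) {
        $binaryString = $binaryString.Substring($binaryString.Length - 24)
    }

    # Select the third group (bits 8 to 11 of the string): real-time protection state
    $thirdGroup = $binaryString.Substring(8, 4)

    # Nibble values for the product state. NOTE(review): the WSC_SECURITY_PRODUCT_STATE enum at
    # https://docs.microsoft.com/en-us/windows/win32/api/iwscapi/ne-iwscapi-wsc_security_product_state
    # numbers its members differently; the values below follow the commonly observed WMI
    # productState encoding - confirm against a known-good endpoint before relying on 'Snoozed'.
    $WSC_SECURITY_PRODUCT_STATE_OFF = '0000'
    $WSC_SECURITY_PRODUCT_STATE_ON = '0001'
    $WSC_SECURITY_PRODUCT_STATE_SNOOZED = '0010'

    # Map the third group to a human-readable real-time protection status
    switch ($thirdGroup) {
        $WSC_SECURITY_PRODUCT_STATE_ON { $realTimeProtectionStatus = 'Enabled' }
        $WSC_SECURITY_PRODUCT_STATE_OFF { $realTimeProtectionStatus = 'Disabled' }
        $WSC_SECURITY_PRODUCT_STATE_SNOOZED { $realTimeProtectionStatus = 'Snoozed' }
        default { $realTimeProtectionStatus = 'Unknown State' }
    }

    $avSummary | Add-Member -MemberType NoteProperty -Name "$avClient real time protection enabled" -Value $realTimeProtectionStatus

    # Group the binary string into nibbles for readability ("0000 0100 0001 0000 0000 0000").
    # The regex inserts a space after every 4 digits except the last group.
    $groupedBinary = $binaryString -replace '(\d{4})(?!$)', '$1 '

    # Show the grouped bits to the operator. Write-Host (not Write-Output) so the diagnostic does
    # not land in the pipeline: the script's only pipeline output should be the JSON summary,
    # otherwise a caller capturing the result gets several strings instead of one JSON document.
    Write-Host $groupedBinary

    # Select the fifth group (bits 16 to 19 of the string): definition status
    $fifthGroup = $binaryString.Substring(16, 4)

    # Map the fifth group to a human-readable definition status
    switch ($fifthGroup) {
        '0000' { $definitionStatus = 'Up to Date' }
        '0001' { $definitionStatus = 'Out of Date' }
        default { $definitionStatus = 'Unknown State' }
    }

    $avSummary | Add-Member -MemberType NoteProperty -Name "$avClient definitions up-to-date" -Value $definitionStatus

    # Anything other than '0000' (including unknown values) is treated as not current
    if ($fifthGroup -ne '0000') {
        Write-Host "The definitions are outdated."
    }
}

# Return the summary object as JSON (the only value written to the pipeline)
return $avSummary | ConvertTo-Json -Compress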


#Sources: 
# https://www.igloo.co.kr/security-information/securitycenter2%EB%A5%BC-%EC%9D%B4%EC%9A%A9%ED%95%9C-%EB%B3%B4%EC%95%88-%ED%94%84%EB%A1%9C%EA%B7%B8%EB%9E%A8-%EC%83%81%ED%83%9C-%EC%A0%90%EA%B2%80%EB%B0%A9%EC%95%88/
# https://docs.microsoft.com/en-us/windows/win32/api/iwscapi/ne-iwscapi-wsc_security_product_state

    
Comments (0)