Create a script that I can natively run on a Windows system that gets a list of security software, configurations, etc. This should check for on-disk items, registry items, and running processes
Here's a PowerShell script that checks for security software, configurations, and related items on a Windows system:
```powershell
# Run as administrator for best results
# Save with .ps1 extension
$OutputFile = "SecurityAudit_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"

function Write-OutputSection {
    param($Title)
    Write-Output "`n===========$Title===========`n" | Tee-Object -FilePath $OutputFile -Append
}

# Start collecting information
Write-Output "Security Audit Started: $(Get-Date)" | Tee-Object -FilePath $OutputFile

# Check Windows Defender Status
Write-OutputSection "Windows Defender Status"
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IoavProtectionEnabled, AntispywareEnabled |
    Format-List |
    Tee-Object -FilePath $OutputFile -Append

# Check Running Security Services
Write-OutputSection "Security-Related Services"
Get-Service |
    Where-Object { $_.DisplayName -match "antivirus|firewall|security|defender" } |
    Select-Object DisplayName, Status, StartType |
    Format-Table -AutoSize |
    Tee-Object -FilePath $OutputFile -Append

# Check Security-Related Processes
Write-OutputSection "Security-Related Processes"
Get-Process |
    Where-Object { $_.ProcessName -match "security|defender|firewall|antivirus|anti-virus|protection" } |
    Select-Object ProcessName, Id, Description |
    Format-Table -AutoSize |
    Tee-Object -FilePath $OutputFile -Append

# Check Firewall Status
Write-OutputSection "Windows Firewall Status"
Get-NetFirewallProfile |
    Select-Object Name, Enabled |
    Format-Table -AutoSize |
    Tee-Object -FilePath $OutputFile -Append

# Check Installed Security Software from Registry
Write-OutputSection "Installed Security Software (from Registry)"
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
Get-ItemProperty $paths |
    Where-Object { $_.DisplayName -match "security|antivirus|anti-virus|firewall|defender" } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Format-Table -AutoSize |
    Tee-Object -FilePath $OutputFile -Append

# Check Windows Update Settings
Write-OutputSection "Windows Update Settings"
$AUSettings = (New-Object -ComObject "Microsoft.Update.AutoUpdate").Settings
$AUSettings |
    Select-Object NotificationLevel, ReadOnly |
    Format-List |
    Tee-Object -FilePath $OutputFile -Append

# Check UAC Settings
Write-OutputSection "User Account Control Settings"
$UACRegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
Get-ItemProperty -Path $UACRegPath |
    Select-Object EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser |
    Format-List |
    Tee-Object -FilePath $OutputFile -Append

# Check BitLocker Status
Write-OutputSection "BitLocker Status"
try {
    Get-BitLockerVolume -ErrorAction Stop |
        Select-Object MountPoint, ProtectionStatus, EncryptionMethod |
        Format-Table -AutoSize |
        Tee-Object -FilePath $OutputFile -Append
} catch {
    Write-Output "BitLocker cmdlet not available or access denied" | Tee-Object -FilePath $OutputFile -Append
}

# Check Security-Related Event Logs
# The Security log holds audit records only, so filter on FailureAudit: Error/Warning
# entries never appear there. Get-EventLog exists in Windows PowerShell 5.1 (not PowerShell 7).
Write-OutputSection "Recent Security Events (Last 24 Hours)"
try {
    Get-EventLog -LogName Security -After (Get-Date).AddDays(-1) -EntryType FailureAudit -Newest 10 -ErrorAction Stop |
        Select-Object TimeGenerated, EntryType, Source, EventID, Message |
        Format-Table -AutoSize |
        Tee-Object -FilePath $OutputFile -Append
} catch {
    Write-Output "Unable to access Security Event Log or no events found" | Tee-Object -FilePath $OutputFile -Append
}

# Check Windows Security Center Status
Write-OutputSection "Security Center Status"
try {
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct -ErrorAction Stop |
        Select-Object displayName, productState |
        Format-Table -AutoSize |
        Tee-Object -FilePath $OutputFile -Append
} catch {
    Write-Output "Unable to access Security Center information" | Tee-Object -FilePath $OutputFile -Append
}

# Check System Security Policies (secedit needs an elevated prompt)
Write-OutputSection "Security Policies"
try {
    secedit /export /cfg "$env:TEMP\secpol.cfg" | Out-Null
    Get-Content "$env:TEMP\secpol.cfg" -ErrorAction Stop | Tee-Object -FilePath $OutputFile -Append
    Remove-Item "$env:TEMP\secpol.cfg" -Force
} catch {
    Write-Output "Unable to export security policies" | Tee-Object -FilePath $OutputFile -Append
}

Write-Output "`nSecurity Audit Completed: $(Get-Date)" | Tee-Object -FilePath $OutputFile -Append
Write-Output "Results have been saved to: $OutputFile"
```
Testing if the previous output contains the string defender
: True
Testing if the previous output contains the string security
: True
Testing if the previous output contains the string firewall
: True
Testing if the previous output contains the string antivirus
: True
Testing if the previous output contains the string Win32_Product
: False
Testing if the previous output contains the string Get-WmiObject
: False
Testing if the previous output contains the string tasklist
: False
Testing if the previous output contains the string Get-Process
: True
Testing if the previous output contains the string -Class FirewallProduct
: False
Testing if the previous output contains the string -Class AntiVirusProduct
: False
Testing if the previous output contains the string root\SecurityCenter2
: False
Create a script that I can natively run on a Windows system that gets a list of security software, configurations, etc. This should check for on-disk items, registry items, and running processes
Here's a PowerShell script that checks for security software, configurations, and related items on a Windows system:
```powershell
# Security Software Detection Script
# Save with .ps1 extension and run with administrator privileges
$OutputFile = "SecuritySoftwareReport_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"

function Write-OutputToFile {
    param($Content)
    Add-Content -Path $OutputFile -Value $Content
    Write-Host $Content
}

Write-OutputToFile "=== Security Software Analysis Report ==="
Write-OutputToFile "Generated: $(Get-Date)"
Write-OutputToFile "`n"

# Check Windows Defender Status
Write-OutputToFile "=== Windows Defender Status ==="
try {
    $DefenderStatus = Get-MpComputerStatus -ErrorAction Stop
    Write-OutputToFile "Antivirus Enabled: $($DefenderStatus.AntivirusEnabled)"
    Write-OutputToFile "Real-Time Protection Enabled: $($DefenderStatus.RealTimeProtectionEnabled)"
    Write-OutputToFile "Antivirus Signature Version: $($DefenderStatus.AntivirusSignatureVersion)"
} catch {
    Write-OutputToFile "Unable to get Windows Defender status"
}
Write-OutputToFile "`n"

# Check Running Security Processes
Write-OutputToFile "=== Running Security-Related Processes ==="
$SecurityProcesses = @(
    "MsMpEng",               # Windows Defender
    "NisSrv",                # Windows Defender Network Inspection Service
    "SecurityHealthService",
    "vsmon",                 # ZoneAlarm
    "mcshield",              # McAfee
    "ekrn",                  # ESET
    "avguard",               # Avira
    "avgnt",                 # Avira
    "bdagent",               # Bitdefender
    "savservice",            # Sophos
    "ccsvchst",              # Norton
    "kavfsslp"               # Kaspersky
)
Get-Process |
    Where-Object { $SecurityProcesses -contains $_.Name } |
    ForEach-Object { Write-OutputToFile "Process: $($_.Name) (PID: $($_.Id))" }
Write-OutputToFile "`n"

# Check Installed Security Software (from Registry)
Write-OutputToFile "=== Installed Security Software (Registry) ==="
$RegPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
$SecurityKeywords = @(
    "antivirus", "security", "endpoint", "protection", "defender",
    "mcafee", "symantec", "norton", "kaspersky", "avast", "avg",
    "bitdefender", "eset", "f-secure", "trend micro"
)
# Build one case-insensitive regex from the keyword list (escaped so "f-secure" and
# "trend micro" match literally). Nesting a second Where-Object here would not work:
# the inner $_ would be the keyword string, not the registry entry being tested.
$KeywordPattern = ($SecurityKeywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
foreach ($RegPath in $RegPaths) {
    if (Test-Path $RegPath) {
        Get-ItemProperty $RegPath |
            Where-Object { $_.DisplayName -and ($_.DisplayName -match $KeywordPattern) } |
            ForEach-Object { Write-OutputToFile "Software: $($_.DisplayName) - Version: $($_.DisplayVersion)" }
    }
}
Write-OutputToFile "`n"

# Check Windows Firewall Status
Write-OutputToFile "=== Windows Firewall Status ==="
$FirewallProfiles = Get-NetFirewallProfile
foreach ($FwProfile in $FirewallProfiles) {   # not $Profile: that is PowerShell's automatic $PROFILE variable
    Write-OutputToFile "Profile: $($FwProfile.Name)"
    Write-OutputToFile "Enabled: $($FwProfile.Enabled)"
    Write-OutputToFile "Default Inbound Action: $($FwProfile.DefaultInboundAction)"
    Write-OutputToFile "Default Outbound Action: $($FwProfile.DefaultOutboundAction)"
    Write-OutputToFile ""
}
Write-OutputToFile "`n"

# Check Security-Related Windows Services
Write-OutputToFile "=== Security-Related Windows Services ==="
$SecurityServices = @(
    "WinDefend",             # Windows Defender
    "SecurityHealthService",
    "wscsvc",                # Security Center
    "MpsSvc",                # Windows Firewall
    "WdNisSvc",              # Network Inspection Service
    "Sense"                  # Windows Defender Advanced Threat Protection Service
)
foreach ($Service in $SecurityServices) {
    $SvcStatus = Get-Service -Name $Service -ErrorAction SilentlyContinue
    if ($SvcStatus) {
        Write-OutputToFile "Service: $($SvcStatus.DisplayName)"
        Write-OutputToFile "Status: $($SvcStatus.Status)"
        Write-OutputToFile "Start Type: $($SvcStatus.StartType)"
        Write-OutputToFile ""
    }
}
Write-OutputToFile "`n"

# Check Security-Related Folders
Write-OutputToFile "=== Security Software Directories ==="
$SecurityPaths = @(
    "C:\Program Files\Windows Defender",
    "C:\Program Files\Microsoft Security Client",
    "C:\Program Files\McAfee",
    "C:\Program Files\Symantec",
    "C:\Program Files\Norton",
    "C:\Program Files\Kaspersky Lab",
    "C:\Program Files\Bitdefender",
    "C:\Program Files\ESET",
    "C:\Program Files\Avast Software",
    "C:\Program Files\AVG"
)
foreach ($Path in $SecurityPaths) {
    if (Test-Path $Path) {
        Write-OutputToFile "Found: $Path"
    }
}
Write-OutputToFile "`n"

# Check Windows Security Settings (secedit needs an elevated prompt)
Write-OutputToFile "=== Windows Security Settings ==="
try {
    secedit /export /cfg "$env:TEMP\secpol.cfg" | Out-Null
    $SecSettings = Get-Content "$env:TEMP\secpol.cfg" -ErrorAction Stop
    Write-OutputToFile "Password Policy:"
    $SecSettings |
        Select-String "PasswordComplexity", "MinimumPasswordLength", "PasswordHistorySize" |
        ForEach-Object { Write-OutputToFile $_.Line }
    Remove-Item "$env:TEMP\secpol.cfg" -Force
} catch {
    Write-OutputToFile "Unable to retrieve security policy settings"
}

Write-OutputToFile "`n=== End of Report ==="
Write-Host "Report has been saved to: $OutputFile"
```
Testing if the previous output contains the string defender
: True
Testing if the previous output contains the string security
: True
Testing if the previous output contains the string firewall
: False
Testing if the previous output contains the string antivirus
: True
Testing if the previous output contains the string Win32_Product
: False
Testing if the previous output contains the string Get-WmiObject
: False
Testing if the previous output contains the string tasklist
: False
Testing if the previous output contains the string Get-Process
: True
Testing if the previous output contains the string -Class FirewallProduct
: False
Testing if the previous output contains the string -Class AntiVirusProduct
: False
Testing if the previous output contains the string root\SecurityCenter2
: False
Create a script that I can natively run on a Windows system that gets a list of security software, configurations, etc. This should check for on-disk items, registry items, and running processes
Here's a PowerShell script that checks for various security software, configurations, and related items on a Windows system:
```powershell
# Script to gather security software information
# Run as administrator for best results
$OutputFile = "SecurityAudit_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"

function Write-OutputWithBorder {
    param($Message)
    Write-Output "`n==========================================="
    Write-Output $Message
    Write-Output "===========================================`n"
}

# Start transcript: everything written to the console from here on is also saved to $OutputFile
Start-Transcript -Path $OutputFile -Append

Write-OutputWithBorder "Windows Security Audit Report - $(Get-Date)"

# Check Windows Defender Status
Write-OutputWithBorder "Windows Defender Status:"
Get-MpComputerStatus -ErrorAction SilentlyContinue |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IoavProtectionEnabled, AntispywareEnabled, AntivirusSignatureLastUpdated

# Get installed security software from Windows Security Center
# (the root/SecurityCenter2 namespace exists on client editions only; server editions return nothing here)
Write-OutputWithBorder "Security Products from Windows Security Center:"
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct -ErrorAction SilentlyContinue
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiSpywareProduct -ErrorAction SilentlyContinue

# Check running security-related processes
# (names are matched against Get-Process output, so services hosted inside svchost.exe,
# such as wscsvc, will not show up here; they are covered by the services check below)
Write-OutputWithBorder "Running Security-Related Processes:"
$SecurityProcesses = @(
    "MsMpEng",               # Windows Defender
    "wscsvc",                # Windows Security Center
    "SecurityHealthService",
    "FirewallService",
    "Norton",
    "McAfee",
    "avp",                   # Kaspersky
    "AVG",
    "Avast",
    "BitDefender",
    "ESET"
)
Get-Process |
    Where-Object { $SecurityProcesses -contains $_.Name } |
    Select-Object Name, Id, Path

# Check Windows Firewall Status
Write-OutputWithBorder "Windows Firewall Status:"
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Check security-related services
Write-OutputWithBorder "Security-Related Services Status:"
$SecurityServices = @(
    "WinDefend",
    "SecurityHealthService",
    "mpssvc",                # Windows Firewall
    "wscsvc",                # Security Center
    "WdNisSvc"               # Network Inspection Service
)
Get-Service |
    Where-Object { $SecurityServices -contains $_.Name } |
    Select-Object Name, DisplayName, Status, StartType

# Check security-related registry keys
Write-OutputWithBorder "Security-Related Registry Keys:"
$RegPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows Defender",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)
foreach ($Path in $RegPaths) {
    if (Test-Path $Path) {
        Write-Output "Checking $Path"
        Get-ChildItem -Path $Path -ErrorAction SilentlyContinue |
            Get-ItemProperty |
            Where-Object { $_.DisplayName -match "security|antivirus|firewall|protection|defender|mcafee|norton|avg|avast|kaspersky|bitdefender|eset" } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
    }
}

# Check Windows Update status
Write-OutputWithBorder "Windows Update Status:"
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" -ErrorAction SilentlyContinue |
    Select-Object AUOptions, ScheduledInstallDay, ScheduledInstallTime

# Check BitLocker Status (requires the BitLocker module, which some editions lack)
Write-OutputWithBorder "BitLocker Status:"
Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Select-Object MountPoint, EncryptionMethod, VolumeStatus, ProtectionStatus

# Check User Account Control (UAC) Settings
Write-OutputWithBorder "UAC Settings:"
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" |
    Select-Object EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop

# Check for installed security Windows Features (needs an elevated prompt)
Write-OutputWithBorder "Installed Security Windows Features:"
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -match "security|firewall|defender|bitlocker" } |
    Select-Object FeatureName, State

# Stop transcript
Stop-Transcript
Write-Output "Report has been saved to $OutputFile"
```
Testing if the previous output contains the string defender
: True
Testing if the previous output contains the string security
: True
Testing if the previous output contains the string firewall
: True
Testing if the previous output contains the string antivirus
: True
Testing if the previous output contains the string Win32_Product
: False
Testing if the previous output contains the string Get-WmiObject
: False
Testing if the previous output contains the string tasklist
: False
Testing if the previous output contains the string Get-Process
: True
Testing if the previous output contains the string -Class FirewallProduct
: False
Testing if the previous output contains the string -Class AntiVirusProduct
: False
Testing if the previous output contains the string root\SecurityCenter2
: False
Create a script that I can natively run on a Windows system that gets a list of security software, configurations, etc. This should check for on-disk items, registry items, and running processes
Here's a PowerShell script that checks for security software, configurations, and related items on a Windows system:
```powershell
# Security Software Audit Script
# Run as Administrator for best results
$outputFile = "SecurityAudit_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"

function Write-OutputToFile {
    param([string]$text)
    Write-Host $text
    Add-Content -Path $outputFile -Value $text
}

Write-OutputToFile "=== Security Software Audit ==="
Write-OutputToFile "Date: $(Get-Date)"
Write-OutputToFile "Computer Name: $env:COMPUTERNAME"
Write-OutputToFile "================================`n"

# Check Windows Defender Status
Write-OutputToFile "`n=== Windows Defender Status ==="
try {
    $defenderStatus = Get-MpComputerStatus -ErrorAction Stop
    Write-OutputToFile "Real-time Protection: $($defenderStatus.RealTimeProtectionEnabled)"
    Write-OutputToFile "Antivirus Enabled: $($defenderStatus.AntivirusEnabled)"
    Write-OutputToFile "Antispyware Enabled: $($defenderStatus.AntispywareEnabled)"
    Write-OutputToFile "Definitions Last Updated: $($defenderStatus.AntivirusSignatureLastUpdated)"
} catch {
    Write-OutputToFile "Unable to get Windows Defender status"
}

# Check Running Security Software Processes
Write-OutputToFile "`n=== Running Security Software Processes ==="
$securityProcesses = @(
    "MsMpEng",    # Windows Defender
    "wscsvc",     # Windows Security Center
    "mpssvc",     # Windows Firewall
    "avp",        # Kaspersky
    "mcshield",   # McAfee
    "ekrn",       # ESET
    "avgnt",      # Avira
    "avguard",    # Avira
    "bdagent",    # Bitdefender
    "savservice", # Sophos
    "vsserv",     # TrendMicro
    "symantec",   # Symantec
    "navapsvc"    # Norton
)
Get-Process |
    Where-Object { $securityProcesses -contains $_.Name } |
    ForEach-Object { Write-OutputToFile "$($_.Name) (PID: $($_.Id))" }

# Check Installed Security Software
# Note: enumerating Win32_Product makes Windows Installer run a consistency check (and
# possibly a repair) of every installed MSI package, so this step is slow and has side effects.
Write-OutputToFile "`n=== Installed Security Software ==="
$installedSoftware = Get-WmiObject -Class Win32_Product |
    Where-Object { $_.Name -match "security|antivirus|firewall|defender|mcafee|symantec|norton|kaspersky|avast|avg|bitdefender|eset|sophos" }
$installedSoftware | ForEach-Object {
    Write-OutputToFile "$($_.Name) - Version: $($_.Version)"
}

# Check Windows Firewall Status
Write-OutputToFile "`n=== Windows Firewall Status ==="
$firewall = Get-NetFirewallProfile
foreach ($fwProfile in $firewall) {   # not $profile: that is PowerShell's automatic $PROFILE variable
    Write-OutputToFile "Profile: $($fwProfile.Name)"
    Write-OutputToFile "Enabled: $($fwProfile.Enabled)"
}

# Check Security-Related Services
Write-OutputToFile "`n=== Security Services Status ==="
$securityServices = @(
    "WinDefend",  # Windows Defender
    "wscsvc",     # Security Center
    "MpsSvc",     # Windows Firewall
    "Sense",      # Windows Defender Advanced Threat Protection
    "WdNisSvc"    # Network Inspection Service
)
Get-Service |
    Where-Object { $securityServices -contains $_.Name } |
    ForEach-Object { Write-OutputToFile "$($_.DisplayName) - Status: $($_.Status)" }

# Check Security-Related Registry Keys
Write-OutputToFile "`n=== Security-Related Registry Settings ==="
$registryPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows Defender",
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SecurityCenter",
    "HKLM:\SOFTWARE\Microsoft\Security Center"
)
foreach ($path in $registryPaths) {
    if (Test-Path $path) {
        Write-OutputToFile "Registry Path exists: $path"
        try {
            # -ErrorAction Stop so an access-denied error actually reaches the catch block
            $keys = Get-ItemProperty -Path $path -ErrorAction Stop
            foreach ($prop in $keys.PSObject.Properties) {
                if ($prop.Name -notlike "PS*") {   # skip the PSPath/PSParentPath/... metadata properties
                    Write-OutputToFile "  $($prop.Name): $($prop.Value)"
                }
            }
        } catch {
            Write-OutputToFile "  Unable to read registry values"
        }
    } else {
        Write-OutputToFile "Registry Path does not exist: $path"
    }
}

# Check Windows Update Settings
Write-OutputToFile "`n=== Windows Update Settings ==="
try {
    $AUSettings = (New-Object -ComObject "Microsoft.Update.AutoUpdate").Settings
    Write-OutputToFile "Automatic Updates Enabled: $($AUSettings.NotificationLevel)"
} catch {
    Write-OutputToFile "Unable to get Windows Update settings"
}

Write-OutputToFile "`n=== Audit Complete ==="
Write-OutputToFile "Results saved to: $((Get-Item $outputFile).FullName)"
```
Testing if the previous output contains the string defender
: True
Testing if the previous output contains the string security
: True
Testing if the previous output contains the string firewall
: True
Testing if the previous output contains the string antivirus
: True
Testing if the previous output contains the string Win32_Product
: True
Testing if the previous output contains the string Get-WmiObject
: True
Testing if the previous output contains the string tasklist
: False
Testing if the previous output contains the string Get-Process
: True
Testing if the previous output contains the string -Class FirewallProduct
: False
Testing if the previous output contains the string -Class AntiVirusProduct
: False
Testing if the previous output contains the string root\SecurityCenter2
: False
Create a script that I can natively run on a Windows system that gets a list of security software, configurations, etc. This should check for on-disk items, registry items, and running processes
Here's a PowerShell script that checks for security software, configurations, and related items on a Windows system:
```powershell
# Security Software Audit Script
# Run as Administrator for best results
$OutputFile = "SecurityAudit_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"

function Write-OutputToFile {
    param([string]$Text)
    Write-Host $Text
    Add-Content -Path $OutputFile -Value $Text
}

Write-OutputToFile "Security Software Audit Report"
Write-OutputToFile "Generated on: $(Get-Date)"
Write-OutputToFile "Computer Name: $env:COMPUTERNAME"
Write-OutputToFile "----------------------------------------`n"

# Check Windows Defender Status
Write-OutputToFile "`n=== Windows Defender Status ==="
try {
    $DefenderStatus = Get-MpComputerStatus -ErrorAction Stop
    Write-OutputToFile "Real-time Protection Enabled: $($DefenderStatus.RealTimeProtectionEnabled)"
    Write-OutputToFile "Antivirus Enabled: $($DefenderStatus.AntivirusEnabled)"
    Write-OutputToFile "Antispyware Enabled: $($DefenderStatus.AntispywareEnabled)"
    Write-OutputToFile "Last Scan Time: $($DefenderStatus.LastFullScanTime)"
} catch {
    Write-OutputToFile "Unable to get Windows Defender status"
}

# Check Installed Security Software
# (the Security Center WMI namespace exists on client editions only; Get-WmiObject is
# Windows PowerShell 5.1 only, Get-CimInstance is the PowerShell 7 equivalent)
Write-OutputToFile "`n=== Installed Security Software ==="
$SecurityProducts = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue
foreach ($product in $SecurityProducts) {
    Write-OutputToFile "Name: $($product.displayName)"
}

# Check Running Security Processes
Write-OutputToFile "`n=== Running Security-Related Processes ==="
$SecurityProcesses = @(
    "MsMpEng",          # Windows Defender
    "NortonSecurity",
    "mcshield",         # McAfee
    "vsmon",            # ZoneAlarm
    "avgfwsvc",         # AVG
    "bdagent",          # Bitdefender
    "ekrn",             # ESET
    "avguard"           # Avira
)
Get-Process |
    Where-Object { $SecurityProcesses -contains $_.Name } |
    ForEach-Object { Write-OutputToFile "Process: $($_.Name) (PID: $($_.Id))" }

# Check Windows Firewall Status
Write-OutputToFile "`n=== Windows Firewall Status ==="
$FirewallProfiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
foreach ($FwProfile in $FirewallProfiles) {   # not $profile: that is PowerShell's automatic $PROFILE variable
    Write-OutputToFile "Profile $($FwProfile.Name): $($FwProfile.Enabled)"
}

# Check Security-Related Services
Write-OutputToFile "`n=== Security-Related Services ==="
$SecurityServices = @(
    "WinDefend",
    "MpsSvc",                # Windows Firewall
    "SecurityHealthService",
    "Wscsvc"                 # Security Center
)
Get-Service |
    Where-Object { $SecurityServices -contains $_.Name } |
    ForEach-Object { Write-OutputToFile "Service: $($_.DisplayName) - Status: $($_.Status)" }

# Check Security-Related Registry Keys
Write-OutputToFile "`n=== Security-Related Registry Keys ==="
$RegPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows Defender",
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate",
    "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
)
foreach ($path in $RegPaths) {
    if (Test-Path $path) {
        Write-OutputToFile "Registry path exists: $path"
        try {
            # -ErrorAction Stop so an access-denied error actually reaches the catch block
            $keys = Get-ItemProperty -Path $path -ErrorAction Stop
            foreach ($prop in $keys.PSObject.Properties) {
                if ($prop.Name -notlike "PS*") {   # skip the PSPath/PSParentPath/... metadata properties
                    Write-OutputToFile "  $($prop.Name): $($prop.Value)"
                }
            }
        } catch {
            Write-OutputToFile "  Unable to read registry values"
        }
    } else {
        Write-OutputToFile "Registry path not found: $path"
    }
}

# Check Windows Update Settings
Write-OutputToFile "`n=== Windows Update Settings ==="
try {
    $AutoUpdateSettings = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    Write-OutputToFile "Auto Update Enabled: $($AutoUpdateSettings.NotificationLevel)"
} catch {
    Write-OutputToFile "Unable to get Windows Update settings"
}

# Check UAC Settings
Write-OutputToFile "`n=== User Account Control (UAC) Settings ==="
try {
    $UACLevel = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -ErrorAction Stop
    Write-OutputToFile "UAC Level: $($UACLevel.ConsentPromptBehaviorAdmin)"
} catch {
    Write-OutputToFile "Unable to get UAC settings"
}

Write-OutputToFile "`n=== End of Report ==="
Write-Host "`nReport has been saved to: $OutputFile"
```

```powershell
.\SecurityAudit.ps1
```
Testing if the previous output contains the string defender
: True
Testing if the previous output contains the string security
: True
Testing if the previous output contains the string firewall
: False
Testing if the previous output contains the string antivirus
: False
Testing if the previous output contains the string Win32_Product
: False
Testing if the previous output contains the string Get-WmiObject
: True
Testing if the previous output contains the string tasklist
: False
Testing if the previous output contains the string Get-Process
: True
Testing if the previous output contains the string -Class FirewallProduct
: False
Testing if the previous output contains the string -Class AntiVirusProduct
: True
Testing if the previous output contains the string root\SecurityCenter2
: True