How to Identify the Antivirus Software Installed on a PC Using C#

By FoxLearn 2/15/2025 2:08:36 AM
To identify the antivirus software installed on a PC using C#, you can query Windows Management Instrumentation (WMI) for the relevant information. Specifically, you can access the AntiVirusProduct class in the Security Center API to retrieve details about the installed antivirus.

To gather information about the installed antivirus, you’ll need to use the System.Management namespace.

using System.Management;

In Visual Studio, you may need to add the reference manually.

  1. Right-click your project and select Add References.
  2. In the Assemblies (Framework) tab, search for System.Management and add it.
  3. Click OK.

The System.Management namespace allows you to query WMI classes. For more details on WMI queries in .NET

We will query the root\SecurityCenter2 namespace (or root\SecurityCenter for versions older than Windows XP). The AntiVirusProduct class in that namespace returns details about the installed antivirus, although it is undocumented by Microsoft and only available on Windows desktop editions like XP, Vista, and 7.

The available properties differ across versions. For example:

  • Windows XP:

    • companyName
    • displayName
    • productUptoDate
    • and more...
  • Windows 7 and above:

    • displayName
    • productState
    • pathToSignedProductExe
    • and more...

In this example, we’ll use Windows 10 properties:

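// Requires: using System; using System.Management;
public void GetAntivirusName()
{
    // root\SecurityCenter2 is the WMI namespace; AntiVirusProduct is the class queried inside it.
    // Both the searcher and the result collection hold WMI resources, so dispose of them.
    using (ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntiVirusProduct"))
    using (ManagementObjectCollection data = wmiData.Get())
    {
        // One instance is returned for each antivirus product registered with Security Center.
        foreach (ManagementObject virusChecker in data)
        {
            Console.WriteLine(virusChecker["displayName"]);
            Console.WriteLine(virusChecker["instanceGuid"]);
            Console.WriteLine(virusChecker["pathToSignedProductExe"]);
            Console.WriteLine(virusChecker["productState"]);
        }
    }
}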

This code will output the antivirus name and additional information like this:

Windows Defender
{xxxxxxxx-831F-xxxx-9EE-DA111111146}
windowsdefender://
397568

The productState property returns a numeric value that varies depending on the antivirus. Here’s how to interpret it for a few products (the hexadecimal form of each value is shown in parentheses):

  • AVG Internet Security 2012 (AntivirusProduct WMI):

    • 262144 (040000) = Disabled and up to date
    • 266240 (041000) = Enabled and up to date
  • Windows Defender:

    • 393472 (060100) = Disabled and up to date
    • 397568 (061100) = Enabled and up to date
  • Microsoft Security Essentials:

    • 397312 (061000) = Enabled and up to date
    • 393216 (060000) = Disabled and up to date

Each antivirus software may have its own productState interpretation, but generally, the number signifies whether the software is enabled or disabled and whether it is up to date.
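
The values in the list above can be decoded byte by byte. The following is an added example, not code from the original article: it assumes, from the six values listed, that bit 0x1000 marks "enabled" and that a zero low byte marks "up to date", and the names AvPostureCheck and Describe are hypothetical. Because productState is undocumented, other products may not follow this pattern.

```csharp
using System;
using System.Management;

public static class AvPostureCheck  // hypothetical name, not part of any API
{
    // Set in every "Enabled" value listed above and clear in every "Disabled" one.
    const uint EnabledBit = 0x1000;

    // Splits productState into its three low bytes and applies the pattern seen in the list.
    public static string Describe(uint productState)
    {
        uint high = (productState >> 16) & 0xFF;  // 0x04 or 0x06 in the listed values
        uint mid  = (productState >> 8) & 0xFF;   // 0x00, 0x01, 0x10 or 0x11 in the listed values
        uint low  = productState & 0xFF;          // 0x00 in every listed "up to date" value
        bool enabled = (productState & EnabledBit) != 0;
        // Assumption: a non-zero low byte means the definitions are not confirmed current.
        string sigs = low == 0 ? "up to date" : "not confirmed up to date";
        return string.Format("0x{0:X6} (bytes {1:X2} {2:X2} {3:X2}) => {4}, {5}",
            productState, high, mid, low, enabled ? "enabled" : "disabled", sigs);
    }

    public static int Main()
    {
        // Constructed self-check: the six values from the list above.
        foreach (uint sample in new uint[] { 262144, 266240, 393472, 397568, 397312, 393216 })
            Console.WriteLine("sample " + Describe(sample));
        try
        {
            using (var searcher = new ManagementObjectSearcher(@"root\SecurityCenter2",
                       "SELECT displayName, productState FROM AntiVirusProduct"))
            using (ManagementObjectCollection products = searcher.Get())
            {
                int count = 0;
                foreach (ManagementBaseObject p in products)
                {
                    count++;
                    Console.WriteLine(p["displayName"] + ": " + Describe(Convert.ToUInt32(p["productState"])));
                }
                if (count == 0) Console.WriteLine("No antivirus product is registered with Security Center.");
                return count == 0 ? 1 : 0;
            }
        }
        catch (ManagementException ex)  // e.g. the namespace is missing on this edition of Windows
        {
            Console.WriteLine("SecurityCenter2 query failed: " + ex.Message);
            return 2;
        }
    }
}
```

The exit code (0 = at least one product registered, 1 = none, 2 = query failed) lets a login script or inventory job act on the result without parsing the text.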