Overview

The AntiVirus command enumerates all registered antivirus and security products on the system by querying WMI (Windows Management Instrumentation). This provides crucial information about the endpoint protection landscape, including product names, versions, and operational status. The command queries the SecurityCenter2 WMI namespace, which maintains a registry of security products installed on Windows systems.

Syntax

Seatbelt.exe AntiVirus

Remote Execution

Seatbelt.exe AntiVirus -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

The command returns details about registered antivirus products:
  • Product name
  • Product state (enabled/disabled)
  • Product executable path
  • Version information
  • Last update timestamp

Use Cases

Applies to: Red Team, Blue Team

  • Identify security products before payload execution
  • Assess endpoint protection posture
  • Select appropriate evasion techniques based on AV vendor
  • Plan persistence mechanisms that avoid detection
  • Understand the security landscape of the target environment

Example Output

====== AntiVirus ======

Engine                 : Windows Defender
ProductEXE             : windowsdefender://
ReportingEXE           : %ProgramFiles%\Windows Defender\MsMpeng.exe
ProductState           : 397568 (Enabled)

Engine                 : Symantec Endpoint Protection
ProductEXE             : C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
ReportingEXE           : C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
ProductState           : 266240 (Enabled)

Remote Execution

This command supports remote execution using the -computername parameter.
Remote execution queries the SecurityCenter2 WMI namespace on the target system, making it ideal for rapid security posture assessment across multiple endpoints.

Detection Considerations

This command may generate the following detection opportunities:
  • WMI Queries: Queries to root\SecurityCenter2 namespace can be monitored
  • Event ID 5857-5861: WMI activity events in Microsoft-Windows-WMI-Activity/Operational log
  • Network Traffic: Remote WMI connections over RPC/DCOM
  • EDR Telemetry: Security products may flag enumeration of AV products
  • PowerShell Logging: If executed via PowerShell wrapper, script block logging may capture activity
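Two defender-side checks tied to the output and detection points above, as an added example that is not Seatbelt's own code: decoding the raw ProductState values shown in the example output (397568, 266240) into enabled/up-to-date flags, and flagging root\SecurityCenter2 queries in Microsoft-Windows-WMI-Activity/Operational 5858 event text. The ProductState bit layout is not formally documented by Microsoft and follows the common community interpretation; the event messages are constructed samples in the provider's field layout.

```python
import re

def decode_product_state(state: int) -> dict:
    """Decode AntiVirusProduct.productState (community interpretation, not
    an official Microsoft spec): viewed as six hex digits, digits 3-4 carry
    the enabled flag and digits 5-6 the signature-freshness flag."""
    hexstate = f"{state:06x}"
    enabled = hexstate[2:4] in ("10", "11")   # 00/01 = disabled or snoozed
    up_to_date = hexstate[4:6] == "00"        # 10 = definitions out of date
    return {"hex": hexstate, "enabled": enabled, "up_to_date": up_to_date}

# Constructed 5858-style messages (field layout as emitted by the
# Microsoft-Windows-WMI-Activity provider; hosts, users and PIDs are made up).
# 5858 records client operations that returned a non-zero result code; the
# 0x80041032 (call cancelled) code is what a finished enumeration commonly leaves.
SAMPLE_EVENTS = [
    "Id = {PLACEHOLDER-GUID}; ClientMachine = WS01; User = CORP\\alice; "
    "ClientProcessId = 4120; Component = Unknown; Operation = Start "
    "IWbemServices::ExecQuery - root\\SecurityCenter2 : SELECT * FROM "
    "AntiVirusProduct; ResultCode = 0x80041032; PossibleCause = Unknown",
    "Id = {PLACEHOLDER-GUID}; ClientMachine = WS01; User = CORP\\svc-mon; "
    "ClientProcessId = 880; Component = Unknown; Operation = Start "
    "IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Process; "
    "ResultCode = 0x80041032; PossibleCause = Unknown",
]

EVENT_RE = re.compile(
    r"ClientMachine = (?P<host>[^;]+);.*?User = (?P<user>[^;]+);"
    r".*?ClientProcessId = (?P<pid>\d+);"
    r".*?Operation = Start IWbemServices::(?P<op>\w+) - (?P<ns>\S+) : (?P<query>[^;]+);",
    re.IGNORECASE,
)

def find_securitycenter_queries(messages):
    """Return host/user/pid/query for every event whose namespace is
    SecurityCenter2; correlate the pid with process-creation events next."""
    hits = []
    for msg in messages:
        m = EVENT_RE.search(msg)
        if m and m.group("ns").lower().endswith("securitycenter2"):
            hits.append({k: m.group(k) for k in ("host", "user", "pid", "query")})
    return hits

if __name__ == "__main__":
    for value in (397568, 266240):
        print(value, decode_product_state(value))
    print(find_securitycenter_queries(SAMPLE_EVENTS))
```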

Defensive Recommendations

  • Enable WMI logging via Group Policy
  • Monitor for queries to SecurityCenter2 namespace
  • Alert on multiple enumeration commands from single source
  • Track RPC connections to WMI service (135/tcp, dynamic high ports)
  • Correlate with process creation and authentication events

Related Commands

  • AMSIProviders - AMSI provider registration details
  • WindowsDefender - Windows Defender specific settings and exclusions
  • Sysmon - Sysmon configuration and status
  • Services - Running services including security products
  • Processes - Running processes that may include security tools