Anti-Virus active?

4 Posts
4 Users
0 Reactions
450 Views
(@username)
Active Member
Joined: 13 years ago
Posts: 6
Topic starter  

How do you tell which AV is active?

I'll cut straight to the point. If you have a Windows machine in front of you and open 'Action Center', you can see under Security several options showing what's 'On' and 'Off'.

If I pick one of these options, 'Virus Protection', it tells me it's 'On' and gives me an option to see which AV is installed and which one is active.

So my current system shows:

AV 1 ON
AV 2 OFF
AV 3 OFF

Is it possible to see these settings forensically, to easily identify the active AV, so I can prioritise my searches in the files which that AV makes, as opposed to searching each AV's logs etc. to identify which one is active?

MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

Create an EICAR txt file and access it. A good modern AV should intercept that kind of stuff, so if the file gets deleted then the AV is active. It will probably also create an event log entry, probably one that screams "EICAR TEST FILE".

(@gorvq7222)
Reputable Member
Joined: 11 years ago
Posts: 236
 

Hi,

In my opinion, there is no easy way to find which AV is on. But you could do two things to verify.

1. Live forensics - that means you could use Live View to boot your evidence file (E01 or dd), and the suspect's computer is alive again in front of you. You could log in and browse his/her computer. Whichever one is active, browse it and you could figure it out.

2. Timeline forensics - that means you should use forensics software to take a look at the timeline. For example, you want to know which AV was on yesterday. You have to sort MACE timestamps to focus on yesterday's file activities. If some AV log was touched yesterday (MACE is changed), you could take a look at that log content to see the details.

Rick

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Maybe the OP's question was more around checking the contents of
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
in the Registry.

See also
http://www.autoitscript.com/forum/topic/36731-detect-antivirus-present/
http://serverfault.com/questions/12343/how-can-i-determine-whether-an-antivirus-product-is-installed

jaclaz

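Querying the Security Center state jaclaz points at, on a live machine or inside a Live View-booted image, as an added example that is not part of the thread. The root/SecurityCenter2 CIM class and the productState bit decoding come from outside this page and are assumptions; the registry dump is exactly the key named above.

```powershell
# Added example (not from the thread). Lists what Windows Security Center
# knows about anti-virus products, from two sources: the registry key jaclaz
# mentions, and the CIM namespace root/SecurityCenter2 (Vista and later;
# XP uses root/SecurityCenter and its class has no productState value).

function Get-SecurityCenterRegistry {
    # Dump every value under the Security Center key and its subkeys.
    $path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    if (-not (Test-Path $path)) { return }
    $keys = @(Get-Item $path) + @(Get-ChildItem -Path $path -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}

function ConvertFrom-ProductState {
    param([int]$State)
    # productState is a packed integer. The layout below is the commonly
    # reported interpretation (assumption, not documented in the thread):
    #   bits 12-15: 0x1 = real-time protection on, 0x0 = off
    #   bits  4-7:  0x1 = signatures out of date, 0x0 = up to date
    [pscustomobject]@{
        Enabled  = ((($State -shr 12) -band 0xF) -eq 1)
        Outdated = ((($State -shr 4) -band 0xF) -eq 1)
    }
}

function Get-ActiveAntiVirus {
    # One row per registered AV product, with the decoded on/off state.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $s = ConvertFrom-ProductState -State $_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = $s.Enabled
                Outdated = $s.Outdated
                Exe      = $_.pathToSignedProductExe
                RawState = ('0x{0:X6}' -f $_.productState)
            }
        }
}

Get-SecurityCenterRegistry | Format-Table -AutoSize
Get-ActiveAntiVirus | Format-Table -AutoSize
```

On an offline image the same registry key can be read from the SOFTWARE hive with a hive viewer; the CIM query only works against a running system.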