FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
jkoay
Staff
Article Id: 307650
Description: This article describes how the Antivirus Software zero trust tagging rule works.
Scope: FortiClient EMS v7.0, v7.2.
Solution

The Antivirus Software zero trust tagging rule applies to both FortiClient AV and 3rd party antivirus software that registers itself to the Windows Security Center (WSC).

 

The antivirus software reports any change in the following statuses to WSC:

  • Antivirus Software is installed and running.
  • Antivirus Signature is up-to-date.

 

On Windows, it is possible to check the antivirus status for both FortiClient and 3rd party antivirus software.

However, on macOS and Linux, the antivirus tagging rule applies only when FortiClient antivirus protection is enabled; it does not apply to 3rd party antivirus software.

 

As WSC monitors the state of each antivirus product present on a Windows machine, it is crucial to know how to obtain the product state of each antivirus provider.

 

This can be done by running either of the following commands in PowerShell:

Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct | Select-Object displayName, productState

Get-CimInstance -Namespace "root\SecurityCenter2" -ClassName AntiVirusProduct | Select-Object displayName, productState

 


 

productState is a numeric value. To understand what the value means, convert it to a binary string (bits), as each bit represents a specific status of the antivirus product.

 

For example, the productState for FortiClient is 266240. Converting this decimal value to binary makes it possible to interpret the antivirus product state.

 

266240 --> 1000001000000000000

 

The above value means that FortiClient is enabled and the antivirus signature is up-to-date.
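
The conversion above can be scripted when checking why an endpoint does or does not receive the tag. The following is an added example, not Fortinet's code: the function name ConvertFrom-ProductState is hypothetical, and the bit meanings (0x1000 = protection enabled, 0x10 = signatures out of date) are an assumption based on the commonly used interpretation of productState, not something this article defines. The sample values other than 266240 are constructed.

```powershell
# Added example: decode a WSC productState value into readable status flags.
# ASSUMPTION: bit meanings follow the commonly used interpretation of
# productState; they are not defined in this article.
function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)

    # Same binary string the article shows for 266240.
    $bits = [Convert]::ToString([long]$ProductState, 2)
    # Six hex digits: one byte each for provider, protection state, signature state.
    $hex  = '0x{0:X6}' -f $ProductState

    # Assumed: bit 12 (0x1000) set means real-time protection is on.
    $enabled  = ($ProductState -band 0x1000) -ne 0
    # Assumed: bit 4 (0x10) set means signatures are out of date.
    $upToDate = ($ProductState -band 0x10) -eq 0

    [pscustomobject]@{
        ProductState = $ProductState
        Hex          = $hex
        Bits         = $bits
        Enabled      = $enabled
        UpToDate     = $upToDate
    }
}

# 266240 is the FortiClient value from the article; the other two are
# constructed samples (protection off, and signatures out of date).
266240, 262144, 266256 |
    ForEach-Object { ConvertFrom-ProductState $_ } |
    Format-Table -AutoSize

# On a Windows client, decode what each registered product reports to WSC.
# The guards skip this part where the cmdlet or namespace is unavailable.
if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = ConvertFrom-ProductState $_.productState
            [pscustomobject]@{
                Name     = $_.displayName
                Enabled  = $s.Enabled
                UpToDate = $s.UpToDate
                Bits     = $s.Bits
            }
        } | Format-Table -AutoSize
}
```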
