Level Verified

Windows Monitor - AV Script

Created by

Level

Type

Script

Category

Security

Platforms
Windows, Apple iOS, Linux

Problem Overview

Many organizations struggle to ensure reliable, ongoing antivirus protection on Windows systems, including those running third-party security tools. This script taps into Windows Security Center to confirm whether an AV product—be it Windows Defender or a properly registered third-party solution—is active, helping IT professionals and MSPs maintain a consistent layer of endpoint security.

Description

It queries Windows Security Center for any recognized antivirus product status, including real-time protection. If antivirus coverage is confirmed as active, the script returns a success. If not, or if real-time scanning is disabled, it exits with an alert code, enabling Level to trigger a notification or remediation task. By leveraging system-level permissions, it works seamlessly under the hood without additional user intervention, ensuring straightforward monitoring and compliance checks.

Script

<#
This resource is provided as a convenience for Level users. We cannot
guarantee it will work in all environments. Please test before deploying
to your production environment. We welcome contributions to our community
library

Level Library
https://level.io/library/script-windows-check-av
#>

# Initialize a variable to track if antivirus protection is active.
# It is created in the global scope so that the function's update below is
# the same variable the exit check reads when this runs as a .ps1 file.
$global:antivirusActive = $false

# Function to check the status of Windows Defender Antivirus
function Check-AntivirusStatus {
    $status = Get-MpComputerStatus
    $antivirusEnabled = $status.AntivirusEnabled
    $realTimeProtection = $status.RealTimeProtectionEnabled

    if ($antivirusEnabled -eq $true -and $realTimeProtection -eq $true) {
        Write-Host "Antivirus and real-time protection are ENABLED."
        $global:antivirusActive = $true
    }
    elseif ($antivirusEnabled -eq $true) {
        Write-Host "Antivirus is ENABLED, but real-time protection is DISABLED."
    }
    else {
        Write-Host "Antivirus is DISABLED."
    }
}

# Check antivirus status
Check-AntivirusStatus

# Determine script exit code based on antivirus status
if ($global:antivirusActive) {
    Write-Host "SUCCESS: Antivirus protection is active."
    exit 0
}
else {
    Write-Host "ALERT: Antivirus protection is not fully active."
    exit 1
}

Use Cases

  • Checking if a third-party antivirus solution is active in Windows Security Center
  • Verifying whether real-time scanning is disabled or bypassed
  • Triggering alerts when no valid AV is found on endpoints
  • Integrating into automated workflows to re-enable or install the correct antivirus

Recommendations

  • Configure a script-based monitor in Level to run regularly, allowing immediate detection if antivirus coverage lapses
  • Pair with an automation that attempts to re-enable or deploy the proper antivirus solution upon alert
  • Validate in a test environment to confirm that third-party AVs register correctly with Windows Security Center
  • Review additional logs if coverage isn’t recognized, as some AV vendors may require extra steps to appear in Security Center

FAQ

  • Will this script detect antivirus solutions other than Windows Defender?
    Yes, it checks Windows Security Center, which typically displays any properly registered antivirus product.
  • Does it require elevated permissions to run?
    No, Level handles system-level permissions, so you don’t need to elevate privileges manually.
  • What if a vendor’s antivirus doesn’t show in Windows Security Center?
    Some third-party AVs may not fully register. Ensure the product integrates with Windows Security Center or consult the vendor’s documentation.
  • Can I add more robust checks for specific AV vendors?
    Absolutely. You can modify or extend the PowerShell commands to retrieve product-specific details if needed.
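
The script above calls Get-MpComputerStatus, which reports on Microsoft Defender only. The following added example (not part of Level's script) shows one way to read the products registered in Windows Security Center instead. The function name is hypothetical, and the productState bit masks are a community-derived interpretation that Microsoft does not document, so treat them as assumptions and validate them against your AV vendor.

```powershell
# Added example: list antivirus products registered with Windows Security Center.
# The root/SecurityCenter2 namespace exists on Windows client editions only,
# not on Windows Server.
function Get-RegisteredAntivirus {   # hypothetical helper name
    try {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
            -ClassName 'AntiVirusProduct' -ErrorAction Stop
    }
    catch {
        Write-Host "ALERT: Security Center query failed: $($_.Exception.Message)"
        return @()
    }

    foreach ($p in $products) {
        $state = [uint32]$p.productState
        [pscustomobject]@{
            Name       = $p.displayName
            # Assumption (undocumented layout): bit 0x1000 set means
            # real-time scanning is on; bit 0x0010 set means signatures
            # are out of date.
            RealTimeOn = ($state -band 0x1000) -ne 0
            UpToDate   = ($state -band 0x0010) -eq 0
            StateHex   = '0x{0:X6}' -f $state
        }
    }
}

$av = @(Get-RegisteredAntivirus)
$av | Format-Table -AutoSize | Out-String | Write-Host

# Succeed only if at least one registered product reports real-time protection.
$active = @($av | Where-Object { $_.RealTimeOn })
if ($active.Count -gt 0) {
    Write-Host "SUCCESS: Active AV: $($active.Name -join ', ')"
    exit 0
}
Write-Host "ALERT: No registered antivirus reports real-time protection enabled."
exit 1
```

Security Center can keep entries for products that were uninstalled, so review the printed table and not only the exit code when validating a new vendor.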

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Windows - Check AV

Description

This script checks the status of Windows Defender Antivirus, including whether antivirus and real-time protection are enabled. It outputs the status, updates a global variable if both are active, and exits with a success or alert code based on the overall antivirus protection status.

Language

PowerShell

Timeout (In Seconds)

100

Run As

Local system
