Level Verified

Windows Monitor - Security Center Script

Created by

Level

Type

Script

Category

Security

Platforms
Windows, Apple iOS, Linux

Problem Overview

Many organizations struggle to ensure that essential security features, like antivirus and firewall protections, remain consistently enabled and up-to-date on all Windows endpoints. This script addresses that challenge by systematically detecting issues at the system level, allowing IT professionals and MSPs to fix vulnerabilities before they result in security incidents.

Description

The script queries the Windows Security Center for antivirus and firewall status, verifying if these protections are active and up to date. If an issue is detected—for example, an out-of-date antivirus or a disabled firewall—it sets a flag that triggers a non-zero exit code, ideal for generating alerts in Level. This output can then prompt a remediation workflow to re-enable or update these critical security products. By offering a simple “all-clear” or “problem-found” exit state, the script seamlessly integrates with your broader security monitoring strategy.

Script

<#
This resource is provided as a convenience for Level users. We cannot
guarantee it will work in all environments. Please test before deploying
to your production environment. We welcome contributions to our community
library

Level Library
https://level.io/library/script-windows-security-center
#>

# Initialize a variable to track the overall security health
$securityHealthOk = $true

# Decode the Security Center productState bitfield. Rendered as six hex digits
# (e.g. 397568 -> "061100"), characters 2-3 report whether real-time protection
# is enabled ("10" or "11") and characters 4-5 whether definitions are current
# ("00" current, "10" out of date). Firewall products only use the enabled field.
# Comparing the raw decimal value against a single code such as 262144 is
# unreliable: 262144 (0x040000) actually means disabled, and a healthy
# Defender installation commonly reports 397568 (0x061100).
function ConvertFrom-ProductState {
    param([uint32]$State)
    $hex = '{0:x6}' -f $State
    [pscustomobject]@{
        Hex      = $hex
        Enabled  = ($hex.Substring(2, 2) -in @('10', '11'))
        UpToDate = ($hex.Substring(4, 2) -eq '00')
    }
}

# Function to check the security health status from the Security Center
function Check-SecurityHealth {
    try {
        # Check Antivirus status. -ErrorAction Stop makes a failed query (for
        # example on Windows Server, which has no ROOT\SecurityCenter2 namespace)
        # land in the catch block instead of being reported as "no product".
        $antivirusProducts = Get-CimInstance -Namespace "ROOT\SecurityCenter2" -ClassName "AntiVirusProduct" -ErrorAction Stop
        if ($antivirusProducts) {
            foreach ($product in $antivirusProducts) {
                $state = ConvertFrom-ProductState $product.productState
                Write-Host "Antivirus Name: $($product.displayName) (productState 0x$($state.Hex))"
                # Every registered product is evaluated, so a dormant built-in
                # Defender entry beside an active third-party AV is also flagged;
                # relax this if that situation is expected in your fleet.
                if ($state.Enabled -and $state.UpToDate) {
                    Write-Host "Antivirus Status: Enabled and up to date"
                }
                else {
                    Write-Host "Antivirus Status: Disabled or out of date"
                    $global:securityHealthOk = $false
                }
            }
        }
        else {
            Write-Host "No Antivirus product detected."
            $global:securityHealthOk = $false
        }

        # Check Firewall status
        $firewallProducts = Get-CimInstance -Namespace "ROOT\SecurityCenter2" -ClassName "FirewallProduct" -ErrorAction Stop
        if ($firewallProducts) {
            foreach ($product in $firewallProducts) {
                $state = ConvertFrom-ProductState $product.productState
                Write-Host "Firewall Name: $($product.displayName) (productState 0x$($state.Hex))"
                if ($state.Enabled) {
                    Write-Host "Firewall Status: Enabled"
                }
                else {
                    Write-Host "Firewall Status: Disabled"
                    $global:securityHealthOk = $false
                }
            }
        }
        else {
            Write-Host "No Firewall product detected."
            $global:securityHealthOk = $false
        }

        # Check for other security products as needed...

    }
    catch {
        # Include the error text so the Level alert shows why the query failed
        Write-Host "An error occurred querying the Security Center: $($_.Exception.Message)"
        $global:securityHealthOk = $false
    }
}

# Execute the security health check
Check-SecurityHealth

# Determine script exit based on overall security health
if ($securityHealthOk) {
    Write-Host "SUCCESS: All security features are active and in good standing."
    exit 0
}
else {
    Write-Host "ERROR: One or more security features are disabled or in a bad state."
    exit 1
}

Use Cases

  • Ensuring antivirus and firewall remain consistently enabled
  • Automating security checks on remote endpoints
  • Triggering an alert or remediation workflow in Level if a vulnerability is detected
  • Periodically auditing security status to uphold compliance

Recommendations

  • Configure a script-based monitor in Level to run this script regularly, ensuring prompt detection of any disabled or outdated security features
  • Pair with an automation remediation workflow that attempts to re-enable antivirus or firewall if issues are discovered
  • Test in a non-production environment to ensure the checks align with your antivirus product’s specific productState values
  • Adjust productState checks in the script for any custom antivirus or firewall product that might report different codes

FAQ

  • What if my antivirus or firewall uses different productState codes?
    You can modify the matching logic in the script to account for the codes used by your specific security product.
  • Does this script require elevated privileges?
    It does not require manual elevation because scripts run via Level are executed with the necessary System-level privileges on Windows.
  • Can I extend this script to check additional security products like anti-malware or intrusion detection systems?
    Absolutely. Simply expand the logic to query more WMI classes or additional productState values within the script.
  • How do I respond if the script exits with a non-zero code?
    Level can automatically trigger alerts, send notifications, or run follow-up actions (e.g., re-enabling the firewall) when the script returns an error code.
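An added example, not part of the Level script, that serves the first and third FAQ items and the productState recommendations above: it inventories every product class in Security Center, shows each product's decoded state, and passes only when at least one enabled, current antivirus and one enabled firewall are present, so a dormant Defender entry beside an active third-party product does not by itself raise an alert. The function names are my own; the AntiSpywareProduct class and the timestamp field are assumed to be present as on current Windows 10/11 clients.

```powershell
# Decode the six-hex-digit productState: chars 2-3 = real-time protection,
# chars 4-5 = definition freshness (assumed layout, as documented in the script above).
function ConvertFrom-ProductState {
    param([uint32]$State)
    $hex = '{0:x6}' -f $State                            # e.g. 397568 -> "061100"
    [pscustomobject]@{
        Hex      = $hex
        Enabled  = ($hex.Substring(2, 2) -in @('10', '11'))   # protection on
        UpToDate = ($hex.Substring(4, 2) -eq '00')            # definitions current
    }
}

# Enumerate every product Security Center knows about, one row per product.
function Get-SecurityCenterInventory {
    # AntiSpywareProduct is included to show how an additional class is added.
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        $items = Get-CimInstance -Namespace 'ROOT\SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            $state = ConvertFrom-ProductState $item.productState
            [pscustomobject]@{
                Class     = $class
                Name      = $item.displayName
                State     = "0x$($state.Hex)"
                Enabled   = $state.Enabled
                UpToDate  = $state.UpToDate
                Timestamp = $item.timestamp   # last update reported by the product (assumed field)
            }
        }
    }
}

$inventory = Get-SecurityCenterInventory
# Print the table so an admin can compare codes against the product's own UI
$inventory | Format-Table -AutoSize

# Fleet-friendly verdict: at least one healthy AV and one enabled firewall.
$avOk = @($inventory | Where-Object { $_.Class -eq 'AntiVirusProduct' -and $_.Enabled -and $_.UpToDate }).Count -ge 1
$fwOk = @($inventory | Where-Object { $_.Class -eq 'FirewallProduct' -and $_.Enabled }).Count -ge 1

if ($avOk -and $fwOk) {
    Write-Host 'SUCCESS: an active, up-to-date antivirus and an enabled firewall were found.'
    exit 0
}
Write-Host "ERROR: antivirus healthy=$avOk, firewall enabled=$fwOk"
exit 1
```

Run it once on a representative endpoint before enabling the monitor; the State column is the hex value to compare against any vendor-specific codes you need to add.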

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Windows - Security Center

Description

This script checks the overall security health of a system by querying Windows Security Center for the status of antivirus and firewall products. It evaluates their states, outputs the results, and sets a global variable to indicate if any security features are disabled or out-of-date. The script exits with a success or error status based on the health of the system's security configuration.

Language

PowerShell

Timeout (In Seconds)

100

Run As

Local system
