Forum Discussion

michaelmcdonald's avatar
michaelmcdonald
Copper Contributor
Jun 22, 2020

Product still listed as enabled in Antivirusproduct class even though uninstalled 5 days ago

 

I uninstalled F-Secure 5 days ago and have restarted/powered down this device several times since. It seems that either the data returned by this query is outdated (and a refresh/reload may solve the issue, if at all possible) or that Windows truly believes the F-Secure product is still installed and enabled.

 

 

Function ConvertTo-NPHex
{
    Param([int]$Number)"0x{0:x}" -f $Number
}

$Products = @();
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName Antivirusproduct -ErrorAction Stop | ForEach-Object{

    $hex = ConvertTo-NPHex $_.ProductState; 
    $mid = $hex.Substring(3,2);
    $end = $hex.Substring(5);

    $Products += [ordered]@{
        DisplayName = $_.DisplayName;
        Enabled = $( 
            If( $mid -match "00|01" ){ 
                $False 
            }Else{ 
                $True 
            } 
        );
        UpToDate = $( 
            If($end -eq "00"){ 
                $True 
            }Else{ 
                $False 
            } 
        );
        Updated = $( (Get-Date -Date $_.Timestamp).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ") )
    }

};
Return $Products | ConvertTo-Json;

 

 

Output from snippet above:

 

[
    {
        "DisplayName":  "F-Secure SAFE",
        "ProductState":  270336,
        "Enabled":  true,
        "UpToDate":  true,
        "Updated":  "2020-06-17T08:09:16Z"
    },
    {
        "DisplayName":  "Windows Defender",
        "ProductState":  393472,
        "Enabled":  false,
        "UpToDate":  true,
        "Updated":  "2020-06-17T07:59:53Z"
    },
    {
        "DisplayName":  "ESET Security",
        "ProductState":  266240,
        "Enabled":  true,
        "UpToDate":  true,
        "Updated":  "2020-06-22T12:28:56Z"
    }
]

 

 

I am absolutely certain that F-Secure is not installed. Not only did I remove it manually, but it's also not visible in the Security Center UI, not under installed programs and not detected by a PowerShell script that looks through the registry for installed programs. This device is also not listed in my F-Secure web administration console, so I know it's uninstalled.

 

Expected situation:

  1. F-Secure isn't listed at all (it's not installed)
  2. Windows Defender is listed and not enabled
  3. ESET is listed and enabled

Questions:

  1. Is it possible to 'force' a refresh of this class?
  2. Is it known when this class is 'organically' updated?
  3. Any tacit knowledge as to why the product is still in the response?

 

antivirus
antivirusProduct
SecurityCenter2

Resources