Product still listed as enabled in Antivirusproduct class even though uninstalled 5 days ago

I uninstalled F-Secure 5 days ago and have restarted/powered down this device several times since. It seems that either the data returned by this query is outdated (and a refresh/reload may solve the issue, if at all possible) or that Windows truly believes the F-Secure product is still installed and enabled.

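# Format an integer as a lowercase hex string, e.g. 266240 -> 0x41000
Function ConvertTo-NPHex
{
    Param([int]$Number)
    "0x{0:x}" -f $Number
}

$Products = @();
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName Antivirusproduct -ErrorAction Stop | ForEach-Object{

    # ProductState is a packed integer. For a five-digit hex value such as 0x41000,
    # $mid is the digit pair read below as the enabled flag and $end the pair read as up to date.
    $hex = ConvertTo-NPHex $_.ProductState; 
    $mid = $hex.Substring(3,2);
    $end = $hex.Substring(5);

    $Products += [ordered]@{
        DisplayName = $_.DisplayName;
        # Raw value, included so the output matches the listing shown below
        ProductState = $_.ProductState;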
        Enabled = $( 
            If( $mid -match "00|01" ){ 
                $False 
            }Else{ 
                $True 
            } 
        );
        UpToDate = $( 
            If($end -eq "00"){ 
                $True 
            }Else{ 
                $False 
            } 
        );
        Updated = $( (Get-Date -Date $_.Timestamp).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ") )
    }

};
Return $Products | ConvertTo-Json;

Output from snippet above:

[
    {
        "DisplayName":  "F-Secure SAFE",
        "ProductState":  270336,
        "Enabled":  true,
        "UpToDate":  true,
        "Updated":  "2020-06-17T08:09:16Z"
    },
    {
        "DisplayName":  "Windows Defender",
        "ProductState":  393472,
        "Enabled":  false,
        "UpToDate":  true,
        "Updated":  "2020-06-17T07:59:53Z"
    },
    {
        "DisplayName":  "ESET Security",
        "ProductState":  266240,
        "Enabled":  true,
        "UpToDate":  true,
        "Updated":  "2020-06-22T12:28:56Z"
    }
]

I am absolutely certain that F-Secure is not installed. Not only did I remove it manually, but it's also not visible in the Security Center UI, not under installed programs and not detected by a PowerShell script that looks through the registry for installed programs. This device is also not listed in my F-Secure web administration console, so I know it's uninstalled.

Expected situation:

  1. F-Secure isn't listed at all (it's not installed)
  2. Windows Defender is listed and not enabled
  3. ESET is listed and enabled

Questions:

  1. Is it possible to 'force' a refresh of this class?
  2. Is it known when this class is 'organically' updated?
  3. Any tacit knowledge as to why the product is still in the response?

1 Reply

@michaelmcdonald Any news about this issue? I think I have the same with KES.
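
An added example, not part of the original post or the reply: one way to check whether a SecurityCenter2 registration like the F-Secure entry above still points at a product on disk. It decodes ProductState the same way the post's script does (padded to six hex digits) and tests the class's pathToSignedProductExe property. It does not refresh the class. The function name and the sample paths are constructed for illustration.

```powershell
# Added example: report AntivirusProduct registrations whose executable is missing.
function Get-AvRegistrationCheck {
    param(
        # Instances to inspect; when omitted, the live class from the post is queried.
        [object[]]$Product = (Get-CimInstance -Namespace root/SecurityCenter2 `
                                -ClassName AntivirusProduct -ErrorAction Stop)
    )
    foreach ($p in $Product) {
        # Pad to six hex digits so the fixed slices work for any value.
        $hex  = '{0:x6}' -f [int]$p.productState
        $path = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)
        # Some entries (Windows Defender, for one) register a URI, not a file path.
        $isFile = $path -and ($path -notmatch '^[a-z][a-z0-9+.-]*://')
        [pscustomobject]@{
            DisplayName  = $p.displayName
            InstanceGuid = $p.instanceGuid
            ProductState = '0x' + $hex
            # Same interpretation as the post's script: 00 or 01 means not enabled.
            Enabled      = $hex.Substring(2, 2) -notmatch '^(00|01)$'
            UpToDate     = $hex.Substring(4, 2) -eq '00'
            ExePath      = $path
            # $null when the entry is a URI and cannot be tested as a file.
            ExeOnDisk    = if ($isFile) { Test-Path -LiteralPath $path -PathType Leaf } else { $null }
        }
    }
}

# Constructed sample input: ProductState values are from the post, paths and GUIDs are placeholders.
$sample = @(
    [pscustomobject]@{ displayName = 'F-Secure SAFE'; productState = 270336
                       instanceGuid = '{PLACEHOLDER-GUID-1}'
                       pathToSignedProductExe = 'C:\Placeholder\Removed-AV\av.exe' }
    [pscustomobject]@{ displayName = 'Windows Defender'; productState = 393472
                       instanceGuid = '{PLACEHOLDER-GUID-2}'
                       pathToSignedProductExe = 'windowsdefender://' }
    [pscustomobject]@{ displayName = 'ESET Security'; productState = 266240
                       instanceGuid = '{PLACEHOLDER-GUID-3}'
                       pathToSignedProductExe = "$env:SystemRoot\System32\cmd.exe" } # stands in for an installed product
)

# Offline run over the sample; call Get-AvRegistrationCheck with no arguments for the live class.
Get-AvRegistrationCheck -Product $sample |
    Format-Table DisplayName, ProductState, Enabled, UpToDate, ExeOnDisk -AutoSize
```

An entry with ExeOnDisk reported as False is a candidate for a leftover registration and is worth reporting to the vendor along with its InstanceGuid.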