PSP (Personal Security Products) enumeration

*Nix

SELinux

See if it's enforcing: sestatus || getenforce (prints Enforcing, Permissive or Disabled)

Config: cat /etc/selinux/config (SELINUX= mode and SELINUXTYPE= policy)

Version: sestatus (loaded policy name and max kernel policy version) or cat /sys/fs/selinux/policyvers

Other checks: /etc/selinux (policy store) and the SELinux tools in /usr/sbin and /usr/bin (getenforce, setenforce, semanage, semodule)

Find SELinux files: find / -name '*selinux*' 2>/dev/null (quote the glob, otherwise the shell may expand it against the current directory before find runs)

Log files: denials are recorded as type=AVC in the audit log: grep 'type=AVC' /var/log/audit/audit.log, or ausearch -m avc

ClamAV

ClamAV version: clamscan -V (a version alone does not mean on-access scanning is active; check for a running daemon with ps -ef | grep -i clam)

rkhunter (Rootkit Hunter)

System check: rkhunter --check (results go to /var/log/rkhunter.log by default; config in /etc/rkhunter.conf)

Location: /usr/bin/rkhunter for distro packages, /usr/local/bin/rkhunter for source installs (which rkhunter)

Sophos

ls -lisah /opt | grep -i sophos

Status and version: /opt/sophos-av/bin/savdstatus --version

Config: /opt/sophos-av/bin/savconfig is a configuration query tool (get/query subcommands print the live configuration, exclusions included), so run it rather than cat it

Windows

Find Security Products

PowerShell: Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct (Get-WmiObject works too; the same namespace also has AntiSpywareProduct and FirewallProduct). Caveat: root\SecurityCenter2 exists only on workstation SKUs, not Windows Server, and productState is a bitfield rather than an enabled/disabled boolean.

Antivirus Info dir /s C:\*SecurityProductInformation.ini

Find Antivirus Logs dir /s c:\*Logs | findstr -i antivirus
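The SecurityCenter2 query above returns a numeric productState that is easy to misread. The following is an added example, not code from the original page: it enumerates all three product classes and decodes the state using the widely used community interpretation of the bitfield (0x1000 set = product enabled, 0x10 set = signatures out of date), which is an assumption rather than a documented Microsoft contract. It assumes the namespace exists (workstation SKU) and degrades to an empty result otherwise.

```powershell
# Added example (not from the original page): enumerate products registered with
# Windows Security Center and decode their productState bitfield.
# Assumption: root\SecurityCenter2 only exists on workstation SKUs; on Windows Server
# the query throws and that class is skipped.
function Get-SecurityCenterProducts {
    [CmdletBinding()]
    param()

    $classes = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'
    foreach ($class in $classes) {
        try {
            $products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $class -ErrorAction Stop
        } catch {
            Write-Verbose "root\SecurityCenter2\$class not available (Server SKU?): $($_.Exception.Message)"
            continue
        }
        foreach ($p in $products) {
            # productState is usually read as three bytes 0xAABBCC:
            #   BB = 0x10 or 0x11 -> product enabled (real-time protection on)
            #   CC = 0x10         -> signatures out of date
            # Assumption: community-derived decoding, not documented by Microsoft.
            $state = [int]$p.productState
            [pscustomobject]@{
                Class       = $class
                Name        = $p.displayName
                Enabled     = (($state -band 0x1000) -ne 0)
                Outdated    = (($state -band 0x10) -ne 0)
                StateHex    = ('0x{0:X6}' -f $state)
                ProductExe  = $p.pathToSignedProductExe
                ReportingExe = $p.pathToSignedReportingExe
            }
        }
    }
}

Get-SecurityCenterProducts | Format-Table -AutoSize
```

Typical output on a box where a third-party AV is installed shows Windows Defender with a state such as 0x060100 (Enabled = False, because Defender steps aside) next to the third-party product at 0x061100 (Enabled = True). The ProductExe path tells you which binary on disk to go look at next.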

Installed Software

reg query hklm\software

reg query hklm\software\wow6432node

dir "C:\Program Files"

dir "C:\Program Files (x86)"

dir "C:\"

dir /a:h "C:\" (hidden entries only)

dir "C:\Program Files\Common Files"

wmic product get Description, InstallDate, Name, Vendor, Version (slow and noisy: it enumerates through the MSI installer and can trigger a consistency check/repair of every MSI package, and wmic itself is deprecated; the Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and the WOW6432Node equivalent list the same software without side effects)
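Because of the wmic product side effect noted above, the practical way to inventory software is the Uninstall registry keys. The following is an added example, not from the original page: it reads the 64-bit, WOW6432Node and per-user Uninstall keys and flags entries whose name or publisher matches a list of security vendors. That vendor list is an illustrative assumption, not an exhaustive catalogue.

```powershell
# Added example (not from the original page): inventory installed software from the
# Uninstall keys of both registry views plus HKCU, and flag likely security products.
# Assumption: the vendor keyword list below is illustrative and far from complete.
function Get-InstalledSoftware {
    param(
        [string[]]$VendorPattern = @('Defender', 'Symantec', 'McAfee', 'Sophos', 'Kaspersky',
                                     'CrowdStrike', 'SentinelOne', 'Carbon Black', 'Cylance',
                                     'Trend Micro', 'ESET', 'Comodo', 'Altiris')
    )
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    # Build one case-insensitive alternation from the vendor keywords.
    $regex = ($VendorPattern | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $v = Get-ItemProperty $_.PSPath
            if (-not $v.DisplayName) { return }   # skip keys with no display name (patches, leftovers)
            [pscustomobject]@{
                Name        = $v.DisplayName
                Version     = $v.DisplayVersion
                Publisher   = $v.Publisher
                InstallDate = $v.InstallDate
                Hive        = $root.Split(':')[0]
                Wow64       = ($root -like '*WOW6432Node*')
                Security    = (("$($v.DisplayName) $($v.Publisher)") -match $regex)
                Key         = $_.PSChildName
            }
        }
    }
}

# Usage: security-related entries first, then everything else alphabetically.
Get-InstalledSoftware |
    Sort-Object -Property @{ Expression = 'Security'; Descending = $true }, Name |
    Format-Table Name, Version, Publisher, Security, Wow64 -AutoSize
```

Nothing here touches the MSI installer, so it is safe to run on a production host, and the Key column gives you the GUID or product name to feed back into reg query for details such as InstallLocation.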

Windows Defender

reg query "hklm\software\Microsoft\Windows Defender"

reg query "hklm\system\currentcontrolset\services\windefend"

dir "C:\Program Files\Windows Defender"

dir "C:\ProgramData\Microsoft\Windows Defender\Support" (MPLog-*.log holds engine/signature update and scan history)

type "C:\ProgramData\Microsoft\Windows Defender\Support\*.log"

wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /rd:false /c:25 /f:text
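Registry keys and MPLog files tell you Defender is present; what a tester actually needs is whether real-time protection, tamper protection and cloud lookups are on, and which paths are excluded. The following is an added example, not from the original page: it uses the Defender PowerShell module (Get-MpComputerStatus and Get-MpPreference) to return that posture as one object and then checks the ACL of each excluded path. It assumes the Defender module is available (Windows 8.1 / Server 2012 R2 or later) and that the caller has rights to see exclusions, which recent builds hide from non-administrators.

```powershell
# Added example (not from the original page): summarize the Defender posture that
# matters to a tester. Assumes the Defender PowerShell module is present.
function Get-DefenderPosture {
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        throw 'Defender PowerShell module not present (older OS, or Defender removed).'
    }
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # ASR rules arrive as two parallel arrays: rule GUIDs and their actions
    # (0 = disabled, 1 = block, 2 = audit, 6 = warn).
    $asr = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $asr[$pref.AttackSurfaceReductionRules_Ids[$i]] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }

    [pscustomobject]@{
        AntivirusEnabled    = $status.AntivirusEnabled
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        BehaviorMonitoring  = $status.BehaviorMonitorEnabled
        TamperProtection    = $status.IsTamperProtected
        EngineVersion       = $status.AMEngineVersion
        SignatureVersion    = $status.AntivirusSignatureVersion
        SignatureAgeDays    = $status.AntivirusSignatureAge
        CloudProtection     = $pref.MAPSReporting        # 0 = off, 1 = basic, 2 = advanced
        SampleSubmission    = $pref.SubmitSamplesConsent
        PUAProtection       = $pref.PUAProtection
        ExclusionPaths      = @($pref.ExclusionPath)
        ExclusionExtensions = @($pref.ExclusionExtension)
        ExclusionProcesses  = @($pref.ExclusionProcess)
        AsrRulesBlocking    = @($asr.GetEnumerator() | Where-Object { $_.Value -eq 1 } | ForEach-Object { $_.Key })
    }
}

$posture = Get-DefenderPosture
$posture | Format-List

# Exclusions are the actionable part: an excluded directory the current user can
# write to is a place where staged tooling is never scanned.
$posture.ExclusionPaths | Where-Object { $_ -and (Test-Path $_) } | ForEach-Object {
    "{0}`n{1}" -f $_, (Get-Acl $_).AccessToString
}
```

An empty ExclusionPaths does not prove there are none: on current builds a non-admin session gets the exclusion lists blanked, so rerun from an elevated prompt before concluding anything.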

Kaspersky

wevtutil qe "Kaspersky Event Log" /rd:false /c:25 /f:text

McAfee

dir "C:\ProgramData\McAfee\Managed VirusScan\Logs"

reg query hklm\software\McAfee

Symantec Endpoint Protection

reg query "hklm\software\Symantec\Symantec Endpoint Protection\AV"

reg query "hklm\software\Symantec\Symantec Endpoint Protection\CurrentVersion\Public-Opstate"

reg query "hklm\software\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\OpState"

Symantec Management Platform / Altiris (Symantec Management Agent)

dir "C:\Users\Public\Documents\Altiris" (the folder is Documents on disk; "Public Documents" is only the Explorer display name)

dir "C:\Program Files\Altiris\Notification Server\Logs"

dir "C:\ProgramData\Symantec\SMP\Logs"

dir "C:\Program Files\Altiris\Altiris Agent\Logs"

dir "C:\Users\Public\Documents\Altiris\Altiris Agent\Logs"

dir "C:\ProgramData\Symantec\Symantec Agent\Logs"

reg query hklm\software\Symantec

Other

wevtutil qe "COMODO Internet Security CEF" /rd:false /c:25 /f:text

reg query hklm\software\wow6432node\Comodo

Evidence of execution (something ran earlier but is not running now)

reg query "hkcu\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /s

reg query "hkcu\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /s (value names are the full paths of executables the Program Compatibility Assistant has seen run)

reg query "hkcu\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /s (Vista and later; hkcu\Software\Microsoft\Windows\ShellNoRoam\MUICache is the XP-era location)

dir /o:d /t:w c:\windows\prefetch (needs admin rights; names are PROGRAM.EXE-<hash>.pf and the write time is the last run)
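The three artefacts above are read the same way: value names or file names carry the program path, and only Prefetch carries a timestamp. The following is an added example, not from the original page: it pulls all three into one list so the output can be sorted by last-seen time. It assumes the Prefetch directory is readable (admin rights, and prefetching not disabled) and falls back to the registry sources, which the current user can always read.

```powershell
# Added example (not from the original page): collect evidence of past execution from
# Prefetch, the Program Compatibility Assistant keys and MUICache into one list.
# Assumption: Prefetch needs admin rights and may be disabled on some VMs; the
# registry sources are readable as the current user.
function Get-ExecutionEvidence {
    $results = New-Object System.Collections.Generic.List[object]

    # 1. Prefetch: NAME.EXE-<8 hex>.pf; LastWriteTime approximates the last run.
    #    (Parsing the .pf body for the full run history is out of scope here.)
    $pf = Join-Path $env:SystemRoot 'Prefetch'
    try {
        Get-ChildItem -Path $pf -Filter '*.pf' -ErrorAction Stop | ForEach-Object {
            if ($_.Name -match '^(?<exe>.+)-(?<hash>[0-9A-F]{8})\.pf$') {
                $results.Add([pscustomobject]@{
                    Source   = 'Prefetch'
                    Program  = $Matches.exe
                    Detail   = "hash $($Matches.hash)"
                    LastSeen = $_.LastWriteTime
                })
            }
        }
    } catch { Write-Warning "Prefetch unreadable (need admin?): $($_.Exception.Message)" }

    # 2. Program Compatibility Assistant: value names are full executable paths.
    $pcaRoot = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant'
    foreach ($sub in 'Store', 'Persisted') {
        $key = "$pcaRoot\$sub"
        if (-not (Test-Path $key)) { continue }
        (Get-Item $key).GetValueNames() | Where-Object { $_ } | ForEach-Object {
            $results.Add([pscustomobject]@{ Source = "PCA\$sub"; Program = $_; Detail = ''; LastSeen = $null })
        }
    }

    # 3. MUICache: value names are "<path>.FriendlyAppName" / "<path>.ApplicationCompany";
    #    the value data is the friendly name or company string from the binary's resources.
    $muiKeys = @(
        'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache',   # Vista+
        'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'                              # XP-era
    )
    foreach ($key in $muiKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -match '^(?<path>.+)\.(FriendlyAppName|ApplicationCompany)$') {
                $results.Add([pscustomobject]@{
                    Source   = 'MUICache'
                    Program  = $Matches.path
                    Detail   = $item.GetValue($name)
                    LastSeen = $null
                })
            }
        }
    }
    $results
}

Get-ExecutionEvidence | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

Entries with a LastSeen of null come from the registry sources, which record that a program ran at some point but not when; cross-reference them against Prefetch, or against the Defender and vendor event logs listed above, to put a time on them.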