PSP (personal security products): where to look
*Nix
SELinux
See if it's running: sestatus || getenforce
Config (mode and policy type): cat /etc/selinux/config
Loaded policy and version: sestatus
Other checks: /etc/selinux and /usr/bin
Find SELinux files: find / -name '*selinux*' 2>/dev/null
Log files: grep -iE 'avc|selinux' /var/log/audit/audit.log
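An added example, not part of the original notes: a POSIX sh check that compares the mode written in /etc/selinux/config with what getenforce reports, so a host configured enforcing but currently permissive (or the reverse) stands out. The function names and the sample config file are assumptions; on a live host the check takes /etc/selinux/config and "$(getenforce)".

```shell
#!/bin/sh
# Added example, not from the original notes: compare the SELinux mode set in
# /etc/selinux/config with the mode actually in force (getenforce output).
# Function names and the sample config below are assumptions made here.

# Print the SELINUX= value from a config file, ignoring comments and SELINUXTYPE=.
selinux_configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Normalise getenforce output ("Enforcing" -> "enforcing"); taken as an argument
# so the check can also be run offline against captured output.
selinux_runtime_mode() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Compare configured and running modes. Exit status: 0 = agree, 1 = drift
# (e.g. configured enforcing but running permissive), 2 = no SELINUX= line.
selinux_mode_check() {
    cfg=$(selinux_configured_mode "$1")
    run=$(selinux_runtime_mode "$2")
    if [ -z "$cfg" ]; then
        echo "no SELINUX= line in $1"
        return 2
    fi
    if [ "$cfg" = "$run" ]; then
        echo "OK: configured=$cfg running=$run"
        return 0
    fi
    echo "DRIFT: configured=$cfg running=$run (pending reboot, or changed at runtime)"
    return 1
}

# Constructed sample in the /etc/selinux/config format (not from a real host).
sample_selinux_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# This file controls the state of SELinux on the system.
#SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    printf '%s\n' "$f"
}

# Demo run. Live use: selinux_mode_check /etc/selinux/config "$(getenforce)"
SAMPLE=$(sample_selinux_config)
selinux_mode_check "$SAMPLE" "Permissive" || true   # '|| true' keeps set -e scripts alive
rm -f "$SAMPLE"
```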
ClamAV
ClamAV version: clamscan -V
RKhunter (rootkit hunter)
System check: rkhunter --check
Location: /usr/local/bin (or: command -v rkhunter)
Sophos
ls -lisah /opt | grep -i sophos
cat /opt/sophos-av/bin/savconfig
Windows
Find Security Products
PowerShell: Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
Antivirus info: dir /s C:\*SecurityProductInformation.ini
Find antivirus logs: dir /s C:\*Logs | findstr /i antivirus
Installed Software
reg query hklm\software
reg query hklm\software\wow6432node
dir "C:\Program Files"
dir "C:\Program Files (x86)"
dir "C:\"
dir /a:h "C:\"
dir "C:\Program Files\Common Files"
wmic product get Description, InstallDate, Name, Vendor, Version (slow; triggers a Windows Installer consistency check of every listed package)
Windows Defender
reg query "hklm\software\Microsoft\Windows Defender"
reg query "hklm\system\currentcontrolset\services\windefend"
dir "C:\Program Files\Windows Defender"
dir "C:\ProgramData\Microsoft\Windows Defender\Support"
type "C:\ProgramData\Microsoft\Windows Defender\Support\*.log"
wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /rd:false /c:25 /f:text
Kaspersky
wevtutil qe "Kaspersky Event Log" /rd:false /c:25 /f:text
McAfee
dir "C:\ProgramData\Mcafee\Managed VirusScan\Logs"
reg query hklm\software\McAfee
Symantec Endpoint Protection
reg query "hklm\software\Symantec\Symantec Endpoint Protection\AV"
reg query "hklm\software\Symantec\Symantec Endpoint Protection\CurrentVersion\Public-Opstate"
reg query "hklm\software\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\OpState"
Norton / Symantec (Altiris agent)
dir "C:\Users\Public\Documents\Altiris"
dir "C:\Program Files\Altiris\Notification Server\Logs"
dir "C:\ProgramData\Symantec\SMP\Logs"
dir "C:\Program Files\Altiris\Altiris Agent\Logs"
dir "C:\Users\Public\Documents\Altiris\Altiris Agent\Logs"
dir "C:\ProgramData\Symantec\Symantec Agent\Logs"
reg query hklm\software\Symantec
Other
wevtutil qe "COMODO Internet Security CEF" /rd:false /c:25 /f:text
reg query hklm\software\wow6432node\Comodo
Evidence of something that ran earlier but is no longer running
reg query "hkcu\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /S
reg query "hkcu\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /S
reg query "hkcu\Software\Microsoft\Windows\ShellNoRoam\MUICache" /S
reg query "hkcu\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /S (MUICache location on Vista and later)
dir /o:d /t:W c:\windows\prefetch