views: 214
answers: 4
When anti-virus software is running during the installation of my software, certain components do not get installed correctly. I always tell the users to turn it OFF first. But they forget, and then I am racking my brains trying to figure out what went wrong. Is there a Delphi function that anyone knows about that can detect whether anti-virus software is running, so I can alert the user before installation starts?

+4  A: 

Since XP SP2, there is the Security Center that registers if there is a known antivirus.

AFAIK this works over the WMI API, which can be accessed via the Win32 API (and JEDI has headers for it).

I've found some VBScript here: http://blogs.msdn.com/b/alejacma/archive/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript.aspx

Another tip: try to communicate to your users in any way possible to turn off heuristic scans as much as possible. These are typically the cause of false positives, and it can be an easier message to bring than killing the antivirus altogether.

Marco van de Voort
Make sure you read the comments, because that exact piece of code won't work as of Vista SP1 - they removed the namespace you need.
Michael Madsen
There are alternatives in the comments too. None of them is pretty, but this whole situation isn't. (As I already said, installed and "on" are also different things.)
Marco van de Voort
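The Security Center query from this answer, as an added Delphi example (not code from the answer or from the linked VBScript). It assumes the root\SecurityCenter2 namespace of Vista SP1 and later, since the comments note that the original namespace was removed; XP SP2's root\SecurityCenter has the same class but no productState property, and Windows Server editions have no Security Center namespace at all, which surfaces as an EOleException from ConnectServer.

```delphi
program AvCheck;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils, Classes, ActiveX, ComObj, Variants;

// Queries Security Center over WMI (late-bound COM) and returns one line per
// registered antivirus product. productState exists only in root\SecurityCenter2
// (Vista SP1+); XP's root\SecurityCenter exposes onAccessScanningEnabled instead.
function RegisteredAntivirusProducts(const Namespace: string): TStringList;
var
  Locator, Services, Products, Product: OleVariant;
  Enum: IEnumVariant;
  Fetched: LongWord;
begin
  Result := TStringList.Create;
  try
    Locator := CreateOleObject('WbemScripting.SWbemLocator');
    Services := Locator.ConnectServer('.', Namespace);  // EOleException if the namespace is missing
    Products := Services.ExecQuery('SELECT displayName, productState FROM AntiVirusProduct');
    Enum := IUnknown(Products._NewEnum) as IEnumVariant;
    while Enum.Next(1, Product, Fetched) = S_OK do
    begin
      // productState is reported raw; "registered" is not the same as "enabled"
      Result.Add(Format('%s (productState=$%.6x)',
        [string(Product.displayName), Integer(Product.productState)]));
      Product := Unassigned;
    end;
  except
    Result.Free;
    raise;
  end;
end;

var List: TStringList; I: Integer;
begin
  CoInitialize(nil);  // required outside a VCL application
  try
    List := RegisteredAntivirusProducts('root\SecurityCenter2');
    try
      if List.Count = 0 then
        Writeln('No antivirus product is registered with Security Center');
      for I := 0 to List.Count - 1 do
        Writeln('Registered: ', List[I]);
    finally
      List.Free;
    end;
  finally
    CoUninitialize;
  end;
end.
```

Treat an empty result as "nothing registered", not as "no antivirus present": a vendor that does not register with Security Center is invisible to this query.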
+1  A: 

We've had success by checking the running processes for any process that we've determined beforehand is an AV program. (You can enumerate a list of processes using some simple code that you can find by googling something like "List Running Processes Delphi".)

If we find one, we tell the user and refuse to continue...

To build our list of processes that we know are AV, we install trial versions of the AV programs and then look at the list of processes (either in Task Manager, or using our enumerate-processes code). It's not too hard to spot them... and you can shut the AV programs down and see if the processes you identify go away. (Process Explorer is helpful: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)

For example, some of the processes we currently look for include MCShield (McAfee), NPROTECT (Norton), PCCNTMON (Trend Micro), etc.

Obviously this won't catch ALL AV programs, but if you do the above with the major vendors (Norton, McAfee, Trend Micro, ZA, etc.) you'll have a large percentage of the AV programs in the field covered.

One thing that is nice about this is that it's easy to implement and doesn't require any really low-level Windows API calls, except to enumerate the currently running processes...

Robert Frank
Pretty darn fragile - you'd be better off *always* showing a splash screen (that *doesn't* look like a EULA or whatever) telling the users that running antivirus software could be problematic during install.
snemarch
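The process-name check from this answer, as an added Delphi example (not the answerer's own code). The name list is constructed from the three names given in the answer; as the follow-up comments point out, vendors rename and add processes between versions, so a miss proves nothing and the check is only a hint to show the user.

```delphi
program AvProcessCheck;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils, Classes, TlHelp32;

// Names taken from the answer above (constructed list); vendors change them often.
const
  KnownAvProcesses: array[0..2] of string = ('MCShield', 'NPROTECT', 'PCCNTMON');

// Walks a Toolhelp snapshot of all running processes and returns each
// executable whose base name (without .exe) matches a known AV name.
function FindKnownAvProcesses(const Known: array of string): TStringList;
var
  Snap: THandle;
  Entry: TProcessEntry32;
  BaseName: string;
  I: Integer;
begin
  Result := TStringList.Create;
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if Snap = INVALID_HANDLE_VALUE then
  begin
    Result.Free;
    RaiseLastOSError;
  end;
  try
    Entry.dwSize := SizeOf(Entry);  // must be set before Process32First
    if Process32First(Snap, Entry) then
      repeat
        BaseName := ChangeFileExt(ExtractFileName(string(PChar(@Entry.szExeFile[0]))), '');
        for I := Low(Known) to High(Known) do
          if SameText(BaseName, Known[I]) then  // case-insensitive compare
            Result.Add(Format('%s (PID %d)', [BaseName, Entry.th32ProcessID]));
      until not Process32Next(Snap, Entry);
  finally
    CloseHandle(Snap);
  end;
end;

var Found: TStringList; I: Integer;
begin
  Found := FindKnownAvProcesses(KnownAvProcesses);
  try
    if Found.Count = 0 then
      Writeln('No known antivirus process is running');
    for I := 0 to Found.Count - 1 do
      Writeln('Antivirus process running: ', Found[I]);
  finally
    Found.Free;
  end;
end.
```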
A: 

The most reliable way would be to create a file on the disk containing the EICAR signature. If after creating that file it disappears or is locked for reading, then you can safely assume another process has jumped on that file (i.e. an AV program).

More details about EICAR can be found here http://www.eicar.org/anti_virus_test_file.htm

DaveHogan
What about all the phone calls and emails from customers complaining that every time they run the installer their anti-virus program popped up saying they have a virus on their computer? Doesn't seem like a good solution to me.
Robert Frank
It's a fair point you make, however he already mentioned that he "always tell the users to turn it OFF first", therefore he can gracefully show a message that says something like "I told you to turn it off!". Most AVs also show it as a "dummy" virus. I still stand by that my solution is still the most reliable way to detect the presence of anti-virus software. There are far too many process names which do frequently change (sometimes intentionally). I don't think my solution is ideal and I wouldn't personally release it.
DaveHogan
That's why I went for the MS Security Center solution. There MS and the antivirus vendors maintain the registrations themselves. Of course there is always a chance that some minor vendor doesn't.
Marco van de Voort
Bad, bad idea. First, you can't programmatically do anything reasonable to detect *what* happened wrt. the EICAR signature. Second, even if the antivirus software flags it as "dummy virus" or the like, it's going to be a big, flashy and scary warning to regular end-users.
snemarch
+1  A: 

"certain components do not get installed correctly"

Explain what components you're installing, how you're installing those components, and how their installation is failing, and it will be easier to recommend a solution. Also, are you using an installer product, or your own installation code? If it's your own installer, or if you can automatically run your own code after the installer, you can do your own programmatic check to confirm your install is 100% OK, and if not then report what failed and remind the user to turn off antivirus stuff and retry the install.

joe snyder