WMIGetAVI()	- PRELIMINARY - 

Provides a general purpose UDF to detect various anti-virus products, and 
return key information about the product(s) that are installed. The UDF uses
an external signature file (AVSig.INI) to define the detection process. Each
product defined in the signature file is scanned for, and the results are returned
in an array of arrays.

The UDF does not actually use WMI to detect the AV product, but does use WMI
to determine if the AV service is running. Hence, I allow passing of a pre-
authenticated WMI object pointer, which puts this in the same class as the 
other WMI UDFs (in my library, at least).


Simple use:
===========

  ; gather the data
  $aAVData = WMIGetAVI()

  ; loop through the outer array of products
  For $I = 0 to UBound($aAVData)

    ; display the 4 standard elements
    ' 0: ' If $aAVData[$I][0] 'Installed' Else 'Not Installed' EndIf ?
    ' 1: ' If $aAVData[$I][1] 'Running' Else 'Not Running' EndIf ?
    ' 2: ' $aAVData[$I][2] ?
    ' 3: ' $aAVData[$I][3] ?

    ; loop through any additional elements of the inner array
    For $J = 4 to UBound($aAVData[$I])
      Right('  ' + $J, 2) ': ' $aAVData[$I][$J] ?
    Next
    ?
  Next


Using a WMI pre-authentication object pointer
=============================================

* Obtain the WMIAuthentication UDF from KORG

; Establish an authenticated object pointer
$objWMIAuth = WMIAuthentication('computer', 'user', 'password')

; call WMIGetAVI
$aAVData = WMIGetAVI('computer', $objWMIAuth)


Format of the AVSig.INI file
============================

An AV Product Signature consists of one section in the INI file and two or more values. 
There are two mandatory values - DETECT and NAME, and any number of optional values.
The types of values are described here:

; new section starts with a header
[MY_AV_PRODUCT]
; the INFO value is specifically ignored by the udf, so you can provide key information
; or data used outside of the udf
INFO=author;date;description

; Define the generic product name. The actual product can often be extracted
NAME=My Anti-Virus

; defines how to detect if the product is installed - these items are discussed in detail below.
DETECT=method;path;value;return

; define the service name to validate. Multiple names can be defined, the status of the first one 
; found is returned
SERVICE=svcname[|alt svc name...]

; request additional information - any number of additional values can be defined
; the value name should be descriptive, as it forms the field name of the name/value
; data pair that is returned
Engine Version=method;path;value;return

===================================

Each detection value uses a "method;path;value;return" format, described here.

"method" is one of 
 REG	Perform a Registry Read
 FILEX	Returns a boolean true if the file exists 
 FILEV	Returns the version number of the file
 FILED	Returns the date/time stamp of the file
File access assumes that an authenticated connection has already been made to the
remote computer prior to calling WMIGetAVI.


"path" defines the path to the registry key for REG methods, or the complete path
to the file, including drive letter and filename for any of the FILE methods. The 
drive letter is translated to the appropriate admin share (C: => C$) if a remote
computer is being queried.  

Multiple registry and file paths can be specified by separating them with "|". This
allows for situations where products might be installed on different drives, or when
product names change and you want to detect either the new or old version. When 
multiple paths are specified, the first one that exists AND contains data will be 
returned. It is recommended that paths be searched in a "newest to oldest" sequence.

It is possible to embed the result of one detection value in another detection 
definition. For example, you might define:
Install Path=REG;HKLM\SOFTWARE\MYAVProd;Install Path;Value
which returns the installation path. You might then need to obtain the version or
date value of a file located in the install path. You can embed the Install Path 
result in another query to find the value regardless of where it was installed, 
such as:
AVDefinition Date=FILED;&Install Path&\myav.def;;Value
Note the earlier definition of "Install Path" has been surrounded with "&" tags. 
The Install Path value is determined, and replaces the "&Install Path&" string
before the FILED check is performed.


"value" has different meanings depending on the method used. For "REG" methods, 
that value is the registry key value to read. Like paths, multiple values can be 
defined, separated with "|" characters. The first value found will be returned.
For FILEV detections, value will specify the version string to be returned. "value"
is ignored for FILEX and FILED methods.


"return" specifies what kind of data to return. The valid return values are "bool",
"bool:string", and "Value".

 bool	returns true/false based on the existence of the object specified by the 
        path (and value).

 bool:s	returns the specified string "s" if true, otherwise returns an empty string.

 value	specifies that the value of the registry object should be returned. 

Note that the FILE methods make little use of the "return" specification. FILEX can use the 
"bool:string" form, but is limited to returning either true/false or string/empty string.
FILEV and FILED always return values.
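As an added example (not the UDF's own code), the following Python model implements the detection-definition semantics described above: "|" alternatives, "&Other Value&" embedding, and the bool / bool:s / value return kinds. FAKE_REG, FAKE_FILES and the MY_AV_PRODUCT signature are constructed stand-ins for the registry and files the real UDF reads on the target host; the SERVICE/WMI running check is not modelled and FILEV's version-string selection is simplified.

```python
import configparser, re

# Constructed stand-ins for the registry and files the real UDF reads on the target host.
FAKE_REG = {(r"HKLM\SOFTWARE\MYAVProd", "Install Path"): r"C:\Program Files\MyAV"}
FAKE_FILES = {r"C:\Program Files\MyAV\myav.def": ("1.0.42", "2009-03-14 02:15")}  # (version, date)
SIG_INI = r"""
[MY_AV_PRODUCT]
INFO=example;constructed sample signature
NAME=My Anti-Virus
DETECT=REG;HKLM\SOFTWARE\OLDAVProd|HKLM\SOFTWARE\MYAVProd;Install Path;bool
Install Path=REG;HKLM\SOFTWARE\MYAVProd;Install Path;value
AVDefinition Date=FILED;&Install Path&\myav.def;;value
Definitions Present=FILEX;&Install Path&\myav.def;;bool:present
"""

def lookup(method, path, value):
    """Resolve one method/path/value against the fake host; None means not found."""
    for p in path.split("|"):                      # first alternative that exists AND has data
        if method == "REG":
            hit = next((FAKE_REG[(p, v)] for v in value.split("|") if FAKE_REG.get((p, v))), None)
        else:                                      # FILE methods ignore "value" (FILEV simplified)
            ver, stamp = FAKE_FILES.get(p, (None, None))
            hit = {"FILEX": p in FAKE_FILES, "FILEV": ver, "FILED": stamp}[method]
        if hit:
            return hit

def evaluate(section, key, depth=0):
    """Evaluate a 'method;path;value;return' definition, expanding &Other Key& first."""
    if depth > 8:
        raise ValueError("circular &reference& in signature")
    method, path, value, ret = (section[key].split(";") + [""] * 3)[:4]
    path = re.sub(r"&([^&]+)&", lambda m: str(evaluate(section, m.group(1), depth + 1)), path)
    found = lookup(method.upper(), path, value)
    if ret.lower().startswith("bool:"):            # bool:s -> s when found, else ""
        return ret[5:] if found else ""
    if ret.lower() == "bool" or method.upper() == "FILEX":
        return bool(found)                         # FILEX only ever answers true/false
    return found if found is not None else ""      # "value": the raw data, "" if absent

def scan(ini_text):
    """One dict per product section: name, installed flag, and every extra value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                           # keep value names case-sensitive
    cp.read_string(ini_text)
    out = []
    for s in (dict(cp[name]) for name in cp.sections()):
        res = {"name": s["NAME"], "installed": bool(evaluate(s, "DETECT"))}
        res.update((k, evaluate(s, k)) for k in s if k not in ("INFO", "NAME", "DETECT", "SERVICE"))
        out.append(res)
    return out
```

Note that the DETECT line lists the old product key first, so the model also exercises the "first path that exists AND contains data" rule.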


Core definitions for many common AV products are provided in the AVSig.INI file. 
The user can extend the definitions to suit their specific needs. The UDF collects
and returns data - it does not validate that the AV product is running properly or 
has up-to-date virus definitions! That is up to the logic that calls this UDF.


