#175599 - 2007-04-23 09:56 PM
Re: RFC - Antivirus Detection UDF [Re: Glenn Barnas]
Glenn Barnas (KiX Supporter, registered 2003-01-28, 4401 posts, New Jersey)
Here is the AVSig.INI file, followed by the readme file:
[PANDALITE]
Info=Glenn Barnas; April 22, 2007; Panda Antivirus Lite
Name=Panda Antivirus Lite
Detect=REG;HKLM\SOFTWARE\Panda Software\Panda Antivirus Lite;PRODUCT;bool
Service=PavSrv|PavPrSrv
Product ID=REG;HKLM\SOFTWARE\Panda Software\Panda Antivirus Lite;PRODUCT;Value
Install Path=REG;HKLM\SOFTWARE\Panda Software\Panda Antivirus Lite;DIR;Value
Version=REG;HKLM\SOFTWARE\Panda Software\Panda Antivirus Lite;VERSION;Value
Signature Date=FILED;&INSTALL PATH&\pav.sig;;Value
[PANDAPRO]
Info=Glenn Barnas; April 22, 2007; Panda Antivirus Business Secure
Name=Panda Antivirus Business Secure
Detect=REG;HKLM\SOFTWARE\Panda Software\Setup;PRODUCT;bool
Service=Panda TPSrv
Product ID=REG;HKLM\SOFTWARE\Panda Software\Setup;PRODUCTNAME;Value
Install Path=REG;HKLM\SOFTWARE\Panda Software\Setup;PATH;Value
Version=REG;HKLM\SOFTWARE\Panda Software\Setup;NORMAL;Value
Signature Date=FILED;&INSTALL PATH&\pav.sig;;Value
[MCAFEE]
INFO=Glenn Barnas; April 20, 2007; McAfee antivirus
Name=McAfee Anti Virus
Detect=REG;HKLM\SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx;DAT;bool
Service=McShield
Product Name=REG;HKLM\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion;Product;Value
Product Version=REG;HKLM\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion;szProductVer;Value
Engine Version=REG;HKLM\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion|HKLM\SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx;szEngineVer;Value
Database Version=REG;HKLM\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion|HKLM\SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx;szVirDefVer;Value
Database Date=REG;HKLM\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion|HKLM\SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx;szVirDefDate;Value
EPolicy Director=REG;HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent;Installed Path;Bool:Installed
[TRENDM]
Info=Glenn Barnas; April 20, 2007; Trend Micro Anti Virus
Name=Trend Micro Anti Virus
Detect=REG;HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion;InstDate;bool
Service=OfficeScanNT|Trend Micro Client/Server Security Agent RealTime Scan
Product Version=REG;HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc;ProgramVer;Value
Engine Version=REG;HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc;VsAPINT-Ver;Value
Database Version=REG;HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc;PatternVer;Value
Internal DB Version=REG;HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc;InternalPatternVer;Value
Database Date=REG;HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc;PatternDate;Value
[SYMANTECCE]
Info=Glenn Barnas; April 20, 2007; Symantec Corp Edition
Name=Symantec Anti Virus Corporate Edition
Detect=REG;HKLM\SOFTWARE\Symantec\InstalledApps;SAVCE;bool
Service=Norton Antivirus|Symantec Antivirus
Product Version=REG;HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion;ProductVersion;Value
Virus Signature Version=REG;HKLM\SOFTWARE\Symantec\SharedDefs;DEFWATCH10|NAVCORP_70|NAVNT_50_AP1;Value
[WLONECARE]
Info=Glenn Barnas; April 22, 2007; Windows Live OneCare
Name=Windows Live OneCare
Detect=REG;HKLM\SOFTWARE\Microsoft\OneCare Protection;InstallLocation;bool
Service=OneCareMP
Engine Version=REG;HKLM\SOFTWARE\Microsoft\OneCare Protection\Signature Updates;EngineVersion;Value
AntiVirus Version=REG;HKLM\SOFTWARE\Microsoft\OneCare Protection\Signature Updates;AVSignatureVersion;Value
AntiSpyware Version=REG;HKLM\SOFTWARE\Microsoft\OneCare Protection\Signature Updates;ASSignatureVersion;Value
WMIGetAVI() - PRELIMINARY -
Provides a general purpose UDF to detect various anti-virus products, and return key information about the product(s) that are installed. The UDF uses an external signature file (AVSig.INI) to define the detection process. Each product defined in the signature file is scanned for, and the results returned in an array of arrays.
The UDF does not actually use WMI to detect the AV product, but does use WMI to determine if the AV service is running. Hence, I allow passing of a pre-authenticated WMI object pointer, which puts this in the same class as the other WMI UDFs (in my library, at least).
Simple use:
===========

; gather the data
$aAVData = WMIGetAVI()

; loop through the outer array of products
For $I = 0 to UBound($aAVData)
  ; display the 4 standard elements
  ' 0: ' If $aAVData[$I][0] 'Installed' Else 'Not Installed' EndIf ?
  ' 1: ' If $aAVData[$I][1] 'Running' Else 'Not Running' EndIf ?
  ' 2: ' $aAVData[$I][2] ?
  ' 3: ' $aAVData[$I][3] ?
  ; loop through any additional elements of the inner array
  For $J = 4 to UBound($aAVData[$I])
    Right(' ' + $J, 2) ': ' $aAVData[$I][$J] ?
  Next
  ?
Next
Using a WMI pre-authentication object pointer
=============================================

* Obtain the WMIAuthentication UDF from KORG

; Establish an authenticated object pointer
$objWMIAuth = WMIAuthentication('computer', 'user', 'password')

; call WMIGetAVI
$aAVData = WMIGetAVI('computer', $objWMIAuth)
Format of the AVSig.INI file
============================

An AV Product Signature consists of one section in the INI file and two or more values. There are two mandatory values - DETECT and NAME - and any number of optional values. The types of values are described here:

; new section starts with a header
[MY_AV_PRODUCT]
; the INFO value is specifically ignored by the udf, so you can provide key information
; or data used outside of the udf
INFO=author;date;description

; Define the generic product name. The actual product can often be extracted
NAME=My Anti-Virus

; defines how to detect if the product is installed - these items are discussed in detail below.
DETECT=method;path;value;return

; define the service name to validate. Multiple names can be defined, the status of the first one
; found is returned
SERVICE=svcname[|alt svc name...]

; request additional information - any number of additional values can be defined
; the value name should be descriptive, as it forms the field name of the name/value
; data pair that is returned
Engine Version=method;path;value;return
===================================
Each detection value uses a "method;path;value;return" format, described here.
"method" is one of:
  REG    Perform a Registry Read
  FILEX  Returns a boolean true if the file exists
  FILEV  Returns the version number of the file
  FILED  Returns the date/time stamp of the file
File access assumes that an authenticated connection has already been made to the remote computer prior to calling WMIGetAVI.
"path" defines the path to the registry key for REG methods, or the complete path to the file, including drive letter and filename for any of the FILE methods. The drive letter is translated to the appropriate admin share (C: => C$) if a remote computer is being queried.
Multiple registry and file paths can be specified by separating them with "|". This allows for situations where products might be installed on different drives, or when product names change and you want to detect either the new or old version. When multiple paths are specified, the first one that exists AND contains data will be returned. It is recommended that paths be searched in a "newest to oldest" sequence.
It is possible to embed the result of one detection value in another detection definition. For example, you might define:

Install Path=REG;HKLM\SOFTWARE\MYAVProd;Install Path;Value

which returns the installation path. You might then need to obtain the version or date value of a file located in the install path. You can embed the Install Path result in another query to find the value regardless of where it was installed, such as:

AVDefinition Date=FILED;&Install Path&\myav.def;;Value

Note the earlier definition of "Install Path" has been surrounded with "&" tags. The Install Path value is determined, and replaces the "&Install Path&" string before the FILED check is performed.
"value" has different meanings depending on the method used. For "REG" methods, that value is the registry key value to read. Like paths, multiple values can be defined, separated with "|" characters. The first value found will be returned. For FILEV detections, value will specify the version string to be returned. "value" is ignored for FILEX and FILED methods.
"return" specifies what kind of data to return. The valid return values are "bool", "bool:string", and "Value".
bool returns true/false based on the existence of the object specified by the path (and value).
bool:s returns the specified string "s" if true, otherwise returns an empty string.
value specifies that the value of the registry object should be returned.
Note that the FILE methods do not use the "return" specifications. FILEX can use the "bool:string" method, but is limited to returning either true/false or string/nostring. FILEV and FILED always return Values.
Core definitions for many common AV products are provided in the AVSig.INI file. The user can extend the definitions to suit their specific needs. The UDF collects and returns data - it does not validate that the AV product is running properly or has up-to-date virus definitions! That would be up to the logic that calls this UDF.
_________________________
Actually I am a Rocket Scientist!
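As an added example (not part of Glenn's post or the WMIGetAVI UDF, which is KiXtart), here is a Python resolver for the "method;path;value;return" definitions described in the readme: "|" alternatives where the first path/value that exists AND contains data wins, "&Install Path&" embedding resolved before the dependent FILED check, and the bool, bool:string and Value return kinds. Registry reads and file date stamps are replaced by constructed in-memory tables, and the signature section itself is constructed; FILEX/FILEV are left out.

```python
import configparser, re
# Constructed stand-ins: registry reads keyed "key;value", file dates keyed by full path.
FAKE_REG = {r"HKLM\SOFTWARE\MYAVProd;Install Path": r"C:\Program Files\MyAV",
            r"HKLM\SOFTWARE\MYAVProd\Old;Engine": "",        # exists but empty: skipped
            r"HKLM\SOFTWARE\MYAVProd\New;Engine": "5.2.0"}
FAKE_FILED = {r"C:\Program Files\MyAV\myav.def": "2007-04-22 03:10"}

AVSIG = r"""[MY_AV_PRODUCT]
INFO=example;2007-04-22;constructed signature, ignored by the resolver
NAME=My Anti-Virus
DETECT=REG;HKLM\SOFTWARE\MYAVProd;Install Path;bool
Install Path=REG;HKLM\SOFTWARE\MYAVProd;Install Path;Value
Engine Version=REG;HKLM\SOFTWARE\MYAVProd\Old|HKLM\SOFTWARE\MYAVProd\New;Engine;Value
AVDefinition Date=FILED;&Install Path&\myav.def;;Value
EPO Agent=REG;HKLM\SOFTWARE\NotThere;Installed Path;bool:Installed
"""

def probe(method, path, value):
    """One REG or FILED read against the constructed data; None when the object is absent."""
    if method == "REG":
        return FAKE_REG.get(path + ";" + value)
    return FAKE_FILED.get(path) if method == "FILED" else None   # FILEX/FILEV left out here

def resolve(section, name, cache):
    """Evaluate one 'method;path;value;return' definition, expanding &Other Name& first."""
    if name not in cache:
        method, paths, values, ret = section[name].split(";", 3)
        paths = re.sub(r"&([^&]+)&", lambda m: str(resolve(section, m.group(1), cache)), paths)
        # '|' alternatives: the first path/value that exists AND contains data wins.
        hits = (probe(method, p, v) for p in paths.split("|") for v in values.split("|"))
        found = next((d for d in hits if d not in (None, "")), None)
        if ret.lower() == "bool":
            cache[name] = found is not None
        elif ret.lower().startswith("bool:"):
            cache[name] = ret[5:] if found is not None else ""
        else:                                              # "Value"
            cache[name] = found if found is not None else ""
    return cache[name]

def scan(ini_text=AVSIG):
    """Return {product name: {field: result}} for each section, like the UDF's inner arrays."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str        # keep key case so "&Install Path&" finds its definition
    cp.read_string(ini_text)
    out = {}
    for sec in cp.sections():
        s, cache = cp[sec], {}
        out[s["NAME"]] = {n: resolve(s, n, cache) for n in s
                          if n.upper() not in ("INFO", "NAME", "SERVICE")}
    return out
```

The "Old" engine key is present but empty, so the resolver falls through to "New", which is the behaviour the readme specifies for "|" lists.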