
View full version: Antivirus Detector v0.1 [Beta] (Delphi Module)


Fliplab
17.02.2010, 16:19
unit antivir_detect;
{
Antivirus Detector v0.1 [Beta]
Author: FlipLab Software© 2006-2009
E-mail: fliplab@gmail.com, fliplab@ya.ru
URL: http://www.fls.com/
About: Helper module for detecting installed
antivirus programs and firewalls. The current version
supports:
+ ESET SysInspector
+ ESET Nod32 Antivirus
+ ESET Personal Firewall
+ Trend Micro Internet Security
+ Kaspersky Internet Security 2008 & WorkStation
+ Agnitum Outpost Firewall
+ Agnitum Anti-Spyware
+ Agnitum Host Protection
+ Malwarebytes' Anti-Malware
+ Zillya! Antivirus
}

interface

uses
Windows;

function IsEsetAntivir: Boolean;
function IsEsetSysInsp: Boolean;
function IsEsetFire: Boolean;
function IsTrendMicro: Boolean;
function IsKIS2008: Boolean;
function IsOutpostFire: Boolean;
function IsOutpostAntiSpy: Boolean;
function IsOutpostHostProt: Boolean;
function IsAntiMalware: Boolean;
function IsZillya: Boolean;

implementation

// Returns the system directory (e.g. C:\WINDOWS\system32) with a trailing backslash
function GetSys: String;
var
Gsys: array[0..MAX_PATH] of Char;
begin
GetSystemDirectory(Gsys, MAX_PATH);
Result := Gsys;
if Length(Result) > 0 then
if Result[Length(Result)] <> '\' then
Result := Result + '\';
end;

// Tries to open a device object such as \\.\NAME; the open succeeds only while
// the vendor's kernel driver is loaded and exposes that device
function IsRing0(Device: String): Boolean;
var
hFile: THandle;
begin
Result := False;
hFile := CreateFileA(PChar(Device), GENERIC_READ or GENERIC_WRITE, 0, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (hFile <> INVALID_HANDLE_VALUE) then
begin
CloseHandle(hFile);
Result := True;
end;
end;

// Same logic as the classic SysUtils.FileExists: the path must exist and must not be a directory.
// Note that in Delphi "and" binds tighter than "=", so the second test reads (FILE_ATTRIBUTE_DIRECTORY and Code) = 0
function FileExists(const FileName: String): Boolean;
var
Code: Integer;
begin
Code := GetFileAttributes(PChar(FileName));
Result := (Code <> -1) and (FILE_ATTRIBUTE_DIRECTORY and Code = 0);
end;

// ESET SysInspector
function IsEsetSysInsp: Boolean;
begin
if IsRing0('\\.\ESIASDRV') then
Result := True
else
Result := False;
end;

// ESET Nod32 Antivirus
function IsEsetAntivir: Boolean;
begin
if (FileExists(GetSys + 'drivers\ehdrv.sys')) or (FileExists(GetSys + 'drivers\eamon.sys')) then
Result := True
else
Result := False;
end;

// ESET Personal Firewall
function IsEsetFire: Boolean;
begin
if (IsRing0('\\.\EPFWNDIS')) or (IsRing0('\\.\EPFW')) or (FileExists(GetSys + 'drivers\epfwtdi.sys')) then
Result := True
else
Result := False;
end;

// Trend Micro Internet Security
function IsTrendMicro: Boolean;
begin
if IsRing0('\\.\TMACTMON') then
Result := True
else
Result := False;
end;

// Kaspersky Internet Security 2008 & WorkStation
function IsKIS2008: Boolean;
begin
if IsRing0('\\.\KLIM5') then
Result := True
else
Result := False;
end;

// Agnitum Outpost Firewall
function IsOutpostFire: Boolean;
begin
if (FileExists(GetSys + 'drivers\afwcore.sys')) or (FileExists(GetSys + 'drivers\afw.sys')) then
Result := True
else
Result := False;
end;

// Agnitum Anti-Spyware
function IsOutpostAntiSpy: Boolean;
begin
if FileExists(GetSys + 'filt\aswfilt.dll') then
Result := True
else
Result := False;
end;

// Agnitum Host Protection
function IsOutpostHostProt: Boolean;
begin
if FileExists(GetSys + 'drivers\sandbox.sys') then
Result := True
else
Result := False;
end;

// Malwarebytes' Anti-Malware
function IsAntiMalware: Boolean;
begin
if (FileExists(GetSys + 'drivers\mbam.sys')) or (FileExists(GetSys + 'drivers\mbamswissarmy.sys')) then
Result := True
else
Result := False;
end;

// Zillya! Antivirus
function IsZillya: Boolean;
begin
if FileExists(GetSys + 'drivers\ZFMSYS.sys') then
Result := True
else
Result := False;
end;

end.

http://slil.ru/28697335 - Download Antivirus Detector v0.1 [Beta] (Delphi Module)

Wrote it in my spare time; I think it will come in handy for someone. I would gladly accept help working on this module.

Gar|k
17.02.2010, 22:04
Not that I like Delphi... but your call to the GetSys function here is unjustified. Declare it as a global variable and initialise it before your code is used. FileExists is a very strange function...

Fliplab
18.02.2010, 11:27
OK, and FileExists I simply cut out of SysUtils.

rankor777
18.02.2010, 13:12
Thanks, useful source. I will have to rewrite it in C.
P.S. For things like this it is better to import all the functions from the DLLs yourself; luckily there are not many of them ;)

Fliplab
18.02.2010, 13:16
No argument there. If you feel like it, rewrite it in asm. I will fix the source shortly and add new AVs. If it is not too much trouble, post links to the AVs you know.

sn0w
18.02.2010, 13:18
Better add, instead of a service check, a hash of its exe once a process is found, in case a fake is running.

And here is the list from VirusTotal:

a-squared
AhnLab-V3
AntiVir
Antiy-AVL
Authentium
Avast
AVG
BitDefender
CAT-QuickHeal
DNAScan
ClamAV
Comodo
DrWeb
eSafe
eTrust-Vet
F-Prot
F-Secure
Fortinet
GData
Ikarus
Jiangmin
K7AntiVirus
Kaspersky
McAfee
McAfee+Artemis
McAfee-GW-Edition
Microsoft
NOD32
Norman
nProtect
Panda
PCTools
Prevx
Rising
Sophos
Sunbelt
Symantec
TheHacker
TrendMicro
VBA32
ViRobot
VirusBuster

Fliplab
18.02.2010, 13:21
OK.

rankor777
18.02.2010, 13:39
The hash will differ between antivirus versions.

Fliplab
18.02.2010, 13:45
That is exactly what I came here to write as well :) Although in principle that way you could detect the installed version, but then you would need a helper to collect the hashes for me :)

Fliplab
18.02.2010, 13:51
And a fake process can also, in principle, be launched if someone really wants to :)

Fliplab
18.02.2010, 18:03
Can someone tell me how to rewrite the kernel32 functions on top of ntdll?

rankor777
18.02.2010, 20:30
Open the Delphi file with the declarations of those functions and take a look ;)

There are just two points, though.

1. Do you often come across fake antivirus processes? I have never seen one.
2. All of these actions can get caught by proactive protection ;)
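rankor777's second point is the defender's angle on this thread: a HIPS or EDR sees the probes the module makes (CreateFile on vendor device objects, GetFileAttributes on driver files under system32\drivers, reads of the Uninstall key). The Python below is an added example, not code from the thread: it runs simple detection logic over constructed telemetry lines and flags a process that makes several distinct security-product probes within a short window. The line format, process names, window and threshold are assumptions; the device and driver names come from the module above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Device objects, driver files and registry key probed by the module in this thread
PROBED_DEVICES = {"ESIASDRV", "EPFWNDIS", "EPFW", "TMACTMON", "KLIM5", "LBD", "MPFP"}
PROBED_DRIVERS = {
    "ehdrv.sys", "eamon.sys", "epfwtdi.sys", "afwcore.sys", "afw.sys",
    "sandbox.sys", "mbam.sys", "mbamswissarmy.sys", "zfmsys.sys",
    "lbd.sys", "mpfilter.sys", "mpfp.sys",
}
UNINSTALL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall".upper()

# Assumed (constructed) telemetry format: "<iso-time> pid=<n> image=<exe> op=<api> target=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\w+) target=(?P<target>.+)$"
)

# Constructed sample: pid 1337 behaves like the module, the other two processes do not
SAMPLE_LOG = r"""
2010-02-18T13:00:00 pid=1337 image=dropper.exe op=CreateFile target=\\.\ESIASDRV
2010-02-18T13:00:00 pid=1337 image=dropper.exe op=GetFileAttributes target=C:\WINDOWS\system32\drivers\ehdrv.sys
2010-02-18T13:00:01 pid=1337 image=dropper.exe op=CreateFile target=\\.\KLIM5
2010-02-18T13:00:01 pid=1337 image=dropper.exe op=CreateFile target=\\.\TMACTMON
2010-02-18T13:00:02 pid=1337 image=dropper.exe op=RegOpenKey target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2010-02-18T13:00:03 pid=2048 image=setup.exe op=RegOpenKey target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2010-02-18T13:00:04 pid=2048 image=setup.exe op=GetFileAttributes target=C:\WINDOWS\system32\drivers\tcpip.sys
2010-02-18T13:05:00 pid=3000 image=ekrn.exe op=CreateFile target=\\.\ESIASDRV
"""


def classify(op, target):
    """Map one API event to the probe it represents, or None if it is not one."""
    t = target.strip()
    if op == "CreateFile" and t.startswith("\\\\.\\"):
        # CreateFile on \\.\NAME opens a device object; the module's IsRing0 uses
        # it to learn whether a vendor's kernel driver is loaded
        name = t[4:].upper()
        if name in PROBED_DEVICES:
            return ("device", name)
    elif op == "GetFileAttributes":
        # GetFileAttributes on system32\drivers\<vendor>.sys (the module's DriveExist)
        low = t.lower()
        fname = low.rsplit("\\", 1)[-1]
        if "\\drivers\\" in low and fname in PROBED_DRIVERS:
            return ("driver", fname)
    elif op == "RegOpenKey" and UNINSTALL_KEY in t.upper():
        # Walking the Uninstall key for product display names (the module's IsUninstall)
        return ("uninstall", "DisplayName scan")
    return None


def find_enumerators(lines, window=timedelta(seconds=5), threshold=3):
    """Return {pid: {"image": ..., "probes": [...]}} for processes that make at
    least `threshold` distinct security-product probes inside `window`.
    One probe is normal (an installer checking for a conflicting product);
    a burst across several vendors is the enumeration pattern."""
    per_pid = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = classify(m["op"], m["target"])
        if hit is None:
            continue
        ts = datetime.fromisoformat(m["ts"])
        per_pid[(int(m["pid"]), m["image"])].append((ts, hit))

    alerts = {}
    for (pid, image), events in per_pid.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct probes in the sliding window that starts at this event
            in_window = {hit for ts, hit in events[i:] if ts - t0 <= window}
            if len(in_window) >= threshold:
                alerts[pid] = {"image": image, "probes": sorted(in_window)}
                break
    return alerts


if __name__ == "__main__":
    for pid, info in find_enumerators(SAMPLE_LOG.strip().splitlines()).items():
        print(f"pid {pid} ({info['image']}) probed {len(info['probes'])} security-product artifacts:")
        for kind, what in info["probes"]:
            print(f"  {kind}: {what}")
```

On the sample only pid 1337 is reported; setup.exe touches the Uninstall key once and ekrn.exe opens one device, which stays under the threshold.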

BaalHaddat
19.02.2010, 02:52
Not the first time I have noticed that malware quite often modifies files like these.
In my opinion it is not a bad idea for antivirus companies to put together fakes and watch for changes to them...

BaalHaddat
19.02.2010, 02:55
Can someone tell me how to rewrite the kernel32 functions on top of ntdll?
What do you mean, rewrite?
There you can often find "stubs" for sysenter, so you can quite well use their calls to bypass ntdll.

Fliplab
19.02.2010, 11:49
There you can often find "stubs" for sysenter, so you can quite well use their calls to bypass ntdll.
Before giving advice, read up on hooking yourself.

Fliplab
19.02.2010, 11:52
The kernel32 library is written on top of ntdll functions, so I just need their descriptions and so on.

RedFern.89
19.02.2010, 12:04
Nice thing :) thanks :)

slesh
19.02.2010, 12:07
Here you go: Windows System Call Table (NT/2000/XP/2003/Vista) from Metasploit.

A very good table, because it has the function prototypes. Practically all SDT functions for ntoskrnl.exe and their numbers. For Win Vista the numbers may differ slightly from the original; it has become quite a mess there.

Fliplab
19.02.2010, 12:12
BaalHaddat
As for fakes, there is no point to them in antiviruses :) let alone watching them.

Fliplab
19.02.2010, 12:14
slesh Huge thanks to you :)

Fliplab
21.02.2010, 19:59
Вообщем какаято хрень.не могу редактировать свой пост и отвечать на сообщения,точнее могу,но они отображаются пустыми

mailbrush
21.02.2010, 20:11
Вообщем какаято хрень.не могу редактировать свой пост и отвечать на сообщения,точнее могу,но они отображаются пустыми
Слишком много текста. Раздели на два поста.

Fliplab
24.02.2010, 02:55
OK, I will try.

Fliplab
24.02.2010, 14:36
unit antivir_detect;
{
Antivirus Detector v0.2 [Beta]
Author: FlipLab Software© 2006-2009
E-mail: fliplab@gmail.com, fliplab@ya.ru
URL: http://www.fls.com/
About: Helper module for detecting installed
antivirus programs and firewalls. The current version
supports:
+ ESET SysInspector
+ ESET Nod32 Antivirus
+ ESET Personal Firewall
+ Trend Micro Internet Security
+ Kaspersky Internet Security 2008 & WorkStation
+ Agnitum Outpost Firewall
+ Agnitum Anti-Spyware
+ Agnitum Host Protection
+ Malwarebytes' Anti-Malware
+ Zillya! Antivirus
+ Advanced SystemCare
+ Antivirus Stop!
+ USBGuard
+ AnVir Task Manager
+ Lavasoft Ad-Aware
+ Microsoft Security Essentials
+ McAfee
+ McAfee Personal Firewall
+ SpyHunter
}

interface

uses
Windows;

function IsEsetAntivir: Boolean;
function IsEsetSysInsp: Boolean;
function IsEsetFire: Boolean;
function IsTrendMicro: Boolean;
function IsKIS2008: Boolean;
function IsOutpostFire: Boolean;
function IsOutpostAntiSpy: Boolean;
function IsOutpostHostProt: Boolean;
function IsAntiMalware: Boolean;
function IsZillya: Boolean;
function IsAdvancedSysCare: Boolean;
function IsAvirStop: Boolean;
function IsUSBGuard: Boolean;
function IsAnvitTaskMgr: Boolean;
function IsAdAware: Boolean;
function IsMSecEssentials: Boolean;
function IsMcAfee: Boolean;
function IsMcAfeeeFire: Boolean;
function IsSpyHunter: Boolean;

implementation

// Resolves a kernel32 export by name at run time, so the call does not show up in the import table
function ImportKernelFunc(const Name: String): Pointer;
var
KernelModule: THandle;
begin
KernelModule := GetModuleHandle('kernel32.dll');
Result := GetProcAddress(KernelModule, PChar(Name));
end;

function UpperCase(const S: string): string;
asm
push ebx
push esi
push edi
mov esi, eax // s
mov eax, edx
test esi, esi
jz @Nil
mov edx, [esi-4] // Length(s)
mov edi, eax // @Result
test edx, edx
jle @Nil
mov ecx, [eax]
mov ebx, edx
test ecx, ecx
jz @Realloc // Jump if Result not allocated
test edx, 3
jnz @Length3
xor edx, [ecx-4]
cmp edx, 3
jbe @TestRef
jmp @Realloc
@Length3:
or edx, 2
xor edx, [ecx-4]
cmp edx, 1
ja @Realloc
@TestRef:
cmp [ecx-8], 1
je @LengthOK // Jump if Result RefCt=1
@Realloc:
mov edx, ebx
or edx, 3
call System.@LStrSetLength
@LengthOK:
mov edi, [edi] // Result
mov [edi-4], ebx // Correct Result length
mov byte ptr [ebx+edi], 0
add ebx, -1
and ebx, -4
mov eax, [ebx+esi]

@Loop: mov ecx, eax
or eax, $80808080 // $E1..$FA
mov edx, eax
sub eax, $7B7B7B7B // $66..$7F
xor edx, ecx // $80
or eax, $80808080 // $E6..$FF
sub eax, $66666666 // $80..$99
and eax, edx // $80
shr eax, 2 // $20
xor eax, ecx // Upper
mov [ebx+edi], eax
mov eax, [ebx+esi-4]
sub ebx, 4
jge @Loop

pop edi
pop esi
pop ebx
ret

@Nil: pop edi
pop esi
pop ebx
jmp System.@LStrClr // Result:=''
end;

function IsUninstall(const ProgramName: String): Boolean;
var
Str, MBuf, DisplayName: String;
function RegEnum(RootKey: HKEY; Name: String; var ResultList: String; const DoKeys: Boolean): Boolean;
var
I, iRes: Integer;
S: String;
hTemp: HKEY;
Buf: Pointer;
BufSize: Cardinal;
begin
Result := False;
ResultList := '';
if RegOpenKeyEx(RootKey, PChar(Name), 0, KEY_READ, hTemp) = ERROR_SUCCESS then
begin
Result := True;
BufSize := 1024;
GetMem(buf, BufSize);
I := 0;
iRes := ERROR_SUCCESS;
while iRes = ERROR_SUCCESS do
begin
BufSize := 1024;
if DoKeys then
iRes := RegEnumKeyEx(hTemp, I, buf, BufSize, nil, nil, nil, nil)
else
iRes := RegEnumValue(hTemp, I, buf, BufSize, nil, nil, nil, nil);
if iRes = ERROR_SUCCESS then
begin
SetLength(S, BufSize);
Move(buf^, S[1], BufSize);
ResultList := Concat(S, #13#10, ResultList);
Inc(i);
end;
end;
FreeMem(Buf);
RegCloseKey(hTemp);
end;
end;
function RegEnumKeys(RootKey: HKEY; Name: String; var KeyList: String): Boolean;
begin
Result := RegEnum(RootKey, Name, KeyList, True);
end;
// Position of the last occurrence of Needle in Haystack, 0 if absent.
// A plain local counter is used: Result is undefined once a for loop runs to completion
function LastPos(Needle: Char; Haystack: String): Integer;
var
I: Integer;
begin
Result := 0;
for I := Length(Haystack) downto 1 do
if Haystack[I] = Needle then
begin
Result := I;
Break;
end;
end;
function RegValueExists(RootKey: HKEY; Name: String): Boolean;
var
SubKey: String;
n: Integer;
hTemp: HKEY;
begin
Result := False;
n := LastPos('\', Name);
if n > 0 then
begin
SubKey := Copy(Name, 1, n - 1);
if RegOpenKeyEx(RootKey, PChar(SubKey), 0, KEY_READ, hTemp) = ERROR_SUCCESS then
begin
SubKey := Copy(Name, n + 1, Length(Name) - n);
Result := (RegQueryValueEx(hTemp, PChar(SubKey), nil, nil, nil, nil) = ERROR_SUCCESS);
RegCloseKey(hTemp);
end;
end;
end;
function RegGetValue(RootKey: HKEY; Name: String; ValType: Cardinal; var PVal: Pointer; var ValSize: Cardinal): Boolean;
var
SubKey: String;
n: Integer;
MyValType: DWORD;
hTemp: HKEY;
Buf: Pointer;
BufSize: Cardinal;
PKey: PChar;
begin
Result := False;
n := LastPos('\', Name);
if n > 0 then
begin
SubKey := Copy(Name, 1, n - 1);
if RegOpenKeyEx(RootKey, PChar(SubKey), 0, KEY_READ, hTemp) = ERROR_SUCCESS then
begin
SubKey := Copy(Name, n + 1, Length(Name) - n);
if SubKey = '' then
PKey := nil
else
PKey := PChar(SubKey);
if RegQueryValueEx(hTemp, PKey, nil, @MyValType, nil, @BufSize) = ERROR_SUCCESS then
begin
GetMem(Buf, BufSize);
if RegQueryValueEx(hTemp, PKey, nil, @MyValType, Buf, @BufSize) = ERROR_SUCCESS then
begin
if ValType = MyValType then
begin
PVal := Buf;
ValSize := BufSize;
Result := True;
end
else
FreeMem(Buf)
end
else
FreeMem(Buf);
end;
RegCloseKey(hTemp);
end;
end;
end;
function RegGetString(RootKey: HKEY; Name: String; Var Value: String): Boolean;
var
Buf: Pointer;
BufSize: Cardinal;
begin
Result := False;
Value := '';
if RegGetValue(RootKey, Name, REG_SZ, Buf, BufSize) then
begin
Dec(BufSize);
SetLength(Value, BufSize);
if BufSize > 0 then
Move(Buf^, Value[1], BufSize);
FreeMem(Buf);
Result := True;
end;
end;
begin
Result := False;
if RegEnumKeys(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', Str) then
while Length(Str) > 0 do
begin
MBuf := Copy(Str, 1, Pos(#13#10, Str) - 1);
Delete(Str, 1, Pos(#13#10, Str) + 1);
if RegValueExists(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\' + MBuf + '\DisplayName') then
begin
RegGetString(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\' + MBuf + '\DisplayName', DisplayName);
DisplayName := UpperCase(DisplayName);
if Pos(UpperCase(ProgramName), DisplayName) > 0 then
begin
Result := True;
Exit;
end;
end;
end;
end;

Fliplab
24.02.2010, 14:41
function IsRing0(const Device: String): Boolean;
var
hFile: THandle;
begin
Result := False;
hFile := CreateFileA(PChar(Device), GENERIC_READ or GENERIC_WRITE, 0, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (hFile <> INVALID_HANDLE_VALUE) then
begin
CloseHandle(hFile);
Result := True;
end;
end;

// True if <system dir>\DrivePath exists and is not a directory
function DriveExist(const DrivePath: String): Boolean;
var
// Win32 API functions are stdcall; declaring them cdecl leaves the stack unbalanced after every call
GetSystemDirectory: function(lpBuffer: PChar; uSize: LongWord): LongWord; stdcall;
GetFileAttributes: function(lpFileName: PChar): LongWord; stdcall;
GSys: array[0..MAX_PATH] of Char;
SysPath: String;
Code: Integer;
begin
Result := False;
@GetSystemDirectory := ImportKernelFunc('GetSystemDirectoryA');
@GetFileAttributes := ImportKernelFunc('GetFileAttributesA');
if (@GetSystemDirectory = nil) or (@GetFileAttributes = nil) then
Exit;
GetSystemDirectory(GSys, MAX_PATH);
SysPath := String(GSys);
if Length(SysPath) > 0 then
if SysPath[Length(SysPath)] <> '\' then
SysPath := SysPath + '\';
SysPath := SysPath + DrivePath;
// -1 (INVALID_FILE_ATTRIBUTES) means the path does not exist; "and" binds tighter than "=" here
Code := GetFileAttributes(PChar(SysPath));
Result := (Code <> -1) and (FILE_ATTRIBUTE_DIRECTORY and Code = 0);
end;

// ESET SysInspector
function IsEsetSysInsp: Boolean;
begin
if IsRing0('\\.\ESIASDRV') then
Result := True
else
Result := False;
end;

// ESET Nod32 Antivirus
function IsEsetAntivir: Boolean;
begin
if (DriveExist('drivers\ehdrv.sys')) or (DriveExist('drivers\eamon.sys')) or (IsUninstall('ESET')) then
Result := True
else
Result := False;
end;

// ESET Personal Firewall
function IsEsetFire: Boolean;
begin
if (IsRing0('\\.\EPFWNDIS')) or (IsRing0('\\.\EPFW')) or (DriveExist('drivers\epfwtdi.sys')) then
Result := True
else
Result := False;
end;

// Trend Micro Internet Security
function IsTrendMicro: Boolean;
begin
if IsRing0('\\.\TMACTMON') then
Result := True
else
Result := False;
end;

// Kaspersky Internet Security 2008 & WorkStation
function IsKIS2008: Boolean;
begin
if IsRing0('\\.\KLIM5') then
Result := True
else
Result := False;
end;

// Agnitum Outpost Firewall
function IsOutpostFire: Boolean;
begin
if (DriveExist('drivers\afwcore.sys')) or (DriveExist('drivers\afw.sys')) or (IsUninstall('Outpost')) then
Result := True
else
Result := False;
end;

// Agnitum Anti-Spyware
function IsOutpostAntiSpy: Boolean;
begin
if DriveExist('filt\aswfilt.dll') then
Result := True
else
Result := False;
end;

// Agnitum Host Protection
function IsOutpostHostProt: Boolean;
begin
if DriveExist('drivers\sandbox.sys') then
Result := True
else
Result := False;
end;

// Malwarebytes' Anti-Malware
function IsAntiMalware: Boolean;
begin
if (DriveExist('drivers\mbam.sys')) or (DriveExist('drivers\mbamswissarmy.sys')) then
Result := True
else
Result := False;
end;

// Zillya! Antivirus
function IsZillya: Boolean;
begin
if DriveExist('drivers\ZFMSYS.sys') then
Result := True
else
Result := False;
end;

// Advanced SystemCare
function IsAdvancedSysCare: Boolean;
begin
if IsUninstall('Advanced SystemCare') then
Result := True
else
Result := False;
end;

// Antivirus Stop!
function IsAvirStop: Boolean;
begin
if IsUninstall('Антивирус Stop!') then
Result := True
else
Result := False;
end;

// USBGuard
function IsUSBGuard: Boolean;
begin
if IsUninstall('USBGuard') then
Result := True
else
Result := False;
end;

// AnVir Task Manager
function IsAnvitTaskMgr: Boolean;
begin
if IsUninstall('AnVir Task Manager') then
Result := True
else
Result := False;
end;

// Lavasoft Ad-Aware
function IsAdAware: Boolean;
begin
if (IsUninstall('Ad-Aware')) or (DriveExist('drivers\lbd.sys')) or (IsRing0('\\.\LBD')) then
Result := True
else
Result := False;
end;

// Microsoft Security Essentials
function IsMSecEssentials: Boolean;
begin
if (DriveExist('drivers\mpfilter.sys')) or (IsUninstall('Microsoft Security Essentials')) then
Result := True
else
Result := False;
end;

// McAfee
function IsMcAfee: Boolean;
begin
if IsUninstall('McAfee') then
Result := True
else
Result := False;
end;

// McAfee Personal Firewall
function IsMcAfeeeFire: Boolean;
begin
if (IsRing0('\\.\MPFP')) or (DriveExist('drivers\mpfp.sys')) then
Result := True
else
Result := False;
end;

// SpyHunter
function IsSpyHunter: Boolean;
begin
if IsUninstall('SpyHunter') then
Result := True
else
Result := False;
end;

end.


http://slil.ru/28697354 - Download Antivirus Detector v0.2 [Beta] (Delphi Module)

Fliplab
24.02.2010, 14:44
unit AntiVir_Detect_0_3_beta;

{
Antivirus Detector v0.3 [Beta]
Author: FlipLab Software© 2006-2010
E-mail: fliplab@gmail.com, fliplab@ya.ru
URL: http://www.fls.com/
About: Helper module for detecting installed
antivirus programs and firewalls. The current version
supports:
+ ESET SysInspector
+ ESET NOD32 Integrity
+ ESET NOD32 On-Access
+ Kaspersky On-Access Scanner
+ Legacy Kaspersky Service
+ DrWeb
+ AVG Anti-Virus
+ Norton (Symantec) AntiVirus
+ Symantec AntiVirus AutoProtect
+ Symantec AntiVirus Content Filtration
+ Avast!
+ McAfee VirusScan
+ Avira AntiVir
+ BitDefender AntiVirus & 2008
+ Spy Sweeper
+ CA Anti-Virus
+ GDATA AntiVirusKit
+ Aston
+ Sophos Antivirus
+ McAffee Framework Self Protection
+ McAffee Enterprise Self Protection
+ McAffee Online Scan Self Protection
+ Antivirus Stop!
+ Zillya! Antivirus
+ Spy Hunter
+ Lavasoft Firewall
+ Quick Heal Firewall
+ PC Firewall
+ Sophos Client Firewall
+ AGAVA Firewall
+ F-Secure Firewall
+ Jetico Firewall
+ ZoneAlarm Firewall
+ CheckPoint Firewall
+ Online Armor Personal Firewall
+ VirusBuster
+ Comodo FireWall
+ Agnitum Outpost Firewall
+ Malwarebytes' Anti-Malware
+ Advanced SystemCare
+ USBGuard
+ AnVir Task Manager
+ Lavasoft Ad-Aware
+ Microsoft Security Essentials
+ Trend Micro Internet Security
}

interface

uses
Windows, WinSvc;

const
// AntiVirus
TREND_MICRO_INET_SEC_ISSUE = 'Trend Micro Internet Security Issue';
MICROSOFT_SEC_ESSENTIALS_ISSUE = 'Microsoft Security Essentials Issue';
LAVASOFT_ADADWARE_ISSUE = 'Lavasoft Ad-Aware Issue';
ANVIR_TASK_MGR_ISSUE = 'AnVir Task Manager Issue';
USBGUARD_ISSUE = 'USBGuard Issue';
SYSTEMCARE_ISSUE = 'Advanced SystemCare Issue';
MALWAREBYTES_ISSUE = 'Malwarebytes'' Anti-Malware Issue';
NOD32_SYSINSPECTOR_ISSUE = 'ESET SysInspector Issue';
NOD32_INTEGRITY_ISSUE = 'ESET NOD32 Integrity Issue';
NOD32_ON_ACCESS_ISSUE = 'ESET NOD32 On-Access Issue';
KLIF_ISSUE = 'Kaspersky On-Access Scanner Issue';
KAVAVP_ISSUE = 'Legacy Kaspersky Service Issue';
DRWEB_ISSUE = 'DrWeb Issue';
AVG_AV_ISSUE = 'AVG Anti-Virus Issue';
SYMANTEC_ISSUE = 'Norton (Symantec) AntiVirus Issue';
SYMANTEC_AUTOPROTECT_ISSUE = 'Symantec AntiVirus AutoProtect Issue';
SYMANTEC_FILTRATION_ISSUE = 'Symantec AntiVirus Content Filtration Issue';
AVAST_ISSUE = 'Avast! Issue';
MCAFEE_ISSUE = 'McAfee VirusScan Issue';
AVIRA_ISSUE = 'Avira AntiVir Issue';
BITDEFENDER_AV_ISSUE = 'BitDefender AntiVirus Issue';
BITDEFENDER_AV_2008_ISSUE = 'BitDefender Antivirus 2008 Issue';
SPYSWEEPER_ISSUE = 'Spy Sweeper Issue';
CA_ISSUE = 'CA Anti-Virus Issue';
GDATA_AVK_ISSUE = 'GDATA AntiVirusKit Issue';
ASTON_ISSUE = 'Aston Issue';
SOPHOS_ISSUE = 'Sophos Antivirus Issue';
MCAFEE_FRAMEWORK_ISSUE = 'McAffee Framework Self Protection Issue';
MCAFEE_ENTERPRISE_ISSUE = 'McAffee Enterprise Self Protection Issue';
MCAFEE_SCAN_ONLINE_ISSUE = 'McAffee Online Scan Self Protection Issue';
STOP_ISSUE = 'Antivirus Stop! Issue';
ZILLYA_ISSUE = 'Zillya! Antivirus Issue';
SPYHUNTER_ISSUE = 'Spy Hunter Issue';
// Firewalls
LAVASOFT_FIREWALL_ISSUE = 'Lavasoft Firewall Issue';
QUICKHEAL_FIREWALL_ISSUE = 'Quick Heal Firewall Issue';
BUHL_FIREWALL_ISSUE = 'PC Firewall Issue';
SOPHOS_FIREWALL_ISSUE = 'Sophos Client Firewall Issue';
AGAVA_FIREWALL_ISSUE = 'AGAVA Firewall Issue';
FSECURE_FIREWALL_ISSUE = 'F-Secure Firewall Issue';
JETICO_FIREWALL_ISSUE = 'Jetico Firewall Issue';
ZONEALARM_FIREWALL_ISSUE = 'ZoneAlarm Firewall Issue';
CHECKPOINT_FIREWALL_ISSUE = 'CheckPoint Firewall Issue';
ONLINEARMOR_FIREWALL_ISSUE = 'Online Armor Personal Firewall Issue';
VIRUSBUSTER_ISSUE = 'VirusBuster Issue';
COMODO_ISSUE = 'Comodo FireWall Issue';
AGNITUM_ISSUE = 'Agnitum Outpost Firewall Issue';

function IsPCProtect: Boolean;
function IsNod32Integrity: Boolean;
function IsNod32OnAccess: Boolean;
function IsEsetSysInspector: Boolean;
function IsKlif: Boolean;
function IsKavAVP: Boolean;
function IsTrendMicro: Boolean;
function IsAntiMalware: Boolean;
function IsZillya: Boolean;
function IsAdAware: Boolean;
function IsMSecEssentials: Boolean;
function IsAdvancedSysCare: Boolean;
function IsAvirStop: Boolean;
function IsUSBGuard: Boolean;
function IsAnvitTaskMgr: Boolean;
function IsSpyHunter: Boolean;
function IsDrWeb: Boolean;
function IsAvgAv: Boolean;
function IsOutpostFire: Boolean;
function IsSymantec: Boolean;
function IsSymantecAutoProtect: Boolean;
function IsSymantecFiltr: Boolean;
function IsAvast: Boolean;
function IsAvira: Boolean;
function IsBitDefender: Boolean;
function IsBitDefender2008: Boolean;
function IsCaAv: Boolean;
function IsGDATA: Boolean;
function IsSpyWeeper: Boolean;
function IsMcAfeeVirScan: Boolean;
function IsAston: Boolean;
function IsLavasoftFire: Boolean;
function IsQuickHealFire: Boolean;
function IsBuhlFire: Boolean;
function IsSophosFire: Boolean;
function IsAgavaFire: Boolean;
function IsFSecureFire: Boolean;
function IsJeticoFire: Boolean;
function IsZoneAlarmFire: Boolean;
function IsCheckPointFire: Boolean;
function IsOnlineArmorFire: Boolean;
function IsVirusBuster: Boolean;
function IsMcAfeeFramework: Boolean;
function IsMcAfeeEenterprise: Boolean;
function IsMcAfeeScanOnline: Boolean;
function IsSophos: Boolean;
function IsComodoFire: Boolean;
function GetProtectProgs: PChar;

implementation

// Resolves a kernel32 export by name at run time, so the call does not show up in the import table
function ImportKernelFunc(const Name: String): Pointer;
var
KernelModule: THandle;
begin
KernelModule := GetModuleHandle('kernel32.dll');
Result := GetProcAddress(KernelModule, PChar(Name));
end;

// True if <system dir>\DrivePath exists and is not a directory
function DriveExist(const DrivePath: String): Boolean;
var
// Win32 API functions are stdcall; declaring them cdecl leaves the stack unbalanced after every call
GetSystemDirectory: function(lpBuffer: PChar; uSize: LongWord): LongWord; stdcall;
GetFileAttributes: function(lpFileName: PChar): LongWord; stdcall;
GSys: array[0..MAX_PATH] of Char;
SysPath: String;
Code: Integer;
begin
Result := False;
@GetSystemDirectory := ImportKernelFunc('GetSystemDirectoryA');
@GetFileAttributes := ImportKernelFunc('GetFileAttributesA');
if (@GetSystemDirectory = nil) or (@GetFileAttributes = nil) then
Exit;
GetSystemDirectory(GSys, MAX_PATH);
SysPath := String(GSys);
if Length(SysPath) > 0 then
if SysPath[Length(SysPath)] <> '\' then
SysPath := SysPath + '\';
SysPath := SysPath + DrivePath;
// -1 (INVALID_FILE_ATTRIBUTES) means the path does not exist; "and" binds tighter than "=" here
Code := GetFileAttributes(PChar(SysPath));
Result := (Code <> -1) and (FILE_ATTRIBUTE_DIRECTORY and Code = 0);
end;

function IsRing0(const Device: String): Boolean;
var
hFile: THandle;
begin
Result := False;
hFile := CreateFileA(PChar(Device), GENERIC_READ or GENERIC_WRITE, 0, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (hFile <> INVALID_HANDLE_VALUE) then
begin
CloseHandle(hFile);
Result := True;
end;
end;

function RegValueExists(RootKey: HKEY; Name: String): Boolean;
var
SubKey: String;
n: Integer;
hTemp: HKEY;
// Position of the last occurrence of Needle in Haystack, 0 if absent.
// A plain local counter is used: Result is undefined once a for loop runs to completion
function LastPos(Needle: Char; Haystack: String): Integer;
var
I: Integer;
begin
Result := 0;
for I := Length(Haystack) downto 1 do
if Haystack[I] = Needle then
begin
Result := I;
Break;
end;
end;
begin
Result := False;
n := LastPos('\', Name);
if n > 0 then
begin
SubKey := Copy(Name, 1, n - 1);
if RegOpenKeyEx(RootKey, PChar(SubKey), 0, KEY_READ, hTemp) = ERROR_SUCCESS then
begin
SubKey := Copy(Name, n + 1, Length(Name) - n);
Result := (RegQueryValueEx(hTemp, PChar(SubKey), nil, nil, nil, nil) = ERROR_SUCCESS);
RegCloseKey(hTemp);
end;
end;
end;

function RegKeyExists(RootKey: HKEY; Name: String): Boolean;
var
hTemp: HKEY;
begin
Result := False;
if RegOpenKeyEx(RootKey, PChar(Name), 0, KEY_READ, hTemp) = ERROR_SUCCESS then
begin
Result := True;
RegCloseKey(hTemp);
end;
end;

function UpperCase(const S: string): string;
asm
push ebx
push esi
push edi
mov esi, eax // s
mov eax, edx
test esi, esi
jz @Nil
mov edx, [esi-4] // Length(s)
mov edi, eax // @Result
test edx, edx
jle @Nil
mov ecx, [eax]
mov ebx, edx
test ecx, ecx
jz @Realloc // Jump if Result not allocated
test edx, 3
jnz @Length3
xor edx, [ecx-4]
cmp edx, 3
jbe @TestRef
jmp @Realloc
@Length3:
or edx, 2
xor edx, [ecx-4]
cmp edx, 1
ja @Realloc
@TestRef:
cmp [ecx-8], 1
je @LengthOK // Jump if Result RefCt=1
@Realloc:
mov edx, ebx
or edx, 3
call System.@LStrSetLength
@LengthOK:
mov edi, [edi] // Result
mov [edi-4], ebx // Correct Result length
mov byte ptr [ebx+edi], 0
add ebx, -1
and ebx, -4
mov eax, [ebx+esi]

@Loop: mov ecx, eax
or eax, $80808080 // $E1..$FA
mov edx, eax
sub eax, $7B7B7B7B // $66..$7F
xor edx, ecx // $80
or eax, $80808080 // $E6..$FF
sub eax, $66666666 // $80..$99
and eax, edx // $80
shr eax, 2 // $20
xor eax, ecx // Upper
mov [ebx+edi], eax
mov eax, [ebx+esi-4]
sub ebx, 4
jge @Loop

pop edi
pop esi
pop ebx
ret

@Nil: pop edi
pop esi
pop ebx
jmp System.@LStrClr // Result:=''
end;

Fliplab
24.02.2010, 14:47
// True if a Win32 service with this internal name or display name is registered with the SCM
function IsService(const ServiceName: String): Boolean;
type
_SERVICE_STATUS = record
dwServiceType: DWORD;
dwCurrentState: DWORD;
dwControlsAccepted: DWORD;
dwWin32ExitCode: DWORD;
dwServiceSpecificExitCode: DWORD;
dwCheckPoint: DWORD;
dwWaitHint: DWORD;
end;
SERVICE_STATUS = _SERVICE_STATUS;
PENUM_SERVICE_STATUS = ^ENUM_SERVICE_STATUS;
ENUM_SERVICE_STATUS = packed record
lpServiceName : PChar;
lpDisplayName : PChar;
ServiceStatus : SERVICE_STATUS;
end;
TcsEnumServicesStatus = function(
const hSCManager : DWord; // handle to SCM database
const dwServiceType : DWord; // service type
const dwServiceState : DWord; // service state
const lpServices : PENUM_SERVICE_STATUS; // status buffer
const cbBufSize : DWord; // size of status buffer
const pcbBytesNeeded : PDWORD; // buffer size needed
const lpServicesReturned : PDWord; // number of entries returned
const lpResumeHandle : PDWord // next entry
): Boolean; stdcall;
TcsOpenSCManager = function(
const lpMachineName : PChar;
const lpDatabaseName : PChar;
const dwDesiredAccess : DWord
): DWord; stdcall;
var
EnumServicesStatus: TcsEnumServicesStatus;
OpenSCManager: TcsOpenSCManager;
hSC, hLib: Cardinal;
pStatus: PENUM_SERVICE_STATUS;
pWork: PENUM_SERVICE_STATUS;
cbBufSize: DWord;
pcbBytesNeeded: DWord;
lpServicesReturned: DWord;
lpResumeHandle: DWord;
i: Integer;
s, s1: String;
begin
Result := False;
// The SCM API is resolved at run time; bail out instead of calling unassigned pointers
hLib := LoadLibrary('ADVAPI32.DLL');
if hLib = 0 then
Exit;
try
@EnumServicesStatus := GetProcAddress(hLib, 'EnumServicesStatusA');
@OpenSCManager := GetProcAddress(hLib, 'OpenSCManagerA');
if (@EnumServicesStatus = nil) or (@OpenSCManager = nil) then
Exit;
hSC := OpenSCManager(nil, nil, $0004); // SC_MANAGER_ENUMERATE_SERVICE
if hSC = 0 then
Exit;
try
// First call with an empty buffer only reports the size needed (ERROR_MORE_DATA)
cbBufSize := 0;
pStatus := nil;
lpResumeHandle := 0;
EnumServicesStatus(hSC, SERVICE_WIN32, SERVICE_STATE_ALL, pStatus,
cbBufSize, @pcbBytesNeeded, @lpServicesReturned, @lpResumeHandle);
pStatus := AllocMem(pcbBytesNeeded);
try
cbBufSize := pcbBytesNeeded;
if EnumServicesStatus(hSC, SERVICE_WIN32, SERVICE_STATE_ALL, pStatus,
cbBufSize, @pcbBytesNeeded, @lpServicesReturned, @lpResumeHandle) then
begin
pWork := pStatus;
for i := 0 to Integer(lpServicesReturned) - 1 do
begin
s := pWork.lpServiceName;
s1 := pWork.lpDisplayName;
// Match the internal service name or the display name, case-insensitively
if (UpperCase(ServiceName) = UpperCase(s)) or (UpperCase(ServiceName) = UpperCase(s1)) then
begin
Result := True;
Break;
end;
Inc(pWork);
end;
end;
finally
FreeMem(pStatus);
end;
finally
CloseServiceHandle(hSC);
end;
finally
// Break/Exit above no longer skip the cleanup
FreeLibrary(hLib);
end;
end;

// True if a running process has this image name (case-insensitive), via a ToolHelp snapshot
function IsProcess(const ProcessName: String): Boolean;
type
tagPROCESSENTRY32 = packed record
dwSize: DWORD;
cntUsage: DWORD;
th32ProcessID: DWORD; // this process
th32DefaultHeapID: DWORD;
th32ModuleID: DWORD; // associated exe
cntThreads: DWORD;
th32ParentProcessID: DWORD; // this process's parent process
pcPriClassBase: Longint; // Base priority of process's threads
dwFlags: DWORD;
szExeFile: array[0..MAX_PATH - 1] of Char;// Path
end;
TProcessEntry32 = tagPROCESSENTRY32;
var
// ToolHelp functions are stdcall Win32 APIs; cdecl here would unbalance the stack
CreateToolhelp32Snapshot: function(dwFlags, th32ProcessID: DWORD): THandle; stdcall;
Process32First: function(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL; stdcall;
Process32Next: function (hSnapshot: THandle; var lppe: TProcessEntry32): BOOL; stdcall;
ProcessEntry: TProcessEntry32;
SHandle: THandle;
Next: Boolean;
ExeFile, Target: String;
begin
Result := False;
@CreateToolHelp32Snapshot := ImportKernelFunc('CreateToolhelp32Snapshot');
@Process32First := ImportKernelFunc('Process32First');
@Process32Next := ImportKernelFunc('Process32Next');
if (@CreateToolhelp32Snapshot = nil) or (@Process32First = nil) or (@Process32Next = nil) then
Exit;
ProcessEntry.dwSize := SizeOf(TProcessEntry32);
SHandle := CreateToolHelp32Snapshot($00000002, 0); // TH32CS_SNAPPROCESS
if SHandle = INVALID_HANDLE_VALUE then
Exit;
try
Target := UpperCase(ProcessName);
// Each Process32First/Next call refills ProcessEntry, so the fresh szExeFile
// is compared on every iteration and the snapshot handle is always closed
Next := Process32First(SHandle, ProcessEntry);
while Next do
begin
ExeFile := ProcessEntry.szExeFile;
if UpperCase(ExeFile) = Target then
begin
Result := True;
Break;
end;
Next := Process32Next(SHandle, ProcessEntry);
end;
finally
CloseHandle(SHandle);
end;
end;

function IsUninstall(const ProgramName: String): Boolean;
var
Str, MBuf, DisplayName: String;
function RegEnum(RootKey: HKEY; Name: String; var ResultList: String; const DoKeys: Boolean): Boolean;
var
I, iRes: Integer;
S: String;
hTemp: HKEY;
Buf: Pointer;
BufSize: Cardinal;
begin
Result := False;
ResultList := '';
if RegOpenKeyEx(RootKey, PChar(Name), 0, KEY_READ, hTemp) = ERROR_SUCCESS then
begin
Result := True;
BufSize := 1024;
GetMem(buf, BufSize);
I := 0;
iRes := ERROR_SUCCESS;
while iRes = ERROR_SUCCESS do
begin
BufSize := 1024;
if DoKeys then
iRes := RegEnumKeyEx(hTemp, I, buf, BufSize, nil, nil, nil, nil)
else
iRes := RegEnumValue(hTemp, I, buf, BufSize, nil, nil, nil, nil);
if iRes = ERROR_SUCCESS then
begin
SetLength(S, BufSize);
Move(buf^, S[1], BufSize);
ResultList := Concat(S, #13#10, ResultList);
Inc(i);
end;
end;
FreeMem(Buf);
RegCloseKey(hTemp);
end;
end;
function RegEnumKeys(RootKey: HKEY; Name: String; var KeyList: String): Boolean;
begin
Result := RegEnum(RootKey, Name, KeyList, True);
end;
// Position of the last occurrence of Needle in Haystack, 0 if absent.
// A plain local counter is used: Result is undefined once a for loop runs to completion
function LastPos(Needle: Char; Haystack: String): Integer;
var
I: Integer;
begin
Result := 0;
for I := Length(Haystack) downto 1 do
if Haystack[I] = Needle then
begin
Result := I;
Break;
end;
end;
function RegValueExists(RootKey: HKEY; Name: String): Boolean;
var
SubKey: String;
n: Integer;
hTemp: HKEY;
begin
Result := False;
n := LastPos('\', Name);
if n > 0 then
begin
SubKey := Copy(Name, 1, n - 1);
if RegOpenKeyEx(RootKey, PChar(SubKey), 0, KEY_READ, hTemp) = ERROR_SUCCESS then
begin
SubKey := Copy(Name, n + 1, Length(Name) - n);
Result := (RegQueryValueEx(hTemp, PChar(SubKey), nil, nil, nil, nil) = ERROR_SUCCESS);
RegCloseKey(hTemp);
end;
end;
end;
function RegGetValue(RootKey: HKEY; Name: String; ValType: Cardinal; var PVal: Pointer; var ValSize: Cardinal): Boolean;
var
SubKey: String;
n: Integer;
MyValType: DWORD;
hTemp: HKEY;
Buf: Pointer;
BufSize: Cardinal;
PKey: PChar;
begin
Result := False;
n := LastPos('\', Name);
if n > 0 then
begin
SubKey := Copy(Name, 1, n - 1);
if RegOpenKeyEx(RootKey, PChar(SubKey), 0, KEY_READ, hTemp) = ERROR_SUCCESS then
begin
SubKey := Copy(Name, n + 1, Length(Name) - n);
if SubKey = '' then
PKey := nil
else
PKey := PChar(SubKey);
if RegQueryValueEx(hTemp, PKey, nil, @MyValType, nil, @BufSize) = ERROR_SUCCESS then
begin
GetMem(Buf, BufSize);
if RegQueryValueEx(hTemp, PKey, nil, @MyValType, Buf, @BufSize) = ERROR_SUCCESS then
begin
if ValType = MyValType then
begin
PVal := Buf;
ValSize := BufSize;
Result := True;
end
else
FreeMem(Buf)
end
else
FreeMem(Buf);
end;
RegCloseKey(hTemp);
end;
end;
end;
function RegGetString(RootKey: HKEY; Name: String; Var Value: String): Boolean;
var
Buf: Pointer;
BufSize: Cardinal;
begin
Result := False;
Value := '';
if RegGetValue(RootKey, Name, REG_SZ, Buf, BufSize) then
begin
// Drop the terminating #0 only if the stored data actually has one; unguarded Dec on 0 would wrap to $FFFFFFFF
if (BufSize > 0) and (PChar(Buf)[BufSize - 1] = #0) then
Dec(BufSize);
SetLength(Value, BufSize);
if BufSize > 0 then
Move(Buf^, Value[1], BufSize);
FreeMem(Buf);
Result := True;
end;
end;
begin
Result := False;
if RegEnumKeys(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', Str) then
while Length(Str) > 0 do
begin
MBuf := Copy(Str, 1, Pos(#13#10, Str) - 1);
Delete(Str, 1, Pos(#13#10, Str) + 1);
if RegValueExists(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\' + MBuf + '\DisplayName') then
begin
RegGetString(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\' + MBuf + '\DisplayName', DisplayName);
DisplayName := UpperCase(DisplayName);
if Pos(UpperCase(ProgramName), DisplayName) > 0 then
begin
Result := True;
Exit;
end;
end;
end;
end;

// ESET NOD32 Integrity Issue
function IsNod32Integrity: Boolean;
begin
if (IsService('nod32krn')) or (IsService('ekrn')) then
Result := True
else
Result := False;
end;

// ESET NOD32 On-Access Issue
function IsNod32OnAccess: Boolean;
begin
if (DriveExist('drivers\amon.sys')) or (DriveExist('drivers\eamon.sys')) then
Result := True
else
Result := False;
end;

// ESET SysInspector Issue
function IsEsetSysInspector: Boolean;
begin
if IsRing0('\\.\ESIASDRV') then
Result := True
else
Result := False;
end;

Fliplab
24.02.2010, 14:48
// Kaspersky On-Access Scanner Issue
function IsKlif: Boolean;
begin
if DriveExist('drivers\klif.sys') then
Result := True
else
Result := False;
end;

// Legacy Kaspersky Service Issue
function IsKavAVP: Boolean;
begin
if IsService('avp') then
Result := True
else
Result := False;
end;

// Trend Micro Internet Security Issue
function IsTrendMicro: Boolean;
begin
if IsRing0('\\.\TMACTMON') then
Result := True
else
Result := False;
end;

// Malwarebytes' Anti-Malware Issue
function IsAntiMalware: Boolean;
begin
if (DriveExist('drivers\mbam.sys')) or (DriveExist('drivers\mbamswissarmy.sys')) then
Result := True
else
Result := False;
end;

// Zillya! Antivirus Issue
function IsZillya: Boolean;
begin
if DriveExist('drivers\ZFMSYS.sys') then
Result := True
else
Result := False;
end;

// Lavasoft Ad-Aware Issue
function IsAdAware: Boolean;
begin
if (DriveExist('drivers\lbd.sys')) or (IsRing0('\\.\LBD')) then
Result := True
else
Result := False;
end;

// Microsoft Security Essentials Issue
function IsMSecEssentials: Boolean;
begin
if (DriveExist('drivers\mpfilter.sys')) or (IsUninstall('Microsoft Security Essentials')) then
Result := True
else
Result := False;
end;

// Advanced SystemCare Issue
function IsAdvancedSysCare: Boolean;
begin
if IsUninstall('Advanced SystemCare') then
Result := True
else
Result := False;
end;

// Antivirus Stop! Issue
function IsAvirStop: Boolean;
begin
if IsUninstall('Антивирус Stop!') then
Result := True
else
Result := False;
end;

// USBGuard Issue
function IsUSBGuard: Boolean;
begin
if IsUninstall('USBGuard') then
Result := True
else
Result := False;
end;

// AnVir Task Manager Issue
function IsAnvitTaskMgr: Boolean;
begin
if IsUninstall('AnVir Task Manager') then
Result := True
else
Result := False;
end;

// Spy Hunter Issue
function IsSpyHunter: Boolean;
begin
if IsUninstall('SpyHunter') then
Result := True
else
Result := False;
end;

// DrWeb Issue
function IsDrWeb: Boolean;
begin
if (IsService('spidernt')) or (DriveExist('drivers\spider.sys')) then
Result := True
else
Result := False;
end;

// AVG Anti-Virus Issue
function IsAvgAv: Boolean;
begin
if (IsService('Avg7Alrt')) or (DriveExist('drivers\avg7rsxp.sys'))
or (DriveExist('drivers\avgmfx86.sys')) or (DriveExist('drivers\avgmfx64.sys')) then
Result := True
else
Result := False;
end;

// Agnitum Outpost Firewall Issue
function IsOutpostFire: Boolean;
begin
if (DriveExist('drivers\afwcore.sys')) or (DriveExist('drivers\afw.sys'))
or (IsUninstall('Outpost')) or (DriveExist('filt\aswfilt.dll')) or (DriveExist('drivers\sandbox.sys')) then
Result := True
else
Result := False;
end;

// Norton (Symantec) AntiVirus Issue
function IsSymantec: Boolean;
begin
if (IsService('CLTNetCnService')) or (IsService('ccEvtMgr')) then
Result := True
else
Result := False;
end;

// Symantec AntiVirus AutoProtect Issue
function IsSymantecAutoProtect: Boolean;
begin
if (IsService('ccEvtMgr')) or (DriveExist('drivers\eectrl.sys')) then
Result := True
else
Result := False;
end;

// Symantec AntiVirus Content Filtration Issue
function IsSymantecFiltr: Boolean;
begin
if DriveExist('drivers\SYMTDI.sys') then
Result := True
else
Result := False;
end;

// Avast! Issue
function IsAvast: Boolean;
begin
if RegValueExists(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\avast!\InstallLocation') then
Result := True
else
Result := False;
end;

// Avira AntiVir Issue
function IsAvira: Boolean;
begin
if (DriveExist('drivers\avgio.sys')) or (DriveExist('drivers\avgntflt.sys'))
or (DriveExist('drivers\avgntdd.sys')) then
Result := True
else
Result := False;
end;

// BitDefender AntiVirus Issue
function IsBitDefender: Boolean;
begin
if DriveExist('drivers\bdrsdrv.sys') then
Result := True
else
Result := False;
end;

// BitDefender Antivirus 2008 Issue
function IsBitDefender2008: Boolean;
begin
if IsService('vsserv') then
Result := True
else
Result := False;
end;

// CA Anti-Virus Issue
function IsCaAv: Boolean;
begin
if (IsService('InoRT')) or (IsService('InoRPC')) or (IsService('InoTask'))
or (IsService('InoNmSrv')) or (IsService('vetmsgnt')) then
Result := True
else
Result := False;
end;

// GDATA AntiVirusKit Issue
function IsGDATA: Boolean;
begin
if (IsService('AVKWCtl')) or (IsService('AVKService')) then
Result := True
else
Result := False;
end;

Fliplab
24.02.2010, 14:49
// Spy Sweeper Issue
function IsSpyWeeper: Boolean;
begin
if IsService('WebrootSpySweeperService') then
Result := True
else
Result := False;
end;

// McAfee VirusScan Issue
function IsMcAfeeVirScan: Boolean;
begin
if IsService('McShield') then
Result := True
else
Result := False;
end;

// Aston Issue
function IsAston: Boolean;
begin
if RegKeyExists(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Aston') then
Result := True
else
Result := False;
end;

// Lavasoft Firewall Issue
function IsLavasoftFire: Boolean;
begin
if (IsService('LavasoftFirewall')) or (RegValueExists(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lavasoft Firewall Pro_is1\InstallLocation')) then
Result := True
else
Result := False;
end;

// Quick Heal Firewall Issue
function IsQuickHealFire: Boolean;
begin
if IsService('QuickHealFirewall') then
Result := True
else
Result := False;
end;

// PC Firewall Issue
function IsBuhlFire: Boolean;
begin
if IsService('SFirewall') then
Result := True
else
Result := False;
end;

// Sophos Client Firewall Issue
function IsSophosFire: Boolean;
begin
if IsService('SophosFirewall') then
Result := True
else
Result := False;
end;

// AGAVA Firewall Issue
function IsAgavaFire: Boolean;
begin
if IsService('fwservice') then
Result := True
else
Result := False;
end;

// F-Secure Firewall Issue
function IsFSecureFire: Boolean;
begin
if DriveExist('drivers\fsfw.sys') then
Result := True
else
Result := False;
end;

// Jetico Firewall Issue
function IsJeticoFire: Boolean;
begin
if IsService('Jetico Personal Firewall server') then
Result := True
else
Result := False;
end;

// ZoneAlarm Firewall Issue
function IsZoneAlarmFire: Boolean;
begin
if IsService('vsmon') then
Result := True
else
Result := False;
end;

// CheckPoint Firewall Issue
function IsCheckPointFire: Boolean;
begin
if IsService('FW1SVC') then
Result := True
else
Result := False;
end;

// Online Armor Personal Firewall Issue
function IsOnlineArmorFire: Boolean;
begin
if IsService('SvcOnlineArmor') then
Result := True
else
Result := False;
end;

// VirusBuster Issue
function IsVirusBuster: Boolean;
begin
if IsService('VBCompManService') then
Result := True
else
Result := False;
end;

// McAfee Framework Self Protection Issue
function IsMcAfeeFramework: Boolean;
begin
if RegValueExists(HKEY_LOCAL_MACHINE, 'SOFTWARE\Network Associates\TVD\Shared Components\Framework\Installed Path') then
Result := True
else
Result := False;
end;

// McAfee Enterprise Self Protection Issue
function IsMcAfeeEenterprise: Boolean;
begin
if RegValueExists(HKEY_LOCAL_MACHINE, 'SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir') then
Result := True
else
Result := False;
end;

// McAfee Online Scan Self Protection Issue
function IsMcAfeeScanOnline: Boolean;
begin
if RegValueExists(HKEY_LOCAL_MACHINE, 'SOFTWARE\McAfee.com\Virusscan Online\Install Dir') then
Result := True
else
Result := False;
end;

// Sophos Antivirus Issue
function IsSophos: Boolean;
begin
if IsService('savprogress.exe') then
Result := True
else
Result := False;
end;

// Comodo FireWall Issue
function IsComodoFire: Boolean;
begin
// The Uninstall key lives under CurrentVersion, as in the other checks above
if RegKeyExists(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Comodo Firewall') then
Result := True
else
Result := False;
end;

// Checks whether any known protection product is installed on the computer
function IsPCProtect: Boolean;
begin
Result := False;
if IsNod32Integrity or IsNod32OnAccess or IsEsetSysInspector or IsKlif
or IsKavAVP or IsTrendMicro or IsAntiMalware or IsZillya or IsAdAware
or IsMSecEssentials or IsAdvancedSysCare or IsAvirStop or IsUSBGuard
or IsAnvitTaskMgr or IsSpyHunter or IsDrWeb or IsAvgAv or IsOutpostFire
or IsSymantec or IsSymantecAutoProtect or IsSymantecFiltr or IsAvast
or IsAvira or IsBitDefender or IsBitDefender2008 or IsCaAv or IsGDATA
or IsSpyWeeper or IsMcAfeeVirScan or IsAston or IsLavasoftFire
or IsQuickHealFire or IsBuhlFire or IsSophosFire or IsAgavaFire
or IsFSecureFire or IsJeticoFire or IsZoneAlarmFire or IsCheckPointFire
or IsOnlineArmorFire or IsVirusBuster or IsMcAfeeFramework
or IsMcAfeeEenterprise or IsMcAfeeScanOnline or IsSophos or IsComodoFire then
Result := True;
end;

var
ProgNames: String; // unit-level on purpose: the PChar returned by GetProtectProgs must outlive the call (a local string would be freed on exit, leaving a dangling pointer)

// Returns all installed protection products as a ';'-separated list; the buffer is overwritten by the next call
function GetProtectProgs: PChar;
begin
Result := '';
ProgNames := '';
if IsNod32Integrity then
ProgNames := ProgNames + NOD32_INTEGRITY_ISSUE + ';';
if IsNod32OnAccess then
ProgNames := ProgNames + NOD32_ON_ACCESS_ISSUE + ';';
if IsEsetSysInspector then
ProgNames := ProgNames + NOD32_SYSINSPECTOR_ISSUE + ';';
if IsKlif then
ProgNames := ProgNames + KLIF_ISSUE + ';';
if IsKavAVP then
ProgNames := ProgNames + KAVAVP_ISSUE + ';';
if IsTrendMicro then
ProgNames := ProgNames + TREND_MICRO_INET_SEC_ISSUE + ';';
if IsAntiMalware then
ProgNames := ProgNames + MALWAREBYTES_ISSUE + ';';
if IsZillya then
ProgNames := ProgNames + ZILLYA_ISSUE + ';';
if IsAdAware then
ProgNames := ProgNames + LAVASOFT_ADADWARE_ISSUE + ';';
if IsMSecEssentials then
ProgNames := ProgNames + MICROSOFT_SEC_ESSENTIALS_ISSUE + ';';
if IsAdvancedSysCare then
ProgNames := ProgNames + SYSTEMCARE_ISSUE + ';';
if IsAvirStop then
ProgNames := ProgNames + STOP_ISSUE + ';';
if IsUSBGuard then
ProgNames := ProgNames + USBGUARD_ISSUE + ';';
if IsAnvitTaskMgr then
ProgNames := ProgNames + ANVIR_TASK_MGR_ISSUE + ';';
if IsSpyHunter then
ProgNames := ProgNames + SPYHUNTER_ISSUE + ';';
if IsDrWeb then
ProgNames := ProgNames + DRWEB_ISSUE + ';';
if IsAvgAv then
ProgNames := ProgNames + AVG_AV_ISSUE + ';';
if IsOutpostFire then
ProgNames := ProgNames + AGNITUM_ISSUE + ';';
if IsSymantec then
ProgNames := ProgNames + SYMANTEC_ISSUE + ';';
if IsSymantecAutoProtect then
ProgNames := ProgNames + SYMANTEC_AUTOPROTECT_ISSUE + ';';
if IsSymantecFiltr then
ProgNames := ProgNames + SYMANTEC_FILTRATION_ISSUE + ';';
if IsAvast then
ProgNames := ProgNames + AVAST_ISSUE + ';';
if IsAvira then
ProgNames := ProgNames + AVIRA_ISSUE + ';';
if IsBitDefender then
ProgNames := ProgNames + BITDEFENDER_AV_ISSUE + ';';
if IsBitDefender2008 then
ProgNames := ProgNames + BITDEFENDER_AV_2008_ISSUE + ';';
if IsCaAv then
ProgNames := ProgNames + CA_ISSUE + ';';
if IsGDATA then
ProgNames := ProgNames + GDATA_AVK_ISSUE + ';';
if IsSpyWeeper then
ProgNames := ProgNames + SPYSWEEPER_ISSUE + ';';
if IsMcAfeeVirScan then
ProgNames := ProgNames + MCAFEE_ISSUE + ';';
if IsAston then
ProgNames := ProgNames + ASTON_ISSUE + ';';
if IsLavasoftFire then
ProgNames := ProgNames + LAVASOFT_FIREWALL_ISSUE + ';';
if IsQuickHealFire then
ProgNames := ProgNames + QUICKHEAL_FIREWALL_ISSUE + ';';
if IsBuhlFire then
ProgNames := ProgNames + BUHL_FIREWALL_ISSUE + ';';
if IsSophosFire then
ProgNames := ProgNames + SOPHOS_FIREWALL_ISSUE + ';';
if IsAgavaFire then
ProgNames := ProgNames + AGAVA_FIREWALL_ISSUE + ';';
if IsFSecureFire then
ProgNames := ProgNames + FSECURE_FIREWALL_ISSUE + ';';
if IsJeticoFire then
ProgNames := ProgNames + JETICO_FIREWALL_ISSUE + ';';
if IsZoneAlarmFire then
ProgNames := ProgNames + ZONEALARM_FIREWALL_ISSUE + ';';
if IsCheckPointFire then
ProgNames := ProgNames + CHECKPOINT_FIREWALL_ISSUE + ';';
if IsOnlineArmorFire then
ProgNames := ProgNames + ONLINEARMOR_FIREWALL_ISSUE + ';';
if IsVirusBuster then
ProgNames := ProgNames + VIRUSBUSTER_ISSUE + ';';
if IsMcAfeeFramework then
ProgNames := ProgNames + MCAFEE_FRAMEWORK_ISSUE + ';';
if IsMcAfeeEenterprise then
ProgNames := ProgNames + MCAFEE_ENTERPRISE_ISSUE + ';';
if IsMcAfeeScanOnline then
ProgNames := ProgNames + MCAFEE_SCAN_ONLINE_ISSUE + ';';
if IsSophos then
ProgNames := ProgNames + SOPHOS_ISSUE + ';';
if IsComodoFire then
ProgNames := ProgNames + COMODO_ISSUE + ';';
Result := PChar(ProgNames);
end;

end.
http://slil.ru/28697373 - Download Antivirus Detector v0.3 [Beta] (Delphi Module)

Fliplab
25.02.2010, 11:54
Does anyone have any more ideas for additions?

flacs
25.02.2010, 13:54
IsService() is a decent function, it will come in handy.
Gave you a +1, keep it up )

Fliplab
25.02.2010, 15:40
Decent it may be, but it gave me some trouble at first.

Fliplab
01.03.2010, 11:56
Fine, since nobody wants to help any further, the unit goes into the closet and will be developed further in private messages.