Security tools such as antivirus, EDR, firewalls, VPNs, and network filters can silently interfere with application connectivity, background services, and software installations or updates.
This PowerShell script helps you identify which security products are active on a Windows device so you can rule them out during troubleshooting.
The script checks for security software across:
- Running processes
- Installed services and programs
- Registry entries
- Listening ports
- Trusted root certificates
- Browser extensions
NOTE:
• PowerShell 5.1 or later is required.
• Run PowerShell as an administrator to ensure complete results.
```powershell
<#
.SYNOPSIS
    Security Tool Scanner Script
.DESCRIPTION
    Scans the system for traces of known security tools across processes, services, programs, registry, ports, certificates, and browser extensions.
.NOTES
    Version: 1.0
    Last updated: 2025-07-16
    Prerequisites:
    - PowerShell 5.1 or later
    - Run PowerShell or PowerShell ISE as Administrator
    Run this script with elevated privileges to ensure full access to system resources.
#>

# Define keywords to search for
$keywords = @(
    # EDR/XDR/MDR
    "CrowdStrike", "SentinelOne", "Carbon Black", "Microsoft Defender", "Sophos", "Trellix",
    "Trend Micro", "Bitdefender", "ESET", "Malwarebytes", "Heimdal", "Webroot", "Elastic",
    "Cortex XDR", "FireEye", "Kaspersky", "Avast", "AVG", "Comodo", "F-Secure", "G DATA",
    "Panda", "Cisco Secure Endpoint", "Workspace ONE", "Cybereason", "Cylance", "Deep Instinct",
    "ReaQta", "Taegis", "EclecticIQ", "Huntress", "Sophos MDR", "Bitdefender MDR",
    "Vigilance", "Unit 42", "Red Canary", "Falcon Complete", "Taegis MDR",
    # DLP / Insider Threat
    "Forcepoint", "Symantec", "Digital Guardian", "ObserveIT", "Teramind", "Varonis", "Ekran",
    "Code42", "Purview", "ActivTrak", "Veriato", "InterGuard",
    # Firewalls / NGFW
    "Fortinet", "Palo Alto", "Cisco ASA", "Firepower", "Check Point", "SonicWall", "WatchGuard",
    "Barracuda", "pfSense", "Untangle", "IPFire", "Hillstone", "Juniper SRX", "Sophos XG",
    "KerioControl",
    # Cloud / CNAPP / CSPM
    "Prisma Cloud", "Wiz", "Lacework", "Orca Security", "Aqua Security", "Sysdig", "Snyk",
    "Tenable Cloud Security",
    # Zero Trust / VPN / SASE
    "Zscaler", "Cloudflare", "Perimeter 81", "NordLayer", "NordVPN", "Tailscale", "OpenVPN",
    "AnyConnect", "Pulse Secure", "Ivanti Neurons", "Akamai", "Appgate",
    # Identity / PAM
    "Okta", "Duo", "CyberArk", "BeyondTrust", "Thycotic", "Delinea", "One Identity", "JumpCloud",
    # Patch / RMM / Asset
    "NinjaOne", "Datto", "Kaseya", "BigFix", "SCCM", "MECM", "Endpoint Central", "PDQ",
    "SolarWinds", "Patch Manager Plus", "Ivanti Security Controls", "Qualys", "Tanium Comply",
    # Vulnerability / ASM
    "Qualys VMDR", "InsightVM", "Nessus", "Tenable.io", "Intruder", "Outpost24", "Detectify",
    "Censys", "Shodan",
    # SIEM / SOAR
    "Splunk", "Rapid7", "Exabeam", "QRadar", "LogRhythm", "Sumo Logic", "Microsoft Sentinel",
    "Devo", "Arctic Wolf", "Blumira", "Logz.io", "Graylog", "AlienVault", "OSSIM", "USM Anywhere"
)

# Setup output path
$timestamp = (Get-Date).ToString("yyyy-MM-ddTHH-mm-ss")
$outputDir = Join-Path $env:USERPROFILE "Documents\SecurityToolScanResults"
$outputPath = Join-Path $outputDir "scan_results_$timestamp.txt"

# Ensure output directory exists
if (-not (Test-Path $outputDir)) {
    try {
        New-Item -Path $outputDir -ItemType Directory -ErrorAction Stop | Out-Null
    } catch {
        Write-Host "Failed to create output directory: $($_.Exception.Message)" -ForegroundColor Red
        exit
    }
}

# Function to write section headers
function Write-Section {
    param ($title)
    Add-Content -Path $outputPath -Value "`n=== $title ===`n"
    Write-Host "`n=== $title ===`n" -ForegroundColor Cyan
}

# Function to write and display results
function Write-Result {
    param ($text, $color = "Gray")
    Add-Content -Path $outputPath -Value $text
    Write-Host $text -ForegroundColor $color
}

# Function to extract extension names from manifest.json
# Layout scanned: <Extensions>\<extension ID>\<version>\manifest.json
function Get-ExtensionNameFromManifest {
    param ($Path, $Browser)
    try {
        Get-ChildItem -Path $Path -Directory | ForEach-Object {
            $extId = $_.Name
            Get-ChildItem -Path $_.FullName -Directory | ForEach-Object {
                $manifest = Join-Path $_.FullName "manifest.json"
                if (Test-Path $manifest) {
                    try {
                        $json = Get-Content $manifest -Raw | ConvertFrom-Json
                        $line = "$Browser Extension: $($json.name) (ID: $extId, Version: $($json.version))"
                        Write-Result $line "Green"
                    } catch {
                        Write-Result "$Browser Extension: Failed to read manifest for $extId - $($_.Exception.Message)" "Red"
                    }
                }
            }
        }
    } catch {
        Write-Result "Error scanning $Browser extensions: $($_.Exception.Message)" "Red"
    }
}

# === 1. Running Processes ===
Write-Section "Running Processes"
try {
    foreach ($keyword in $keywords) {
        Get-Process | Where-Object { $_.Name -like "*$keyword*" } | ForEach-Object {
            Write-Result "Process: $($_.Name) (PID: $($_.Id))" "Yellow"
        }
    }
} catch {
    Write-Result "Error retrieving running processes: $($_.Exception.Message)" "Red"
}

# === 2. Installed Services ===
Write-Section "Installed Services"
try {
    foreach ($keyword in $keywords) {
        Get-Service | Where-Object { $_.DisplayName -like "*$keyword*" -or $_.Name -like "*$keyword*" } | ForEach-Object {
            Write-Result "Service: $($_.DisplayName) (Status: $($_.Status))" "Yellow"
        }
    }
} catch {
    Write-Result "Error retrieving services: $($_.Exception.Message)" "Red"
}

# === 3. Installed Programs ===
# Reads both the 32-bit (Wow6432Node) and 64-bit uninstall keys
Write-Section "Installed Programs"
try {
    $installedApps = Get-ItemProperty 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction Stop
    foreach ($keyword in $keywords) {
        $installedApps | Where-Object { $_.DisplayName -like "*$keyword*" } | ForEach-Object {
            Write-Result "Program: $($_.DisplayName)" "Yellow"
        }
    }
} catch {
    Write-Result "Error retrieving installed programs: $($_.Exception.Message)" "Red"
}

# === 4. Registry Entries (Services) ===
Write-Section "Registry Entries (Services)"
try {
    foreach ($keyword in $keywords) {
        Get-ChildItem -Path HKLM:\System\CurrentControlSet\Services -ErrorAction Stop |
            Where-Object { $_.Name -like "*$keyword*" } | ForEach-Object {
                Write-Result "Registry Service Key: $($_.Name)" "Yellow"
            }
    }
} catch {
    Write-Result "Error accessing registry services: $($_.Exception.Message)" "Red"
}

# === 5. Listening Ports with Process Mapping ===
# Lists every listening TCP port (no keyword filter) with its owning process
Write-Section "Listening Ports (Process Mapped)"
try {
    $connections = Get-NetTCPConnection -State Listen -ErrorAction Stop
    foreach ($conn in $connections) {
        try {
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction Stop
            $line = "Port: $($conn.LocalPort) | Address: $($conn.LocalAddress) | PID: $($proc.Id) | Process: $($proc.ProcessName)"
            Write-Result $line "Yellow"
        } catch {
            Write-Result "Port: $($conn.LocalPort) | PID: $($conn.OwningProcess) | Process: [Unknown - $($_.Exception.Message)]" "Red"
        }
    }
} catch {
    Write-Result "Error retrieving listening ports: $($_.Exception.Message)" "Red"
}

# === 6. Certificate Store ===
Write-Section "Certificate Store (Trusted Root CAs)"
try {
    $certs = Get-ChildItem -Path Cert:\LocalMachine\Root -ErrorAction Stop
    foreach ($keyword in $keywords) {
        $certs | Where-Object { $_.Subject -like "*$keyword*" } | ForEach-Object {
            Write-Result "Certificate: $($_.Subject)" "Yellow"
        }
    }
} catch {
    Write-Result "Error accessing certificate store: $($_.Exception.Message)" "Red"
}

# === 7. Browser Extensions ===
# Only the "Default" browser profile of the current user is scanned

# Chrome
$chromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
if (Test-Path $chromePath) {
    Write-Section "Chrome Extensions"
    Get-ExtensionNameFromManifest -Path $chromePath -Browser "Chrome"
}

# Edge
$edgePath = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
if (Test-Path $edgePath) {
    Write-Section "Edge Extensions"
    Get-ExtensionNameFromManifest -Path $edgePath -Browser "Edge"
}

# Firefox
Write-Section "Firefox Extensions"
try {
    $firefoxProfiles = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -ErrorAction Stop
    # $ffProfile rather than $profile, which is a PowerShell automatic variable
    foreach ($ffProfile in $firefoxProfiles) {
        $extPath = Join-Path $ffProfile.FullName "extensions"
        if (Test-Path $extPath) {
            Get-ChildItem -Path $extPath | ForEach-Object {
                Write-Result "Firefox Extension: $($_.Name) in Profile: $($ffProfile.Name)" "Green"
            }
        }
    }
} catch {
    Write-Result "Error retrieving Firefox extensions: $($_.Exception.Message)" "Red"
}

# === Final Output Path ===
try {
    $resolvedPath = Resolve-Path -Path $outputPath -ErrorAction Stop
    Write-Host "`nScan complete. Results saved to:`n$resolvedPath`n" -ForegroundColor Cyan
} catch {
    Write-Host "Scan complete, but failed to resolve output path: $($_.Exception.Message)" -ForegroundColor Red
}
```
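The Running Processes check in the script matches each keyword against the process name only, so a product whose executable is not named after its vendor is missed, while short keywords such as "Wiz" or "Duo" can match unrelated names. The following is an added example, not part of the original script: the function name `Find-SecurityProcess`, the `ShortKeywordLength` threshold and the sample records are assumptions made for illustration. It also checks the `Company`, `Description` and `Path` properties that `Get-Process` exposes and marks name-only hits on short keywords as low confidence.

```powershell
# Added example: match keywords against several process fields, not only the name.
function Find-SecurityProcess {
    param (
        [Parameter(Mandatory)] [object[]] $Process,   # objects with Name, Id, Company, Description, Path
        [Parameter(Mandatory)] [string[]] $Keyword,
        [int] $ShortKeywordLength = 4                 # assumption: keywords this short are ambiguous
    )
    $fields = 'Name', 'Company', 'Description', 'Path'
    foreach ($p in $Process) {
        foreach ($k in $Keyword) {
            # Escape the keyword so names like "Logz.io" are matched literally
            $pattern = [regex]::Escape($k)
            $hitFields = @($fields | Where-Object { $p.$_ -and ($p.$_ -match $pattern) })
            if ($hitFields.Count -eq 0) { continue }
            # A short keyword found only inside the process name is a weak signal
            $weak = ($k.Length -le $ShortKeywordLength) -and
                    ($hitFields.Count -eq 1) -and ($hitFields[0] -eq 'Name')
            [pscustomobject]@{
                Name       = $p.Name
                Id         = $p.Id
                Keyword    = $k
                MatchedOn  = $hitFields -join ','
                Confidence = if ($weak) { 'Low' } else { 'High' }
            }
        }
    }
}

# Constructed sample records (not real scan output) so the logic can be checked offline
$sample = @(
    [pscustomobject]@{ Name = 'agentsvc';    Id = 1010; Company = 'Sophos Ltd'
                       Description = 'Endpoint agent'; Path = 'C:\Program Files\Sophos\agentsvc.exe' }
    [pscustomobject]@{ Name = 'SetupWizard'; Id = 2020; Company = 'Contoso'
                       Description = 'Installer';      Path = 'C:\Temp\SetupWizard.exe' }
    [pscustomobject]@{ Name = 'notepad';     Id = 3030; Company = 'Microsoft Corporation'
                       Description = 'Notepad';        Path = 'C:\Windows\System32\notepad.exe' }
)

# agentsvc is found via Company and Path (High); SetupWizard is a name-only "Wiz" hit (Low)
Find-SecurityProcess -Process $sample -Keyword 'Sophos', 'Wiz', 'Duo' | Format-Table -AutoSize

# Live use with the script's own list, from an elevated session:
# Find-SecurityProcess -Process (Get-Process) -Keyword $keywords | Sort-Object Confidence, Name
```

Without elevation, `Company` and `Path` are empty for processes the current user cannot open, so those processes can still only be matched by name.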
Next steps
- Open the Documents\SecurityToolScanResults folder.
- Review the results file for any unexpected or blocking security tools.
- If needed, work with your IT or security team before removing or changing security software.