Skip to main content

Windows Server/Workstation | Antivirus Displayed Multiple Times

Updated over a week ago

Overview 💥

In some cases, partners may observe the same antivirus (AV) product appearing multiple times in Liongard inspectors dataprint (for example, AVs[].Name showing the same AV repeatedly). This behavior is most commonly reported on Windows workstations and servers.


Example :

This is not caused by Liongard.

Liongard accurately reports antivirus information exactly as it is exposed by Windows Security Center via WMI. If Windows reports multiple antivirus registrations, Liongard will faithfully display each one.

How Liongard Collects Antivirus Data 🔍

On Windows systems, Liongard retrieves antivirus information from Windows Security Center via WMI.

WMI Source

  • Namespace: root\SecurityCenter2

  • Class: AntiVirusProduct

During an inspection:

  • Liongard queries the AntiVirusProduct class through WMI.

  • The antivirus products that Windows reports are collected from this class.

  • Those results are then mapped into Liongard’s Windows endpoint Dataprint in the antivirus/security section.

Liongard does not try to reinterpret or “guess” which entries should be combined beyond what Windows itself reports. If Windows exposes multiple antivirus entries (even if they appear similar), Liongard will surface those entries so that partners can see exactly what the operating system is reporting.

📌 This design is intended to provide a faithful reflection of the operating system’s reported security state, which helps avoid hiding misconfigurations or unexpected conditions that might be visible in Windows Security Center.

Why the Same Antivirus Appears Multiple Times 🤔

Windows Security Center does not automatically prevent or clean up duplicate antivirus registrations. As a result, antivirus products may become registered multiple times in WMI.

Common causes include:

  • Antivirus upgrades or major version changes

  • Reinstallations that do not fully remove previous WMI registrations

  • Failed or interrupted uninstall / reinstall attempts

  • Vendor self-protection mechanisms re-registering the product

  • WMI repository inconsistencies or corruption

When this occurs, Windows exposes multiple AntiVirusProduct instances with identical properties, such as:

  • Same display name

  • Same executable path

  • Same product state value

Each instance is treated as a separate AV record by Windows, and Liongard reports each one as provided.

Example Validation 👨‍🔧

If validation is required, the following PowerShell command can be run locally on the affected system:

Get-CimInstance -Namespace "root\SecurityCenter2" -ClassName AntiVirusProduct | Select-Object displayName, pathToSignedProductExe, productState

🔎 What to look for:

  • If the same antivirus appears multiple times in the output, this confirms the duplication exists at the Windows WMI level.

  • Liongard is simply reflecting what Windows reports.

Example :

Why This Is Not a Liongard Defect 🧑‍🏫

  • Liongard does not intentionally create or synthesize additional antivirus entries beyond what Windows reports.

  • Liongard surfaces the antivirus products that Windows Security Center exposes via WMI, without trying to decide which entries should be combined or hidden.

  • Any tool that queries root\SecurityCenter2 and the AntiVirusProduct class in a comparable way would see the same underlying antivirus product data.

  • Automatically deduplicating or collapsing AV entries would require assumptions about which entries “belong together” and could hide real misconfigurations or valid security conditions.

This behavior is by design, is applied consistently in the Windows inspectors, and aligns with Liongard’s emphasis on data accuracy and transparency—showing what the operating system reports rather than masking it.

Recommended Resolution 👨‍💻

If duplicate antivirus entries are not desired, remediation must occur on the endpoint, not within Liongard.

Recommended actions:

  • Repair or reinstall the antivirus using vendor-recommended cleanup or removal tools

  • Ensure only one active antivirus product is installed

  • Validate WMI repository health (for example, using winmgmt /verifyrepository)

  • Confirm only a single AV entry exists in AntiVirusProduct

  • Re-run the Liongard inspection

Once Windows reports a single antivirus instance, Liongard will automatically reflect the corrected state.

Impact 🚀

  • Reporting dashboards and data prints may show multiple AV entries

  • No inspection or agent failures occur

  • Liongard functionality is not affected

  • Security posture is determined by the endpoint configuration, not Liongard

Summary

Liongard displays multiple antivirus entries only when Windows Security Center reports multiple antivirus registrations. This is an operating system–level condition and must be resolved at the endpoint.

Liongard accurately reflects the system state and does not alter, merge, or deduplicate antivirus data, ensuring full visibility and reliable security reporting.

If you have questions or need help validating endpoint behavior, Liongard Support can assist with technical troubleshooting guidance.

Did this answer your question?