CrowdStrike Falcon and other EDR/XDR products don't register in WMI
SecurityCenter2, but put Defender in Passive Mode. This caused ASR
rules to either silently fail or throw errors.
New 3-layer detection:
- Layer 1: WMI SecurityCenter2 (traditional AV: Bitdefender, Kaspersky, etc.)
- Layer 2: Defender Passive Mode via Get-MpComputerStatus (EDR/XDR)
- Layer 3: 18 known EDR service names for display identification
Changes:
- Utils/Dependencies.ps1: New Test-ThirdPartySecurityProduct function,
updated Test-WindowsDefenderAvailable with IsPassiveMode property,
updated Test-AllDependencies to handle passive mode gracefully
- Modules/ASR/Public/Invoke-ASRRules.ps1: Detection runs before
Defender service check, inline fallback for standalone execution
- Tools/Verify-Complete-Hardening.ps1: Same 3-layer detection, ASR
counted as 19/19 verified when third-party product detected
Closes#15
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
