RapidFire Tools data collectors use the following WMI query to detect installed AV/AS on both workstations:
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List
displayName=Microsoft Security Essentials
productState=397312
The productState value is then translated into a status.
In some reported cases, the Network Detective data collector returns Windows Defender as the installed AV/AS even though a third-party AV is the primary antivirus.
This can happen because the WMI database has not been updated and/or purged of residual AV/AS information. Spiceworks, another product that uses WMI to pull AV information, provides a script that purges the WMI database of AV/AS information; the database is then automatically rebuilt after the machine is rebuilt. Rebuilding the WMI database makes Windows Security Center report the AV correctly, and it also prevents Windows Defender from being reported as the AV/AS, because when a third-party AV is installed Windows Defender is smart enough to disable itself and list the third-party AV in Security Center correctly.
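The following is an added example, not RapidFire Tools or Spiceworks code. It parses the `/Format:List` output of the query above and decodes productState, so you can see which registered product is actually enabled when Windows Defender and a third-party AV are both listed. The bit layout is an assumption (community-derived, not documented by Microsoft and not stated on this page), and the two-product sample output is constructed.

```python
"""Decode AntiVirusProduct.productState from WMIC /Format:List output."""

# Constructed sample: two products registered in root/SecurityCenter2.
SAMPLE = (
    "displayName=Windows Defender\r\n"
    "productState=393472\r\n"
    "\r\n"
    "displayName=Example Third-Party AV\r\n"
    "productState=397312\r\n"
)

# Assumed bit layout (community-derived, not documented by Microsoft).
ENABLED_BIT = 0x1000      # set when real-time protection is on
OUT_OF_DATE_BIT = 0x10    # set when definitions are out of date


def parse_wmic_list(text):
    """Return one dict per WMI instance; a repeated key starts a new instance."""
    records, current = [], {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if not sep:
            continue                      # blank line or stray carriage return
        if key in current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def decode_product_state(state):
    """Translate the numeric productState into a status dict."""
    state = int(state)
    return {
        "hex": f"0x{state:06X}",
        "enabled": bool(state & ENABLED_BIT),
        "definitions_current": not (state & OUT_OF_DATE_BIT),
    }


def summarize(text):
    """Return (displayName, decoded status) for every registered product."""
    return [(r["displayName"], decode_product_state(r["productState"]))
            for r in parse_wmic_list(text)]


def enabled_products(text):
    """Names of the products whose state decodes as enabled."""
    return [name for name, info in summarize(text) if info["enabled"]]
```

If the only enabled entry is a product that is no longer installed, or Windows Defender decodes as enabled alongside a third-party AV, the registration is likely stale as described above.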