Team: Huntress EDR
Product: Managed AV
Environment: Windows, Huntress.io portal, PowerShell
Summary: How to remove 3rd party AV from non-server OS using PoSh or GUI (wbemtest)
If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically (client OS's only). If you uninstall the other app, Microsoft Defender Antivirus should turn back on automatically. We won't be able to help you troubleshoot any issues that could theoretically arise from modifying Windows values so be careful!
Table of Contents
View and Remove 3rd party AV from WSC using GUI
View WSC-registered AV's using PowerShell
Remove 3rd party AV from WSC using PowerShell
Non Compliant Policies
Common Issues
- The Huntress Managed AV service data is gathered from clients WSC (Windows Security Center) and WMI (Windows Management Instrumentation)
- Sometimes AVs (commonly Webroot) don't correctly "de-register" themselves from WSC.
- Huntress portal displays "missing" because executables don't exist for 'registered' antivirus.
- Server OS's are not affected by this as they do not have WSC
View and Remove using GUI
You may be able to manually clear the entries from WMI (we are using WMI to query for AV products). Please see below for a high-level overview.
- Run wbemtest as Admin
- Connect to root\SecurityCenter2
- Click Enum Instances....
- Type in AntiVirusProduct for the superclass name.
Result appears:
If you open each query result, there will be properties that reveal which product they are (such as displayName). You can then click "delete" on the screen after step 4. Take care to not delete Windows Defender!
View using PowerShell
Below is a simple PowerShell query that you can run, which emulates the check the Huntress agent performs. If the offending antivirus is not listed, the Huntress agent will no longer report it as a registered antivirus after the next survey.
Get-CimInstance -Namespace root\SecurityCenter2 -Class AntiVirusProduct
Here are two alternate versions in case the above command doesn't work (for legacy systems).
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
Remove using PowerShell
This PowerShell command can be modified to surgically remove the offending 3rd party AV. You'll need to determine it's exact name using the above section. Once you have the exact name replace the first variable's value with the exact name.
$AVDisplayName = "Webroot SecureAnywhere"
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | Where-Object { $_.displayName -eq $AVDisplayName} | ForEach-Object{$_.Delete()}
For a quicker resolution, this PowerShell command removes all AV's except Defender. Please take care when using this command as you don't want to accidentally remove Defender. Highly recommend you verify the name matches exactly with the version of Defender you're currently running.
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | Where-Object { $_.displayName -ne "Windows Defender" } | ForEach-Object{$_.Delete()}
Further reading
Transition to Huntress Managed AV: "Other AV"
How to reset Microsoft Defender to Defaults
Microsoft Resources:
Uninstalling from Windows 10
Uninstalling from Windows 8
Webroot Resources:
Uninstalling Webroot
Comments
0 comments
Please sign in to leave a comment.