Skip to main content

Troubleshooting: Removing Previous Third Party Antivirus (non-server OS only)

Rachael Smith-Robinson
  • Updated

Our Support Team has come up with a manual remedy to uninstall 3rd party AV, however we won't be able to help you troubleshoot any issues that could theoretically arise from modifying Windows values.

If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically (client OS's only). If you uninstall the other app, Microsoft Defender Antivirus will turn back on automatically.

Overview

In order for Huntress to manage Microsoft Defender Antivirus, any third-party AV programs need to be uninstalled. Here you'll find links to resources and solutions to issues we've helped resolve. 

 

Links

Transition to Huntress Managed AV: "Other AV"

Microsoft Resources:
Uninstalling from Windows 10

Uninstalling from Windows 8

Webroot Resources:
Uninstalling Webroot

 

Non Compliant Policies / Resetting Windows Defender

Where hosts are still showing Non Compliant in the MAV Dashboard;
Check to see that MAV has been configured to Enforce for the host, and any inheritance settings are working correctly.

Domain Joined hosts that aren't connect to the domain controller will not receive updated policy settings from Huntress MAV.
The priority of policies operates from the Domain GPO, Local GPO, Local Settings and then Huntress Recommended. If policies are not showing compliant they may be being be overridden/stopped at a previous priority level.
In order to clear the priority policies and reset Defender, you can use this script to reset Defender to Defaults

Common Ticket/Issues

mceclip0.png

  • The Huntress Managed AV service data is gathered from WMI (Windows Management Instrumentation)
  • Sometimes AVs (commonly Webroot) don't correctly "de-register" themselves from WMI.
  • Huntress displays "missing" because executables exist for 'registered' antivirus.'
  • It does not affect the functionality of Microsoft Defender (or Managed AV).

    Currently, the way to altogether "remove" an offending AV isn't the most straightforward.

    Our Support Team has come up with a manual remedy; you may want to look over the guidance below. However, we won't be able to help you troubleshoot any issues that could theoretically arise from modifying Windows values.

Below is a simple PowerShell query that you can run, which emulates the check the Huntress agent performs. If the offending antivirus is not listed, the Huntress agent will no longer report it as a registered antivirus after the next survey.

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List


You may be able to manually clear the entries from WMI (we are using WMI to query for AV products). Please see below for a high-level overview.

  1. Run wbemtest as Admin.
  2. Connect to root\SecurityCenter2.
  3. Click Enum Instances....
  4. Type in AntiVirusProduct for the superclass name.

Result appears:
mceclip1.png

If you open each query result, there will be properties that reveal which product they are (such as displayName). You can then click "delete" on the screen after step 4.

Additional information about Transitioning to Huntress Managed AV: "Other AV"

 

Related articles:

 

Comments

0 comments

Please sign in to leave a comment.

Related articles