Team: Huntress EDR
Product: Managed AV
Environment: Windows
Summary: Transitioning from 3rd party AV to Defender
Moving to Huntress Managed AV is a pretty straightforward process, but removing the previous antivirus can come with some hiccups along the way.
Here is the process that we recommend to our partners when making the transition to Huntress Managed AV:
- Select a smaller client with minimal agents to test your removal process. We recommend this for two reasons: first, so that you can verify that the removal method itself works; second, so that you iron out any issues before they become a large headache for your team.
- In your antivirus console, review every current exclusion for that client for validity. Once all are confirmed, set all of the valid exclusions under Huntress Managed AV.
- Currently, these are the only valid exclusions you can make:
  - File/Path exclusions - type out the full path of the file you want to exclude (e.g., C:\Program Files\Huntress\HuntressAgent.exe). Path exclusions are never recommended but can be done in the same fashion.
  - Extension exclusions - type the extension you'd like to exclude from scanning (e.g., *.txt).
  - Process exclusions - type the full path of the program you'd like to exclude (e.g., C:\tester.exe).
  - For guidance on how to set exclusions: Huntress Managed AV Exclusions
- While in the Huntress Dashboard under Managed Antivirus, set the Organization’s Antivirus configuration Mode from Audit to Enforce.
- Once you have your test client chosen, exclusions in place and your Organization Antivirus Configuration set to Enforce, follow your antivirus vendor's Knowledge Base for removing its agents.
- Once the 3rd party AV is uninstalled, Microsoft Defender Antivirus turns back on automatically; the Huntress Agent observes this and reports it to the Huntress Dashboard. The Huntress Dashboard takes two check-ins to update the Managed Antivirus status. This process usually takes around 30 minutes but can take up to several hours.
The below only applies to Windows client OS (Windows 10, etc.), as Microsoft Security Center does not exist in Windows Server OS:
- In some cases a 3rd party AV (Webroot, for example) remains registered in Microsoft Security Center after it has been uninstalled. Assuming the 3rd party AV has truly been removed, the cleanup below can even be automated in your RMM.
- To query whether that is the case post uninstall:
# Gets the AV products registered in Security Center (PowerShell command)
Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct
- If your 3rd party AV still shows when the above command is executed, run the command below to remove its registration, which in most cases results in Defender re-enabling itself (PowerShell). Please note that 'Webroot Secure Anywhere' should be replaced with the exact displayName of the AV returned above.
# Removes the stale Security Center registration for the named product (PowerShell command)
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | Where-Object { $_.displayName -eq "Webroot Secure Anywhere" } | ForEach-Object { $_.Delete() }
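The two commands above can be combined into an RMM-friendly script that reports every registered product, only removes the named entry when its binary is actually gone from disk, and then confirms Defender's state. This is an added example, not a Huntress script; the `-Remove` switch, `$StaleProductName` parameter and the Defender name guard are this example's own assumptions, and `Get-MpComputerStatus` needs the Defender module present on Windows client OS.

```powershell
# Added example (not Huntress's own script): stale Security Center cleanup for an RMM.
# Assumes the 3rd party AV is already uninstalled; $StaleProductName is the exact displayName
# reported by the query above (e.g. "Webroot Secure Anywhere").
param(
    [Parameter(Mandatory)] [string] $StaleProductName,
    [switch] $Remove   # without this switch the script only reports what it would do
)

# Windows Server has no Security Center, so this namespace does not exist there; stop early.
$products = Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop

# Report every registration and whether its signed product binary is still on disk.
foreach ($p in $products) {
    $exe = $p.pathToSignedProductExe
    $exists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
    "{0,-40} state=0x{1:X6} exe_present={2}" -f $p.displayName, $p.productState, $exists
}

$stale = @($products | Where-Object { $_.displayName -eq $StaleProductName })
if ($stale.Count -eq 0) {
    "No entry named '$StaleProductName' found; nothing to do."
}

foreach ($s in $stale) {
    if ($s.displayName -like '*Defender*') {
        # Guard: never delete the Defender registration itself.
        "Refusing to remove '$($s.displayName)'."
    } elseif ($s.pathToSignedProductExe -and (Test-Path -LiteralPath $s.pathToSignedProductExe)) {
        # The product binary is still present, so the AV is not truly uninstalled yet.
        "'$($s.displayName)' binary still exists; run the vendor uninstaller before deleting the entry."
    } elseif ($Remove) {
        # CIM equivalent of the article's Get-WmiObject ... | ForEach-Object { $_.Delete() }
        $s | Remove-CimInstance
        "Removed stale entry '$($s.displayName)'."
    } else {
        "Would remove '$($s.displayName)' (re-run with -Remove)."
    }
}

# Confirm Defender's state; it can take a moment to re-enable after the stale entry is gone,
# and the Huntress Dashboard still needs two check-ins before the shield icon updates.
$mp = Get-MpComputerStatus
"Defender AMServiceEnabled={0} AntivirusEnabled={1} RealTimeProtectionEnabled={2}" -f `
    $mp.AMServiceEnabled, $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled
```

Run it first without `-Remove` on the test client so the report can be checked before anything is deleted.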
More on Troubleshooting the Removal of Previous Antivirus
Review your Huntress portal for the client that you chose and confirm that you see the green shield on the agents from which you removed the antivirus:
- Agents with the green shield icon have Defender enabled, running properly and within guidelines for definition updates and recent scans.
- Agents with the purple padlock icon have another AV installed that reports it is running properly, and Defender is disabled.
- Once the process is complete with the smaller test client, note any steps that were taken to remediate issues, so they can be scripted for future clients. We recommend you then follow the same process with any of the remediation steps previously documented to complete the remainder of your clients.