Endpoint Protection

  • 1.  Remove SAV from Windows Security Center

    Posted Sep 15, 2009 07:42 AM
    Hi.

    Looking for a way to remove SAV 10.X from the Windows Security Center. We use the Symantec cleanwipe to remove SAV, but the Windows Security Center still reports SAV as installed. When we install the new AV app, then Windows Security Center reports two AV programs are installed - what a mess!

    Anyone have a command line tool or way to unregister SAV from WSC - without deleting the windows32\wbem\repository folder?

    Thanks
    Chris


  • 2.  RE: Remove SAV from Windows Security Center

    Posted Sep 15, 2009 07:52 AM
    have you configured this..???


    Configuring Windows Security Center alerts using Symantec AntiVirus Corporate Edition or Symantec Client Security


    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2004100414075048?Open&docid=2003101512393448&nsf=ent-security.nsf&view=ppfdocs

    check the registry keys..



  • 3.  RE: Remove SAV from Windows Security Center

    Posted Sep 15, 2009 08:06 AM
    This only helps if SAV is installed or to be installed. SAV has been removed with cleanwipe. Reinstalling SAV to set Windows Security Center options then removing again is not an option!


  • 4.  RE: Remove SAV from Windows Security Center

    Posted Sep 15, 2009 08:36 AM
    any entry in these locations..reference to Symantec?

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\AntiVirusDisableNotify
    • under the key
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus
    • do u see disableantivirus 0 or 1, does any key exist?


  • 5.  RE: Remove SAV from Windows Security Center

    Posted Sep 15, 2009 10:09 AM
    The Security Center checks for the presence of antivirus software using queries for specific WMI providers that are made available by participating vendors. If the information is available, the Security Center service also determines whether the software is up-to-date and whether real-time scanning is turned on.

    If you have removed Symantec, then these entries might still be in WMI..

    Let's try this.

    Go to a command prompt and run wbemtest
    • Click the Connect button
    • Replace root\default with root\securitycenter and click Connect
    • You will be returned to the original screen, now click the Enum Classes button, leave the Superclass info box that appears as is (empty) and click OK
    • On the Query Results screen, highlight AntivirusProduct and choose the Delete button.
    • Close the Query windows and exit wbemtest
    reboot the box, let me know if you still see it ..:) 



  • 6.  RE: Remove SAV from Windows Security Center

    Posted Sep 15, 2009 12:31 PM
    Thanks, as soon as I delete the sav instance under AntivirusProduct , WSC reports no antivirus installed! now, just need to script this ...


  • 7.  RE: Remove SAV from Windows Security Center
    Best Answer

    Posted Sep 15, 2009 03:06 PM
    In case anyone else needs this, here is a vbs script to remove SAV from Windows Security Center. Thanks for pointing me in the right direction with Wbem!

    <blockquote>
    '*******************************************************************************
    '* Script:         RmvSavWSC.vbs
    '* Purpose:        Removes Sav from Windows Security Center
    '* Parameters: 
    '*                 1 - iMsgMode
    '*                     (0 = Minimal Messages ; 1 = Display Debug Messages;
    '*                      2 = Login Script No Msgs) - Default = Minimal Msgs
    '* Returns:        0 - If successful Sav removed or sav not detected
    '*                 1 - If error removing sav
    '* Created:        2009/09/15
    '* Created by:     Chris Thibeau
    '* Supported OS:   XP
    '*******************************************************************************

    Option Explicit

    '* ------------------------- Global Variable Declarations ------------------------------
    '* Err is VBScript's built-in error object and must not be declared as a variable
    Dim iMsgMode, strComputer, oWMI, colAV, objAntiVirusProduct, strAVGuid, strCompany, strAV, strScanning, strUptodate, strMsg, objSWbemServices, strInstance, bError

    bError = False ' --- Set to True if any delete fails; drives the exit code

    '------------------------------------- Get Arguments ---------------------------------------------
    If WScript.Arguments.Count = 1 Then
        iMsgMode = WScript.Arguments.Item(0)
    Else
        iMsgMode = 0
    End If

    '============================== Main Script =============================

    '--- Connect to WMI \root\SecurityCenter\AntiVirusProduct
    strComputer = "."
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")
    Set colAV = oWMI.ExecQuery("Select * from AntiVirusProduct")

    '--- Check to see if any AV products are registered with Windows Security Center
    If colAV.Count > 0 Then

        ' --- Start loop for each AV product
        For Each objAntiVirusProduct In colAV

            ' -- Get the Guid
            strAVGuid = objAntiVirusProduct.instanceGuid

            ' -- Read the details from the enumerated instance (no second query is needed)
            strCompany = objAntiVirusProduct.companyName
            strAV = objAntiVirusProduct.displayName
            strScanning = objAntiVirusProduct.onAccessScanningEnabled
            strUptodate = objAntiVirusProduct.productUptoDate

            strMsg = "This information was collected on: " & Date & " at " & Time & vbCrLf
            strMsg = strMsg & "GUID: " & strAVGuid & vbCrLf
            strMsg = strMsg & "Manufacturer: " & strCompany & vbCrLf
            strMsg = strMsg & "Product: " & strAV & vbCrLf
            strMsg = strMsg & "Scanning Enabled? " & strScanning & vbCrLf
            strMsg = strMsg & "Definitions UptoDate? " & strUptodate & vbCrLf
            strMsg = strMsg & vbCrLf

            If iMsgMode = 1 Then
                WScript.Echo strMsg
            End If

            ' -- Check to see if the AntiVirusProduct.companyName = Symantec
            If StrComp(strCompany, "Symantec Corporation") = 0 Then
                If iMsgMode = 1 Then
                    WScript.Echo "SAV Detected: " & strAVGuid & vbCrLf & " removing from WSC!"
                End If

                ' -- Setup a connection to Wbem then delete Sav Instance
                strInstance = "AntiVirusProduct.instanceGuid='" & strAVGuid & "'"
                Set objSWbemServices = GetObject("winmgmts:\\" & "." & "\root\SecurityCenter")

                On Error Resume Next ' -- Trap a failed delete instead of aborting the script
                objSWbemServices.Delete strInstance

                If Err.Number <> 0 Then ' -- Check if error deleting instance
                    bError = True
                    If iMsgMode = 1 Then ' - Display error message
                        WScript.Echo "Error Deleting Sav Instance:" & vbCrLf & Err.Number & "    " & Err.Description
                    End If ' - Display error message
                Else
                    If iMsgMode < 2 Then ' - Display success message
                        WScript.Echo "Delete succeeded"
                    End If ' - Display success message
                End If ' -- Check if error deleting instance

                Err.Clear
                On Error GoTo 0 ' -- Restore normal error handling

                ' Release SwbemServices object
                Set objSWbemServices = Nothing

            End If

        Next ' --- process next AV product

    Else ' --- No AV products are registered
        If iMsgMode = 1 Then ' - Display message
            WScript.Echo "No Anti Virus Products registered"
        End If ' - Display message
    End If

    ' --- Release all resources
    Set objAntiVirusProduct = Nothing
    Set colAV = Nothing
    Set oWMI = Nothing

    If bError Then
        WScript.Quit(1) ' --- Quit with errors
    Else
        WScript.Quit(0) ' --- Quit, no errors
    End If

    </blockquote>


  • 8.  RE: Remove SAV from Windows Security Center

    Posted Jul 22, 2021 07:40 PM
    Here is an updated version targeting Symantec Endpoint Protection on Windows 10 (thus also WSC2).

    <blockquote>
    '============================== Updating =============================
    '-- this is Microsoft, they WILL change things - to check for current structure to query, try this powershell command
    '-- Get-CimInstance -Namespace root/SecurityCenter2 -Class AntiVirusProduct | Get-Member -MemberType Property
    '-- For more info: https://social.msdn.microsoft.com/Forums/en-US/6501b87e-dda4-4838-93c3-244daa355d7c/wmisecuritycenter2-productstate?forum=vblanguage
    '-- archived: https://archive.ph/PZLfq | http://web.archive.org/web/20201027102228/https://social.msdn.microsoft.com/Forums/en-US/6501b87e-dda4-4838-93c3-244daa355d7c/wmisecuritycenter2-productstate?forum=vblanguage

    Option Explicit

    '* ------------------------- Global Variable Declarations ------------------------------
    '* Err is VBScript's built-in error object and must not be declared as a variable
    Dim iMsgMode, strComputer, oWMI, colAV, objAntiVirusProduct, strAVGuid, strAV, strProdExe, strRepExe, strRawState, strState, strStatus, strUpToDate, strTs, strMsg, objSWbemServices, strInstance, bError

    bError = False ' --- Set to True if any delete fails; drives the exit code

    '------------------------------------- Get Arguments ---------------------------------------------
    If WScript.Arguments.Count = 1 Then
        iMsgMode = WScript.Arguments.Item(0)
    Else
        iMsgMode = 0
    End If

    '============================== Main Script =============================

    '--- Connect to WMI \root\SecurityCenter2\AntiVirusProduct
    strComputer = "."
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter2")
    Set colAV = oWMI.ExecQuery("Select * from AntiVirusProduct")

    '--- Check to see if any AV products are registered with Windows Security Center
    If colAV.Count > 0 Then

        ' --- Start loop for each AV product
        For Each objAntiVirusProduct In colAV

            ' -- Get the Guid
            strAVGuid = objAntiVirusProduct.instanceGuid

            ' -- Read the details from the enumerated instance (no second query is needed)
            strAV = objAntiVirusProduct.displayName
            strProdExe = objAntiVirusProduct.pathToSignedProductExe
            strRepExe = objAntiVirusProduct.pathToSignedReportingExe
            strState = Hex(objAntiVirusProduct.productState)
            strRawState = Right("000000" & strState, 6)

            ' -- Decode from the zero-padded value so the byte offsets hold for any state
            If Mid(strRawState, 3, 2) = "10" Or Mid(strRawState, 3, 2) = "11" Then
                strStatus = "Yes"
            ElseIf Mid(strRawState, 3, 2) = "00" Or Mid(strRawState, 3, 2) = "01" Then
                strStatus = "No"
            Else
                strStatus = "Unknown"
            End If
            If Mid(strRawState, 5, 2) = "00" Then
                strUpToDate = "Yes"
            ElseIf Mid(strRawState, 5, 2) = "10" Then
                strUpToDate = "No"
            Else
                strUpToDate = "Unknown"
            End If
            strTs = objAntiVirusProduct.timestamp

            strMsg = "This information was collected on: " & Date & " at " & Time & vbCrLf
            strMsg = strMsg & vbCrLf
            strMsg = strMsg & "GUID: " & strAVGuid & vbCrLf
            strMsg = strMsg & vbCrLf
            strMsg = strMsg & "Product Name: " & strAV & vbCrLf
            strMsg = strMsg & vbCrLf
            strMsg = strMsg & "Product State (raw): " & strRawState & vbCrLf
            strMsg = strMsg & vbCrLf
            strMsg = strMsg & "Product Enabled: " & strStatus & vbCrLf
            strMsg = strMsg & vbCrLf
            strMsg = strMsg & "Product Up To Date: " & strUpToDate & vbCrLf
            strMsg = strMsg & vbCrLf
            strMsg = strMsg & "Path To Signed Product Exe: [" & strProdExe & "]" & vbCrLf
            strMsg = strMsg & vbCrLf
            strMsg = strMsg & "Path To Signed Reporting Exe: [" & strRepExe & "]" & vbCrLf
            strMsg = strMsg & vbCrLf
            strMsg = strMsg & "WSC2 Data Timestamp: " & strTs & vbCrLf
            strMsg = strMsg & vbCrLf

            If iMsgMode = 1 Then
                WScript.Echo strMsg
            End If

            ' -- Check to see if the AntiVirusProduct.displayName = Symantec Endpoint Protection
            If StrComp(strAV, "Symantec Endpoint Protection") = 0 Then
                If iMsgMode = 1 Then
                    WScript.Echo "SEP Detected: " & strAVGuid & vbCrLf & " removing from WSC2!"
                End If

                ' -- Setup a connection to Wbem then delete SEP Instance
                strInstance = "AntiVirusProduct.instanceGuid='" & strAVGuid & "'"
                Set objSWbemServices = GetObject("winmgmts:\\" & "." & "\root\SecurityCenter2")

                On Error Resume Next ' -- Trap a failed delete instead of aborting the script
                objSWbemServices.Delete strInstance

                If Err.Number <> 0 Then ' -- Check if error deleting instance
                    bError = True
                    If iMsgMode = 1 Then ' - Display error message
                        WScript.Echo "Error Deleting SEP Instance:" & vbCrLf & Err.Number & " " & Err.Description
                    End If ' - Display error message
                Else
                    If iMsgMode < 2 Then ' - Display success message
                        WScript.Echo "Delete succeeded"
                    End If ' - Display success message
                End If ' -- Check if error deleting instance

                Err.Clear
                On Error GoTo 0 ' -- Restore normal error handling

                ' Release SwbemServices object
                Set objSWbemServices = Nothing

            End If

        Next ' --- process next AV product

    Else ' --- No AV products are registered
        If iMsgMode = 1 Then ' - Display message
            WScript.Echo "No Anti Virus Products registered"
        End If ' - Display message
    End If

    ' --- Release all resources
    Set objAntiVirusProduct = Nothing
    Set colAV = Nothing
    Set oWMI = Nothing

    If bError Then
        WScript.Quit(1) ' --- Quit with errors
    Else
        WScript.Quit(0) ' --- Quit, no errors
    End If
    </blockquote>
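
As an added example (not part of any post in this thread), a read-only PowerShell audit that lists what is registered in root/SecurityCenter2 and flags entries whose product executable is no longer on disk, which is the leftover state this thread deals with. The function names are hypothetical, and the productState decoding reuses the byte interpretation from the script in post 8, which is an assumption rather than a documented Microsoft format.

```powershell
# Added example: audits AntiVirusProduct registrations without changing anything.

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)
    # Zero-pad to six hex digits so the byte offsets are stable (assumed layout, see lead-in).
    $hex = '{0:X6}' -f ($ProductState -band 0xFFFFFF)
    $stateByte = $hex.Substring(2, 2)
    $defsByte  = $hex.Substring(4, 2)
    [pscustomobject]@{
        Raw      = $hex
        Enabled  = switch ($stateByte) {
            { $_ -in '10', '11' } { 'Yes' }
            { $_ -in '00', '01' } { 'No' }
            default               { 'Unknown' }
        }
        UpToDate = switch ($defsByte) {
            '00'    { 'Yes' }
            '10'    { 'No' }
            default { 'Unknown' }
        }
    }
}

function Get-WscAntivirusAudit {
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
        ForEach-Object {
            $state = ConvertFrom-ProductState -ProductState $_.productState
            $path  = [Environment]::ExpandEnvironmentVariables([string]$_.pathToSignedProductExe)
            # Some products register a URI instead of a file; those cannot be checked on disk.
            $onDisk = if (-not $path -or $path -match '://') { 'n/a' } elseif (
                Test-Path -LiteralPath $path -PathType Leaf) { 'Yes' } else { 'No' }
            [pscustomobject]@{
                DisplayName  = $_.displayName
                InstanceGuid = $_.instanceGuid
                Enabled      = $state.Enabled
                UpToDate     = $state.UpToDate
                RawState     = $state.Raw
                ProductExe   = $path
                ExeOnDisk    = $onDisk   # 'No' suggests a stale registration
                Timestamp    = $_.timestamp
            }
        }
}

Get-WscAntivirusAudit | Format-List
```

An entry with ExeOnDisk = No is a candidate leftover from an uninstalled product; confirm it against installed software before removing the registration.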


  • 9.  RE: Remove SAV from Windows Security Center

    Posted Sep 16, 2009 03:05 AM
    nice..