Problem
You remove antivirus software from an endpoint, but the antivirus continues to show up in CloudRadial's antivirus list for that workstation.
Solution
The probable cause is that the antivirus did not properly remove itself from the listing in the local workstation's security center. To correct this, run through the following steps on the workstation:
- Open a command window as an administrator
- Run the command:
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct get * /value
- Run the Windows Management Instrumentation Tester command:
WBEMTEST
- Click the "Connect..." button
- Enter:
root/securitycenter2
- Click the "Connect" button
- Click the "Query..." button
- Enter:
SELECT * from Antivirusproduct
- Select the antivirus to delete
- Click the "Delete" button
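The same lookup and targeted removal in PowerShell, as an added example that is not part of the original article: it lists each registration with its friendly name next to its GUID, so the entry to delete can be matched without WBEMTEST, and removes only the one GUID you pass in. The function names Get-AvRegistration and Remove-AvRegistration are hypothetical, and the all-zero GUID is a placeholder.

```powershell
# Run in an elevated PowerShell session on the affected workstation.
# root/SecurityCenter2 exists on Windows client editions, not on Windows Server.
$Namespace = 'root/SecurityCenter2'

function Get-AvRegistration {
    # One row per registered product: friendly name and GUID together, plus
    # whether the registered executable still exists (missing file = likely stale).
    Get-CimInstance -Namespace $Namespace -ClassName AntiVirusProduct |
        ForEach-Object {
            $exe = [Environment]::ExpandEnvironmentVariables([string]$_.pathToSignedProductExe)
            [pscustomobject]@{
                DisplayName  = $_.displayName
                InstanceGuid = $_.instanceGuid
                ProductExe   = $exe
                # Only test real file paths; some products register a URI instead.
                ExeOnDisk    = if ($exe -match '^[A-Za-z]:\\') { Test-Path -LiteralPath $exe } else { $null }
                Timestamp    = $_.timestamp
            }
        }
}

function Remove-AvRegistration {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$InstanceGuid)

    # Refuse to act unless exactly one registration carries the requested GUID.
    $match = @(Get-CimInstance -Namespace $Namespace -ClassName AntiVirusProduct |
        Where-Object { $_.instanceGuid -eq $InstanceGuid })
    if ($match.Count -ne 1) {
        Write-Error "Expected one entry with GUID $InstanceGuid, found $($match.Count)."
        return
    }
    if ($PSCmdlet.ShouldProcess($match[0].displayName, 'Remove Security Center registration')) {
        $match[0] | Remove-CimInstance -Confirm:$false
    }
}

Get-AvRegistration | Format-List
# Placeholder GUID: replace with the instanceGuid of the stale entry listed above.
Remove-AvRegistration -InstanceGuid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

Drop -WhatIf once the listing confirms the GUID belongs to the uninstalled product; entries for products that are still installed should be left in place.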
Comments
3 comments
I was about to submit a ticket about this, and one of the suggestions was this article. So that's cool. But with potentially now hundreds of computers where we have this issue, this article is not an MSP-friendly solution. I get that this isn't a CR problem particularly, though RMMs are capable of identifying the only current AV product just fine.
It looks like this might be difficult to build a script around... is it possible to have CR dev folks find out how all the RMMs determine the active AV product and use that method instead?
Also, a line should be added to this process saying that you have to match up the GUID shown in the command prompt result with the GUID you want to remove in the WMI query; it does not show the friendly names using this query.
Found this PowerShell script that deletes all WMI AV entries, which supposedly get rebuilt on reboot or next time WMI does inventory. I will test and reply back here. It definitely clears all of them out:
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object{$_.Delete()}