
Saturday, July 9, 2011

How to disable and remotely remove Antivirus?

I wanted to remove the antivirus programs remotely because the computers are too far away and my chair is rather comfortable having been moulded to my ample behind. I also wanted to do this removal silently to both allow the end users to continue working undisturbed and as an added bonus I don't have to talk to them and have them put me off because they are just too busy at that moment.
The corporate edition of Symantec's antivirus suite (version 10.x, BTW) has a great tool for remotely installing to client computers, but it has a nasty habit of not wanting to upgrade its minor version. That is to say, it goes through the motions and talks the talk, but it just doesn't walk the walk.

This means that there were several computers floating around using an older version of the antivirus program, and they weren't updating from the server. Nope, not good at all. Unfortunately, while I could install remotely, there was no way to remotely uninstall.

This is where I started talking to my good friend Google again, and after several conversations we worked out a method of remotely and silently uninstalling those wayward antivirus programs so I could install (again remotely) the updated version and have everything working hunky dory again.

What I first needed to do is find out how it manually uninstalls. This is found by going to the (I am not on a Windows machine at the moment, so this is going from memory) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry key and looking for the subkey dealing with uninstalling Symantec AntiVirus.

For version 10.0 it is {BA4B71D1-898E-4306-AE87-8BA7A596F0ED} (that's not from memory :)

There is even a value there (UninstallString) showing what program it calls to actually uninstall, which is (surprise, surprise) MsiExec.exe. Just typing that line in a console starts the removal process just as if you called it from Add or Remove Programs. That is not what we want, however. The actual line needed, with all of the proper arguments, is:
MsiExec.exe /norestart /q/x{BA4B71D1-898E-4306-AE87-8BA7A596F0ED} REMOVE=ALL

Typing msiexec /? will give you a dialog box with what all the arguments mean, but basically it just tells Windows to remove that program and all of its parts quietly with no fuss (/q for quiet, /x for uninstall, REMOVE=ALL for every feature) and not to reboot when it has finished (/norestart). Nothing would upset an end user more than having the computer reboot on them when they were just about to save a presentation that they worked on for four hours.

This is not the end of it, though. First, the command is run locally, so you still have to be sitting in front of the computer and have the end user breathing down your neck. Secondly, the corporate edition of Symantec's antivirus can require a password to be uninstalled. Actually, it should require a password to be uninstalled, or you haven't done your job properly.

This can all be fixed from the comfort of our well-worn chair. First, to fix the password issue, we can start up regedit and from the File menu connect via the network to the remote machine's registry (the Remote Registry service has to be running on the target for this to work). Then navigate to the following key.
[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security]
In that key, make sure the two following DWORD values, "LockUnloadServices" and "UseVPUninstallPassword", are zero. That takes care of the password-asking problem.

Finally, the last thing we need to do is remotely execute the msiexec program. This is done with a great set of tools originally written by Sysinternals, which has since been bought out by Microsoft. They are called PsTools and can be freely downloaded from the Microsoft web site. The particular tool I used is called psexec, and it is used for remotely running a command on a machine.

So to uninstall Symantec's antivirus program, all I had to do was type the following line from a command prompt.
psexec \\computer_name MsiExec.exe /norestart /q/x{BA4B71D1-898E-4306-AE87-8BA7A596F0ED} REMOVE=ALL

Lo and behold, the remote computer dutifully uninstalls that pesky antivirus program, ready for a fresh install. The good thing about this is the end users have no idea what just happened and, more importantly, they had no interruption to their work. Most importantly, I didn't have to get up from my chair :)
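As an added example (this script is mine, not from the original post or from Symantec), here is the same three-step procedure strung together in PowerShell for one client: read the Uninstall entry to confirm what is actually installed, zero the two password-protection values over the remote registry, and then run the post's psexec line. It assumes psexec.exe is on the PATH, the Remote Registry service is running on the target, you are running as a domain administrator (as the post requires), and the client is 32-bit Windows (on 64-bit Windows the SAV keys live under Wow6432Node instead). The product code is the SAV 10.0 GUID quoted in the post; other versions have a different one.

```powershell
# Added example, not code from the original post. Automates the post's three steps
# for a single computer. Assumptions: psexec.exe on PATH, Remote Registry running on
# the target, domain admin rights, 32-bit client (else use the Wow6432Node paths).
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$ProductCode = '{BA4B71D1-898E-4306-AE87-8BA7A596F0ED}'   # SAV 10.0, from the post
)

$SecurityKeyPath  = 'SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security'
$UninstallKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"

function Open-RemoteHklm([string]$Computer) {
    # The same thing regedit does under File > Connect Network Registry
    [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
}

function Get-SavUninstallEntry([string]$Computer) {
    # Step 1: confirm the product is installed and see what the Uninstall entry calls
    $hklm = Open-RemoteHklm $Computer
    try {
        $key = $hklm.OpenSubKey($UninstallKeyPath)
        if (-not $key) { return $null }
        [pscustomobject]@{
            DisplayName     = $key.GetValue('DisplayName')
            DisplayVersion  = $key.GetValue('DisplayVersion')
            UninstallString = $key.GetValue('UninstallString')
        }
    } finally { $hklm.Close() }
}

function Get-SavUninstallProtection([string]$Computer) {
    # Reads the two values the post says must be zero before a silent uninstall works.
    # Handy on its own as an audit: on a properly configured client both should be non-zero.
    $hklm = Open-RemoteHklm $Computer
    try {
        $key = $hklm.OpenSubKey($SecurityKeyPath)
        if (-not $key) { throw "Security key not found on $Computer (SAV CE not installed?)" }
        [pscustomobject]@{
            LockUnloadServices     = $key.GetValue('LockUnloadServices')
            UseVPUninstallPassword = $key.GetValue('UseVPUninstallPassword')
        }
    } finally { $hklm.Close() }
}

function Set-SavUninstallProtection([string]$Computer, [int]$Value) {
    # Step 2: write both DWORDs (0 = no password needed to uninstall, 1 = password required)
    $hklm = Open-RemoteHklm $Computer
    try {
        $key = $hklm.OpenSubKey($SecurityKeyPath, $true)   # $true = open writable
        foreach ($name in 'LockUnloadServices', 'UseVPUninstallPassword') {
            $key.SetValue($name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally { $hklm.Close() }
}

function Invoke-SavUninstall([string]$Computer, [string]$Code) {
    # Step 3: the post's psexec line. /q and /x are passed as separate tokens here,
    # which msiexec accepts just like the run-together /q/x form in the post.
    & psexec.exe "\\$Computer" MsiExec.exe /norestart /q "/x$Code" REMOVE=ALL
    # psexec hands back the remote process's exit code: 0 = done, 3010 = done, reboot pending
    return $LASTEXITCODE
}

$entry = Get-SavUninstallEntry $ComputerName
if (-not $entry) { Write-Warning "$ProductCode is not in the Uninstall key on $ComputerName"; return }
Write-Host "Found $($entry.DisplayName) $($entry.DisplayVersion) on $ComputerName"

$before = Get-SavUninstallProtection $ComputerName
Write-Host "Uninstall protection before: LockUnloadServices=$($before.LockUnloadServices) UseVPUninstallPassword=$($before.UseVPUninstallPassword)"
Set-SavUninstallProtection $ComputerName 0

$rc = Invoke-SavUninstall $ComputerName $ProductCode
switch ($rc) {
    0       { Write-Host "Uninstall finished on $ComputerName; push the current version now" }
    3010    { Write-Host "Uninstall finished on $ComputerName but a reboot is pending" }
    default { Write-Warning "msiexec exited with code $rc on $ComputerName" }
}
```

Two things worth keeping in mind when you run it. The client has no antivirus at all between the uninstall finishing and the new version being pushed, so do the reinstall straight away rather than batching it for later. And because psexec works by copying its PSEXESVC service onto the target and starting it, each run leaves a service-installation entry (event ID 7045 in the target's System log) alongside the remote registry writes; an intruder with domain admin rights would produce exactly the same trail, so it is worth knowing which of those entries are yours.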

There is one caveat. The account that you do all this work under has to have domain administrator privileges, and the remote computer has to be joined to said domain. So random hackers, you're out of luck. This operation is only for legitimate purposes.

The most helpful references I got from Google are this page from www.appdeploy.com and Symantec's website.


About 'Anu': My name is 'Anu', also known as 'ANU 007 TIGER'. I'm the administrator of the 'PC Tips by Anu' blog. This blog was opened for sharing content about hacking and cracking.

