We purchased a networking and software solution for PCI compliance: TrustWave. We started to install the antivirus but realized that it was not required on the machines it was being installed on and wanted to install a different solution.

The program's attended uninstall works fine. It is the unattended install that is not very clean. While it supports a silent switch, much of itself is left behind. I have scripted most of it, but there is one part I am having issues with: Windows still sees the software as installed as an antivirus product. Looking at how to confirm this, it comes from WMI:

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

I am having a hard time finding out how to wipe this information. Searching just leads me to solutions about installing or removing the whole antivirus product, which has already been done.

Is there a way to write to this namespace (or equivalent registry) specifically so that Windows forgets this has been installed? I realize this request could be seen as malicious.

Installing the other antivirus would most likely fix this issue, but there are some machines that will be running without, so this information would still be useful.

Matt

1 Answer

Never tested it, but it would be a script like this:

On Error Resume Next   ' keep going if a namespace or class is missing on this OS

' Work out the Windows generation from the "ver" command output,
' because the Security Center namespace name changed with Vista
Set shell = CreateObject("WScript.Shell")
Set getOSVersion = shell.exec("%comspec% /c ver")
version = getOSVersion.stdout.readall

Select Case True
   Case InStr(version, "n 5.") > 1 : GetOS = 0 'pre vista: root\SecurityCenter
   Case InStr(version, "n 6.") > 1 : GetOS = 1 'vista/post vista: root\SecurityCenter2
   Case InStr(version, "n 10.") > 1 : GetOS = 1 'windows 10 also uses root\SecurityCenter2
   Case Else : GetOS = -1
End Select

strComputer = "."
If GetOS = 0 Then
    ' Windows XP / Server 2003: AntiVirusProduct lives in root\SecurityCenter
    Set oWMI = GetObject( _
      "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")

    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    ' Delete_ removes the WMI instance, i.e. the registration Security Center reports
    For Each objItem In colItems
        objItem.Delete_
    Next
End If

If GetOS = 1 Then
    ' Vista and later: AntiVirusProduct lives in root\SecurityCenter2
    Set oWMI = GetObject( _
      "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter2")

    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    For Each objItem In colItems
        objItem.Delete_
    Next

End If

Code from here

I would think it would work, as the other code example follows the same format, as shown here but without a delete item in it.

A PowerShell equivalent would be:

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object { $_.Delete() }

This could also be run remotely using the -Computer parameter.

yagmoth555 (answer edited by Matt)
  • Never even considered calling a delete method on it. Will try that for sure. Thanks – Matt Jul 05 '16 at 13:48
  • I added code that I did test on one of my affected systems in an edit. Thanks again. I got this working. – Matt Jul 05 '16 at 14:39
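As an added example that is not part of the original answer, a more conservative PowerShell version of the one-liner above: it walks each AntiVirusProduct entry in root\SecurityCenter2, deletes only the ones whose recorded signed executable no longer exists on disk (leaving live products and built-in entries that record a URI instead of a file path untouched), and honours -WhatIf so the change can be previewed first. The function name Remove-StaleAntiVirusRegistration is chosen here; it assumes Windows Vista or later and an elevated local session.

```powershell
# Added example (not from the original answer): remove AntiVirusProduct
# registrations from root\SecurityCenter2 only when they are stale, i.e. the
# signed product executable the entry points to no longer exists on disk.
# Assumes Windows Vista or later and an elevated local PowerShell session.
function Remove-StaleAntiVirusRegistration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional: restrict removal to one product, matched on displayName
        [string]$DisplayName
    )

    $products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct

    foreach ($p in $products) {
        if ($DisplayName -and $p.displayName -ne $DisplayName) { continue }

        # The recorded path may be quoted and may contain environment variables
        $exe = [Environment]::ExpandEnvironmentVariables(($p.pathToSignedProductExe -replace '"', ''))

        # Some built-in products record a URI rather than a file path; those
        # cannot be checked with Test-Path, so never treat them as stale
        if ($exe -match '^[a-zA-Z]+://') {
            Write-Verbose "Keeping '$($p.displayName)': non-file path '$exe'"
            continue
        }

        $stale = [string]::IsNullOrWhiteSpace($exe) -or -not (Test-Path -LiteralPath $exe -PathType Leaf)
        if (-not $stale) {
            Write-Verbose "Keeping '$($p.displayName)': $exe still exists"
            continue
        }

        # -WhatIf / -Confirm are honoured here via ShouldProcess
        if ($PSCmdlet.ShouldProcess("$($p.displayName) [$($p.instanceGuid)]", 'Remove stale AntiVirusProduct registration')) {
            $p | Remove-CimInstance
            Write-Verbose "Removed registration for '$($p.displayName)'"
        }
    }
}

# Preview what would be removed, then run again without -WhatIf to apply
Remove-StaleAntiVirusRegistration -WhatIf -Verbose
```

Re-run the Get-WmiObject query from the question afterwards to confirm only the intended entry is gone; Security Center may take a moment to refresh its own status after the instance is removed.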