Hi
I was trying to find a way to uninstall other AV software (ESET in this case) using WSA. I did the following: I created an override in the console for ESET marking it as bad. It seemed to work pretty fine because ESET disspeared. Would you recommend such actions or rather not? Do you have any other suggestions about how to achieve this? For example executing an agent command with some DOS command? It would be a huge asset for companies with many endpoints if they could uninstall their previous software with Webroot.
Answer
Other AV uninstallation
Best answer by JimM
Good question! That is actually not a recommended function of WSA. Although you could blacklist the other antivirus program's executables, those files were most likely marked as Good prior to the override being put in place on your end. That means those files were not journaled and changes made by those files will not be rolled back if the file is quarantined. Plus, they were probably on the system before WSA in many cases. So when you pull the executables, you aren't clearing the whole program off the computer - just part of it. There are almost certainly leftover registry keys, other non-executable files, the quarantine, etc. from the produce you're trying to remove. A broken anti-virus program is not something you want on your system because it can cause significant problems. So we advise against using WSA in such a way.
Good question! That is actually not a recommended function of WSA. Although you could blacklist the other antivirus program's executables, those files were most likely marked as Good prior to the override being put in place on your end. That means those files were not journaled and changes made by those files will not be rolled back if the file is quarantined. Plus, they were probably on the system before WSA in many cases. So when you pull the executables, you aren't clearing the whole program off the computer - just part of it. There are almost certainly leftover registry keys, other non-executable files, the quarantine, etc. from the produce you're trying to remove. A broken anti-virus program is not something you want on your system because it can cause significant problems. So we advise against using WSA in such a way.
+6Echoing Jim's post:
Let me be clear: You should not inject custom signatures into your new antivirus to remove your old antivirus. A partially damaged, corrupted antivirus is the last thing that you want on your endpoints. Not to mention you don't want two antivirus going to war with eachother's defense mechanisms.
I suspect you got this idea from Webroot's misguided documentation on this subject. Their example of removing Skype with WSA overrides sounds more like an endpoint management solution than purely an example using the name of a common piece of software. Overrides should only be used to disable core components of blatantly unwanted software.
Let me be clear: You should not inject custom signatures into your new antivirus to remove your old antivirus. A partially damaged, corrupted antivirus is the last thing that you want on your endpoints. Not to mention you don't want two antivirus going to war with eachother's defense mechanisms.
I suspect you got this idea from Webroot's misguided documentation on this subject. Their example of removing Skype with WSA overrides sounds more like an endpoint management solution than purely an example using the name of a common piece of software. Overrides should only be used to disable core components of blatantly unwanted software.
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.