Solved

Webroot SecureAnywhere Uninstall methods fail

4 years ago
January 16, 2021
2 replies
324 views

NeedSupport
Fresh Face
1 reply

Uninstalling from Apps & Features or Appwiz.cpl fails with the above message. Logging in as Administrator does not work. Logging in Safe Mode doesn’t work. How do I remove this program from my Windows 10 system? Webroot Secureanywhere endpoint 9.0.29.62 -Protected is listed in Hidden Icons.

Best answer by coscooper

@NeedSupport - The agent is in self-protection mode to keep malicious actors from shutting down protection. The agent is tied to a managed console that someone else manages, hence that message and inability to arbitrarily uninstall the agent while it’s launched and part of the system kernel, which is why renaming application does nothing. This is actually a method bad actors attempt to shut down protection by booting into self-protection mode, changing application names and then boot back to normal sessions. However, there is a system kernel driver that launches during boot.

There are two options:

Have your client reengage with the previous service provider to invoke administrative commands in the console that will tell the agent to uninstall itself with console privileges.
There is a safemode option. Boot into safemode, launch CMD (runas admin) session accounts do not pass admin privs to CMD, so runas is best. Locate the wrsa.exe application and run wrsa.exe -uninstall - This is well documented in many locations in our support and KB areas.
Media not available

Hope this helps.

View original

Did this help you find an answer to your question?

This topic has been closed for comments

N

NeedSupport
Author
Fresh Face
1 reply
4 years ago
January 16, 2021

This app starts even when I remove it from the Startup folder. Starts in Safe Mode. I booted to an Admin CMD prompt, renamed the application so it would not start, rebooted, changed the name back to run the uninstaller and the app started up by itself again. My client doesn’t know how it got installed. This is his personal PC.

I have never seen anything other than MALWARE act like this. I will have to reboot to Admin CMD and rename the executable so it will not run until I get a response on how to actually uninstall this malware.

+26

coscooper
Manager, Channel Sales
219 replies
Answer
4 years ago
January 18, 2021

@NeedSupport - The agent is in self-protection mode to keep malicious actors from shutting down protection. The agent is tied to a managed console that someone else manages, hence that message and inability to arbitrarily uninstall the agent while it’s launched and part of the system kernel, which is why renaming application does nothing. This is actually a method bad actors attempt to shut down protection by booting into self-protection mode, changing application names and then boot back to normal sessions. However, there is a system kernel driver that launches during boot.

There are two options:

Have your client reengage with the previous service provider to invoke administrative commands in the console that will tell the agent to uninstall itself with console privileges.
There is a safemode option. Boot into safemode, launch CMD (runas admin) session accounts do not pass admin privs to CMD, so runas is best. Locate the wrsa.exe application and run wrsa.exe -uninstall - This is well documented in many locations in our support and KB areas.
Media not available

Hope this helps.

Shane Cooper | Manager, Channels Sales (RMM & Strategic Partners)

Related Topics

Unable to view moved boards from another teamicon

Article: How to find (and hopefully recover) a "lost" or "missing" board

I have a big problem, my life's project is gone!

lost my board

I just moved a board to a different account and lost edit access, but I'm the board owner....?

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded