Disable Bash Driver Symantec


Getting away from the Linux game a bit, I thought I would share a gem from my Windows side of things. This is how to remotely and silently remove Symantec's Antivirus Corporate Edition from Windows computers. I wanted to remove the antivirus programs remotely because the computers are too far away and my chair is rather comfortable, having been moulded to my ample behind. I also wanted to do this removal silently, both to allow the end users to continue working undisturbed and, as an added bonus, so that I don't have to talk to them and have them put me off because they are just too busy at that moment.

The corporate edition of Symantec's antivirus suite (version 10.x, BTW) has a great tool for remotely installing to client computers, but it has a nasty habit of not wanting to upgrade its minor version. That is to say, it goes through the motions and talks the talk, but it just didn't walk the walk. This means that there were several computers floating around using an older version of the antivirus program, and they weren't updating to the server. Nope, not good at all. Unfortunately, while I could install, there was no way to remotely uninstall. This is where I started talking to my good friend Google again, and after several conversations we worked out a method of remotely and silently uninstalling those wayward antivirus programs so I could install (again remotely) the updated versions and have everything working hunky dory again.

What I first needed to do was find out how it manually uninstalls. This is found by going to the (I am not on a Windows machine at the moment, so this is going from memory) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry key and looking for the subkey dealing with uninstalling Symantec antivirus. For version 10.0 it is {BA4B71D1-898E-4306-AE87-8BA7A596F0ED} (that's not from memory :) There is even a line there showing what program it calls to actually uninstall, which is (surprise, surprise) MsiExec.exe.

Just typing that line in a console starts the removal process just as if you had called it from Add and Remove Programs. That is not what we want, however. The actual line needed, with all of the proper arguments, is:

    MsiExec.exe /norestart /q/x{BA4B71D1-898E-4306-AE87-8BA7A596F0ED} REMOVE=ALL

Typing msiexec /? will give you a dialog box with what all the arguments mean, but basically it just tells Windows to remove that program and all of its parts quietly, with no fuss, and not to reboot when it has finished. Nothing would upset an end user more than having the computer reboot on them when they were just about to save a presentation that they had worked on for four hours.

This is not the end of it, though. First, the command is run locally, so you still have to be sitting in front of the computer and have the end user breathing down your neck. Secondly, the corporate edition of Symantec's antivirus can require a password to be uninstalled. Actually, it should require a password to be uninstalled or you haven't done your job properly. This can all be fixed from the comfort of our well-worn chair.

First, to fix the password issue, we can start up regedit and, from the File menu, connect via the network to the remote machine's registry. Then navigate to the following key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security]

In that key, make sure the two following values, 'LockUnloadServices' and 'UseVPUninstallPassword', are zero. That takes care of the password asking problem.

Finally, the last thing we need to do is remotely execute the msiexec program. This is done with a great set of tools that were originally done by Sysinternals, which has since been bought out by Microsoft. They are called PsTools and are freely downloaded from the Microsoft web site. The particular tool I used is called psexec and is used for remotely running a command on a machine.

So to uninstall Symantec's antivirus program, all I had to do was type the following line from a command prompt:

    psexec \\computer_name MsiExec.exe /norestart /q/x{BA4B71D1-898E-4306-AE87-8BA7A596F0ED} REMOVE=ALL

Lo and behold, the remote computer dutifully uninstalls that pesky virus program, ready for a fresh install. The good thing about this is the end users have no idea what just happened and, more importantly, they had no interruption to their work. Most importantly, I didn't have to get up from my chair :)

There is one caveat. The account that you do all this work under has to have domain administrator privileges, and the remote computer has to be joined to said domain. So random hackers, you're out of luck. This operation is only for legitimate purposes. The most helpful reference I got from Google is this page from www.appdeploy.com and Symantec's website.
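The procedure above leaves a recognisable trace in process-creation logs: msiexec.exe uninstalling the antivirus product code with a quiet switch, started by PSEXESVC.exe, the service PsExec runs on the target. The following is an added example, not part of the original post, of detection logic for that trace; the event field names, host names and sample records are constructed assumptions.

```python
import re

# Product code named in the post (Symantec AntiVirus 10.0); extend with the
# product codes of the security tools deployed in your own environment.
WATCHED_PRODUCT_CODES = {"{BA4B71D1-898E-4306-AE87-8BA7A596F0ED}"}

# msiexec switches can be run together ("/q/x{GUID}") as in the post's command,
# so each switch is matched anywhere in the line rather than split on spaces.
UNINSTALL_RE = re.compile(r"[/-](?:x|uninstall)\s*(\{[0-9A-Fa-f-]{36}\})", re.I)
QUIET_RE = re.compile(r"[/-](?:q[nbrf]?|quiet|passive)(?![a-z])", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an alert for an msiexec uninstall of a watched product, else None."""
    if _basename(event["image"]) != "msiexec.exe":
        return None
    match = UNINSTALL_RE.search(event["command_line"])
    if not match or match.group(1).upper() not in WATCHED_PRODUCT_CODES:
        return None
    return {
        "host": event["host"],
        "product_code": match.group(1).upper(),
        # Quiet removal means nobody at the console saw a prompt.
        "silent": bool(QUIET_RE.search(event["command_line"])),
        # PSEXESVC.exe as parent means the command arrived via PsExec.
        "remote_exec": _basename(event["parent_image"]) == "psexesvc.exe",
    }


def alerts(events):
    return [a for a in map(classify, events) if a]


SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"host": "WS-014", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\PSEXESVC.exe",
     "command_line": "MsiExec.exe /norestart /q/x{BA4B71D1-898E-4306-AE87-8BA7A596F0ED} REMOVE=ALL"},
    {"host": "WS-020", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "msiexec.exe /x {BA4B71D1-898E-4306-AE87-8BA7A596F0ED}"},
    {"host": "WS-031", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"msiexec.exe /i C:\temp\viewer.msi /qn"},
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```

An alert with both `silent` and `remote_exec` set that does not line up with a planned redeployment is the case to investigate first.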


I was wondering how those client software products protect themselves from worms / malware etc. Symantec protects their files from malicious users / admins with the tamper protection mechanism, but sometimes for troubleshooting it needs to be disabled.


This is how to stop the service: https://support.symantec.com/en_US/article.TECH192023.html

But, if a user can do it, can't a malicious worm do it as well? Which causes the whole protection to be useless?

Anders
ArielB


2 Answers

You are correct. Not just this feature, but antivirus in general, can be bypassed. That doesn't mean it's useless - it can be quite useful because it stops a lot of known threats and threat actors have to do a lot of work to bypass it.

So deploy antivirus by all means. But also know its limitations. Don't rely on antivirus alone to keep you secure.

Mark Koek

In order for malware to disable anti-malware protection, it typically needs to escalate its privileges to admin levels. And that's what the anti-malware tools prevent.

So sure, an admin level malware could do that, but in most cases that would be pointless, as it already has admin access and can do anything it wants.

In summary - no, anti-malware and antivirus are valuable in stopping many types of attacks.

Rory Alsop
