2008-08-14

Removing Symantec AntiVirus via Script

As my company's IT Project Tech I was given the task of finding a replacement for our old desktop AntiVirus solution. That's not hard; the hard part was finding the most efficient way of removing the old AV clients (Symantec) from all of our workstations distributed across the country.

That's still not too hard, but there was a twist. Before I started with the company we had not stuck with a single client across the board for our desktops. One look at my software inventory showed I had not one, not two, but 4 different versions of Symantec AntiVirus on the network.

Each different version has its own unique registry key. For this purpose I will leave the script at its current length for example IDs of the various Symantec versions. Speaking of length, it's not the most elegant script, but it gets the job done. I plan to give it a once-over later on to see if I can't make it even better.

The one thing this script does not do is remove Live Update. I could not lash together a way to bypass Live Update's warning about removing the service. The warning didn't break the script, but it would require the user to click "Yes" and then continue with the next step. I didn't trust the users to read my e-mail instructing them to click the correct button, so I ended up using my new anti-virus' command console to remove Live Update.

When I find out how they do it so easily (because it runs so smoothly and erases any trace of it) I'll update the script.

To remove Live Update manually you need to run LSETUP.EXE located in one of the Symantec folders. It's either in C:\Program Files\Symantec\Live Update\ or in C:\Program Files\Symantec AntiVirus\. Run on its own, LSETUP.EXE installs Live Update, so you need to add the "/U" argument to the command:

"C:\Program Files\Symantec\Live Update\LSETUP.EXE" /U

That command will launch the uninstall process. You may also want to stop various services first. I did not need to, but you can do it with net stop:

cmd /c net stop "Symantec AntiVirus"

You can replace "Symantec AntiVirus" with any other service's name.

The other obstacle you may need to overcome is the password protection on the AntiVirus install. If you have a password requirement enabled, the script disables it via the registry.

Once the script has set those registry values to 0, it continues with the uninstall, also via the registry: it checks for each version's uninstall key and uses MsiExec.exe to silently uninstall the appropriate version.

Note: If your version is not listed you can find the registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\.

Here you go:





'------------------------------
'Author: Christopher Maddalena
'Date: June 20, 2008
'Purpose: Uninstall various Symantec Anti-Virus clients
'How: This script runs MsiExec.exe with SAV's uninstall registry key.
'------------------------------

Option Explicit
Call Main()
WScript.Quit(0)

Sub Main
    'Keep going if a single step fails. This has to sit inside the Sub,
    'before the work starts, or it never takes effect.
    On Error Resume Next

    Const HKEY_LOCAL_MACHINE = &H80000002

    Dim objShell, objRegistry, objFileSystem, tempFolder
    Dim strComputer, strKeyPath, strValueName, strValue, strSAV, strSAV0, strSAV1, strSAV2, strSAV3
    Dim strFolder0, strFolder1, strFolder2

    strFolder0 = "C:\Program Files\Symantec"
    strFolder1 = "C:\Program Files\Symantec AntiVirus"
    strFolder2 = "C:\Program Files\Common Files\Symantec Shared"

    strComputer = "."

    Set objShell = WScript.CreateObject("WScript.Shell")
    Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
    Set objFileSystem = WScript.CreateObject("Scripting.FileSystemObject")

    strValueName = "DisplayName"

    'Set registry values to disable the Symantec uninstall password
    objShell.RegWrite "HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security\LockUnloadServices", 0, "REG_DWORD"
    objShell.RegWrite "HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security\UseVPuninstallPassword", 0, "REG_DWORD"

    'GetStringValue leaves the output variable Null when the key or value is absent

    'Check for SAV 10.1.4000.4
    strSAV = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{46B63F23-2B4A-4525-A827-688026BE5E40}"
    objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strSAV, strValueName, strSAV0

    'Check for SAV 10.1.394.0
    strSAV = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}"
    objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strSAV, strValueName, strSAV1

    'Check for SAV 10.1.5000.5
    strSAV = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{78D891EF-9E2D-4FC8-A71F-E6F897BA1B21}"
    objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strSAV, strValueName, strSAV2

    'Check for SAV 10.0.2000.2
    'NOTE: this ID is identical to the 10.1.4000.4 entry above; confirm the
    'ID for 10.0.2000.2 under the Uninstall key before relying on it.
    strSAV = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{46B63F23-2B4A-4525-A827-688026BE5E40}"
    objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strSAV, strValueName, strSAV3

    'Each Run call uses window style 0 (hidden) and waits (True) for MsiExec
    'to finish, because Windows Installer handles only one uninstall at a time.

    'Remove SAV 10.1.4000.4 if installed
    If Not IsNull(strSAV0) Then
        objShell.Run "MsiExec.exe /norestart /q /x {46B63F23-2B4A-4525-A827-688026BE5E40} REMOVE=ALL", 0, True
    End If

    'Remove SAV 10.1.394.0 if installed
    If Not IsNull(strSAV1) Then
        objShell.Run "MsiExec.exe /norestart /q /x {A011A1DC-7F1D-4EA8-BD11-0C5F9718E428} REMOVE=ALL", 0, True
    End If

    'Remove SAV 10.1.5000.5 if installed
    If Not IsNull(strSAV2) Then
        objShell.Run "MsiExec.exe /norestart /q /x {78D891EF-9E2D-4FC8-A71F-E6F897BA1B21} REMOVE=ALL", 0, True
    End If

    'Remove SAV 10.0.2000.2 if installed
    If Not IsNull(strSAV3) Then
        objShell.Run "MsiExec.exe /norestart /q /x {46B63F23-2B4A-4525-A827-688026BE5E40} REMOVE=ALL", 0, True
    End If

    'Folder cleanup, left commented out:
    ' If objFileSystem.FolderExists(strFolder0) Then
    '     Set tempFolder = objFileSystem.GetFolder(strFolder0)
    '     tempFolder.Delete
    ' End If
    '
    ' If objFileSystem.FolderExists(strFolder1) Then
    '     Set tempFolder = objFileSystem.GetFolder(strFolder1)
    '     tempFolder.Delete
    ' End If
    '
    ' If objFileSystem.FolderExists(strFolder2) Then
    '     objFileSystem.DeleteFolder strFolder2, True
    ' End If
End Sub
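
The note above about finding an unlisted version under the Uninstall key can be scripted instead of browsed by hand. The following is an added example, not part of the original script: it only lists matching entries and removes nothing, and the match text "Symantec AntiVirus", the DisplayVersion lookup and the extra Wow6432Node path (the 32-bit view on 64-bit Windows) are assumptions about how the clients register themselves.

```vbscript
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
' Assumed DisplayName text; adjust it to what your software inventory shows
Const MATCH_TEXT = "Symantec AntiVirus"

Dim objRegistry, arrRoots, strRoot
Set objRegistry = GetObject("winmgmts:\\.\root\default:StdRegProv")

' Native Uninstall key plus the 32-bit view used on 64-bit Windows
arrRoots = Array( _
    "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", _
    "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall")

For Each strRoot In arrRoots
    ListMatches strRoot
Next

Sub ListMatches(strRoot)
    Dim arrSubKeys, strSubKey, strPath, strName, strVersion, lngResult

    ' A non-zero result means the key is missing or unreadable;
    ' a Null array means it has no subkeys
    lngResult = objRegistry.EnumKey(HKEY_LOCAL_MACHINE, strRoot, arrSubKeys)
    If lngResult <> 0 Then Exit Sub
    If IsNull(arrSubKeys) Then Exit Sub

    For Each strSubKey In arrSubKeys
        strPath = strRoot & "\" & strSubKey
        strName = Null
        objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strPath, "DisplayName", strName

        If Not IsNull(strName) Then
            If InStr(1, strName, MATCH_TEXT, vbTextCompare) > 0 Then
                strVersion = Null
                objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strPath, "DisplayVersion", strVersion
                If IsNull(strVersion) Then strVersion = "(no DisplayVersion)"

                ' For MSI installs the subkey name is the ID passed to MsiExec /x
                WScript.Echo strName & " | " & strVersion & " | " & strSubKey
            End If
        End If
    Next
End Sub
```

Run it with cscript.exe so each match prints to the console instead of opening a dialog box.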

3 comments:

Anonymous said...

Awesome - thanks man

Anonymous said...

Awesome - thanks man - It worked like a charm

Anonymous said...

Awesome - thanks man - It worked like a charm