Bert_D
Lansweeper Employee

The below script will clear the anti-virus WMI class in the SecurityCenter or SecurityCenter2 namespace, depending on the Windows OS. After a reboot of the client machine, WMI will rebuild this class.

If you're running this script as a deployment package:

  • Copy the code below and save it as DelWMIAntivirus.vbs in the Program Files (x86)\Lansweeper\PackageShare\Scripts folder on your Lansweeper server.
  • Run the deployment package under your scanning credentials.

 

On Error Resume Next

' Read the Windows version string printed by "ver"
Set shell = CreateObject("WScript.Shell")
Set getOSVersion = shell.exec("%comspec% /c ver")
version = getOSVersion.stdout.readall

' Pick the Security Center namespace that matches the OS version
Select Case True
    Case InStr(version, "n 5.") > 1 : GetOS = 0 'Windows XP
    Case InStr(version, "n 6.") > 1 : GetOS = 1 'Windows Vista, 7, 8, 8.1
    Case InStr(version, "n 10.") > 1 : GetOS = 1 'Windows 10
    Case Else : GetOS = -1
End Select

strComputer = "."

' Windows XP: the class lives in root\SecurityCenter
If GetOS = 0 Then
    Set oWMI = GetObject( _
        "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")

    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    ' Delete every registered AntiVirusProduct instance
    For Each objItem In colItems
        objItem.Delete_
    Next
End If

' Windows Vista and later: the class lives in root\SecurityCenter2
If GetOS = 1 Then
    Set oWMI = GetObject( _
        "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter2")

    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    ' Delete every registered AntiVirusProduct instance
    For Each objItem In colItems
        objItem.Delete_
    Next
End If
3 REPLIES
antonioc
Engaged Sweeper

Hello,

I used this package for deployment, but below are the validations and the script.vbs to fix this AV issue.

Correction address:

https://community.spiceworks.com/t/check-the-wmi-repository-for-an-antivirus-product-that-is-not-ins...

Validation 1
Stop the service, remove or rename the folder, and start the service.

net stop winmgmt /y
ren %windir%\System32\wbem\Repository Repository.old
net start winmgmt

The device needs to be restarted to normalize the registry.

Validation 2
Manual - run wbemtest in cmd
Connect to the namespace root\SecurityCenter2
Enumerate the superclass instance AntivirusProduct
Remove the registry {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

There is a script below in VBS that allows deletion by searching for the AV name.

strPC = "."

' Connect to the Security Center namespace on the local machine
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strPC & "\root\SecurityCenter2")

Set colAV = objWMIService.ExecQuery("Select * from AntiVirusProduct")

' Delete only the instances whose display name contains the given text
For Each objItem In colAV
    If InStr(objItem.displayName, "AV Name") > 0 Then
        objItem.Delete_
    End If
Next
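
A read-only check to run before either deletion script in this thread, added here as an example and not code from the posters or from Lansweeper: it lists each AntiVirusProduct registration in root\SecurityCenter2 and flags those whose registered executable no longer exists on disk. The function name Test-AvRegistration and the Status labels are made up for this example.

```powershell
# Added example: audit AntiVirusProduct registrations without deleting anything.
# Test-AvRegistration and the Status values are hypothetical names for this sketch.
function Test-AvRegistration {
    param(
        # Object exposing displayName, instanceGuid and pathToSignedProductExe
        [Parameter(Mandatory)] $Entry
    )

    # The registered path may be quoted or contain %ProgramFiles%-style variables
    $raw  = [string]$Entry.pathToSignedProductExe
    $path = [Environment]::ExpandEnvironmentVariables($raw).Trim().Trim('"')

    if ([string]::IsNullOrWhiteSpace($path)) {
        $status = 'NoPath'        # nothing registered to check
    }
    elseif ($path -match '^[a-z][a-z0-9+.-]*://') {
        # A URI rather than a file (commonly seen: windowsdefender://),
        # so a file-existence test would be meaningless
        $status = 'UriHandler'
    }
    elseif (Test-Path -LiteralPath $path) {
        $status = 'Present'       # product binary is still on disk
    }
    else {
        $status = 'Stale'         # registration points at a missing file
    }

    [pscustomobject]@{
        DisplayName  = $Entry.displayName
        InstanceGuid = $Entry.instanceGuid
        ProductExe   = $path
        Status       = $status
    }
}

# Stops with an error if the namespace does not exist on this machine
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
    ForEach-Object { Test-AvRegistration -Entry $_ } |
    Sort-Object Status |
    Format-Table -AutoSize
```

Comparing the DisplayName and InstanceGuid of the entries reported as Stale against what is actually installed shows which registrations the name-based deletion would remove.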

 

chendricks
Engaged Sweeper
Also, make sure the "Security Center" and "Windows Firewall" services are enabled and running.
Bert_D
Lansweeper Employee
Additional information:

It might be that the VBScript engine is unavailable after McAfee antivirus installation.
This issue may be caused either by a broken VBScript registration or by McAfee antivirus.

For McAfee:

- Open a command prompt in elevated mode (run as administrator).
- Type "regsvr32 vbscript.dll"
- Open regedit and verify that HKLM\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 is pointing to vbscript.dll
On 64-bit machines the key is HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

There's a specific scenario when the key is overwritten by McAfee software, which changes the key's value to the McAfee script scanning DLL. In such a case please either uninstall McAfee then re-register vbscript.dll or contact McAfee support.

It's also possible that the same key may exist in the HKCU hive.
Please delete the whole HKCU\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8} tree in such a case.


Additional workaround: Please remove traces of McAfee using MCPR tool:

http://service.mcafee.com/FAQDocument.aspx?id=TS101331