Delete AntiVirusProduct WMI

Bert_D · ‎11-18-2014

The below script will clear the anti-virus WMI class in the SecurityCenter or SecurityCenter2 namespace, depending on the Windows OS. After a reboot of the client machine, WMI will rebuild this class.

If you're running this script as a deployment package:

Copy the code below and save it as DelWMIAntivirus.vbs in the Program Files (x86)\Lansweeper\PackageShare\Scripts folder on your Lansweeper server.
Run the deployment package under your scanning credentials.

On Error Resume Next
 
Set shell = CreateObject("WScript.Shell")
Set getOSVersion = shell.exec("%comspec% /c ver")
version = getOSVersion.stdout.readall
 
Select Case True
   Case InStr(version, "n 5.") > 1 : GetOS = 0 'Windows XP
   Case InStr(version, "n 6.") > 1 : GetOS = 1 'Windows Vista, 7, 8, 8.1
   Case InStr(version, "n 10.") > 1 : GetOS = 1 'Windows 10
   Case Else : GetOS = -1
End Select
 
strComputer = "."
If GetOS = 0 Then          
    Set oWMI = GetObject( _
      "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")
       
    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")
     
    For Each objItem In colItems
        objItem.Delete_
    Next
End If
     
If GetOS = 1 Then  
    Set oWMI = GetObject( _
      "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter2")
       
    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")
     
    For Each objItem In colItems
        objItem.Delete_
    Next
  
End If

antonioc · ‎08-16-2024

Hello,

I used this package for deployment, but below are the validations and the script.vbs to fix this AV issue.

Correction address:

https://community.spiceworks.com/t/check-the-wmi-repository-for-an-antivirus-product-that-is-not-ins...

Validation 1
Stop the service, remove or rename the folder, and start the service.

net stop winmgmt /y
ren %windir%\System32\wbem\Repository Repository.old
net start winmgmt

The device needs to be restarted to normalize the registry.

Validation 2
Manual - run wbemtest in cmd
Connect to the namespace root\SecurityCenter2
Enumerate the superclass instance AntivirusProduct
Remove the registry {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

There is a script below in VBS that allows deletion by searching for the AV name.

strPC = "."

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
strPC & "\root\SecurityCenter2")

Set colAV = objWMIService.ExecQuery("Select * from AntiVirusProduct")

For Each objItem In colAV
If InStr(objItem.displayName, "AV Name") > 0 Then
objItem.Delete_
End If
Next

chendricks · ‎04-06-2016

Also, make sure the "Security Center" and "Windows Firewall" services are enabled and running.

Bert_D · ‎11-20-2014

Additional information:

It might be that VBScript engine is unavailable after McAfee antivirus installation.
This issue may be caused either by a broken VBScript registration or by McAfee antivirus.

For McAfee:

- Open a command prompt in elevated mode (run as administrator).
- Type "regsvr32 vbscript.dll"
- Open regedit and verify that HKLM\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 is pointing to vbscript.dll
On a 64-bit machines the key is HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

There's a specific scenario when the key is overwritten by McAfee software, which change the key's value to McAfee script scanning DLL. In such a case please either uninstall McAfee then re-register vbscript.dll or contact McAfee support.

It's also possible that the same key may exist in HKCU hive.
Please delete the whole HKCU\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8} tree in such case.

Additional workaround: Please remove traces of McAfee using MCPR tool:

http://service.mcafee.com/FAQDocument.aspx?id=TS101331

Delete AntiVirusProduct WMI

New to Lansweeper?

Try Lansweeper For Free