Webroot uninstall works but Syncro still detects it

I haven’t had Webroot installed for months but Syncro still detects it. I have tried reinstalling and uninstalling again via policy. The policy change seems to successfully push the agent and uninstall it. However, after it uninstalls Syncro still thinks that it is there. See the attached screenshot.

You can try this removal script:

# Removes Webroot by force
# Run the script once, let it reboot, then run again, if WRCore still present, do in Safe Mode

# Webroot services
$Services = @('WRSA','WRCore','WRCoreService','WRkrn','WRSkyClient','WRSVC')

# Webroot registry keys
# (the numbered control sets are named ControlSet001/ControlSet002; "CurrentSet00x" does not exist)
$RegKeys = @(
	"HKLM:\SOFTWARE\Classes\``*\shellex\ContextMenuHandlers\WRShellExt",
	"HKLM:\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WRShellExt",
	"HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions\{43699cd0-e34f-11de-8a39-0800200c9a66}",
	"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c8d5d964-2be8-4c5b-8cf5-6e975aa88504}",
	"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST",
	"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WRUNINST",
	"HKLM:\SOFTWARE\Webroot",
	"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{43699cd0-e34f-11de-8a39-0800200c9a66}",
	"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c8d5d964-2be8-4c5b-8cf5-6e975aa88504}",
	"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST",
	"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\WRUNINST",
	"HKLM:\SOFTWARE\WOW6432Node\Webroot",
	"HKLM:\SOFTWARE\WOW6432Node\WRData",
	"HKLM:\SOFTWARE\WRData",
	"HKLM:\SYSTEM\ControlSet001\Services\WRBoot",
	"HKLM:\SYSTEM\ControlSet001\Services\WRkrn",
	"HKLM:\SYSTEM\ControlSet001\Services\WRSVC",
	"HKLM:\SYSTEM\ControlSet001\Services\wrUrlFlt",
	"HKLM:\SYSTEM\ControlSet001\Services\WRCore",
	"HKLM:\SYSTEM\ControlSet001\Services\WRCoreService",
	"HKLM:\SYSTEM\ControlSet001\Services\WRSkyClient",
	"HKLM:\SYSTEM\ControlSet002\Services\WRBoot",
	"HKLM:\SYSTEM\ControlSet002\Services\WRkrn",
	"HKLM:\SYSTEM\ControlSet002\Services\WRSVC",
	"HKLM:\SYSTEM\ControlSet002\Services\wrUrlFlt",
	"HKLM:\SYSTEM\ControlSet002\Services\WRCore",
	"HKLM:\SYSTEM\ControlSet002\Services\WRCoreService",
	"HKLM:\SYSTEM\ControlSet002\Services\WRSkyClient",
	"HKLM:\SYSTEM\CurrentControlSet\Services\WRBoot",
	"HKLM:\SYSTEM\CurrentControlSet\Services\WRCore",
	"HKLM:\SYSTEM\CurrentControlSet\Services\WRCoreService",
	"HKLM:\SYSTEM\CurrentControlSet\Services\WRkrn",
	"HKLM:\SYSTEM\CurrentControlSet\Services\WRSkyClient",
	"HKLM:\SYSTEM\CurrentControlSet\Services\WRSVC",
	"HKLM:\SYSTEM\CurrentControlSet\Services\wrUrlFlt"
)

# Webroot startup registry item paths
$RegStartupPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
	"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
)

# Webroot folders
$Folders = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Webroot",    
    "$env:ProgramData\WRCore",
    "$env:ProgramData\WRData",
    "$env:ProgramFiles\Common Files\Webroot\WebFiltering\wrflt.dll",
	"$env:ProgramFiles\Webroot",
	"${Env:ProgramFiles(x86)}\Common Files\Webroot",
    "${Env:ProgramFiles(x86)}\Webroot",
	"$env:SystemDrive\Users\All Users\WRCore",
	"$env:SystemDrive\Users\All Users\WRData",
	"$env:SystemDrive\Windows\System32\WRDll.x64.dll",
	"$env:SystemDrive\Windows\System32\wrusr.dll"
)

# Try to uninstall properly first
Start-Process -FilePath "${Env:ProgramFiles(x86)}\Webroot\WRSA.exe" -ArgumentList "-uninstall" -Wait -ErrorAction SilentlyContinue
Start-Process -FilePath "${Env:ProgramFiles}\Webroot\WRSA.exe" -ArgumentList "-uninstall" -Wait -ErrorAction SilentlyContinue
Start-Sleep 20

# Stop & delete Webroot services
function Kill-Services {
	ForEach ($Service in $Services) {
		Write-Host "Killing $Service"
		Stop-Process -Name $Service -Force -ErrorAction SilentlyContinue
		# Call sc.exe explicitly: in Windows PowerShell a bare "sc" is an alias for Set-Content
		sc.exe delete $Service
	}
}
# Let's run it twice to be sure
Kill-Services
Kill-Services

# Remove Webroot registry keys
ForEach ($RegKey in $RegKeys) {
    Write-Host "Removing $RegKey"
    Remove-Item -Path $RegKey -Force -Recurse -ErrorAction SilentlyContinue
}

# Remove Webroot registry startup items
ForEach ($RegStartupPath in $RegStartupPaths) {
    Write-Host "Removing WRSVC from $RegStartupPath"
    Remove-ItemProperty -Path $RegStartupPath -Name "WRSVC" -ErrorAction SilentlyContinue
}

# Remove Webroot folders
ForEach ($Folder in $Folders) {
    Write-Host "Removing $Folder"
    Remove-Item -Path "$Folder" -Force -Recurse -ErrorAction SilentlyContinue
}

# Remove other leftovers
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar" -Name "{97ab88ef-346b-4179-a0b1-7445896547a5}" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar" -Name "{97ab88ef-346b-4179-a0b1-7445896547a5}" -ErrorAction SilentlyContinue
Remove-Item "C:\Program Files (x86)\Common Files\wruninstall.exe" -ErrorAction SilentlyContinue
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk" -ErrorAction SilentlyContinue

# Gentle restart (reopens apps)
shutdown /g /f

If that doesn’t help, Windows Security Center is probably being dumb. You can go find the Webroot key (referenced in the last line; replace with yours if not accurate) and run this script:

#Windows Security Center AV Registration Removal

function enable-privilege {
    param(
        ## The privilege to adjust. This set is taken from
        ## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
        [ValidateSet(
            "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
            "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
            "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
            "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
            "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
            "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
            "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
            "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
            "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
            "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
            "SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
        $Privilege,
        ## The process on which to adjust the privilege. Defaults to the current process.
        $ProcessId = $pid,
        ## Switch to disable the privilege, rather than enable it.
        [Switch] $Disable
    )
   
    ## Taken from P/Invoke.NET with minor adjustments.
    $definition = @'
    using System;
    using System.Runtime.InteropServices;
     
    public class AdjPriv
    {
     [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
     internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
      ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
     
     [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
     internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
     [DllImport("advapi32.dll", SetLastError = true)]
     internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
     [StructLayout(LayoutKind.Sequential, Pack = 1)]
     internal struct TokPriv1Luid
     {
      public int Count;
      public long Luid;
      public int Attr;
     }
     
     internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
     internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
     internal const int TOKEN_QUERY = 0x00000008;
     internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
     public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
     {
      bool retVal;
      TokPriv1Luid tp;
      IntPtr hproc = new IntPtr(processHandle);
      IntPtr htok = IntPtr.Zero;
      retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
      tp.Count = 1;
      tp.Luid = 0;
      if(disable)
      {
       tp.Attr = SE_PRIVILEGE_DISABLED;
      }
      else
      {
       tp.Attr = SE_PRIVILEGE_ENABLED;
      }
      retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
      retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
      return retVal;
     }
    }
'@
   
    $processHandle = (Get-Process -id $ProcessId).Handle
    $type = Add-Type $definition -PassThru
    $type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
   
enable-privilege SeTakeOwnershipPrivilege 
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Security Center\Provider\Av\{DF901FA1-F926-253B-C464-B01C79DCAD48}", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::takeownership)
# You must get a blank acl for the key b/c you do not currently have access
$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$me = [System.Security.Principal.NTAccount]"SYSTEM"
$acl.SetOwner($me)
$key.SetAccessControl($acl)
   
# After you have set owner you need to get the acl with the perms so you can modify it.
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("SYSTEM", "FullControl", "Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
   
$key.Close()

# /f skips the Yes/No confirmation prompt, which would stall an unattended (RMM) run
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{DF901FA1-F926-253B-C464-B01C79DCAD48}" /f
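
To find the GUID that the last line of the script above refers to before deleting anything, the following read-only check lists every antivirus registration Windows Security Center holds and flags the ones whose product executable is no longer on disk. It is an added example, not part of the original post; it assumes a workstation edition of Windows (where the `root/SecurityCenter2` WMI namespace exists) and that each registration's `instanceGuid` is the subkey name under `Provider\Av`. The function name `Get-AvRegistration` is hypothetical.

```powershell
# Added example: read-only inventory of Security Center AV registrations.
# Assumption: each instanceGuid matches a subkey name under Provider\Av.
$ProviderRoot = 'HKLM:\SOFTWARE\Microsoft\Security Center\Provider\Av'

function Get-AvRegistration {
    # root/SecurityCenter2 is present on workstation editions of Windows only
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                -ClassName 'AntiVirusProduct' -ErrorAction Stop
    foreach ($p in $products) {
        # Paths may contain %ProgramFiles%-style variables or surrounding quotes
        $exe = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe).Trim('"')

        # Some products (e.g. Defender) report a URI rather than a file path;
        # only judge entries that look like a drive-letter path
        $isFilePath = $exe -match '^[A-Za-z]:\\'
        $exeOnDisk  = if ($isFilePath) { Test-Path -LiteralPath $exe } else { $null }

        $keyPath = Join-Path $ProviderRoot $p.instanceGuid
        [pscustomobject]@{
            DisplayName  = $p.displayName
            InstanceGuid = $p.instanceGuid
            ProductExe   = $exe
            ExeOnDisk    = $exeOnDisk
            KeyPresent   = Test-Path -LiteralPath $keyPath
            KeyPath      = $keyPath
            # Registered product whose executable is gone: candidate orphan entry
            LikelyStale  = ($isFilePath -and -not $exeOnDisk)
        }
    }
}

try {
    Get-AvRegistration | Sort-Object LikelyStale -Descending | Format-List
}
catch {
    Write-Warning "Could not query root/SecurityCenter2: $($_.Exception.Message)"
}
```

An entry with `LikelyStale : True` and a Webroot `DisplayName` gives the `InstanceGuid` to substitute into the ownership and `reg delete` lines above.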

This is another long way when I ran into the same issue. What I did to fix it was start to run the ESET removal tool that they have on their website. It worked. The other way I’ve got it to work is to manually locate the remaining uninstall.exe in the Webroot folder on the C drive and run it as administrator.

Looks like I forgot to mention, this is a Mac endpoint, running macOS 12.6.2

Ah. I have no idea then. Maybe some sort of Mac app cleanup utility? Contact support?

Hi @ari, if you are still having issues, can you please put in a support ticket?

Yes, I submitted to support a couple of days ago. I’m waiting on a response.