Question

Taking over WEBROOT from an uncooperative Admin

  • 10 July 2022

Hello,

I am taking over an account that had an uncooperative ex-admin. We were able to re-password and secure everything EXCEPT for Webroot AV. We use Ninja and Bitdefender.

We are unable to remove Webroot because we don't have access to the web portal. The uncooperative admin is NOT an MSP, it's an EX EMPLOYEE. The ex-employee used their personal email as the address to manage the Webroot instance, so resetting the password is not an option.

Has anyone been through this with Webroot? Speaking to Webroot support, they seem to indicate that there is no way to get the software removed without gaining access to the portal. They would not offer a removal tool or other ideas other than activating the NINJA API with Webroot. We did that, and we did get API alerts to work, but nothing will remove through the API access either.

I've found removal tools online that did not remove, and I've tried the uninstall command line switch as admin which also did not work. Even Sentinel has an uninstaller that works, even if it IS a pain to use... so I have to believe that something exists.

Advice is appreciated, thanks!


2 replies

@alphayash  Perhaps check with your Webroot AM and Webroot Support if they can add your business email account to the portal so you can access it from there. That is why we always have at least 2 accounts as admins, and never a private mail address linked to it, always a corporate one. 

@alphayash 

It’s pretty much true, that without access, you can’t easily remove the agent. Below are the steps to do a complete manual removal of the agent for both PC and MAC.

(prep yourselves as this is a long post).

Everything for Windows Agents MUST be done through Safe mode.

For PC:

Try "C:\Program Files (x86)\Webroot\WRSA.exe" -uninstall from a Run command

If not, follow this (all From Safe Mode):

1. Go into Services and set the following services to disabled. (WRCoreService, WRSkyClient, WRSVC)
2. Look under Program Files and Program Files (x86) for any Webroot folder and delete
3. Under ProgramData look for and delete the WRData folder
4. Open an elevated command prompt with admin priv and run the following commands:
- "SC Delete WRSVC" (without quotes) and hit enter
- "SC Delete WRCoreService" (without quotes) and hit enter
- "SC Delete WRSkyClient" (without quotes) and hit enter
That'll remove the Webroot services
5. Under ProgramData look for and delete the WRData or WRCore folders
6. Open regedit and under HKEY_CURRENT_USER\SOFTWARE find and delete the WRData key
7. And under File Explorer in C:\Windows\System32\drivers find and delete the following two files:
wrkrn.sys
and
wrUrlFlt.sys


https://community.webroot.com/webroot-business-endpoint-protection-20/unable-to-uninstall-287436?postid=287447#post287447

For MAC:

Below you will find the sudo commands that remove Webroot from the agent so that no traces of the agent remain.

This ensures all remaining files from the previous install are removed

1. Go into your Applications Folder. From there go into Utilities Folder.
2. Then go into the Terminal.
3. Type in the following first exactly as it appears and then press Enter:

sudo su -

4. It will then ask for your Apple password. Enter it in. Note that nothing will appear when you enter the password. Just enter it and then press enter.
5. After where it says "root# " Copy and paste the Following exactly as it appears and then press Enter.

launchctl unload /Library/LaunchDaemons/com.webroot.security.mac.plist
kextunload /Library/Extensions/SecureAnywhere.kext
kextunload /System/Library/Extensions/SecureAnywhere.kext
rm /usr/local/bin/WSDaemon
rm /usr/local/bin/WFDaemon
killall -9 WSDaemon
killall -9 WFDaemon
killall -9 "Webroot SecureAnywhere"
rm -rf /Library/Extensions/SecureAnywhere.kext
rm -rf /System/Library/Extensions/SecureAnywhere.kext
rm -rf "/Applications/Webroot SecureAnywhere.app"
rm /Library/LaunchAgents/com.webroot.WRMacApp.plist
rm /Library/LaunchDaemons/com.webroot.security.mac.plist
rm ~/Library/Preferences/com.webroot.WSA.plist
rm ~/Library/Preferences/com.webroot.Webroot-SecureAnywhere.plist
rm -rf ~/Library/Application\ Support/Webroot
rm -rf /Library/Application\ Support/Webroot

 

Hope this helps

John H
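
Added example (not part of the post above, and not Webroot's own tooling): a shell check for a Mac that lists which of the paths named in the removal commands still exist afterwards. Because `sudo su -` opens a root login shell, `~` in those commands resolves to root's home directory, so this check looks in every home under /Users as well; the ROOT argument, the `--scan` switch and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list Webroot leftovers on a Mac after the removal commands.
# ROOT (default "/") is a hypothetical parameter so the check can also be
# pointed at a mounted volume or a constructed test tree.

# System-wide paths, taken from the removal commands in the post.
SYSTEM_PATHS='Library/LaunchDaemons/com.webroot.security.mac.plist
Library/LaunchAgents/com.webroot.WRMacApp.plist
Library/Extensions/SecureAnywhere.kext
System/Library/Extensions/SecureAnywhere.kext
usr/local/bin/WSDaemon
usr/local/bin/WFDaemon
Applications/Webroot SecureAnywhere.app
Library/Application Support/Webroot'

# Per-user paths (the "~/Library/..." lines in the post).
USER_PATHS='Library/Preferences/com.webroot.WSA.plist
Library/Preferences/com.webroot.Webroot-SecureAnywhere.plist
Library/Application Support/Webroot'

# Print each path from a newline-separated list that exists under a base dir.
existing_under() {
    printf '%s\n' "$2" | while IFS= read -r p; do
        if [ -e "$1/$p" ]; then printf '%s\n' "$1/$p"; fi
    done
}

# Print every leftover found under ROOT, one per line.
webroot_leftovers() {
    root="${1:-/}"; root="${root%/}"
    existing_under "$root" "$SYSTEM_PATHS"
    # In a root login shell "~" is root's home, so check that home and
    # every home under /Users instead of relying on "~".
    for home in "$root/var/root" "$root"/Users/*; do
        if [ -d "$home" ]; then existing_under "$home" "$USER_PATHS"; fi
    done
    return 0
}

# Number of leftovers; 0 means none of the listed paths remain.
webroot_leftover_count() {
    webroot_leftovers "${1:-/}" | wc -l | tr -d ' '
}

# Run as: sh webroot_audit.sh --scan [ROOT]
case "${1:-}" in --scan) webroot_leftovers "${2:-/}" ;; esac
```

The check covers files on disk only; it does not report a daemon or kernel extension that is still loaded until the next reboot.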

 
