Question

Agent uninstall command from console not working

  • 17 April 2020


Hi:

I am testing the usage of the WSA for business and the agent commands. One of which I need to use is the “uninstall command” so that I can remove the program from computers owned by users that leave the company, or for any other multitude of reasons.

The agent refresh is set at 15 minutes.

I manually refresh the WSA client.

Nothing happens, I even reboot.

Now over one hour later, still nothing.

Is this a feature that is expected to work?

Version 9.0.29.9

Windows 10 1909 18363,778.

I can’t distribute the software if I cannot uninstall the agents.

Any help is welcome.


2 replies


It is now the next day.

Webroot SecureAnywhere for Business Endpoint Protection did uninstall within 24 hours as it explains. I don’t know when, which brings me to the following.

Is there a way from the console to find out:

  1. That the client is no longer installed?
  2. When the client was uninstalled?
  3. Why the client was uninstalled?

In the command log on the Webroot console, I see the uninstall command being executed, but as I was logged in at the time, the command was not executed on the endpoint at the time it is recorded on the console.

I searched in the Windows event logs but I could not find any record of the Webroot software uninstalling.

  1. Is there somewhere something that would indicate when the Webroot software was uninstalled on the client?

If there was an event entered in the Windows Event Log I’d be able to search our Centralized Event Log Server, as the client forwards all events.

I ask this because since we work in a regulated environment all actions need to be recorded and enough information needs to be available to provide the answer to what, where, when, why and how, in order to support any legal forensic analysis.

David


@David Woodson 

In regards to faster “uninstall” there are a few options you may consider.

  1. Try sending a specific Poll Home command in command shell with Run as Admin enabled.
    C:\Program Files (X86)\Webroot\wrsa.exe -poll (This seems to be more consistent than “refresh” config.) Also, if WRSA was installed in 64-bit programs folder, c:\Program Files\Webroot\Wrsa.exe -poll will need to be used.
  2. Turn down the UAC of the device in question for a short duration. We are anecdotally finding that UAC may be getting in the way. This is being tested.
  3. For detection, if you have a system monitor, then the most used variable is to check the WRSVC service. If it’s no longer present, then it’s uninstalled or gone.
  4. Currently there are no system events specifically related to “uninstall” - but you can check services, registry and whether the wrsa.exe is still present on endpoints.

For console awareness in a SaaS model, reliance on the agent “calling home” is the only option. The console cannot reach out to an agent due to architecture and network reliance, so it’s all on the agent to check in and report status. So, there really isn’t a way for the console to truly know status.

Hope this helps.

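One way to get the forwardable audit record asked about above, using the checks suggested in the reply (WRSVC service and wrsa.exe presence). This is an added example, not part of the thread and not Webroot tooling. It assumes Windows PowerShell 5.1 run elevated from a scheduled task; the event source name, event IDs and state file path are hypothetical, and the registry is not checked because the thread does not name a key.

```powershell
# Added example: record a Windows event when the Webroot agent appears or disappears.
# Hypothetical names (not from Webroot): event source, event IDs, state file path.
$ErrorActionPreference = 'Stop'

$source    = 'WSA-PresenceCheck'
$stateFile = Join-Path $env:ProgramData 'wsa-presence.state'
$paths     = @(
    'C:\Program Files (x86)\Webroot\wrsa.exe',   # 32-bit install location from the reply
    'C:\Program Files\Webroot\wrsa.exe'          # 64-bit install location from the reply
)

# Check 1: is the WRSVC service still registered?
$service  = Get-Service -Name 'WRSVC' -ErrorAction SilentlyContinue
# Check 2: is the agent binary still on disk?
$binaries = @($paths | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })

# 'Partial' covers a half-removed agent (service gone but binary left, or the reverse).
$state = if ($service -and $binaries.Count -gt 0) { 'Present' }
         elseif (-not $service -and $binaries.Count -eq 0) { 'Absent' }
         else { 'Partial' }

# Last state seen by a previous run, so only transitions are logged.
$previous = 'Unknown'
if (Test-Path -LiteralPath $stateFile) {
    $previous = Get-Content -LiteralPath $stateFile -TotalCount 1
}

$svcText = if ($service) { [string]$service.Status } else { 'not installed' }
$binText = if ($binaries.Count -gt 0) { $binaries -join '; ' } else { 'none' }
$message = "Webroot agent presence: $state (previous: $previous). " +
           "WRSVC service: $svcText. wrsa.exe found at: $binText."

if ($state -ne $previous) {
    # Registering a source needs administrator rights; done once per machine.
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    $id   = if ($state -eq 'Present') { 1000 } else { 1001 }
    $type = if ($state -eq 'Present') { 'Information' } else { 'Warning' }
    Write-EventLog -LogName Application -Source $source -EventId $id `
                   -EntryType $type -Message $message
    Set-Content -LiteralPath $stateFile -Value $state
}

$message   # also emit the result for the task's own output
```

The event timestamp bounds the removal time to the task's run interval; it records that the agent is gone, not why, so the "why" still has to be correlated with the console's command log.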