Solved

We want to remove webroot from the company wide endpoints- urgent!!

  • 16 January 2017
  • 11 replies
  • 158 views

We want to remove webroot from the company wide endpoints. How to accomplist this via centralized solution? Either by GPO, Power shell or task schedular or any other solution provided by you? We don't want to do this manually on each computer. Can we do this via running commants on each individual computers? Please send this solution asap.  Thanks.
icon

Best answer by coscooper 16 January 2017, 23:23

View original

11 replies

Userlevel 6
Badge +26
If you have access to the web console that these endpoints are managed, there are two options. If it's an entire site under a GSM (Global Site Manger), you can deactivate the entire site and it will auto-matically uninstall it'self. If it's not a GSM or under a GSM, then you can select all endpoints in the Group Management tab and send the deactive command to all endpoints.
 
This is the easist method for uninstalling more than one endpoint properly.
 
If you no longer have access to the management console, then the only option is boot into safe mode and uninstall manually on each endpoint. There is no method to centrally uninstall all of the endpoints outside of the management console. This is by design to ensure endpoints under management can not be programatically uninstalled if a network in compremised.
group management tab under webroot management console?
Userlevel 6
Badge +26
@ - correct. It's a tab at the site level where all endpoints show up. You can select all hosts with the check box on the left, then select the "Deactivate" button at the top and all endpoints will get the deactivate AND uninstall command. Deactivate puts the licenses back into the parent seat pool immediately.
 
Hope that helps.
do I need to reboot the system after deactivating? Because I still see webroot in my system?
Userlevel 6
Badge +26
Shouldn't have to reboot. The way it works is, the deactivate command gets sent to our server farm. The next time the agent checks in, it checks for commands to run. If the policy polling cycle is daily, then it could be 24 hours before the agent uninstalls itself.
 
A quick way to force it to check in is, select "Update Configuration" menu by right clicking the webroot icon in the system tray. This will force the agent to call home immediately. Select it a few times for good measure. If it gets the command properly, it will autouninstall.
after reboot, I still see this in my program and features and in web browser. Please hel me soon. Thanks.
Userlevel 7
@, please know that you can always reach out to our Support Team directly for technical assistance:
 
Business Technical Support: Call 1-866-254-8400
Open a Support Ticket: http://mysupport.webrootanywhere.com/supportwelcome.aspx?SOURCE=ENTERPRISEWSA
nothingworked! Even after rebbot, found software. We wanted to see a centrazed way of uninstalling this app. No user interface. Can we use GPO, TASK SCHEDULER OR POWER SHELL? Urgent!!
Userlevel 3
Badge +9
These guys seem to chuck 'Solved' on a thread at the drop of a hat don't they.
Userlevel 5
Badge +24
One note:
 
Assuming your Webroot agents are reporting to the GSM console correctly, you could use a script to change the following registry DWORD value:
 
HKLMSoftwareWow6432NodeWRDataActions
 
Set the DWORD value of UpdateNow to 1.  This will force a Webroot agent to poll the Webroot GSM, which, if it is communicating properly, will force the deactivation to proceed if the agent has already been set to Deactivated.
 
If the system is not communicating properly with the console (that is, it is in a state of "Not Seen Recently"), you will probably need to do a manual uninstall.
Userlevel 6
Badge +26
@ab01 - as was already stated, NO, there is no GPO, Powershell or other method to uninstall the agent across a network and this is done "by design".
 
FYI - The agent is a kernel level agent with the highest level privileges on a given endpoint so your core systems are protected while Webroot is on board. There is no way to gain those credentials using AD or any other way to elevate your domain wide credentials to kernel level. It's impossible and again, by design so no bad actor can compremise a network and shut all protection down across an entire network, which in effect, is what you're asking about.
 
As @DTMT mentioned, you can programatically tell all of your endpoints with WR onbaord to call home, but if the agent is having issues responding to the console, then your only option is to manually uninstall on each endpoint using safemode.
 
If you have a firewall with URL filtering of any sort, it may be blocking the agents ability to call home. Here are the URLs that the agent needs access to work properly.
 
Please allow for the following path masks through the firewall:
 
*.webrootcloudav.com
Agent communication and updates
*.webroot.com
Agent messaging
https://wrskynet.s3.amazonaws.com/*
https://wrskynet-eu.s3-eu-west-1.amazonaws.com/*
https://wrskynet-oregon.s3-us-west-2.amazonaws.com/*
Agent file downloading and uploading
*.webrootanywhere.com
 
 
 
Amazon specific:
https://wrskynet.s3.amazonaws.com/*
https://wrskynet-eu.s3-eu-west-1.amazonaws.com/*
https://wrskynet-oregon.s3-us-west-2.amazonaws.com/*
 
 
There is no other way other than from the console or locally manually at each machine.
 
You're always welcome to call support for additional input, but they have no other methods than what has been outlined here.

Reply