Question

Webroot SecureAnywhere Uninstall methods fail

  • 16 January 2021
  • 2 replies
  • 226 views

Uninstalling from Apps & Features or Appwiz.cpl fails with the above message. Logging in as Administrator does not work. Logging in Safe Mode doesn’t work. How do I remove this program from my Windows 10 system? Webroot Secureanywhere endpoint 9.0.29.62 -Protected is listed in Hidden Icons.


2 replies

This app starts even when I remove it from the Startup folder. Starts in Safe Mode. I booted to an Admin CMD prompt, renamed the application so it would not start, rebooted, changed the name back to run the uninstaller and the app started up by itself again. My client doesn’t know how it got installed. This is his personal PC.

 

I have never seen anything other than MALWARE act like this. I will have to reboot to Admin CMD and rename the executable so it will not run until I get a response on how to actually uninstall this malware.

Userlevel 6
Badge +26

@NeedSupport - The agent is in self-protection mode to keep malicious actors from shutting down protection. The agent is tied to a managed console that someone else manages, hence that message and inability to arbitrarily uninstall the agent while it’s launched and part of the system kernel, which is why renaming application does nothing. This is actually a method bad actors attempt to shut down protection by booting into self-protection mode, changing application names and then boot back to normal sessions. However, there is a system kernel driver that launches during boot.

There are two options:

  1. Have your client reengage with the previous service provider to invoke administrative commands in the console that will tell the agent to uninstall itself with console privileges.
  2. There is a safemode option. Boot into safemode, launch CMD (runas admin) session accounts do not pass admin privs to CMD, so runas is best. Locate the wrsa.exe application and run wrsa.exe -uninstall - This is well documented in many locations in our support and KB areas. 

     

Hope this helps.

Reply