Question

Webroot agent Unistallation

  • 20 March 2020
  • 8 replies
  • 116 views

Badge +3

I have multiple agents installed on users computers in my company. I do have an access to control panel and I can see agents over there but when I send a command to them and check if this command was executed in logs it says “elaspsed”.  Is this because the service already expired and I am not able to communicate with agents anymore?

I have read multiple threads on it and none of them solved my problem.
I tried to manually uninstall agents. Most of computers run on windows 10.

With CMD method “ WRSA.exe -uninstall” I get the prompt “do you really want to unistall ...” but nothing happens after it.   
I tired to unistal via control panel it also did not work 

Unfortunately running computers in safe mode is impossible because they have bitlocker installed and I do not have keys anymore. 


How do I unistall it via control panel without subscription?
Is there any other way to unistall it ? 

PS. Diffrent computers have diffrent versions of webroot installed 

I will greatly appreciate any advice


 


8 replies

Userlevel 6
Badge +17

@bartosz ,

Welcome to the community!

I’m going to tag in @coscooper on this one - He is one of our lead solutions engineers and will likely have an answer for you! 

-Keenan

Userlevel 6
Badge +21

@bartosz There are two issues at stake.

  1. Older versions of the agent; 9.0.26.x had issues with agent commands and were not being executed. (The issue was introduced with this version. Older versions than this work fine.) This was fixed with the latest release; 9.0.27.x or newer.
  2. Self protection. The -uninstall command will do nothing as it’s in self protection mode and requires administrative console access to send down the “Uninstall” or “Deactivate” command. (Which you’ve clearly attempted.)

Some options to consider.

  1. Resend or reapply the agent command “Uninstall”. If you have remote access to the endpoints in question AND the agent version is latest, 9.0.27.x, then it should uninstall without intervention. However, if it seems to still not uninstall, then try telling the agent to call home by: A) Update Configuration (Right click menu in system tray icon) and/or 😎 Start a local scan manually. Both of these tend to force the agent to call home and check in on all the servers it’s required to communicate, including the server farm holding the agent command.
  2. If you have older versions, then try the above to force the agent to call home and update itself. If it still does not update to 9.0.27.x to work better with agent commands, then try:
  3. Send down the “unmanaged” policy. Policy controls and assignment work on all versions as it’s a different command that was not problematic. From there, you can shutdown protection and stop the WRSVC. Reboot and you should be able to -uninstall. This is not 100% proven to work, but it’s one that has some success.
  4. For versions that are older and refuse to update, then there are some hard work arounds that may get the agent to uninstall. Locate the c:\programdata\wrdata\ folder and delete any file that has dst*.db (Basically, any file that starts with DST. Should be about 5). Can run a batch command or command line as well. (del C:\ProgramData\WRData\dst*.db) After these are gone, rerun the uninstall agent command from the web console, refresh config on devices remotely (or manually run a scan) and see what happens.

Give these a try and let us know how it goes.

Badge +3

Thank you very much coscooper. I will try this on Monday and get back to you.

Will I be able to do that even if agents status indicates “expired “and agents have not been seen for over 100 days ?

Also, I tried to push out different commands and one of them was to deactivate agent . I hoped this may help to uninstall agent. Unfortunately it did not help and the agent does not appear in the console anymore. Is there a way to activate it again? 
(I found this tutorial, 
https://docs.webroot.com/us/en/business/wsab_endpointprotection_adminguide/Content/ManagingEndpoints/DeactivatingEndpoints.htm
however my console looks different and I am not able to locate the missing agent in groups anymore)

Userlevel 6
Badge +21

@bartosz Expired agents and agents not seen in over 100 days may need to be handled different.

> Expired agents usually switch into unmanaged mode making them stand alone and you should be able to uninstall directly on the endpoint without console interaction. However, i’ve not tested this in some time.

> Not seen in XX days, means the agent is no longer operational and/or not installed, possibly. Remote access to those devices will determine its local status. If WR is still on the endpoint and not responding to our backend systems, could be a firewall blocking the URL they need to function or something else blocking it’s communication.

 

Deactivate actually does two things. 1-Tells your console that it’s no longer a device to manage which means it’s no longer considered an active license and 2-sends the uninstall command to the respective agent/endpoint.

NOTE:The uninstall commands live for 30 days in that server farm. After that they end and if the agent didn’t check in within 30 days of initiating these commands, they will stay installed and possibly active.

 

There are only two types of administrative consoles. Business or MSP with multiple business sites. (that article displays a site and the UI is the same for business (single site) MSP (multiple sites) . If you have something different, then it’s not a business console and could be a consumer console. If you DM me your key, i can investigate. However, both have Group Management tabs and you can “Reactivate” any agent that is displayed in the Deactive group and start managing them again.

Badge +3

Thank you so much for helping me in this process, it has been really a pain in the neck.
I am attaching a  screenshot of my dashboard, I hope this will be helpful (still can’t find deactivated

agent in groups).

 


Unfortunately, even though agents have already expired I am not able to uninstall them remotely. When I try to do that in control panel, usually agents disappear from control panel, but this does not uninstall them. I have also tried to run cmd as administrator and execute command

C:\Program Files (x86)\Webroot\WRSA.exe –uninstall

 Some of agents responded for it with captcha test, but still did not uninstall, rest of them do not respond on this command at all. 

 

You have mentioned that If I have remote access to an agent and I will force it to scan computer locally it may connect back to the dashboard, is this still possible even though they expired?

 

If a firewall can be blocking communication between dashboard and agents, what kind of communication agents use to communicate with dashboard (what kind of communication the firewall has to allow in order for them to start reporting back to the dashboard ).

 

Finally, is there any workaround option that will allow me to uninstall them if I will not be able to uninstall them via dashboard  ( except of save mode). How to check what mode an agent is operating on and is there a way to force it to operate in unmanaged mode?

Userlevel 7
Badge +55

@bartoszthe Uninstall command is without the (x86) as it’s always in Program Files!

"C:\Program Files\Webroot\WRSA.exe" -uninstall and include the Quotes!

 

 


https://docs.webroot.com/us/en/business/wsab_endpointprotection_adminguide/wsab_endpointprotection_adminguide.htm#ManagingEndpoints/RunningCommandsAtEndpoints.htm%3FTocPath%3DManaging%2520Endpoints%7C_____12

Badge +3

TripleHelix, thank you for the response. i tried both, program files and proigram files (x86). I always make sure that the WRSA.exe is located in the folder. Some agents after runnign this command display the “Are you sure you want to unistall” proimpt some of them doin’t. Even if they do display unistallation promp they still do not unistall.

Userlevel 7
Badge +55

TripleHelix, thank you for the response. i tried both, program files and proigram files (x86). I always make sure that the WRSA.exe is located in the folder. Some agents after runnign this command display the “Are you sure you want to unistall” proimpt some of them doin’t. Even if they do display unistallation promp they still do not unistall.


Try it again in Safe Mode with Networking!

Reply