Every once in a while, for whatever reason, we'll notice that certain endpoints will randomly give us a false positive message stating that the antivirus has been removed by the user. We know that none of those actually are true because of the fact that there needs to be a password in order to uninstall the antivirus software. Furthermore, the WSC reported product will show show up with Kaspersky Endpoint 10. For the few times this happens, I find that running an reinstall from the VSA will get it back to normal, but I feel like something's gotta give when it comes to our VSA randomly giving us these "removed by user" false positives.
Has anyone else experienced this particular issue?
Yep, this is a well-known 'feature' of the Kaspersky module. If, for whatever reason, a local Kaspersky installations fails to send a sort of hartbeat to the VSA, the status is set to 'Removed by user'.
We've seen it many times and have experienced firsthand it was never an important enough issue to fix, for Kaseya.
This issue, combined with all the other fun things you need to spend time on to keep these Kaspersky installations healthy, has made us decide to abondon this as a bad deal. We're migrating about 6500 installs from Kaspersky to Webroot and are very happy with the results....
dczarnecki we have had exactly the same issues for a couple of years with both KAM and KAV and have had many tickets raised for it. As OudjesEric has said, the issue in both cases is caused by a timeout. The agent taskrunner looks in the registry for HKLM\Software\Wow6432Node\KasperskyLab\Components\34\Connectors\KES and if it times out before getting the value from the registry (the machine may be busy for a few seconds or the connection heavily loaded for instance), it believes the key is missing, then the VSA shows that KAV has been uninstalled by the user and if using alert profiles and alert will be generated.
This has proved embarrassing in a few instances when the customer has been contacted by an engineer. We have also recently moved a similar number of installs as OudjesEric away from KAV to Kaspersky using Kaspersky Security Centre to manage it all. KAV is an absolute nightmare to keep on top as it is too unpredictable - something support has agreed with many times.
if you want to link to our tickets at all, use 326138 and 314456.