Kaseya Community

Agent procedure to remove KAV and KAM

Does anyone have a script that can uninstall Kaspersky and Malwarebytes? I know I can do this through the KAV/KAM modules, but I'm looking for an agent procedure.

I'm rolling out Webroot to replace them, and what I want to do is have a script that can check for the existence of Webroot then remove both KAM and KAV. Doing it through the security modules is more of a manual process and harder to keep track of when doing a lot of clients.

Verified Answer
  • Here is the command that has worked for us in the past. I haven't used it in a while, so I don't know if it has changed at all with recent versions. I put this in an ExecuteShellCommand step with Run as: Execute as System.

    msiexec.exe /x #MSI_GUID# /qn /l*v C:\kworking\kavuninstall.log KLPASSWD="#KAV_PASSWORD#" KLLOGIN="#KAV_USER#"

    Hope this helps.

    Nate

All Replies
  • Procedure Download KAV Remover.xml

    Removing through the KAV/KAM module will be cleaner in the long run and leveraging a 'View' of Webroot Exe (wrsa.exe) will make it easier to isolate the removal process. (We just finished the transition to Webroot.) That being said, I attempted the procedure as a cleanup utilizing various configs of the line:

    msiexec /x {7A4192A1-84C4-4E90-A31B-B4847CA8E23A} KLLOGIN="KLAdmin" KLUNINSTPASSWD="YourPassword" /qn /l*v "#AgentWorkingDirectory#\KAVlog.txt"  

    I also tried with the Hex switches

    msiexec /x {7A4192A1-84C4-4E90-A31B-B4847CA8E23A} KLLOGINHEX="4b4c41646d696e" KLPASSWDHEX="YourPasswordInHEX" /qn /l*v "#AgentWorkingDirectory#\KAVlog.txt"

    Very little success was found, and attempting to escalate through Kaseya led to the recommendation to run (uninstall) through the module. Also, their recommendation if you receive a "Failed Uninstall" was to run a "Repair" then attempt the uninstall again. That worked for 99% of the remaining removals, and the last 1% were removed utilizing KAVRemover.exe manually. (I have attached that procedure.)

    Note: I did run into a few that had the Login when running KAVRemover as [blank] rather than KLAdmin as the default.

    I can get you the KAV MSIExec procedure if you still want it but as I mentioned - it was more of a waste of time.

  • Thank you. This worked, and I used a Malwarebytes cleanup utility to run a silent uninstall of that.

  • If you only remove the program from the endpoint and not the integration, you are going to end up with loads of KALUA scripts attempting to continue to run from the endpoint, filling up UserProfiles\@MsgQueIn and making a load of errors in your system logs.  Coming from someone who did this with broken installations. 



    Updated incorrect data.
    [edited by: Kristin Muntz at 6:24 AM (GMT -8) on Nov 7, 2017]
  • These procedures or solutions were provided to me by Kaseya Support and modified for my needs. You may not feel comfortable using them, if not, contact Kaseya Support - disclaimer here of non-liability for screwing up your endpoints/database with these procedures.

    Procedure to clean up KaLua/KAV-KAM Classic.

    Procedure KAV Classic - Endpoint cleanup.xml

    Procedure to clean up vestigial files on the endpoint.

    Procedure KAV - vestigial file cleanup.xml

  • After I manually (or through script) remove KAV and KAM, it generally shows up as "Removed by User" in the module. Once it shows that, should I still be having the failed KALUA scripts, or does it know it's not installed anymore?

  • Check your Kaseya folder in UserProfiles\@MsgQueIn for KALUA files with this sort of data inside:

    {"DateTime":"13:16:38 10 19 2017", "EventId":100001, "Message1":"kav_threatMonitor: Kaspersky Path not found in registry", "Message2":"", "Message3":"", "Message4":""}

    The filename will be something like "796510545837652-7f0c38221d348dc-out34538.kalua" where the first number sequence is the agent guid - you can find the name of the matching agent easily by opening the folder in userprofiles with that agentguid and looking in the KaseyaD.ini for the endpoint name.

    So, if you are seeing those, that means that it's still attempting to run KaLua scripts on the endpoint side and you need the cleanup, otherwise those files will just continue to pile up.  By the time we figured out it was a problem, there were over 300k files in that folder.  It was absolutely impacting the server performance.

  • My @MsgQueIn folder has 131k files in it but they date back to when we first built this server and they're not all .kalua

    Did you work with support to clean up this folder?

  • Yes, I did. As I understand it, this directory is polled constantly for incoming data and should not have files sitting in it; if there are any there for more than a few minutes, it indicates an issue.
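
A read-only way to check for the backlog described in the posts above: stale .kalua files in @MsgQueIn, grouped by the agent GUID at the start of each file name. This is an added example, not part of the thread and not Kaseya tooling; the function name, the 5-minute threshold and the demo folder are assumptions, and the sample files are constructed from the file name and JSON quoted in the thread.

```powershell
# Added example (not from the thread). Read-only: it reports, it deletes nothing.
function Get-KaluaBacklog {
    param(
        [Parameter(Mandatory)][string]$QueuePath,  # your ...\UserProfiles\@MsgQueIn folder
        [int]$StaleMinutes = 5                     # assumed reading of "a few minutes"
    )
    $cutoff = (Get-Date).AddMinutes(-$StaleMinutes)
    Get-ChildItem -LiteralPath $QueuePath -Filter '*.kalua' -File |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            # The first number sequence in the file name is the agent GUID.
            $guid = ($_.Name -split '-', 2)[0]
            $msg  = '(not JSON)'
            try {
                $msg = (Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json).Message1
            } catch { }   # keep going; one unreadable file should not stop the report
            [pscustomobject]@{ AgentGuid = $guid; Message1 = $msg; Written = $_.LastWriteTime }
        } |
        Group-Object AgentGuid, Message1 |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                AgentGuid  = $_.Group[0].AgentGuid
                StaleFiles = $_.Count
                Oldest     = ($_.Group | Sort-Object Written | Select-Object -First 1).Written
                Message1   = $_.Group[0].Message1
            }
        }
}

# Constructed sample queue (file name and JSON body copied from the post above).
$demo = Join-Path ([IO.Path]::GetTempPath()) 'MsgQueIn-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$body = '{"DateTime":"13:16:38 10 19 2017", "EventId":100001, "Message1":"kav_threatMonitor: Kaspersky Path not found in registry", "Message2":"", "Message3":"", "Message4":""}'
foreach ($n in 34538, 34539) {
    $f = Join-Path $demo "796510545837652-7f0c38221d348dc-out${n}.kalua"
    Set-Content -LiteralPath $f -Value $body
    # Backdate the file so it counts as stale for the demo.
    (Get-Item -LiteralPath $f).LastWriteTime = (Get-Date).AddHours(-2)
}
Get-KaluaBacklog -QueuePath $demo | Format-List
```

Each AgentGuid it reports can then be matched to an endpoint name through the KaseyaD.ini in that agent's UserProfiles folder, as described in the post above.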

  • This is the response that support gave me:

    This is not a known problem. The size of that folder depends on customer DB size, the number of agents and tasks scheduled.

  • Hmm.  I was told otherwise by the engineer who did the health checkup on our server.  I'll send you a message with the ticket information.

  • It would be nice to have a definitive answer, Kaseya?  Or should I just put in another ticket?

    Our @MsgQueIn currently has 604k...

  • Sounds like it's a case-by-case issue. From support:

    It really depends on the scenario. If there are messages stuck for a particular module or if it is any task-specific you can purge else no action needs to be taken as these messages will go off on its own once executed.

    We advise to not take any action until you see any sort of performance issue on your VSA. If you still want to clear message queue (at your own risk), you can purge the journal and private message queue.