
Can't Install an Antivirus - Windows Security Center still detects previous AV

Oftentimes after the removal of an Antivirus, Windows Security Center will still report that it's installed and prevent the installation of a new one. I've seen many threads where users have experienced this problem.

This can happen with either rogue or legitimate antivirus, anti-spyware or firewall products that support WMI integration (e.g., Kaspersky, AVG, SAV, Panda). After the program has been uninstalled, Windows Security Center still reports the non-existent AV/AS or firewall as enabled, which prevents the installation of an antivirus.

Even after using Symantec's CleanWipe to remove SAV, Security Center still detects it as installed.

When scanning with ComboFix, you will be alerted that the previous antivirus is STILL RUNNING in the background even though all its files and registry entries have been removed, as in the case of the rogue Enterprise Suite below:

[Screenshot: CF alert]
The entries in the DDS and ComboFix logs will still show 'enabled'.
AV: Enterprise Suite *On-access scanning enabled* (Updated) {1ED39ED7-08A3-4E29-8DAC-5D10956F61A3}
FW: Enterprise Suite *enabled* {FF6B533C-4F16-43D9-BBC2-927BCFFAC6CA}

Here is an example thread, where Enterprise Suite had been removed from the system and yet WSC is still detecting it:

*Cannot Install an Anti-Virus*
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Desktop_Anti-Virus/Q_24936303.html

So until the offending antivirus or Firewall entry is removed from the root\securitycenter WMI namespace, the user won't be able to install an antivirus.


TO RESOLVE THIS PROBLEM:

Click on Start menu > Run > type in:

wbemtest

Click OK

Connect to root\SecurityCenter

You would need to change the root\default to root\securitycenter
Click on Query tab
Type in SELECT * FROM AntivirusProduct
Click on Apply

In the Query result window, highlight the offending antivirus and click Delete.


Steps For Windows 7:
Run wbemtest
Click on Connect tab.
Instead of typing "root\SecurityCenter" for the namespace you need to type in

root\SecurityCenter2

Click Connect
Click on "Enum Instances"
In the "Enter superclass name" field, type in "AntivirusProduct" as the superclass name.
In the QueryResult window, delete the entry of your antivirus.


If it helps, below are the screenshots (Windows XP):
1. Click on Start > Run, type in: wbemtest and click OK. The WMI Tester window opens:
[Screenshot: Image1]
2. Connect to root\SecurityCenter. The root\default namespace will be showing, so you need to overtype it with root\SecurityCenter, then click the 'Connect' tab.
[Screenshot: Image2]
3. Then click on the Query tab.
[Screenshot: Image3]
4. In the Query window that opens, type in: SELECT * FROM AntivirusProduct
Click Apply.
[Screenshot: Image4]
5. Then highlight the offending antivirus and click Delete.
[Screenshot: Image5]
And that's it. Windows Security Center will no longer detect the previous AV and you can install a new one.

If there is more than one result and you're not sure which one to delete, just double-click each entry to check its properties, so that you only delete the ones that are no longer installed on the system.
If you want to remove a firewall entry instead, change the query to select from the firewall class: SELECT * FROM FirewallProduct.
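
The same check-then-delete procedure can be scripted. The following is an added example, not part of the original article: the function names Get-SecurityCenterEntry and Remove-SecurityCenterEntry are hypothetical, and it assumes the displayName and instanceGuid properties of the Security Center classes plus pathToSignedProductExe, which is present only in root\SecurityCenter2. It lists the entries in both namespaces so you can confirm which product is stale before deleting it by GUID.

```powershell
# Added example (not from the article). Deleting needs an elevated PowerShell prompt.
# Get-WmiObject is used so it also runs on PowerShell 2.0 (Windows 7 default).
function Get-SecurityCenterEntry {
    param(
        [ValidateSet('AntivirusProduct', 'FirewallProduct')]
        [string]$Class = 'AntivirusProduct'
    )
    # The article's two namespaces: XP first, then Windows 7.
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        # A namespace or class missing on this OS is skipped silently.
        Get-WmiObject -Namespace $ns -Class $Class -ErrorAction SilentlyContinue |
            ForEach-Object {
                # pathToSignedProductExe exists only in SecurityCenter2.
                $exe = $_.pathToSignedProductExe
                $exists = $null
                if ($exe) {
                    $full = [Environment]::ExpandEnvironmentVariables($exe)
                    $exists = Test-Path -LiteralPath $full
                }
                New-Object PSObject -Property @{
                    Namespace    = $ns
                    DisplayName  = $_.displayName
                    InstanceGuid = $_.instanceGuid
                    ExeExists    = $exists   # a hint only, not proof of removal
                    WmiObject    = $_
                }
            }
    }
}

function Remove-SecurityCenterEntry {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$InstanceGuid,
        [string]$Class = 'AntivirusProduct'
    )
    Get-SecurityCenterEntry -Class $Class |
        Where-Object { $_.InstanceGuid -eq $InstanceGuid } |
        ForEach-Object {
            $target = "$($_.DisplayName) in $($_.Namespace)"
            if ($PSCmdlet.ShouldProcess($target, 'Delete WMI instance')) {
                $_.WmiObject | Remove-WmiObject
            }
        }
}

# Review the listing first, then delete one entry by its GUID.
Get-SecurityCenterEntry | Format-Table Namespace, DisplayName, InstanceGuid, ExeExists -AutoSize
# Remove-SecurityCenterEntry -InstanceGuid '<instanceGuid from the listing>' -WhatIf
```

Run the removal with -WhatIf first; an entry whose ExeExists column is True most likely belongs to a product that is still installed and should be left alone.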

I hope you'll find this article helpful.
22 Comments
LVL 38

Expert Comment

by:younghv
rpggamergirl:
I really enjoyed reading through this Article. I see this problem a lot in my business and I get phone calls all of the time about it. Now I will be able to send customers a link (and maybe get them to join EE).

"Yes" vote up above.
0
LVL 23

Expert Comment

by:Suliman Abu Kharroub
How to do it in Windows 7? The query can't be applied.
0
LVL 58

Expert Comment

by:tigermatt
rpg,

Thanks for this article. I'm sure it will prove to be incredibly useful. Voted "Yes" above.

Thanks,

tigermatt
0

Administrative Comment

by:younghv
Sulimanw:
That is a great question. I have a couple of '7 boxes here that I might boot up and try to figure it out.
Why don't you post that question over in the "Windows 7" Zone and see if any of the Experts have the solution you need?

Be sure to post the URL of this question - so that they can read the details before they respond.

younghv
Page Editor
0
LVL 47

Author Comment

by:rpggamergirl
Sulimanw,

What do you mean by "the query can't be applied"?
Did you get an error or something when you queried?

I don't know if an Antivirus WMI provider writes to root\SecurityCenter WMI namespace in Windows 7, or how WMI finds its info on AV status that's being shown in the Action Center.

Sorry, I don't have that OS; you might like to ask in the Windows 7 zone as younghv had suggested.



@ younghv, tigermatt:

Thanks for your comments and the Yes votes, :)
0
LVL 23

Expert Comment

by:Suliman Abu Kharroub
Thank you for your reply.

I got an error that says "invalid class" when I applied the query.
0
 

Administrative Comment

by:younghv
Sulimanw:
As rpggamergirl already noted, she does not have Windows 7 loaded on any of her computers.
You really do need to post your question over in the Windows 7 Zone, and cross-post it with a couple of the anti-malware Zones.

We have some extremely sharp Experts posting in '7 and maybe one of them can help you.

"Articles" is not the place to seek computer specific help.

younghv
Page Editor
0
LVL 23

Expert Comment

by:Suliman Abu Kharroub
She asked:
"What do you mean by "the query can't be applied"?
Did you get an error or something when you queried?"
and I just want to answer her questions.
I know that I can post a question in the Windows 7 zone and I am sure I will get an answer here in EE.

Thank you.
0
LVL 18

Expert Comment

by:Ravi Agrawal
A great article, I am always learning something new from you. Cast my Yes vote.

Ravi.
0
LVL 1

Expert Comment

by:Adrian Bowden
This problem has bugged me in the past too - worked a treat today on XP with a lingering F-Secure/TalkTalk antivirus product.

Thanks again rpggamergirl

0
 

Administrative Comment

by:younghv
firstade:
If you haven't already, please click on the "Yes" next to "Was this article helpful?" (at the very bottom right corner of the actual Article).

The only reward the Authors get for the work they do is in the form of additional 'Points' for every yes vote.

Thank you.

younghv
Page Editor
0
LVL 1

Expert Comment

by:Adrian Bowden
Tried twice but doesn't seem to do anything - no page update progress, no confirmation - nada!
0
LVL 47

Author Comment

by:rpggamergirl
firstade,

It's because you've already voted in this article, each EE member can only vote once.
Thanks for the Yes vote, and you too grtraders.

Sulimanw,
I still haven't got an answer to the 'query' problem you're having, sorry.

younghv,
Thanks for monitoring.
0
LVL 18

Expert Comment

by:Ravi Agrawal
Hehe, it's grtraders; btw you can call me Ravi.

Ravi.
0
LVL 47

Author Comment

by:rpggamergirl
Sorry about that. :(

Thanks Ravi.
0
LVL 16

Expert Comment

by:warturtle
Nice article, rpg :-). Got my 'yes' vote for sure.
0
LVL 47

Author Comment

by:rpggamergirl
Thanks for the "Yes" vote warturtle, :-)
0
LVL 8

Expert Comment

by:David Spigelman
I'm also having the problem with the message Invalid Class on one machine. I can't query anything in wbemtest because of it. Any news would be greatly appreciated.
0

Expert Comment

by:Jsmply
An old article but still very good.  Had come across the issue with Combofix detecting an old anti-virus before.  Thanks RPG
0
LVL 47

Author Comment

by:rpggamergirl
I have now added instructions for Windows 7 systems.
0
LVL 38

Expert Comment

by:younghv
Excellent improvement - wish I could vote again.

We just had a couple of questions in the Spyware Zones about this and I will post a link to your Article.
Thanks!
0
LVL 47

Author Comment

by:rpggamergirl
Thanks!
I saw a question recently which I think this article relates to.
0
