Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.

Can't Install an Antivirus - Windows Security Center still detects previous AV

Oftentimes after the removal of an Antivirus, Windows Security Center will still report that it's installed and prevent the installation of a new one. I've seen many threads where users have experienced this problem.

This can happen with either rogue or legitimate Antivirus/Anti-spyware/Firewall products that support WMI integration e.g., Kaspersky, AVG,  SAV, Panda etc., that after the program has been uninstalled, Windows Security Center will still report that the non-existent AV/AS or Firewall is still enabled therefore preventing the installation of an antivirus.

Even after using Symantec's CleanWipe to remove SAV, Security Center still detect it as installed.

When scanning with ComboFix you will be alerted that the previous antivirus is STILL RUNNING in the background even though all its files and registry entries had been removed as the case of this rogue Enterprise Suite below:

 CF alert
The entries in the DDS and ComboFix logs will still show 'enabled'.
AV: Enterprise Suite *On-access scanning enabled* (Updated) {1ED39ED7-08A3-4E29-8DAC-5D10956F61A3}
FW: Enterprise Suite *enabled* {FF6B533C-4F16-43D9-BBC2-927BCFFAC6CA}

Here is an example thread, where Enterprise Suite had been removed from the system and yet WSC is still detecting it:

*Cannot Install an Anti-Virus*

So until the offending antivirus or Firewall entry is removed from the root\securitycenter WMI namespace, the user won't be able to install an antivirus.


Click on Start menu > Run > type in:


Click OK

Connect to root\SecurityCenter

You would need to change the root\default to root\securitycenter
Click on Query tab
Type in SELECT * FROM AntivirusProduct
Click on Apply

In the Query result window, highlight the offending antivirus and click Delete.

Steps For Windows 7:
Run wbemtest
Click on Connect tab.
Instead of typing "root\SecurityCenter" for the namespace you need to type in


Click Connect
Click on "Enum Instances"
In the "Enter superclass name" field, type in "AntivirusProduct" as the superclass name.
In the QueryResult window, delete the entry of your antivirus.

If it helps, below are the screenshots:(Windows XP)
1.      Click on Start > Run > type in: wbemtest click OK and the WMI Tester window opens:
2.   Connect to root\SecurityCenter.  The root\default will be showing so you need to overtype it with root\SecurityCenter, then click the 'Connect' tab.
3.   Then click on the Query tab.
4.  In the Query window that opens, type in: SELECT * FROM AntivirusProduct
Click Apply.
5.  Then highlight the offending antivirus and click Delete.
And that's it, Windows Security Center will no longer detect the previous AV and you can
install a new one.

If there is more than one result and you're not sure which one, just  doubleclick to check the properties to make sure you're only deleting the ones that are no longer installed in the system.
If you want to remove a Firewall entry then replace your query to select Firewall - SELECT * FROM FirewallProduct.

I hope you'll find this article helpful.

Comments (19)

David SpigelmanPresident / CEO

I'm also having the problem with the message Invalid Class on one machine. I can't query anything in wbemtest because of it. Any news would be greatly appreciated.

An old article but still very good.  Had come across the issue with Combofix detecting an old anti-virus before.  Thanks RPG
Top Expert 2007


I have now added instructions for Windows 7 systems.
Author of the Year 2011
Top Expert 2006

Excellent improvement - wish I could vote again.

We just had a couple of questions in the Spyware Zones about this and I will post a link to your Article.
Top Expert 2007


I saw a question recently which I think this article relates to.

View More

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.