Mark M Manning

A site for information involving myself and my career.

Kaspersky Uninstallation Tool

Saturday, May 23, 2009

I've become a big fan of Kaspersky and their security products but I've only been using them for a year or so. I ran into an issue with a client the other day that had been using a Windows Server 2003 member server for some basic needs and wanted to upgrade to 2008. It was successfully upgraded and I re-installed Kaspersky Total Security which is their business security product. Not a good idea.

Kaspersky 2008 Support

As of writing this, Kaspersky's only product that supports Windows Server 2008 is Kaspersky Antivirus Enterprise Edition. I've read about some people that are using another Kaspersky product on Server '08 with some success or with "quirky" networking issues. For me it was more severe: I had a Blue Screen of Death on every boot.

This was a bigger problem than expected because if I went into Safe Mode I wasn't able to uninstall it because the Windows Installer service doesn't run in Safe Mode. I tried to disable the Kaspersky service as well as stop the Kaspersky program from starting in msconfig. Neither helped and the server kept rebooting itself.

Official Kaspersky Uninstall Tool

Luckily, as with most other antivirus vendors, there is a tool to remove their application. Here is a link to that tool. It supports all the version 6 software and works like a charm.

External Links

http://www.kaspersky.com/support/kav6/install?qid=193239348 Kaspersky Uninstall Tool


Overriding Symantec Endpoint Protection's Uninstall Password

Wednesday, November 12, 2008

Standard story, I had a user today with Symantec Endpoint Protection and it was causing her CPU to redline. SEP said everything was fine so I thought I'd just save some time and uninstall and re-install like a good Sys-admin would do. Most people know that with Symantec's more corporate products they require that you put in a password in order to uninstall the application. This is a simple protection from an attacker manually removing the antivirus. I didn't realize until today just how simple that was.

I did some looking for the password and asked a few people and I tried to look up what the default password was because knowing this client, that's what it would be. No luck. Then I discovered something, I was watching the processes in the task manager and saw that when I went to uninstall SEP, msiexec ran as I expected but right as the password prompt came up, another instance of msiexec appeared. What are the odds that I just end that process and I'm allowed to get through? Very good.

So then I looked online about this and of course I'm not the first person to find this out. If you can end the process msiexec.exe that is being run as the current user (not system), then the password prompt will disappear and uninstallation will continue. There is a protection built into SEP and other Symantec products that blocks access to the task manager while the password prompt is showing. That's why my favorite Windows tool Process Explorer comes in handy. So here are the steps:

  1. Download Process Explorer from Microsoft or Sysinternals
  2. Uninstall the Symantec product of your choice
  3. Wait for the password prompt to appear
  4. Run Process Explorer and find msiexec.exe that is being run as the current user (not the system)
  5. End that process and continue with the uninstallation

I know this really isn't a revelation to most people but I had never done it before and it goes right along with some of my anti-anti-virus research I'm doing.
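A defender-side view of the same sequence, as an added example that is not part of the original post: it correlates process and installer events to flag a Symantec Endpoint Protection removal that was preceded by a user-context msiexec.exe exiting. The event records, field names, tool watch list and 10-minute window are constructed assumptions, not a real log schema.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)             # assumed correlation window
PRODUCT = "symantec endpoint protection"   # product name matched in removal events
TOOLS = {"procexp.exe", "procexp64.exe"}   # assumed watch list of process tools

def E(t, host, kind, **kw):
    """Build one constructed event (simplified, hypothetical field names)."""
    return dict(t=datetime.fromisoformat(t), host=host, kind=kind, **kw)

# Constructed sample: WS01 follows the sequence described in the post,
# WS02 is a removal driven only by SYSTEM (e.g. pushed by a management tool).
EVENTS = [
    E("2008-11-12T10:00:05", "WS01", "start", image="msiexec.exe", user="SYSTEM"),
    E("2008-11-12T10:00:09", "WS01", "start", image="msiexec.exe", user="CORP\\alice"),
    E("2008-11-12T10:01:30", "WS01", "start", image="procexp.exe", user="CORP\\alice"),
    E("2008-11-12T10:01:52", "WS01", "exit", image="msiexec.exe", user="CORP\\alice"),
    E("2008-11-12T10:03:10", "WS01", "removed", product="Symantec Endpoint Protection"),
    E("2008-11-12T11:00:00", "WS02", "start", image="msiexec.exe", user="SYSTEM"),
    E("2008-11-12T11:02:00", "WS02", "removed", product="Symantec Endpoint Protection"),
]

def find_suspicious_removals(events):
    """Return (host, time, reasons) for every AV removal event; reasons list the
    context suggesting the uninstall password prompt was never answered."""
    alerts = []
    for ev in events:
        if ev["kind"] != "removed" or PRODUCT not in ev["product"].lower():
            continue
        recent = [e for e in events if e["host"] == ev["host"]
                  and timedelta(0) <= ev["t"] - e["t"] <= WINDOW]
        exits = [e for e in recent if e["kind"] == "exit"
                 and e["image"].lower() == "msiexec.exe" and e["user"].upper() != "SYSTEM"]
        reasons = []
        if exits:
            reasons.append("user-context msiexec.exe exited before removal")
        if any(e["kind"] == "start" and e["image"].lower() in TOOLS
               and e["t"] <= x["t"] for e in recent for x in exits):
            reasons.append("process tool launched before that exit")
        alerts.append((ev["host"], ev["t"].isoformat(), reasons))
    return alerts

if __name__ == "__main__":
    for host, when, reasons in find_suspicious_removals(EVENTS):
        print(host, when, "HIGH" if len(reasons) == 2 else "review", reasons)
```

Every removal of the endpoint product is reported; the reasons only raise its priority, since a renamed tool would not match the watch list.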

External Links

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx - Process Explorer download
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=4852 – link to a forum that has other suggestions for resetting the password like “calling support”
