Unable to install Antimalware because a competitor product is installed. Remove competitor product and the install will proceed.

I'm getting this error in ZCC on one computer, a notebook that lives elsewhere to which I don't have regular access.

The user insists she has nothing else installed, and when I was able to take a brief look at it I couldn't see anything installed either.  The in-built Windows Defender stuff is working fine, so I've let it go for a bit... but I'd like to get this resolved.

Is there any log I can look at that will tell me exactly what it thinks is installed or what files it's tripping on?

  • Much of the ZCM Updates need to flow through a ZCM configuration content so make sure she has some type of access to a ZCM Configuration and Content Server.  The error may just be about a failure to install but the root cause is erroneous.  I cannot suggest any particular logs, because I've never actually seen this before.  However, the fact you said it was a remote device may indicate its lack of access to a content server so it does not have proper access to the actual install files.

    ....

    The other thing is you may want to try manually disabling the Windows Defender.  If you cannot, that may be the root cause as ZCM Anti-malware will try and disable it as part of installing itself.  There could be a Windows Setting blocking its disablement.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • And if you cannot manually disable it, check to see if "Tamper Protection" is enabled, which would prevent the changing of Windows Defender Settings....

    learn.microsoft.com/.../manage-tamper-protection-individual-device


  • The laptop is able to reach the ZENworks server via the internet, but she's been in the office with a local IP address a few times and it still reports the same error.  It looks like I'll have to lay hands on it a little more seriously then...

    The office calendar suggests she _may_ be here part of the day Friday, so I'll take another look at her computer then if I can.  Otherwise I'll set up some remote time; the ZENworks remote control works over the VPN.

  • Had the issue today at the customer with ZCM Antimalware. Unfortunately, some AV manufacturers dig deep into Windows systems, so the registry and drivers really have to be cleared out of the system. If a product has tamper protection, this can usually only be resolved with the help of a secure Windows start or by booting via a rescue system and removing drivers.

    ZCM usually stumbles over remaining entries in the WMI. With the help of e.g. wbemtest, entries from AV installations can be deleted or changed. The following is necessary after cleaning up an installation in the WMI:

    Step 1: Command line with administrative access

    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct get * /value


    Result as an example

    Microsoft Windows [Version 10.0.19045.4291]
    (c) Microsoft Corporation. Alle Rechte vorbehalten.

    C:\WINDOWS\system32> WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct get * /value

    displayName=Windows Defender
    instanceGuid={D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    pathToSignedProductExe=windowsdefender://
    pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
    productState=393472
    timestamp=Fri, 12 Apr 2024 14:20:12 GMT


    displayName=ZENworks Endpoint Security-Anti-Malware
    instanceGuid={E0021901-B44C-9858-C689-8B9D5A719DEC}
    pathToSignedProductExe=C:\Program Files\Micro Focus\ZENworks\WscRemediation.exe
    pathToSignedReportingExe=C:\Program Files\Micro Focus\ZENworks\EPHost.Integrity.exe
    productState=266240
    timestamp=Fri, 12 Apr 2024 14:19:08 GMT

    The instance ID is important for further processing. Example here: displayName=ZENworks Endpoint Security-Anti-Malware instanceGuid={E0021901-B44C-9858-C689-8B9D5A719DEC}

    The instance ID of the AV products must be removed afterwards with administrative access. If it is clear what is to be deleted, this can also be done later using a PowerShell script or policy.


    Step 2: Executing the WBEMTEST utility

    Info about the tool here learn.microsoft.com/.../introduction-to-wbemtest

    Call up WBEMTEST with administrative access.


    Now the following steps

    Click the "Connect..." button

    Enter:
    "root\securitycenter2"

    Click the "Connect" button

    Click the "Query..." button

    Enter:

    SELECT * from Antivirusproduct



    Select the antivirus to delete -> At this point, select the corresponding instance ID that was determined in step one above. The Defender must always remain on the system if available.
     
    Click the "Delete" button to delete the desired AV solution


    I have this issue again and again, even when it comes to another AV / malware / MRT solution. Hence my little hint.

    George

  • Suggested Answer

    https://portal.microfocus.com/s/article/KM000024835?language=en_US is a KB with PowerShell included so you can fix all of your devices at once without any interaction.  Most likely any "Stuck" AV product will be common across most devices. 

    However, you also have to make sure the product is really uninstalled before wiping out these entries.

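Added example, not from the thread or the linked KB: a read-only PowerShell report that lists the AntiVirusProduct registrations queried in Step 1 and checks whether each entry's registered executables still exist on disk, which is the "really uninstalled" check to make before deleting an entry. The function names and verdict wording are assumptions made for this example.

```powershell
# Added example: report only, nothing is deleted or changed.
function Resolve-AvPath {
    param([string]$Path)
    # Values such as "windowsdefender://" are URIs, not files on disk.
    if ([string]::IsNullOrWhiteSpace($Path) -or $Path -match '^[a-z]+://') { return $null }
    # Expand %ProgramFiles% etc. and strip surrounding quotes.
    [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
}

function Get-AvRegistrationReport {
    param(
        # Defaults to the live namespace from Step 1; pass objects to test offline.
        [object[]]$Product = (Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct)
    )
    foreach ($p in $Product) {
        # Collect the registered executables that are real file paths.
        $paths = @($p.pathToSignedProductExe, $p.pathToSignedReportingExe) |
            ForEach-Object { Resolve-AvPath $_ } | Where-Object { $_ }
        $found = @($paths | Where-Object { Test-Path -LiteralPath $_ })

        # Defender must stay registered, so it is never a removal candidate.
        $isDefender = $p.displayName -match 'Defender' -or
                      $p.pathToSignedProductExe -like 'windowsdefender:*'

        if ($isDefender) {
            $verdict = 'keep (Defender)'
        } elseif ($found.Count -eq 0) {
            $verdict = 'stale: registered files not found'
        } else {
            $verdict = 'installed: uninstall the product first'
        }

        [pscustomobject]@{
            DisplayName  = $p.displayName
            InstanceGuid = $p.instanceGuid
            ProductState = '0x{0:X6}' -f [int]$p.productState
            FilesFound   = $found.Count
            Verdict      = $verdict
        }
    }
}

# Live query on the affected machine:
Get-AvRegistrationReport | Format-Table -AutoSize
```

Only an entry reported as stale is a candidate for the WBEMTEST deletion in Step 2; an entry whose files are still present points at a product that has not been fully uninstalled.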