Worklet: Uninstall Malwarebytes from Windows

  • 10 November 2020

This worklet downloads the latest version of the Malwarebytes Support Tool and runs it on the system to uninstall Malwarebytes. If you want to save the tool to a directory other than C:\Temp, modify $uninstallFile on line 1 of the remediation code.


From Malwarebytes: The Malwarebytes Support Tool command line version is used to clean up and remove Malwarebytes products. The Support Tool removes Malwarebytes Endpoint Security and Malwarebytes Endpoint Protection, including their files, settings, and license information.


Note: The Malwarebytes Support Tool cannot uninstall Malwarebytes software if the Tamper Protection feature is enabled in your environment. Disable Tamper Protection before running this tool.


Evaluation:


<#
.SYNOPSIS
Check for presence of specified application on the target device

.DESCRIPTION
Read 32-bit and 64-bit registry to find matching applications

Exits with 0 for compliance, 1 for Non-Compliance.
Non-Compliant devices will run Remediation Code at the Policy's next scheduled date.

.NOTES
A scriptblock is used to work around the limitations of 32-bit powershell.exe.
This allows us to redirect the operations to a 64-bit powershell.exe and read
the 64-bit registry without .NET workarounds.

.LINK
http://www.automox.com
#>

# The ScriptBlock method used here is to allow a 32-bit agent process
# to access the 64-bit registry on 64-bit Windows. This is necessary if the application
# isn't known to be 32-bit only.


$scriptblock = {
    # Define the registry locations of the 64-bit and 32-bit Uninstall keys
    $uninstReg = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall','HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')

    # Define the app name to look for.
    # Unless you're sure how the name/version is formatted, check a machine that has the application installed.
    # The value matched is DisplayName, which is what you see in Add/Remove Programs. It doesn't have to be exact.
    # Default behavior uses -match, which is essentially "DisplayName contains Malwarebytes"
    ##################
    $appName = 'Malwarebytes'
    ##################

    # Get all entries that match our criteria: DisplayName matches $appName
    $installed = @(Get-ChildItem $uninstReg -ErrorAction SilentlyContinue | Get-ItemProperty | Where-Object { ($_.DisplayName -match $appName) })

    # If any matches were present, $installed will be populated. If none, $installed is an empty array and this IF statement will be false.
    # The return value here is what the ScriptBlock will send back to us after we run it.
    # 1 for Non-Compliant, 0 for Compliant
    if ($installed) {
        return 1
    } else {
        return 0
    }
}

$exitCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
Exit $exitCode

Remediation:


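$uninstallFile = 'C:\Temp\mbstcmd.exe'
$switches = '/y /cleanup /noreboot'
$DLLink = 'https://downloads.malwarebytes.com/file/mbstcmd'

# Folders that may be left behind after the uninstall
$MBPaths = @(
    'C:\Program Files\Malwarebytes',
    'C:\Program Files\Malwarebytes Endpoint Agent',
    'C:\ProgramData\Malwarebytes',
    'C:\ProgramData\Malwarebytes Endpoint Agent'
)

# DownloadFile does not create the target directory, so make sure it exists
$uninstallDir = Split-Path -Parent $uninstallFile
If (-not (Test-Path $uninstallDir)) {
    New-Item -ItemType Directory -Path $uninstallDir -Force | Out-Null
}

# Older Windows PowerShell/.NET combinations may not offer TLS 1.2 unless it is enabled explicitly
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

Try {
    (New-Object System.Net.WebClient).DownloadFile($DLLink, $uninstallFile)
}
Catch {
    Write-Output "Failed to download Malwarebytes uninstall tool: $($_.Exception.Message)"
    # Exit non-zero so the failed run is not reported as a success
    Exit 1
}

# Launch the tool directly and wait for it to finish. Start-Process avoids
# Invoke-Expression, which re-parses the path and switches as PowerShell code.
$proc = Start-Process -FilePath $uninstallFile -ArgumentList $switches -Wait -PassThru
Write-Output "Malwarebytes Support Tool exited with code $($proc.ExitCode)"
Start-Sleep -Seconds 30

# Post-uninstall clean-up
ForEach ($path in $MBPaths) {
    If (Test-Path $path) {
        Remove-Item -Recurse -Force $path
    }
}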
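
The remediation code runs a freshly downloaded executable with the agent's privileges, so a signature check between the download and the launch is a useful gate. The following is an added example, not part of the original worklet: the function name Test-SupportToolSignature is hypothetical, and the expected signer substring 'Malwarebytes' is an assumption to confirm against a known-good copy of mbstcmd.exe.

```powershell
# Added example: verify the Authenticode signature of the downloaded tool
# before running it. Test-SupportToolSignature is a hypothetical helper name.
function Test-SupportToolSignature {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Assumption: substring expected in the signer certificate subject
        [string]$ExpectedSigner = 'Malwarebytes'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Valid means the file hash matches the signature and the certificate
    # chains to a root trusted by this machine. NotSigned, HashMismatch,
    # NotTrusted and the other states are all rejected.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # A valid signature from an unrelated publisher is still the wrong file.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSigner*") {
        Write-Warning "Unexpected signer: $subject"
        return $false
    }

    return $true
}

# Same path as the worklet's $uninstallFile
$uninstallFile = 'C:\Temp\mbstcmd.exe'

if (-not (Test-SupportToolSignature -Path $uninstallFile)) {
    # Do not leave an unverified executable behind in a shared directory
    Remove-Item -LiteralPath $uninstallFile -Force -ErrorAction SilentlyContinue
    Write-Output 'Refusing to run mbstcmd.exe: signature check failed'
    Exit 1
}
```

Place the check after the download step and before the tool is launched. Matching on a subject substring tolerates certificate renewals; pinning the certificate thumbprint is stricter but has to be updated whenever the vendor rotates its signing certificate.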
