To my utter horror, I discovered yesterday that I would have to do the following things where I work.
1) Install McAfee Endpoint Protection on all future managed devices
2) The existing wild devices would already have AV on them
I’m not a fan of McAfee products on the Mac for a variety of reasons, but these are outside the scope of this article. However the thought of effectively installing two AV products on a single machine fills me with utter dread, namely because every time i’ve seen it done it causes all sorts of issues. On Windows, i’ve even seen competing AV products fight each other! This usually manifests in system slowness and may other odd behaviours.
It’s not a good idea ever m’kay? (You listening to me banks? This is why I don’t want your Trusteer Rapport software anywhere near my machine! You’ve broke it once, never again!)
So i’ve been spending time snapshotting various free Mac AV products to find out where they’re installing files and the best way to remove them. I’ve come to the conclusion that (like many things), the best way is some form of removal script run as root over the loginwindow. I normally perform operations at this point as it’s relatively safe.
Why not use the provided uninstall apps/scripts ? Example. Sophos’ uninstall is an .app bundle and trying to run that in the background is a sisiphean task at best. McAfee’s uninstall requires the ePO admin password and a very custom expect script to parse the output. Symantec’s uninstall script has similar issues but doesn’t require a password, but it is over 4000 lines of bash script and it’s very difficult to actually figure out what it’s doing!
Short version, none of the provided uninstallers are Mac Admin friendly. (Saying that, not many of the installers are admin friendly either but that’s been covered by others in the community. Sophos, looking at you …)
I wrote a bunch of very rough, non error checking scripts to remove all the files for a variety of AV products. I also wrote a series of companion Casper extension attributes to detect if the product is installed or not. These can be used independantly of the removal scripts, as they report installed version number or if it’s missing.
So if you smart group the EA, set it to detect if the AV product is present or not plus a policy to run the script at a time of your choosing you can remove these things.
These scripts are highly untested, but comments and feedback are always welcome through the GitHub feedback tools. Find everything here at https://github.com/franton/Remove-AV