Problem

The problem is that when you try to uninstall ESET 6.5 from a Windows Server image running under AWS, the uninstall is blocked by the HIDS (intrusion detection), which prevents the installer from removing ESET for security reasons. You end up in an endless loop. ESET provides a standalone removal tool, but it requires that you run Windows Server in 'safe mode', which is not possible with AWS EC2.

The solution we found that works is to detach the root volume, attach it to another running EC2 instance and then delete the three files that are part of ESET HIDS. Then you can safely uninstall ESET 6.x using the Control Panel and install a clean version of ESET 7.x.

Solution

Preconditions

  • You have a running EC2 instance with ESET 6.5

Steps

  1. Inside AWS Console
    1. Create an image from the current instance (or use a new server instance)
    2. Launch that other instance.
    3. Stop the first instance
    4. Go to EC2 > Volumes
    5. Detach the C: drive volume on the first instance
    6. Attach this volume to the second instance using a different EBS block device name, e.g. xvdf
  2. RDP into the second instance
  3. Launch Administrative Tools > Computer Management > Disk Management
    1. Locate the new drive (listed as offline)
    2. In the lower pane, right-click the left panel of the disk that corresponds to the EBS volume and choose Online.
    3. It will now become the new E: drive
  4. Delete the three .sys files listed under 'ESET Files that Need to be Deleted' below, on the attached E: drive
  5. Copy the bootsect.exe utility from a Windows 10 instance to this new EC2 server instance (the batch script below expects it at C:\)
  6. Run the ‘Make Attached Drive Bootable Batch Script’
  7. Take the mounted E: drive offline again
  8. Disconnect from RDP (optional)
  9. Stop the second instance (optional)
  10. Detach the E: volume from the second EC2 instance and reattach to the first instance as root volume device (C:) – usually named /dev/sda1
  11. Start the first EC2 instance
  12. RDP into the first instance
  13. You should now be able to uninstall ESET from the Control Panel
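
The console steps 1.3 to 1.6 and 10 to 11 can also be scripted with the AWS CLI. The following is an added example, not part of the original write-up; the instance and volume IDs are constructed placeholders, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: volume swap from steps 1.3-1.6 and 10-11 using the AWS CLI.
# All IDs are constructed placeholders; override them via the environment.
set -eu

FIRST_INSTANCE="${FIRST_INSTANCE:-i-0123456789abcdef0}"    # instance with ESET 6.5
SECOND_INSTANCE="${SECOND_INSTANCE:-i-0fedcba9876543210}"  # second (helper) instance
ROOT_VOLUME="${ROOT_VOLUME:-vol-0123456789abcdef0}"        # C: volume of the first instance
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Detach a volume, wait until it is free, then attach it to an instance.
# usage: move_volume <volume-id> <instance-id> <device-name>
move_volume() {
  run aws ec2 detach-volume --volume-id "$1"
  run aws ec2 wait volume-available --volume-ids "$1"
  run aws ec2 attach-volume --volume-id "$1" --instance-id "$2" --device "$3"
  run aws ec2 wait volume-in-use --volume-ids "$1"
}

# Steps 1.3-1.6: stop the first instance, hand its root volume to the second.
to_second_instance() {
  run aws ec2 stop-instances --instance-ids "$FIRST_INSTANCE"
  run aws ec2 wait instance-stopped --instance-ids "$FIRST_INSTANCE"
  move_volume "$ROOT_VOLUME" "$SECOND_INSTANCE" xvdf
}

# Steps 10-11: run only after the E: drive was taken offline (step 7).
back_to_first_instance() {
  move_volume "$ROOT_VOLUME" "$FIRST_INSTANCE" /dev/sda1
  run aws ec2 start-instances --instance-ids "$FIRST_INSTANCE"
  run aws ec2 wait instance-running --instance-ids "$FIRST_INSTANCE"
}

# usage: script.sh out   (before step 2)   |   script.sh back   (after step 9)
case "${1:-}" in
  out)  to_second_instance ;;
  back) back_to_first_instance ;;
esac
```

Review the printed commands first, then rerun with DRY_RUN=0 and your own IDs.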

ESET Files that Need to be Deleted

\SystemRoot\system32\DRIVERS\ehdrv.sys
\SystemRoot\system32\DRIVERS\eamonm.sys
\SystemRoot\system32\DRIVERS\epfwwfpr.sys

Make Attached Drive Bootable Batch Script

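REM Run on the second instance; E: is the attached root volume of the first instance
REM Write BOOTMGR-compatible boot code to E: and update the disk's master boot record
C:\bootsect /nt60 E: /mbr
REM Recreate the boot files on E: from the Windows installation in E:\Windows
C:\windows\system32\bcdboot.exe E:\Windows /s E:
REM Point the default boot entry and the boot manager in the E: BCD store at this partition
bcdedit /store E:\Boot\BCD /set {default} device partition=E:
bcdedit /store E:\Boot\BCD /set {default} osdevice partition=E:
bcdedit /store E:\Boot\BCD /set {bootmgr} device partition=E: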