Script to uninstall Comodo cWatch EDR Agent and prompt pop up window to restart the system
Ratings
Release Time
08/13/2024
Downloads
369 times
Update Time
06/23/2025
Views
539 times
Share-it:
Categories
Action
Published on:
10 months ago
RUN AS LOCALSYSTEM USER
this script has been scanned with virustotal.com and xcitium verdict cloud.
PYTHON SCRIPT FILE SHA1 VALUE - 0a0e9d98a01037959062bed8762439ff857d8dc5
JSON FILE SHA1 VALUE - ab68f2cd12b59629368385c91bae7a93cfc92928
Procedure's Instructions
113
1
title_name_for_popup = u"Restart Reminder" #edit here2
3
message_for_popup = u"""4
Successfully uninstalled Comodo cWatch EDR Agent5
This system is going to restart in 5 minutes6
if you would like to cancel restart, press cancel. otherwise press ok7
""" #edit here8
9
10
import os11
import ctypes12
import re13
import shutil14
from ctypes import wintypes15
16
class disable_file_system_redirection:17
_disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection18
_revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection19
def __enter__(self):20
self.old_value = ctypes.c_long()21
self.success = self._disable(ctypes.byref(self.old_value))22
def __exit__(self, type, value, traceback):23
if self.success:24
self._revert(self.old_value)25
26
kernel32 = ctypes.windll.kernel3227
wtsapi32 = ctypes.windll.wtsapi32 28
29
WTS_CURRENT_SERVER_HANDLE = None30
WTS_CURRENT_SESSION = kernel32.WTSGetActiveConsoleSessionId()31
WTS_WELCOME_TITLE = title_name_for_popup32
WTS_WELCOME_MESSAGE = message_for_popup33
TIMEOUT = 0 34
BUTTON_TYPE = 1 35
Icon = 0 36
37
38
wtsapi32.WTSSendMessageW.argtypes = [39
wintypes.HANDLE, 40
wintypes.DWORD, 41
wintypes.LPCWSTR, 42
wintypes.DWORD, 43
wintypes.LPCWSTR, 44
wintypes.DWORD, 45
wintypes.DWORD, 46
wintypes.DWORD, 47
ctypes.POINTER(wintypes.DWORD), 48
wintypes.BOOL 49
]50
51
52
title = WTS_WELCOME_TITLE53
message = WTS_WELCOME_MESSAGE54
title_length = len(title) * 255
message_length = len(message) * 256
response = wintypes.DWORD()57
58
if 'PROGRAMW6432' in os.environ.keys():59
path=r"C:\Program Files (x86)\COMODO\cWatchEDRAgent"60
delete=r'reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\COMODO\EDREndpoint'61
else:62
path=r"C:\Program Files\COMODO\cWatchEDRAgent"63
delete=r'reg delete HKEY_LOCAL_MACHINE\SOFTWARE\COMODO\EDREndpoint'64
65
path1=r"C:\ProgramData\COMODO\cWatchEDRAgent"66
67
k=[]68
with disable_file_system_redirection():69
guid=os.popen(r"wmic product get name,identifyingnumber").read()70
k.append(re.findall("{.*",guid))71
j=[]72
for i in k[0]:73
j.append(i)74
EDR=re.findall("EDR Agent v2",guid)75
if EDR:76
with disable_file_system_redirection():77
uninst=os.popen(r"wmic product where name='EDR Agent v2' call uninstall").read()78
if uninst:79
print(uninst)80
print("EDR Agent v2 Uninstalled successfully")81
CMD=delete +' /va /f'82
print(CMD)83
out=os.popen(CMD).read()84
print(out)85
result = wtsapi32.WTSSendMessageW(86
WTS_CURRENT_SERVER_HANDLE,87
WTS_CURRENT_SESSION,88
title,89
title_length,90
message,91
message_length,92
BUTTON_TYPE,93
TIMEOUT,94
ctypes.byref(response),95
True96
)97
if result:98
if response.value == 1:99
print("User clicked on ok button to restart the system in 5 minutes")100
os.popen("shutdown -r -t 300")101
elif response.value == 2:102
print("user clicked on cancel button to cancel system restart")103
else:104
print("Unknown response: %s"%(response.value))105
else:106
print("Failed to send message.")107
else:108
print("EDR Agent v2 not Uninstalled successfully")109
else:110
print('CEDR Agent v2 not installed at Endpoint')111
112
113
Leave a Comment
CONTACT US
Call now! 
(972) 649-9012
(972) 649-9012
---
Comments