Trend uninstall tool hangs when run under Ansible

Gregory Machin

Feb 21, 2023, 2:59:16 AM
to AWX Project
Hi, 

I'm trying to use AWX to deploy a playbook to Windows servers that will remove Trend Micro AV, clean up, and then on-board the server to Microsoft Defender.

The issue I'm having is that the SCUT.exe tool, when run from the playbook, runs and then stops "running", but looking at memory and using Process Monitor, it is still doing something. When run manually it runs as expected.

Trend Micro support say it's an issue with Ansible as it works fine when run manually and won't help any further. The only thing I can think of is that it needs something that exists in the user logged in session that is not there in the session created by Ansible at run time. 

Has anyone seen and resolved an issue like this?

The playbook:
---
- name: RemoveTrend
  hosts: all
  gather_facts: true
  tasks:
    - name: reboot host(s)
      ansible.windows.win_reboot:
        msg: "reboot by AWX (Ansible)"
        pre_reboot_delay: 30
        post_reboot_delay: 60

    - name: Copy files to C:\temp
      ansible.windows.win_copy:
        src: tools
        dest: C:\temp

    - name: Unload Apex Agent and Run Removal tool
      ansible.windows.win_command:
        cmd: C:\temp\tools\SCUT.bat

    - name: Run BaseCamp Removal tool
      ansible.windows.win_shell: |
       if (Test-Path 'C:\Program Files (x86)\Trend Micro\Endpoint Basecamp\EndpointBasecamp.exe' ) {
         write-output "Found EndpointBasecamp.exe, uninstalling Endpoint Basecamp"
         cd c:\temp\tools
         & ".\XBCUninstaller.exe" "XBCUninstallToken.txt"
         if ($LASTEXITCODE -eq 0) {
           Remove-Item -Recurse -Force 'C:\Program Files (x86)\Trend Micro\Endpoint Basecamp\EndpointBasecamp.exe'
         }else{
           Write-output 'failed to remove Endpoint Basecamp'
         }
       }else{
          write-output "EndpointBasecamp.exe not found, no action being taken"
       }

    - name: reboot host(s)
      ansible.windows.win_reboot:
        msg: "reboot by AWX (Ansible)"
        pre_reboot_delay: 30
        post_reboot_delay: 60

    - name: Post Uninstall cleanup
      ansible.windows.win_shell: |
       if (!(Test-Path 'C:\Program Files (x86)\Trend Micro\OfficeScan Client\NTRmv.exe' )){
          if (Test-Path 'C:\Program Files (x86)\Trend Micro\OfficeScan Client' ){
             Remove-Item -Recurse -Force 'C:\Program Files (x86)\Trend Micro\OfficeScan Client'
          }
       }

       if (!(Test-Path 'C:\Program Files (x86)\Trend Micro\Endpoint Basecamp\EndpointBasecamp.exe' )){
          if (Test-Path 'C:\Program Files (x86)\Trend Micro\Endpoint Basecamp' ){
             Remove-Item -Recurse -Force 'C:\Program Files (x86)\Trend Micro\Endpoint Basecamp'
          }
       }

    - name: Defender On-Boarding
      win_command: C:\temp\tools\DefenderATPOnboardingScript-1803-2019-2022.cmd

The batch file that runs the SCUT.exe tool, C:\temp\tools\SCUT.bat:
c:\temp\tools\A1\SCUT.exe -noinstall

AWX settings: Privilege Escalation is selected, and I can see it is run as elevated using Task Manager.

I have posted on Spiceworks with screenshots: "Using Ansible to remove Trend Apex One, uninstall process gets stuck - Windows Server - Spiceworks". I keep getting an error submitting this with the screenshots.

The SCUT.exe process seems to loop continually but there is no change to the log file.

The log file stops progressing at "Kill NTRTSCAN process OK." and yet SCUT.exe is still running as per the above screenshot:

[cmnunins_CommonUninstall.cpp(742) 02/21 00:00:35 12ac-13c4] isWFBSS==> 0
[cmnunins_CommonUninstall.cpp(148) 02/21 00:00:35 12ac-13c4] Make parameter internal >>
[cmnunins_CommonUninstall.cpp(227) 02/21 00:00:35 12ac-13c4] Uninstall==> path I, requirement = []
[cmnunins_CommonUninstall.cpp(231) 02/21 00:00:35 12ac-13c4] Uninstall==> path I ignored
[cmnunins_CommonUninstall.cpp(352) 02/21 00:00:35 12ac-13c4] parameter 1: 1675123200, parameter 2: 1682985600
[cmnunins_CommonUninstall.cpp(367) 02/21 00:00:35 12ac-13c4] parameter: 1676937635
[cmnunins_CommonUninstall.cpp(371) 02/21 00:00:35 12ac-13c4] Easy to go
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product1[TrendOfficeScan95Client_V3.1x] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product2[TrendOfficeScan95Client_V3.5] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product3[TrendOfficeScanNTClient_V3.1x] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product4[TrendOfficeScanNTClient_V3.5] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product5[PccillinCorpNTClient] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product6[PccillinCorp95Client] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product7[TrendOfficeScanNTClient_V6.5] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product8[TrendOfficeScanNTClient_V7.0] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product9[TrendOfficeScanNTClient_V8.0] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product10[TrendOfficeScanNTClient_V8.0SP1] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product11[TrendOfficeScanNTClient_V10.0] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product12[TrendOfficeScanNTClient_V10.5] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product13[TrendOfficeScanNTClient_V10.6] Uninstall == 0
[cmnunins_CommonUninstall.cpp(415) 02/21 00:00:35 12ac-13c4] Uninstall==>Product14[TrendOfficeScanNTClient_V11.0] Uninstall == 0
[cmnunins_Uninstall.cpp(686) 02/21 00:00:35 12ac-13c4] In--CUninstall::DoUninstall(c:\temp\7597ed8d2925998a62a3281e938eaf02\CmnUnins.ini, Product15)
[cmnunins_Uninstall.cpp(695) 02/21 00:00:35 12ac-13c4] CUninstall::DoUninstall==>Product Name = TrendOfficeScanNTClient_V12.0
[cmnunins_Uninstall.cpp(761) 02/21 00:00:35 12ac-13c4] In--CUninstall::CheckProgramExist()
[cmnunins_Uninstall.cpp(787) 02/21 00:00:35 12ac-13c4] CUninstall::CheckProgramExist==>szProgramFileRegPath(Software\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion), szProgramFileRegValue(Application Path)
[cmnunins_Uninstall.cpp(813) 02/21 00:00:35 12ac-13c4] Out--CUninstall::CheckProgramExist()
[cmnunins_Uninstall.cpp(384) 02/21 00:00:35 12ac-13c4] In--CUninstall::UnloadProgram
[cmnunins_Uninstall.cpp(421) 02/21 00:00:35 12ac-13c4] CUninstall::UnloadProgram==>FindWindow(PCCNTClassName,) return NULL
[cmnunins_Uninstall.cpp(421) 02/21 00:00:35 12ac-13c4] CUninstall::UnloadProgram==>FindWindow(PCCNTMONCLASS,) return NULL
[cmnunins_Uninstall.cpp(421) 02/21 00:00:35 12ac-13c4] CUninstall::UnloadProgram==>FindWindow(PCCNT_UPDATE32,) return NULL
[cmnunins_Uninstall.cpp(414) 02/21 00:00:35 12ac-13c4] CUninstall::UnloadProgram==>Class and Name == NULL, return
[cmnunins_Uninstall.cpp(508) 02/21 00:00:35 12ac-13c4] Out--CUninstall::UnloadProgram
[cmnunins_Uninstall.cpp(1196) 02/21 00:02:45 12ac-13c4] In--CUninstall::RunCommand
[cmnunins_Uninstall.cpp(1221) 02/21 00:02:45 12ac-13c4] CUninstall::RunCommand(tmproxy remove)
[cmnunins_CommonUtil.cpp(892) 02/21 00:02:45 12ac-13c4] Common_IsWin8AndLater dwMajorVersion=6, dwMinorVersion=2
[cmnunins_Uninstall.cpp(1238) 02/21 00:02:45 12ac-13c4] CUninstall::RunCommand In win8 skip Tmproxy Remove
[cmnunins_Uninstall.cpp(1221) 02/21 00:02:45 12ac-13c4] CUninstall::RunCommand(tdiins -u "<CLIENT_FOLDER>\TmTdi.inf" SOFTWARE\TrendMicro\NSC\TmProxy InfNameForTdi)
[cmnunins_Uninstall.cpp(1221) 02/21 00:02:45 12ac-13c4] CUninstall::RunCommand(ncfg -ur TM_CFW)
[cmnunins_Uninstall.cpp(1221) 02/21 00:02:45 12ac-13c4] CUninstall::RunCommand(tmlwfins -u tmlwf Software\TrendMicro\NSC\PFW InfNameForLWF)
[cmnunins_Uninstall.cpp(1221) 02/21 00:02:46 12ac-13c4] CUninstall::RunCommand(tmwfpins -u "<CLIENT_FOLDER>\tmwfp.inf" Software\TrendMicro\NSC\PFW InfNameForWFP)
[cmnunins_Uninstall.cpp(1221) 02/21 00:02:46 12ac-13c4] CUninstall::RunCommand(TmExtIns.exe -ue "<CLIENT_FOLDER>")
[cmnunins_Uninstall.cpp(1221) 02/21 00:02:46 12ac-13c4] CUninstall::RunCommand(TmExtIns32.exe -ue "<CLIENT_FOLDER>")
[cmnunins_Uninstall.cpp(1221) 02/21 00:02:46 12ac-13c4] CUninstall::RunCommand(TmExtIns.exe -uf "<CLIENT_FOLDER>\FirefoxExtension")
[cmnunins_Uninstall.cpp(1221) 02/21 00:02:46 12ac-13c4] CUninstall::RunCommand(CompRmv.exe -p "<CLIENT_FOLDER>" -u TMEBC)
[cmnunins_Uninstall.cpp(1221) 02/21 00:02:46 12ac-13c4] CUninstall::RunCommand(CompRmv.exe -p "<CLIENT_FOLDER>" -u Osprey)
[cmnunins_Uninstall.cpp(1221) 02/21 00:03:16 12ac-13c4] CUninstall::RunCommand(CompRmv.exe -p "<CLIENT_FOLDER>" -u NCIE)
[cmnunins_Uninstall.cpp(1305) 02/21 00:03:17 12ac-13c4] Out--CUninstall::RunCommand
[cmnunins_Uninstall.cpp(1007) 02/21 00:03:17 12ac-13c4] In--CUninstall::StopAndDeleteService
[cmnunins_Uninstall.cpp(1064) 02/21 00:03:17 12ac-13c4] CUninstall::StopAndDeleteService==> StopServiceRetryCount: 80, StopServiceWaitingTime: 9000
[cmnunins_Uninstall.cpp(947) 02/21 00:27:23 12ac-13c4] service TMLISTEN stop failed, try to delete it
[cmnunins_Uninstall.cpp(955) 02/21 00:27:23 12ac-13c4] Kill TMLISTEN process OK.
[cmnunins_Uninstall.cpp(986) 02/21 00:27:23 12ac-13c4] Query Service TMLISTEN status 2412
[cmnunins_Uninstall.cpp(973) 02/21 00:27:24 12ac-13c4] Successfully delete TMLISTEN.
[cmnunins_Uninstall.cpp(947) 02/21 00:51:31 12ac-13c4] service NTRTSCAN stop failed, try to delete it
[cmnunins_Uninstall.cpp(955) 02/21 00:51:31 12ac-13c4] Kill NTRTSCAN process OK.
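
Added example, not part of the original post: a small parser for the SCUT log format shown above that lists the gaps between consecutive entries, which shows where the run spends its time while the log appears frozen. The sample entries are copied from the log above; the year (absent from the log), the 60-second threshold, and reading StopServiceWaitingTime as milliseconds per retry are assumptions.

```python
import re
from datetime import datetime, timedelta

# Entries copied from the log in the post; works on one-per-line or run-together text.
SAMPLE = """\
[cmnunins_Uninstall.cpp(508) 02/21 00:00:35 12ac-13c4] Out--CUninstall::UnloadProgram
[cmnunins_Uninstall.cpp(1196) 02/21 00:02:45 12ac-13c4] In--CUninstall::RunCommand
[cmnunins_Uninstall.cpp(1064) 02/21 00:03:17 12ac-13c4] CUninstall::StopAndDeleteService==> StopServiceRetryCount: 80, StopServiceWaitingTime: 9000
[cmnunins_Uninstall.cpp(947) 02/21 00:27:23 12ac-13c4] service TMLISTEN stop failed, try to delete it
[cmnunins_Uninstall.cpp(973) 02/21 00:27:24 12ac-13c4] Successfully delete TMLISTEN.
[cmnunins_Uninstall.cpp(947) 02/21 00:51:31 12ac-13c4] service NTRTSCAN stop failed, try to delete it
[cmnunins_Uninstall.cpp(955) 02/21 00:51:31 12ac-13c4] Kill NTRTSCAN process OK.
"""

# "[source(line) MM/DD HH:MM:SS pid-tid] message", message ends at the next header.
ENTRY = re.compile(
    r"\[(?P<src>[\w.]+)\((?P<line>\d+)\) (?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) "
    r"(?P<pid>[0-9a-f]+)-(?P<tid>[0-9a-f]+)\] "
    r"(?P<msg>.*?)(?=\s*\[[\w.]+\(\d+\) \d\d/\d\d|\s*\Z)",
    re.S,
)

def parse(text, year=2023):
    """Return (timestamp, source, line, message) tuples; year is assumed, the log omits it."""
    out = []
    for m in ENTRY.finditer(text):
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d %H:%M:%S")
        out.append((ts, m["src"], int(m["line"]), " ".join(m["msg"].split())))
    return out

def stalls(entries, threshold=timedelta(seconds=60)):
    """Consecutive entries whose timestamps are further apart than threshold."""
    pairs = zip(entries, entries[1:])
    return [(b[0] - a[0], a, b) for a, b in pairs if b[0] - a[0] > threshold]

def retry_budget(entries):
    """Seconds implied by the logged retry settings (count x wait in ms, an assumption)."""
    for *_, msg in entries:
        m = re.search(r"StopServiceRetryCount: (\d+), StopServiceWaitingTime: (\d+)", msg)
        if m:
            return int(m[1]) * int(m[2]) / 1000
    return None

if __name__ == "__main__":
    log = parse(SAMPLE)
    print("retry budget (s):", retry_budget(log))
    for gap, before, after in stalls(log):
        print(f"{gap} after '{before[3]}' -> '{after[3]}'")
```

On these entries the two long gaps (about 24 minutes each) both end at a "service ... stop failed" line, so the time goes into waiting for TMLISTEN and NTRTSCAN to stop.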