Blog | G5 Cyber Security

AV Software: Data Access After Uninstall

TL;DR

Yes, it’s possible for third-party antivirus (AV) software to retain some access or data even after uninstalling. This is due to leftover files, background services, and cloud-based components. Here’s how to check and minimise this risk on Windows PCs and Android phones.

Windows PC

  1. Check for Remaining Files & Folders: AV software often leaves behind folders in these locations:
    • C:\Program Files\<AV Software Name>
    • C:\ProgramData\<AV Software Name> (This is a hidden folder. You need to enable ‘Show hidden files and folders’ in File Explorer options.)
    • C:\Users\<Your Username>\AppData\Local\<AV Software Name>

    Delete any remaining folders you find.

  2. Check Running Services: Some AV components might run as background services even after uninstalling the main program.
    services.msc

    Open this by pressing Windows Key + R, typing services.msc and pressing Enter. Look for any services related to the uninstalled AV software. If found, right-click and select ‘Stop’. Then, right-click again and select ‘Properties’, change the ‘Startup type’ to ‘Disabled’, and click ‘Apply’ then ‘OK’.

  3. Check Task Scheduler: The AV might have scheduled tasks that continue running.
    taskschd.msc

    Open this by pressing Windows Key + R, typing taskschd.msc and pressing Enter. Look in the ‘Task Scheduler Library’ for any tasks created by the uninstalled AV software. If found, right-click and select ‘Delete’.

  4. Check Browser Extensions: Some AVs install browser extensions. Check your browsers (Chrome, Firefox, Edge) for any related extensions and remove them.
    • Chrome: chrome://extensions
    • Firefox: about:addons
    • Edge: edge://extensions
  5. Registry Check (Advanced – Use with Caution!): The AV software may have left entries in the Windows Registry. Incorrectly editing the registry can cause system instability.
    regedit

    Open this by pressing Windows Key + R, typing regedit and pressing Enter. Search (Ctrl+F) for the AV software name. Delete any keys or values you find related to it. Back up your registry before making changes! (File -> Export).

  6. Network Monitoring: Use a network monitoring tool (like Wireshark, but this is advanced) to see if your PC is communicating with the AV vendor’s servers after uninstalling. If so, investigate further.
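
A read-only PowerShell audit covering steps 1, 2, 3 and 5 above, added here as an example and not part of the original post. `ExampleAV` is a placeholder name, and the registry locations it checks are a subset chosen for the example, not a full registry search.

```powershell
# Read-only audit: lists possible leftovers and deletes nothing.
# Run from an elevated PowerShell so services, tasks and HKLM are readable.
# 'ExampleAV' is a placeholder; pass the real product or vendor name.
param([string]$Name = 'ExampleAV')

$pattern = "*$Name*"
function New-Finding($Type, $Item, $Detail) {
    [pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail }
}

# Step 1 locations. Program Files (x86) is an extra location not in the list above.
$roots = $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:LOCALAPPDATA
# Step 5 locations (assumed subset): vendor keys, uninstall entries, service keys.
$regRoots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node', 'HKCU:\Software',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SYSTEM\CurrentControlSet\Services'

$findings = @(
    # Step 1: leftover folders (-Force includes hidden ones).
    foreach ($root in ($roots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Directory -Filter $pattern -Force -ErrorAction SilentlyContinue |
            ForEach-Object { New-Finding 'Folder' $_.FullName '' }
    }
    # Step 2: services whose name, display name or binary path matches.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern -or $_.PathName -like $pattern } |
        ForEach-Object { New-Finding 'Service' $_.Name "$($_.State), start=$($_.StartMode), $($_.PathName)" }
    # Step 3: scheduled tasks matched on name, path, author or launched program.
    Get-ScheduledTask |
        Where-Object { $_.TaskName -like $pattern -or $_.TaskPath -like $pattern -or
                       $_.Author -like $pattern -or ($_.Actions.Execute -like $pattern) } |
        ForEach-Object { New-Finding 'Task' ($_.TaskPath + $_.TaskName) ($_.Actions.Execute -join '; ') }
    # Step 5: registry keys matched on key name or DisplayName value.
    foreach ($r in $regRoots) {
        Get-ChildItem -Path $r -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like $pattern -or $_.GetValue('DisplayName') -like $pattern } |
            ForEach-Object { New-Finding 'Registry' $_.Name '' }
    }
)

if ($findings.Count -eq 0) { "No leftovers matching '$Name' found." }
else { $findings | Sort-Object Type, Item | Format-Table -AutoSize -Wrap }
```
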

Android Phone

  1. Check App Permissions: Even after uninstalling, some apps may have been granted permissions that could be exploited (though this is less common).
    Go to Settings -> Apps -> See all apps. Select any previously installed AV app and check its ‘Permissions’. Revoke any unnecessary permissions.
  2. Check Device Admin Apps: Some AVs use device admin privileges for features like anti-theft.
    Go to Settings -> Security -> Device admin apps (or similar, depending on your Android version). Disable the uninstalled AV app if it’s listed.
  3. Check Accessibility Services: Similar to device admins, some AVs use accessibility services.
    Go to Settings -> Accessibility and disable any related services from the uninstalled AV software.
  4. Review Google Play Protect: Ensure Google Play Protect is enabled (Settings -> Security -> Google Play Protect). This provides a baseline level of cyber security protection.
  5. Factory Reset (Last Resort): If you are highly concerned and suspect persistent access, a factory reset will erase all data and reinstall the operating system. Back up your important data first! (Settings -> System -> Reset options -> Erase all data (factory reset)).