Can’t delete "com.avira.scanservice.systemextension" leftover from AVIRA Free Antivirus

I am very displeased with this software. It litters the Mac with a lot of files all over the place. I work in enterprise IT and I thought the expensive security tools were insane. This is just plain terrible software with sloppy packaging and removal.

I suspect you ran into trouble because you installed this prior to upgrading to Catalina, then decided to remove it afterwards. For future reference, if you install security tools you need to take note and verify they are compatible before you upgrade the operating system. It is not uncommon to brick your Mac when upgrading the operating system with an incompatible security tool, especially those that use kernel system extensions.

The Avira support site provides a script you can download, decompress and run but the file will be initially blocked as it's from an Unidentified Developer. You'll need to allow the script to run and then execute it in Terminal via the sudo (Super User Do) command. I've analyzed the script and it doesn't do anything it is not supposed to be doing.

https://support.avira.com/hc/en-us/article_attachments/360001695365/Avira_Uninstaller.zip

I recommend not running this tool in the GUI but from Terminal manually as below:

xattr -dr com.apple.quarantine ~/Downloads/Avira.Uninstall.command
sudo ~/Downloads/Avira.Uninstall.command

The Avira support pages seem to indicate there is an uninstall tool located in /Applications/Utilities/Avira-Uninstall.app/Contents/MacOS/Avira-Uninstall and that you may need to run this from Terminal instead of clicking the App in the /Applications/Utilities directory.

  • Open Terminal
  • Type the following command
sudo /Applications/Utilities/Avira-Uninstall.app/Contents/MacOS/Avira-Uninstall

Enter your Mac user password and I would recommend rebooting when it's finished.

If this does not work, then you can manually remove the AVIRA system extension. It looks scary and complex, but it's not as bad as it looks; it's just tedious.

Manual Process:

Fortunately, Apple provides a developer tool to fix this problem called "systemextensionsctl". Unfortunately, it is complicated by needing to disable SIP (System Integrity Protection) as well as enabling the root user account, then retrieving the AVIRA system extension developer TeamIdentifier and Bundle Identifier information, then uninstalling the system extension, and finally turning SIP back on and turning off the root user account. All this in the name of improved security...

Prerequisites:

  1. macOS Catalina (you have that covered)
  2. Disable SIP (System Integrity Protection)
  3. Enable root account

Disable SIP:

  • Restart the computer while holding CMD + R to enter Recovery Mode
  • Click on the Utilities pull down menu and select Terminal and enter the command below:
csrutil disable
  • Click the Apple pulldown menu and restart
  • Follow this Apple Support document to enable the root user account https://support.apple.com/en-us/HT204012
  • Don't forget to sign out and back in as the root user with the password you created when following the Apple Support document. Do not reboot; log out and back in instead.

Open the Terminal (CMD + Spacebar, type Terminal, then press Return).

You'll need to find the Team identifier of the certificate used to sign the system extension as well as the Bundle identifier for the system extension, as you will need to supply them to the systemextensionsctl tool so you can uninstall the AVIRA system extension. There's another tool from Apple called codesign that will give you that information.

Copy this command and paste into Terminal to return the TeamIdentifier code for the AVIRA system extension

codesign -dvvv /Library/SystemExtensions/511A3B18-B8D9-4324-A145-25F85A6CA02/com.avira.scanservice.systemextension 2>&1 | awk -F= '/^TeamIdentifier/ {print $NF}'

It will return the TeamIdentifier, which will be an alphanumeric code something like:

AVY94IG3PA (sample result, use the result you receive)

Now copy and paste this slightly different command to obtain the Identifier for AVIRA

codesign -dvvv /Library/SystemExtensions/511A3B18-B8D9-4324-A145-25F85A6CA02/com.avira.scanservice.systemextension 2>&1 | awk -F= '/^Identifier/ {print $NF}'

This one should return something like:

com.avira.scanservice.extension (sample result, use the one you receive)

Once you have both of these pieces of information displayed in the Terminal, you can enter the actual command to remove the system extension. Enter the TeamIdentifier and Bundle Identifier you retrieved earlier. The codes below are only an example; do not copy and paste the command below.

systemextensionsctl uninstall AVY94IG3PA com.avira.scanservice.extension

IMPORTANT: Do not forget to Enable SIP and Disable the root user account when you are done. These two items are important to keep your Mac protected from truly nasty security threats.
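
The two codesign lookups and the final command can be combined into one checked step. The script below is an added example, not part of the original answer and not Avira's or Apple's code: the function name build_uninstall_cmd, the format checks and the sample text are assumptions made for illustration. It only prints the command and never runs it.

```shell
#!/bin/sh
# Added example: derive the systemextensionsctl command from codesign output.
# build_uninstall_cmd is a hypothetical helper. It reads the text printed by
# `codesign -dvvv <path> 2>&1` on stdin and prints the uninstall command.

build_uninstall_cmd() {
    info=$(cat)
    # codesign prints one Key=Value pair per line (on stderr, hence 2>&1).
    team=$(printf '%s\n' "$info" | awk -F= '/^TeamIdentifier=/ {print $2; exit}')
    bundle=$(printf '%s\n' "$info" | awk -F= '/^Identifier=/ {print $2; exit}')

    # Ad-hoc signed or unsigned code reports "TeamIdentifier=not set".
    case "$team" in
        ''|'not set')
            echo "error: signature carries no TeamIdentifier" >&2
            return 1 ;;
    esac
    # Assumed format: Team IDs are 10 uppercase letters or digits.
    if ! printf '%s' "$team" | grep -Eq '^[A-Z0-9]{10}$'; then
        echo "error: unexpected TeamIdentifier: $team" >&2
        return 1
    fi
    # Bundle identifiers use letters, digits, dots and hyphens only.
    if ! printf '%s' "$bundle" | grep -Eq '^[A-Za-z0-9.-]+$'; then
        echo "error: missing or malformed Identifier" >&2
        return 1
    fi
    printf 'systemextensionsctl uninstall %s %s\n' "$team" "$bundle"
}

# Constructed sample of codesign output, using the sample values from the
# answer above. <UUID> is a placeholder, not a real directory name.
SAMPLE_OUTPUT='Executable=/Library/SystemExtensions/<UUID>/com.avira.scanservice.systemextension
Identifier=com.avira.scanservice.extension
Format=bundle with Mach-O thin (x86_64)
TeamIdentifier=AVY94IG3PA'

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_OUTPUT" | build_uninstall_cmd
```

On the Mac itself, pipe the real output in place of the sample: `codesign -dvvv <path to the system extension> 2>&1 | build_uninstall_cmd`, then review the printed command before running it.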