
Customizing Your Symantec Endpoint Protection Migration

Created: 29 Jul 2008

The Symantec Endpoint Protection Integration Component allows users to leverage the Altiris platform to facilitate deployments and migrations to Symantec Endpoint Protection. This article will outline the migration process that the Integration Component uses and how to create custom migrations.

Migration Process Flow

Once the Symantec Endpoint Protection client installation file (setup.exe) has been added to the Altiris package and the rollout task enabled, the software delivery and installation follow this sequence of steps:

  1. The appropriate client installation task (32 or 64-bit) is enabled and targeted at the appropriate collection.
  2. The Altiris Agent updates its configuration at the configuration request interval.
  3. If new tasks are available, the Altiris Agent retrieves them from the Notification Server. This includes the Symantec Endpoint Protection Client Installation task.
  4. The Symantec Endpoint Protection Client package is copied from the Notification Server or nearest package server to the local machine.
  5. Install.js is executed:
    • Trend or McAfee client software is uninstalled.
    • Symantec Endpoint Protection client setup.exe is executed.
    • Integration Component file is installed.
  6. At the next basic inventory, the Symantec Endpoint Protection service should be identified and inventoried.

Symantec Endpoint Protection client version information should be present when the next data import from the Symantec Endpoint Protection Manager to the Notification Server is run.

Installation Script Deconstructed

The install.js script is a JavaScript file that is launched to commence the installation and migration process once the installation package has been distributed from the Notification Server to the Altiris Agent. By default, the Symantec Endpoint Protection Integration Component has predefined package folders where the script is located. For 32-bit packages, the default path is C:\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86, with folders starting with ConnectSEP. There are five folders, allowing one to create different SEP packages and deploy them to different groups of computers. By default, the 64-bit packages are located at C:\Program Files\Altiris\Notification Server\NSCap\Bin\Win64\X64.

The script has six key sections:

  1. Variable Declaration
  2. Trend Client Uninstall
  3. McAfee Client Uninstall
  4. Symantec Endpoint Protection Client Install
  5. Integration Component File Installation
  6. Script Termination and Function Definition

1. Variable Declaration

var shell = WScript.CreateObject("WScript.Shell");
var filesys = WScript.CreateObject("Scripting.FileSystemObject");
var connectSepAgentFileName = "SEPAltirisActor.exe";
var connectSepAgentUninstallFileName = "uninstall.js";
var connectSepAgentDir = "ConnectSEPAgent";
var connectSepAgentRegKey = "HKLM\\SOFTWARE\\Altiris\\Altiris Agent\\Plugin Objects\\Agents\\ConnectSEPAgent\\";
var altirisAgentInstallPathRegKey = "HKLM\\Software\\Altiris\\Altiris Agent\\InstallDir";
var sepVersionRegKey = "HKLM\\Software\\Symantec\\Symantec Endpoint Protection\\SMC\\Version";
var trendAVAllowUninstallRegKey = "HKLM\\Software\\TrendMicro\\PC-cillinNTCorp\\CurrentVersion\\Misc.\\Allow Uninstall";
var trendAVUninstallRegKey = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OfficeScanNT\\UninstallString";

2. Trend Client Uninstall

// uninstall Trend Micro 7.0
var key = null;
try
{
    key = shell.RegRead( trendAVAllowUninstallRegKey );
}
catch(ex)
{
    //product not installed
}
if(key != null)
{
    try
    {
            //hack to bypass password
            shell.RegWrite( trendAVAllowUninstallRegKey, 1, "REG_DWORD" );
            
            //get uninstall string
            var strUninstallString = shell.RegRead( trendAVUninstallRegKey );
            
            //run uninstaller minimized. the uninstaller does not support hidden execution
            shell.Run(strUninstallString, 7, true);
    }
    catch ( ex ) {}
}

3. McAfee Client Uninstall

// uninstall McAfee
try
{
    shell.Run("MsiExec.exe /quiet /X {5DF3D1BB-894E-4DCD-8275-159AC9829B43}", 0, true);
    shell.Run("MsiExec.exe /quiet /X {F80DE1CB-C248-8994-691C-A62908B73C11}", 0, true);
    shell.Run("MsiExec.exe /quiet /X {35C03C04-3F1F-42C2-A989-A757EE691F65}", 0, true);
}
catch ( ex ) {}

4. Symantec Endpoint Protection Client Install

// install SEP client
if ( filesys.FileExists( filesys.BuildPath(shell.CurrentDirectory, "Setup.exe" ) ) &&
    filesys.GetFile( filesys.BuildPath(shell.CurrentDirectory, "Setup.exe" ) ).Size > 0 )
{
    shell.Run( "\"" + filesys.BuildPath( shell.CurrentDirectory, "Setup.exe" ) + "\"", 0, true );
}
else
{
    // no Setup.exe in the package root: run the first one found in a subfolder
    var fc = new Enumerator( filesys.GetFolder( shell.CurrentDirectory ).SubFolders );
    for ( ; !fc.atEnd(); fc.moveNext() )
    {
            var subfolder = fc.item();
            if ( filesys.FileExists( filesys.BuildPath( subfolder.Path, "Setup.exe" ) ) )
            {
                    shell.Run( "\"" + filesys.BuildPath( subfolder.Path, "Setup.exe" ) + "\"", 0, true );
                    break;
            }
    }
}

5. Integration Component File Installation

// check that we successfully installed the Symantec client
// and if so, copy the Altiris connector agent file over to a permanent location
if ( Sep11OrHigherIsInstalled() )
{
    var altirisAgentInstallPath = shell.RegRead( altirisAgentInstallPathRegKey );
    
    if ( altirisAgentInstallPath != null )
    {
            if ( !filesys.FolderExists( altirisAgentInstallPath + "\\..\\Agents" ) ) 
            {
                    filesys.CreateFolder( altirisAgentInstallPath + "\\..\\Agents" );
            }
            if ( !filesys.FolderExists( altirisAgentInstallPath + "\\..\\Agents\\" + connectSepAgentDir ) ) 
            {
                    filesys.CreateFolder( altirisAgentInstallPath + "\\..\\Agents\\" + connectSepAgentDir );
            }
            filesys.CopyFile( shell.CurrentDirectory + "\\" + connectSepAgentFileName, altirisAgentInstallPath + "\\..\\Agents\\" + connectSepAgentDir + "\\", true );
            filesys.CopyFile( shell.CurrentDirectory + "\\" + connectSepAgentUninstallFileName, altirisAgentInstallPath + "\\..\\Agents\\" + connectSepAgentDir + "\\", true );
            
            shell.RegWrite( connectSepAgentRegKey + "Agent Ident", "Altiris.ProductDelivery.ConnectSEPAgent", "REG_SZ" );
            shell.RegWrite( connectSepAgentRegKey + "Agent Name", "Symantec Endpoint Protection Integration Component Agent", "REG_SZ" );
            shell.RegWrite( connectSepAgentRegKey + "Always Load", "0", "REG_DWORD" );
            shell.RegWrite( connectSepAgentRegKey + "Build Number", "1157", "REG_DWORD" );
            shell.RegWrite( connectSepAgentRegKey + "Hidden", "0", "REG_DWORD" );
            shell.RegWrite( connectSepAgentRegKey + "Install Path", filesys.GetAbsolutePathName( altirisAgentInstallPath + "\\..\\Agents\\" + connectSepAgentDir + "\\SEPAltirisActor.exe" ), "REG_SZ" );
            shell.RegWrite( connectSepAgentRegKey + "Internal", "0", "REG_DWORD" );
            shell.RegWrite( connectSepAgentRegKey + "Product Version", "6.0.1157", "REG_SZ" );
            shell.RegWrite( connectSepAgentRegKey + "ProgID", "Altiris.ProductDelivery.ConnectSEPAgent", "REG_SZ" );
            shell.RegWrite( connectSepAgentRegKey + "UninstallString", "cscript.exe \"" + filesys.GetAbsolutePathName( altirisAgentInstallPath + "\\..\\Agents\\" + connectSepAgentDir + "\\uninstall.js\"" ), "REG_SZ" );
    }
}

6. Script Termination and Function Definition

if ( !Sep11OrHigherIsInstalled() || !ConnectorAgentIsInstalled() )
{
    WScript.Echo( "Symantec EP Client or Symantec EP Connector Agent not successfully installed." );
    WScript.Quit( 1 );
}


function Sep11OrHigherIsInstalled()
{
    if ( !RegKeyExists( sepVersionRegKey ) ) return false;
    var version = shell.RegRead( sepVersionRegKey );
    if ( version.split(".")[0] < 11 ) return false;
    return true;
}

function ConnectorAgentIsInstalled()
{
    if ( !RegKeyExists( connectSepAgentRegKey + "UninstallString" ) ) return false;
    if ( !RegKeyExists( altirisAgentInstallPathRegKey ) ) return false;
    var altirisAgentInstallPath = shell.RegRead( altirisAgentInstallPathRegKey );
    if ( !filesys.FileExists( altirisAgentInstallPath + "\\..\\Agents\\" + connectSepAgentDir + "\\" + connectSepAgentFileName ) ) return false;
    if ( !filesys.FileExists( altirisAgentInstallPath + "\\..\\Agents\\" + connectSepAgentDir + "\\" + connectSepAgentUninstallFileName ) ) return false;
    return true;
}

function RegKeyExists( key )
{
    try
    {
            shell.RegRead( key );
            return true;
    }
    catch ( ex )
    {
            return false;
    }
}

Customizing the Install Process

To customize the install process for different types of antivirus, there are a few key steps:

  1. Determine the uninstall command(s) for the antivirus product being removed.
  2. Script the uninstall process.
  3. Disable any client self-defense.
  4. Create install package.
  5. Leverage task server tasks for reboots or other complex scenarios.

Customization Example

The Integration Component supports migrations from Symantec Antivirus 9 and 10 by default, but due to some complexities in removing older versions, the migration process needs to be customized. This example will explore migration of Symantec Antivirus 8 to Symantec Endpoint Protection via a customization of the Integration Component. All scripts will be written in JavaScript, but could easily be ported to another language.

1. Determine the uninstall commands for Symantec Antivirus 8:

Most uninstallations can be triggered by calling the right MsiExec.exe command. These commands can usually be found by going to the registry and looking in the following key:

\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

Products are listed by their globally unique identifier (GUID) so you may need to browse through the different GUID keys to find the antivirus you are trying to remove.

In the case of Symantec Antivirus 8, the command is

MsiExec.exe /x {0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E} REMOVE=ALL /qn

Breaking down the parameters and variables:

  • /x is the uninstall parameter
  • {0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E} is the GUID of the Installer package for Symantec Antivirus 8.
  • REMOVE=ALL is for uninstalling all components.
  • /qn is the parameter for displaying no user interface.
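
Browsing the GUID keys by hand can be scripted. The following is an added example, not part of the original article or the Integration Component: it parses the output of `reg query ... /s` and returns the entries whose DisplayName matches. The sample output and the "Example Tool" entry are constructed for illustration, and the function names are hypothetical.

```javascript
// Added example: find a product's Uninstall entry by display name.
var UNINSTALL_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall";

// Parse the text printed by `reg query <key> /s` into one record per subkey.
function parseRegQuery(text) {
    var entries = [], current = null, lines = text.split(/\r?\n/);
    for (var i = 0; i < lines.length; i++) {
        if (/^HKEY_/.test(lines[i])) {
            // An unindented line starts a subkey; its last path element is the product id.
            current = { id: lines[i].substring(lines[i].lastIndexOf("\\") + 1), values: {} };
            entries.push(current);
        } else if (current) {
            // Value lines look like "    Name    REG_SZ    Data".
            var m = /^\s+(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$/.exec(lines[i]);
            if (m) current.values[m[1]] = m[3];
        }
    }
    return entries;
}

// Products whose DisplayName contains `needle` (case-insensitive).
function findProducts(text, needle) {
    var hits = [], entries = parseRegQuery(text);
    for (var i = 0; i < entries.length; i++) {
        var name = entries[i].values["DisplayName"] || "";
        if (name.toLowerCase().indexOf(needle.toLowerCase()) !== -1) {
            hits.push({ id: entries[i].id, name: name,
                        uninstall: entries[i].values["UninstallString"] || "" });
        }
    }
    return hits;
}

// Constructed sample of `reg query` output, not captured from a real machine.
var SAMPLE = [
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}",
    "    DisplayName    REG_SZ    Symantec AntiVirus",
    "    UninstallString    REG_SZ    MsiExec.exe /x {0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}",
    "",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ExampleTool",
    "    DisplayName    REG_SZ    Example Tool",
    "    UninstallString    REG_SZ    C:\\Example\\uninst.exe"
].join("\r\n");

if (typeof WScript !== "undefined") {   // live query only under cscript.exe
    var sh = WScript.CreateObject("WScript.Shell");
    var found = findProducts(sh.Exec("reg query \"" + UNINSTALL_KEY + "\" /s").StdOut.ReadAll(), "AntiVirus");
    for (var j = 0; j < found.length; j++) WScript.Echo(found[j].id + "  " + found[j].uninstall);
}
```

On 64-bit Windows, 32-bit products are listed under the Wow6432Node copy of the same key, so query that path as well.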

2. Script the uninstall process for Symantec Antivirus 8:

Converting the previous command to JavaScript results in the following script:

var shell = WScript.CreateObject("WScript.Shell");

// run hidden (0) and wait for the uninstall to finish (true); REBOOT is the Windows Installer property that suppresses the reboot
shell.Run("MsiExec.exe /x {0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E} REMOVE=ALL /qn REBOOT=Suppress", 0, true);

The reboot is suppressed in this script so that the reboot can be controlled by a managed mechanism such as task server. If you want to be fancy, you could wrap this in a try and catch statement for exceptions. For the purpose of this example, I'll keep it simple.
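
A version of the uninstall script with the try/catch and a check of the msiexec exit code, as an added example that is not part of the original article or the Integration Component. The function names are hypothetical, and exiting with code 1 on failure assumes the job that runs the script treats a non-zero exit as a failed task.

```javascript
// Added example: run the Symantec Antivirus 8 uninstall and report the outcome.
var SAV8_PRODUCT_CODE = "{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}"; // GUID from the article

// Build the command line, refusing anything that is not a GUID so that a
// malformed value can never add extra arguments to the msiexec call.
function buildUninstallCommand(productCode) {
    if (!/^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$/.test(productCode)) {
        throw new Error("Not a product code GUID: " + productCode);
    }
    return "MsiExec.exe /x " + productCode + " REMOVE=ALL REBOOT=Suppress /qn";
}

// Map a Windows Installer exit code to what the migration should do next.
function classifyMsiExit(code) {
    switch (code) {
        case 0:    return { ok: true,  reboot: false, text: "removed" };
        case 1605: return { ok: true,  reboot: false, text: "product not installed" };
        case 3010: return { ok: true,  reboot: true,  text: "removed, reboot required" };
        case 1641: return { ok: true,  reboot: true,  text: "removed, reboot initiated by installer" };
        case 1618: return { ok: false, reboot: false, text: "another installation is in progress" };
        default:   return { ok: false, reboot: false, text: "msiexec failed with code " + code };
    }
}

if (typeof WScript !== "undefined") {   // only under cscript.exe / wscript.exe
    var shell = WScript.CreateObject("WScript.Shell");
    var result;
    try {
        // With bWaitOnReturn = true, Run returns the exit code of msiexec.
        result = classifyMsiExit(shell.Run(buildUninstallCommand(SAV8_PRODUCT_CODE), 0, true));
    } catch (ex) {
        result = { ok: false, reboot: false, text: "could not start msiexec: " + ex.message };
    }
    WScript.Echo("SAV 8 uninstall: " + result.text);
    // Assumption: a non-zero exit makes the failure visible to whatever scheduled the script.
    if (!result.ok) WScript.Quit(1);
}
```

Exit code 3010 is the signal that the suppressed reboot is still pending, which is the case the reboot step of the task server job exists to handle.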

3. Disable client self-defense for Symantec Antivirus 8:

Most antivirus and client security products have some form of client self-defense or tamper protection mechanism to prevent unauthorized uninstalls of the product. This is a very important step: the Integration Component will not disable this protection automatically, so the administrator must disable it before executing the migration process. The appropriate product documentation will indicate how this feature is disabled.

4. Create Install Package:

The installer for the Symantec Endpoint Protection client can be created from the Symantec Endpoint Protection Manager Console. This can be done by going to the Admin Section and selecting the Install Packages view then selecting the Export Client Install Package under the Task menu. This is where one can select the Features to be used, the group(s) with policies, and export folder. The package should be exported or copied to the folders where the install.js script is located.

When a package folder has been modified, it often needs updating. Go to the appropriate package in the Altiris Console and select Update Distribution Points which will ensure that all contents of the package folder are sent down with a software delivery task.

5. Leverage task server tasks for reboots or other complex scenarios:

Some versions of antivirus or personal firewall software will require a reboot to complete the uninstall. This introduces a complexity to migrating to Symantec Endpoint Protection 11.0. In this scenario, the uninstall of the older version of security software, reboot, and install of Symantec Endpoint Protection need to be sequenced. If a reboot were not required, the uninstall script could be added to the install.js script that drives the migration. A complex migration with a reboot can be accomplished with the Altiris Task Server.

In order to leverage the task server install, one must install the client task agent, script task agent, and software delivery agent for task server plugin on the clients to which you wish to do the migration. All agents can be configured for rollout from the Configure\Agents\All Solution Agents Rollout menu in the Altiris Console. The client task agent and script task agent are installed with the Symantec Endpoint Protection Integration Component, but Software Delivery Solution for Windows must be installed for the software delivery agent for task server plugin.

To accomplish the migration, we will be creating a custom task server job with three key steps:

  1. Uninstall old antivirus software
  2. Reboot
  3. Install Symantec Endpoint Protection Client

1. Uninstall old antivirus software

This will be accomplished by adding the script that was defined earlier to a task server script client task. Be sure to make the script type JavaScript. To hide any windows from showing during the task execution, click on the Advanced button and select Hidden from the Show script: dropdown menu.

2. Reboot

A reboot is easy to accomplish by leveraging a power control task.

3. Install Symantec Endpoint Protection Client

The install task requires the creation of a software delivery task. The task will include the creation of a package, which should be modeled after the packages provided by the Symantec Endpoint Protection Integration Component.

After all three tasks are created, they can be sequenced in a client job and executed immediately or via a schedule.
