
How to prevent unauthorized users from removing the Symantec DLP Agent from an endpoint computer.

Created: 03 Jan 2014 • Updated: 07 Jan 2014 | 4 comments
Lion Shaikh

To prevent unauthorized users from removing the Symantec DLP Agent from an endpoint computer, add an uninstallation password to the agent.

Uninstallation passwords prevent unauthorized users from removing the Symantec DLP Agent from an endpoint computer.
Passwords can only be added to Symantec DLP Agents during agent installation or upgrade. If you have existing agents you want to protect, you must remove the agent and then reinstall the agent with the password.

Passwords are generated using the UninstallPwdKeyGenerator.exe tool. You can add the uninstallation password by including the password parameter in the agent installation command line. You can use either Symantec Management Platform (SMP) or a software management system (SMS) program to install the agents with the uninstallation password.

You cannot add the uninstallation password to agents through the installation wizard.

To add the uninstallation password to an agent installation
Add the uninstallation password parameter to the agent installation command line:

UNINSTALLPASSWORDKEY="<password key>"
where <password key> is the password that you created with the password generation tool.

A sample agent installation command line might look like the following example:
msiexec /i AgentInstall.msi /q INSTALLDIR="%ProgramFiles%\Manufacturer\Endpoint Agent\" ENDPOINTSERVER="hostname" PORT="8000" KEY="" UNINSTALLPASSWORDKEY="<password key>" SMC="hostname" SERVICENAME="EDPA" WATCHDOGNAME="WDP"

Using uninstallation passwords
When you want to uninstall a Symantec DLP Agent that is password protected, you must enter the correct password before the uninstallation continues. If you uninstall your agents manually, a pop-up window appears on the endpoint computer that requests the password. You must enter the password in this window.

If you are using a software management system, include the password parameter in the command string. If you want to uninstall a group of agents, specify the uninstallation password in the agent uninstallation command line.

To enter the uninstallation password using a command line
Enter the following parameter in the uninstallation command line:

UNINSTALLPASSWORD="<password>"
where <password> is the password that you specified in the password generator.

An agent uninstallation command line looks like the following example:
msiexec /uninstall <product code> /q UNINSTALLPASSWORD="<password>"

Upgrading agents and uninstallation passwords
You can upgrade agents that are protected by uninstallation passwords without affecting the password. If you do not want to change the password, do not include the password parameter in the upgrade command line. The pre-existing uninstallation password is included in the upgraded agent automatically. Only include the password parameter if you want to change the password or if you want to add a new password to an agent.

To add or change a password while upgrading an agent
Add the following password parameter to the upgrade command line:

UNINSTALLPASSWORDKEY=<password key>
where <password key> is the password key that you created using the password generation tool.
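The install, uninstall and upgrade steps above use two similarly named parameters, which are easy to swap in a software management system job. The following is an added example, not part of the original article or of Symantec's tooling: a small Python check for such command lines before they are deployed. The function names, finding texts and sample key and password values are assumptions made for illustration.

```python
import re

# PROPERTY=value pairs on an msiexec command line; the value may be quoted
# (the install example) or bare (the upgrade parameter as the page writes it).
PROP_RE = re.compile(r'\b([A-Z_]+)=("([^"]*)"|\S*)')

def parse_props(cmdline):
    """Return {PROPERTY: value} for each PROPERTY=value pair on the line."""
    return {name: (quoted if raw.startswith('"') else raw)
            for name, raw, quoted in PROP_RE.findall(cmdline)}

def lint(cmdline):
    """Return findings for one agent install, upgrade or uninstall command line."""
    tokens = cmdline.lower().split()
    props = parse_props(cmdline)
    findings = []
    for name in ("UNINSTALLPASSWORDKEY", "UNINSTALLPASSWORD"):
        value = props.get(name)
        if value is not None and (value == "" or value.startswith("<")):
            findings.append(f"{name} is empty or still a placeholder")
    if "/i" in tokens:  # install or upgrade
        if "UNINSTALLPASSWORD" in props:
            findings.append("UNINSTALLPASSWORD on install: the install parameter is UNINSTALLPASSWORDKEY")
        if "UNINSTALLPASSWORDKEY" not in props:
            findings.append("no UNINSTALLPASSWORDKEY: fine for an upgrade that keeps its password, "
                            "but a new install gets none")
    if "/uninstall" in tokens or "/x" in tokens:  # /x is msiexec's short form
        if "UNINSTALLPASSWORDKEY" in props:
            findings.append("UNINSTALLPASSWORDKEY on uninstall: the uninstall parameter is UNINSTALLPASSWORD")
        if "/q" in tokens and "UNINSTALLPASSWORD" not in props:
            findings.append("silent uninstall without UNINSTALLPASSWORD")
    return findings

# Constructed sample lines; the key and password values are made up.
SAMPLES = [
    'msiexec /i AgentInstall.msi /q ENDPOINTSERVER="hostname" PORT="8000" UNINSTALLPASSWORDKEY="CONSTRUCTED-KEY"',
    'msiexec /i AgentInstall.msi /q ENDPOINTSERVER="hostname" PORT="8000" UNINSTALLPASSWORD="constructed-pw"',
    'msiexec /uninstall <product code> /q',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        for finding in lint(line) or ["ok"]:
            print("   ", finding)
```

Both values are sensitive on a command line, so run the check where the job definitions are stored rather than pasting them elsewhere.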

 

Comments

.Brian

good stuff, thanks!

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Lion Shaikh

Thanks, Brian and the Symantec Connect community administrator, for liking my article; it is my first article.

Once again, thanks to all reviewers in advance.
