Endpoint Protection

SEP Experts

I have searched high and low on how to remove SEP v11 managed client from a 7000+ seat organization.  I've followed most of the links I've come across, most refer to older versions of Symantec...too many to list here, let me quickly describe my environment, maybe someone else has a better idea:

7000+ managed clients

Novell Directory Services (no Xen support for software distribution)

All clients in workgroup (this is a Novell thingy) - no MS Active Directory

Windows XP + SP3

The rest of the underlying network topology is relatively standard.

We have tried the cleanwipe, this totally wrecks our network stack and other 3rd party apps once owned by Symantec (luckily only on a "labbed" SEP clients), so this is no good.  I've tried using psexec to initiate a uninstall, this only works on non password protected clients, exits with an error on a password protected one...

I'm busy trying this link...

https://www-secure.symantec.com/connect/forums/how-uninstall-symantec-endpoint-protection-sep-client-silently-using-command-line

But I'm running into a weird error that I'm still trying to "decrypt".

Any additional information would be great, I preferably want to run it using psexec, as this should be an equivalent to an agentless uninstall...if you get my drift.  The local admin usernames / passwords are known to me, so this should be ok.

Please keep in mind this needs to run on a 7000+ seat environment...silently, so I don't have the luxuary of doing any walk abouts.

Thanks

Try  Competitive Uninstaller that comes with the SEP Download

https://www-secure.symantec.com/connect/forums/how-uninstall-10000-symantec-endpoint-protection-clients

Hi Prachand

I forgot to mention, an engineer went and already uninstalled all the SEP Management Servers (6 of them), in anticipation of the new solution...I didn't know about this until it was done...so much for any form of change control / management...

I will try your link, am I correct in assuming this will override the whole password thing for a managed client?

1. Reinstall a single SEPM with the same name/ip address and old database if possible.
2. If not just make sure you restore the digital cert so the existing clients can communicate
3. Do not download any content updates so you can conserve your bandwidth
4. Change the security settings so that the password setting is cleared.

Wait until all of the SEP clients have checked in and they will get the updated policy.

Or you could try the following regsitry changes:

• HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

Change the value for SmcGuiHasPassword from 1 to 0

Or could be this one, I can't remember exactly:

• HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\Security

Hi Zer0

The above keys have had no effect, SEP is still prompting 4 a password, even after I rebooted the PC.  Also the 1st post refers to a VBS, I've tried this and it merely invokes the uninstall, and guess what...again prompts 4 the password...is there no way around this?

I need to "override" the whole password issue.

Hi AravindKM

This is not an option, as I said in my original post, this needs to be an automated process and I cannot do a walk around for 7000+ clients...there must be a complete zero touch remove process...your suggestion above does work, this is however if I'm sitting infront of a PC...and to "automate" the termination of the second msiexec process is going to be too complicated to "code".

Has nobody been able to overwrite / bypass the SEP password...?

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\Security\UseVPUninstallPassword  change the value to 1 and try... 

AravindKM

Still no luck, it still prompts 4 a password.  Does Symantec not have a process how to do this (not including cleanwipe or nonav)?  Surely someone out there has been able to bypass the password issue?

Can you tell us the reason for uninstallation ?Are you trying to upgrade?

After MR4 MP2 version you wont be able to bypass the password :(

http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US

Create a script based on this KB
How to manually uninstall Symantec Endpoint Protection client from Windows 2000, XP and 2003, 32-bit Editions

I have send you a personal message please check 

AravindKM

I will give this a go...got an idea of turning this entire process into an MSI package...I will update this post if it works.

Hi Rafeeq

Please could you resend the message to my offsite email address(got active sync running 4 this 1) , I do not have access to my office emails...too much security

etienne.vanrooyen@norplats.co.za

Thanks

Done :)

Rafeeq

I got the message. Replied 2 your message...

Thanks

Hi Zer0

I have no backups of anything...if I rebuild, same name & IP, can I regenerate the certs?  Something like a DR?

If you are moving to a competitive solution (e.g. McAfee, Trend, etc) all of them have a competitive uninstaller.  ALL OF THEM.  Just like how Symantec will remove a competitors AV product and install theirs, perhaps look to your new product to do the uninstall and deployment in a single swoop.

I'm quite trained in SEP and if moving a 7000 user McAfee shop, I'd be using Symantec tools to remove McAfee.  I dont see this being any different with a different product.

Of course there is a means to remove the product.

As mentioned every competitor has removal tools. Symantec has removal tools - CompetitiveUninstall, cleanwipe, SEPprep can all be used.

Then you also have simple MSI uninstall commands, psexec, etc.

You (or someone) set a password to protect SEP from uninstall by users or malware, then you removed all of the SEPM's before you changed the setting back. There is only one issue here and its not Symantec or SEP. It is the people administering things.

You seriusly don't have a single backup of the disks on a SEPM?

How long were they in production?

All you need is the jks keystore files and you can recover without the old database and with very little bandwidth utilisation.

When I approached the new supplier / vendor, and they were shown the complexity of the environment...they ran out the door....the rest is history.

:) really nice, good to go with what we have :) Have a wonderful day