Endpoint Protection


SEP Question regarding reinstall


  • 1.  SEP Question regarding reinstall

    Posted Dec 08, 2015 06:38 AM

    Hello guys, I have three questions and would appreciate your kind replies on this.

    1) SEP 12.1.6 MP3 is already installed on the client with all components (AV, PTP, NTP), full protection for the client.

    We export a new 12.1.6 MP3 package; however, we removed the Outlook scanner from the features and push this newly exported package to the client. Would it overinstall the new package on the existing package, or will it be rejected by the client because it is already running the same 12.1.6 MP3 version?

    2) What is the best method to remove the existing version of SEP and then install a newly exported package cleanly via a remote method, either via SEPM or SCCM? Are we required to use any script to achieve that?

    3) When we run Intelligent Updater on the client running 12.1.6 MP3 it fails; in the log we are seeing the following message. The SEP agent is installed in the default directory.

    Ignoring entry for VIRSCAN.zip because of registry read failure. Error occurred while reading the path for the Authorization DLL from the registry.
    The product corresponding to this entry in iuconfig.xml is not installed on the system.

    Does this message indicate that the existing installation of the agent is corrupted?

     

    Your kind replies would be appreciated. Thanks



  • 2.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 06:54 AM

    Any 1 ?



  • 3.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 07:07 AM
    If you are pushing from SEPM it will install with the new features. Create another custom install setting and select remove all previous logs and reset client-server communication. Best to use is SCCM: create a TS to uninstall SEP. You can use the Windows uninstall string from the registry, reboot, then the new package. Instead of IU try the Rapid Release exe. It would run just fine. Give it a try.


  • 4.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 07:08 AM
    P.S. IU is available for 32 and 64; make sure you are running the right version on the appropriate OS.


  • 5.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 07:13 AM

    1) SEP 12.1.6 MP3 is already  installed on client with all components ( AV, PTP , NTP ) full protection for client.

    We export a new 12.1.6 MP3 package; however, we removed the Outlook scanner from the features and push this newly exported package to the client. Would it overinstall the new package on the existing package, or will it be rejected by the client because it is already running the same 12.1.6 MP3 version?

    While creating the package, create a custom install settings with "Remove all previous logs and policies, and reset the client-server communication settings" checked and a custom install feature set to remove the Outlook scanner.

    Note: if that is the only component you want to modify, you can also disable it by policy.

    2) what is the best method to remove the existing version of SEP and then install a newly exported package cleanly via the remote method either via the SEPM or SCCM. Are we required to use any script to achieve that ?

    I would suggest you to go ahead with SCCM as you will have more control over the installation. Yes you may be required to install with a custom script to remove the existing version first.

    3) when we run intelligent updater on the client running 12.1.6 MP3 it fails , in the log we are seeing the following message . SEP Agent is installed on default directory.

    Ignoring entry for VIRSCAN.zip because of registry read failure. Error occurred while reading the path for the Authorization DLL from the registry.
    The product corresponding to this entry in iuconfig.xml is not installed on the system.

    Can you post the entire log so that we can see what is happening?



  • 6.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 07:35 AM

    Hello Rafeeq thanks for your reply. I am running into a situation would appreciate help of experts like you to fix it.

     

    Well, initially I exported a package and set the setting to remove existing, policies and reset client-server communication. I pushed it via SCCM to the client. Once it was done, in the SEP_INST log I saw a line stating the client already has the same version so the package is rejected, so for some reason the client didn't perform the overinstall.

     

    Can you please share with me the uninstall string you are talking about ?

     

    Well, I used 20151207-023-v5i64.exe for 64 bit from Security Response on the Symantec side. I believe it is the right one (https://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep).

     

    Best Regards



  • 7.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 07:41 AM
    I will message you with the steps. The task sequence will run a cmd which will be the uninstall string from the registry. I'm not at my desk; will update you shortly. Sorry for the delay.


  • 8.  RE: SEP Question regarding reinstall

    Broadcom Employee
    Posted Dec 08, 2015 08:00 AM

    Hello,

    Ideally it's not a good practice to uninstall the existing SEP client and install a new package just to modify existing feature sets. Why don't you do it via SEPM directly? Create a test group and assign custom install settings by removing the Outlook scanner from the features. Monitor the result.

    However you should be able to uninstall/reinstall SEP client with Sepprep tool as well.

     

     



  • 9.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 08:03 AM

    No problem Rafeeq, but I would really appreciate it if you can tell me the steps or strings that I am required to use from SCCM that will help to achieve the following on the machine automatically in a single task.

    1) Remove the existing agent and reboot (if the agent is password protected, are we required to add some string for the password as well? If yes, then what's the value or argument?)

    2) Install the newly exported agent

    Please correct me if I am wrong: when we completely uninstall the agent, I believe it will also remove the corrupted definitions, if any are available, and entries from the registry, and then install a new agent gracefully?

     



  • 10.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 08:18 AM

    Hello Praveen, this is exactly what I have done now: while exporting the package I have set the following settings in the feature set

    • Remove existing, logs, policies and reset client-server communication

    • Instead of unchecking the Outlook scanner component, I have unchecked the POP/SMTP scanner, so I believe it's not an issue because in the old package we have all options checked, but for this package we have unchecked it to make it different than the old one.

    I tried to use SysPrep to remove the existing package first and then install the new package, but what is actually happening is that it can remove the existing package fine, but when it tries to install the new package it fails because after the removal it requires a reboot (because of the pending operation registry key). Actually I am looking for some argument that I can add which will make the SysPrep.ini ignore this reboot requirement and install the agent straight away.

    Actually I am looking for something like this: RunAfterRemoval=reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v "Install SEP 12" /t REG_SZ /d "C:\TEMP\SEPinst\SEPsetup.exe" /f that will ignore the restart requirement and will start the install process, but I don't know what exactly to add here to make it happen. The current version of SEP is 12.1.6 MP3.

    This is the SepPrep.ini file which I have at the moment. Please suggest how I can make the above happen.

    [Settings]
    ShowGUI=N
    ShowMessageBox=N
    MessageBoxText=Prepairing your system for Symantec Endpoint Protection 11.0.  During this process other antivirus products will be removed.\n\nIf you are prompted please fully remove these products.
    AutoRunAfterUILoads=N
    AskBeforeRemoval=N
    SilentMSIInstaller=Y
    RemoveSymantec=N
    CheckDiskSpace=Y
    ResumeAfterReboot=Y
    EnableLogging=Y
    LogPath=C:\Users\Administrator\Desktop\t\
    RunBeforeRemoval=
    RunAfterRemoval=C:\Users\Administrator\Desktop\t\me.exe

    [UninstallPaths]
    SOFTWARE\McAfee\ePolicy Orchestrator\Application Plugins

    [ProductNames]
    ;Programs that must be removed first
    Symantec Endpoint Protection

     

     

    Thanks and Regards 



  • 11.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 08:25 AM

    Thanks for your reply Chetan. I know that, but there are some specific reasons which have left us with these options, as other options are not working fine.

    Can you help with the SepPrep.ini file? Actually I can remove SEP fine, but it is not starting the installation of the new package when it finishes the removal of the old one. I believe it is probably because it requires a reboot to make changes take effect (probably because SEP requires that there are some pending changes and requires the computer to reboot); however, even if I reboot the machine, as the machine comes online the installation process never starts.

    The version of SEP is 12.1.6 MP3. This is the SepPrep.ini file which I am using. Can you please suggest what else I am required to add in this file to make it happen?

     

    [Settings]
    ShowGUI=N
    ShowMessageBox=N
    MessageBoxText=Prepairing your system for Symantec Endpoint Protection 11.0.  During this process other antivirus products will be removed.\n\nIf you are prompted please fully remove these products.
    AutoRunAfterUILoads=N
    AskBeforeRemoval=N
    SilentMSIInstaller=Y
    RemoveSymantec=N
    CheckDiskSpace=Y
    ResumeAfterReboot=Y
    EnableLogging=Y
    LogPath=C:\Users\Administrator\Desktop\log\
    RunBeforeRemoval=
    RunAfterRemoval=C:\Users\Administrator\Desktop\t\sep.exe

    [UninstallPaths]
    SOFTWARE\McAfee\ePolicy Orchestrator\Application Plugins

    [ProductNames]
    ;Programs that must be removed first
    Symantec Endpoint Protection



  • 12.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 08:28 AM

    Hi Chetan, actually we have imported groups from AD via integration so we cannot manually move endpoints between groups. Secondly, we need to perform this on 200+ endpoints, so doing it from the SEPM console is somewhat not feasible.



  • 13.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 09:17 AM

    Any 1 ?



  • 14.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 09:45 AM

    Symspec,

    Navigate to

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Look for Symantec Endpoint Protection; you will find the uninstall string,

    something like

    MsiExec.exe /norestart /q /x{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D} REMOVE=ALL

    You need to use this as a cmd in your task sequence.

    Next will be the action after this cmd is run, so select reboot.

    The 3rd step would be to install your package; you can use the .exe, no issues with that.

    I'm not sure who is managing your SCCM. If you have any issues during this process please let me know, will get it fixed :)



  • 15.  RE: SEP Question regarding reinstall

    Broadcom Employee
    Posted Dec 08, 2015 10:03 AM

    Let me consult with our Backline team on this but provide me some time to get back to you.



  • 16.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 10:23 AM
    Thanks for the reply Chetan. This is the SepPrep.ini file I am using.

    [Settings]
    ShowGUI=N
    ShowMessageBox=N
    MessageBoxText=Prepairing your system for Symantec Endpoint Protection 11.0. During this process other antivirus products will be removed.\n\nIf you are prompted please fully remove these products.
    AutoRunAfterUILoads=N
    AskBeforeRemoval=N
    SilentMSIInstaller=Y
    RemoveSymantec=Y
    CheckDiskSpace=Y
    ResumeAfterReboot=Y
    EnableLogging=Y
    LogPath=C:\Users\Administrator\Desktop\t\
    RunBeforeRemoval=
    RunAfterRemoval=C:\Users\Administrator\Desktop\t\sep.exe

    [UninstallPaths]
    SOFTWARE\McAfee\ePolicy Orchestrator\Application Plugins

    [ProductNames]
    ;Programs that must be removed first
    Symantec Endpoint Protection


  • 17.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 12:30 PM

    Hi Rafeeq, thanks for the info. I checked in the registry and found this uninstall string for 12.1.6 MP3: {8A02B375-AA8C-422D-A230-D3E6BABFABB5}. I believe this is specific to this version only.

    Please correct me if I am wrong: we would have a different uninstall string for each version, i.e. 12.1.4, 12.1.5 and 12.1.6, right?

    Secondly, can you tell me about any value that I need to use in SepPrep.ini that will force the client not to reboot and to install the new package immediately after removing the old package?



  • 18.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 01:40 PM

    Yes you are correct it is version specific, here is the string for 12.1.5337.xxxx.xx

     

    MsiExec.exe /I{A5DCF955-5D4A-471D-8CB3-DCFDF5C5DEE7}

     

    Unfortunately you will need to restart the machine after uninstalling SEP; only then will you be allowed to reinstall SEP.
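Posts 14 and 18 point out that the uninstall string sits under the Uninstall registry key, is specific to each SEP version, and that a reboot is needed before reinstalling. The following is an added example, not code from any poster or from Symantec: it looks up the product code for whichever SEP build is installed and reports common Windows pending-reboot markers without changing anything. The function names and the list of reboot markers are assumptions; the thread does not say which marker the SEP installer checks.

```powershell
# Added example, read-only: nothing is uninstalled or modified.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit view
)

# Hypothetical helper: find MSI-registered SEP entries by display name,
# so the version-specific GUID is looked up rather than hard-coded.
function Get-SepUninstallEntry {
    param([string]$NamePattern = 'Symantec Endpoint Protection*')
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -notlike $NamePattern) { continue }
            # MSI products are keyed by their product-code GUID
            if ($key.PSChildName -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                ProductCode     = $key.PSChildName
                UninstallString = $p.UninstallString
            }
        }
    }
}

# Hypothetical helper: common Windows pending-reboot markers (assumed list).
function Test-PendingReboot {
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    $markers = @(
        [bool]$sm.PendingFileRenameOperations
        Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    return ($markers -contains $true)
}

$entries = @(Get-SepUninstallEntry)
$pending = Test-PendingReboot
if ($entries.Count -eq 0) {
    Write-Output "No SEP MSI entry found; pending reboot: $pending"
} else {
    $entries | Select-Object *, @{ Name = 'PendingReboot'; Expression = { $pending } }
}
```

Run from a 64-bit elevated PowerShell session; a task sequence can use the reported ProductCode and PendingReboot values to decide whether the install step may proceed.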



  • 19.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 02:21 PM

    Thanks for the reply Praveen; yes, I suspected that without a restart the new installation cannot be initiated.

    Secondly, if the machine is password protected I also think that it is difficult to remove the agent remotely via some batch file, MsiExec or even SepPrep. Perhaps you could shed some more light on this, but this is what I have heard from people.



  • 20.  RE: SEP Question regarding reinstall

    Posted Dec 08, 2015 10:12 PM

    Are these clients communicating to SEPM? In that case you can create a test group, move a few clients to that group and remove the password. Once it's done you can push the uninstall script.



  • 21.  RE: SEP Question regarding reinstall

    Posted Dec 09, 2015 12:00 AM
    Praveen, thanks for your reply. As I said above, we are importing groups from AD, so SEPM won't allow us to move clients within the groups or to a new test group. Secondly, after doing some research and reading I found out that if the client is password protected then, for some unexpected reason, neither MsiExec nor SepPrep can remove it, even if it's provided in the script. The password must be removed first in order for MsiExec and SepPrep to remove it. Is that correct?


  • 22.  RE: SEP Question regarding reinstall

    Posted Dec 09, 2015 02:01 AM

    No, that is not true. We had our team build a custom script which will stop the smc password and uninstall SEP. If you have a team which can do it, it will be great. And if that is not an option, why don't you try to target a set of PCs with Cleanwipe and then deploy SEP with SCCM?



  • 23.  RE: SEP Question regarding reinstall

    Posted Dec 09, 2015 02:23 AM

    Just an update on this: we deployed a new custom package with the setting remove existing settings and policies and reset client-server communication. For the feature set we also removed the Outlook scanner component and deployed it on clients via SCCM, but the client still rejected the package.

    Secondly, on one of the affected clients we manually uninstalled the software and installed a new package with the above-mentioned settings; however, when it was installed it became active for a few seconds and then only the SONAR component became disabled automatically in the user interface, don't know why. It is really strange.



  • 24.  RE: SEP Question regarding reinstall

    Posted Dec 09, 2015 02:36 AM

    I believe now the only solution that is left is to completely wipe out the existing corrupted installation, including registry entries, definitions and all settings. Once that is done, reboot the machine and perform a new installation.

    From where can I get a script like this for complete removal, for the wipe out via SCCM?

     

    Any help in this regard would be appreciated. Thanks



  • 25.  RE: SEP Question regarding reinstall

    Posted Dec 09, 2015 02:43 AM

    Praveen, I believe we cannot run and push Cleanwipe silently from SCCM on a large number of clients. Correct me if I am wrong, but Cleanwipe can still uninstall even if the agent is password protected?



  • 26.  RE: SEP Question regarding reinstall

    Posted Dec 09, 2015 04:06 AM

    Yes, it can remove it even if it's password protected.



  • 27.  RE: SEP Question regarding reinstall

    Posted Dec 09, 2015 04:21 AM

    I am not really sure about that part about silent push via SCCM, the older version of Cleanwipe was available in command line so it was possible. Cleanwipe will remove all the SEP traces from the machine even if its password protected.