I'd like to suggest a change for the Symantec EndPoint client. In short, I'd like to suggest that you support Microsoft's SysPrep Provider feature (
http://technet.microsoft.com/en-us/library/ee676646%28WS.10%29.aspx).
Supporting this feature would allow SysPrep to correctly remove the keys and files that Symantec suggests here (
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007110510364248) in an automated and orderly fashion. It would also allow Symantec to match the cleanup requirements to the currently installed client, since the provider can be updated as the cleanup requirements of the other client components change. This provides a much better solution for administrators going forward than googling symantec.com and hoping you have found the most current instructions.
If I were to spec this out, I would envision that Symantec's Sysprep provider would:
Cleanup phase:
Remove all log files
Remove all events
Empty the quarantine bin
Remove any old versions of virus definitions
(Optionally) remove current virus definitions
Generalize phase:
Remove all hardware id keys (registry and xml)
Specialize phase:
Create the new hardware id
Trigger an immediate LiveUpdate call to get both the latest program updates and definitions.
I'm tempted to write this myself as the basics of creating such a DLL are remarkably simple. However, doing this outside Symantec is impractical. In order to remove some of these keys/files, the related services must be shut down. I (like many administrators) have toggled the switch from "Allow tampering" to "Disable Tampering." As a result, shutting down those services is all but impossible. Presumably a Symantec-provided solution could resolve that problem.
Also (presumably) a Symantec solution would be more complete, since you would know where all the bodies (files, registry keys, etc) are buried.