
Uninstall SEP through SEPM

Created: 11 Nov 2010 • Updated: 12 Nov 2010 | 12 comments
This issue has been solved. See solution.

Hi All,

I've seen many threads about this and so far none of the answers can help me.

I'm in a bit of a weird situation. We use SEPM to manage the AV for multiple customers. It works very well, I simply edit the sylink to talk back to a server in our DMZ and make the changes on the customer's firewall. All good.

However one of our customers has left and all access to their domain has been removed. Some of their endpoints are still checking in and I need a way to uninstall them, or at least stop them from checking into us.

I've disabled the various components and set a live update policy to get its updates from http://255.255.255.255. What I need is a way to either uninstall the application through the management console (which I don't think we'll ever see) or a way to edit the sylink file.

Any ideas?


Rafeeq

As of now you cannot uninstall them from SEPM.

You can make them not talk to your SEPM.

Make those clients unmanaged clients using SylinkDrop.

Here is the tool:

https://www-secure.symantec.com/connect/downloads/sylinkreplacer-tool-connecting-sep-clients-sepm

Use the sylink from CD1 of the SEPM folder; it will make them unmanaged so that they won't check in.

Or else

make the communication mode pull with a very long interval:

SEPM > Clients > Policies > Communication Settings; set it to pull mode with a very long interval.

James-x

If I were you, I wouldn't settle for changing policies to lessen communication between their clients and your server. I would want the communication completely cut off.

In addition to this, I also would not want to make any changes to their environment by modifying SEPM policies because you are no longer authorized to do so.

If you contact them and they are unwilling to uninstall the SEP product from their environment (or take steps to ensure that it no longer communicates with your SEPM), then I would block all traffic to/from their IP address(es) at your perimeter firewall.

Regards,

James

The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!

SOLUTION
Vikram Kumar-SAV to SEP

You can block the clients or IP range from connecting to SEPM from SEPM > Admin > Servers > Local Site > Servername > Properties.

You can block the range of IP addresses used for this client.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

James-x

It would be more appropriate to block the ex-customer's public-facing class-A IP address than it would be to try to block the range of IP addresses that the ex-customer's SEP clients use.

This should not be done by the Symantec Endpoint Protection product. The original poster should use his network's perimeter firewall to do this.

Regards,

James


kromine-123

Do you have the host integrity component on your system? It's an option (SNAC) you would have had to purchase separately.

If so, you can create a rule that will execute the uninstall process for clients that meet whatever criteria you select or simply apply it to the groups where those clients reside.

I've used it to uninstall software or apply sylinks to move clients from different SEP domains. I can provide more details if you have that feature.

Kev

==========================
Kev Romine
Interpublic Group

James-x

It would seem that the original poster no longer has permission from his client to make changes to his network. As such, I'm not sure he should do anything except sever communication.

Regards,

James


Mithun Sanghavi

Hello,

Have you heard of the Symantec Endpoint Protection Integration Component? This comes along with the Symantec Endpoint Protection DVD.

Uninstalling antivirus software remotely

You can use the Symantec Management Platform to uninstall existing antivirus software on the computers that you specify.

To uninstall antivirus software remotely

  1. In the Symantec Management Console, on the Manage menu, click Jobs and Tasks.
  2. In the left pane, click Jobs and Tasks > System Jobs and Tasks > Symantec Endpoint Protection Management, right-click, and click New > Job or Task.
  3. On the Create New Task page, in the left pane, click Symantec Endpoint Protection Management > Uninstall Antivirus.
  4. On the Create New Task page, name the task.
  5. Click OK.
  6. In the left pane, click Jobs and Tasks > System Jobs and Tasks > Symantec Endpoint Protection Management, and then click your task.
  7. In the right pane, click New Schedule to schedule the task and to define the computers that you want to run the antivirus inventory task on. For more information, see topics about using tasks in the Symantec Management Platform Help.
  8. In the New Schedule page, click Schedule.

The status of your task is displayed under Task Status.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

zer0

The most responsible way is to let them know how to reconfigure their SEP clients so that they are either managed internally, or are unmanaged but still getting updates from the internet. You really shouldn't cut them off without ensuring they are still being protected.

If you can change your firewall policy to block their public facing IP address that is going to be easiest.

Then I would just set a policy that turns off the communication back to the SEP Manager. Go to the group > communication settings and then untick the option that tells the clients to contact the management server at the very top right under the Management server list.

The next time a client checks in it will get the new comms settings and then never talk to the SEPM ever again!

Hope that helps...

mon_raralio

I agree with James-x on this one.

Change the SEPM policy for their group so that they won't be reporting back to your SEPM for logs and updates. Maybe disable their NTP policies that concern you.

Then cut them off by changing the rules on the firewall appliance.

Much easier.

“Your most unhappy customers are your greatest source of learning.”

Manish@symantec

The simplest of all.

  1. In AD, deposit all those clients (on which we need to uninstall SEP) in one single OU.
  2. Assign a software deployment policy in AD, wherein you may use the Cleanwipe utility to execute the uninstallation of SEP.

NOTE: Cleanwipe is not a Symantec-developed tool. Hence, disclaimer applied.

Regards,
  MG

cloinsigh

Thanks everyone,

I think the only legal option I have is to go with James-x. If I use any method to uninstall the endpoint and it caused something to go wrong on users' machines then we'd have a lot of legal questions to answer. The chances are slim but it's not worth it.

I guess blocking the IP on the firewall is probably the best route to take.

Mithun,

That looks like a very useful method. I'm managing nearly 2000 endpoints in a very complex setup (86 different domains across 120 locations) with more coming online every day and the more tools I can integrate into SEPM the better.

Thanks again everyone,

cloinsigh

Hi Mithun,

Do you know if there is a 64-bit version of the Symantec Endpoint Protection Integration Component?

Thanks

Conor