Endpoint Protection


Downgrading SEP 12 to SEP 11 remotely (enterprise solution windows 7 and server 2008 only, PS needed)

  • 1.  Downgrading SEP 12 to SEP 11 remotely (enterprise solution windows 7 and server 2008 only, PS needed)

    Posted Dec 07, 2011 10:39 AM

    Just wanted to give the community a little help here.  This is going to be a long post, but if you are trying to downgrade (or you can use this for an upgrade) it is VERY helpful.

     

    Backstory:  I was trying to find a good way to downgrade to SEP 11 remotely because I was not very happy with SEP 12.   I had a lot of clients that had this installed and I really did not want to downgrade every single system manually.  The other thing that I needed was to be able to prevent any viruses from being able to attack the system while I was downgrading.  Finally, I wanted a single EXE that I could push to new clients for an install if need be.  I tried to use the EXEs that come with SEPM and I tried to use the Symantec product SEP Prep, which is supposed to uninstall any antivirus product, but it also did not seem to work very well.

     

    First things first:  All of my systems are running either Windows 7 or Server 2008 R2, so this will not work for you 2003 or XP users unless PowerShell is installed.  So let me map out my idea for you of what I needed to do:

     

    1.  Push a SINGLE EXE to entire domains
    2. Put in a firewall rule that allows ONLY me to talk to that pc. This will give you some downtime on the system, but will also keep the system safe if you have virus activity on the network while you reinstall.
    3. Uninstall SEP 12, (or any other SEP product this will work for)
    4. Restart Computer
    5. Start Install of SEP 11
    6. Wait for install to finish and Delete the firewall rule

     

    OK so now we start the actual process.  First thing I did was export my install package of SEP 11 (DO NOT export as a single EXE.  You will need the entire install folder)

    If you want you can update the virus Def prior to doing this.  To update the def you need to update the vdefhub folder in the install package that you just exported from SEPM.  If you need to know how to do this please ask and I will find a post that explains it. 

    Next, working with the folder that actually holds the files (probably called Symantec Endpoint Protection 11 or something like that).  Rename that file as SymantecIns.  Send that entire folder to a zip file.  After you have that zipped file, open it up in WinRAR (there may be ways to do this without downloading WinRAR but I only know WinRAR).  When you do that there is a button all the way to the right that says SFX.  This is a self executing zip.  Press that button and it should turn your zip file into a new EXE file.

     

     

     

    So here is where your scripting starts.  Please if you are not familiar with powershell feel completely free to ask me questions, but you are going to have to have some kind of background in scripting.

     

    We are going to want to package that EXE with a few powershell scripts to do what we want to do. 

    I have attached a zip file to this post with 2 scripts in it.  For right now you need the Import-Firewall Script (courtesy of Jason Fossen from sans.org).  This script is for the Firewall Rule.  You can read through this script if you want, but you need to do NO editing to this script for this purpose.

    Next, you need to make a text file that is the range of all IP addresses except the range that you want the system to access.  For example:  if my computer is IP address 192.168.2.2 (the computer I am going to push this exe from)  I would make a text file with the following in it:

    1.0.0.0-192.168.2.1

    192.168.2.3-255.255.255.255

    Save that file as iptoblock.txt

    Now start a new PowerShell script.  I use PowerGUI to build my scripts but you can use whatever you want.  The script should be something like this:

     

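    # Block everything except the pushing machine (ranges listed in iptoblock.txt)
    ./import-firewall-blocklist.ps1 -inputfile ./iptoblock.txt

    # Copy the second package for later use; create c:\temp if it is missing
    $Source = ".\sepinstall.exe"
    $Target = "c:\temp\Sepinstall.exe"
    if (-not (Test-Path "c:\temp")) { New-Item -ItemType Directory -Path "c:\temp" | Out-Null }
    copy-item "$Source" "$Target"

    Start-Sleep -seconds 5

    # Uninstall the SEP client, if one is found under this product name
    $app = Get-WmiObject win32_product -Filter "Name='Symantec Endpoint Protection'"
    if ($app) { $app.Uninstall() }

    Start-Sleep -Seconds 10

    Restart-Computer -Force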

    I will explain the reason for the copy item in a second.  The rest of this script does this:

    1. Enables the firewall rule so that the System can ONLY talk to your pc
    2. Copies some information for later use
    3. Uninstalls Symantec
    4. Forces a restart

     

    Save that script as SEPInstall1.PS1

     

    Next Script,

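    # Run the SEP 11 installer from the extracted SymantecIns folder
    iex ".\SymantecIns\setup.exe"

    Start-Sleep -Seconds 10

    # Block until setup.exe has exited
    Wait-Process -Name setup

    Start-Sleep -Seconds 100

    # Remove the temporary block rule created by import-firewall-blocklist.ps1
    netsh advfirewall firewall delete rule name="iptoblock-#001"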
     

    Save this script as SEPInstall2.PS2


    This script will kick off the install of SEP and wait for it to finish, then delete your firewall rule so that the computer that is getting installed can talk to everything again.
     

    OK, now let's start packaging!

    Start -> Run -> iexpress.  If you are not familiar, iexpress packages your items as a single EXE.

    Just hit Next, Next, Name the Package title whatever you want, Next, Next

    HERE is where you will put the files you want to package.  In THIS package you will want your Symantec EXE that you made.  If you followed my earlier instructions it should be called SymantecINS.exe.  You will also want to include SEPInstall2.PS2.  Hit Next, Under install program to launch you want this:  SymantecIns.exe -s -d .\      In the post install command you will want:       powershell ".\SEPinstall2.ps1"         Then hit Next

    Show window I use Hidden then Next, Finished Message No message then Next, Save this package as sepinstall.exe AND MAKE SURE you check the box store files using long file name inside package.  then Next, No restart then Next, Save this file if you want this is just the config file for iexpress, then Next and Finish.  This process should give you ONE exe named sepinstall.exe.

     

    NOWWWW, We should have 1 exe bundled with 1 powershell script.  Now we need to do it again!   Go back into iexpress and do the same thing as before up to where you put in the packages to install.  This time you want to include SEPinstall1.ps1, sepinstall.exe (that you just made), the attached powershell script (import-firewall-blocklist.ps1), and the text file that you made named iptoblock.txt.  Then follow the same commands as the above step and name it SEP.exe. 

     

    OK, so far you have just about everything you need to make this happen.  You have one single EXE that when initiated properly will enable a firewall rule, uninstall SEP, Restart, Install EXE, and then delete the firewall rule.  The only thing we need now is a script to kick this all off. In this zip that is attached my script is the SymantecPusher.ps1 script. 

    You WILL need to do some editing to this script.  Check it out and check out the commented sections.  If you have any questions please post here and I will be happy to respond.

     

     

    I had done this a few different ways, including completely shutting off the NIC to do the install, but this method seems to be foolproof for me.  If you have any questions, comments, concerns please post them here.  I THINK I included everything, but if I didn't just let me know.  I hope this is useful to SOMEONE.  I know it is long and involved but if you spend the time to make this once, you can use it for Upgrades, Downgrades or any other programs other than Symantec!  Good luck all.

     

     

     

     

    Attachment(s)

    zip
    Scripts.zip   3 KB 1 version
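
Added example (not part of the original post or the attached Scripts.zip): the iptoblock.txt ranges from post 1 can be generated instead of typed by hand, which avoids an off-by-one that would either block the pushing machine or leave a neighbouring address unblocked. It generalizes the post's single-address case to several allowed addresses; all function names are hypothetical, and it assumes IPv4 and a little-endian host.

```powershell
# Added example, not from the post or Scripts.zip; function names are hypothetical.
# Assumes IPv4 and a little-endian host (true for x86/x64 Windows).

function ConvertTo-UInt32([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 only: $Ip" }
    [Array]::Reverse($bytes)                 # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-DottedQuad([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    $bytes -join '.'
}

function Format-Range([long]$From, [long]$To) {
    # A one-address gap is written as a single address instead of a range
    if ($From -eq $To) { return ConvertTo-DottedQuad $From }
    '{0}-{1}' -f (ConvertTo-DottedQuad $From), (ConvertTo-DottedQuad $To)
}

function Get-BlockRange {
    param(
        [Parameter(Mandatory = $true)][string[]]$Allow,
        [string]$First = '1.0.0.0',          # same bounds as the post's example
        [string]$Last  = '255.255.255.255'
    )
    $cursor = [long](ConvertTo-UInt32 $First)
    $end    = [long](ConvertTo-UInt32 $Last)
    $keep   = $Allow | ForEach-Object { [long](ConvertTo-UInt32 $_) } | Sort-Object -Unique
    foreach ($ip in $keep) {
        if ($ip -lt $cursor -or $ip -gt $end) { continue }   # outside remaining span
        if ($ip -gt $cursor) { Format-Range $cursor ($ip - 1) }
        $cursor = $ip + 1                    # resume just past the allowed address
    }
    if ($cursor -le $end) { Format-Range $cursor $end }
}

# Constructed sample: the pushing machine from the post plus a second admin host.
Get-BlockRange -Allow '192.168.2.2', '192.168.2.3' | Set-Content .\iptoblock.txt
```

Review the generated file before packaging it: every address not listed in `-Allow` is cut off from the client until the rule is deleted at the end of the second script.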


  • 2.  RE: Downgrading SEP 12 to SEP 11 remotely (enterprise solution windows 7 and server 2008 only, PS needed)

    Posted Dec 13, 2011 03:07 AM

    Hello,

    Why don't you create an article about that? ;)

    Regards,

    Marius



  • 3.  RE: Downgrading SEP 12 to SEP 11 remotely (enterprise solution windows 7 and server 2008 only, PS needed)

    Posted Dec 13, 2011 07:11 AM

    Submit it in Ideas forums first to understand how many people like the same. :-)



  • 4.  RE: Downgrading SEP 12 to SEP 11 remotely (enterprise solution windows 7 and server 2008 only, PS needed)

    Posted Dec 13, 2011 07:20 AM

    Didn't know that rule - my mistake, sorry! :-(



  • 5.  RE: Downgrading SEP 12 to SEP 11 remotely (enterprise solution windows 7 and server 2008 only, PS needed)

    Posted Dec 13, 2011 07:22 AM

    Not a rule.. but a suggestion.



  • 6.  RE: Downgrading SEP 12 to SEP 11 remotely (enterprise solution windows 7 and server 2008 only, PS needed)

    Posted Dec 13, 2011 01:34 PM

    OK, I will. It is waiting to be published as an article, but I have been waiting for a while and it hasn't been published for some reason.  I will post it to the Ideas forum now.