Jump to content
Joe Lusk

Script to remove Symantec Cloud

Recommended Posts

Has anyone had any luck with this since the updates to Cloud Protection Agent. I had a script that ran SEPPrep.exe with the RemoveSymantec=Y option, but that no longer seems to work.  None of the msexec methods or wmi methods seem to work either.  Any ideas?

Share this post


Link to post
Share on other sites

I've hacked one together that works fairly well (albeit not an officially supported uninstall method from Symantec).  We use this as a last resort when the official ways to remove does not work...  This uses CEDAR from Symantec to clean the agent from the system.  I do some other stuff such as pre-removing the registry values that usually stop Symantec from uninstalling when it complains about pending actions.  I do this via an embeded batch file called from the LabTech Script:

:: 04/02/2019
:: Clears PendingFileRenameOperations Registry Key to allow Symantec AntiVirus to Uninstall

:: Delete Key
REG Delete "HKEY_LOCAL_MACHINE\System\currentcontrolset\control\session manager" /v PendingFileRenameOperations /f 2> nul

Here's the two important parts of the script (NOTE: The -silent is case sensitive and undocumented).

image.png.c3c4ce462cfbef6da0e263ed8944b9bc.png

image.png.a2934a39cf3518909254d38aa15e5057.png

Let me know if you want the full thing and I will clean it up and export it.

  • Like 1

Share this post


Link to post
Share on other sites

@HickBoy

I would love an export. I managed to get something working using AutoIT, but it is less than perfect and requires a user to be logged on.  This looks much better.  Thanks in advance. I am actually most curious about the pre-removal operations. Are you doing more than you identified there?

Edited by Joe Lusk

Share this post


Link to post
Share on other sites
On 10/8/2019 at 1:36 PM, mnewman said:

@HickBoy
@DaysOfNoah was this script shared?

looking to remove this as well.

Sorry, did not realize I did not upload it.  It's attached and you will find it at AntiVirus > Symantec > Remove Symantec.Cloud
We use it to Remove Symantec.Cloud and Symantec Endpoint Protection Cloud Small Business Edition.

The script does the following:

  1. Downloads the latest CEDAR from Symantec.
  2. Clears the PendingFileRenameOperations registry key that loves to stop Symantec Installs/Uninstalls in their tracks.
  3. Runs the CEDAR command silently (UNDOCUMENTED -silent command line).
  4. Uploads the CEDAR log to the Automate server.
  5. Resends software configs.
  6. Emails tech who ran script if uninstalls fails with the CEDAR log.

NOTE: The script is not perfect.

There's two failures that seem to crop up:

FAILURE #1:
Script will fail if Symantec Endpoint was in the weird upgrade phase where the new Cloud or Endpoint version was downloaded and was set to upgrade via the RunOnce style registry update.  What ends up happening is that you uninstall Symantec and the next reboot it reinstalls because the CEDAR does not clear the new install key.  I've not figure out a good workaround for this.

FAILURE #2:
If Symantec is already corrupted (i.e. two versions made it onto the machine) the script may or may not clean up the corrupted versions.  You may end up with Symantec still showing as installed or launching upon subsequent reboots.  If that happens, it's on to the manual clean method: https://support.symantec.com/us/en/article.tech213385.html

Hope this is useful for someone...

S

 

Remove Symantec.Cloud.xml

Share this post


Link to post
Share on other sites

Bringing this back. Has anyone had any luck removing "Symantec Endpoint Protection Cloud" The cedar.exe application does not seem to pickup on this product. 
I Have also used "(Get-WmiObject -Class Win32_Product -Filter "Name='Symantec Endpoint Protection'" -ComputerName . ).Uninstall()" in powershell which works most of the times with on prem and small business versions. However not luck when targeting  "Symantec Endpoint Protection Cloud". Main reason why I think it doesn't work is that win32 seems to only pick up applications that were installed using widows installer. If you use this command on its one "Symantec Endpoint Protection Cloud" does not show up on the list and it doesnt come up using wmi either. 

Current install method we are using is done via command line using their "" integration package which has a package creator then installs using a command with a token generated from the portal. 
"C:\Users\Public\Downloads\SEPCloud\SEPCloud_Package\SEPC_install.exe" /CC_TOKEN "@Token@" /silent /smart_restart 1

So far the only cleaning application that seems to remove it correctly is NRNR.exe from symantec however. No way to run it silently. 

Share this post


Link to post
Share on other sites

The PowerShell I'm guessing calls the uninstaller command line in the registry, and most of those stop at a prompt for the user, meaning, they don't run silently.  MSI installs can normally be uninstalled via msiexec /x /qn.

We had come from SEP SBE, and found the SBE agent was left installed on the PC a good portion of the time even when deleted from the SBE portal.  We ended up connecting in to each PC manually to uninstall them both (SBE agent first), then restart, and then could install Bitdefender remotely via that solution/plugin.  Ugh, so glad we're not going through this new migration now that SEPC is going away.

Share this post


Link to post
Share on other sites
44 minutes ago, SteveYates said:

The PowerShell I'm guessing calls the uninstaller command line in the registry, and most of those stop at a prompt for the user, meaning, they don't run silently.  MSI installs can normally be uninstalled via msiexec /x /qn.

We had come from SEP SBE, and found the SBE agent was left installed on the PC a good portion of the time even when deleted from the SBE portal.  We ended up connecting in to each PC manually to uninstall them both (SBE agent first), then restart, and then could install Bitdefender remotely via that solution/plugin.  Ugh, so glad we're not going through this new migration now that SEPC is going away.

 

Right, and the uninstall string is as follow. 
"C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SCS\562C4DD5\22.20.2.57\InstStub.exe" /X /ARP
This one will have a pop up screen that will ask if you want to uninstall completely or leave current config. 

 

 

  • Sad 1

Share this post


Link to post
Share on other sites
Posted (edited)

Were using SEP Small Business edition and also have the same issue. The Main AV engine is easy to uninstall silently. Just use the following command in Powershell:

 

get-wmiobject Win32_Product | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

 

This will generate the GUID for the AVEngine. We then run the following in a batch file:

 

msiexec.exe /x {4C89867B-2E80-4B0D-87DB-1BD643D5EF5D} /QN SYMREBOOT=ReallySuppress

 

The issue is removing the Cloud agent. If you run the following command it WILL remove it silently BUT you need to have the Cloud Agent and Scheduler services STOPPED:

 

msiexec.exe /x {4C89867B-2E80-4B0D-87DB-1BD643D5EF5D} /QN SYMREBOOT=ReallySuppress

 

If you run this command with the services running it will corrupt the program. So in order for this to work(I've been testing on a machine), you need to set the 'Startup Type' for these 2 services to either Disabled or Manual, then reboot the machine so the services are not running. Trying to find a way to uninstall this product without having to reboot or messing with services.

 

 

Edited by GeorgeWKush

Share this post


Link to post
Share on other sites
Posted (edited)

Were using SEP Small Business edition and also have the same issue. The Main AV engine is easy to uninstall silently. Just use the following command in Powershell:

 

get-wmiobject Win32_Product | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

 

This will generate the GUID for the AVEngine. We then run the following in a batch file:

 

msiexec.exe /x {4C89867B-2E80-4B0D-87DB-1BD643D5EF5D} /QN SYMREBOOT=ReallySuppress

 

The issue is removing the Cloud agent. If you run the following command it WILL remove it silently BUT you need to have the Cloud Agent and Scheduler services STOPPED:

 

msiexec.exe /x {4C89867B-2E80-4B0D-87DB-1BD643D5EF5D} /QN SYMREBOOT=ReallySuppress

 

If you run this command with the services running it will corrupt the program. So in order for this to work(I've been testing on a machine), you need to set the 'Startup Type' for these 2 services to either Disabled or Manual, then reboot the machine so the services are not running. Trying to find a way to uninstall this product without having to reboot or messing with the services.

 

I really don't want to have to uninstall this manually as we have too many machines.

 

 

Edited by GeorgeWKush

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...