Script to remove Symantec Cloud

[Joe Lusk 1]

Has anyone had any luck with this since the updates to Cloud Protection Agent. I had a script that ran SEPPrep.exe with the RemoveSymantec=Y option, but that no longer seems to work.  None of the msexec methods or wmi methods seem to work either.  Any ideas?

[SteveYates 8]

Do you mean SEPC (Endpoint Protection Cloud), vs. Symantec.cloud aka Small Business?  Per support one has to run the uninstaller manually, on the PC, and the help doc that says one can do it from the portal is incorrect.

Would really like a way to remotely uninstall, because of: https://www.symantec.com/connect/forums/no-alerts-invalid-licensesdisabled-antivirus

[Joe Lusk 1]

You are correct, that is the version and we have found the same things.  Looks like manual is the only way by design.

[HickBoy 4]

I've hacked one together that works fairly well (albeit not an officially supported uninstall method from Symantec).  We use this as a last resort when the official ways to remove does not work...  This uses CEDAR from Symantec to clean the agent from the system.  I do some other stuff such as pre-removing the registry values that usually stop Symantec from uninstalling when it complains about pending actions.  I do this via an embeded batch file called from the LabTech Script:

:: 04/02/2019
:: Clears PendingFileRenameOperations Registry Key to allow Symantec AntiVirus to Uninstall

:: Delete Key
REG Delete "HKEY_LOCAL_MACHINE\System\currentcontrolset\control\session manager" /v PendingFileRenameOperations /f 2> nul

Here's the two important parts of the script (NOTE: The -silent is case sensitive and undocumented).

Let me know if you want the full thing and I will clean it up and export it.

[Joe Lusk 1]

@HickBoy

I would love an export. I managed to get something working using AutoIT, but it is less than perfect and requires a user to be logged on.  This looks much better.  Thanks in advance. I am actually most curious about the pre-removal operations. Are you doing more than you identified there?

Edited April 22, 2019 by Joe Lusk

[EOpronet 1]

I have a working one, but it relies on Revo Pro Portable. Happy to share if anyone would find it useful. 

[Joe Lusk 1]

@EOpronet

Sure, might be worth the purchase if it works. Thanks

[EOpronet 1]

Here you go. Lines 12 & 17 need to be edited to reflect the full path to the Revo archive and unzip.exe in your Transfer directory

Revo - Uninstall Symantec Cloud.xml

[DaysOfNoah 0]

@HickBoy Looks good.  I'd love to get a copy of your script.  Does CEDAR perform a reboot, or can you run this more transparently in the background?  Thanks!

[mnewman 0]

@HickBoy
@DaysOfNoah was this script shared?

looking to remove this as well.

Edited October 8, 2019 by mnewman
mistake

[HickBoy 4]

On 10/8/2019 at 1:36 PM, mnewman said:

@HickBoy
@DaysOfNoah was this script shared?

looking to remove this as well.

Sorry, did not realize I did not upload it.  It's attached and you will find it at AntiVirus > Symantec > Remove Symantec.Cloud
We use it to Remove Symantec.Cloud and Symantec Endpoint Protection Cloud Small Business Edition.

The script does the following:

1. Downloads the latest CEDAR from Symantec.
2. Clears the PendingFileRenameOperations registry key that loves to stop Symantec Installs/Uninstalls in their tracks.
3. Runs the CEDAR command silently (UNDOCUMENTED -silent command line).
4. Uploads the CEDAR log to the Automate server.
5. Resends software configs.
6. Emails tech who ran script if uninstalls fails with the CEDAR log.

NOTE: The script is not perfect.

There's two failures that seem to crop up:

FAILURE #1:
Script will fail if Symantec Endpoint was in the weird upgrade phase where the new Cloud or Endpoint version was downloaded and was set to upgrade via the RunOnce style registry update.  What ends up happening is that you uninstall Symantec and the next reboot it reinstalls because the CEDAR does not clear the new install key.  I've not figure out a good workaround for this.

FAILURE #2:
If Symantec is already corrupted (i.e. two versions made it onto the machine) the script may or may not clean up the corrupted versions.  You may end up with Symantec still showing as installed or launching upon subsequent reboots.  If that happens, it's on to the manual clean method: https://support.symantec.com/us/en/article.tech213385.html

Hope this is useful for someone...

S

 

Remove Symantec.Cloud.xml

[HickBoy 4]

Here's a printout of the code if anyone is interested:

[kleissen 0]

Bringing this back. Has anyone had any luck removing "Symantec Endpoint Protection Cloud" The cedar.exe application does not seem to pickup on this product. 
I Have also used "(Get-WmiObject -Class Win32_Product -Filter "Name='Symantec Endpoint Protection'" -ComputerName . ).Uninstall()" in powershell which works most of the times with on prem and small business versions. However not luck when targeting  "Symantec Endpoint Protection Cloud". Main reason why I think it doesn't work is that win32 seems to only pick up applications that were installed using widows installer. If you use this command on its one "Symantec Endpoint Protection Cloud" does not show up on the list and it doesnt come up using wmi either. 

Current install method we are using is done via command line using their "" integration package which has a package creator then installs using a command with a token generated from the portal. 
"C:\Users\Public\Downloads\SEPCloud\SEPCloud_Package\SEPC_install.exe" /CC_TOKEN "@Token@" /silent /smart_restart 1

So far the only cleaning application that seems to remove it correctly is NRNR.exe from symantec however. No way to run it silently. 

[SteveYates 8]

The PowerShell I'm guessing calls the uninstaller command line in the registry, and most of those stop at a prompt for the user, meaning, they don't run silently.  MSI installs can normally be uninstalled via msiexec /x /qn.

We had come from SEP SBE, and found the SBE agent was left installed on the PC a good portion of the time even when deleted from the SBE portal.  We ended up connecting in to each PC manually to uninstall them both (SBE agent first), then restart, and then could install Bitdefender remotely via that solution/plugin.  Ugh, so glad we're not going through this new migration now that SEPC is going away.

[kleissen 0]

44 minutes ago, SteveYates said:

The PowerShell I'm guessing calls the uninstaller command line in the registry, and most of those stop at a prompt for the user, meaning, they don't run silently.  MSI installs can normally be uninstalled via msiexec /x /qn.

We had come from SEP SBE, and found the SBE agent was left installed on the PC a good portion of the time even when deleted from the SBE portal.  We ended up connecting in to each PC manually to uninstall them both (SBE agent first), then restart, and then could install Bitdefender remotely via that solution/plugin.  Ugh, so glad we're not going through this new migration now that SEPC is going away.

 

Right, and the uninstall string is as follow. 
"C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SCS\562C4DD5\22.20.2.57\InstStub.exe" /X /ARP
This one will have a pop up screen that will ask if you want to uninstall completely or leave current config. 

 

 

[GeorgeWKush 0]

Were using SEP Small Business edition and also have the same issue. The Main AV engine is easy to uninstall silently. Just use the following command in Powershell:

 

get-wmiobject Win32_Product | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

 

This will generate the GUID for the AVEngine. We then run the following in a batch file:

 

msiexec.exe /x {4C89867B-2E80-4B0D-87DB-1BD643D5EF5D} /QN SYMREBOOT=ReallySuppress

 

The issue is removing the Cloud agent. If you run the following command it WILL remove it silently BUT you need to have the Cloud Agent and Scheduler services STOPPED:

 

msiexec.exe /x {4C89867B-2E80-4B0D-87DB-1BD643D5EF5D} /QN SYMREBOOT=ReallySuppress

 

If you run this command with the services running it will corrupt the program. So in order for this to work(I've been testing on a machine), you need to set the 'Startup Type' for these 2 services to either Disabled or Manual, then reboot the machine so the services are not running. Trying to find a way to uninstall this product without having to reboot or messing with services.

 

 

Edited April 28 by GeorgeWKush

[GeorgeWKush 0]

Were using SEP Small Business edition and also have the same issue. The Main AV engine is easy to uninstall silently. Just use the following command in Powershell:

 

get-wmiobject Win32_Product | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

 

This will generate the GUID for the AVEngine. We then run the following in a batch file:

 

msiexec.exe /x {4C89867B-2E80-4B0D-87DB-1BD643D5EF5D} /QN SYMREBOOT=ReallySuppress

 

The issue is removing the Cloud agent. If you run the following command it WILL remove it silently BUT you need to have the Cloud Agent and Scheduler services STOPPED:

 

msiexec.exe /x {4C89867B-2E80-4B0D-87DB-1BD643D5EF5D} /QN SYMREBOOT=ReallySuppress

 

If you run this command with the services running it will corrupt the program. So in order for this to work(I've been testing on a machine), you need to set the 'Startup Type' for these 2 services to either Disabled or Manual, then reboot the machine so the services are not running. Trying to find a way to uninstall this product without having to reboot or messing with the services.

 

I really don't want to have to uninstall this manually as we have too many machines.

 

 

Edited April 28 by GeorgeWKush