matt.yukna

Symantec Cloud Removal Script?


Hello everyone,

 

Has anyone had any luck with scripting an uninstall for Symantec Cloud? The only things I can come up with are manually removing from add/remove programs and / or manually running Symantec removal tools (cleanwipe, cedar, etc). We have approx. 170 workstations we're cutting over from Symantec Cloud to ESET.

 

Alternately, was anyone @ AN2014, and if so, did anyone get a copy of the script the "automate like a rockstar" winner used to win the contest (AV removal / ESET rollout script).

 

Thank you!


Quick update - per Symantec support, there are no command-line switches for the Symantec Cloud removal software.

 

For anyone interested, here are instructions for obtaining an uninstall tool from Symantec that "can uninstall any AV." These steps are taken from an email they just sent:

 

-------------------------------------------------

 

I have reviewed the case description and would like to inform you that we do not have any command-line switches for running CEDAR but you can refer the given below tool.

 

This is a competitive uninstall tool from Symantec. It can uninstall any AV. Enterprise team supports this tool.

To download and use the SEPprep tool

1. Open a browser and go to: http://www.symantec.com/connect/downloads/sepprep.

2. Save SEPprep.zip and SEPprep.PDF to your desktop or your preferred download location.

3. Extract the SEPprep.zip file.

4. Read SEPprep.PDF to ensure that the program is configured to meet your requirements.

5. Modify the SEPprep.ini configuration file as necessary and then run either SEPprep.exe (32-bit) or SEPprep64.exe.

 

-------------------------------------------------

 

Thanks to anyone who took a look @ this post!


Were you able to get the SEPPREP to work for uninstalling Symantec.Cloud? I have over 300 installations throughout 20 different locations. I would love to get this automated as much as possible.

 

Thanks


I started looking at this SEPprep tool a little and noticed it uninstalled a couple that I tried, but on a test in Antivir for example since there is no Silent Uninstall option, it just pops up the GUI anyways. So this SEPprep tool won't work on non-silent uninstall apps I'm guessing...


So I have found a way to remove multiple agents via the Web UI for Symantec.Cloud. I wrote some instructions, but the site will not allow me to upload a PDF. Please private message me and I will email it to anyone who needs help with this.

 

Without the screen shots, here are the steps:

 

1. Log into the Web UI

2. At the top of the page, click on Computers

3. Click on Add Group

4. Create a Group name. This could be anything. I went with To Be Deleted

5. At the top, click on Computers to refresh the page, then click on the group you just created. Then on the right click on Move Computers.

6. In the Move Computers windows, click on the double arrow that points to the right and all of the computers you want to remove. Then click save.

7. Once you have confirmed all of the computers you want to remove are in the group, on the right hand side of the window, click Delete Group.

8. This will open a Delete Group window. Select “Uninstall all computers….” Then click Proceed.

 

The computers will be immediately removed from the Web UI, and in about 15-20 minutes, depending on the speed of the computer, internet, etc., the agents should be uninstalled. I recommend rebooting the computers after you have confirmed the uninstall has completed.

 

I hope this helps anyone who has run into a large deployment of agents and needs to remove a lot of installed agents without having to touch every computer.


Hey guys,

 

I needed to do this for symantec endpoint/corporate for ~200 machines myself. SEPprep did this silently. Are you sure you have the SEPprep.ini configured correctly?

 

How do I share my code with you? I exported it, but the forum doesn't allow me to attach it "The upload was rejected because the uploaded file was identified as a possible attack vector." nor can I paste it in here since it's too long.

 

Once shared:

- Make sure you change the location to point to your own SEPprep.exe/.ini on LTShare.

- I tried exporting it without an uninstall check I created. If it imports, just remove the lines.

How do I share my code with you? I exported it, but the forum doesn't allow me to attach it "The upload was rejected because the uploaded file was identified as a possible attack vector." nor can I paste it in here since it's too long.

 

Zip it first, then upload should do the trick.


I'm not sure I'm clearly following this thread, but I'm trying to find the least-bad way to remove Symantec.cloud Endpoint Protection from a large number of agents and hoping one of you in this thread found or devised a solution.

 

From my conversations with Symantec support I've learned:

- SEPPREP can be used to remove the software, but is NOT supported

- It is not possible to run CleanWipe, CEDAR, or any other removal tool (that will properly do the job) in a silent mode

 

I've also obtained from them their published procedures to manually remove the tools.

 

I reviewed the procedures they sent me, and it looks like it wouldn't be too difficult to script the removal procedure for the Symantec.cloud components.

 

BUT, the Endpoint (SEP) software removal procedure (http://www.symantec.com/business/support/index?page=content&id=TECH161956) looks tough:

 

1) Log on to the PC as Admin (I think this is easy, or done implicitly, when running scripts, right?)

2) back up the registry (assuming this is easy)

3) Interact with the SEP tray icon and turn off Tamper Protection (HOW MIGHT I DO THIS? Seems impossible to do from a script unless Symantec provided an API, and I'm not holding my breath.)

4) Stop the SEP services from autostarting via registry (assuming that's easy)

5) REBOOT

 

 

6) Remove the 'Teefer' driver (more registry entries, easy enough)

7) REBOOT (see above question about this)

8) An enormous amount of Registry entries to remove (tedious, but doable)

9) Look for reg entries with Symantec in them, in specific registry locations & delete those reg entries (HOW would I do this?)

10) Delete any reg entries with specific strings in them (again, HOW?)

11)

1. In the Windows registry editor, go to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\
2. Click Products to highlight it.
3. On the Edit menu, click Find.
4. Type Symantec Endpoint Protection.
5. Click Find Next.
6. A value appears in the right pane that includes the words Symantec Endpoint Protection, in a key named "InstallProperties". The "InstallProperties" key resides within another key whose name is a hexadecimal string. This hexadecimal string is the product GUID.
7. Use Edit > Find to search for any instances of the product GUID, and delete any registry values that contain it or have the string as the name.

(HOW?)

12) In two different Registry locations, remove 'SnacNp' from the NetworkProvider HwOrder list. (Script-speaking, I guess I'd need to read in a value, parse it, then replace it with the same value minus the 'SnacNp' bit? Can that be done?)

13) Delete another handful of values from a regkey. (DOABLE)

14) Rename some reg values. (DOABLE)

15) Delete another key. (DOABLE)

16) REBOOT into Safe Mode (Can this be done?)

17) Log on as Admin. (Asked about this above.)

18) Delete files & folders. (Easy)

19) Uncheck Read-Only on the EfaData folder and delete it & its contents. (How to change the attrib? Can I just use the DOS command in the script?)

20) Delete a bunch of files (easy)

21) For each file in C:\Windows\Installer, look at the Summary tab, and IF the file was created by Symantec, delete it. (HOW CAN I ID the creator of the file from my script?)

 

ANOTHER Section titled 'Remove the Teefer driver', with different steps:

22) As Admin, list & remove the Symantec drivers in the driver store using the 'pnputil' command. (Need to list the drivers to ID the Symantec drivers, then use a different arg on the command to remove the Symantec drivers, referencing them by their ID numbers. HOW could this be done via script?)

23) AGAIN, delete certain regkeys that have certain text strings in the names.

24) Delete any network adapters from Device Mgr with 'teefer' in them. (Can NICs be removed via script?)

25) Delete any NICs to which teefer was attached (HUH?)

26) REBOOT

 

(whew!) NOW, remove the Cloud components:

 

27) Delete services (cmd prompt as admin, presume easy)

28) Delete Symantec.cloud folders (easy)

29) REBOOT (again, how to continue post-reboot?)

30) Delete more files/folders (Easy)

31) Delete more regkeys (presumably Easy)

32) REBOOT

 

{Fin}

 

If I counted correctly, there are 6 REBOOTs in there.

 

I think my main stumbling blocks are:

1) How do I reboot and pick up where I left off?

2) How do I 'search for a string and act on reg keys with that string'?

3) How do I go into Safe Mode?

 

While writing this I considered using VB, or Powershell, instead of trying to do this via LT script, but I think I'd bump up against the EXACT same problems going those routes.

 

Has anybody solved this?

 

Thanks,

Steve


I think my main stumbling blocks are:

1) How do I reboot and pick up where I left off?

-- Looks like I can use the 'RunOnce' key in the registry, along with some sort of simple text file or regkey to bookmark my progress.

2) How do I 'search for a string and act on reg keys with that string'? (still need to figure this one out)

3) How do I go into Safe Mode? - there is a 'Reboot into Safe Mode' script function
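
The RunOnce-plus-bookmark idea from point 1, sketched in PowerShell as an added example that is not code from any poster in this thread. The `HKLM:\SOFTWARE\ExampleRemoval` bookmark key, the `ExampleRemovalResume` value name and the three placeholder stages are hypothetical; the real removal steps would replace the stage bodies.

```powershell
# Added example: run one stage per boot and resume after each restart. Run elevated.
$stateKey = 'HKLM:\SOFTWARE\ExampleRemoval'      # hypothetical bookmark location
$runOnce  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# Placeholder stages; each script block stands in for the steps between two reboots.
$stages = @(
    { Write-Output 'stage 0: stop services from autostarting' },
    { Write-Output 'stage 1: remove driver registry entries' },
    { Write-Output 'stage 2: delete files and folders' }
)

function Get-Stage {
    $v = Get-ItemProperty -Path $stateKey -Name Stage -ErrorAction SilentlyContinue
    if ($null -eq $v) { 0 } else { [int]$v.Stage }
}

function Set-Stage([int]$Number) {
    if (-not (Test-Path $stateKey)) { New-Item -Path $stateKey -Force | Out-Null }
    Set-ItemProperty -Path $stateKey -Name Stage -Value $Number -Type DWord
}

$stage = Get-Stage
if ($stage -lt $stages.Count) {
    & $stages[$stage]
    $stage++
    Set-Stage $stage      # bookmark before rebooting so a finished stage is never repeated
}

if ($stage -lt $stages.Count) {
    # A RunOnce entry is removed once it has run, so it is registered again on every pass.
    $cmd = "powershell.exe -NoProfile -File `"$PSCommandPath`""
    Set-ItemProperty -Path $runOnce -Name 'ExampleRemovalResume' -Value $cmd
    Restart-Computer -Force
} else {
    # All stages done: remove the bookmark so a later run starts from stage 0.
    Remove-Item -Path $stateKey -Recurse -ErrorAction SilentlyContinue
    Write-Output 'all stages complete'
}
```

RunOnce entries are processed at the next user logon rather than at boot, so on a machine where nobody logs on the script waits until someone does.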


1) Why not schedule a script for the future? i.e., run script with a 10 minute delay. Even if it takes longer than 10 minutes for a computer to restart, it is still scheduled and will run once the computer comes online.

 

With this I would consider 2 options. Run another script after 10 minutes, and just have multiple scripts for each step. Or pass a variable, and run the same script after 10 minute delay, and set up the script to jump to a certain spot depending on the variable's value.

 

2) I think you would have to rely on PowerShell or some other means for this. With LT you can check the value of a key, but I use PowerShell to search for keys.
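
A PowerShell sketch of the registry search discussed above, added here as an example and not taken from any poster's script. It covers step 11 (finding the hex-named key under `Products` by its `InstallProperties` display name), the "search for a string" stumbling block, and the read/parse/write-back of step 12; the function names, the `HKLM:\SOFTWARE\Classes\Installer` search root and the use of the standard Windows `NetworkProvider\HwOrder` and `NetworkProvider\Order` keys with their `ProviderOrder` value are assumptions to check against the vendor procedure.

```powershell
# Added example (not from the thread). Run elevated; reports only unless -Apply is passed.
param(
    [string]$NameFilter = 'Symantec Endpoint Protection',   # display name from step 11
    [switch]$Apply
)
$products = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'

# Literal, case-insensitive substring test (avoids wildcard surprises with -like).
function Test-Contains([string]$Text, [string]$Needle) {
    $Text.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0
}

# Step 11: find the hex-named key whose InstallProperties\DisplayName matches the filter.
function Find-ProductKey([string]$Root, [string]$Filter) {
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path "$($_.PSPath)\InstallProperties" -ErrorAction SilentlyContinue
        if (Test-Contains $props.DisplayName $Filter) {
            [pscustomobject]@{ Id = $_.PSChildName; DisplayName = $props.DisplayName }
        }
    }
}

# Stumbling block 2: list keys, value names and value data under $Root that contain $Needle.
function Find-RegistryString([string]$Root, [string]$Needle) {
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if (Test-Contains $key.PSChildName $Needle) { [pscustomobject]@{ Key = $key.Name; Match = '(key name)' } }
        foreach ($name in $key.GetValueNames()) {
            if ((Test-Contains $name $Needle) -or (Test-Contains ([string]$key.GetValue($name)) $Needle)) {
                [pscustomobject]@{ Key = $key.Name; Match = $name }
            }
        }
    }
}

# Step 12: drop one provider from the comma-separated ProviderOrder value and write it back.
function Remove-NetworkProvider([string]$KeyPath, [string]$Provider, [switch]$Apply) {
    $current = (Get-ItemProperty -Path $KeyPath -Name ProviderOrder -ErrorAction Stop).ProviderOrder
    $kept = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne $Provider })
    $new = $kept -join ','
    if ($Apply -and $new -ne $current) { Set-ItemProperty -Path $KeyPath -Name ProviderOrder -Value $new }
    [pscustomobject]@{ Key = $KeyPath; Before = $current; After = $new }
}

foreach ($p in Find-ProductKey $products $NameFilter) {
    "Product key $($p.Id): $($p.DisplayName)"
    Find-RegistryString 'HKLM:\SOFTWARE\Classes\Installer' $p.Id | Format-Table -AutoSize
}
foreach ($k in 'HwOrder', 'Order') {
    Remove-NetworkProvider "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\$k" 'SnacNp' -Apply:$Apply | Format-List
}
```

The search only reports matches; deleting anything it finds is left as a deliberate, reviewed step after the registry backup from step 2.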


I recently wrote a script that required a reboot. The way I did it was...

1	SHELL:  shutdown /r /t 0 /f and store the result in %shellresult%
2	Sleep 20 seconds
3	SET:  @LastContact@ = SQLRESULT[select LastContact from computers where computerid = %ComputerID%]
4	:WaitLoop - Label
5	   Sleep 15 seconds
6	   IF [sql select LastContact from computers where computerid = %ComputerID% ]  >  @LastContact@  THEN  Jump to line 8
7	   GOTO :WaitLoop

Not sure if this is an acceptable solution but it seems to work for my script.


Labtech continues to run scripts where it left off after a reboot from my experience.

Also from my experience, Symantec uninstall sucks.....

 

Trying to remove the cloud product here too and stumbled across this thread - did anyone get this solution to work within Labtech?

My goal was initially to remove from Labtech so I can control and automate the whole remove old product, install new one, but I think I can just get Labtech to do a search of machines that do not have symantec cloud on them (after they are removed from the web interface) and then launch the whole reboot/install new product script.


By removing the software on one of the computers and then checking the event logs I saw that the product code in my case was {735EF746-77A8-44E8-821F-4C77F038AA90} (Grab this from the Bytes option under Source=MsiInstaller, EventID= 11707).

 

So it was then a quick shell of

msiexec /uninstall {735EF746-77A8-44E8-821F-4C77F038AA90} /q /n /l "c:\temp\clouduninstall.txt"

and one (unanticipated) automatic reboot later, Cloud was removed from the computer.

 

However I then ended up with Symantec Endpoint protection on the machine running as a service with no user gui anywhere that I could see.

 

Fixed with another uninstall, this time with two uninstall commands and a reboot to clean up the Symantec endpoint service:

MsiExec.exe /x{A84E6630-FE81-4D1F-BBA0-4BFBCC1D9493} /q /n /l "c:\temp\sep2uninstall.txt" /REBOOT=REALLY_SUPPRESS

"C:\Program Files\Common Files\Symantec Shared\SEVINST.EXE" /U /Q

 

 

Followed by a clean up of the now manual Symantec.cloud Cloud agent.

sc delete ssspnav

sc delete sspaadm

 

rd /s "c:\program files\symantec"

rd /s "c:\program files\symantec.cloud"

 

That *should* be it from my testing.

I have not got around to scripting all that in Labtech......yet


Justdoitsj's method using the console and groups worked like a champ in my testing... likely the way to go for SEP.Cloud. All my tests either require multiple command line removals and reboots or fail miserably... their method uninstalled (albeit slightly less than silently) and didn't require a reboot.

So I have found a way to remove multiple agents via the Web UI for Symantec.Cloud. I wrote some instructions, but the site will not allow me to upload a PDF. Please private message me and I will email it to anyone who needs help with this.

 

Without the screen shots, here are the steps:

 

1. Log into the Web UI

2. At the top of the page, click on Computers

3. Click on Add Group

4. Create a Group name. This could be anything. I went with To Be Deleted

5. At the top, click on Computers to refresh the page, then click on the group you just created. Then on the right click on Move Computers.

6. In the Move Computers windows, click on the double arrow that points to the right and all of the computers you want to remove. Then click save.

7. Once you have confirmed all of the computers you want to remove are in the group, on the right hand side of the window, click Delete Group.

8. This will open a Delete Group window. Select “Uninstall all computers….” Then click Proceed.

 

The computers will be immediately removed from the Web UI, and in about 15-20 minutes, depending on the speed of the computer, internet, etc., the agents should be uninstalled. I recommend rebooting the computers after you have confirmed the uninstall has completed.

 

I hope this helps anyone who has run into a large deployment of agents and needs to remove a lot of installed agents without having to touch every computer.

 

You just saved me a ton of time today... Sorry to revive this old thread!


Here is the script that I wrote, it uses the CEDAR.exe tool to perform the removal. Just place CEDAR.exe in your transfer directory, point the script step to the correct URL, and run against whatever agents you need. I use this as part of my automated offboarding script, in which I just check an EDF in the client screen, they join a custom service plan, and all of our software is silently removed. Hope this helps.

Uninstall Symantec.zip
