Endpoint Protection

  • 1.  SEP uninstall via Host Integrity policy won't execute requirement

    Posted Dec 07, 2021 08:08 AM
    Hello everyone,
    Perhaps someone more experienced than me might assist a bit. I'm at the point where I don't understand why the requirement I've added to a Host Integrity policy doesn't run/execute on the target machine.
    The target machine is a win srv 2016 standard with SEP 14.3 RU1 MP1 - 14.3.3582.1100.
    I've assigned the HI policy. The policy contains the requirement to check for the OS and run a program, which in my case I'd like to be:
    msiexec /x {629388F2-A011-4F5C-A6BF-98A80A25317C} /q /forcerestart
    The policy is applied to the agent, but the agent doesn't start the uninstall process and I don't understand why.

    If someone can help me with some info, I'd be grateful.

    Thx,
    Calin


  • 2.  RE: SEP uninstall via Host Integrity policy won't execute requirement

    Posted Dec 07, 2021 08:11 AM
    Edited by Calin_Olariu Dec 07, 2021 09:27 AM
    Error message when msiexec /x {629388F2-A011-4F5C-A6BF-98A80A25317C} /passive /forcerestart is executed from CMD (not as admin)

    Product: Symantec Endpoint Protection -- Error 1730. You must be an Administrator to remove this application. To remove this application, you can log on as an administrator, or contact your technical support group for assistance.


  • 3.  RE: SEP uninstall via Host Integrity policy won't execute requirement

    Posted Dec 07, 2021 09:05 AM
    Edited by Calin_Olariu Dec 07, 2021 09:27 AM
    If the commands are executed from CMD with Admin, they do run, but curiously, they don't respect the Restart options.
    msiexec /x {629388F2-A011-4F5C-A6BF-98A80A25317C} /passive
    Even if I run them with:
    /forcerestart
    /norestart
    /promptrestart
    Eventually, after msiexec uninstalls SEP, it automatically reboots the machine.


  • 4.  RE: SEP uninstall via Host Integrity policy won't execute requirement

    Posted Dec 08, 2021 01:36 AM
    Is the agent uninstall password protected?


  • 5.  RE: SEP uninstall via Host Integrity policy won't execute requirement

    Posted Dec 08, 2021 05:45 AM
    No, there's no password.
    Like I tested yesterday, if I run the command simply from cmd, it gives the error message:
    Product: Symantec Endpoint Protection -- Error 1730. You must be an Administrator to remove this application. To remove this application, you can log on as an administrator, or contact your technical support group for assistance.
    However, if I run the commands from cmd with admin, the process starts, but it reboots the machine, even if the command says no.
    But these are tested manually on the agent itself.

    Via the HI policy nothing starts, no logs in Event Viewer, nothing, even though the agent applied the HI policy.


  • 6.  RE: SEP uninstall via Host Integrity policy won't execute requirement

    Posted Dec 09, 2021 11:58 AM
    Hi Calin,

    Can you export and share your HI policy?

    You could also try to write a .js script with the 'Utility: Run a script' to create, for example, a removesep.bat file and run it with 'Utility run a program'.


  • 7.  RE: SEP uninstall via Host Integrity policy won't execute requirement

    Posted Dec 09, 2021 12:19 PM
    I was facing similar behavior trying to self-uninstall SEP with a Host Integrity policy. I agree it's terrible that there doesn't seem to be a related execution log, details, etc. However, in my case, I realized my PowerShell script was running but not actually taking effect on some machines, due to the uninstall approach I was using. The first approach I refer to is below:

    UninstallSEP.ps1

    $application = Get-WmiObject -Class Win32_Product -Filter "Name='Symantec Endpoint Protection'"
    $application.Uninstall()


    So I realized, again, that for some machines, a few, calling the Uninstall() method from WMI was not running properly. Not sure if it was a different client or legacy. I confess I did not look for logs, because a second script approach worked on the same machines, below:

    UninstallSepHarder.ps1

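    # Find the SEP entry under the Uninstall registry key (first match only)
    $sepClient = Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | Get-ItemProperty |
    Where-Object {$_.DisplayName -like "*Symantec Endpoint Protection*"} | Select-Object -Property DisplayName, UninstallString -First 1

    # Extract the product GUID whether the UninstallString uses /I or /X
    if ($sepClient.UninstallString -notmatch '\{[0-9A-Fa-f-]{36}\}') { throw "SEP product code not found" }
    $uninsGuid = $Matches[0]

    # One msiexec argument per array element
    $MSIArguments = @(
    "/X" + $uninsGuid
    "SYMREBOOT=ReallySuppress"
    "/qn"
    )

    # Calls msiexec with the uninstall parameters and returns its exit code
    (Start-Process "msiexec.exe" -ArgumentList $MSIArguments -Wait -PassThru).ExitCode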

    I hope that helps somehow.

    cesar
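
An added example, not posted by anyone in this thread and not Symantec's code: a PowerShell wrapper that a Host Integrity "run a program" requirement could launch so the attempt leaves a trace (running account, elevation state, msiexec exit code, verbose MSI log), which is the evidence the thread says is missing. The product code and SYMREBOOT=ReallySuppress come from the posts above; the log directory, file names and the Write-Trace helper are assumptions.

```powershell
# Added example: hypothetical wrapper, not from the thread or from Symantec.
# The product code is the one quoted in the thread; $LogDir is an assumed path.
param(
    [string]$ProductCode = '{629388F2-A011-4F5C-A6BF-98A80A25317C}',
    [string]$LogDir      = "$env:SystemRoot\Temp"
)

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$traceLog = Join-Path $LogDir "sep-uninstall-$stamp.txt"
$msiLog   = Join-Path $LogDir "sep-uninstall-$stamp-msi.log"

# Hypothetical helper: append one timestamped line to the trace file.
function Write-Trace([string]$Message) {
    "{0} {1}" -f (Get-Date -Format o), $Message | Add-Content -Path $traceLog
}

# Record who is running the script and whether the token is elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Trace "user=$($identity.Name) elevated=$isAdmin"

if (-not $isAdmin) {
    # Without elevation msiexec stops with Error 1730, as seen in the thread.
    Write-Trace 'not elevated, uninstall not attempted'
    exit 1
}

# /L*v writes a verbose Windows Installer log next to the trace file.
$msiArgs = @('/X', $ProductCode, 'SYMREBOOT=ReallySuppress', '/qn', '/L*v', "`"$msiLog`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Standard Windows Installer exit codes relevant to this uninstall.
$meaning = switch ($proc.ExitCode) {
    0       { 'success' }
    1605    { 'product not installed (unknown product code)' }
    1618    { 'another installation is already in progress' }
    1641    { 'success, reboot initiated by the installer' }
    3010    { 'success, reboot required' }
    default { 'failure, see the MSI log' }
}
Write-Trace "msiexec exit=$($proc.ExitCode) ($meaning) msilog=$msiLog"
exit $proc.ExitCode
```

If no trace file appears after the policy is applied, the requirement never launched the script; if it appears with elevated=False, the requirement ran in a context that cannot remove the product.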