Endpoint Protection

  • 1.  SEPprep and Remote Push

    Posted Jan 24, 2018 03:53 PM

    Hello Everyone,

    We are currently migrating from Kaspersky Endpoint 10.3 to SEP 14.1. We have roughly 500+ devices that will be making the migration and we are trying to get things ready to go to make the deployment. We currently have SEPM configured on a 2016 server that seems to be working properly, as well as our policies adjusted to how we want them.

    We ran into a problem while setting up the SEPprep tool to configure the removal of Kaspersky on a computer prior to installation. We export the package from SEPM, change the file names as required, and copy them into the exported installation directory. When we remote push the software installation package it will run through and successfully remove Kaspersky Endpoint Security 10 as well as Kaspersky Network Agent without any issues. After that it goes to execute the renamed SEPsetup.exe file and fails. Below is the log from one of the test machines that we are using. Restarting the machine doesn't do anything.

    I created a ticket and contacted support via phone but was told that they aren't trained nor do they support the SEPprep script. The "remove 3rd party antivirus software" feature that is packaged into the install settings will not remove Kaspersky Endpoint 10.3. I'm really looking for any help here. I see there are others that have had similar issues but all of their forum posts do not seem to have real resolutions attached to them.

     

    Computer Name: CSG-960
    01/24/2018 14:42:06:227 SEPprep starting!
    01/24/2018 14:42:06:321 Removing: Kaspersky Endpoint Security 10 for Windows
    01/24/2018 14:42:06:321 Attempting to run: msiexec.exe /x {7911E943-32CC-45D0-A29C-56E6EF762275} /qn REMOVE=ALL REBOOT=R /qn
    01/24/2018 14:42:58:508 Exit code: 0
    01/24/2018 14:42:58:571 Removing: Kaspersky Security Center 10 Network Agent
    01/24/2018 14:42:58:571 Attempting to run: MsiExec.exe /X{BCF4CF24-88AB-45E1-A6E6-40C8278A70C5} REMOVE=ALL REBOOT=R /qn
    01/24/2018 14:46:19:962 Exit code: 0
    01/24/2018 14:46:21:712 Attempting to run: SEPsetup.exe /s /w /s /w "/v/qn /l*v C:\windows\TEMP\SEP_INST.LOG REBOOT=ReallySuppress"
    01/24/2018 14:46:22:243 Exit code: 1610
    01/24/2018 14:46:22:243 Symantec Endpoint Protection is NOT installed.
    01/24/2018 14:46:22:243 Added tool to local system RunOnce key, please reboot to run tool again.
    01/24/2018 14:46:22:243 SEPprep stopping!

    Below is a screen capture of the error that is placed in event viewer. 

    Below is the log from temp from VPRemote

    VPRemote.exe starting up with cmdline: C:\TEMP\Clt-Inst\vpremote.exe
    Starting service: vpremote.exe...
    Launching Command: "C:\TEMP\Clt-Inst\vpremote.exe" -launch
    The process was created successfully.
    Successfully deleted service: vpremote.exe. 
    Using vpremote cmdline args
    Process CmdLine: "C:\TEMP\Clt-Inst\setup.exe" /s /w /v"/qn /l*v "C:\windows\TEMP\SEP_INST.LOG" REBOOT=ReallySuppress"
    The process was created successfully.
    Removing temporary installation source files from: C:\TEMP\Clt-Inst
    Deleted File C:\TEMP\Clt-Inst\Setup.exe
    Deleted File C:\TEMP\Clt-Inst\PkgSrcList
    Deleted Directory C:\TEMP\Clt-Inst\
    One or more files or folders was marked for delete on reboot!
    Trying to mark for delete on reboot file C:\TEMP\Clt-Inst\VPRemoteExecutionStatus.xml
    One or more files or folders was marked for delete on reboot!
    Deleted File C:\TEMP\Clt-Inst\VPRemote.dat
    The vpremote processing has completed.
    

    What I also found was that, following the guide/information here https://support.symantec.com/en_US/article.TECH148513.html, it states at the note:

    Note: Step 7 will not work with a client package obtained from a CD because not all files will be imported into the Symantec Endpoint Protection Manager (SEPM) database. Client packages from the CD have a data1.cab file. Make sure the installation package does not contain any .cab files.

    Which is funny because when I extract/save the .msi files from SEPM there is a .cab file in the directory. When I contacted your support channel they told me to just delete the .cab file and try again, which resulted in the same failure to run/install via SEPsetup.exe.

    I even transferred the installation package folder with SEPprep added and ran the application from the test computer directly, executing setup.exe or SEPsetup.exe. It will remove Kaspersky again but fail to install SEP, which writes no information to Event Viewer nor anything to a log file in a temp directory, but does produce this pop-up error on screen.

    Below is the sepprep.ini file that we are using

    [Settings]
    ShowGUI=N
    ShowMessageBox=N
    MessageBoxText=Preparing your system for Symantec Endpoint Protection 11.0.  During this process other antivirus products will be removed.\n\nIf you are prompted please fully remove these products.
    AutoRunAfterUILoads=N
    AskBeforeRemoval=N
    SilentMSIInstaller=Y
    RemoveSymantec=N
    CheckDiskSpace=Y
    ResumeAfterReboot=Y
    EnableLogging=Y
    LogPath=%temp%
    RunBeforeRemoval=
    RunAfterRemoval=SEPsetup.exe
    
    [UninstallPaths]
    SOFTWARE\McAfee\ePolicy Orchestrator\Application Plugins
    
    [ProductNames]
    ;Programs that must be removed first
    Cisco Security Agent
    McAfee Agent
    McAfee Anti-Spyware
    Kaspersky Anti-Virus 6.0 for Windows Servers MP4
    Kaspersky Anti-Virus 6.0 for Windows Workstations MP4
    Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition
    Kaspersky Endpoint Security 10 for Windows
    Kaspersky Endpoint Security 10 Network Agent
    Kaspersky Endpoint Security 10 Maintenance Release 1 for Windows
    Kaspersky Endpoint Security 8 for Windows
    Kaspersky Security Center Network Agent
    Kaspersky Anti-Virus 6.0 for Windows Workstations
    Kaspersky
    Kaspersky Small Office Security for Personal Computer / File Server, all versions 
    Kaspersky Total Security 
    Kaspersky PURE, all versions 
    Kaspersky Anti-Virus, all versions 
    Kaspersky Internet Security, all versions 
    Kaspersky Password Manager, all versions 
    Kaspersky Fraud Prevention for Endpoint, all versions 
    AVP Tool driver 
    Kaspersky Security Scan 3.0 
    Kaspersky Security Scan 2.0 
    Kaspersky Endpoint Security 8/10 for Windows (for File Servers) 
    Kaspersky Endpoint Security 8/10 for Windows (for Workstations) 
    Kaspersky Anti-Virus 6.0 R2 for Windows Workstations 
    Kaspersky Anti-Virus 6.0 R2 for Windows Servers  
    Kaspersky Anti-Virus 6.0 FS MP4 
    Kaspersky Anti-Virus 6.0 SOS MP4 
    Kaspersky Anti-Virus 6.0 WKS MP4 
    Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition 
    Kaspersky Network Agent 10 
    Kaspersky Lab Network Agent 8/9 
    ;The name of antivirus companies
    McAfee
    Trend Micro
    Sophos
    Kaspersky
    avast!
    Webroot
    BitDefender
    F-Secure
    AhnLab
    ;Key words used in product names
    AntiVirus
    Anti-Virus
    Antispyware
    Anti-spyware
    AntiTrojan
    Anti-Trojan
    Client Security
    Security Agent
    Internet Security
    Endpoint Protection
    Total Security
    Total Protection
    Personal Firewall
    Client Firewall
    ;Known product names
    Norton Internet Security
    Norton 360
    Norton Antivirus
    Norton SystemWorks
    McAfee Total Security
    McAfee VirusScan Enterprise
    McAfee VirusScan
    McAfee Antispyware
    McAfee Total Protection
    McAfee Active Virus
    McAfee Internet Security
    Trend Micro Internet Security
    Trend Micro AntiVirus
    Trend Micro SecureSite
    Trend Micro Worry-Free
    Trend Micro OfficeScan
    Trend Micro NeatSuite
    Trend Micro InterScan
    Trend Micro ServerProtect
    PC-Cillin
    Sophos Anti-Virus
    Sophos Endpoint Security
    Sophos Client Firewall
    Sophos Computer Security
    Panda Administrator
    Panda Internet Security
    Panda Global Protection
    VIPRE® Antivirus
    VIPRE Antivirus
    VIPRE Enterprise
    CounterSpy Antispyware
    Windows Defender
    Microsoft Forefront Client Security
    Forefront Client
    BitDefender Antivirus
    BitDefender Total Security
    BitDefender Internet Security
    BitDefender GameSafe
    Agnitum Outpost
    Outpost Security Suite
    Outpost Firewall
    Outpost Network Security
    AVG Free
    AVG Internet Security
    AVG Anti-Virus
    AVG 2010
    AVG 2011
    Avira AntiVir
    Avira Premium Security
    Avira WebProtector
    CA eTrust
    CA iTechnology
    CA Internet Security
    CA Anti-Virus
    CA Personal Firewall
    CA Anti-Spyware
    eEye Blink
    eEye Iris
    eEye Retina
    ESET NOD32
    ESET Smart Security
    ESET Enterprise Security
    AntiTrojanVirus
    Anti-TrojanVirus
    Internet Guardian Angel
    Finport Simple Anti-Virus
    Fortinet FortiClient
    FortiClient
    Frisk F-PROT
    F-PROT Antivirus
    F-Secure Client Security
    F-Secure PSB Workstation Security
    F-Secure Anti-virus
    G DATA AntiVirus
    G DATA InternetSecurity
    G DATA TotalCare
    G DATA NotebookSecurity
    G-DATA AntiVirus
    G-DATA InternetSecurity
    G-DATA TotalCare
    G-DATA NotebookSecurity
    K7 Total Security
    K7 Antivirus
    Kingsoft Internet Security
    MWTI eScan Internet Security
    eScan AntiVirus
    eScan Internet Security
    eScan Corporate Edition
    eScan Enterprise Edition
    Nifty Corp. Security
    Norman Security
    Norman Endpoint Protection
    Norman Virus Control
    Norman Online Protection
    PC Tools AntiVirus
    PC Tools Internet Security
    PC Tools Spyware Doctor
    Quick Heal AntiVirus
    Rising Internet Security
    Trustport Antivirus
    VirusBuster VirusBuste
    VirusBuste
    TrustPort Antivirus
    TrustPort PC Security
    TrustPort USB Antivirus
    TrustPort U3 Antivirus
    ClamWin Free Antivirus
    ClamWin
    Spybot
    ZoneAlarm
    Proventia
    BlackICE

     



  • 2.  RE: SEPprep and Remote Push

    Broadcom Employee
    Posted Jan 24, 2018 07:44 PM

    Hi Andrew,

    Could you post that Support case number here, or send me a PM with it, so I can have a look?  Thanks.

    It sounds like SEPprep is able to remove Kaspersky, at least if run locally, is that correct? I'd be curious whether simply running a SEP client install package without calling it via SEPprep would succeed. The error you posted, about "installer integrity check", sounds like it could occur with this client package whether it was called by SEPprep or not. If possible, please test your SEP client package without using SEPprep (and apologies if you said that you already did so; I reviewed this a couple of times but didn't see mention of that).

    Based on this, it might be possible to troubleshoot this as a general SEP install failure / rollback.  We've seen this error thrown for a number of reasons, including issues with system requirements and trouble with root certificates.  I may be able to find some useful data on the case.  Thank you. 



  • 3.  RE: SEPprep and Remote Push

    Posted Jan 25, 2018 08:22 AM

    Correct. It will start setup.exe, which is SEPprep. It removes Kaspersky AV silently, then removes Kaspersky Network Agent silently. Then it calls SEPsetup.exe, and nothing happens on screen. The SEP log I attached indicates exit code 1610. If I copy the installation folder over to the computer and run setup.exe it does the same thing. If I run SEPsetup.exe it will produce the integrity error that I linked. If I remove the SEPprep files and rename SEPsetup.exe back to setup.exe it will run through and install SEP without any issues.
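    The sequence this thread is trying to get working (remove the two Kaspersky products, then launch the SEPM-exported client package) as an added PowerShell example. It was written for this page; it is not SEPprep and not Symantec code. It assumes the package was copied to C:\TEMP\Clt-Inst\setup.exe (the path VPRemote logged in post 1) with the launcher keeping its original name, which post 3 reports is the configuration that installs; the product display names come from the SEPprep log; the exit-code table is the documented Windows Installer list, and treating setup.exe's exit code as a pass-through of that list is an assumption. Note also that the command SEPprep logged for the renamed launcher carries "/s /w" twice, which the thread does not explain, so the example passes the switches once.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread; it is not SEPprep and not Symantec code.
# Pre-flight for a SEP migration on one workstation: find the products the
# thread needs removed (names taken from the SEPprep log above), uninstall
# each via msiexec using its registry-recorded ProductCode, interpret the
# Windows Installer exit codes, verify the exported package's signature, and
# only then launch the SEP client package under its original name (setup.exe).

# Display names to remove; prefix-matched like SEPprep's [ProductNames] list.
$ProductNames = @(
    'Kaspersky Endpoint Security 10 for Windows',
    'Kaspersky Security Center 10 Network Agent',
    'Kaspersky Security Center Network Agent'
)

# Assumed locations; adjust to where the SEPM-exported package was copied.
$SepPackage = 'C:\TEMP\Clt-Inst\setup.exe'
$SepLog     = Join-Path $env:windir 'Temp\SEP_INST.LOG'

# Documented Windows Installer return codes (msiexec error code list).
$MsiCodes = @{
    0    = 'ERROR_SUCCESS'
    1603 = 'ERROR_INSTALL_FAILURE'
    1605 = 'ERROR_UNKNOWN_PRODUCT (product not registered on this machine)'
    1610 = 'ERROR_BAD_CONFIGURATION (configuration data for this product is corrupt)'
    1618 = 'ERROR_INSTALL_ALREADY_RUNNING'
    1641 = 'ERROR_SUCCESS_REBOOT_INITIATED'
    3010 = 'ERROR_SUCCESS_REBOOT_REQUIRED'
}
$SuccessCodes = @(0, 1641, 3010)

function Get-InstalledProducts {
    # Both the native and the WOW6432Node Uninstall hives; the key name is the
    # MSI ProductCode for products registered by Windows Installer.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, UninstallString,
                      @{ Name = 'ProductCode'; Expression = { $_.PSChildName } }
}

function Invoke-MsiUninstall {
    param(
        [Parameter(Mandatory)][string]$ProductCode,
        [Parameter(Mandatory)][string]$LogFile
    )
    # Same shape as the command SEPprep logged, plus a verbose log per product.
    $msiArgs = "/x $ProductCode REMOVE=ALL REBOOT=R /qn /l*v `"$LogFile`""
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

function Get-ExitCodeMeaning([int]$Code) {
    if ($MsiCodes.ContainsKey($Code)) { return $MsiCodes[$Code] }
    return 'not in the table above; see the msiexec error code list'
}

$failed = $false
foreach ($prod in Get-InstalledProducts) {
    $name = $prod.DisplayName
    if (-not ($ProductNames | Where-Object { $name.StartsWith($_) })) { continue }

    # Only Windows Installer products carry a {GUID} key; anything else needs
    # its own UninstallString and is reported rather than guessed at.
    if ($prod.ProductCode -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
        Write-Warning "$name is not an MSI product; uninstall string: $($prod.UninstallString)"
        $failed = $true
        continue
    }

    $log  = Join-Path $env:TEMP ('Remove_' + ($name -replace '[^\w]', '_') + '.log')
    $code = Invoke-MsiUninstall -ProductCode $prod.ProductCode -LogFile $log
    Write-Host ("{0}: msiexec exit {1} ({2})" -f $name, $code, (Get-ExitCodeMeaning $code))
    if ($code -notin $SuccessCodes) { $failed = $true }
}

if ($failed) {
    Write-Error 'One or more removals did not succeed; not launching the SEP package.'
    exit 1
}

# Check the package before running it: it must exist under its original name
# and carry a valid Authenticode signature (a renamed or altered launcher is
# what the thread reports failing the installer's integrity check).
if (-not (Test-Path $SepPackage) -or (Split-Path $SepPackage -Leaf) -ne 'setup.exe') {
    Write-Error "Expected the SEP package launcher at $SepPackage under its original name."
    exit 1
}
$sig = Get-AuthenticodeSignature -FilePath $SepPackage
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature on $SepPackage is $($sig.Status); refusing to run it."
    exit 1
}

# Same switches VPRemote logged; the log path has no spaces, so the inner
# quotes the VPRemote line carried are not needed here.
$sepArgs = "/s /w /v`"/qn /l*v $SepLog REBOOT=ReallySuppress`""
$sep = Start-Process -FilePath $SepPackage -ArgumentList $sepArgs -Wait -PassThru
# Assumption: SEP's setup.exe passes the Windows Installer return code through.
Write-Host ("setup.exe exit {0} ({1})" -f $sep.ExitCode, (Get-ExitCodeMeaning $sep.ExitCode))
exit $sep.ExitCode
```

    Run it elevated on one test machine before any remote push; the per-product msiexec logs in %TEMP% and the SEP_INST.LOG it requests are what support will ask for if a step still fails. Replacing 3010 handling with a scheduled reboot is the one change most environments need before mass deployment.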



  • 4.  RE: SEPprep and Remote Push

    Posted Jan 25, 2018 08:24 AM

    Case Number was 13986857. They didn't do much aside from observe the issue and then state they weren't trained to support SEPprep.



  • 5.  RE: SEPprep and Remote Push

    Broadcom Employee
    Posted Jan 25, 2018 09:49 AM

    Thanks for the additional information, Andrew.  It sounds as if the steps you performed with SEPprep should have worked. 

    The notes on the case make it sound as if you may be planning to work around this and take a different path for your SEP migration, but if you're still hoping to leverage SEPprep then here's what I can do:

    1.) I'll spin up a new case and assign it to myself. 
    2.) I'll run through a SEPprep deployment in my test environment as a sort of "sanity check".  It's honestly been a while since I used this tool, and it may help for me to go through the steps in a test deployment scenario. 
    3.) If I encounter the same failure, I can troubleshoot why our directions aren't working.  If it works okay for me, I can report back to you with very specific steps so we can compare notes. 

    A couple questions, assuming you do want to move forward with this:

    - What sort of timeframe are you looking at for your deployment?
    - Would you be willing to provide me with some data (i.e. SymDiag from one of your systems you tested with, possibly a copy of your install package materials, etc...)?

    I'd like to provide further assistance if needed - please confirm whether you still wish to pursue SEPprep or have another avenue in mind.  Thank you. 



  • 6.  RE: SEPprep and Remote Push

    Posted Jan 25, 2018 10:36 AM

    We are up and running on Kaspersky so this isn't really an issue that needs to be sorted today or even tomorrow for that matter. We have a lot of time left on our old Kaspersky licenses. We already have purchased our SEP contract and would like to move forward soon. We are stuck here for now until we can get a solution in place that will check and remove the Kaspersky software prior to installation of SEP and I can get it tested on a few test machines as well. Our SEPM is up and running and we even have SEP on 5 or 6 machines that we've done by hand. Just looking to get this ready for mass deployment to our 650+ workstations.

    I can provide any data that you require. We are using the latest version of SEP 14.1 or 14.0.1.

    The Symantec TS agent stated that I was going to look into a different path, as he left me no choice. He stated that he couldn't assist with SEPprep and that there was a tool built into the software for removal of 3rd party AVs, which unfortunately doesn't support Kaspersky 10.3 or 10.2, which are the 2 versions of Kaspersky that we have deployed in our environment. SEPprep has worked great for removing Kaspersky 10.2, 10.3, and the network agent as well.



  • 7.  RE: SEPprep and Remote Push

    Broadcom Employee
    Posted Jan 25, 2018 11:19 AM

    Okay Andrew, I will open a case and reach out via email a little later today to confirm the new case number.  I'll then begin testing, with the goal to have test results to report back by early next week.