Geek Side Blog‎ > ‎Archives‎ > ‎2009-vftgs‎ > ‎

Antivirus stuff

posted Jul 24, 2011, 5:36 PM by Boyce Crownover   [ updated Jul 24, 2011, 5:39 PM ]
Wednesday, March 4, 2009, 09:43 AM
Posted by Administrator
We've used Symantec Endpoint Protection 11 for about a year now. When I started we were still using Symantec's Norton Antivirus 9, and it was well out of date and no longer under maintainance. We knew we could trust Symantec to do a decent job so we took the path of least resistance and moved to SEP. It proved to be an adequate product, but getting support was difficult at best. It is the type of product that you need training to understand well and you need hours every week or at least minutes every day. When you want to make changes or get reports it has every bell and whistle you could ask for, but it is far from intuitive.

We trialed and then moved to Kaspersky this year. I'm not their biggest fan by any means and wouldn't have recommended their products, but I would have recommended them over Symantec and have now gained enough experience to say that it is easier to work with them and with their product.

Symantec's client installations just started using our perimeter firewall as a proxy for no particular reason the other day, so the situation became somewhat urgent and I learned a couple things that somebody should write down somewhere.

First, Symantec has a tool that will remove their products, all of them. You should get it from them.

Second, there are ways to uninstall remotely and in an automated process, which they won't tell you.

If you're not familiar with psexec, then spend the time and effort to learn about sysinternals toolset. Essentially there was this company that made a bunch of tools that helped work on MS products... so well that MS bought them eventually. One of those tools is psexec which lets you run programs remotely.

So, to do remote uninstalls, the first step is to find the Uninstallation string associated with the program. You can do this by opening up the Registry editor with RegEdit then browsing down into:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
There there will be a key for each installed program. You'll probably need to use the Edit-Search menu to find the one you're needing, but somewhere there will be the uninstall string. Hang on to that for remote uninstallations.

For Symantec Endpoint Protection 11, the key turned out to be:
MsiExec.exe /I{76B2BC31-2D96-4170-9C44-09E13B5555F3}
With a little reading and googling, I changed that to:
MsiExec.exe /norestart /q/x{76B2BC31-2D96-4170-9C44-09E13B5555F3} REMOVE=ALL

I also wanted to remove LiveUpdate, which by the same method I found to be:
"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
which, thanks to google and friends, I switched to:
"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U /q

Now, you can use psexec to run those commands on a remote machine and it will remove SEP and LiveUpdate and not reboot, but you can go even further if you're using Kaspersky. Build it into a batch file then add that as a package and you can run it from the Deployment Wizard too!
Comments