Endpoint Protection


Uninstall SEP through SEPM

  • 1.  Uninstall SEP through SEPM

    Posted Nov 11, 2010 12:18 PM

    Hi All,

    I've seen many threads about this and so far none of the answers can help me.

    I'm in a bit of a weird situation. We use SEPM to manage the AV for multiple customers. It works very well; I simply edit the sylink to talk back to a server in our DMZ and make the changes on the customer's firewall. All good.

    However one of our customers has left and all access to their domain has been removed. Some of their endpoints are still checking in and I need a way to uninstall them, or at least stop them from checking into us.

    I've disabled the various components and set a LiveUpdate policy to get its updates from http://255.255.255.255. What I need is a way to either uninstall the application through the management console (which I don't think we'll ever see) or a way to edit the sylink file.

     

    Any ideas?



  • 2.  RE: Uninstall SEP through SEPM

    Posted Nov 11, 2010 12:22 PM

    As of now you cannot uninstall them from SEPM.

    You can make them not talk to your SEPM.

    Make those clients unmanaged clients using a sylink drop.

    here is the tool

    https://www-secure.symantec.com/connect/downloads/sylinkreplacer-tool-connecting-sep-clients-sepm

    Use the sylink from the CD1 SEPM folder; it will make them unmanaged so that they won't check in.

    or else 

    make the communication mode to pull with a very long interval

    SEPM > Clients > Policies > Communication Settings; set it to pull mode with a very long interval



  • 3.  RE: Uninstall SEP through SEPM
    Best Answer

    Posted Nov 11, 2010 12:28 PM

    If I were you, I wouldn't settle for changing policies to lessen communication between their clients and your server. I would want the communication completely cut off.

    In addition to this, I also would not want to make any changes to their environment by modifying SEPM policies because you are no longer authorized to do so.

    If you contact them and they are unwilling to uninstall the SEP product from their environment (or take steps to ensure that it no longer communicates with your SEPM), then I would block all traffic to/from their IP address(es) at your perimeter firewall.

    Regards,

    James



  • 4.  RE: Uninstall SEP through SEPM

    Posted Nov 11, 2010 01:30 PM

    You can block the clients or IP range from connecting to SEPM from SEPM > Admin > Servers > Local Site > Servername > Properties.

    You can block the range of IP addresses used for this client.



  • 5.  RE: Uninstall SEP through SEPM

    Posted Nov 11, 2010 01:49 PM

    It would be more appropriate to block the ex-customer's public-facing class-A IP address than it would be to try to block the range of IP addresses that the ex-customer's SEP clients use.

    This should not be done by the Symantec Endpoint Protection product. The original poster should use his network's perimeter firewall to do this.

    Regards,

    James



  • 6.  RE: Uninstall SEP through SEPM

    Posted Nov 11, 2010 05:06 PM

    Do you have the Host Integrity component on your system? It's an option (SNAC) you would have had to purchase separately.

    If so, you can create a rule that will execute the uninstall process for clients that meet whatever criteria you select or simply apply it to the groups where those clients reside.

    I've used it to uninstall software or apply sylinks to move clients from different SEP domains. I can provide more details if you have that feature.

    Kev



  • 7.  RE: Uninstall SEP through SEPM

    Posted Nov 11, 2010 05:54 PM

    It would seem that the original poster no longer has permission from his client to make changes to his network. As such, I'm not sure he should do anything except sever communication.

    Regards,

    James



  • 8.  RE: Uninstall SEP through SEPM

    Trusted Advisor
    Posted Nov 11, 2010 08:01 PM

    Hello,

    Have you heard of the Symantec Endpoint Protection Integration Component? This comes along with the Symantec Endpoint Protection DVD.

     

    Uninstalling antivirus software remotely

    You can use the Symantec Management Platform to uninstall existing antivirus software on the computers that you specify.

    To uninstall antivirus software remotely

    1. In the Symantec Management Console, on the Manage menu, click Jobs and Tasks.
    2. In the left pane, click Jobs and Tasks > System Jobs and Tasks > Symantec Endpoint Protection Management, right-click, and click New > Job or Task.
    3. On the Create New Task page, in the left pane, click Symantec Endpoint Protection Management > Uninstall Antivirus.
    4. On the Create New Task page, name the task.
    5. Click OK.
    6. In the left pane, click Jobs and Tasks > System Jobs and Tasks > Symantec Endpoint Protection Management, and then click your task.
    7. In the right pane, click New Schedule to schedule the task and to define the computers that you want to run the antivirus inventory task on. For more information, see topics about using tasks in the Symantec Management Platform Help.
    8. In the New Schedule page, click Schedule.

    The status of your task is displayed under Task Status.

      



  • 9.  RE: Uninstall SEP through SEPM

    Posted Nov 11, 2010 10:57 PM

    The most responsible way is to let them know how to reconfigure their SEP clients so that they are either managed internally, or are unmanaged but still getting updates from the internet. You really shouldn't cut them off without ensuring they are still being protected.

    If you can change your firewall policy to block their public facing IP address that is going to be easiest.

    Then I would just set a policy that turns off the communication back to the SEP Manager. Go to the group > communication settings and then untick the option that tells the clients to contact the management server at the very top right under the Management server list.

    The next time a client checks in it will get the new comms settings and then never talk to the SEPM ever again!

    Hope that helps...



  • 10.  RE: Uninstall SEP through SEPM

    Posted Nov 12, 2010 12:35 AM

    I agree with James-x on this one.

    Change the SEPM policy for their group so that they won't be reporting back to your SEPM for logs and updates. Maybe disable their NTP policies that concern you.

    Then cut them off by changing the rules on the firewall appliance.

    Much easier.



  • 11.  RE: Uninstall SEP through SEPM

    Posted Nov 12, 2010 12:51 AM

    The simplest of all:

    1. In AD, place all those clients (on which we need to uninstall SEP) in one single OU.
    2. Assign a software deployment policy in AD, wherein you may use the CleanWipe utility to execute the uninstallation of SEP.

             NOTE: CleanWipe is not a Symantec-developed tool. Hence, disclaimer applied.



  • 12.  RE: Uninstall SEP through SEPM

    Posted Nov 12, 2010 03:49 AM

    Thanks everyone,

    I think the only legal option I have is to go with James-x. If I use any method to uninstall the endpoint and it caused something to go wrong on users' machines then we'd have a lot of legal questions to answer. The chances are slim but it's not worth it.

    I guess blocking the IP on the firewall is probably the best route to take.

     

     

    Mithun,

    That looks like a very useful method. I'm managing nearly 2000 endpoints in a very complex setup (86 different domains across 120 locations) with more coming online every day, and the more tools I can integrate into SEPM the better.

     

    Thanks again everyone,



  • 13.  RE: Uninstall SEP through SEPM

    Posted Nov 12, 2010 04:11 AM

    Hi Mithun,

    Do you know if there is a 64-bit version of the Symantec Endpoint Protection Integration Component?

    Thanks

    Conor