The CleanWipe utility is used to completely remove Symantec AntiVirus and Symantec Endpoint Protection products. To obtain CleanWipe, please contact Symantec Technical Support. Once the utility has been obtained, please follow these instructions.

This utility can be run on Windows 2000, Windows XP (32 and 64 bit), and Windows Server 2003 (32 and 64 bit).

Warnings:
- Do not run this utility on Windows NT, Windows 9x, or Windows Me.
- Do not run this utility on systems that have Symantec AntiVirus 8.x or below installed.
- You cannot select individual applications to remove.
- CleanWipe may remove LiveUpdate.
- CleanWipe will remove Virus Definitions if you select Yes to "Do you want to do a detailed MSI Product Code registry search?...", even when selecting No to "If Virus Defs remain after uninstalling Symantec products do you want to uninstall the Virus Defs?". If you have other Symantec applications that use the VirusDefs folder, it is recommended that you make a backup copy of the VirusDefs folder before running the CleanWipe tool. The VirusDefs folder is located under C:\Program Files\Common Files\Symantec Shared\

When using the CleanWipe utility, please be aware that it removes the following products and components from the computer:
- Alert Management Server
- Firewall Administrator
- Quarantine Console
- Quarantine Server
- Symantec AntiVirus (Version 9.x and above)
- Symantec AntiVirus Corporate Edition
- Symantec Client
- Symantec Client Firewall
- Symantec Client Security
- Symantec Endpoint Protection
- Symantec Endpoint Protection Manager
- Symantec LiveUpdate
- Symantec Network Access Control
- Symantec Sygate Enterprise Protection
- Symantec System Center
- Symevent

If you have other Symantec applications on the computer that depend on any of the applications listed above, those applications may not function properly. The customer may need to re-install the missing applications after running CleanWipe.

Note: The zip file is password protected. Un-Zip Password: symantec

1. Extract the file to a new folder in a convenient location, such as the Desktop, using the un-zip password provided above.
2. Browse to the new folder and execute the utility by double-clicking 'CleanWipe.exe'.
3. Follow the on-screen instructions. The utility runs in verbose mode and will ask you about the components you want uninstalled.

Note: If the CleanWipe utility fails to remove Symantec Endpoint Protection, please proceed through the manual uninstall procedure for the version of the product you have installed. You can find the manual uninstall instructions in the following documents:
- Title: How to manually uninstall Symantec Endpoint Protection client from Windows 2000, XP and 2003, 32-bit Editions. Solution ID: 2007073018014248. Document URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007073018014248
- Title: 'Manual uninstallation documents for Symantec Client Security products'. Solution ID: 2002031914291648. Document URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002031914291648
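The backup the warning above asks for, and the check you want afterwards, as an added PowerShell example (not part of the Symantec article or of CleanWipe itself): it copies the shared VirusDefs folder to a timestamped backup before CleanWipe runs, and after CleanWipe it lists which Symantec product entries and services are still registered so you know what to reinstall or remove manually. The VirusDefs path is the one the article gives; $BackupRoot and the list of known service names are assumptions.

```powershell
# Added example, not part of the Symantec article: back up VirusDefs before
# CleanWipe, and audit what Symantec components remain afterwards.
param(
    [string]$VirusDefs  = "$env:ProgramFiles\Common Files\Symantec Shared\VirusDefs",
    [string]$BackupRoot = "$env:SystemDrive\SymantecBackup",   # assumption
    [switch]$AuditOnly                                            # use after CleanWipe has run
)

function Backup-VirusDefs {
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path -LiteralPath $Source)) {
        Write-Warning "VirusDefs folder not found at $Source; nothing to back up."
        return $null
    }
    $target = Join-Path $Destination ('VirusDefs-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -LiteralPath $Source -Destination $target -Recurse -Force
    # Sanity check: same number of files on both sides before trusting the copy.
    $src = (Get-ChildItem -LiteralPath $Source -Recurse -File | Measure-Object).Count
    $dst = (Get-ChildItem -LiteralPath $target -Recurse -File | Measure-Object).Count
    if ($src -ne $dst) { throw "Backup incomplete: $src source files, $dst copied." }
    return $target
}

function Get-SymantecLeftovers {
    # Installed-product entries from both registry views, plus services still registered.
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $products = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Symantec|LiveUpdate|Symevent' } |
        Select-Object DisplayName, DisplayVersion, UninstallString

    # Known SEP 11 / SAV service names (assumption) in addition to display-name matching.
    $knownServices = 'SmcService', 'ccEvtMgr', 'ccSetMgr', 'SepMasterService', 'SNAC', 'Symantec AntiVirus'
    $services = Get-Service | Where-Object {
        $_.DisplayName -match 'Symantec|LiveUpdate' -or $knownServices -contains $_.Name
    } | Select-Object Name, DisplayName, Status

    [pscustomobject]@{ Products = @($products); Services = @($services) }
}

if (-not $AuditOnly) {
    $backup = Backup-VirusDefs -Source $VirusDefs -Destination $BackupRoot
    if ($backup) { Write-Host "VirusDefs backed up to $backup" }
}
$left = Get-SymantecLeftovers
Write-Host ("{0} Symantec product entries and {1} services still present." -f $left.Products.Count, $left.Services.Count)
$left.Products | Format-Table -AutoSize
$left.Services | Format-Table -AutoSize
```

Run it once before CleanWipe (backup plus baseline), then again with -AuditOnly after the reboot; anything still listed is a candidate for the manual uninstall documents linked above.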
The Symantec Endpoint Protection Manager (SEPM) is installed on a 64-bit Windows operating system. The Data Source Name (DSN) entry is not listed on the System DSN tab when Data Sources (ODBC) is opened from Control Panel or Administrative Tools.
- The installation of the Symantec Endpoint Protection Manager (SEPM) produces no errors, but the DSN is still not listed.
- "SymantecEndpointDSN" is not listed on the System DSN tab of the ODBC Data Source Administrator.
On 64-bit Windows, the Data Sources (ODBC) applet reached from Control Panel or Administrative Tools is the 64-bit ODBC Data Source Administrator, which shows only 64-bit DSNs. The Symantec Endpoint Protection Manager (SEPM) creates a 32-bit DSN, so it appears only in the 32-bit ODBC Data Source Administrator (%SystemRoot%\SysWOW64\odbcad32.exe).
- Go to the %SystemRoot%\SysWOW64 folder (for example, click Start -> Run, type C:\Windows\SysWOW64 and click OK; %SystemRoot% already expands to C:\Windows on a default installation).
- Locate odbcad32.exe and double-click it. This is the 32-bit ODBC Data Source Administrator; the file of the same name under %SystemRoot%\System32 is the 64-bit one.
- Click the System DSN tab.
- "SymantecEndpointDSN" is now listed in the window.
- Click Configure and proceed with the configuration of the DSN for the Symantec Endpoint Protection Manager.
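The same check from the registry, as an added PowerShell example (not part of the Symantec article): system DSNs are stored under ODBC.INI in two registry views, and the 64-bit administrator reads only the native view. The script reports in which view SymantecEndpointDSN exists and, when it is a 32-bit DSN on a 64-bit system, launches the SysWOW64 copy of odbcad32.exe that can edit it. Only the DSN name quoted above is assumed.

```powershell
# Added example, not part of the Symantec article: locate a system DSN in the
# 64-bit and 32-bit (WOW6432Node) ODBC registry views.
param([string]$DsnName = 'SymantecEndpointDSN')

function Get-SystemDsn {
    param([string]$Name)
    # Under each ODBC.INI root, the "ODBC Data Sources" subkey maps DSN name -> driver,
    # and a subkey named after the DSN holds its settings.
    $views = @(
        @{ Bitness = '64-bit'; Root = 'HKLM:\SOFTWARE\ODBC\ODBC.INI' }
        @{ Bitness = '32-bit'; Root = 'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBC.INI' }
    )
    foreach ($v in $views) {
        $listing = Get-ItemProperty -Path (Join-Path $v.Root 'ODBC Data Sources') -ErrorAction SilentlyContinue
        $driver  = if ($listing) { $listing.$Name } else { $null }
        $cfg     = Get-ItemProperty -Path (Join-Path $v.Root $Name) -ErrorAction SilentlyContinue
        $settings = if ($cfg) {
            ($cfg.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
        } else { '' }
        [pscustomobject]@{
            Bitness  = $v.Bitness
            Present  = [bool]$driver
            Driver   = $driver
            Settings = $settings
        }
    }
}

$dsn = Get-SystemDsn -Name $DsnName
$dsn | Format-List

$is32 = ($dsn | Where-Object Bitness -eq '32-bit').Present
$is64 = ($dsn | Where-Object Bitness -eq '64-bit').Present
if ($is32 -and -not $is64 -and [Environment]::Is64BitOperatingSystem) {
    # System32\odbcad32.exe is the 64-bit administrator; the SysWOW64 copy is the 32-bit one.
    Write-Host "$DsnName is a 32-bit DSN; opening the 32-bit ODBC Data Source Administrator."
    Start-Process -FilePath (Join-Path $env:SystemRoot 'SysWOW64\odbcad32.exe')
}
```

The Settings column shows the raw DSN values (driver, database file or server) so you can confirm the DSN points at the database SEPM actually uses before changing anything in the Configure dialog.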
- Using an unzipping utility, unzip the .jdb file into a new folder.
Note: It is possible to use the built-in Windows unzip utility to unzip the .jdb file. To do so, change the file extension on the .jdb file to .zip, right-click the file, and click “Extract All…”.
- After the .jdb is uncompressed, place the folder on a removable storage device or at the root of the infected computer's hard drive so that the Symantec Endpoint Recovery Tool can access the definitions.
- Confirm that the infected computer boots from CD or removable media first.
Refer to the computer’s manual for information on configuring the computer appropriately.
- Boot the infected computer from the SERT disc created in step 2.
- Click Continue loading Endpoint Recovery Tool
- Select a language and click OK.
- When presented with the Symantec Software License Agreement, click I Agree.
- If a network connection is detected, the Symantec Endpoint Recovery Tool attempts to download the latest virus definitions. If the computer is isolated from the network, or if it is unable to download definitions for any reason, click Browse for Virus Definitions, and browse to the folder to which you unzipped the virus definitions.
- Verify that the virus definitions have been loaded by looking in the lower right-hand corner of the screen: the "Virus definitions current as of" date should be the current date.
- Make sure that Save scan session information is checked.
Saving the scan session allows you to undo any modifications made by the tool.
If needed, you can change the location where the scan session information will be stored. To do so, click Change location and select the preferred location.
- Click Start Scan.
To open firewall ports for SEP you need to know the following ports:
| Number | Port Type | Initiated by | Listening Process | Description |
| 80, 8014 | TCP | SEP Clients | svchost.exe (IIS) | Communication between the SEPM and SEP clients and Enforcers (8014 in MR3 and later builds, 80 in older builds). |
| 443 | TCP | SEP Clients | svchost.exe (IIS) | Optional secured HTTPS communication between the SEPM and SEP clients and Enforcers. |
| 1433 | TCP | SEPM | sqlservr.exe | Communication between the SEPM and a Microsoft SQL database server if they reside on separate computers. |
| 1812 | UDP | Enforcer | w3wp.exe | RADIUS communication between the SEPM and Enforcers for authenticating unique ID information with the Enforcer. |
| 2638 | TCP | SEPM | dbsrv9.exe | Communication between the embedded database and the SEPM. |
| 8443 | TCP | Remote Java or web console | SemSvc.exe | HTTPS communication between a remote management console and the SEPM. All login information and administrative communication takes place over this secure port. |
| 9090 | TCP | Remote web console | SemSvc.exe | Initial HTTP communication between a remote management console and the SEPM (to display the login screen only). |
| 8005 | TCP | SEPM | SemSvc.exe | The SEPM listens on the Tomcat default shutdown port. |
| 39999 | UDP | Enforcer | | Communication between the SEP clients and the Enforcer, used by the Enforcer to authenticate clients. |
| 2967 | TCP | SEP Clients | Smc.exe | The Group Update Provider (GUP) proxy functionality of the SEP client listens on this port. |
The Symantec Endpoint Protection Manager (SEPM) uses two web servers: Internet Information Services (IIS) and Tomcat. IIS uses ports 80 (or 8014) and 443; Tomcat uses ports 9090 and 8443. Communication between IIS and Tomcat uses HTTP: IIS uses port 9090 to talk to Tomcat, and Tomcat uses port 80 to talk to IIS.
For client and Enforcer traffic, SEP uses HTTP or HTTPS through IIS, on ports 80 (or 8014) and 443 by default. In addition, the Enforcers use RADIUS on UDP port 1812 to communicate in real time with the manager for client authentication.
Port 9090 is used by the remote console to download .jar files and to display the help pages.
Port 8443 is used by the remote console to communicate with the SEPM, and by Replication Partners to replicate data.
The clients communicate with the Enforcer using a proprietary protocol that authenticates the clients with a challenge-response exchange. The default port for this is UDP 39999.
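Before opening firewall ports it is worth confirming what the manager actually listens on and which process owns each port. The following added PowerShell example (not part of the Symantec article) compares the live listeners on a SEPM host with the table above; the expected owners are taken from the table (svchost.exe for IIS, plus System, which is where http.sys listens on current Windows), default ports are assumed, and Get-NetTCPConnection/Get-NetUDPEndpoint require Windows 8/Server 2012 or later.

```powershell
# Added example, not part of the Symantec article: check SEPM listeners against
# the port table and flag a network-reachable Tomcat shutdown port.
function Get-SepmPortStatus {
    $expected = @(
        @{ Port = 8014; Proto = 'TCP'; Owner = 'svchost', 'System'; Role = 'Client/Enforcer HTTP (MR3 and later)' }
        @{ Port = 80;   Proto = 'TCP'; Owner = 'svchost', 'System'; Role = 'Client/Enforcer HTTP (pre-MR3)' }
        @{ Port = 443;  Proto = 'TCP'; Owner = 'svchost', 'System'; Role = 'Client/Enforcer HTTPS (optional)' }
        @{ Port = 1433; Proto = 'TCP'; Owner = 'sqlservr';          Role = 'SQL Server (only if the DB is local)' }
        @{ Port = 1812; Proto = 'UDP'; Owner = 'w3wp';              Role = 'RADIUS from Enforcers' }
        @{ Port = 2638; Proto = 'TCP'; Owner = 'dbsrv9';            Role = 'Embedded database' }
        @{ Port = 8443; Proto = 'TCP'; Owner = 'SemSvc';            Role = 'Remote console / replication HTTPS' }
        @{ Port = 9090; Proto = 'TCP'; Owner = 'SemSvc';            Role = 'Remote console HTTP (login page, .jar, help)' }
        @{ Port = 8005; Proto = 'TCP'; Owner = 'SemSvc';            Role = 'Tomcat shutdown port (loopback only)' }
    )
    $tcp = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)
    $udp = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue)

    foreach ($e in $expected) {
        $pool = if ($e.Proto -eq 'TCP') { $tcp } else { $udp }
        $hits = @($pool | Where-Object LocalPort -eq $e.Port)
        $owners = @($hits | ForEach-Object {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        } | Sort-Object -Unique)
        $addrs = @($hits | ForEach-Object LocalAddress | Sort-Object -Unique)
        # AsExpected is true only when something listens and every owner is one the table predicts.
        $unexpected = @($owners | Where-Object { $e.Owner -notcontains $_ })
        [pscustomobject]@{
            Port       = $e.Port
            Proto      = $e.Proto
            Listening  = $hits.Count -gt 0
            BoundTo    = $addrs -join ','
            Owner      = $owners -join ','
            AsExpected = ($hits.Count -gt 0) -and ($unexpected.Count -eq 0)
            Role       = $e.Role
        }
    }
}

$status = Get-SepmPortStatus
$status | Format-Table Port, Proto, Listening, BoundTo, Owner, AsExpected, Role -AutoSize

# Caveat: a Tomcat shutdown port reachable from the network lets anyone who can send the
# shutdown string stop the manager. It should be bound to loopback only.
$shutdown = $status | Where-Object { $_.Port -eq 8005 -and $_.Listening }
if ($shutdown -and $shutdown.BoundTo -notmatch '^(127\.0\.0\.1|::1)$') {
    Write-Warning "Port 8005 is bound to $($shutdown.BoundTo); restrict it to 127.0.0.1 in Tomcat's server.xml."
}
```

Only the ports that listen on the manager are checked; 2967 (GUP) and 39999 (Enforcer) belong to clients and Enforcers and are not included. A row with Listening true but AsExpected false means a process other than the documented one owns the port, which is worth investigating before the firewall rule is opened.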
The Symantec Endpoint Recovery Tool (SERT) is an image that you can burn to a disc and use to scan and remove malware from client computers. Use this tool for computers that are too infected for Symantec Endpoint Protection to clean effectively.
You can download the tool from https://fileconnect.symantec.com/; you need your license number (for example B1234567891).
Download the tool and get a USB key with at least 512 MB of space.
1. Using WinRAR or similar, extract the SERT.iso file to the local file system (this example assumes C:\SERT).
2. Open a command prompt with administrator rights.
3. Insert the USB stick into the computer.
4. Type the following command to start Diskpart:
diskpart <enter>
5. Type the following command to list the available disks:
list disk <enter>
This command is important. It shows you which number your USB drive is. Failure to select the right disk at this point may result in loss of data from your hard disk. Normally the USB drive is Disk 1 and is recognisable by its size, but you should confirm before proceeding.
6. Type the following commands to format the USB stick and prepare it for SERT (clean removes every existing partition on the selected disk, and active marks the new partition bootable, which a BIOS boot from the stick requires):
select disk <number> <enter>
clean <enter>
create partition primary <enter>
select partition 1 <enter>
active <enter>
format fs=fat32 <enter>
exit <enter>
7. At the command prompt, type the following to copy the SERT files to the USB stick (replace <removable disk drive letter> with the letter Windows assigned, for example E:):
xcopy C:\SERT\*.* <removable disk drive letter>\ /e /h /f <enter>
For updated definition files, download the JDB files and unzip them to the USB key. The JDB files can be found at http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce
To see how the SERT tool can be updated with the downloaded JDB file, read the following article: http://www.bvanleeuwen.nl/faq/?p=748
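The USB preparation above, together with the .jdb unpacking described earlier on this page, as one added PowerShell example (not part of the Symantec article or of SERT): it refuses to run unless exactly one USB-attached disk is present and asks for explicit confirmation before erasing it, mounts the ISO instead of needing WinRAR, and extracts the .jdb with the .NET ZipFile class, which does not require renaming the file to .zip. It assumes Windows 8/Server 2012 or later (Storage module, Mount-DiskImage, .NET 4.5); the ISO and .jdb paths and the VirusDefs folder name are assumptions.

```powershell
# Added example, not part of the Symantec article: build a bootable SERT USB key
# and stage a downloaded .jdb definition file on it.
param(
    [string]$IsoPath       = "$env:USERPROFILE\Downloads\SERT.iso",        # assumption
    [string]$JdbPath       = "$env:USERPROFILE\Downloads\definitions.jdb", # hypothetical file name
    [string]$JdbFolderName = 'VirusDefs'                                   # assumption
)

function Select-UsbDisk {
    # Refuse to guess: exactly one USB disk must be present, and it must be under 32 GB
    # because Format-Volume will not create larger FAT32 volumes.
    $usb = @(Get-Disk | Where-Object { $_.BusType -eq 'USB' })
    if ($usb.Count -ne 1) {
        throw "Expected exactly one USB disk, found $($usb.Count). Unplug other USB drives and retry."
    }
    if ($usb[0].Size -gt 32GB) { throw "Disk $($usb[0].Number) is larger than 32 GB; FAT32 cannot be created on it here." }
    return $usb[0]
}

function Initialize-SertUsb {
    param($Disk)
    # Same effect as the diskpart sequence above: clean, MBR, one active FAT32 partition.
    Clear-Disk -Number $Disk.Number -RemoveData -RemoveOEM -Confirm:$false
    Initialize-Disk -Number $Disk.Number -PartitionStyle MBR
    $part = New-Partition -DiskNumber $Disk.Number -UseMaximumSize -IsActive -AssignDriveLetter
    $part | Format-Volume -FileSystem FAT32 -NewFileSystemLabel 'SERT' -Confirm:$false | Out-Null
    $letter = (Get-Partition -DiskNumber $Disk.Number -PartitionNumber $part.PartitionNumber).DriveLetter
    return "${letter}:\"
}

function Copy-SertImage {
    param([string]$Iso, [string]$Target)
    # Mount the ISO instead of extracting it with a third-party tool (the /e /h xcopy above).
    Mount-DiskImage -ImagePath $Iso -ErrorAction Stop | Out-Null
    try {
        $letter = (Get-DiskImage -ImagePath $Iso | Get-Volume).DriveLetter
        Copy-Item -Path "${letter}:\*" -Destination $Target -Recurse -Force
    } finally {
        Dismount-DiskImage -ImagePath $Iso | Out-Null
    }
}

function Expand-Jdb {
    param([string]$Jdb, [string]$Destination)
    # A .jdb is a zip archive with a different extension. ZipFile ignores the extension,
    # so the rename-to-.zip trick is unnecessary (Expand-Archive would insist on .zip).
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    [System.IO.Compression.ZipFile]::ExtractToDirectory($Jdb, $Destination)
    return (Get-ChildItem -Path $Destination -Recurse -File | Measure-Object).Count
}

$disk = Select-UsbDisk
Write-Host ("About to ERASE disk {0}: {1} ({2} GB)" -f $disk.Number, $disk.FriendlyName, [math]::Round($disk.Size / 1GB))
if ((Read-Host 'Type ERASE to continue') -ne 'ERASE') { return }

$root  = Initialize-SertUsb -Disk $disk
Copy-SertImage -Iso $IsoPath -Target $root
$count = Expand-Jdb -Jdb $JdbPath -Destination (Join-Path $root $JdbFolderName)
Write-Host "SERT copied to $root; $count definition files staged in $JdbFolderName."
Write-Host "In SERT, use 'Browse for Virus Definitions' and select that folder if no network is available."
```

The bus-type check and the typed confirmation replace the "confirm the disk number" warning in the diskpart procedure; if more than one USB disk is attached the script stops rather than picking one.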
On a local machine you can check the excluded directories of Symantec AntiVirus in the following registry key:
For Windows Server 2008 (64-bit) and Symantec Endpoint Protection (SEP) 11, look at the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Admin
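Scan exclusions are the first thing both an auditor and an attacker look for, since anything dropped into an excluded directory is never scanned. The following added PowerShell example (not part of the Symantec article) enumerates the administrator-defined directory exclusions under the key above (and the native-view equivalent on 32-bit Windows) and flags the ones that matter most. The value names DirectoryName and ExcludeSubDirs are those seen in SEP 11 exclusion entries and are an assumption here; every value under each subkey is also dumped raw so nothing is hidden if the names differ. The risk ranking is a heuristic of this example, not Symantec guidance.

```powershell
# Added example, not part of the Symantec article: list SEP directory exclusions
# from the registry and rank the risky ones.
function Test-ExclusionRisk {
    # Heuristic (assumption): paths a low-privileged user or a dropper can write to,
    # or that cover a whole drive, turn a scan exclusion into a place to stage malware.
    param([string]$Path, [bool]$SubDirs)
    if (-not $Path) { return 'unknown' }
    switch -Regex ($Path) {
        '^[A-Za-z]:\\?$'                                    { return 'critical: whole drive excluded' }
        '\\(Temp|tmp)(\\|$)'                                { return 'high: temp directory' }
        '^[A-Za-z]:\\(Users|Documents and Settings)(\\|$)'  { return 'high: user profile area' }
        '^[A-Za-z]:\\ProgramData(\\|$)'                     { return 'medium: ProgramData' }
        '^[A-Za-z]:\\Windows\\(System32|SysWOW64)(\\|$)'    { return 'medium: system directory' }
    }
    if ($SubDirs) { return 'review: whole subtree excluded' }
    return 'low'
}

function Get-SepDirectoryExclusions {
    $roots = @(
        'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Admin',  # 64-bit Windows
        'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Admin'               # 32-bit Windows
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $v = Get-ItemProperty -LiteralPath $key.PSPath
            # Raw dump of every value, in case the value names differ from the assumed ones.
            $raw = $v.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
            $subdirs = [bool]$v.ExcludeSubDirs
            [pscustomobject]@{
                Key            = $key.PSChildName
                Directory      = $v.DirectoryName
                ExcludeSubDirs = $subdirs
                Risk           = Test-ExclusionRisk -Path $v.DirectoryName -SubDirs $subdirs
                RawValues      = $raw -join '; '
            }
        }
    }
}

$exclusions = @(Get-SepDirectoryExclusions)
if ($exclusions.Count -eq 0) {
    Write-Host 'No administrator-defined directory exclusions found.'
} else {
    $exclusions | Sort-Object Risk | Format-Table Directory, ExcludeSubDirs, Risk, Key -AutoSize
    $exclusions | Where-Object { $_.Risk -notmatch '^low' } | Select-Object Directory, RawValues | Format-List
}
```

Reading this key needs only local administrator rights, which is exactly why exclusions configured here should be reviewed against the policy in the SEPM: a local change to the registry on one client does not show up in the console.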
Document ID: 2007071909500548
What should I think about in advance before I begin migrating my Symantec AntiVirus environment to Symantec Endpoint Protection?
Consider several factors before you begin your migration:
- Do you have the resources to create a test migration environment?
Creating such an environment before you begin migration is highly beneficial: you can test exactly how clients and servers are grouped, which settings are migrated, and the overall migration success rate.
- Can you perform a complete migration to Symantec Endpoint Protection?
If your network contains operating systems (such as Netware) that are not supported with Symantec Endpoint Protection, then Symantec System Center must manage a subset of the clients and servers.
- Do you want to create new client groupings or use the existing groupings from Symantec System Center?
- How do you plan on migrating Symantec Endpoint Protection to your clients? Do you plan to use third party tools or the Migration and Deployment Wizard?
- After you determine the method that you want to use to migrate your clients, you can determine whether to use certain Symantec Endpoint Protection features.
- Are there client settings that you must disable or reconfigure to ensure successful migration?
- Some client settings such as scheduled scans must be disabled before you begin migration.
Before you begin migration, you must read the migration chapters in the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.
What are the general steps to migrating Symantec AntiVirus to Symantec Endpoint Protection?
You must complete the following steps to migrate Symantec AntiVirus to Symantec Endpoint Protection in the order listed:
- Uninstall the Reporting Server if you have it installed.
- Use Symantec System Center to configure settings for the management server and clients that prepare them for migration. These settings changes are: disable scheduled scans, modify Quarantine purge options, delete histories, disable LiveUpdate, disable roaming, unlock server groups, and disable Tamper Protection.
- Install the Symantec Endpoint Protection Manager.
- Migrate your legacy clients and servers.
- Uninstall Symantec System Center.
- Migrate the legacy client or server that was used to protect the computer running Symantec System Center.
To create a user account for a server group
- Start Symantec System Center.
- Right-click the appropriate server group.
- Click Account Management.
- In the Configure Server Group Accounts dialog box, click Add.
- In the Account Setup dialog box, do the following:
- Type the user name.
- In the New password box, type the password.
- In Confirm password box, type the password again.
- Under Account Type, check the role that you want to assign to the user: Read-only, Administrator, Central Quarantine, or Gateway Security.
- Click OK.
- Click Finished.
The changes are then sent to the secondary management servers in the server group.