How to completely remove Symantec Antivirus (without entering password)

CleanWipe Utility

The CleanWipe utility completely removes Symantec AntiVirus and Symantec Endpoint Protection products.
To obtain CleanWipe, contact Symantec Technical Support.

Once you have obtained the utility, follow these instructions:

This utility can be run on Windows 2000, Windows XP (32- and 64-bit), and Windows Server 2003 (32- and 64-bit).

Warnings:
Do not run this utility on Windows NT, Windows 9x, or Windows Me.
Do not run this utility on systems that have Symantec AntiVirus 8.x or below installed.

You cannot select individual applications to remove. 

CleanWipe may remove LiveUpdate.

CleanWipe removes the virus definitions if you answer Yes to "Do you want to do a detailed MSI Product Code registry search?...", even if you answer No to "If Virus Defs remain after uninstalling Symantec products do you want to uninstall the Virus Defs?". If other Symantec applications on the computer use the VirusDefs folder, make a backup copy of that folder before running CleanWipe. The VirusDefs folder is located under C:\Program Files\Common Files\Symantec Shared\.

Be aware that CleanWipe removes the following products and components from the computer:

Alert Management Server
Firewall Administrator
Quarantine Console
Quarantine Server
Symantec AntiVirus (Version 9.x and above)
Symantec AntiVirus Corporate Edition
Symantec Client
Symantec Client Firewall
Symantec Client Security
Symantec Endpoint Protection
Symantec Endpoint Protection Manager
Symantec LiveUpdate
Symantec Network Access Control
Symantec Sygate Enterprise Protection
Symantec System Center
Symevent

If other Symantec applications on the computer depend on any of the applications listed above, they may not function properly after CleanWipe runs, and you may need to reinstall them.

Note: The zip file is password protected.
Un-Zip Password: symantec

1. Extract the file to a new folder in a convenient location, such as the Desktop, using the un-zip password provided above.
2. Browse to the new folder and run the utility by double-clicking CleanWipe.exe.
3. Follow the on-screen instructions.

The utility runs in verbose mode and will ask you about the components you want uninstalled.

Note: If the CleanWipe utility fails to remove Symantec Endpoint Protection, please proceed through the manual uninstall procedure for the version of the product you have installed.

You can find the manual uninstall instructions in the following document: 

Title: How to manually uninstall Symantec Endpoint Protection client from Windows 2000, XP and 2003, 32-bit Editions
Solution ID: 2007073018014248
Document URL:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007073018014248

Title: 'Manual uninstallation documents for Symantec Client Security products'
Solution ID: 2002031914291648
Document URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002031914291648

Symantec: How to work with Data Sources (ODBC) or an ODBC connection on a 64-bit Windows OS

Problem

The Symantec Endpoint Protection Manager (SEPM) is installed on a 64-bit Windows operating system. The Data Source Name (DSN) entry is not listed on the System DSN tab when Data Sources (ODBC) is opened from Control Panel or from Administrative Tools.

Symptoms
The Symantec Endpoint Protection Manager (SEPM) is installed on a 64-bit Windows operating system.

  • The SEPM installation completes without errors, but the DSN is not listed.
  • "SymantecEndpointDSN" is not listed on the System DSN tab of the ODBC applet.

Cause

The DSN does not appear in the Data Sources (ODBC) applet opened from Control Panel or Administrative Tools on a 64-bit system because that applet shows only 64-bit DSNs, while the Symantec Endpoint Protection Manager (SEPM) creates a 32-bit DSN.

Solution

Go to the %systemroot%\SysWoW64 folder (for example, click Start > Run, type C:\Windows\SysWoW64, and click OK).

  1. Locate Odbcad32.exe and double-click it.
  2. Click the System DSN tab.
  3. "SymantecEndpointDSN" is now listed in the window.
  4. Click Configure and proceed with the configuration of the DSN for the Symantec Endpoint Protection Manager.

source: http://www.symantec.com/docs/TECH103990

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

  1. Using an unzipping utility, unzip the .jdb file into a new folder.

    Note: It is possible to use the built-in Windows unzip utility to unzip the .jdb file. To do so, change the file extension on the .jdb file to .zip, right-click the file, and click “Extract All…”.

  2. After the .jdb is uncompressed, place the folder on a removable storage device or at the root of the infected computer's hard drive so that the Symantec Endpoint Recovery Tool can access the definitions.
  3. Confirm that the infected computer boots from CD or removable media first.
    Refer to the computer’s manual for information on configuring the computer appropriately.
  4. Boot the infected computer from the SERT disc.
  5. Click Continue loading Endpoint Recovery Tool
  6. Select a language and click OK.
  7. When presented with the Symantec Software License Agreement, click I Agree.
  8. If a network connection is detected, the Symantec Endpoint Recovery Tool attempts to download the latest virus definitions. If the computer is isolated from the network, or if it is unable to download definitions for any reason, click Browse for Virus Definitions, and browse to the folder to which you unzipped the virus definitions.
  9. Verify that the virus definitions have been loaded by looking in the lower right-hand corner of the screen: "Virus definitions current as of" should show the current date.
  10. Make sure that Save scan session information is checked.
    Saving the scan session allows you to undo any modifications made by the tool.
    If needed, you can change the location where the scan session information will be stored. To do so, click Change location and select the preferred location.
  11. Click Start Scan.

 

Source: http://www.symantec.com/docs/TECH131732

Which Communication Ports does Symantec Endpoint Protection 11.0 use?

To open firewall ports for SEP, you need to know the following ports:

Port      Type  Initiated by                Listening process   Description
80, 8014  TCP   SEP clients                 svchost.exe (IIS)   Communication between the SEPM and SEP clients and Enforcers (8014 in MR3 and later builds, 80 in older builds).
443       TCP   SEP clients                 svchost.exe (IIS)   Optional secured HTTPS communication between the SEPM and SEP clients and Enforcers.
1433      TCP   SEPM                        sqlservr.exe        Communication between the SEPM and a Microsoft SQL database server when they reside on separate computers.
1812      UDP   Enforcer                    w3wp.exe            RADIUS communication between the SEPM and Enforcers for authenticating unique ID information with the Enforcer.
2638      TCP   SEPM                        dbsrv9.exe          Communication between the embedded database and the SEPM.
8443      TCP   Remote Java or web console  SemSvc.exe          HTTPS communication between a remote management console and the SEPM. All login information and administrative communication takes place over this secure port.
9090      TCP   Remote web console          SemSvc.exe          Initial HTTP communication between a remote management console and the SEPM (to display the login screen only).
8005      TCP   SEPM                        SemSvc.exe          The SEPM listens on the Tomcat default port.
39999     UDP   Enforcer                    (not listed)        Communication between SEP clients and the Enforcer, used by the Enforcer to authenticate clients.
2967      TCP   SEP clients                 Smc.exe             The Group Update Provider (GUP) proxy functionality of the SEP client listens on this port.

 

The Symantec Endpoint Protection Manager (SEPM) uses two web servers: Internet Information Services (IIS) and Tomcat. IIS uses ports 80 (or 8014) and 443; Tomcat uses ports 9090 and 8443. IIS and Tomcat talk to each other over HTTP: IIS uses port 9090 to reach Tomcat, and Tomcat uses port 80 to reach IIS.

Client-Server Communication:
SEP uses HTTP or HTTPS through IIS between the clients or Enforcers and the server, on ports 80 (or 8014) and 443 by default. In addition, the Enforcers use RADIUS on UDP port 1812 to communicate in real time with the manager for client authentication.

Remote Console:
9090 is used by the remote console to download .jar files and display the help pages.
8443 is used by the remote console to communicate with SEPM and the Replication Partners to replicate data.

Client-Enforcer Authentication:
The clients communicate with the Enforcer using a proprietary protocol that authenticates the clients with a challenge-response exchange. The default port for this is UDP 39999.

Source: http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/edda0cd89141a6788025734e004b6a02?OpenDocument
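The port table above is only useful if the ports are really bound by the processes it names and really reachable through whatever firewall sits between client and manager. The following PowerShell is an added example, not code from the Symantec article: it checks both. It assumes a Windows 8 / Server 2012 or later host (Get-NetTCPConnection and Test-NetConnection are not available on Windows 2003) and uses the placeholder SEPM host name sepm01.example.local; the port-to-process pairs are taken from the table.

```powershell
# Added example, not part of the Symantec article above: check the SEP 11 port
# table from both sides. Assumes Windows 8 / Server 2012 or later on the host
# running it (Get-NetTCPConnection, Test-NetConnection) and a placeholder SEPM
# host name "sepm01.example.local". Port-to-process pairs come from the table.

# Expected TCP listeners on the SEPM itself. Process names are as PowerShell
# reports them (no .exe suffix).
$ExpectedListeners = @(
    @{ Port = 8014; Process = 'svchost' }   # IIS, client and Enforcer traffic (80 before MR3)
    @{ Port = 443;  Process = 'svchost' }   # IIS, optional HTTPS client channel
    @{ Port = 8443; Process = 'SemSvc'  }   # Tomcat, remote console and replication (HTTPS)
    @{ Port = 9090; Process = 'SemSvc'  }   # Tomcat, remote console login page (HTTP)
    @{ Port = 8005; Process = 'SemSvc'  }   # Tomcat default port
    @{ Port = 2638; Process = 'dbsrv9'  }   # embedded database
)

# Run on the SEPM. For each expected port, report whether something is listening,
# which process owns the socket, and the address it is bound to. A port owned by
# a process other than the one in the table, or a port nothing listens on, is the
# thing to investigate before touching any firewall rule.
function Get-SepmListenerStatus {
    param([array]$Expected = $ExpectedListeners)
    foreach ($entry in $Expected) {
        $conn = Get-NetTCPConnection -State Listen -LocalPort $entry.Port -ErrorAction SilentlyContinue |
                Select-Object -First 1
        $owner = $null
        if ($conn) {
            $owner = (Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
        $status = if (-not $conn)                    { 'NOT LISTENING' }
                  elseif ($owner -ne $entry.Process) { 'UNEXPECTED OWNER' }
                  else                               { 'OK' }
        [pscustomobject]@{
            Port            = $entry.Port
            ExpectedProcess = $entry.Process
            ActualProcess   = $owner
            LocalAddress    = if ($conn) { $conn.LocalAddress } else { $null }
            Status          = $status
        }
    }
}

# Run on a SEP client (or a prospective remote-console host). Completes a TCP
# handshake to each port to prove any intermediate firewall passes it. The UDP
# ports in the table (1812 RADIUS, 39999 client-to-Enforcer) cannot be verified
# this way, because Test-NetConnection only tests TCP.
function Test-SepmReachability {
    param(
        [string]$Sepm  = 'sepm01.example.local',   # placeholder, replace with your SEPM
        [int[]] $Ports = @(8014, 443, 8443, 9090)
    )
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Sepm -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Sepm = $Sepm; Port = $p; TcpOpen = $r.TcpTestSucceeded }
    }
}

Get-SepmListenerStatus | Format-Table -AutoSize
Test-SepmReachability  | Format-Table -AutoSize
```

Run Get-SepmListenerStatus on the manager from an elevated session (process ownership of other users' sockets is not visible otherwise) and Test-SepmReachability on a client. On a pre-MR3 manager, change 8014 to 80 in both lists.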

Create a bootable SERT USB key

The Symantec Endpoint Recovery Tool is an image that you can burn to a disc and use to scan and remove malware from client computers. You use this tool for computers that are too infected for Symantec Endpoint Protection to clean effectively.

(http://www.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert)

You can download the tool from https://fileconnect.symantec.com/; you need your license number (for example, B1234567891).

Download the tool and get a USB key with at least 512 MB of space.

1.    Using WinRAR or similar, extract the SERT.iso file to the local file system (assume C:\SERT).
2.    Open a command prompt with admin rights.
3.    Insert the USB stick into the computer.
4.    Type the following command to start Diskpart:
diskpart <enter>
5.    Type the following command to list the available disks:
list disk <enter>

This command is important: it shows you which disk number is your USB drive. The clean command in the next step erases whatever disk is selected, so selecting the wrong disk here destroys the data on your hard disk. The USB drive is normally Disk 1, but confirm it (its size is a good check) before proceeding.

6.    Type following commands to format the USB stick and prepare it for SERT:
select disk <number> <enter>
clean <enter>
create partition primary <enter>
select partition 1 <enter>
active <enter>
format fs=fat32 <enter>
assign <enter>
exit <enter>

7.    At the command prompt, type the following to copy the SERT files to the USB Stick:
xcopy C:\SERT\*.* <removable disk drive letter>\ /e /h /f <enter>

For updated definition files, download the JDB files and unzip them to the USB key. The JDB files can be found at http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce
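The steps above are safe only if the disk number fed to "select disk" is the USB key. The following PowerShell is an added example, not code from the article: it runs the same diskpart sequence and xcopy, but refuses to proceed unless the chosen disk is USB-attached and not the boot or system disk, and it also extracts a downloaded .jdb definition package onto the key (the .jdb is a zip archive under another name, as noted in the SERT definitions section above). It assumes Windows 8 / Server 2012 or later (Get-Disk, Get-Partition; Expand-Archive needs PowerShell 5.0), an elevated session, SERT extracted to C:\SERT, and a .jdb file already downloaded; those paths and the "Definitions" folder name are placeholders.

```powershell
# Added example, not part of the article above: the diskpart sequence from steps
# 4 to 7, driven from PowerShell with a check that the selected disk really is a
# USB device before "clean" destroys it, plus the .jdb definition copy. Assumes
# Windows 8 / Server 2012 or later, an elevated session, SERT extracted to
# C:\SERT and a downloaded .jdb file (placeholder paths).

# Show only USB-attached disks so the number you pass in comes from this list.
function Get-UsbDiskCandidates {
    Get-Disk | Where-Object { $_.BusType -eq 'USB' } |
        Select-Object Number, FriendlyName, BusType,
                      @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }
}

function New-SertUsbKey {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][int]$DiskNumber,
        [string]$SertPath = 'C:\SERT'
    )
    $disk = Get-Disk -Number $DiskNumber
    # Refuse anything that is not USB, or that Windows is running from.
    if ($disk.BusType -ne 'USB') {
        throw "Disk $DiskNumber ($($disk.FriendlyName)) is on bus '$($disk.BusType)', not USB. Refusing to clean it."
    }
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber is the boot or system disk. Refusing to clean it."
    }
    if (-not (Test-Path -LiteralPath $SertPath)) { throw "SERT files not found at $SertPath" }

    # Identical to the interactive commands in step 6, fed to diskpart as a script.
    $script = @"
select disk $DiskNumber
clean
create partition primary
select partition 1
active
format fs=fat32
assign
exit
"@
    $sizeGb = [math]::Round($disk.Size / 1GB, 1)
    if (-not $PSCmdlet.ShouldProcess("disk $DiskNumber ($($disk.FriendlyName), $sizeGb GB)",
                                     'clean, create an active FAT32 partition, and copy SERT')) {
        return
    }
    $scriptFile = Join-Path $env:TEMP 'sert-diskpart.txt'
    Set-Content -LiteralPath $scriptFile -Value $script -Encoding ASCII
    try     { diskpart.exe /s $scriptFile | Write-Verbose }
    finally { Remove-Item -LiteralPath $scriptFile -ErrorAction SilentlyContinue }

    $letter = (Get-Partition -DiskNumber $DiskNumber -PartitionNumber 1).DriveLetter
    if (-not $letter -or [int]$letter -eq 0) { throw 'diskpart did not assign a drive letter.' }
    $target = "${letter}:\"
    xcopy.exe "$SertPath\*.*" $target /e /h /f | Write-Verbose   # step 7
    return $target
}

# The .jdb package is a zip archive; copy it to .zip and extract it into a folder
# on the key so SERT can find it with "Browse for Virus Definitions".
function Copy-SertDefinitions {
    param(
        [Parameter(Mandatory = $true)][string]$JdbFile,   # placeholder, e.g. C:\Downloads\defs.jdb
        [Parameter(Mandatory = $true)][string]$UsbRoot    # value returned by New-SertUsbKey
    )
    $zip = [System.IO.Path]::ChangeExtension($JdbFile, '.zip')
    Copy-Item -LiteralPath $JdbFile -Destination $zip -Force
    $dest = Join-Path $UsbRoot 'Definitions'
    Expand-Archive -LiteralPath $zip -DestinationPath $dest -Force
    Remove-Item -LiteralPath $zip
    return $dest
}

Get-UsbDiskCandidates | Format-Table -AutoSize
# $usb = New-SertUsbKey -DiskNumber 1 -Confirm
# Copy-SertDefinitions -JdbFile 'C:\Downloads\defs.jdb' -UsbRoot $usb
```

New-SertUsbKey is marked ConfirmImpact High, so it prompts before cleaning the disk unless you pass -Confirm:$false; run it with -WhatIf first to see which disk it would wipe.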

To see how the SERT tool can be updated with the downloaded JDB file, read the following article: http://www.bvanleeuwen.nl/faq/?p=748

How to check locally excluded directories in a managed SAV environment

On a local machine, you can check the directories excluded from Symantec AntiVirus real-time scanning in the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan\FileExceptions]

 

For Windows 2008 (64Bit) and Symantec Endpoint Protection (SEP) 11, look at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Admin
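Both the exclusion key above for SEP 11 on 64-bit Windows and the SEPM DSN in the ODBC section earlier live in the 32-bit registry view (Wow6432Node), which is why the default 64-bit tools do not show them. The following PowerShell is an added example, not code from either Symantec article: it reads a system DSN from both registry views and dumps the SAV 10.x and SEP 11 exclusion keys. It assumes 64-bit Windows, a 64-bit PowerShell 3.0 or later session (a 32-bit session is silently redirected to Wow6432Node and would not show the difference), the key paths quoted in the two articles, and the DSN name SymantecEndpointDSN from the ODBC article.

```powershell
# Added example, not taken from either Symantec article: read the 32-bit registry
# view on 64-bit Windows, where both the SEPM system DSN and the SEP 11 exclusion
# list live. Assumes 64-bit Windows, a 64-bit PowerShell 3.0+ session, and the
# key paths quoted in the articles.

function Get-RegistryValues {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $item = Get-Item -LiteralPath $Path
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Path = $Path; Name = $name; Value = $item.GetValue($name) }
    }
}

# System DSNs are registered as values under "ODBC.INI\ODBC Data Sources":
# value name = DSN name, value data = driver. The default ODBC applet shows the
# 64-bit view; SysWoW64\odbcad32.exe shows the 32-bit view under Wow6432Node.
function Find-SystemDsn {
    param([string]$Name = 'SymantecEndpointDSN')
    $views = [ordered]@{
        '64-bit' = 'HKLM:\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources'
        '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\ODBC\ODBC.INI\ODBC Data Sources'
    }
    foreach ($view in $views.Keys) {
        $hit = Get-RegistryValues $views[$view] | Where-Object { $_.Name -eq $Name }
        [pscustomobject]@{
            View   = $view
            Dsn    = $Name
            Found  = [bool]$hit
            Driver = if ($hit) { $hit.Value } else { $null }
        }
    }
}

# Real-time scan exclusion keys: SAV 10.x (LANDesk key) and SEP 11 on 64-bit
# Windows 2008 (Wow6432Node). Each key is dumped recursively, since the entries
# may sit in subkeys rather than as one flat list of values.
$ExclusionKeys = @(
    'HKLM:\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan\FileExceptions'
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Admin'
)

function Get-SymantecExclusions {
    param([string[]]$Keys = $ExclusionKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Verbose "Not present: $key"
            continue
        }
        Get-RegistryValues $key
        Get-ChildItem -LiteralPath $key -Recurse | ForEach-Object { Get-RegistryValues $_.PSPath }
    }
}

Find-SystemDsn         | Format-Table -AutoSize
Get-SymantecExclusions | Format-Table -AutoSize
```

On a correctly installed 64-bit SEPM, Find-SystemDsn reports Found = False for the 64-bit view and Found = True for the 32-bit view, which is the situation the ODBC section describes.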

Migrate Symantec Anti Virus to Symantec Endpoint Protection

Document ID: 2007071909500548

What should I think about in advance before I begin migrating my Symantec AntiVirus environment to Symantec Endpoint Protection?
Consider several factors before you begin your migration:

  • Do you have the resources to create a test migration environment?
    Creating such an environment before you begin migration is highly beneficial: it lets you test exactly how clients and servers are grouped, which settings are migrated, and the overall migration success rate.
  • Can you perform a complete migration to Symantec Endpoint Protection?
    If your network contains operating systems (such as NetWare) that Symantec Endpoint Protection does not support, Symantec System Center must continue to manage that subset of clients and servers.
  • Do you want to create new client groupings or use the existing groupings from Symantec System Center?
  • How do you plan on migrating Symantec Endpoint Protection to your clients? Do you plan to use third party tools or the Migration and Deployment Wizard?
  • After you determine the method that you want to use to migrate your clients, you can determine whether to use certain Symantec Endpoint Protection features.
  • Are there client settings that you must disable or reconfigure to ensure successful migration?
  • Some client settings such as scheduled scans must be disabled before you begin migration.

Before you begin migration, you must read the migration chapters in the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.

What are the general steps to migrating Symantec AntiVirus to Symantec Endpoint Protection?
You must complete the following steps, in the order listed, to migrate Symantec AntiVirus to Symantec Endpoint Protection:

  1. Uninstall the Reporting Server if you have it installed.
  2. Use Symantec System Center to configure settings for the management server and clients that prepare them for migration.
    These settings changes are: disable scheduled scans, modify Quarantine purge options, delete histories, disable LiveUpdate, disable roaming, unlock server groups, and disable Tamper Protection.
  3. Install the Symantec Endpoint Protection Manager.
  4. Migrate your legacy clients and servers.
  5. Uninstall Symantec System Center.
  6. Migrate the legacy client or server that was used to protect the computer running Symantec System Center.

Create user account in Symantec System Center 10.x

To create a user account for a server group

  1. Start Symantec System Center.
  2. Right-click the appropriate server group.
  3. Click Account Management.
  4. In the Configure Server Group Accounts dialog box, click Add.
  5. In the Account Setup dialog box, do the following:
    • Type the user name.
    • In the New password box, type the password.
    • In Confirm password box, type the password again.
    • Under Account Type, check the role that you want to assign to the user: Read-only, Administrator, Central Quarantine, or Gateway Security.
  6. Click OK.
  7. Click Finished.
    The changes are then sent to the secondary management servers in the server group.


How to change the password in Symantec AntiVirus Corporate Edition 10.x

Document ID: 2005041217010148

About the server group password
The "Remember this user name and password for me" check box saves the password so that you do not have to enter it the next time the server group is opened. If you also check "Automatically unlock this Server Group when I start the Symantec System Center", the password is saved in a secured cache.

To no longer save the server group password

  1. In the Symantec System Center console, in the left pane, right-click a locked server group, and then click Unlock Server Group.
  2. Uncheck Remember this user name and password for me.
  3. Uncheck Automatically unlock this Server Group when I start the Symantec System Center.
  4. Click OK.
  5. Exit the Symantec System Center console.
  6. When you are prompted to save, click No.

The server group is now configured to prompt for a password, and the server group will not be unlocked automatically when you start Symantec System Center.

Reset the Symantec System Center admin user password
You can use the Password Reset Utility to reset any user’s password. You must have Administrator access to the primary server of the server group.

To reset the Symantec System Center admin user password

  1. On the computer running Symantec System Center, start Windows Explorer.
  2. Go to \Program Files\Symantec\Symantec System Center\Tools.
  3. In the right pane, double-click the IFORGOT.exe file.
  4. In the Primary server field, type the name of the server group’s primary server.
  5. In the User field, type admin.
  6. In the New Password and Confirm New Password fields, type the new password.
  7. Click Reset Password.
    You may be prompted for a Windows user name and password if you specify a remote server.

For information about creating and managing user accounts in Symantec System Center, see the document Using Symantec System Center roles in Symantec AntiVirus 10.x and Symantec Client Security 3.x.

Use a client uninstallation password
It is possible to configure the client component of Symantec AntiVirus to request a password before allowing a user to uninstall it. By default, this feature is enabled, but often the password is not set by an administrator. When the client can communicate with the server, the password can be reset or disabled.

To require a password before uninstalling

  1. In the Symantec System Center console, right-click a server, a server group, or a client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
  2. On the Security tab, check Ask for password to allow uninstall of Symantec AntiVirus Client.
  3. Click Change.
  4. In the Configure Password dialog box, type a new password, and then confirm by typing the password again.
  5. Click OK, and then click OK again.

If the client system needs to be uninstalled but can no longer communicate with the parent server, please contact Symantec Technical Support for assistance.

Use a client network scan password
In a networked environment where most, if not all, systems are running some form of antivirus software, it is inefficient to let systems perform real-time or manual scanning of network resources, because those resources are already protected by their own local antivirus software. It may still be undesirable to disable this functionality completely, since you may want to scan a system remotely at a later date. The best solution is a password, known only to the system administrators, that prevents casual scanning of network resources while keeping it available as a tool. If the client system can still communicate with the parent server, the password can be reset or disabled.

To require a password before scanning mapped network drives

  1. In the Symantec System Center console, right-click a server, a server group, or a client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
  2. On the Security tab, check Ask for password to allow scan of Mapped Network Drives.
  3. Click Change.
  4. In the Configure Password dialog box, type a new password, and then confirm by typing the password again.
  5. Click OK, and then click OK again.

Configuring Symantec AntiVirus for deployment as part of a drive image

Symantec Document ID: 2005092215503348

Question/Issue:
You need to create a drive image with Symantec AntiVirus already installed.

Solution:
Every installation of Symantec AntiVirus creates a globally unique identifier (GUID) for that installation when the Rtvscan service first starts. If you use a computer with Symantec AntiVirus to create a drive image, and if that image is used to create clones of that computer on the same network, then each computer will have the same GUID. This causes problems in Symantec System Center, such as the following:

  • Clients do not appear.
  • Clients randomly appear and disappear.

You can prevent this problem by creating a drive image that does not have a Symantec AntiVirus GUID.

To create an image without a Symantec AntiVirus GUID

  1. Install the operating system, and install all patches as you would normally.
    Do not install Symantec AntiVirus yet.
  2. Install any other software besides Symantec AntiVirus that will be on the image.
  3. Install Symantec AntiVirus last, after any other installations.
  4. Before you save the image, start the Registry Editor.
  5. Go to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion

  6. In the right pane, right-click GUID, and then click Delete.
  7. Exit the Registry Editor.
    The hard drive now contains the final image. Do not restart the computer.
  8. Create the image with your preferred disk imaging software.

When the computer starts again, Rtvscan checks for the GUID value, and when it determines that it does not exist, it generates a new one.

If you have computers that were already deployed with identical GUID values, you can delete the GUID value on each computer, as described above. This can be done with a batch file, a login script, or a group policy object.
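The last paragraph leaves the scripted clean-up to the reader. The following PowerShell is an added example, not code from the Symantec article: it deletes the GUID value from the key named above, and, for fleets that were already cloned, reads the GUID from a list of computers over the Remote Registry API so you can see which ones collide. It assumes the SAV 10.x key path quoted in the article, an elevated session, and, for the remote inventory, that the Remote Registry service is reachable on the targets; the computer names are placeholders.

```powershell
# Added example, not from the Symantec article: delete the Rtvscan GUID value
# described above and find computers that already share a GUID. Assumes the
# SAV 10.x key path quoted in the article, an elevated session and, for the
# remote inventory, a reachable Remote Registry service. Names are placeholders.

$SavVersionKey = 'SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion'

# Read the GUID value from a local or remote machine through the Remote Registry
# API; returns $null when the key or the value is absent.
function Get-SavGuid {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hive.OpenSubKey($SavVersionKey)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue('GUID') } finally { $key.Close() }
    } finally { $hive.Close() }
}

# Group a list of computers by GUID; any group with more than one member was
# cloned from an image that still carried a GUID.
function Find-DuplicateSavGuids {
    param([string[]]$ComputerName)
    $results = foreach ($c in $ComputerName) {
        try   { [pscustomobject]@{ Computer = $c; Guid = Get-SavGuid -ComputerName $c } }
        catch { [pscustomobject]@{ Computer = $c; Guid = "ERROR: $($_.Exception.Message)" } }
    }
    $results | Where-Object { $_.Guid -and $_.Guid -notlike 'ERROR:*' } |
        Group-Object Guid | Where-Object Count -gt 1 |
        ForEach-Object { [pscustomobject]@{ Guid = $_.Name; Computers = ($_.Group.Computer -join ', ') } }
}

# Delete the local GUID value so Rtvscan generates a new one on its next start.
# Before imaging: run this and then do not restart (step 7 above). On already
# deployed clones: run this and restart the computer.
function Remove-SavGuid {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $path = "HKLM:\$SavVersionKey"
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Key not found: $path (is Symantec AntiVirus installed?)"
    }
    $current = (Get-ItemProperty -LiteralPath $path -Name GUID -ErrorAction SilentlyContinue).GUID
    if (-not $current) { Write-Verbose 'No GUID value present; nothing to do.'; return $null }
    if ($PSCmdlet.ShouldProcess($path, "Delete value GUID ($current)")) {
        Remove-ItemProperty -LiteralPath $path -Name GUID
    }
    return $current
}

Find-DuplicateSavGuids -ComputerName 'ws01', 'ws02', 'ws03' | Format-Table -AutoSize
# Remove-SavGuid -WhatIf
```

For a login script or a GPO startup script on machines without PowerShell, the equivalent single command is reg delete "HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion" /v GUID /f, run with administrative rights.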