About Me

This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.

2011/03/21

Symantec Endpoint Protection removal hell

Update:  I have stopped trying.  I hang my head in abject defeat.  I edited registry until my fingers bled….and all I accomplished was a network stack that refused to work.  I tried, I really did.  I followed instructions, I used the “approved” vendor-supplied tool, I read the blogs.  Nada.  At the end, I had the Teefer2 driver and service gone, with a NIC and driver that Win7 said it liked and enabled, but the firewall would not start because the Base Filtering Engine would not start because of a) lack of permissions, and b) having a wrong pw on the localservice account.  Luckily, this is why the VM is so good for us.  Delete the image instance and move on.


I had to remove SEP 11 from a system.  Oooops!  First, I could not get it to go away.  Had to get a removal tool.  That took some judicious torrent work to find as I could not get Symantec non-help to give it to me….I did not have a license nor a support agreement nor the magic decoder ring…just a P2V image from which I was trying to remove SEP.  C’mon folks… it is just a lab machine!  I have all the approved licensing….except for this Symantec piece I was trying to remove so I could be legal….my mistake.

Onward.

So CleanWipe did its thing.  Sort of.  It left me with a non-working network stack due to this Teefer2 driver that really does not want to go away.  After many hours, literally, of Google, I stumbled upon some advice that led me to remove the hklm/system/currentcontrolset/enum/root/symc_teefer2mp key.  At which point I was caught in a BFO….I think I know why these Symantec products are so hard to get rid of….

BTW, as background, in my reading over the last few hours, it is apparent that this teefer2 POS has a purpose in life redirecting traffic to SEP for scanning. My hypothesis is:  in an effort to make sure that malware cannot circumvent SEP, the clever developers created registry keys that cannot be modified except by superhuman effort.  OMG! 

My right hand hurts from the mouse clicking that it takes to remove one sub-sub-sub key.  But hey, it is only 0100 on a Monday night.  WTF eh wot?  People buy this on purpose?


See all that?  Each and every key – and I have removed about 20 so far – requires explicit administrator assignment for full control and seizing ownership so as to enable deletion.  EACH ONE.  And under the GUID there are several more.  Logged in with safe mode, as the machine administrator, not a member of administrators, and then have regedit run as administrator.  Save me Mr. Wizard!
