About Me

TsooRad is a blog for John Weber. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.


Symantec Endpoint Protection removal hell

Update:  I have stopped trying.  I hang my head in abject defeat.  I edited the registry until my fingers bled….and all I accomplished was a network stack that refused to work.  I tried, I really did.  I followed instructions, I used the "approved" vendor-supplied tool, I read the blogs.  Nada.  At the end, I had the Teefer2 driver and service gone, with a NIC and driver that Win7 said it liked and enabled, but the firewall would not start because the Base Filtering Engine would not start because of a) lack of permissions, and b) having a wrong pw on the localservice account.  Luckily, this is why the VM is so good for us.  Delete the image instance and move on.

I had to remove SEP 11 from a system.  Oooops!  First, I could not get it to go away.  Had to get a removal tool.  That took some judicious torrent work to find as I could not get Symantec non-help to give it to me….I did not have a license nor a support agreement nor the magic decoder ring…just a P2V image from which I was trying to remove SEP.  C’mon folks… it is just a lab machine!  I have all the approved licensing….except for this Symantec piece I was trying to remove so I could be legal….my mistake.


So CleanWipe did its thing.  Sort of.  It left me with a non-working network stack due to this Teefer2 driver that really does not want to go away.  After many hours, literally, of Google, I stumbled upon some advice that led me to remove the hklm/system/currentcontrolset/enum/root/symc_teefer2mp key.  At which point I was caught in a BFO….I think I know why these Symantec products are so hard to get rid of….

BTW, as background, in my reading over the last few hours, it is apparent that this teefer2 POS has a purpose in life redirecting traffic to SEP for scanning. My hypothesis is:  in an effort to make sure that malware cannot circumvent SEP, the clever developers created registry keys that cannot be modified except by superhuman effort.  OMG! 

My right hand hurts from the mouse clicking that it takes to remove one sub-sub-sub key.  But hey, it is only 0100 on a Monday night.  WTF eh wot?  People buy this on purpose?


See all that?  Each and every key – and I have removed about 20 so far – requires explicit administrator assignment for full control and seizing ownership so as to enable deletion.  EACH ONE.  And under the GUID there are several more.  Logged in with safe mode, as the machine administrator, not a member of administrators, and then have regedit run as administrator.  Save me Mr. Wizard!
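
The per-key ownership and permission problem described above can be inventoried before any key is touched. This added example is not from the original post or from the vendor: it only reads ACLs under the key named earlier, and the function name Get-KeyAclReport and the elevated Windows PowerShell session are assumptions.

```powershell
# Added example: read-only audit. It changes no ACLs and deletes nothing.
# $Root is the key named in the post. Run from an elevated Windows PowerShell prompt.
$Root    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\SYMC_TEEFER2MP'
$Admins  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$SidType = [System.Security.Principal.SecurityIdentifier]
$Full    = [System.Security.AccessControl.RegistryRights]::FullControl
$InhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-KeyAclReport {   # hypothetical helper name
    param([string]$Path, $Sid)
    # Root key first (throws if it does not exist), then every subkey that can be enumerated.
    $keys  = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
    $keys += @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        $row = @{ Key = $k.Name; Owner = '?'; AdminFull = $false; InheritanceOff = $null; Error = '' }
        try {
            $acl = Get-Acl -Path $k.PSPath -ErrorAction Stop
            $row.Owner          = $acl.GetOwner($SidType).Value
            $row.InheritanceOff = $acl.AreAccessRulesProtected
            foreach ($r in $acl.GetAccessRules($true, $true, $SidType)) {
                # Count only Allow entries that apply to this key itself, not inherit-only ones.
                if ($r.IdentityReference.Value -eq $Sid.Value -and
                    $r.AccessControlType -eq 'Allow' -and
                    -not ($r.PropagationFlags -band $InhOnly) -and
                    ($r.RegistryRights -band $Full) -eq $Full) { $row.AdminFull = $true }
            }
        } catch {
            $row.Error = $_.Exception.Message   # e.g. access denied while reading the ACL
        }
        New-Object PSObject -Property $row
    }
}

$report = @(Get-KeyAclReport -Path $Root -Sid $Admins)
$report | Select-Object Key, Owner, AdminFull, InheritanceOff, Error | Format-Table -AutoSize
$blocked = @($report | Where-Object { -not $_.AdminFull })
'{0} of {1} keys do not grant Administrators FullControl' -f $blocked.Count, $report.Count
```

Rows with AdminFull set to False are the keys that would each need the ownership and permission change the post describes; saving the report alongside a VM snapshot gives a record of the original ACLs.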
