Uninstalling Symantec Endpoint Protection from a corporate network
ElementZero | March 19, 2009

My company is getting rid of Symantec Anti-virus. The final kick in the shins was the new software they brought out called “Symantec Endpoint Protection”. I’m not exactly sure what Symantec was thinking when they brought out this product, but the old Symantec Corporate Server was much easier to administer. The new product just seems to go out of its way to make itself difficult – from installing to reviewing what sort of viruses are found. Anyways, couple that with the 92% virus detection rate that Symantec supposedly has, and you wind up with one heck of a crappy product.
After some research, I found that there are basically two products that are currently the best for Anti-virus: NOD32, and Kaspersky. They are VERY similar – both have something like a 99.8% detection rate, and both leave a very small footprint. Supposedly NOD32 is just a bit less overhead than Kaspersky, but the latter is easier to administer. Seeing that I would rather be able to tell what my anti-virus program is doing in a corporate environment than get a marginal 1% increase in performance, we went with Kaspersky. Let me say that I don’t regret it one bit as it has already detected over 100 viruses, trojans, and other spyware that Symantec apparently had let slip by.
In any case, the uninstallation of Symantec was quite a chore. I found a few articles on how to remove it using some Symantec tools – but the tools (just like the Antivirus product) were either not present or didn’t function properly. Next I found an article on how to manually remove Symantec by running the uninstall wizard from a command prompt. After reviewing how this worked for a bit, I wrote a short VB script that basically finds the registry key for Symantec Endpoint Protection, and then issues the command to uninstall the program. It also writes entries to the Application event log on what the script is currently doing.
Be aware that as soon as the uninstall is completed, the computer will reboot (it took about 2-3 minutes on average for the uninstall to complete). Note also that sometimes the script can say that it failed to remove the program; I think that just happens because the computer reboots before it can send the “ok” back to the uninstall script (basically, as long as the shield is gone, it’s removed).
Once you have the script, you simply set it up to run as a startup script through Group Policy. Create a new Group Policy and then go to Computer Configuration -> Windows Settings -> Scripts -> Startup. Then just add the script. This will make the uninstallation of Symantec occur the next time the computers under that Group Policy are started up. You probably should send an email to those users though and inform them that you are removing Symantec and that upon the next reboot their computer will automatically reboot again two to three minutes after starting up (again, since Symantec reboots the machine after it is uninstalled).
One last note – make sure you remove the uninstall password from the program, otherwise the uninstall script will fail to uninstall the program.
Anyways, hopefully this can help someone else – I found it rather useful myself.
```vbscript
Option Explicit

const HKEY_LOCAL_MACHINE = &H80000002
dim ProductName, ProductKey

'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' Walk the Uninstall registry key and remember the subkey (product key) whose
' DisplayName is exactly "Symantec Endpoint Protection".
sub GetSymantecProductKey()
    dim oReg, sPath, aKeys, sName, sKey
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    sPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    oReg.EnumKey HKEY_LOCAL_MACHINE, sPath, aKeys
    For Each sKey in aKeys
        oReg.GetStringValue HKEY_LOCAL_MACHINE, sPath & "\" & sKey, "DisplayName", sName
        If Not IsNull(sName) Then
            if (sName = "Symantec Endpoint Protection") then
                ProductKey = sKey
                ProductName = sName
            end if
        end if
    Next
end sub

'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' Run a quiet msiexec uninstall for the product key and record the command
' and its result in the Application event log.
sub RemoveSymantec(key, name)
    dim cmd, objShell, iReturn
    cmd = "C:\windows\system32\msiexec.exe /q/x " & key
    set objShell = wscript.createObject("wscript.shell")
    objShell.LogEvent 0, "Removing the program [" & name & "] under Product Key [" & key & "]" & vbCrLf & "Executing command: " & vbCrLf & cmd
    ' Third argument TRUE makes Run wait for msiexec to exit and return its exit code
    iReturn = objShell.Run(cmd, 1, TRUE)
    if (iReturn = 0) then
        objShell.LogEvent 0, "Program [" & name & "] was successfully removed"
    else
        objShell.LogEvent 0, "Failed to remove the program [" & name & "]."
    end if
    Set objShell = Nothing
end sub

'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' Main: only attempt the uninstall if the product was found in the registry
ProductKey = ""
ProductName = ""
call GetSymantecProductKey()
if Not (ProductKey = "") then
    call RemoveSymantec(ProductKey, ProductName)
end if
```
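The post notes that the script can log a failure even when the removal succeeded, and the troubleshooting advice further down the page is to check Add/Remove Programs, msiexec and the event log. As an added example (not part of the original post), this read-only PowerShell check gathers those three signals on one machine. The function name is hypothetical, and the Wow6432Node lookup goes beyond what the post's script checks.

```powershell
# Added example, not from the original post. Read-only: it uninstalls nothing.
# Get-SepRemovalStatus is a hypothetical name chosen for this example.
function Get-SepRemovalStatus {
    param(
        [string]$DisplayName = 'Symantec Endpoint Protection',  # name the post's script matches
        [int]$MaxEvents = 20
    )

    # The post's script reads only the native Uninstall key. The Wow6432Node
    # path (32-bit view on 64-bit Windows) is an addition made in this example.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    $entries = foreach ($root in $roots) {
        if (Test-Path $root) {
            Get-ChildItem $root | ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
                if ($p.DisplayName -eq $DisplayName) {
                    [pscustomobject]@{
                        ProductKey  = $_.PSChildName   # value the script passes to msiexec
                        DisplayName = $p.DisplayName
                        Hive        = $root
                    }
                }
            }
        }
    }

    # WScript.Shell LogEvent writes to the Application log under the source "WSH".
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WSH' } `
                  -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -like "*$DisplayName*" } |
              Select-Object TimeCreated, Message

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        StillRegistered = [bool]$entries       # still listed in Add/Remove Programs
        Entries         = @($entries)
        MsiexecRunning  = [bool](Get-Process -Name msiexec -ErrorAction SilentlyContinue)
        ScriptEvents    = @($events)           # "Removing...", "successfully removed", "Failed..."
    }
}

Get-SepRemovalStatus | Format-List
```

A machine where `StillRegistered` is false but the last script event says "Failed to remove" matches the reboot race described in the post; one where it is still true after the reboot needs the uninstall password checked.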







How can I obtain a copy of the script?
The script is located in the box at the bottom of the post. It begins with the line “Option Explicit”. You just have to copy everything in the box, and then open notepad and paste the script in. Then save the file as “SymantecUninstall.vbs”. Make sure it doesn’t save it as “SymantecUninstall.vbs.txt”. After that, just copy the file into the group policy as mentioned in the post.
Fantastic. Thanks
Exactly what I was looking for to get this awful software off my whole network. After 2 days of support not getting back to me and the system down, I have opted for Trend Micro, which is getting rid of the Conficker virus. This script is a godsend! Thanks so much!!!
This worked perfectly the first time I tried it but it didn’t seem to do anything when I tried it on two other systems.
It’s as if it doesn’t run. I look for wscript in Task Manager but nothing. I wait and wait and it never ever happens. Am I missing something? This script could be the best since sliced bread if it will work on most installations. Good work!
Hmm – Sorry to hear it did not work for you again. Does Symantec still show as installed under Add/Remove programs? Also look and see if Msiexec is running after the script starts (that’s the uninstall program it is running to remove Symantec). If this does not run then the script is truly not doing anything or the registry key may not be present anymore. Also you can look in the event log of the computer and see what events are logged as I wrote the script to output to there in case this happened.
I had a problem where the program would not install from the last two machines in my workplace using this script – but that was only after the SEP server was removed. My problem was that I had not set the uninstall password to blank in the server BEFORE I removed it. In that case you can remove them manually with this:
http://www.omegaprojex.com/index.php/2009/03/19/uninstalling-symantec-endpoint-protection-without-the-uninstall-password/
Also – you MUST be logged on as an administrator of the machine in order to have the script run properly.
Let me know what you find in the event log and I can probably point you in the right direction as to steps to try next.
Excellent – worked well (as just stand-alone).
Haven’t tried thru GP yet but will have a bit of a test before I do that.
Maybe you should give Symantec a call and get them to pay you some coin because they don’t have any scripts available on their site!
I was able to get the Symantec Endpoint off my company PC. Thank you so much for the script. This is a very greedy question, but will there be another script to uninstall the Live Update (Symantec) as well?
I know I’m asking a ridiculous question but our company has so many PCs and it takes too long for me to uninstall every single one of them. Hope there’s a script for it; if not, it’s all good. Again, thanks a lot for your post.