Overriding Symantec Endpoint Protection's Uninstall Password
Wednesday, November 12, 2008
Standard story, I had a user today with Symantec Endpoint Protection and it was causing her CPU to redline. SEP said everything was fine so I thought I'd just save some time and uninstall and re-install like a good Sys-admin would do. Most people know that with Symantec's more corporate products they require that you put in a password in order to uninstall the application. This is a simple protection from an attacker manually removing the antivirus. I didn't realize until today just how simple that was.
I did some looking for the password and asked a few people, and I tried to look up what the default password was because, knowing this client, that's what it would be. No luck. Then I discovered something: I was watching the processes in the task manager and saw that when I went to uninstall SEP, msiexec ran as I expected, but right as the password prompt came up, another instance of msiexec appeared. What are the odds that I just end that process and I'm allowed to get through? Very good.
So then I looked online about this and of course I'm not the first person to find this out. If you can end the process msiexec.exe that is being run as the current user (not SYSTEM), then the password prompt will disappear and uninstallation will continue. There is a protection built into SEP and other Symantec products that blocks access to the task manager while the password prompt is showing. That's why my favorite Windows tool, Process Explorer, comes in handy. So here are the steps:
- Download Process Explorer from Microsoft or Sysinternals
- Uninstall the Symantec product of your choice
- Wait for the password prompt to appear
- Run Process Explorer and find the msiexec.exe that is being run as the current user (not SYSTEM)
- End that process and continue with the uninstallation
I know this really isn't a revelation to most people but I had never done it before and it goes right along with some of my anti-anti-virus research I'm doing.
External Links
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx - Process Explorer download
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=4852 - link to a forum thread with other suggestions for resetting the password, like “calling support”