Some Notes on the Machines

For Symantec, rolling one’s own seems usual. I have been doing it using psexec and LabTech command prompt, running the msiexec lines below remotely. One has to get the long code first via regedit. Examples are below under major subversions. But before you do that, make sure there’s no password protection on the client. There are two locations.

First in here:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

and make sure SmcGuiHasPassword is 0.

Second, in here:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\Security

make sure UseVPUninstallPassword is 0.

And now for some example msiexec lines. The /q is apparently needed just as the /qn, and the last two (very sparsely documented) items appear helpful as well. The GUID (the long code) is the tough part. It comes from:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

searching for “Symantec Endpoint Protection”, and it is possible to have more than one sub-subversion — and therefore more than one GUID — needed within a given LAN, mostly depending on update status.

for 12.1:

MsiExec.exe /X {EFCC6FA1-8F3F-46E6-B7BF-8336CCD3DA67} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {BCE5F3B0-8407-42DB-8073-1812F7D2D1E6} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL

for 12.0:

MsiExec.exe /X {895665D9-6614-4930-9D39-3567283DD424} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {D350A6A1-044F-4E19-8267-F1C44775CFC2} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {A3AEEA68-AC93-4F6F-8D2D-78BBF7E422B8} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {84B70C16-7032-41EE-965C-3C8D9D566CBB} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL

for 11.0:

MsiExec.exe /X {26624215-248C-4F88-A415-35301812FB75} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {AAE221D5-C3DD-4FE2-A063-C1368FE730A5} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
msiexec.exe /X {84B70C16-7032-41EE-965C-3C8D9D566CBB} /q /qn /norestart /REBOOT=ReallySuppress REMOVE=ALL

It can take a while — but it happens very silently.

Go here:

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tools

and run resetpass.cmd. A command prompt box will arise which (at least in this part of the world) will shortly contain the word “English”. Wait for it to come and go by itself.

Your SEPM login and password are now both “admin”. It will require a change at first login.

The indomitable Liz Landry found this registry key, which should be used if VIPRE is causing PCs to bluescreen after installation. Go here:

HKLM\System\CurrentControlSet\Services\sbtis

Change the item inside named “Start” from 1 to 4.

Works very well, esp. for remote work.

http://www.emsisoft.com/en/software/cmd/

Unpack it, go into the folder “Run”, and then see the a2cmd readme.

You can run a VIPRE console on your desktop PC, and connect it to a VIPRE server somewhere else, over LAN or WAN:

http://kb.gfi.com/articles/SkyNet_Article/How-to-connect-remote-consoles?retURL=%2Fapex%2FSupportHome&popup=true

Trend Micro has placed their excellent HiJackThis to open source:

http://sourceforge.net/projects/hjt/files/

and there are new versions!!! Interesting instructions for its use, are here:

http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/#HowToUse

Several ports may need to be opened in Windows Firewall, sometimes even if the service is turned off, and sometimes on both client and server. To accomplish this by command line, use these:

netsh firewall add portopening protocol=TCP port=18082 name=VIPRE_client_1
netsh firewall add portopening protocol=TCP port=18086 name=VIPRE_client_2
netsh firewall add portopening protocol=TCP port=18087 name=VIPRE_client_3
netsh firewall add portopening protocol=TCP port=18088 name=VIPRE_client_4

If you would like to have the above ports opened using an Active Directory group policy, edit the policy, go to Administrative Templates under Computer Configuration, then Network, Network Connections, and Windows Firewall.  Under both “Domain Profile” and “Standard Profile” you will find “Define Inbound Port Exceptions”.  In these, the following lines will be needed:

18082:TCP:*:enabled:VIPRE1
18086:TCP:*:enabled:VIPRE2
18087:TCP:*:enabled:VIPRE3
18088:TCP:*:enabled:VIPRE4

For our configuration of client install outside of the LAN, you’ll want port 591 added as a fifth item to the above, i.e., either this:

netsh firewall add portopening protocol=TCP port=18082 name=VIPRE_client_1
netsh firewall add portopening protocol=TCP port=18086 name=VIPRE_client_2
netsh firewall add portopening protocol=TCP port=18087 name=VIPRE_client_3
netsh firewall add portopening protocol=TCP port=18088 name=VIPRE_client_4
netsh firewall add portopening protocol=TCP port=591 name=VIPRE_client_5

or this:

18082:TCP:*:enabled:VIPRE1
18086:TCP:*:enabled:VIPRE2
18087:TCP:*:enabled:VIPRE3
18088:TCP:*:enabled:VIPRE4
591:TCP:*:enabled:VIPRE5

To configure VIPRE Business 5 to handle a laptop outside of the LAN, including installation of agents and automatic agent version updates, do this:

1. Set up a router configuration where an external DNS name is pointed to the VIPRE server, for ports 18080-18088 as well as port 591 (and see related info below). Test it via a telnet on port 18082; if you press Enter, the server should respond.
2. Set up a policy where that DNS name is specified as Policy and Update Server under Agent/Communication.
3. Under the top-level server properties, under Agent Installation, make sure the port listed is set to 591. The default is 80, which is in use on many servers, certainly SBS.
4. Create an MSI for the policy and copy it to the laptop.
5. On the laptop, set up the necessary firewall exceptions to be found here.
6. Install the MSI onto the laptop.

To download a 30-day trial which can be activated with a key, go here:

http://www.gfi.com/downloads/mirrors.aspx?pid=vpe

Here is a procedure given by the ComboFix people:

http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery