Posted on 07-20-2022 12:18 PM
Hello, trying to remove the demon known as SEP from a few machines. I am deploying the Broadcom-provided script via PKG, then invoking it via policy with the -A switch. The following appears in the logs:
Result of command:
TERM environment variable not set.
TERM environment variable not set.
com.symantec.mes.systemextension.systemextension com.symantec.mes.systemextension.systemextension is systemextension
SystemExtensionName: com.symantec.mes.systemextension
find com.symantec.mes.systemextension need to be uninstall in /Applications/Symantec Solutions/Symantec Endpoint Protection.app
Removing /Applications/Symantec Solutions/Symantec Endpoint Protection.app
29:114: execution error: Not authorized to send Apple events to Finder. (-1743)
Failed to remove /Applications/Symantec Solutions/Symantec Endpoint Protection.app.
ATTENTION: You must use the uninstall option in your product's "Symantec Endpoint Protection" menu.
It looks like it's just not permitted to remove the .app. Is that something I can add in as a step?
Is there an updated method to accomplish this removal?
07-20-2022 09:57 PM - edited 07-21-2022 08:32 PM
Used a modified version of the above script to remove SEP, found here: https://gist.github.com/rderewianko/6aa0032f19e57b595e0fdae4470f6286
Then ran a second policy to install SCEP, which was just the .pkg (taken from the SCEP installer .dmg and renamed).
Posted on 07-21-2022 09:46 AM
Hm, tried that script instead of the one supplied directly by Symantec/Broadcom, same result. Blah blah blah and then:
ATTENTION: You must use the uninstall option in your product's "Symantec Endpoint Protection" menu.
Posted on 07-25-2022 07:41 AM
I think it's related to the issue I've been having. Apple made security changes where there has to be a user prompt to remove any kext / sys extension. If I run the script locally on the machine, I get the confirmation prompt and the script works. I've not been able to automate / do this remotely.
Posted on 11-07-2022 02:58 PM
I agree, we have a policy which includes the Removal Script, which works fine; however, the user is still prompted to remove the System Extension. The first prompt says the extensions will be removed if you continue; upon pressing continue, you then need to authenticate. I've yet to figure a way out to completely remove SEP silently. We are moving to a different AV product (thankfully), but getting there is a chore.