Symantec Removal script no longer works?

mikemangino
New Contributor III

Hello, trying to remove the demon known as SEP from a few machines. I am deploying the Broadcom-provided script via PKG, then invoking it via policy with the -A switch. The following appears in the logs:


Result of command:
TERM environment variable not set.
TERM environment variable not set.
com.symantec.mes.systemextension.systemextension
com.symantec.mes.systemextension.systemextension is systemextension
SystemExtensionName: com.symantec.mes.systemextension
find com.symantec.mes.systemextension need to be uninstall in /Applications/Symantec Solutions/Symantec Endpoint Protection.app
Removing /Applications/Symantec Solutions/Symantec Endpoint Protection.app
29:114: execution error: Not authorized to send Apple events to Finder. (-1743)
Failed to remove /Applications/Symantec Solutions/Symantec Endpoint Protection.app.

ATTENTION: You must use the uninstall option in your product's
           "Symantec Endpoint Protection" menu.

It looks like it's just not permitted to remove the .app, is that something I can add in as a step?

Is there an updated method to accomplish this removal?

5 REPLIES

Johns987
New Contributor II

ref: https://www.jamf.com/jamf-nation/discussions/9271/uninstalling-symantec-endpoint-anti-virus

Used a modified version of the above script to remove SEP, found here: https://gist.github.com/rderewianko/6aa0032f19e57b595e0fdae4470f6286

Then ran a second policy to install SCEP, which was just the .pkg (taken from the SCEP installer .dmg and renamed)

mikemangino
New Contributor III

Hm tried that script instead of the one supplied directly by Symantec/Broadcom, same result. Blah blah blah and then:

ATTENTION: You must use the uninstall option in your product's "Symantec Endpoint Protection" menu.

CSCC-JS
Contributor III

I think it's related to the issue I've been having. Apple made security changes where there has to be a user prompt to remove any kext / sys extension. If I run the script locally on the machine, I get the confirmation prompt and the script works. I've not been able to automate / do this remotely.

I agree, we have a policy which includes the Removal Script, which works fine; however, the user is still prompted to remove the System Extension. The first prompt says the extensions will be removed if you continue; upon pressing Continue you then need to authenticate. I've yet to figure out a way to completely remove SEP silently. We are moving to a different AV product (thankfully) but getting there is a chore.

donmontalvo
Esteemed Contributor III

It appears the only way to remove the later versions of Symantec from macOS Ventura is to wipe/rebuild.

¯\_(ツ)_/¯

--
https://donmontalvo.com