I have a site that wants to remove the HBSS GroupShield Agent from their Exchange servers. A client task to remove the agent failed. When they manually tried to remove the agent, it badly hosed the server. (I've found it common that client tasks usually do pretty well either upgrading or installing software, but fail miserably when it comes to removing components.) The HIPS agent isn't installed on these servers so HIPS protection isn't blocking the un-install.
So, is there an elegant and safe way to remove the GroupShield agent?
Barring that, is it possible to duplicate the default GroupShield policy and just disable everything in the policy in one high level click? (I've been going through the master policy and finding about a thousand sub-policies that you need to drill down through to try and disable everything, and even then there's a lot of policies greyed out that can't be changed anyway)
Actually a follow up to my original question.
I've noticed some of our Exchange servers don't have "GroupShield for Exchange" listed in the installed products in the ePO server. I'm not that familiar with GroupShield. I understand GroupShield to be a McAfee security product for MS Exchange, but is the "GroupShield for Exchange 7.0.716.101" listed in "Installed Products" referring to a management agent that controls the GroupShield security product, or is it one and the same?
The objective of the site is to remove control of the Exchange server by the HBSS server. Can that be done without entirely removing the GroupShield security product?
Since there isn't a GroupShield agent to remove, I am guessing you are referring to the McAfee Common Framework agent.
to remove the agent component
The 7.0.716.101 refers to the build that is installed on the Exchange server.
Also, removing the agent component from the McAfee agent will keep it from being managed by ePO.
No, I wasn't referring to the McAfee agent, I probably wasn't clear because I was still trying to figure this out. I thought there might be a "GroupShield management agent" in ePO, separate from the GroupShield product, but I realized they aren't 2 different things.
So, to be more clear, how do you remove the GroupShield product from an Exchange server? They tried to do it manually and hosed the server bad enough that they had to rebuild it from scratch. I tried setting up a client task in HBSS, but it failed to remove the product. (I've never had much success removing HBSS components via client tasks; installing/upgrading seems to work fine, but un-installs almost always bomb out)
The best method is to go into Add/Remove Programs on the Exchange server and select to remove GroupShield. If they tried this first and it failed, then it would be good to know what the error was when it failed.
With the manual removal what information were they using to guide them through it?
Was GroupShield being removed due to an issue that was happening? If so, could I get some info on that?
They had a cluster configuration, using McAfee Cluster Framework service. This is probably what was making the removal more complicated.
They were given the following instructions to follow; they're getting hung up on step 3 -
1. Open Cluster Administrator
2. Take all the McAfee Cluster Framework resources offline
3. * only verify delete option * Delete all the McAfee Cluster Framework resources. (I can't move past this point, option is grayed out)
4. Make the nodes of the cluster passive and uninstall GroupShield for Exchange
5. Close the Cluster Administrator
6. Repeat this process on each node of the cluster
This sounds like a permissions issue in Cluster Administrator. We don't put any restrictions on the GroupShield resource, so if you can create it you should be able to delete it as well.
Sorry to hijack this thread but I have a situation that I need to downgrade the HBSS agent from 4.5 to 4.0. I have done this
Click Start, Run and type in the following command to remove the existing agent:
"C:\Program Files\McAfee\Common Framework\frminst.exe" /Remove=Agent
but when I install from an exe that I know installs HBSS agent 4.0 when installed on a fresh system, 4.5 is reinstalled. Is there a more aggressive way to remove the agent?