We have a large amount of machines that were tagged incorrectly in our ePO (5.10 Build 2428) and started to encrypt. We were able to stop most machines and uninstall from others. What we're experiencing is the two folders on Program Data (EEPC & EEAdmin_1000) are staying, and so are the installs for encryption. If a machine goes out of our system tree it has the chance of triggering EEPC & EEAdmin_1000 to start encrypting again. Or if someone messes up the tagging.
I'm working on a WMI Query for tagging properly but I want to remove these remnants from our workstations, but the client task to uninstall isn't removing them, the product removal tool isn't detecting it. Is there anything that can be done? I've tried Power Shell commands, taking ownership (Ownership is currently the local admin group), added my elevated account to the security settings / local admin group. All get denied.
To get these folders deleted under windows 10 Ent 64-bit Ver 1803 is there any other option or do I have to completely remove everything from McAfee (ENS, Client Agent etc..) or is there anything else that can be done?
DE is 18.104.22.168 if that matters.
To make sure that I follow correctly, are you seeing these folders in C:\ProgramData or C:\ProgramData\McAfee? Are you able to see the contents of each? If so, can you tell us what is in them?
They are not installation directories for the product but can contain varying logs depending upon the configuration of the product and installation task. The installation directories are in C:\Program Files\McAfee\Endpoint Encryption Agent for EEAdmin and C:\Program Files\McAfee\Endpoint Encryption for EEPC.
These are all under C:\ProgramData\McAfee\Agent\Evaluation.
Inside of there is a MSI file that is being triggered that puts the encryption agent back on the system. There's an install.mcs, mfeEEPc64.MSI and MfelsWin64.app under the EEPC folder. Under the EEAdmin_1000 folder there is just an install folder with nothing in it. But that doesn't mean it couldn't populate.
In EPO under the product settings tab when you view system information the DE status for 22.214.171.124 changes from saying DE: Windows & DE Agent to EEAdmin_1000 and EEPC. So that is what is making me believe that these are changing it.
When I run the MSI under EEPC it will sometimes encrypt machines that still have the improper tagging giving the policy to encrypt.
Thank you for the information. That clears things up greatly. These locations are for the McAfee Agent when it downloads the point product software components to be installed.
Their presence alone should not cause further action but if you are seeing it still being reinstalled after you have removed it, we should start looking into the installation tasks that the clients have assigned and may need to look into the McAfee Agent logs to see what the specific task is that is carrying it out. Even if we were to get these components removed right now, if there is a task still being carried out on these systems, it would just download them again.
Of course, if you are manually running the MSI for EEPC, I would expect it to get installed but it should not activate MDE unless both components are installed, so that suggests that EEAdmin is still present on the system as well.
The McScript deployment log will give us information on the times that the MSI installer is triggered if the MA is doing it and then we can reference that in the MASVC log for the actual task that is being invoked.
We were using client tasks to run DE on machines, but stopped to contain the encrypting on devices that shouldn't have been encrypted. The machines are labeling themselves as laptops and sometimes after communicating with ePO they'll begin to encrypt after the weekly reboot. Or any reboot, but users do not really restart their machines unless forced to in our environment.
We've had a SR put in to check, and they couldn't find anything that was connecting the deleted / removed client task to run on a system tree that it wasn't applied to. SR came to a close basically saying that these folders are remaining, and that things might be caught in a limbo state, so when it detects a laptop it changes the policy on the machine and begins to encrypt from the files.
So that's why we're trying to remove them, since there's no reason to ever have them encrypted we don't want to have to go through this again while people are working from home. This way if the policy is changed and there's no DE to run then it will just not work until we can get the tag query working properly.
If it can't be removed and the MSI is the main trigger, then maybe I'll just change what the file opens with. I guess if it errors out trying to open the MSI for that single file that starts encryption because it's trying to open it in Notepad, then it should stop the off chance of encrypting.
I'll find a machine that is having the issue and look in that log maybe for something new.
The issue actually interacting with the directories and deleting files may have to do with the McAfee Agent self-protection, what I'm concerned with is that something still has to trigger the installation of the MSI file. Just sitting there, it should be completely benign. If you wouldn't mind providing the SR number I can take a look at the log files there to see if I can locate anything within the MA that is triggering the installation.
4-21195013941 is the service request. There isn't much there and we're already working on tags and tree sorting. What we're needing to do is get rid of the MSI installer. Whether it should or shouldn't be used, it is still on the system to cause a potential incident. That's why we want to remove the EEPC and EEAdmin_1000 folders.
This is a new SR because the original had other troubleshooting solutions for a similar problem that doesn't relate to what we're trying to do now.
Thank you for the information. I had actually looked through this one yesterday after opening, although at that point I was not aware that it was the same as the one we are speaking about here. With the new SR open, if you don't mind, we'll focus the correspondence there and then update this thread when completed.
So I've been looking more at this. It seems there's something wrong with the uninstall client task. It runs but it won't remove those two folders because those two extensions are part of the Agent. The McAfee agent process is always running on the machine so I've found it hard to terminate the process using system tree or going deeper with SysInternals ProcMon.
Our EPO admins above me say nothing is wrong with the uninstall client task so I need to find a KB to review removing DE from EPO using client tasks, and see if something is actually wrong.
Alternatively, using SCCM, I can detect variants of these folders and use the Microsoft tool to uninstall the McAfee agent, forcing a restart. This clears those two folder extensions.
Using SCCM, I have a collection that lets me see devices that don't have the McAfee agent or the agent of a certain version. I can instantly install remotely with SCCM and the problem is semi-solved. Though I wasn't able to use EPO to solve the task, which is why I say semi-solved.
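For anyone building the same kind of SCCM or scripted detection, here is an added PowerShell read-only check (not from the thread or from McAfee) that reports whether the staged EEPC/EEAdmin_1000 folders and the mfeEEPc64.MSI are still present, whether both product directories named earlier exist (the condition under which MDE can activate), and whether the McAfee Agent has logged a reference to that MSI. The Evaluation and Program Files paths come from the thread; the Logs folder and the McScript log file name are assumptions about McAfee Agent 5.x defaults.

```powershell
# Added example, not part of the thread or the product. Read-only: deletes nothing.
# Run in an elevated session so Get-Acl and the Logs folder are readable.

$evalRoot    = 'C:\ProgramData\McAfee\Agent\Evaluation'            # from the thread
$stagedDirs  = @('EEPC', 'EEAdmin_1000')                           # staged package folders
$stagedMsi   = 'mfeEEPc64.MSI'                                     # the installer that re-adds DE
$productDirs = @(
    'C:\Program Files\McAfee\Endpoint Encryption Agent',           # EEAdmin install dir
    'C:\Program Files\McAfee\Endpoint Encryption'                  # EEPC install dir
)
$logDir = 'C:\ProgramData\McAfee\Agent\Logs'                       # assumption: MA 5.x default

$report = [ordered]@{}

foreach ($d in $stagedDirs) {
    $path    = Join-Path $evalRoot $d
    $present = Test-Path $path
    $report["Staged_$d"] = $present
    if ($present) {
        # Owner shows whether a later cleanup attempt will run into the ACL problem discussed above
        $report["Owner_$d"] = (Get-Acl $path).Owner
        $report["Files_$d"] = @(Get-ChildItem $path -Recurse -File -ErrorAction SilentlyContinue).Count
    }
}
$report['StagedMsiPresent'] = Test-Path (Join-Path $evalRoot "EEPC\$stagedMsi")

# Both product directories present is the state in which MDE can activate
foreach ($p in $productDirs) {
    $report["Installed_$(Split-Path $p -Leaf)"] = Test-Path $p
}

# Did the agent itself (rather than a person) launch the staged MSI? Check the McScript deployment log.
if (Test-Path $logDir) {
    $hits = Get-ChildItem $logDir -Filter 'McScript*.log' -ErrorAction SilentlyContinue |
            Select-String -SimpleMatch -Pattern $stagedMsi
    $report['McScriptMsiReferences'] = @($hits).Count
    $report['LastMsiReference']      = ($hits | Select-Object -Last 1).Line
}

# Flag machines where the installer is staged and at least one DE component is already installed
$report['RiskyState'] = $report['StagedMsiPresent'] -and (
    $report['Installed_Endpoint Encryption Agent'] -or $report['Installed_Endpoint Encryption'])

[pscustomobject]$report | Format-List
```

Wrap the final object in a comparison against the fields you care about (for example `RiskyState -eq $true`) to turn this into an SCCM compliance or collection-membership script.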