cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

Removing HIPS manually

Jump to solution

How do you uninstall HIPS from a workstation (running Win XP SP3) when you do not have connectivity to the ePO server, do not have the unlock password for the HIPS UI, the HIPS service can't be stopped, and the policy pushed to it says to not show HIPS in Add/Remove Programs?  I have tried disabling all protection features in the Virus Scan, and then trying to stop the HIPS service to no avail.  Is there a command to uninstall HIPS similar to the "frminst.exe /forceuninstall" command for the McAfee Agent?  I'm even willing to remove all files and registry keys if necessary as long as someone could provide that for me.  Any assistance is appreciated.

SETUP

ePO 4.0

McAfee Agent 4.5.1270

HIPS 7.0.0.1070

McAfee VirusScan 8.7

1 Solution

Accepted Solutions
Highlighted
Level 11
Report Inappropriate Content
Message 5 of 14

Re: Removing HIPS manually

Jump to solution

The Windows Installer (msiexec.exe) is not running in safe mode.

It is better to boot into safe mode and open services.msc then disable the McAfee Host Intrusion Prevention service.

After reboot into normal mode, open regedit and navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

The HIP 7 GUID should begin with a B33.

Locate it and copy the value of UninstallString to RUN and uninstall.

View solution in original post

13 Replies
Highlighted
Level 12
Report Inappropriate Content
Message 2 of 14

Re: Removing HIPS manually

Jump to solution

Have a look at https://kc.mcafee.com/corporate/index?page=content&id=KB58629

Does this technote help?

There's also https://kc.mcafee.com/corporate/index?page=content&id=KB51699

Although you may have already tried it judging by your "cannot stop service" comment.


Message was edited by: Mal09 on 08/03/10 17:44:29 GMT
Highlighted

Re: Removing HIPS manually

Jump to solution

The first link looks helpful in allowing me to uninstall, but what does it mean when it says "Run the uninstall string to remove the client?"  I will need to try this when I get a chance to reboot the machine into Safe Mode.

In the second link,

net stop hips (failed)
net stop enterceptagent (failed)
net stop firepm (ran but said service could not be stopped)

I was able to end the firetray.exe process, but there is still a FireSvc.exe and HIPsvc.exe running.  As far as removing the registry key, the following did not exist:

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIPS_7000]

I will try going through the rest of the registry settings to see if I have any luck with it.  Thanks.

Highlighted
Level 12
Report Inappropriate Content
Message 4 of 14

Re: Removing HIPS manually

Jump to solution

If you use Regedit and expand that Registry Branch, you will find a set of subkeys with alpha-numerical values. If you click on one, it will show you in the right pane which program that is for. You will need to scroll down the list until you find the one that describes HIPS.

When you find it, it will have an uninstall string similar to:

msiexec /x {XXX-XXXXX-XXXXX-XXXXX} REMOVE=ALL REBOOT=R /q

Someone else might be able to give you the correct value for the uninstall command, but it does vary between different versions of software.

Highlighted
Level 11
Report Inappropriate Content
Message 5 of 14

Re: Removing HIPS manually

Jump to solution

The Windows Installer (msiexec.exe) is not running in safe mode.

It is better to boot into safe mode and open services.msc then disable the McAfee Host Intrusion Prevention service.

After reboot into normal mode, open regedit and navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

The HIP 7 GUID should begin with a B33.

Locate it and copy the value of UninstallString to RUN and uninstall.

View solution in original post

Highlighted

Re: Removing HIPS manually

Jump to solution

Thank you for the assistance.  I was able to boot into safe mode, stop the service, then boot normally and run that uninstall command.  I now have the McAfee Agent and HIPS reloaded and communicating with the ePO server again.

Highlighted

Re: Removing HIPS manually

Jump to solution

Hey, Mr.

I know you solved this issue, but, in time, allow me to say that the reason you weren´t able to stop the services is because Viruscan access protection blocked the action. You had have to stop the access protection first in order to proceed with the KB.

All the best,

Diego Carvalho

Highlighted

Re: Removing HIPS manually

Jump to solution

@DiegoLorenzo,

I did have the Access Protection disabled on the VirusScan, and I had unchecked the box that said "Prevent McAfee Services from being stopped."  It seems that HIPS still has a built-in self-protect mode that prevents the service from being stopped and it being removed.  I just had the added problem of not having the correct HIPS UI unlock password.

Highlighted
Level 11
Report Inappropriate Content
Message 9 of 14

Re: Removing HIPS manually

Jump to solution

HIP has its own self protection and is outside of VSE's.

Signature 1000 - Windows Agent Shielding - Service Access.

There are similar self protection sigs for HIP on Linux and Solaris too.

Highlighted
Level 11
Report Inappropriate Content
Message 10 of 14

Re: Removing HIPS manually

Jump to solution

KB58629 has been updated.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community