3 Replies Latest reply on Aug 30, 2017 12:44 PM by brandonr116

    Manually Unistall McAfee Agent 5.0.x

    eyal

      Good day,

       

      I have corrupted McAfee agents due to a failed upgrade to version 5.0.4.  I've also tried to re-install the agents and it is failing to install.

      How do I manually delete or remove  all McAfee Agent 5.0.4 remnants.

        • 1. Re: Manually Unistall McAfee Agent 5.0.x
          Hayton

          Moved from Support Forums to Business -> ePolicy Orchestrator (ePO)

          • 2. Re: Manually Unistall McAfee Agent 5.0.x
            Steve Chmiewliski

            Have you tried to remove the management side first ?

             

            run from a cmd prompt -  FRMINST /Remove=Agent

             

            Then go to add / remove programs and uninstall from there.

             

            If this fails you may need to log a support call and request the McAfee removal tool.

            • 3. Re: Manually Unistall McAfee Agent 5.0.x
              brandonr116

              So when I have an agent that is corrupt this is what I do. If someone has a quicker and/or easier way please let me know. Just like everyone else its always nice to learn a more efficient way.

               

              First off you need to know if the agent itself can communicate back to the ePO server. I have noticed that sometimes the agent gets so corrupt that it simply fails when you try to "check new policies", "enforce policies", "send events", or "collect and send props".

               

              Now if the agent CAN communicate back to the server the process is rather simple. Within the ePO console go to the "System Tree" select the computer that has been having the issue. Delete the machine and ensure that the "Remove Agent on next agent-server communication" check box is selected. Now either remotely via RDP or through some kind of remote management program have the agent manually check-in. Its even easier if you can physically walk to the computer like I have in some cases here in my environment. I like to have the computer "check new policies" this will make the computer check-in and it will get the uninstall command to uninstall all modules (DLP, HIPS, Endpoint Security) as well it will delete the agent. After the operation is complete, ensure that there is no McAfee instances within the program and features tab found within the control panel. I would also preform clean up of the left over McAfee folders that can be found in %appdata% and the hidden folder %ProgramData%

               

              If the agent DOES NOT check in with the ePO server it is a bit more difficult as now you have to manually uninstall the modules before you can uninstall the agent. I will try to explain it the best I can.

               

              Within my environment we deploy HIPS, and DLP, Firewall and Threat Prevention as modules with in our Endpoint Security. First I have to manually disable HIPS by going through the client's agent found in the system tray. Pulling up the HIPS module unlock the interface then uncheck "Enable Host IPS" and uncheck "Enable Network IPS" found within the IPS Policy tab. Once complete, go programs and features and uninstall HIPS. Next uninstall, in my case would be Endpoint Security threat Prevention and Endpoint Security Firewall. Then you can uninstall the Endpoint Security Platform. Those three modules would be done through the program and features. You might have to provide an uninstall password depending upon how you configured your agents. Next is the DLP module. This can be tricky as you need to grant a Uninstall Key from the ePO console. I can explain that if necessary in another post. Once that is complete you should be left with just the agent in programs and features. Uninstall as normal. If it says that it is in managed mode you need to go to the ePO console and delete the machine and ensure that the "Remove Agent on next agent-server communication" check box is selected.

               

              That should do it! Sorry this was a long post and it may cover topics and/or modules that are not even utilized by your company.

               

              Best of luck!