13 Replies. Latest reply on Apr 8, 2010 9:17 AM by bgable

    Removing HIPS manually

      How do you uninstall HIPS from a workstation (running Win XP SP3) when you do not have connectivity to the ePO server, do not have the unlock password for the HIPS UI, the HIPS service can't be stopped, and the policy pushed to it says to not show HIPS in Add/Remove Programs? I have tried disabling all protection features in VirusScan, and then trying to stop the HIPS service, to no avail. Is there a command to uninstall HIPS similar to the "frminst.exe /forceuninstall" command for the McAfee Agent? I'm even willing to remove all files and registry keys if necessary, as long as someone could provide that for me. Any assistance is appreciated.

       

       

      SETUP

      ePO 4.0

      McAfee Agent 4.5.1270

      HIPS 7.0.0.1070

      McAfee VirusScan 8.7

        • 1. Re: Removing HIPS manually

          Have a look at https://kc.mcafee.com/corporate/index?page=content&id=KB58629

           

          Does this technote help?

           

          There's also https://kc.mcafee.com/corporate/index?page=content&id=KB51699

           

          Although you may have already tried it judging by your "cannot stop service" comment.

           

           


           

           

          Message was edited by: Mal09 on 08/03/10 17:44:29 GMT
          • 2. Re: Removing HIPS manually

            The first link looks helpful in allowing me to uninstall, but what does it mean when it says "Run the uninstall string to remove the client?"  I will need to try this when I get a chance to reboot the machine into Safe Mode.

             

            In the second link,

             

            net stop hips (failed)
            net stop enterceptagent (failed)
            net stop firepm (ran but said service could not be stopped)

            I was able to end the firetray.exe process, but there is still a FireSvc.exe and HIPsvc.exe running.  As far as removing the registry key, the following did not exist:

             

            [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIPS_7000]

            I will try going through the rest of the registry settings to see if I have any luck with it.  Thanks.

            • 3. Re: Removing HIPS manually

              If you use Regedit and expand that Registry Branch, you will find a set of subkeys with alpha-numerical values. If you click on one, it will show you in the right pane which program that is for. You will need to scroll down the list until you find the one that describes HIPS.

               

              When you find it, it will have an uninstall string similar to:

               

              msiexec /x {XXX-XXXXX-XXXXX-XXXXX} REMOVE=ALL REBOOT=R /q

               

              Someone else might be able to give you the correct value for the uninstall command, but it does vary between different versions of software.

              • 4. Re: Removing HIPS manually

                The Windows Installer (msiexec.exe) is not running in safe mode.

                It is better to boot into safe mode and open services.msc then disable the McAfee Host Intrusion Prevention service.

                 

                After reboot into normal mode, open regedit and navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

                The HIP 7 GUID should begin with a B33.

                 

                Locate it and copy the value of UninstallString to RUN and uninstall.
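
The registry lookup described in replies 3 and 4, as an added example that is not part of the original thread: a read-only PowerShell function that lists matching entries under the Uninstall key together with their UninstallString, instead of clicking through each subkey in Regedit. The function name, its parameters and the display-name pattern are assumptions made for this sketch.

```powershell
# Added example: read-only lookup of an installed product's uninstall entry.
# Find-UninstallEntry and its parameters are hypothetical names for this sketch.
function Find-UninstallEntry {
    param(
        [Parameter(Mandatory = $true)][string]$NamePattern,  # wildcard matched against DisplayName
        [string]$GuidPrefix = ''                              # optional, e.g. 'B33' as mentioned in reply 4
    )

    # Native view plus the 32-bit view on 64-bit Windows (absent on 32-bit XP).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $props = Get-ItemProperty $key.PSPath
            $name  = $props.DisplayName
            # Skip entries with no display name or a non-matching one.
            if (-not $name -or $name -notlike $NamePattern) { continue }
            # For MSI products the subkey name is the product GUID in braces.
            $id = $key.PSChildName
            if ($GuidPrefix -and ($id.TrimStart('{') -notlike "$GuidPrefix*")) { continue }
            New-Object PSObject -Property @{
                ProductKey      = $id
                DisplayName     = $name
                DisplayVersion  = $props.DisplayVersion
                UninstallString = $props.UninstallString
            }
        }
    }
}

# The display-name pattern is an assumption; adjust it to the name shown on the machine.
Find-UninstallEntry -NamePattern '*Host Intrusion Prevention*' | Format-List
```

The function only reads the registry; the UninstallString it prints is the value reply 4 says to copy and run.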

                • 5. Re: Removing HIPS manually

                  KB58629 has been updated.

                  • 6. Re: Removing HIPS manually

                    Thank you for the assistance.  I was able to boot into safe mode, stop the service, then boot normally and run that uninstall command.  I now have the McAfee Agent and HIPS reloaded and communicating with the ePO server again.

                    • 7. Re: Removing HIPS manually

                      Hey, Mr.

                       

                      I know you solved this issue, but, in time, allow me to say that the reason you weren't able to stop the services is because VirusScan access protection blocked the action. You would have had to stop the access protection first in order to proceed with the KB.

                       

                      All the best,

                       

                      Diego Carvalho

                      • 8. Re: Removing HIPS manually

                        @DiegoLorenzo,

                         

                        I did have the Access Protection disabled on the VirusScan, and I had unchecked the box that said "Prevent McAfee Services from being stopped."  It seems that HIPS still has a built-in self-protect mode that prevents the service from being stopped and it being removed.  I just had the added problem of not having the correct HIPS UI unlock password.

                        • 9. Re: Removing HIPS manually

                          HIP has its own self protection and is outside of VSE's.

                           

                          Signature 1000 - Windows Agent Shielding - Service Access.

                           

                          There are similar self protection sigs for HIP on Linux and Solaris too.
