Disabling Symantec Endpoint Protection (SEP) - Misconfiguration

In the majority of internal pentests we find Symantec Endpoint Protection (SEP) misconfigured so that an end user can disable the protection and run malicious code.

The process for disabling SEP on a system is described below.
Sometimes, however, disabling SEP is protected by a password.

Below are two methods that can help remove the SMC password without applying a policy from the server.

Method 1:-
Double-click the Symantec client shield in the taskbar. Click Help --> Troubleshooting.
On the Troubleshooting tab, click the 'Export' button under Policy Profile. Save the file as Policy.xml on the local system, then open Policy.xml in Notepad++.

Find the following keywords in the file and change the value of each parameter to "0":
AdminPassword, ExitNeedPassword, UINeedPassword, ImportExportNeedPassword, UninstallNeedPassword

Then save the file. Now load the modified policy: click the 'Import' button under Policy Profile and import the XML file.

Then open a command prompt and run "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -stop. The service stops without prompting for a password.
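From the defender's side, the same exported Policy.xml can be audited to confirm that none of the five password settings above has been zeroed. The script below is an added example, not code from the original post or from Symantec; it assumes the export stores these settings either as XML attributes (Name="value") or as elements (<Name>value</Name>), and the sample policy fragment is constructed.

```python
"""Audit an exported SEP client policy (Policy.xml) for disabled password protection."""
import re

# The settings Method 1 sets to "0"; an auditor wants each one present and non-zero.
PASSWORD_SETTINGS = (
    "AdminPassword",
    "ExitNeedPassword",
    "UINeedPassword",
    "ImportExportNeedPassword",
    "UninstallNeedPassword",
)


def extract_setting(policy_text: str, name: str):
    """Return the value of `name` from the policy text, or None if it is absent.

    Assumption: the export stores a setting either as an attribute (Name="value")
    or as an element (<Name>value</Name>); both layouts are handled.
    """
    attr = re.search(rf'\b{name}\s*=\s*"([^"]*)"', policy_text)
    if attr:
        return attr.group(1)
    elem = re.search(rf'<{name}\b[^>]*>([^<]*)</{name}>', policy_text)
    if elem:
        return elem.group(1).strip()
    return None


def audit_policy(policy_text: str) -> dict:
    """Map each setting to 'weak' (value 0, empty or missing) or 'ok'."""
    report = {}
    for name in PASSWORD_SETTINGS:
        value = extract_setting(policy_text, name)
        report[name] = "weak" if value in (None, "", "0") else "ok"
    return report


# Constructed sample: a fragment tampered the way Method 1 describes
# (UINeedPassword left intact, ImportExportNeedPassword removed entirely).
SAMPLE_POLICY = """<ClientPolicy>
  <Protection AdminPassword="0" ExitNeedPassword="0" UINeedPassword="1" />
  <UninstallNeedPassword>0</UninstallNeedPassword>
</ClientPolicy>"""

if __name__ == "__main__":
    for setting, status in audit_policy(SAMPLE_POLICY).items():
        print(f"{setting:28} {status}")
```

Running it over a freshly exported policy from a managed client shows at a glance which protections an administrator has actually enforced.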

Method 2:-
Double-click the Symantec client shield in the taskbar. Click Change Settings --> Configure Settings for Client Management.
Click the Tamper Protection tab of the Client Management Settings. Uncheck the box that says "Protect Symantec security software from being tampered with or shut down".

Then open a command prompt and run "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -stop.

But sometimes the bypass doesn't help: a smart system administrator has disabled the methods above.

Then we can use the crude way (not recommended): uninstalling Symantec Endpoint Protection with the CleanWipe utility.

  • Copy the folder that contains Cleanwipe.exe to the computer on which you want to run it.
  • Double-click Cleanwipe.exe, and then click Next.
  • Accept the license agreement, and then click Next.
  • Select the Symantec products you want to remove, and then click Next twice.
  • When the tool finishes running, you may be prompted to restart the computer.
  • After the computer restarts, CleanWipe reopens and continues to run.
  • Click Next.
  • Click Finish. 
The Symantec products you selected are now uninstalled.

Happy Hacking ;)

Reference :-
  • https://warroom.securestate.com/how-to-bypass-sep-with-admin-access/
  • https://www.symantec.com/connect/blogs/remove-smc-password-without-applying-policy-server
  • https://support.symantec.com/en_US/article.HOWTO74877.html
