Disabling Symantec Endpoint Protection (SEP) - Misconfiguration
At most sites we assess during internal pentests, Symantec Endpoint Protection (SEP) is misconfigured so that an end user can disable the protection and run malicious code.
The process to disable SEP on a system is described below.
Sometimes, however, disabling SEP is protected by a password.
Below are two methods that can remove the SMC password without applying a policy from the server.
Method 1:
- Double-click the Symantec client shield in the taskbar. Click Help --> Troubleshooting.
- In the Troubleshooting tab, click the 'Export' button under Policy Profile. Save the file as Policy.xml on your local system. Edit Policy.xml in Notepad++.
- Find the following keywords in the file and change the value of each parameter to "0": AdminPassword, ExitNeedPassword, UINeedPassword, ImportExportNeedPassword, UninstallNeedPassword.
- Save the file. Now the new policy has to be loaded: click the 'Import' button under Policy Profile and import the XML file.
- Then open a command prompt and run `"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -stop`. The service stops without asking for a password.
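The five settings named above are the ones a defender should verify are actually enforced. The following is an added audit script, not part of the original post or any Symantec tooling: it reads an exported policy file and reports which of those settings are disabled ("0") or absent. The exact layout of a SEP policy export is not described in the post, so the script assumes the keyword/value pairs appear either as XML attributes or as element text, and the sample policy embedded below is constructed to match that assumption.

```python
import re
from typing import Dict, List, Optional

# Settings the post names. The post's bypass sets each to "0", so a value of
# "0" here means the corresponding password prompt is not enforced.
PASSWORD_SETTINGS = (
    "AdminPassword",
    "ExitNeedPassword",
    "UINeedPassword",
    "ImportExportNeedPassword",
    "UninstallNeedPassword",
)

# Constructed sample of an exported policy (assumed shape, not a real export).
SAMPLE_POLICY = """<?xml version="1.0"?>
<Policy>
  <ClientManagement>
    <Setting name="AdminPassword" value="1"/>
    <Setting name="ExitNeedPassword" value="0"/>
    <Setting name="UINeedPassword" value="1"/>
    <ImportExportNeedPassword>0</ImportExportNeedPassword>
    <UninstallNeedPassword>1</UninstallNeedPassword>
  </ClientManagement>
</Policy>
"""


def extract_setting(policy_text: str, name: str) -> Optional[str]:
    """Return the value of `name` from the policy text, or None if absent.

    Accepts three assumed layouts: name="X" value="Y", a bare X="Y"
    attribute, or an <X>Y</X> element.
    """
    patterns = (
        rf'name="{name}"\s+value="([^"]*)"',
        rf'\b{name}="([^"]*)"',
        rf"<{name}>\s*([^<]*?)\s*</{name}>",
    )
    for pattern in patterns:
        match = re.search(pattern, policy_text)
        if match:
            return match.group(1)
    return None


def audit_policy(policy_text: str) -> Dict[str, str]:
    """Classify each password setting as 'enforced', 'disabled' or 'missing'."""
    report: Dict[str, str] = {}
    for name in PASSWORD_SETTINGS:
        value = extract_setting(policy_text, name)
        if value is None:
            report[name] = "missing"
        elif value.strip() == "0":
            report[name] = "disabled"
        else:
            report[name] = "enforced"
    return report


def weak_settings(policy_text: str) -> List[str]:
    """Names of settings that are not enforced, sorted for stable reporting."""
    report = audit_policy(policy_text)
    return sorted(name for name, status in report.items() if status != "enforced")


if __name__ == "__main__":
    # Audit the constructed sample; replace with the contents of a real export.
    for setting, status in audit_policy(SAMPLE_POLICY).items():
        print(f"{setting:28s} {status}")
    print("needs attention:", ", ".join(weak_settings(SAMPLE_POLICY)) or "none")
```

Any setting reported as disabled or missing is worth raising with whoever manages the SEP console: the client-side protection only holds if every one of these prompts is password-protected by server policy, and a policy that leaves them at "0" is exactly the misconfiguration this post relies on.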
Method 2:
- Double-click the Symantec client shield in the taskbar. Click Change Settings --> Configure Settings of Client Management.
- Then open a command prompt and run `"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -stop`.
Sometimes these bypasses do not help, because a careful system administrator has disabled the methods above. In that case, Symantec's CleanWipe tool can be used:
- Copy the folder that contains Cleanwipe.exe to the computer on which you want to run it.
- Double-click Cleanwipe.exe, and then click Next.
- Accept the license agreement, and then click Next.
- Select the Symantec products you want to remove, and then click Next twice.
- When the tool finishes running, you may be prompted to restart the computer.
- After the computer restarts, CleanWipe reopens and continues to run.
- Click Next.
- Click Finish.
Happy Hacking ;)
Reference: https://warroom.securestate.com/how-to-bypass-sep-with-admin-access/