Disabling Symantec Endpoint Protection (SEP) - Misconfiguration

In the majority of internal pentests we find that Symantec Endpoint Protection (SEP) is misconfigured, allowing an end user to disable the protection and run malicious code.

The process for disabling SEP on a system is described below.
Sometimes, however, disabling SEP is protected by a password.

Below are two methods which can help to remove the SMC password without applying a policy from the server.

Method 1:-
Double-click the Symantec client shield in the taskbar. Click Help --> Troubleshooting.
On the Troubleshooting tab, click the 'Export' button under Policy Profile. Save the file as Policy.xml on your local system and open it in Notepad++.

Find the following keywords in the file and change the value of each parameter to "0":
AdminPassword, ExitNeedPassword, UINeedPassword, ImportExportNeedPassword, UninstallNeedPassword

Then save the file. Now the new policy needs to be loaded: click the 'Import' button under Policy Profile and import the XML file.

Then go to the command line and run "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -stop. The service will stop without asking for a password.
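The five settings named in Method 1 are exactly what an administrator should verify in an exported client policy. As an added example (not code from the original post), the Python script below reads a Policy.xml export and reports which of those settings no longer require a password; the element and attribute layout of the sample is an assumption, since the real export format is not shown here.

```python
import xml.etree.ElementTree as ET

# Settings from Method 1 above. A value of "1" means SEP still asks for a
# password for that action; "0" or a missing setting means it does not.
NEED_PASSWORD_SETTINGS = (
    "ExitNeedPassword",
    "UINeedPassword",
    "ImportExportNeedPassword",
    "UninstallNeedPassword",
)

def audit_policy(xml_text):
    """Map each setting (plus AdminPassword) to its value, or None if absent.

    The setting name is looked up both as an attribute name and as an element
    tag anywhere in the document, so the check does not depend on the exact
    nesting of the export (assumed layout, not the documented SEP schema).
    """
    root = ET.fromstring(xml_text)
    names = NEED_PASSWORD_SETTINGS + ("AdminPassword",)
    found = {name: None for name in names}
    for elem in root.iter():
        for name in names:
            if name in elem.attrib:
                found[name] = elem.attrib[name]
            elif elem.tag == name and elem.text is not None:
                found[name] = elem.text.strip()
    return found

def weak_settings(xml_text):
    """Sorted names of settings that would let a user stop SEP unchallenged."""
    values = audit_policy(xml_text)
    weak = [n for n in NEED_PASSWORD_SETTINGS if values[n] != "1"]
    # A zeroed or empty AdminPassword means no password is configured at all.
    if values["AdminPassword"] in (None, "", "0"):
        weak.append("AdminPassword")
    return sorted(weak)

# Constructed sample export (not a real SEP policy file): exit and UI still
# require a password, but import/export and uninstall have been set to 0.
SAMPLE_POLICY = """<Policy>
  <ClientManagement AdminPassword="[hash placeholder]" ExitNeedPassword="1"
                    UINeedPassword="1" ImportExportNeedPassword="0"/>
  <UninstallNeedPassword>0</UninstallNeedPassword>
</Policy>"""

if __name__ == "__main__":
    for name in weak_settings(SAMPLE_POLICY):
        print(f"WARNING: {name} does not require a password")
```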

Method 2:-
Double-click the Symantec client shield in the taskbar. Click Change Settings --> Configure Settings under Client Management.
Click the Tamper Protection tab of Client Management Settings. Clear the box that says "Protect Symantec security software from being tampered with or shut down".

Then go to the command line and run "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -stop.

But sometimes the bypass doesn't help: the methods above have been disabled by a smart system administrator.

Then we can use the crude way (not recommended), i.e. uninstalling Symantec Endpoint Protection with the CleanWipe utility.

Copy the folder that contains Cleanwipe.exe to the computer on which you want to run it.
  • Double-click Cleanwipe.exe, and then click Next.
  • Accept the license agreement, and then click Next.
  • Select the Symantec products you want to remove, and then click Next twice.
  • When the tool finishes running, you may be prompted to restart the computer.
  • After the computer restarts, CleanWipe reopens and continues to run.
  • Click Next.
  • Click Finish. 
The Symantec products you selected are now uninstalled.

Happy Hacking ;)

References:-
https://warroom.securestate.com/how-to-bypass-sep-with-admin-access/
https://www.symantec.com/connect/blogs/remove-smc-password-without-applying-policy-server
https://support.symantec.com/en_US/article.HOWTO74877.html

Comments

  1. Nice blog... I found this blog content very helpful on disabling Symantec Endpoint Protection. Thanks for sharing.

  2. The tool requires to be run with threat scanning as well as load point analysis mode in order to identify boot-level viruses and rootkits, which antivirus is unable to scan. Password Generator.

  3. Thanks a lot! Method 1 worked like a charm!