Method of Procedure

Version 21.2

McAfee Endpoint Product Removal Tool User Guide

1
Contents
Contents ............................................................................................................................................................................................................2

Copyright Notice ...............................................................................................................................................................................................3

Introduction.......................................................................................................................................................................................................3

Warnings and liability ...................................................................................................................................................................................3

System Requirements ..................................................................................................................................................................................5

Procedure ..........................................................................................................................................................................................................6

Executing via the command line .................................................................................................................................................................6

Executing via the Graphical User Interface (GUI) ......................................................................................................................................9

Conflicting Products .................................................................................................................................................................................. 10

Determining Conflicting products via GUI execution ........................................................................................................................ 10

Determining Conflicting products via CMD line execution ............................................................................................................... 10

Mass Deployments ........................................................................................................................................................................................ 11

ePO Installation & Deployments .............................................................................................................................................................. 11

Third-party deployments .......................................................................................................................................................................... 11

Troubleshooting ............................................................................................................................................................................................ 11

Progress determination ............................................................................................................................................................................ 11

Exit Codes ................................................................................................................................................................................................... 11

Logging ........................................................................................................................................................................................................ 11

If you encounter an issue ......................................................................................................................................................................... 11

Where to find product documentation ....................................................................................................................................................... 12

2
Copyright Notice
This document and its contents are proprietary to McAfee, LLC. Unauthorized use, reproduction, or
distribution of this document or any of its contents may result in legal and financial penalties.

Introduction
The McAfee Endpoint Product Removal (McAfeeEndpointProductRemoval.exe) tool allows you to remove the
following McAfee products from endpoints in your environment:
• VirusScan Enterprise (VSE) • MVISION Endpoint
• Host Intrusion Prevention (HIPS) • McAfee File and Removable Media Protection
• Site Advisor Enterprise (SAE) (FRP)
• Data Loss Prevention (DLP) • McAfee Management of Native Encryption (MNE)
• Endpoint Security (ENS) • McAfee Drive Encryption (MDE)
• McAfee Agent (MA) • McAfee Application and Change Control (MACC)
• Data Exchange layer (DXL) • MVISION Endpoint Detection and Response (EDR)
• DAT Reputation (DAT Rep) • Threat Intelligence Exchange Module for VSE
• McAfee Client Proxy (MCP) (TIEm)
• McAfee Active Response (MAR)
• Endpoint Intelligence Agent (EIA)
• Policy Auditor (PA)

For multi-platform McAfee products, note that this tool is for Windows versions only. The tool can be deployed
via ePO or 3rd party deployment tools or can be executed as a standalone application.
Warnings and liability
This software:
• Should be tested in a pilot environment before you attempt to deploy it to your users.
• Expires and ceases to function after a specified date. To find the expiration date, click the icon in the top left corner of
the tool, launch the About menu and the expiry date will be visible here.

The tool expires so that customers are forced to update the EPR tool once a quarter to ensure the customer is running
with the latest EPR Tool service level that picks up new bug fixes or new functionality that the customer should be using.
• Endpoint Upgrade Automation will not execute on an endpoint on which the EPR tool has been executed until that
endpoint has been rebooted

3
 • It is not recommended to remove McAfee Agent if there will be any other products remaining on the endpoint after it is
removed (applies to both products supported and not supported by the EPR tool)
• If running from the command line, it is recommended to use the command line parameters for each individual product
to be removed, instead of using the –ALL parameter.
• EPR may determine that McAfee Drive Encryption (MDE), McAfee Native Encryption (MNE) cannot be safely removed. In
this scenario, MA will also not be removed, as this could affect the operation of MDE or MNE.
o MDE will not be removed if it is active
o MNE will not be removed if Network Unlock is enabled
• EPR may determine that McAfee Application and Change Control is active, in which case it will not be removed
• EPR does not operate in the presence of the following products:
o VSE for Storage
o VSE for SAP
o MOVE
o OVI
o Deep Defender
o HIPS 7
o VSE 8.5

The default and strongly recommended action is to reboot the endpoint after removing any products.
When the EPR tool removes products, it attempts to delete all files and registry keys associated with each
product. For most products, there will be some files that cannot be deleted immediately, such as driver
files that are loaded by the OS. When this happens, the EPR tool will mark the files for deletion on reboot
instead.
If the machine is not rebooted, the following scenario can occur:
• A product that was removed by EPR is re-installed
• The product works as expected
• At some point, the machine is rebooted
• The files marked for deletion by the EPR tool are deleted
• The product stops functioning

Best Practices

The EPR tool is designed to remediate endpoint that have a specific issue that cannot be fixed via the normal support channels.
It should be used as a last resort and only after the issues have been properly analyzed and the details have been provided to
the appropriate point product team via support.

It is not designed to be used as an ENS migration tool. If you are doing ENS migrations, you should use the Endpoint Upgrade
Assistant for this purpose. If you’re planning to use Endpoint Upgrade Automation, it will not execute on an endpoint on which
EPR tool has been executed until that endpoint has been rebooted.

The following are requirements and best practices for ensuring a successful EPR run:
• Run with Administrator permissions
• Run locally from the system you’re remediating. For example; don’t execute from a network share
• When deploying from ePO, ensure you’ve supplied the mandatory command line arguments when creating your
deployment task

4
 • In most cases, “--ALL” removal should not be used. It’s recommended that specific point product arguments are used
to remove products. Example: “--accepteula –VSE”

System Requirements
The following basic requirements are required on each machine:
• Windows 7 SP1 and above
• Windows Server 2008 R2 SP1 and above (Server Core versions are not supported)
• X86 or x64
• Administrator rights

5
Procedure
You can run the McAfee Endpoint Product Removal tool on your local machine by either running it from the
command line or using the graphical user interface. If no command line is supplied the user interface is displayed.
Executing via the command line
Run the McAfee Endpoint Product Removal tool at the command line with the appropriate arguments.
Command line arguments are not case sensitive.
Argument Removal Action
Order
none N/A This will open the graphical user interface.

--accepteula N/A Mandatory. If not supplied EPR will not execute

--ALL N/A Remove all supported McAfee products

--VSE 1 Remove only VirusScan Enterprise

--TIEM 2 Remove only Threat Intelligence Exchange Module

for VSE
--HIPS 3 Remove only Host Intrusion Prevention

--SAE 4 Remove only SiteAdvisor Enterprise

--DLP 5 Remove only Data Loss Prevention

--MAR 6 Removes only McAfee Active Response

--ENS 7 Remove only McAfee Endpoint Security

--DATRep 8 Remove only DAT Reputation

--MCP 9 Removes only McAfee Client Proxy

--MVISION_EP 10 Removes only MVISION Endpoint

--PA 11 Remove only Policy Auditor

--EIA 12 Remove only Endpoint Intelligence Agent

6
--FRP 13 Removes only McAfee File and Removable Media
Protection Note: McAfee Endpoint Encryption
KeyStore files (*.sks) are preserved by default.
These are local encryption keys created by FRP that
do not exist in ePO.
--MNE 14 Removes only McAfee Management of Native
Encryption
Note: MNE and MA will not be removed if the
Network Unlock authentication Feature is in effect
--MDE 15 Removes only McAfee Drive Encryption
Note: If MDE is active MDE and MA will not be
removed
--MACC 16 Removes only McAfee Application and Change
Control
Note: If MACC is active it will not be removed
--MVISION_EDR 17 Removes only MVISION EDR

--DXL 18 Remove only Data Exchange Layer

--MA 19 Remove only McAfee Agent
--deletefrpkeys N/A If provided, McAfee Endpoint Encryption
KeyStore files (*.sks) will be deleted.

--noreboot N/A If provided, the McAfee Endpoint Product

Removal tool will not restart the computer after
removing the selected product(s)
--notelemetry N/A As partEUA
Note: of product
will notremoval,
execute the McAfee
until Endpoint
a reboot has
Product
occurred Removal tool will send product removal
telemetry to McAfee. If this switch is provided, no
telemetry is sent.
--t=<number of minutes to wait> N/A Allows the user to set the amount of time to wait
(in minutes) before restarting the client post
product removal. (Note: This argument will be
ignored if used in conjunction with “--noreboot”)

7
 --installcert=globalsign
N/A McAfee endpoint products created after July 2019
are signed with a certificate issued by the
Certificate Authority GlobalSign. If the
GlogalSign root certificate is not installed on the
endpoint, then McAfee products will not install,
and the Endpoint Product Removal tool may not
work correctly. To use this feature, the user must
accept the EULA and use the command line
parameter: --installcert=globalsign. If a user
initiates the command to install the GlobalSign root
certificate, it will only perform the installation if
the certificate is not present. If the certificate is
present and disabled, then the tool will not detect
this, and it will not update the certificate. No reboot
is required after installing the certificate.

-- N/A After migration from VirusScan Enterprise or Host

bruteforce=Delete_Legacy_Settings
IPS to Endpoint Security, migrated settings and
exclusions are stored in
C:\ProgramData\McAfee\Endpoint
Security\McAfeeSettingsBackup\. Since this is a
protected location, if removal of these files is
desired, EPR is the recommended method of using
this. The EULA must be accepted, so the full
command line would be --accepteula --noreboot --
bruteforce=Delete_Legacy_Settings. The parameter
is case sensitive.

For example:
Scenario Command line
Remove VSE, HIPs and McAfeeEndpointProductRemoval.exe --accepteula --
DLP VSE --HIPS --DLP
Remove ENS with no McAfeeEndpointProductRemoval.exe --accepteula --
reboot at the end of the ENS --noreboot
process

8
Executing via the Graphical User Interface (GUI)
The McAfee Endpoint Product Removal tool has a simple, graphical user interface which informs the user about
the installed McAfee products and allows you to select what product(s) to remove.
After launching the tool, the user needs to accept the EULA. This is always the first step, even if the tool was
launched before.
Once the EULA is accepted, the McAfee Endpoint Product Removal tool scans for McAfee Products. It gets the
list of the installed McAfee products from this registry key:
For x64 systems:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NetworkAssociates\ePolicyOrchestrator\A
pplication Plugins
Or for x86 Systems:
HKEY_LOCAL_MACHINE\SOFTWARE\NetworkAssociates\ePolicyOrchestrator\Application Plugins
There is one exception to this i.e. if a product that EPR supports is not found in the above registry location it
will still appear in the list but will be identified as “Undetected”. This is to allow for that fact that there may
still be remnants of the products on the system due to a failed install/uninstall and by selecting the product, EPR
will attempt to remove all remaining traces of the product.

9
After selecting the products to remove, click on Remove button. The default and recommended action is to
reboot the endpoint after removing any products, but you can choose not to reboot by unselecting the “Restart
after product removal” check box. Note: If you’re planning to use Endpoint Upgrade Automation, it will not
execute on an endpoint on which EPR tool has been executed until that endpoint has been rebooted.
The progress of the removal is displayed in the Progress section. Logs can be opened by clicking on the Show
Logs button.

Conflicting Products
When the EPR tool executes via the CMD line or UI it first checks for conflicting products and if any are
found it will not execute.
Determining Conflicting products via GUI execution
When a conflicting product is found a message will be displayed to the notify the user. Every time an attempt
is made to remove a product the message will be displayed. You will not be able to execute the EPR tool until
the conflicting product has been removed.

Determining Conflicting products via CMD line execution

IF conflicting products are found to be present on the endpoint, an exit code of 5030 will be generated.
The following will be printed in the EPR logs:
Scanning for conflicting products...
EPR20 Conflicting product found on machine: File and Removable Media Protection/Endpoint
Encryption for Files and Folders
Exit Code: 5030

10
Mass Deployments
You can execute the EPR tool on more than one computer at a time. How this is achieved is up to the end user.
The EPR tool is provided both as an executable and a package which can be checked in and deployed from
McAfee ePO.

ePO Installation & Deployments

To implement a mass ePO deployment, first check-in the EPR tool to the ePO Master repository. From there
you can create a standard ePO deployment task and deploy the EPR tool to your environment. You must
supply the appropriate command line options for the products you wish to remove, as well as the mandatory “-
-accepteula” argument while creating the deployment task.
Third-party deployments
The EPR tool can be deployed as a self-extractable executable or any other preferred deployment method.

Troubleshooting
Progress determination
The progress of the removal process is best tracked by viewing the EPR logs.
Exit Codes
Exit Code Explanation
0 Successful removal
1010 Invalid command line
5030 Conflicting product(s) found
-1 Error encountered while running EPR
1 Likely a successful removal. (It is difficult for the EPR tool to
verify if it has been successful or that it has failed. Exit code 1
indicates that not all operations were successful, but in the
majority of cases, these failed operations are cosmetic and will
not cause functional problems on the endpoint.)

Logging
To view logs, click the “Show Logs” button or the EPR log can be found here
C:\Windows\Temp\McAfeeLogs\EPR.log
When the EPR tool is executed and when it exits, an event is written to the Windows Event Log. This is done
for traceability and visibility for administrators. “Source” is “McAfee Endpoint Product Removal Tool”.
When the EPR tool is executed and when it exits, an event is written to ePO with an ID of 1119. This is done
for traceability and visibility for administrators.
Note that if the EPR tool is executed with the --ALL command line argument, since McAfee Agent is
removed, it will not report the final execution status to ePO.
If you encounter an issue
Please report any issues to McAfee Support with the following details provided:
• Steps to reproduce

11
 • Expected results
• Actual results
• MER
• Refer to EPR Best Practices Guide

Where to find product documentation

• Go to docs.mcafee.com to find the product documentation for McAfee products.
• Go to support.mcafee.com to find supporting content on released products, including technical articles.

Copyright © 2021 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may
be claimed as the property of others.

12