Forefront, Etrust & SCCM
- August 14th, 2009
- Posted in Antivirus . sccm . windows
Etrust has expanded into a heavy resource hog. Even tweaked to exclude certain files/folders/processes, it seems to lag the entire computer down.
Just check the services: count them, 5!
Crazy
Now I know I could most likely trim them down, but I don’t see the point now. CA Etrust is using way over 100 MB of RAM; that’s not acceptable in any situation, and I can feel the computer being pulled into the pits of hell by Etrust. It’s time to declaw and uninstall CA Etrust.
What are my options?
For now there is only one: ForeFront (read up, it’s actually good).
This is going to be a new install and deployment of Forefront to the entire domain. I am testing the rollout now and it’s actually working pretty well.
As I try to use System Center Configuration Manager (SCCM) for application deployment (among other things), these are the special steps I took:
- Install & Configure Forefront Server (New Physical)
  This is easy, just follow the prompts and guides from MS.
- WSUS Server
  You need to follow this guide: WSUS FCS Updates
- Follow this guide to deploy FCS Client with SCCM: Deploy FCS with SCCM
  The only difference with my installation is that I did not use a TASK Sequence to remove the previous Antivirus. I don’t like the idea of having a system unprotected for any amount of reboots.
- I created a New Program for the FCS Client that had to run another software package (etrust uninstaller)
- Etrust remover.bat was basically just a msiexec that called for it to be removed. Here is the BAT if you dare to use it:
net stop ITMRTSVC
net stop InoRT
net stop InoTask
net stop InoRPC
REM ITM
MsiExec.exe /X{847501DF-07C0-4691-B04A-893929F108AE} /qn
REM AV
MsiExec.exe /X{85F88F9C-6EB2-426B-88AB-28DA4A3526B9} /qn
exit
This seems to be effective in removing the old and installing the new.
Microsoft Forefront has so many good points it’s hard to imagine how anyone will compete. The reporting is great! It also scans for security problems (service packs, weak passwords, etc.). I only hope it will handle viruses better than, or at least as well as, CA. Not that viruses happen very often anyway, due to my heavily fortified virus proof(ish) boundary.
How does FCS seem to me? 43MB service, nice.
EDIT
Here are all the required MSIEXEC commands to remove etrust
MsiExec.exe /qn /X{847501DF-07C0-4691-B04A-893929F108AE}
MsiExec.exe /qn /X{85F88F9C-6EB2-426B-88AB-28DA4A3526B9}
This was the final part of the CA story. It seems to have only left some empty folders.
Great, thanks, this is what I have to do in probably a few months’ time. Have SCCM Server, FCS and WSUS in place on Windows 2008 Servers. Need to install SCCM Clients and then convert Symantec to Forefront… Part of the company has e-trust…
Sounds good, I have had no issues so far in the deployment. It was harder to remove etrust than deploy FCS. One thing I do miss is the “scan file” context menu; it seems it’s very much dumbed down. But it did find a few viruses on the network (inside zips) that for some reason or not etrust did not.
good luck!
If anyone’s interested, I created an expanded version of the script posted here for removing CA ITM. This one also has the uninstalls for the 64-bit versions of the ITM agent and iGateway.
Just substitute in your server name and create a share called rmitm. I used psexec to push this out to all my systems, worked great and I have it generating lots of logs in case anything goes wrong.
Hope it helps someone!
rem stop services
net stop ITMRTSVC >> \\[server name here]\rmitm\logs\%computername%.out 2>> \\[server name here]\rmitm\logs\%computername%.err
net stop InoRT >> \\[server name here]\rmitm\logs\%computername%.out 2>> \\[server name here]\rmitm\logs\%computername%.err
net stop InoTask >> \\[server name here]\rmitm\logs\%computername%.out 2>> \\[server name here]\rmitm\logs\%computername%.err
net stop InoRPC >> \\[server name here]\rmitm\logs\%computername%.out 2>> \\[server name here]\rmitm\logs\%computername%.err
net stop igateway >> \\[server name here]\rmitm\logs\%computername%.out 2>> \\[server name here]\rmitm\logs\%computername%.err
rem rename Spin.conf so iTechnology iGateway can be uninstalled
move "C:\Program Files\CA\SharedComponents\iTechnology\Spin.conf" "C:\Program Files\CA\SharedComponents\iTechnology\Spin.conf.old" >> \\[server name here]\rmitm\logs\%computername%.out 2>> \\[server name here]\rmitm\logs\%computername%.err
rem CA eTrustITM Agent 32-bit
MsiExec.exe /qn /X{85F88F9C-6EB2-426B-88AB-28DA4A3526B9} >> \\[server name here]\rmitm\logs\%computername%.out 2>> \\[server name here]\rmitm\logs\%computername%.err
echo CA eTrustITM Agent 32-bit: %errorlevel% >> \\[server name here]\rmitm\logs\%computername%.errorlevel
rem CA eTrustITM Agent 64-bit
MsiExec.exe /qn /X{E6BECFFB-D60F-464A-9F7C-89C2D6E84465} >> \\[server name here]\rmitm\logs\%computername%.out 2>> \\[server name here]\rmitm\logs\%computername%.err
echo CA eTrustITM Agent 64-bit: %errorlevel% >> \\[server name here]\rmitm\logs\%computername%.errorlevel
rem CA iTechnology iGateway (4.2.0.2):
MsiExec.exe /qn /X{847501DF-07C0-4691-B04A-893929F108AE} >> \\[server name here]\rmitm\logs\%computername%.out 2>> \\[server name here]\rmitm\logs\%computername%.err
echo CA iTechnology iGateway (4.2.0.2): %errorlevel% >> \\[server name here]\rmitm\logs\%computername%.errorlevel
rem CA iTechnology iGateway [x64]:
MsiExec.exe /qn /X{ACB0696B-AB1F-4A40-831A-65A2E5BA54B0} >> \\[server name here]\rmitm\logs\%computername%.out 2>> \\[server name here]\rmitm\logs\%computername%.err
echo CA iTechnology iGateway [x64]: %errorlevel% >> \\[server name here]\rmitm\logs\%computername%.errorlevel
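Triage for the `.errorlevel` logs the script above writes, as an added example that is not part of the original post or comment. Because the script attempts both the 32-bit and 64-bit uninstalls on every machine, exit code 1605 (product not installed) is expected on each host and should not count as a failure, while a host where nothing was removed at all still needs a look before it is considered free of the old antivirus. The host names and log contents are constructed; the exit-code meanings are the standard Windows Installer ones.

```python
import re

# Windows Installer exit codes a silent "MsiExec.exe /qn /X{GUID}" commonly returns.
MSI_CODES = {
    0: "removed",
    1605: "absent",    # ERROR_UNKNOWN_PRODUCT: that product code is not installed
    1618: "retry",     # ERROR_INSTALL_ALREADY_RUNNING: another install held the lock
    1641: "reboot",    # ERROR_SUCCESS_REBOOT_INITIATED
    3010: "reboot",    # ERROR_SUCCESS_REBOOT_REQUIRED
}
LINE = re.compile(r"^(.+): (-?\d+)$")   # "<product label>: <errorlevel>"

def parse_errorlevel(text):
    """Return {product label: exit code}; the script appends, so the last run wins."""
    codes = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            codes[m.group(1)] = int(m.group(2))
    return codes

def triage(text):
    """Classify one host: failed > retry > reboot > clean, or nothing-removed."""
    states = {p: MSI_CODES.get(c, "failed") for p, c in parse_errorlevel(text).items()}
    for verdict in ("failed", "retry", "reboot"):
        hits = sorted(p for p, s in states.items() if s == verdict)
        if hits:
            return verdict, hits
    if "removed" not in states.values():
        # Every GUID was unknown (or the log is empty): the old AV may still be
        # present under a different product code, so do not treat this as success.
        return "nothing-removed", sorted(states)
    return "clean", []

# Constructed sample logs, keyed by computer name (not real hosts or real output).
SAMPLE = {
    "PC-01": "CA eTrustITM Agent 32-bit: 0 \nCA eTrustITM Agent 64-bit: 1605 \n"
             "CA iTechnology iGateway (4.2.0.2): 0 \nCA iTechnology iGateway [x64]: 1605 \n",
    "PC-02": "CA eTrustITM Agent 32-bit: 3010 \nCA iTechnology iGateway (4.2.0.2): 0 \n",
    "PC-03": "CA eTrustITM Agent 64-bit: 1603 \nCA iTechnology iGateway [x64]: 0 \n",
    "PC-04": "CA eTrustITM Agent 32-bit: 1605 \nCA eTrustITM Agent 64-bit: 1605 \n",
}

if __name__ == "__main__":
    for host, log in SAMPLE.items():
        print(host, *triage(log))
```

Run it over the contents of the `logs` folder on the share by reading each `<computername>.errorlevel` file and passing its text to `triage`.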