Unable to remove Teefer Driver during uninstall of Endpoint client
search cancel

Unable to remove Teefer Driver during uninstall of Endpoint client

book

Article ID: 216124

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Trying to uninstall the Symantec Endpoint Protection [SEP] client using the third-party removal tool[ SCCM] or from Add remove Program. It failed to uninstall the SEP 
It was observed that it failed to uninstall the Teefer2 driver 
What is the Teefer2 driver?

In the MSI logs found below Error

MSI (s) (A8:B8) [10:19:59:579]: Executing op: ActionStart(Name=UninstallFirewall,,)
Action 10:19:59: UninstallFirewall.
MSI (s) (A8:B8) [10:19:59:587]: Executing op: CustomActionSchedule(Action=UninstallFirewall,ActionType=3073,Source=BinaryData,Target=UninstallFirewall,CustomActionData=C:\Program Files\Symantec\Symantec Endpoint Protection\14.2.3332.1000.105\Bin)
MSI (s) (A8:B8) [10:19:59:600]: Creating MSIHANDLE (33825) of type 790536 for thread 17080
MSI (s) (A8:20) [10:19:59:601]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIEF5E.tmp, Entrypoint: UninstallFirewall
MSI (s) (A8!94) [10:19:59:654]: Creating MSIHANDLE (33826) of type 790531 for thread 25748
UninstallFirewall start
MSI (s) (A8!94) [10:19:59:656]: Closing MSIHANDLE (33826) of type 790531 for thread 25748
MSI (s) (A8!94) [10:20:00:511]: Creating MSIHANDLE (33827) of type 790531 for thread 25748
Error uninstalling teefer launching installTeefer.exe: 4
MSI (s) (A8!94) [10:20:00:512]: Closing MSIHANDLE (33827) of type 790531 for thread 25748
CustomAction UninstallFirewall returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (A8:20) [10:20:00:516]: Closing MSIHANDLE (33825) of type 790536 for thread 17080
Action ended 10:20:00: InstallFinalize. Return value 3.
MSI (s) (A8:B8) [10:20:00:553]: User policy value 'DisableRollback' is 0
MSI (s) (A8:B8) [10:20:00:553]: Machine policy value 'DisableRollback' is 0
MSI (s) (A8:B8) [10:20:00:560]: Note: 1: 2318 2:
MSI (s) (A8:B8) [10:20:00:608]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1386041971,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (A8:B8) [10:20:00:608]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (A8:B8) [10:20:00:609]: Executing op: DialogInfo(Type=1,Argument=Symantec Endpoint Protection)
MSI (s) (A8:B8) [10:20:00:610]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
Action 10:20:00: Rollback. Rolling back action:
MSI (s) (A8:B8) [10:20:00:614]: Executing op: ActionStart(Name=UninstallFirewall,,)
MSI (s) (A8:B8) [10:20:00:615]: Executing op: ProductInfo(ProductKey={90FEEB01-1E20-4B5F-9F7F-164A425A8C25},ProductName=Symantec Endpoint Protection,PackageName=Sep.msi,Language=1033,Version=235015428,Assignment=1,ObsoleteArg=0,,,PackageCode={716D6FFE-D60E-481D-8F01-B8617807DC4E},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0,ProductDeploymentFlags=3)
Rollback: UninstallFirewall_RB
MSI (s) (A8:B8) [10:20:00:617]: Executing op: ActionStart(Name=UninstallFirewall_RB,,)
MSI (s) (A8:B8) [10:20:00:625]: Executing op: CustomActionRollback(Action=UninstallFirewall_RB,ActionType=1281,Source=BinaryData,Target=UninstallFirewall_RB,CustomActionData=C:\Program Files\Symantec\Symantec Endpoint Protection\14.2.3332.1000.105\Bin)
MSI (s) (A8:B8) [10:20:00:640]: Creating MSIHANDLE (33828) of type 790536 for thread 17080
MSI (s) (A8:58) [10:20:00:641]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIF374.tmp, Entrypoint: UninstallFirewall_RB
MSI (s) (A8!7C) [10:20:00:694]: Creating MSIHANDLE (33829) of type 790531 for thread 23932


Environment

SEP version 14.2 Ru1
Issue reported on Win 7 32-bit SP1 system Only 

Cause

According to the symptom and logs provided, Process “C:\Windows\system32\MsiExec.exe” calls installTeefer.exe to remove. the Teefer driver.  However, installTeefer.exe has a security check and calls ccVerifyTrust to verify the certificate of the parent process “MsiExec.exe” that needs to be signed with “SignatureType_Microsoft”. Unfortunately, ccVerifyTrust fails to verify the Microsoft certificate.  So, installTeefer.exe refuses to run and exits immediately with error code: 4: ERR_NO_TRUST. As a result, SEP uninstallation failed to remove the Teefer driver.

Resolution

Please reach out to Broadcom support they can provide the fix.  

Powered by Wolken Software