search cancel

Unable to remove tefeer Driver during uninstall of SEP

book

Article ID: 216124

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Trying to uninstall the SEP using the third-party removal tool[ SCCM] or from Add remove Program. It failed to uninstall the SEP 
It was observed that it failed to uninstall the Teefer driver 
In the MSI logs Found below Error

MSI (s) (A8:B8) [10:19:59:579]: Executing op: ActionStart(Name=UninstallFirewall,,)
Action 10:19:59: UninstallFirewall.
MSI (s) (A8:B8) [10:19:59:587]: Executing op: CustomActionSchedule(Action=UninstallFirewall,ActionType=3073,Source=BinaryData,Target=UninstallFirewall,CustomActionData=C:\Program Files\Symantec\Symantec Endpoint Protection\14.2.3332.1000.105\Bin)
MSI (s) (A8:B8) [10:19:59:600]: Creating MSIHANDLE (33825) of type 790536 for thread 17080
MSI (s) (A8:20) [10:19:59:601]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIEF5E.tmp, Entrypoint: UninstallFirewall
MSI (s) (A8!94) [10:19:59:654]: Creating MSIHANDLE (33826) of type 790531 for thread 25748
UninstallFirewall start
MSI (s) (A8!94) [10:19:59:656]: Closing MSIHANDLE (33826) of type 790531 for thread 25748
MSI (s) (A8!94) [10:20:00:511]: Creating MSIHANDLE (33827) of type 790531 for thread 25748
Error uninstalling teefer launching installTeefer.exe: 4
MSI (s) (A8!94) [10:20:00:512]: Closing MSIHANDLE (33827) of type 790531 for thread 25748
CustomAction UninstallFirewall returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (A8:20) [10:20:00:516]: Closing MSIHANDLE (33825) of type 790536 for thread 17080
Action ended 10:20:00: InstallFinalize. Return value 3.
MSI (s) (A8:B8) [10:20:00:553]: User policy value 'DisableRollback' is 0
MSI (s) (A8:B8) [10:20:00:553]: Machine policy value 'DisableRollback' is 0
MSI (s) (A8:B8) [10:20:00:560]: Note: 1: 2318 2:
MSI (s) (A8:B8) [10:20:00:608]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1386041971,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (A8:B8) [10:20:00:608]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (A8:B8) [10:20:00:609]: Executing op: DialogInfo(Type=1,Argument=Symantec Endpoint Protection)
MSI (s) (A8:B8) [10:20:00:610]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
Action 10:20:00: Rollback. Rolling back action:
MSI (s) (A8:B8) [10:20:00:614]: Executing op: ActionStart(Name=UninstallFirewall,,)
MSI (s) (A8:B8) [10:20:00:615]: Executing op: ProductInfo(ProductKey={90FEEB01-1E20-4B5F-9F7F-164A425A8C25},ProductName=Symantec Endpoint Protection,PackageName=Sep.msi,Language=1033,Version=235015428,Assignment=1,ObsoleteArg=0,,,PackageCode={716D6FFE-D60E-481D-8F01-B8617807DC4E},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0,ProductDeploymentFlags=3)
Rollback: UninstallFirewall_RB
MSI (s) (A8:B8) [10:20:00:617]: Executing op: ActionStart(Name=UninstallFirewall_RB,,)
MSI (s) (A8:B8) [10:20:00:625]: Executing op: CustomActionRollback(Action=UninstallFirewall_RB,ActionType=1281,Source=BinaryData,Target=UninstallFirewall_RB,CustomActionData=C:\Program Files\Symantec\Symantec Endpoint Protection\14.2.3332.1000.105\Bin)
MSI (s) (A8:B8) [10:20:00:640]: Creating MSIHANDLE (33828) of type 790536 for thread 17080
MSI (s) (A8:58) [10:20:00:641]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIF374.tmp, Entrypoint: UninstallFirewall_RB
MSI (s) (A8!7C) [10:20:00:694]: Creating MSIHANDLE (33829) of type 790531 for thread 23932



Environment

SEP version 14.2 Ru1
Issue reported on Win 7 32 bit SP1 system Only 

Cause

According to the symptom and logs provided, Process “C:\Windows\system32\MsiExec.exe” calls installTeefer.exe to remove. the Teefer driver.  However, installTeefer.exe has a security check and calls ccVerifyTrust to verify the certificate of the parent process “MsiExec.exe” that needs to signed with “SignatureType_Microsoft”. Unfortunately, ccVerifyTrust fails to verify the Microsoft certificate.  So, installTeefer.exe refuse to run and exit immediately with error code: 4: ERR_NO_TRUST. As a result, SEP uninstallation failed to remove Teefer driver.

Resolution

Please reach out to Broadcom support they can provide the fix.