Method of Procedure

Version 21.11

McAfee Endpoint Product Removal Tool User Guide

1
Contents
Contents ............................................................................................................................................................................................................ 2

Copyright Notice ............................................................................................................................................................................................... 3

Introduction ...................................................................................................................................................................................................... 3

Warnings and liability ................................................................................................................................................................................... 3

System Requirements .................................................................................................................................................................................. 5

Procedure .......................................................................................................................................................................................................... 6

Executing via the command line ................................................................................................................................................................. 6

Executing via the Graphical User Interface (GUI) ................................................................................................................................... 10

Conflicting Products .................................................................................................................................................................................. 11

Determining Conflicting products via GUI execution ........................................................................................................................ 11

Determining Conflicting products via CMD line execution ............................................................................................................... 12

Mass Deployments ........................................................................................................................................................................................ 14

ePO Installation & Deployments .............................................................................................................................................................. 14

Third-party deployments .......................................................................................................................................................................... 14

Troubleshooting ............................................................................................................................................................................................ 15

Progress determination ............................................................................................................................................................................ 15

Exit Codes ................................................................................................................................................................................................... 15

Logging ........................................................................................................................................................................................................ 15

If you encounter an issue ......................................................................................................................................................................... 15

Where to find product documentation....................................................................................................................................................... 15

2
Copyright Notice
This document and its contents are proprietary to McAfee, LLC. Unauthorized use, reproduction, or
distribution of this document or any of its contents may result in legal and financial penalties.

Introduction
The McAfee Endpoint Product Removal (McAfeeEndpointProductRemoval.exe) tool allows you to remove the
following McAfee products from endpoints in your environment:
• DAT Reputation (DAT Rep) • McAfee File and Removable Media Protection
• Data Exchange layer (DXL) (FRP)
• Data Loss Prevention (DLP) • McAfee Management of Native Encryption (MNE)
• Endpoint Intelligence Agent (EIA) • McAfee Stinger
• Endpoint Security (ENS) • MOVE multiplatform deployment
• Endpoint Security Storage Protection (ENS SP) • MVISION Endpoint
• ePO-MER • MVISION Endpoint Detection and Response (EDR)
• Host Intrusion Prevention (HIPS) • Policy Auditor (PA)
• McAfee Active Response (MAR) • Site Advisor Enterprise (SAE)
• McAfee Agent (MA) • Threat Intelligence Exchange Module for VSE
• McAfee Application and Change Control (MACC) (TIEm)
• McAfee Client Proxy (MCP) • VirusScan Enterprise (VSE)
• McAfee Drive Encryption (MDE)

For multi-platform McAfee products, note that this tool is for Windows versions only. The tool can be deployed
via ePO or 3rd party deployment tools or can be executed as a standalone application.
Warnings and liability
This software:
• Should be tested in a pilot environment before you attempt to deploy it to your users.
• Expires and ceases to function after a specified date. To find the expiration date, click the icon in the top left corner of
the tool, launch the About menu and the expiry date will be visible here.

3
 The tool expires so that customers are forced to update the EPR tool once a quarter to ensure the customer is running
with the latest EPR Tool service level that picks up new bug fixes or new functionality that the customer should be using.
• Endpoint Upgrade Automation will not execute on an endpoint on which the EPR tool has been executed until that
endpoint has been rebooted
• It is not recommended to remove McAfee Agent if there will be any other products remaining on the endpoint after it is
removed (applies to both products supported and not supported by the EPR tool)
• If running from the command line, it is recommended to use the command line parameters for each individual product
to be removed, instead of using the –ALL parameter.
• EPR may determine that McAfee Drive Encryption (MDE), McAfee Native Encryption (MNE) cannot be safely removed. In
this scenario, MA will also not be removed, as this could affect the operation of MDE or MNE.
o MDE will not be removed if it is active
o MNE will not be removed if Network Unlock is enabled
o In some versions of MNE, the flag stating that the product is safe to remove is incorrectly set, which leads to
EPR unexpectedly not removing the product. In this case, refer to the command line parameter descriptions
below for --BRUTEFORCE=REMOVE_ACTIVE_MNE.
• EPR may determine that McAfee Application and Change Control is active, in which case it will not be removed
• EPR does not operate in the presence of the following products:
o VSE for Storage
o VSE for SAP
o OVI
o Deep Defender
o HIPS 7
o VSE 8.5

The default and strongly recommended action is to reboot the endpoint after removing any products.
When the EPR tool removes products, it attempts to delete all files and registry keys associated with each
product. For most products, there will be some files that cannot be deleted immediately, such as driver
files that are loaded by the OS. When this happens, the EPR tool will mark the files for deletion on reboot
instead.
If the machine is not rebooted, the following scenario can occur:
• A product that was removed by EPR is re-installed
• The product works as expected
• At some point, the machine is rebooted
• The files marked for deletion by the EPR tool are deleted
• The product stops functioning

Best Practices

The EPR tool is designed to remediate endpoint that have a specific issue that cannot be fixed via the normal support channels.
It should be used as a last resort and only after the issues have been properly analyzed and the details have been provided to
the appropriate point product team via support.

It is not designed to be used as an ENS migration tool. If you are doing ENS migrations, you should use the Endpoint Upgrade
Assistant for this purpose. If you’re planning to use Endpoint Upgrade Automation, it will not execute on an endpoint on which
EPR tool has been executed until that endpoint has been rebooted.

The following are requirements and best practices for ensuring a successful EPR run:
4
 • Run with Administrator permissions
• Run locally from the system you’re remediating. For example: don’t execute from a network share
• When deploying from ePO, ensure you’ve supplied the mandatory command line arguments when creating your
deployment task
• In most cases, “--ALL” removal should not be used. It’s recommended that specific point product arguments are used
to remove products. Example: “--accepteula –VSE”

System Requirements
The following basic requirements are required on each machine:
• Windows 7 SP1 and above
• Windows Server 2008 R2 SP1 and above (Server Core versions are not supported – see KB91765 for more information)
• X86 or x64
• Administrator rights

5
Procedure
You can run the McAfee Endpoint Product Removal tool on your local machine by either running it from the
command line or using the graphical user interface. If no command line is supplied the user interface is displayed.
Executing via the command line
Run the McAfee Endpoint Product Removal tool at the command line with the appropriate arguments.
Command line arguments are not case sensitive.
Argument Rem Action
oval
Orde
r
none N/A This will open the graphical user
interface.
--accepteula N/A Mandatory. If not supplied EPR will not
execute
--ALL N/A Remove all supported McAfee products

--VSE 1 Remove only VirusScan Enterprise

--TIEM 2 Remove only Threat Intelligence

Exchange Module for VSE
--HIPS 3 Remove only Host Intrusion Prevention

--SAE 4 Remove only SiteAdvisor Enterprise

--DLP 5 Remove only Data Loss Prevention

--MAR 6 Removes only McAfee Active Response

--ENS 7 Remove only McAfee Endpoint Security

--DATRep 8 Remove only DAT Reputation

--MCP 9 Removes only McAfee Client Proxy

--MVISION_EP 10 Removes only MVISION Endpoint

--PA 11 Remove only Policy Auditor

--EIA 12 Remove only Endpoint Intelligence Agent

6
--FRP 13 Removes only McAfee File and
Removable Media Protection Note:
McAfee Endpoint Encryption KeyStore
files (*.sks) are preserved by default.
These are local encryption keys created
--MNE 14 by FRP that
Removes doMcAfee
only not existManagement
in ePO. of
Native Encryption
Note: MNE and MA will not be removed
if the Network Unlock authentication
--MDE 15 Feature
Removesis only
in effect
McAfee Drive Encryption
Note: If MDE is active MDE and MA
will not be removed
--MACC 16 Removes only McAfee Application and
Change Control
Note: If MACC is active, it will not be
--MVISION_EDR 17 removed only MVISION EDR
Removes

--DXL 18 Remove only Data Exchange Layer

--MA 19 Remove only McAfee Agent

--STINGER 20 Remove only McAfee Stinger
--EPOMER 21 Remove only ePO-MER
--MOVE 22 Remove only MOVE multiplatform
deployment
--BRUTEFORCE=REMOVE_ACTIVE_MNE N/A Force removal of MNE regardless of the
status of the “CanRemove” flag value
--BRUTEFORCE= N/A Force removal of MA regardless of the
REMOVE_PROTECTED_MA presence of MNE or MDE.
--BRUTEFORCE= N/A Force removal of MNE and MA
REMOVE_ACTIVE_MNE_AND_MA regardless of the status of the
“CanRemove” flag value
--DELETEFRPKEYS N/A If provided, McAfee Endpoint Encryption
KeyStore files (*.sks) will be deleted.

--NOREBOOT N/A If provided, the McAfee Endpoint

Product Removal tool will not restart the
computer after removing the selected
--NOTELEMETRY N/A product(s)
As part of product removal, EPR will
send
Note:product
EUA willremoval telemetry
not execute untiltoa reboot
McAfee. If this switch is provided, no
has occurred
telemetry is sent.

7
--T=<number of minutes to wait> N/A Allows the user to set the amount of time
to wait (in minutes) before restarting the
client post product removal. (Note: This
argument will be ignored if used in
conjunction with “--noreboot”)
--BRUTEFORCE= N/A Used to work around issues where ENS
MFEDEEPREM_FOLDER_ATP_STOP ATP’s $MfeDeepRem folder is not
removed. This will cause EPR to stop the
ATP service prior to deletion of the
folder.
--INSTALLCERT=globalsign N/A McAfee endpoint products created after
July 2019 are signed with a certificate
--INSTALLCERT=globalsign_r1
issued by the Certificate Authority
--INSTALLCERT=verisign_g5 GlobalSign. If the GlogalSign root
certificate is not installed on the endpoint,
--INSTALLCERT=usertrust_rsa then McAfee products will not install, and
--INSTALLCERT=sectigo_aaa the Endpoint Product Removal tool may
not work correctly. To use this feature,
--INSTALLCERT=digicert the user must accept the EULA and use
--INSTALLCERT=InstallAllCerts the command line parameter: --
installcert=globalsign (SHA256) or –
installcert=globalsign_r1 (SHA-1). If the
certificate is present or disabled, it will
reinstall an enabled certificate. No reboot
is required after installing the certificate.
Support for installing other potentially
required root certificates is also provided
via command line parameters. The
verisign-g5, usertrust_rsa, sectigo_aaa
and DigiCert root certificates are
supported in addition to GlobalSign
certificates.
All certificates included can be installed
using the InstallAllCerts option.

8
 --REPAIR=ens_platform N/A When used, EPR will invoke the ENS
repair feature, which replaces the installed
--REPAIR=fw
files from the ENS installer and sets some
--REPAIR=tp registry entries to default. This is
potentially useful as a less invasive
--REPAIR=atp method of resolving issues. This is a
--REPAIR=wc comma separated list (no spaces).
Examples:
--REPAIR=dsp
--REPAIR=wc - This will repair Web
--REPAIR=ens Control.
--REPAIR=ens_platform,fw,tp,atp - this
will repair ENS Platform, Firewall,
Threat Prevention, Adaptive Threat
Prevention - in the order that the options
were supplied.
--REPAIR=ens - this will repair all ENS
modules. If modules can't be found and
no unexpected failure occurs, the repair
will still be deemed a success.
--REPAIR=,tp,,fw,notaproduct,ens, - this
will repair Threat Prevention, Firewall
and then all ENS, but will report a fail,
because there are empty products
(redundant commas) and 'notaproduct' is
not a valid option.
--BRUTEFORCE= N/A After migration from VirusScan
DELETE_LEGACY_SETTINGS Enterprise or Host IPS to Endpoint
Security, migrated settings and exclusions
are stored in
C:\ProgramData\McAfee\Endpoint
Security\McAfeeSettingsBackup\. Since
this is a protected location, if removal of
these files is desired, EPR is the
recommended method of using this. The
EULA must be accepted, so the full
command line would be --accepteula --
noreboot --
bruteforce=Delete_Legacy_Settings.

For example:

9
 Scenario Command line
Remove VSE, HIPs and McAfeeEndpointProductRemoval.exe --accepteula --
DLP VSE --HIPS --DLP
Remove ENS with no McAfeeEndpointProductRemoval.exe --accepteula --
reboot at the end of the ENS --noreboot
process

Executing via the Graphical User Interface (GUI)

The McAfee Endpoint Product Removal tool has a simple, graphical user interface which informs the user about
the installed McAfee products and allows you to select what product(s) to remove.
After launching the tool, the user needs to accept the EULA. This is always the first step, even if the tool was
launched before.
Once the EULA is accepted, the McAfee Endpoint Product Removal tool scans for McAfee Products. It gets the
list of the installed McAfee products from this registry key:
For x64 systems:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NetworkAssociates\ePolicyOrchestrator\A
pplication Plugins
Or for x86 Systems:
HKEY_LOCAL_MACHINE\SOFTWARE\NetworkAssociates\ePolicyOrchestrator\Application Plugins
There is one exception to this i.e., if a product that EPR supports is not found in the above registry location it
will still appear in the list but will be identified as “Undetected”. This is to allow for that fact that there may
still be remnants of the products on the system due to a failed install/uninstall and by selecting the product, EPR
will attempt to remove all remaining traces of the product.

10
After selecting the products to remove, click on Remove button. The default and recommended action is to
reboot the endpoint after removing any products, but you can choose not to reboot by unselecting the “Restart
after product removal” check box. Note: If you’re planning to use Endpoint Upgrade Automation, it will not
execute on an endpoint on which EPR tool has been executed until that endpoint has been rebooted.
The progress of the removal is displayed in the Progress section. Logs can be opened by clicking on the Show
Logs button.

Conflicting Products
When the EPR tool executes via the CMD line or UI it first checks for conflicting products and if any are
found it will not execute.

Determining Conflicting products via GUI execution

When a conflicting product is found a message will be displayed to the notify the user. Every time an attempt
is made to remove a product the message will be displayed. You will not be able to execute the EPR tool until
the conflicting product has been removed.

11
Determining Conflicting products via CMD line execution
IF conflicting products are found to be present on the endpoint, an exit code of 5030 will be generated.
The following will be printed in the EPR logs:
Scanning for conflicting products...
EPR20 Conflicting product found on machine: File and Removable Media Protection/Endpoint
Encryption for Files and Folders
Exit Code: 5030

Root Certificate Installation via User Interface

In some cases, root certificates required by McAfee for normal operation of its endpoint products can be
missing or disabled. Removal of these products by EPR can be impacted as well. While this can be
accomplished via command line execution, support for this feature is also provided in the user interface. Select
“Install Certificates” to view the options. Select the root certificates you wish to install, then select OK. If the
certificate already exists or is disabled, the certificate will be reinstalled as enabled.

12
When EPR is executed, it checks for these potentially required root certificates, and writes the scan results to
the EPR log. If the GlobalSign Root CA – R1 root certificate is not found, a warning dialog will be displayed.

After execution of this feature, the results of the process will be displayed.

13
Mass Deployments
You can execute the EPR tool on more than one computer at a time. How this is achieved is up to the end user.
The EPR tool is provided both as an executable and a package which can be checked in and deployed from
McAfee ePO.

ePO Installation & Deployments

To implement a mass ePO deployment, first check-in the EPR tool to the ePO Master repository. From there
you can create a standard ePO deployment task and deploy the EPR tool to your environment. You must
supply the appropriate command line options for the products you wish to remove, as well as the mandatory “-
-accepteula” argument while creating the deployment task.

Third-party deployments
The EPR tool can be deployed as a self-extractable executable or any other preferred deployment method.

14
Troubleshooting
Progress determination
The progress of the removal process is best tracked by viewing the EPR logs.
Exit Codes
Exit Code Explanation
0 Successful removal
1010 Invalid command line
5030 Conflicting product(s) found
-1 Error encountered while running EPR
1 Likely a successful removal. (It is difficult for the EPR tool to
verify if it has been successful or that it has failed. Exit code 1
indicates that not all operations were successful, but in most
cases, these failed operations are cosmetic and will not cause
functional problems on the endpoint.)

Logging
To view logs, click the “Show Logs” button or the EPR log can be found here
C:\Windows\Temp\McAfeeLogs\EPR_%TIMESTAMP%.log
When the EPR tool is executed and when it exits, an event is written to the Windows Event Log. This is done
for traceability and visibility for administrators. “Source” is “McAfee Endpoint Product Removal Tool”.
When the EPR tool is executed and when it exits, an event is written to ePO with an ID of 1119. This is done
for traceability and visibility for administrators. Note that if the EPR tool is executed with the --ALL command
line argument, since McAfee Agent is removed, it will not report the final execution status to ePO.

If you encounter an issue

Please report any issues to McAfee Support with the following details provided:
• Steps to reproduce
• Expected results
• Actual results
• MER

Where to find product documentation

• Go to docs.mcafee.com to find the product documentation for McAfee products.
• Go to support.mcafee.com to find supporting content on released products, including technical articles.

Copyright © 2021 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may
be claimed as the property of others.

15