Steps required to uninstall the Symantec SCSP agent

Critical System Protection (SCSP)

You need to uninstall the CSP agent via control panel or command line

Please consult the Installation Guide located in the folder "docs" of the installation package, or in the documentation page, for more comprehensive details.

On Windows, the SCSP Agent can be uninstalled using Add/Remove Programs.

On Unix, you can uninstall the agents by using native operating system package commands. The package name for the agent is SYMCcsp.
When the uninstaller completes, it reports an uninstall status.

For Unix DCS 6.x Agents, please see the following KB on uninstall details
Manual Uninstall of DCS Unix Agents

To uninstall agents using package commands:

1. (Solaris/Linux) Start the management console, and set the policy for the agent to uninstall to the Null policy.
   The agent prevents you from installing and removing agent-related files if it is enforcing a restrictive prevention policy.
   If the Solaris or Linux agent is not communicating with the management console, disable the agent, and then continue with the uninstall.
   See “Disabling and enabling Solaris agents” below.
   See “Disabling and enabling Linux agents” below.
2. Open a Terminal window on the computer that runs the agent to uninstall, and become superuser.
3. On Solaris, type and run the following command:

   pkgrm SYMCcsp

4. On RedHat Linux, type and run the following command**:

   rpm -e SYMCcsp

5. On AIX, type and run the following command:

   rpm -e SYMCcsp

6. On HP-UX, browse to  /usr/sbin/ and type and run the following command:

   swremove SYMCcsp

7. On Tru64, type and run the following command:

   setld -d SYMCSP520

8. (Solaris and Linux) If the uninstall completes successfully, run the following command to restart the computer:

   init 6

Computers running HP-UX and AIX do not need to be restarted.

**Note that the command for uninstalling from Linux has changed for DCS 6.x to:

rpm -e SYMCsdcss

Disabling and enabling Solaris agents

Temporarily disabling the Solaris IPS agent

You should temporarily disable the IPS agent, if there are serious performance issues that you suspect are being caused by the IPS agent, or if you have applied a prevention policy that is not allowing you to access the system in any way.

After you disable the agent, apply the Null prevention policy or a prevention policy in which prevention was disabled. Reboot the system.

You should perform these procedures only in emergency situations.

To temporarily disable the IPS driver, interrupt the boot cycle with a Stop-a or break sequence.
At the ok prompt, type and run the following command:
boot -as

You must include the s switch in the boot command to boot into single-user mode. If you omit the s switch, then once the system boots into multi-user mode, it will enable the Data Center Security: Server Advanced driver.

When the boot sequence asks for the location of your /etc/system file, type one of the following:
/etc/system-pre-sisips
/dev/null

Permanently disabling Solaris IPS agents

If you have performance issues with Solaris agents, you may need to permanently disable them.The following procedure disables an agent, not the driver. The driver will still be running.You should perform these procedures only in emergency situations.

To permanently disable Solaris agents, open a Terminal window and become superuser.

Type and run the following commands:
/etc/init.d/sisipsagent stop
/etc/init.d/sisidsagent stop

Type and run the following commands to rename the agent scripts, which temporarily break any symbolic links in the rc#.d startup scripts:
mv /etc/init.d/sisipsagent /etc/init.d/sisipsagentOFF
mv /etc/init.d/sisidsagent /etc/init.d/sisidsagentOFF

Open a Terminal window and become superuser.

Type and run the following commands, which rename the sisipsgent scripts:
mv /etc/init.d/sisipsagentOFF /etc/init.d/sisipsagent
mv /etc/init.d/sisidsagentOFF /etc/init.d/sisidsagent

Type and run the following command to restart the computer:
init 6

Disabling and enabling Linux agents

Temporarily disabling the Linux IPS agent

You should disable the Linux IPS agent, only if there are serious performance issues that you suspect are being caused by the IPS agent, or if you have applied a prevention policy that is not allowing you to access the system in any way.

After you disable the agent, apply the Null prevention policy or a prevention policy in which prevention was disabled. Reboot the system.

You should perform these procedures only in emergency situations.

To temporarily disable the IPS driver, during the boot cycle, add the string SISIPSNULL to the boot options. The agent and kernel mode driver do not load, and the policy is not enforced.

Permanently disabling Linux agents

If you have performance issues with Linux agents, you may need to permanently disable them.The following procedure disables an agent, not the driver. The driver will still be running.You should perform these procedures only in emergency situations.

To permanently disable Linux agents, open a Terminal window and become superuser.
Type and run the following commands:
/etc/init.d/sisipsagent stop
/etc/init.d/sisidsagent stop

Type and run the following commands to rename the agent scripts, which temporarily break any symbolic links in the rc#.d startup scripts:
mv /etc/init.d/sisipsagent /etc/init.d/sisipsagentOFF
mv /etc/init.d/sisidsagent /etc/init.d/sisidsagentOFF

Open a Terminal window and become superuser.

Type and run the following commands, which rename the sisipsgent scripts:
mv /etc/init.d/sisipsagentOFF /etc/init.d/sisipsagent
mv /etc/init.d/sisidsagentOFF /etc/init.d/sisidsagent

Type and run the following command to restart the computer:
init 6