How to manually remove Host Intrusion Prevention Agent 7.0
Technical Articles ID:  KB51699
Last Modified:  06/17/2013


Environment

McAfee Host Intrusion Prevention 7.0

 

Solution

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a .REG file that is not confirmed to be a genuine registry import file.
 
 
To completely remove the Host Intrusion Prevention (Host IPS) agent, do the following:
 
Disable the Host IPS agent
NOTE: Disable the Host IPS module from the Host IPS client UI before proceeding with the steps below.
  1. Click Start, Run, type cmd and click OK.
  2. At the command prompt, type each of the commands below and press ENTER after each:

    net stop hips
    net stop enterceptagent
    net stop firepm

  3. Close the Host IPS client interface.
  4. Press CTRL+ALT+DEL, and in the Security menu click Task Manager.
  5. Select Firetray.exe and click End Process.
     
Unload the ePolicy Orchestrator (ePO) Plugin
  1. Click Start, Run, type regedit and click OK. 
  2. Delete the following registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIPS_7000]

    For 64-bit systems:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIPS_7000]

     
  3. Click Start, Run, type cmd and click OK.
  4. Type the following command and press ENTER:

    regsvr32 -u C:\Windows\System32\fireepo.dll

    For 64-bit systems:
    regsvr32 -u C:\Windows\SysWOW64\fireepo.dll
     
Remove Talkback
  1. Click Start, Run, type cmd and click OK.
  2. Type the following command and press ENTER:

    "C:\Program Files\Common Files\McAfee Inc\TalkBack\tbmon.exe" -delref

    For 64-bit systems:
    "C:\Program Files (x86)\Common Files\McAfee Inc\TalkBack\tbmon.exe" -delref
     
  3. Click Start, Run, type explorer and click OK.
  4. Delete the folder:

    C:\Program Files\Common Files\McAfee Inc\TalkBack

    For 64-bit systems:
    C:\Program Files (x86)\Common Files\McAfee Inc\TalkBack\

  5. Click Start, Run, type regedit and click OK.
  6. Locate and expand the following registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]

  7. Under SharedDLLs, delete each of the following keys:

    C:\Program Files\Common Files\McAfee Inc.\TalkBack\dbghelp.dll
    C:\Program Files\Common Files\McAfee Inc.\TalkBack\TBMon.exe
    C:\Program Files\Common Files\McAfee Inc.\TalkBack\TBMon.loc
    C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe


    For 64-bit systems:
    C:\Program Files (x86)\Common Files\McAfee Inc.\TalkBack\dbghelp.dll
    C:\Program Files (x86)\Common Files\McAfee Inc.\TalkBack\TBMon.exe
    C:\Program Files (x86)\Common Files\McAfee Inc.\TalkBack\TBMon.loc
    C:\Program Files (x86)\Common Files\McAfee Inc\TalkBack\TBMon.exe

Remove the firehk driver
  1. Click Start, Run, type cmd and click OK.
  2. Type the following commands, pressing ENTER after each:

    cd "C:\Program Files\McAfee\Host Intrusion Prevention\Inf\"
    installfirehk.bat /u

    For 64-bit systems:
    cd "C:\Program Files (x86)\McAfee\Host Intrusion Prevention\Inf\"
    installfirehk.bat /u


     
  3. Click Start, Run, type regedit and click OK.
  4. Delete the following registry keys:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firehk]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FirehkMP]

  5. Navigate to: C:\windows\system32\drivers\
  6. Delete the file firehk.sys.
     
Delete the HIPSCore service and remove the drivers
  1. Click Start, Run, type regedit, and click OK.
  2. Delete the following registry key:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hips]

  3. Click Start, Run, type cmd and click OK.
  4. Type the following command and press ENTER:

    "C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\mfehidin.exe" -u HIPK.sys HIPPSK.sys HIPQK.sys

    For 64-bit systems:
    "C:\Program Files (x86)\McAfee\Host Intrusion Prevention\HIPSCore\mfehidin.exe" -u HIPK.sys HIPPSK.sys HIPQK.sys
     
  5. In the registry editor, delete each of the following registry keys:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPK]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPPSK]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPQK]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk]   (see below)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfetdik]   (see below)

    IMPORTANT: If VirusScan Enterprise (VSE) 8.x is installed on the computer, do not remove the mfehidk and mfetdik keys. Removing them disables the VSE On-Access Scanner if Host IPS is not reinstalled.

     
  6. Delete each of the following files:

    C:\windows\system32\drivers\HIPK.sys
    C:\windows\system32\drivers\HIPPSK.sys
    C:\windows\system32\drivers\HIPQK.sys
    C:\windows\system32\hipqa.dll
    C:\windows\system32\hipis.dll
    C:\windows\system32\mfehida.dll 

    For 64-bit systems, also delete:
    C:\Windows\SysWOW64\hipqa.dll
    C:\Windows\SysWOW64\hipis.dll
    C:\Windows\SysWOW64\mfehida.dll 

  7. From the command prompt, type the following command and press ENTER:

    "C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSCoreReg.exe" -u

    For 64-bit systems:
    "C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\x64\HIPSCoreReg.exe" -u

  8. In the registry editor, delete the following key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIPSCore]

Delete services and drivers
  1. Click Start, Run, type regedit and click OK.
  2. Delete each of the following keys:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\enterceptAgent]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FirePM]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\firelm01]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FireTDI]

  3. Click Start, Run, type explorer and click OK.
  4. Delete each of the following files:

    C:\WINDOWS\system32\drivers\firelm01.sys
    C:\WINDOWS\system32\drivers\FirePM.sys
    C:\WINDOWS\system32\drivers\FireTDI.sys

Remove the remaining Host IPS registry entries
  1. Click Start, Run, type regedit and click OK.
  2. Delete each of the following keys:

    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\enterceptAgent]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Entercept\EnterceptAgent]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\McAfee Fire]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Host Intrusion Prevention Tray]   (registry value)

    For 64-bit systems:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\HIP]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\enterceptAgent]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Entercept\EnterceptAgent]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\McAfee Fire]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Host Intrusion Prevention Tray]   (registry value)
     
Remove Host IPS files
  1. Click Start, Run, type explorer and click OK.
  2. Delete the folder:

    C:\Program Files\McAfee\Host Intrusion Prevention

    For 64-bit systems:
    C:\Program Files (x86)\McAfee\Host Intrusion Prevention
     
  3. Delete each of the following files:

    C:\WINDOWS\system32\FireCL.dll
    C:\WINDOWS\system32\FireCNL.dll
    C:\WINDOWS\system32\FireComm.dll
    C:\WINDOWS\system32\FireCore.dll
    C:\WINDOWS\system32\FireEpo.dll
    C:\WINDOWS\system32\FireNHC.dll
    C:\WINDOWS\system32\FireSCV.dll 

    For 64-bit systems:
    C:\WINDOWS\SysWOW64\FireCL.dll
    C:\WINDOWS\SysWOW64\FireCNL.dll
    C:\WINDOWS\SysWOW64\FireComm.dll
    C:\WINDOWS\SysWOW64\FireCore.dll
    C:\WINDOWS\SysWOW64\FireEpo.dll
    C:\WINDOWS\SysWOW64\FireNHC.dll
    C:\WINDOWS\SysWOW64\FireSCV.dll

Remove the Host IPS Start Menu shortcut

NOTE:  The shortcut does not exist if you were running Host IPS 7.0 Patch 3 or higher; see KB60019.
  1. Click Start, Run, type explorer and click OK.
  2. Navigate to: C:\Documents and Settings\All Users\Start Menu\Programs\McAfee\.
  3. Delete the Host Intrusion Prevention shortcut.
     
Additional product clean up

IMPORTANT: This is a required step to finalize manual removal of the Host IPS product.

Use the Microsoft MSIZAP (MSIZAP.exe) tool to clean up the Windows Installer information of the Host IPS product.  For information about downloading Microsoft MSIZAP, see: http://msdn.microsoft.com/en-us/library/aa370523(VS.85).aspx.

 
Steps using Microsoft MSIZAP:
  1. Click Start, Run, type cmd and click OK.
  2. Type the following command and press ENTER:

    msizap.exe TW! {B332732A-4958-41DD-B439-DDA2D32753C5}

  3. Restart your client.
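
After the restart, a read-only check can confirm that the services, drivers, files and registry entries listed in this article are actually gone. The script below is an added example, not McAfee code: it only tests for the paths named above and deletes nothing. The `$VseInstalled` switch is an assumption introduced here to honor the VSE caveat for mfehidk and mfetdik.

```powershell
# Read-only audit: reports Host IPS 7.0 artifacts from this article that still exist.
# Added example, not McAfee code. Deletes nothing.
$VseInstalled = $false   # assumption: set to $true if VirusScan Enterprise 8.x is installed

$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$services = 'hips','enterceptAgent','FirePM','firelm01','FireTDI','Firehk','FirehkMP',
            'HIPK','HIPPSK','HIPQK'
# mfehidk and mfetdik are shared with VSE; only expect them gone when VSE is absent.
if (-not $VseInstalled) { $services += 'mfehidk','mfetdik' }

$keys = @($services | ForEach-Object { "$svc\$_" })
$keys += "$svc\Eventlog\Application\enterceptAgent"
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $keys += "$root\McAfee\HIP",
             "$root\Entercept\EnterceptAgent",
             "$root\Network Associates\McAfee Fire",
             "$root\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIPS_7000"
}
$keys += 'HKLM:\SOFTWARE\McAfee\HIPSCore'

$sys = "$env:SystemRoot\System32"
$wow = "$env:SystemRoot\SysWOW64"
$files = @('firehk.sys','HIPK.sys','HIPPSK.sys','HIPQK.sys','firelm01.sys','FirePM.sys','FireTDI.sys' |
           ForEach-Object { "$sys\drivers\$_" })
$dlls = 'hipqa.dll','hipis.dll','mfehida.dll','FireCL.dll','FireCNL.dll','FireComm.dll',
        'FireCore.dll','FireEpo.dll','FireNHC.dll','FireSCV.dll'
foreach ($dir in $sys, $wow) { $files += $dlls | ForEach-Object { "$dir\$_" } }
foreach ($pf in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
    if ($pf) { $files += "$pf\McAfee\Host Intrusion Prevention", "$pf\Common Files\McAfee Inc\TalkBack" }
}

# Keep only the paths that still exist.
$leftover = @($keys + $files | Where-Object { Test-Path -LiteralPath $_ })

# The tray autostart entry is a registry value, not a key, so it is read separately.
$run  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$tray = 'McAfee Host Intrusion Prevention Tray'
if ((Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).$tray) { $leftover += "$run -> $tray" }

if ($leftover.Count) { $leftover | ForEach-Object { "LEFTOVER: $_" } }
else { 'No Host IPS 7.0 artifacts found.' }
```

On 64-bit Windows, run it from a 64-bit PowerShell session; a 32-bit session is redirected to SysWOW64 and Wow6432Node and will miss the native paths.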

© 2003-2013 McAfee, Inc.