Uninstall Windows Sensor if Tamper Protection is Enabled
search cancel

Uninstall Windows Sensor if Tamper Protection is Enabled

book

Article ID: 286264

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Uninstall a Windows sensor while in Tamper Protection mode and the password has changed or was deleted.

Environment

  • EDR Windows Sensors: 7.2+

Resolution

Scenario A: Tamper Protection Password is Known

1. Retrieve Password: In the EDR Console, go to Sensors > Group > Settings > Advanced. View the Tamper Override Password (check History if needed).
2. Lift Protection: Run the following command in an elevated prompt:
   `C:\Windows\CarbonBlack\CbEDRCLI.exe` 
   *Note: Enter the password when prompted.*
3. Execute Uninstall. Run the uninstaller:
   `C:\Windows\CarbonBlack\uninst.exe` 

Scenario B: Tamper Protection Password is Deleted/Unavailable

1. Enter Safe Mode: Restart the machine while holding Shift. Navigate to Troubleshoot > Advanced Options > Startup Settings > Restart.
2. Modify Startup: Select the option for Disable early launch anti-malware protection.
3. Manual Removal: Once in Windows, open CMD as Administrator and run:
   `C:\Windows\CarbonBlack\uninst.exe` 

Powered by Wolken Software