Methods to Uninstall the App Control Agent

Article ID: 286794

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Methods to uninstall the App Control Agent

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • macOS: All Supported Versions
  • Linux: All Supported Versions

Resolution

  • Windows

    Method 1: Uninstall Via Disabled Mode / Add Remove Programs

    1. Log in to the Console and navigate to: Assets > Computers.
    2. Locate the relevant Agent and move it to a Policy with the Control Mode set to Disabled.
    3. On the endpoint use Programs and Features (Add/Remove Programs) to uninstall the Carbon Black App Control Agent.
    4. Once uninstalled: in the Console > Assets > Computers: check the box next to the Agent > Action > Delete Computer.

    Method 2: Uninstall via CMD or Script

    1. Determine the currently installed Agent Product GUID.
    2. Issue the commands manually via an administrative command prompt or via script:
      cd "C:\Program Files (x86)\Bit9\Parity Agent"
      dascli password InsertCLIPasswordHere
      dascli tamperprotect 0
      dascli allowuninstall 1
      msiexec.exe /x {EnterGUIDHere} FORCE=1 /L*v "%userprofile%\Desktop\AgentUninstall.log"

    Method 3: Uninstall Via Safe Mode

    1. Boot the machine into Safe Mode.
    2. Use an administrative command prompt to issue the following commands:
      sc config parity start= disabled
      sc config paritydriver start= disabled
      
      Important: These commands must be issued exactly as shown.
    3. Reboot to Normal Mode.
    4. Determine the currently installed Agent Product GUID.
    5. Open an administrative command prompt and issue the command:
      msiexec.exe /x {EnterGUIDHere} /qn FORCE=1 /L*v "%userprofile%\Desktop\AgentUninstall.log"
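
Method 2 step 1 and Method 3 step 4 both call for the Agent Product GUID without showing how to find it. The following PowerShell is an added example, not part of the original article or of vendor tooling; it reads the standard Windows Uninstall registry keys and assumes the agent is listed under the display name used in Programs and Features above (the function name and the -NamePattern parameter are illustrative).

```powershell
# Added example (not vendor code): find the MSI Product GUID to pass to
# "msiexec.exe /x {GUID}". Run from an administrative PowerShell prompt.
function Get-AgentProductGuid {
    param(
        # Assumption: display name as shown in Programs and Features on this page.
        [string]$NamePattern = '*Carbon Black App Control Agent*'
    )

    # 64-bit and 32-bit (WOW6432Node) views of the per-machine Uninstall key.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or $props.DisplayName -notlike $NamePattern) { continue }

            # MSI-installed products use the Product GUID as the subkey name;
            # skip entries whose key name is not a GUID.
            $guid = [guid]::Empty
            if ([guid]::TryParse($key.PSChildName, [ref]$guid)) {
                [pscustomobject]@{
                    DisplayName    = $props.DisplayName
                    DisplayVersion = $props.DisplayVersion
                    ProductGuid    = $guid.ToString('B').ToUpper()
                }
            }
        }
    }
}

$found = @(Get-AgentProductGuid)
if ($found.Count -eq 0) {
    Write-Warning 'No matching MSI product found; check the display name in Programs and Features.'
} elseif ($found.Count -gt 1) {
    Write-Warning 'More than one matching product; confirm which entry is the agent before uninstalling.'
}
$found | Format-Table -AutoSize
```

If the agent appears under a different name on the endpoint, pass that name with -NamePattern.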

    Method 4: Uninstall Using the Agent Uninstall Utility

    IMPORTANT NOTES: 
    • The Agent Uninstall Tool should be considered a "Last resort" tool when all other methods have failed.
    • The latest Agent Uninstall Tool version is 1.0.0.33. Do not use any other version of the tool.
    • To run the Agent Uninstall Tool in Test Mode (without actual uninstall), remove the "-uninstall" option from the command.
    • The "-uninstall" flag is case sensitive. If there is a typo, the tool will still run in test mode.
    • To identify that the tool is running in test mode, look for the keyword "TEST" at the beginning of every line in the generated log.
    • The Global Password is not required for test mode.
    • The Global Password is required to fully disable the Agent's Tamper Protection.
    1. Open a Support case and provide info and/or logs from any failed Agent uninstall attempt to confirm the utility is needed.
    2. Save the utility to a directory outside the Agent directory (e.g. C:\Temp).
    3. Open an administrative command prompt and issue the command:
      AgentUninstallUtility -password InsertCLIPasswordHere -logfile "%userprofile%\Desktop\Uninstall.log" -uninstall
      REMINDER: The -uninstall parameter is required in the command for full removal.
    4. A system reboot is not needed unless there were errors removing the agent's files and registry keys (check the uninstall log).
    5. If there were errors and some of the agent's files or keys were not removed during the first run, reboot the system and run the tool again.
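
Because a mistyped "-uninstall" flag silently falls back to test mode, it helps to check both the command and the resulting log. The following PowerShell is an added example, not part of the original article or of the utility; the function names are illustrative, and it assumes the log is plain text with the TEST keyword at the start of each line, as the notes above describe.

```powershell
# Added example (not vendor code). Sample data below is constructed, not real tool output.

function Test-UninstallFlag {
    # True only when the exact, case-sensitive token -uninstall is present.
    param([string]$CommandLine)
    return (($CommandLine -split '\s+') -ccontains '-uninstall')
}

function Get-UninstallRunMode {
    # Classifies a log as Empty, TestMode, Uninstall or Mixed.
    param([string[]]$LogLine)

    # Ignore blank lines so trailing newlines do not affect the result.
    $entries = @($LogLine | Where-Object { $_ -and $_.Trim() })
    if ($entries.Count -eq 0) { return 'Empty' }

    # -cmatch is case-sensitive; the keyword must start the line.
    $testLines = @($entries | Where-Object { $_ -cmatch '^\s*TEST' })
    if ($testLines.Count -eq $entries.Count) { return 'TestMode' }
    if ($testLines.Count -eq 0)              { return 'Uninstall' }
    return 'Mixed'   # for example, a test run and a full run written to the same file
}

# Constructed command line with a mistyped flag (capital U).
$cmd = 'AgentUninstallUtility -password InsertCLIPasswordHere -logfile "Uninstall.log" -Uninstall'

# Constructed log lines in the shape the notes describe for a test-mode run.
$sample = @(
    'TEST Stopping agent service',
    'TEST Removing agent files',
    '',
    'TEST Removing agent registry keys'
)

Test-UninstallFlag -CommandLine $cmd
Get-UninstallRunMode -LogLine $sample

# Against the log written by step 3:
# Get-UninstallRunMode -LogLine (Get-Content "$env:USERPROFILE\Desktop\Uninstall.log")
```

A result of Mixed means the same log file was reused across runs; write each run to a new file to get an unambiguous answer.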

  • macOS

    Method 1: Uninstall Via Disabled Mode / Terminal

    1. Log in to the Console and navigate to Assets > Computers to move the Agent into a Policy that has the Control Mode set to Disabled.
    2. Log in to the endpoint with an administrator account that can run sudo and from a Terminal Window issue the command:
      sudo /Applications/Bit9/uninstall.sh
    3. From the Console, delete the Computer from the Assets > Computers page.

    Method 2: Uninstall Via CLI Password / Terminal

    1. Open terminal, authenticate with the Agent and flag it for uninstall:
      cd /Applications/Bit9/tools
      ./b9cli --password InsertCLIPasswordHere
      ./b9cli --tamperprotect 0
      
    2. Shut down the Agent and execute the uninstall script:
      ./b9cli --shutdown
      sudo /Applications/Bit9/uninstall.sh
    3.  

    Method 3: Uninstall Via Safe Mode

    1. Boot the endpoint in Safe Mode.
    2. Log in to the endpoint with an administrator account that can run sudo and from a Terminal Window issue the command:
      sudo /Applications/Bit9/uninstall.sh
    3. Reboot the endpoint and verify the Agent has been successfully removed.

    Method 4: Uninstall Via Recovery Mode (If Kernel Panic)

    1. Boot the endpoint into Recovery Mode.
    2. Choose Utilities > Terminal and temporarily disable System Integrity Protection:
      csrutil disable
      
    3. Reboot to Safe Mode, log in with an administrative account and use Terminal to issue:
      sudo /Applications/Bit9/uninstall.sh
    4. Verify the Agent is removed with the following commands:
      sudo systemextensionsctl uninstall 7AGZNQ2S2T com.vmware.carbonblack.appc-es-loader.appc-es-extension
      sudo rm /Library/LaunchAgents/com.bit9.Notifier.plist
      sudo rm /Library/LaunchDaemons/com.bit9.Daemon.plist
      sudo rm -fR /Applications/Bit9
      sudo rm -fR "/Library/Application Support/com.bit9.Agent"
    5. Reboot to Recovery Mode to re-enable System Integrity Protection via Terminal:
      csrutil enable

  • Linux

    Method 1: Uninstall Via Disabled Mode / Terminal

    1. Log in to the Console and navigate to Assets > Computers to move the Agent into a Policy that has the Control Mode set to Disabled.
    2. Log in to the endpoint with an administrator account that can run sudo and from a Terminal Window issue the commands:
      cd /opt/bit9/bin
      sudo sh ./b9uninstall.sh

    Method 2: Uninstall Via CLI Password / Terminal

    1. Open terminal and issue the commands:
      cd /opt/bit9/bin
      ./b9cli --password InsertCLIPasswordHere
      ./b9cli --tamperprotect 0
      ./b9cli --allowuninstall 1
      sudo sh ./b9uninstall.sh

    Method 3: Uninstall Via Rescue Mode

    1. Boot the machine into Rescue Mode.
    2. Navigate to directory: /opt/bit9/bin
    3. Open terminal and issue the command:
      sudo sh ./b9uninstall.sh

    Method 4: Uninstall When Install is Corrupt / b9uninstall.sh Is Missing

    1. Log in with an admin account.
    2. Open terminal and issue the commands:
      yum --setopt=tsflags=noscripts remove b9agent
      yum --setopt=tsflags=noscripts remove b9notifier
    3. Verify that all Agent directories, files and folders are removed.

  • All Platforms:

    Uninstall Via the App Control Console

    WARNING: 
    • Improper configuration could create a situation that would require all Agents in the environment to be reinstalled.
    • Platform Notes with per-Policy Agent Configs:
      • Not all Agent Versions/Platforms support per-Policy Agent Configs.
      • Windows Agent Support: All Supported Versions
      • Linux Agent: Version 8.7.4+ Only (EPCB-8328)
      • macOS Agent: Support pending (EPCB-20260)
    • Proceed with extreme caution!

    1. Log in to the Console and navigate to Rules > Policies.
    2. Click Add Policy and use the following details:
      • Name: Automatic Uninstall (or something memorable)
      • Description: Automatically, and immediately, uninstalls any Agents added to this Policy.
      • Mode: Disabled
      • Automatic Policy Assignment: Unchecked
    3. Click Save & Exit.
    4. Navigate to https://ServerAddress/agent_config.php > Add Agent Config
      REMINDER! Limit this Agent Config by Platform to avoid accidental removal of Linux or macOS Agents.
      • Name: Immediate Agent Uninstall (or something memorable)
      • Host ID: 0
      • Value: allow_uninstall=2
      • Platform: Windows
      • Status: Enabled
      • Create For: Selected policies > Policy created in Step 2 (Automatic Uninstall)
    5. Click Save & Exit.
    6. When a connected Agent is successfully moved to the new Policy (Automatic Uninstall) from Assets > Computers it will now be automatically and immediately uninstalled.

Additional Information