Uninstall Sensors for Windows
At times, you will need to uninstall sensors from machines. You can uninstall sensors in the following ways:
Uninstall sensors from the Sensors screen
Uninstall sensors via command line from multiple machines with uninstall password
Uninstall sensors via command line from individual machines with uninstall password
Uninstall sensors with an uninstall file (available for early access from version 23.2.4 and later)
This topic details the different methods to uninstall a sensor.
Note
If you have trouble uninstalling, check that the relevant files and processes listed in the Add sensor processes to third-party tool allowlists (all OSs) tables are not being blocked by any third-party antivirus tools.
In this topic:
Uninstall sensors from the Sensors screen
You can uninstall sensors from the Sensors screen. This option is useful, for example, when you use an uninstall password but the uninstall password is forgotten.
Note
Sensor uninstallation from the Sensors screen is currently supported for Windows machines only.
To uninstall a sensor from the Sensors screen, follow these steps:
In the System > Sensors screen, select the sensors to uninstall.
Above the sensors list, click Actions and select Uninstall:
In the Uninstall dialog box, click Yes, uninstall.
The Cybereason platform then runs the command on the machine to uninstall the sensor.
After the sensor uninstalls, in the System > Sensors screen, the uninstalled sensor displays grayed out (like an offline sensor), and the Last update status column displays Uninstalled.
Note
If a sensor is running on a macOS or Linux machine, the Last update status column in displays OS not supported for uninstallation.
Uninstall sensors from multiple machines (appropriate for mass deployments)
To uninstall sensors from multiple machines, run the following command:
When using the EXE installation file:
wmic process call create "cmd.exe /c for /r \"%programdata%\Package Cache\\" %a in (cybereasonsensor.exe) do if exist %a %a /uninstall /quiet /norestart AP_UNINSTALL_CODE=\"<password>\""
When using the MSI installer (version 18.0 and earlier):
for /F "usebackq skip=1" %a in (`wmic product where "name like 'Cybereason ActiveProbe'" get packagecache`) do msiexec /qn /norestart /x %a AP_UNINSTALL_CODE="<password>"
If an uninstall password is required, replace <password> with the password. To obtain this password, contact Technical Support. Place the password between escaped quotes as shown above. If no uninstall password is required, do not use the AP_UNINSTALL_CODE=”<password>” flag.
Uninstall sensors from individual machines
Use one of the following options:
Use the Add/Remove Programs option in the operating system to remove the Cybereason sensor program.
Run this command as an administrator:
<file name> /uninstall /quiet /norestart -l <log file> AP_UNINSTALL_CODE="<password>"
In this example:
<file name> is the name of the installer file used to install the sensor. Verify that it is the same version as the sensor you are uninstalling.
/uninstall is the command to uninstall the sensor
/quiet is the command to not show any prompts
/norestart is the command to not restart the machine in situations where a restart is normally required.
-l is the command to create a log file
<password> is the uninstall password if required. To obtain this password, contact Technical Support. Place the password between quotes as shown above. If no uninstall password is required, do not use the AP_UNINSTALL_CODE=”<password>” flag.
For the MSI uninstall command for sensor versions older than 18.0, see the specific version’s documentation.
Cybereason recommends that you check the uninstallation logs to verify a machine restart is not required, as there are cases where a manual restart of the machine is required.
Note
When uninstalling a sensor, the Windows Restart Manager reports errors during the uninstallation. You can safely ignore these errors.
Uninstall using an uninstall file
You can uninstall multiple sensors using an uninstall file. You can generate this file from the Sensors screen > Actions menu in the Cybereason UI. You can run the file on endpoints and it is capable of uninstalling both online and offline sensors without requiring the uninstall password.
Note
This feature is available for early access in version 23.2.x and is disabled by default. Contact Cybereason Support to enable this feature.
From the Sensors screen, select the sensors you want to uninstall.
From the Actions menu, select Create uninstall file.
On the pop-up message, click Yes, create the file.
The file is downloaded to your machine. The file is a .p7b PKCS certificate file that enables the sensor driver to identify each sensor to be removed by its unique sensor key (ID). You can save the file in any location you wish (on a local machine or on a network drive), as long as you have the path to the file.
Run the file using the following command:
<filename> /uninstall /silent AP_UNINSTALL_OFFLINE_FILE=<path_to_offline_file>
<file name> is the name of the installer file used to install the sensor. Verify that it is the same version as the sensor you are uninstalling.
/uninstall is the command to uninstall the sensor.
/silent (optional) is the command to not show any prompts.
<path_to_offline_file> is the path to the uninstall file.
The sensors are uninstalled from the endpoints.
Uninstall the Application Control driver
The Execution Prevention driver is installed when App Control is enabled. In Cybereason versions prior to version 20.1.280, this driver is not always uninstalled automatically when uninstalling the sensor. See Uninstall Execution Prevention driver for details on how to uninstall the driver.