Sensor Uninstall

Types of Uninstall

Elastic Endpoint Security provides two methods of sensor deployment: in-band and out-of-band. 

Requirements

• In-Band 
  • Must be communicating with Endgame
• Out-of-Band 
  • Manually Removing the agent

Deploy Sensor to Windows via In-band Management

Uninstalling a Sensor via In-band Management

1. On the Left Navigation toolbar, click the ENDPOINTS button

2. In the Endpoints list, select the box to the left of each appropriate endpoint.

3. On the Action toolbar, point to More Actions, then click Uninstall.

4. The Uninstall Sensors dialog box that reads, "Are you sure you would like to uninstall sensors from number endpoints?"  - Click Yes. An "Uninstall request sent" message appears.

5. Click Finish.

Uninstall a Sensor via Out-of-Band Management

It is recommended you only use an out-of-band uninstall method if the sensor is unable to communicate with the platform. If the sensor is actively communicating with Endgame, it can be uninstalled in-band, even if it was installed out-of-band.

Uninstall Modes: Graceful vs. Forceful Uninstall Modes

There are two uninstall modes that can be used to remove the sensor: graceful and forceful. When a graceful uninstall mode is used, the sensor is shut down gracefully. Whether or not the sensor stops, the installer still exits after attempting an uninstall and does not attempt a following installation.

When a forceful uninstall mode is used, the sensor's shut down gracefully, but it is followed by a more aggressive attempt to remove all possible on-disk artifacts. The specific artifacts that need to be removed are based on values from the *.cfg file. As such, an installer file is only able to forcefully remove sensors that were deployed using the same sensor profile the installer file was downloaded from. 

Uninstall from Windows

 Locate the previously saved SensorWindowsInstaller file from the sensorprofile, or download it again.

1. Using your preferred asset management tool, copy the file to the appropriate endpoint(s).

2. Depending on the preferred uninstall mode, run one of the following commands to configure the executable to uninstall the sensor:

True Uninstall 

SensorWindowsInstaller-Expedient-Public-DNS-Name.exe -c SensorWindowsInstaller-Expedient-Public-DNS-Name.cfg -u true -d false -l uninstall.log

SensorWindowsInstaller-Expedient-Internal-DNS-Name.exe -c SensorWindowsInstaller-Expedient-Public-DNS-Name.cfg -u true -d false -l uninstall.log

Force Uninstall 

SensorWindowsInstaller-Expedient-Public-DNS-Name.exe -c SensorWindowsInstaller-Expedient-Public-DNS-Name.cfg -u force -d false -l uninstall.log

SensorWindowsInstaller-Expedient-Internal-DNS-Name.exe -c SensorWindowsInstaller-Expedient-Public-DNS-Name.cfg -u force -d false -l uninstall.log

 Uninstall from Linux

 1. Locate the previously saved SensorLinuxInstaller file from the sensor profile, or download it again.

2. Using your preferred asset management tool, copy the file to the appropriate endpoint(s).

3. Run the following command to change the modification of the installer:

True Uninstall 

hmod +x SensorLinuxInstaller-

4. Depending on the preferred uninstall mode, run one of the following commands to configure the executable to uninstall the sensor:

True Uninstall 

sudo ./SensorLinuxInstaller- -c SensorLinuxInstaller- .cfg -u true -d false -l uninstall.log 

Force Uninstall 

sudo ./SensorLinuxInstaller- -c SensorLinuxInstaller- .cfg -u force -d false -l uninstall.log

Uninstall from Mac

1. Locate the previously saved SensorMacOSInstaller file from the sensor profile, or download it again.

2. Using your preferred asset management tool, copy the file to the appropriate endpoint(s).

3. Run the following command to change the modification of the installer:

chmod +x SensorMacOSInstaller-

4. Depending on the preferred uninstall mode, run one of the following commands to configure the executable to uninstall the sensor:

True Uninstall 

sudo ./SensorMacOSInstaller- -c SensorMacOSInstaller- .cfg -u true -d false -l uninstall.log 

Force Uninstall 

sudo ./SensorMacOSInstaller- -c SensorMacOSInstaller- .cfg -u force -d false -l uninstall.log