Cylance - Uninstalling Agent

Description

Uninstalling the CylancePROTECT Agent does NOT remove the device from the Cylance tenant.

  • Please be certain to remove the uninstalled device(s) from the Cylance tenant to avoid them being included in the next monthly invoice.

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

Table of Contents

Uninstalling Focus/CylanceOPTICS

Windows - Focus/OPTICS Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

Uninstalling Focus/OPTICS using Add/Remove programs.

  1. Select Start > Control Panel.
  2. Click Uninstall a Program. If you have Icons selected instead of Categories, click Programs and Features.
  3. Select Focus/Cylance OPTICS, then click Uninstall.

Uninstalling Focus/OPTICS with command line

MacOS - OPTICS Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

Uninstall Focus/OPTICS from Finder > Applications

  • Navigate to the install directory under Applications
    • In the Cylance folder look for and run the Uninstaller

Uninstalling Focus/OPTICS with command line

Linux - Focus/OPTICS Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

Uninstalling Focus/OPTICS

Uninstalling CylancePROTECT

 OPTICS should be uninstalled before uninstalling PROTECT.

  • If OPTICS is not installed, then proceed with uninstalling PROTECT.

 The Cylance agent does not require a system reboot when it is uninstalled.

  • However, the agent uses msiexec to uninstall and there are some events, unrelated to the agent, that require msiexec to reboot the system.
    • If one of these event occurs during a session when the agent is uninstalled, then the system must be rebooted to complete the uninstall.

If USB Device Control has been enabled, Windows Installer will prompt for a reboot when uninstalling the agent.

  • To avoid an unexpected restart when using quiet, hidden, or passive commands to uninstall:
    • Add the /norestart parameter to your uninstall command.
  • Restart the system at a planned time to fully complete the uninstall.

Windows - PROTECT Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

 If a Windows device cannot communicate with the Cylance console to receive the Default policy.

  • Use the steps at the following link to unlink the agent from the device side, then restart the device for the agent to revert to the Default policy.
    • Cylance: Protect - Offline Mode Issue

 

Uninstalling PROTECT using Add/Remove programs.

  1. Select Start > Control Panel.
  2. Click Uninstall a Program. If you have Icons selected instead of Categories, click Programs and Features.
  3. Select Cylance Protect, then click Uninstall.

Uninstalling PROTECT with Command Line

Complete the following steps to uninstall CylancePROTECT using the Command Line

  • Launch Command Prompt as Administrator
    • Select Start and type cmd in the Search field.
    • Right-click cmd.exe and select Run as administrator.
  • Use one of the following uninstall command options based on the installation package originally used to install the agent: 

 

  • Product ID GUID
    • Standard uninstall:
      • msiexec /uninstall {2E64FC5C-9286-4A31-916B-0D8AE4B22954}
    • Windows Installer:
      • msiexec /x {2E64FC5C-9286-4A31-916B-0D8AE4B22954}

 

  • CylancePROTECT_x64.msi
    • Standard uninstall:
      • msiexec /uninstall CylancePROTECT_x64.msi
    • Windows Installer:
      • msiexec /x CylancePROTECT_x64.msi

 

  • CylancePROTECT_x86.msi
    • Standard uninstall:
      • msiexec /uninstall CylancePROTECT_x86.msi
    • Windows Installer:
      • msiexec /x CylancePROTECT_x86.msi

 

  • Optional Parameters
    • For quiet uninstall:
      • /quiet
    • For quiet and hidden:
      • /qn
    • For displaying a progress bar with no interactive prompts:
      • /passive
    • For preventing a restart after uninstalling:
      • /norestart
    • For password protected uninstall:
      • UNINSTALLKEY=<password>
    • For uninstall log file:
      • /L*vx <path>
        • Note: This creates a log file at the designated <path>. Include the filename.
          • Example:
            • /L*vx c:\Temp\CyUninstall.log

 

  • CylancePROTECTSetup.exe
    • CylancePROTECTSetup.exe /uninstall
  • Optional Parameters
    • For quiet uninstall:
      • /quiet
    • For password protected uninstall:
      • UNINSTALLKEY=<password>
    • For uninstall log file:
      • /l <path>
        • Note: This creates a log file at the designated <path>. Include the filename.
          • Example:
            • /l C:\Temp\CyUninstall.log

MacOS - PROTECT Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

Uninstalling Protect (Uninstaller)

  • Navigate to the install directory under Applications
    • In the Cylance folder look for and run the Uninstaller

Uninstalling Protect with Terminal Command

  • The following is the uninstall command without a password:
    • sudo /Applications/Cylance/Uninstall\ CylancePROTECT.app/Contents/MacOS/Uninstall\ CylancePROTECT
  • The following is the uninstall command with an uninstall password:
    • sudo /Applications/Cylance/Uninstall\ CylancePROTECT.app/Contents/MacOS/Uninstall\ CylancePROTECT --password=<password>
    • If the uninstall password set in the Cylance tenant is unknown:
      • Use the following to stop the service: 
        • sudo launchctl unload /Library/LaunchDaemons/com.cylance.agent_service.plist
      • Use the following to delete the values.xml file:
        • sudo rm /Library/Application\ Support/Cylance/Desktop/registry/LocalMachine/Software/Cylance/Desktop/values.xml
      • Use the following to rerun the uninstaller:
        • sudo /Applications/Cylance/Uninstall\ CylancePROTECT.app/Contents/MacOS/Uninstall\ CylancePROTECT
  • The following is the uninstall command for a silent uninstallation:
    • sudo /Applications/Cylance/Uninstall\ CylancePROTECT.app/Contents/MacOS/Uninstall\ CylancePROTECT --noui

Linux - PROTECT Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

 

Be sure to both uninstall the “agent” and then the “drivers”

  1. Use one of the following commands to uninstall the agent:
    1. RHEL/CentOS:
      1. rpm -e $(rpm -qa | grep -i cylance)
    2. Ubuntu/Debian
      1. dpkg -P cylance-protect cylance-protect-ui cylance-protect-driver cylance-protect-open-driver
    3. Amazon Linux 2/SUSE:
      1. rpm -e $(rpm -qa | grep -i cylance)
  2. Use one of the following commands to uninstall the drivers:
    1. RHEL/CentOS:
      1. rpm -e CylancePROTECTDriver CylancePROTECTOpenDriver
    2. Ubuntu/Debian
      1. dpkg -P cylance-protect-driver cylance-protect-open-driver
    3. Amazon Linux 2:
      1. rpm -e CylancePROTECTDriver-<package_version>.amzn2.x86_64
      2. rpm -e CylancePROTECTOpenDriver-<package_version>.amzn2.86_64

 

Uninstall Cleanup Tool - Windows - PROTECT and OPTICS

  • This cleanup method should only be used if all normal uninstall methods are failing.
  • Please open an Aurora Cylance SonicSentry Support Ticket using the link below to request the latest Aurora Cylance cleanup tool procedures and files required to cleanup the existing agent installations:

 

Related Articles

  • Cylance - Support Collection Tool
    Read More
  • Policy Naming Structure
    Read More
  • SOC Alert Processing Summary
    Read More

Categories

Managed Security Services
Endpoint Managed Detection and Response
MDR for Cylance
not finding your answers?
Ask the Community
Chat
Cylance - Uninstalling Agent