How to add the Cylance Uninstall Tool to the Safelist

Description

Environment:

  • Aurora Protect
  • Cylance Removal Tool

Overview:

This knowledge base article describes two techniques for safely running the Cylance Uninstall Tool. Both temporarily allow the tool to execute; it is strongly recommended that the tool is allowed only for as long as the task requires and that the change is reverted as soon as it is complete.

Cause:

Arctic Wolf strongly recommends that use of this tool is enabled only after careful security and risk consideration within your environment. Please adhere to your recommended security procedures for access and operational control.

Workaround:

Tool Hashes:

Tool Name                            SHA256 Hash
CylanceUninstallTool.0.13.7-x64.exe  E920D7A425548815250EBB7516F98CD7A007A5C2F001974DB29928A75E3E847A
CylanceUninstallTool.0.13.7-x86.exe  2D7858B9A97641987835A301AC941C3E3CFC47AAC7832FDF7041E12EF6F6FC16

Option 1: Policy Safe List (Recommended)

The hashes for the Cylance Uninstall Tool have been added to the Global Quarantine List to prevent the tool from being used. This method lets the administrator control exactly which devices will allow the tool to execute (limiting the scope of the change) and makes the change easy to revert.

It is critically important to delete the Cylance Uninstall Tool and its associated files after the operation is complete, and to return the devices to their original Device Policy.

Steps:

Create a copy of the Device Policy applied to the Device, or create a new Device Policy, and give it an appropriate and relevant name (for example, append "Cylance Removal Tool" to the existing name):

  1. Select Device Policy

Create a copy of the Policy:

  1. Select the desired Device Policy
  2. Click the Copy Icon in the top right corner of the screen
  3. Give the copied Device Policy a meaningful name (for this example it will be Servers - Secure Blocking Policy - Safelist)

Assign the copied Device Policy to the intended Devices:

  1. Select Assets -> Devices
  2. Select the intended Devices
  3. Choose Assign Policy
  4. Select the Device Policy (Servers - Secure Blocking Policy - Safelist)
  5. Click Save

Add the appropriate Hashes to the Policy Safe List in the copied Device Policy:

  1. Open the copied Device Policy
  2. Select the Malware Protection Section
  3. Under Policy Safe List select Add File
  4. Add the SHA256 Hash, Filename and Reason
  5. Click Add
  6. Click Save and Close

Ensure the copied Device Policy has been applied to the intended devices:

  1. Return to the Devices View
  2. Validate the intended Device Policy is displayed under the Policy Column

Verify on Device:

  1. Log on to the device
  2. Locate the Aurora icon in the Windows System Tray
  3. Right-click the icon and choose About
  4. Validate that the correct Device Policy has been applied

Manual Policy Update (if required):

  1. Log on to the device
  2. Locate the Aurora icon in the Windows System Tray
  3. Right-click the Aurora icon and choose Update Policy

Ensure the correct Device Policy with the Safelisted Hashes is on the device before proceeding.

Run the Cylance Uninstall Tool and complete the reinstallation of Aurora Protect and Aurora Focus as per the instructions in this article.

***When the task is completed, it is critically important to delete the Cylance Removal Tool and all files associated with this operation, and to return the devices to their original Device Policy.***

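Two checks a device administrator will want around the procedure above: confirming that the downloaded binary really is the tool whose hashes are published in the Tool Hashes section before it is safelisted, and finding and deleting every copy of the tool left on the device once the task is complete (as both options require). The PowerShell below is an added example, not code from this article or from Arctic Wolf; the function names, the download path and the directories listed in the usage comments are assumptions and should be adjusted for your devices. It matches files by SHA256 rather than by name, so a renamed copy is still found.

```powershell
# Added example, not part of the original article. Published SHA256 hashes of the
# Cylance Uninstall Tool (from the Tool Hashes section), keyed by hash so that
# files can be matched regardless of their current file name.
$ExpectedHashes = @{
    'E920D7A425548815250EBB7516F98CD7A007A5C2F001974DB29928A75E3E847A' = 'CylanceUninstallTool.0.13.7-x64.exe'
    '2D7858B9A97641987835A301AC941C3E3CFC47AAC7832FDF7041E12EF6F6FC16' = 'CylanceUninstallTool.0.13.7-x86.exe'
}

function Test-CylanceToolHash {
    # Returns $true only if the file's SHA256 is one of the published tool hashes.
    # Run this before adding the hash to a Policy Safe List or the Global Safe List.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()
    if ($ExpectedHashes.ContainsKey($actual)) {
        Write-Host "OK   $Path matches $($ExpectedHashes[$actual])"
        return $true
    }
    Write-Warning "MISMATCH $Path has SHA256 $actual, which is not a published tool hash. Do not safelist it."
    return $false
}

function Find-CylanceToolCopies {
    # Hashes every file under the given roots and returns those whose SHA256
    # matches a published tool hash (the file name is ignored on purpose).
    param([string[]]$SearchRoots)
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -gt 0 } |
            ForEach-Object {
                $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($h -and $ExpectedHashes.ContainsKey($h)) { $_ }
            }
    }
}

function Remove-CylanceToolCopies {
    # Deletes every copy found and reports each deletion; supports -WhatIf for a preview.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$SearchRoots)
    $copies = @(Find-CylanceToolCopies -SearchRoots $SearchRoots)
    if ($copies.Count -eq 0) {
        Write-Host 'No copies of the Cylance Uninstall Tool found.'
        return
    }
    foreach ($f in $copies) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete Cylance Uninstall Tool copy')) {
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Host "Deleted $($f.FullName)"
        }
    }
}

# Usage (paths are assumptions; adjust for your environment):
# Before safelisting:
#   Test-CylanceToolHash -Path 'C:\Temp\CylanceUninstallTool.0.13.7-x64.exe'
# After the uninstall and reinstallation are complete:
#   $roots = @("$env:USERPROFILE\Downloads", $env:TEMP, 'C:\Temp')
#   Remove-CylanceToolCopies -SearchRoots $roots -WhatIf   # preview what would be deleted
#   Remove-CylanceToolCopies -SearchRoots $roots           # delete the copies
```

Run the cleanup with -WhatIf first to review the list of matches, then without it to delete them; only after the sweep reports no remaining copies should the device be returned to its original Device Policy (Option 1) or the hash moved back to the Global Quarantine List (Option 2).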
Option 2: Global Safe List

The hashes for the Cylance Uninstall Tool have been added to the Global Quarantine List to prevent the tool from being used. This technique moves the tool's hashes from the Global Quarantine List to the Global Safe List, which allows the tool to execute on every device in the tenant. Note that after changes are made to the Global Lists, it can take up to 5 minutes for those changes to reach the devices.

It is critically important to delete the Cylance Uninstall Tool and its associated files after the operation is complete, and to remove the tool's hashes from the Global Safe List.

Steps:

Navigate to the Global Quarantine List:

  1. Select Settings (Gear Icon)
  2. Select Global List

Add Hash to Global Safe List:

  1. Click Safe
  2. Click Add File

Add the SHA256 Hash along with any other desired information:

  1. Enter the SHA256 Hash in the top field
  2. Enter any other desired information
  3. Click Submit

Confirm your intention to move this Hash from the Global Quarantine List to the Global Safe List:

  1. Click Yes

Allow a minimum of 5 minutes for the Global List change to be synchronized to the devices.

Run the Cylance Uninstall Tool and complete the reinstallation of Aurora Protect and Aurora Focus as per the instructions in this article.

After the operation is completed, move the Hash back to the Global Quarantine List:

  1. Select Settings (Gear Icon)
  2. Select Global List
  3. Select Global Quarantine

Add the SHA256 Hash to the Global Quarantine List:

  1. Click Add File
  2. Enter the SHA256 Hash and other meaningful information
  3. Click Submit

Confirm your intention to move the SHA256 Hash to the Global Quarantine List:

  1. Click Yes