Cylance - Uninstalling Agent

Description

Uninstalling the CylancePROTECT Agent does NOT remove the device from the Cylance tenant.

  • Please be certain to remove the uninstalled device(s) from the Cylance tenant to avoid them being included in the next monthly invoice.

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

 

Uninstalling CylanceOPTICS

Windows - OPTICS Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

Uninstalling OPTICS using Add/Remove programs.

  1. Select Start > Control Panel.
  2. Click Uninstall a Program. If you have Icons selected instead of Categories, click Programs and Features.
  3. Select Cylance OPTICS, then click Uninstall.

Uninstalling OPTICS with command line

MacOS - OPTICS Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

Uninstall OPTICS from Finder > Applications

  • Navigate to the install directory under Applications
    • In the Cylance folder look for and run the Uninstaller

Uninstalling OPTICS with command line

Linux - OPTICS Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

Uninstalling OPTICS

Uninstalling CylancePROTECT

 OPTICS should be uninstalled before uninstalling PROTECT.

  • If OPTICS is not installed, then proceed with uninstalling PROTECT.

 The Cylance agent does not require a system reboot when it is uninstalled.

  • However, the agent uses msiexec to uninstall and there are some events, unrelated to the agent, that require msiexec to reboot the system.
    • If one of these event occurs during a session when the agent is uninstalled, then the system must be rebooted to complete the uninstall.

If USB Device Control has been enabled, Windows Installer will prompt for a reboot when uninstalling the agent.

  • To avoid an unexpected restart when using quiet, hidden, or passive commands to uninstall:
    • Add the /norestart parameter to your uninstall command.
  • Restart the system at a planned time to fully complete the uninstall.

Windows - PROTECT Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

 If a Windows device cannot communicate with the Cylance console to receive the Default policy.

  • Use the steps at the following link to unlink the agent from the device side, then restart the device for the agent to revert to the Default policy.
    • Cylance: Protect - Offline Mode Issue

Uninstalling PROTECT using Add/Remove programs.

  1. Select Start > Control Panel.
  2. Click Uninstall a Program. If you have Icons selected instead of Categories, click Programs and Features.
  3. Select Cylance Protect, then click Uninstall.

Uninstalling PROTECT with Command Line

Complete the following steps to uninstall CylancePROTECT using the Command Line

  • Launch Command Prompt as Administrator
    • Select Start and type cmd in the Search field.
    • Right-click cmd.exe and select Run as administrator.
  • Use one of the following uninstall command options based on the installation package originally used to install the agent: 
  • Product ID GUID
    • Standard uninstall:
      • msiexec /uninstall {2E64FC5C-9286-4A31-916B-0D8AE4B22954}
    • Windows Installer:
      • msiexec /x {2E64FC5C-9286-4A31-916B-0D8AE4B22954}
  • CylancePROTECT_x64.msi
    • Standard uninstall:
      • msiexec /uninstall CylancePROTECT_x64.msi
    • Windows Installer:
      • msiexec /x CylancePROTECT_x64.msi
  • CylancePROTECT_x86.msi
    • Standard uninstall:
      • msiexec /uninstall CylancePROTECT_x86.msi
    • Windows Installer:
      • msiexec /x CylancePROTECT_x86.msi
  • Optional Parameters
    • For quiet uninstall:
      • /quiet
    • For quiet and hidden:
      • /qn
    • For displaying a progress bar with no interactive prompts:
      • /passive
    • For preventing a restart after uninstalling:
      • /norestart
    • For password protected uninstall:
      • UNINSTALLKEY=<password>
    • For uninstall log file:
      • /L*vx <path>
        • Note: This creates a log file at the designated <path>. Include the filename.
          • Example:
            • /L*vx c:\Temp\CyUninstall.log
  • CylancePROTECTSetup.exe
    • CylancePROTECTSetup.exe /uninstall
  • Optional Parameters
    • For quiet uninstall:
      • /quiet
    • For password protected uninstall:
      • UNINSTALLKEY=<password>
    • For uninstall log file:
      • /l <path>
        • Note: This creates a log file at the designated <path>. Include the filename.
          • Example:
            • /l C:\Temp\CyUninstall.log

MacOS - PROTECT Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

Uninstalling Protect (Uninstaller)

  • Navigate to the install directory under Applications
    • In the Cylance folder look for and run the Uninstaller

Uninstalling Protect with Terminal Command

  • The following is the uninstall command without a password:
    • sudo /Applications/Cylance/Uninstall\ CylancePROTECT.app/Contents/MacOS/Uninstall\ CylancePROTECT
  • The following is the uninstall command with an uninstall password:
    • sudo /Applications/Cylance/Uninstall\ CylancePROTECT.app/Contents/MacOS/Uninstall\ CylancePROTECT --password=<password>
    • If the uninstall password set in the Cylance tenant is unknown:
      • Use the following to stop the service: 
        • sudo launchctl unload /Library/LaunchDaemons/com.cylance.agent_service.plist
      • Use the following to delete the values.xml file:
        • sudo rm /Library/Application\ Support/Cylance/Desktop/registry/LocalMachine/Software/Cylance/Desktop/values.xml
      • Use the following to rerun the uninstaller:
        • sudo /Applications/Cylance/Uninstall\ CylancePROTECT.app/Contents/MacOS/Uninstall\ CylancePROTECT
  • The following is the uninstall command for a silent uninstallation:
    • sudo /Applications/Cylance/Uninstall\ CylancePROTECT.app/Contents/MacOS/Uninstall\ CylancePROTECT --noui

Linux - PROTECT Uninstall

 Before Uninstalling

  • Make sure all Agents you want to uninstall are using the Default policy prior to attempting to uninstall.
    • This makes sure the devices are NOT using Prevent service shutdown from device or Application Control.
      • If enabled, these features can prevent the Agent from successfully uninstalling.
    • Remove the device from your Cylance tenant after the agent has been successfully uninstalled.

 

Be sure to both uninstall the “agent” and then the “drivers”

  1. Use one of the following commands to uninstall the agent:
    1. RHEL/CentOS:
      1. rpm -e $(rpm -qa | grep -i cylance)
    2. Ubuntu/Debian
      1. dpkg -P cylance-protect cylance-protect-ui cylance-protect-driver cylance-protect-open-driver
    3. Amazon Linux 2/SUSE:
      1. rpm -e $(rpm -qa | grep -i cylance)
  2. Use one of the following commands to uninstall the drivers:
    1. RHEL/CentOS:
      1. rpm -e CylancePROTECTDriver CylancePROTECTOpenDriver
    2. Ubuntu/Debian
      1. dpkg -P cylance-protect-driver cylance-protect-open-driver
    3. Amazon Linux 2:
      1. rpm -e CylancePROTECTDriver-<package_version>.amzn2.x86_64
      2. rpm -e CylancePROTECTOpenDriver-<package_version>.amzn2.86_64

 

Uninstall Cleanup Tool - Windows - PROTECT and OPTICS

 This cleanup method should only be used if all normal uninstall methods are failing.

  • The system MUST be rebooted after a successful cleanup is run prior to reinstalling CylancePROTECT.

 Prior to running the Cylance Cleanup Tool check the device to see if it has Windows Bitlocker encryption enabled.

The Cylance cleanup tool removes Cylance from Windows ELAM and AMPPL services. If it has difficulty unregistering some components you may encounter a boot issue on the device which will also prompt for the BitLocker key.

 

Download the cleanup file:

 

Running as NT AUTHORITY\SYSTEM (Recommended)

When possible, it is recommended to run the tool using the ‘NT AUTHORITY\SYSTEM’ account using psexec.

NOTE: In some cases, the script will require a reboot and rerun of the script.

  • Check the Exit Code to determine if the removal was successful and/or if a reboot and another run of the tool is needed.
  • The system MUST be rebooted after a successful cleanup is run prior to reinstalling CylancePROTECT.

 

  1. Make sure you have PsExec available/installed on the device, or another method of running the tool as NT AUTHORITY\SYSTEM.
    1. PsExec is available from Microsoft at the following link.
      1. PsExec - Sysinternals | Microsoft Learn
  2. Launch Command Prompt as Administrator.
  3. Run the following command to utilize psexec and run the tool as NT AUTHORITY\SYSTEM.
    1. C:\<Path>\psexec.exe -accepteula -i -s C:\<Path>\CylanceUninstallToolx64.exe -r
  4. A log of the cleanup activity and Exit Code will be available at the following location.
    1. C:\Windows\Temp\Cylance_Removal_Tool_<Date>\

 

Running as Administrator:

If running as NT AUTHORITY\SYSTEM is not possible, you can use the following steps to run as Administrator.

NOTE: In most cases, the script will require a reboot and rerun of the script.

  • Check the Exit Code to determine if the removal was successful and/or if a reboot and another run of the tool is needed.
  • The system MUST be rebooted after a successful cleanup is run prior to reinstalling CylancePROTECT.

 

  1. Launch Command Prompt (CMD) as Administrator.
  2. Use the following command to run the Cleanup Script.
    1. C:\<Path>\CylanceUninstallToolx64.exe -f -r
  3. A log of the cleanup activity and Exit Code will be available at the following location.
    1. C:\Users\<username>\AppData\Local\Temp\Cylance_Removal_Tool_<Date>\

Exit Codes:

  • Exit 0 - Script finished successfully.
  • Exit 1 - Script Finished but services are still running. A restart and re-run of the script is required.
  • Exit 2 - Script Finished but some files are in use. A restart before reinstall is required.
  • Exit 3 - A restart is required prior to reinstallation of Protect. (The system should always be restarted prior to reinstallation of PROTECT anyways).
  • Exit 4 - Free Memory: xx MB is less than the required 400 MB.
  • Exit 5 - It looks like you didn't call the executable with the appending .exe.
  • Exit 6 - Caught exception with creating the output directory.
  • Exit 7 - You are running a x86 version of PowerShell on Windows x64. Registry cleanup may fail. Please switch to x64 version of PowerShell.
  • Exit 8 - DisableRegistryTools GPO is enabled. No changes can be made in the registry (force exits in all cases).
  • Exit 9 - Invalid safemode flag (force exits in all cases).
  • Exit 10 - An error occurred with backup/restore (force exits in all cases).
  • Exit 11 - Exception caught while setting Protect SelfProtectionLevel (force exits in all cases).
  • Exit 12 - Failed to create HKEY_CLASSES_ROOT keys (force exits in all cases).
  • Exit 13 - Failed to re-enable Windows Defender (force exits in all cases).
  • Exit 14 - Tool Requires Powershell 3+ to be installed
  • Exit 15 - The current version of the script has been blacklisted. Please check for an updated version.
  • Exit 16 - The Script requires you to run as NT Authority\System or add the -f switch.
  • Exit 17 - Another installation/uninstall is already in progress. Complete that installation before proceeding with this uninstall.

 

Additional Switches:

      • -h = Help. Shows help dialog
        • CylanceUninstallToolx64.exe -h
      • -u = Uninstall Password.  Use to pass in an uninstall password if necessary.  Must wrap in double quotes.
        • CylanceUninstallToolx64.exe -r -u "UninstallPasword"
      • -c = Partial Cleanup. ProgramData is backed up and restored. This should not be used unless advised.
        • CylanceUninstallToolx64.exe -r -c
      • -r = Remove.  Takes the app out of safe mode and removes Protect and Optics.
        • CylanceUninstallToolx64.exe -r
      • -p = Pause.  Will pause the script before finishing.  This is optional.
        • CylanceUninstallToolx64.exe -r -p
      • -S = Silent. Runs the program in Silent mode, minimizing window popups and similar (Note to silence the SFX Extraction a -y is also required)
        • CylanceUninstallToolx64.exe -r -S
      • -l = Logging, Saves the log to a file on disk. Specify a folder path, or default will be TEMP.
        • CylanceUninstallToolx64.exe -r -l C:\<Log_Folder_Path>
      • -f = Force run when only Admin. The program should be run as System. This option allows the user to attempt to run without being System.
        • CylanceUninstallToolx64.exe -f -r
      • -T = Trace, Sets logging level to its highest level.
        • CylanceUninstallToolx64.exe -r -T
      • -q = Quiet Logging. Sets logging level to the lowest level.
        • CylanceUninstallToolx64.exe -r -q

Related Articles

  • NDR: Virtual Sensor Deployment (KVM)
    Read More
  • NDR: Virtual Sensor Deployment (Hyper-V)
    Read More
  • NDR: Virtual Sensor Deployment (VMware)
    Read More

Categories

Managed Security Services
Endpoint Managed Detection and Response
MDR for Cylance
not finding your answers?
Ask the Community
was this article helpful?
YesNo