Follow the latest information and updates available on the FireEye and SolarWinds situations here.

Carbon Black Cloud: How to clean up Windows Sensor remnants using Sensor Removal Tool after failed uninstall

Carbon Black Cloud: How to clean up Windows Sensor remnants using Sensor Removal Tool after failed uninstall

Environment

  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Objective

This document describes how to clean up leftover artifacts of the Carbon Black Cloud sensor from a Windows machine in the event that the normal uninstall procedures have not worked

Resolution

ALWAYS run this tool using the Company Deregistration Code (if required)!

Prerequisites

  • The tool is not designed to uninstall a Carbon Black Cloud Windows Sensor, but rather to clean up application remnants left over from an incomplete/failed uninstallation
  • The main use-case for this tool is for when the normal uninstall methods fail
  • This should not be used by default, even after running the uninstaller, unless there are issues removing the product or updating the sensor to a newer version
  • The Sensor Removal Tool (SRT) should always be run with the endpoint in Safe Mode for best results
  • The Company Deregistration Code should always be used with the SRT for Sensors 3.1.x.x and higher

Steps (3.4 and above)

  1. Download the "SensorRemovalTool.zip" file found here
  2. Unzip the file
  3. Boot into Safe Mode
  4. Use the SRT that is appropriate for the Sensor version installed (see chart below)
    SRT VersionSRT NameApplicable Sensor VersionsRemoval Command
    64-bit v3.6.0.1672Sensor3.6.0.1672RemovalToolx64.exe2.0.x - 3.5.0.xSensor3.6.0.1672RemovalToolx64.exe /cleanup <uninstall code>
    32-bit v3.6.0.1672Sensor3.6.0.1672RemovalToolx86.exe2.0.x - 3.5.0.xSensor3.6.0.1672RemovalToolx86.exe /cleanup <uninstall code>
  5. Execute the the applicable removal command (see chart above)
  6. Boot into Normal mode and run this tool again to complete removal of the sensor
  7. Reboot one final time to complete sensor removal
  8. Verify in Enrollment page in Cb Defense Dashboard that the device has moved to Deregistered status
  9. If the device still shows as Active or Inactive, check the box for the machine on the Enrollment page, select Take Action -> Uninstall. The device will move to Deregistered
Steps (3.3 and below)
  1. Download the "SensorRemovalTool.zip" file found here
  2. Unzip the file
  3. Use the SRT that is appropriate for the Sensor version installed (see chart below)
  4. Right click on program, "cmd", and select "Run as Administrator"
  5. Execute the the applicable removal command (see chart below)
    SRT VersionSRT NameApplicable Sensor VersionsRemoval Command
    64-bit v1.0Sensor10RemovalToolx64.exe1.0.7.xSensor10RemovalToolx64.exe /cleanup
    32-bit v1.0Sensor10RemovalToolx86.exe1.0.7.xSensor10RemovalToolx86.exe /cleanup
    64-bit v3.6.0.1672Sensor3.6.0.1672RemovalToolx64.exe2.0.x - 3.5.0.xSensor3.6.0.1672RemovalToolx64.exe /cleanup /force <uninstall code>
    32-bit v3.6.0.1672Sensor3.6.0.1672RemovalToolx86.exe2.0.x - 3.5.0.xSensor3.6.0.1672RemovalToolx86.exe /cleanup /force <uninstall code>
  6. Verify in Enrollment page in Cb Defense Dashboard that the device has moved to Deregistered status
  7. If the device still shows as Active or Inactive, check the box for the machine on the Enrollment page, select Take Action -> Uninstall. The device will move to Deregistered
     

Additional Notes

  • Carbon Black Cloud Sensor (formerly CB Defense) 3.4.x.x and higher installed on Windows 10 v1703 (Redstone 2) or higher will still require the SRT to be run in Safe Mode
    1. Boot into Safe Mode
    2. Execute the applicable removal command (see chart above)
    3. Boot normally
    4. Execute the applicable removal command (see chart above)
    5. Reboot normally to complete Sensor removal
  • If, after following the instructions, as described in this document, the sensor does not properly uninstall, or if the device still shows up as Active or Inactive, but not Deregistered in the Endpoints page of the PSC Console, please perform the following steps:
    1. Copy and paste the SRT output from the command prompt to a txt file
    2. Collect the following log: C:\Users\<username>\AppData\Local\Temp\srt-msi.log
    3. Go to https://community.carbonblack.com/t5/Getting-Started-in-Your-Support/How-To-Open-a-Support-Case-In-t... open a case and receive further assistance
  • SHA-256 hashes of the SRT
    FilenameHash
    confer-clean-up/SensorRemovalTool.exe60339d3fe1e07cb676f8d32d7e8f56150fa5c5a3cdc708d87776b8e81648d8bd
    SensorRemovalTool/Sensor10RemovalToolx64.exec8fe7084ecce6841c795a922e431cdfa59212676947e6823ec722d148e6f47d6
    SensorRemovalTool/Sensor10RemovalToolx86.exe892be182352d2d086ac508627f5bb4bf5cf465bf473c48b303e3d1e47d29470c
    SensorRemovalTool/Sensor3.6.0.1672RemovalToolx64.exebb4ad91c0331f44fb5d45be7f865cfa62105bfd82a5edbdd17a9dd5e70b4fe92
    SensorRemovalTool/Sensor3.6.0.1672RemovalToolx86.exe7daef7d7ac578d27288c997f28025d33dafbeae68f2c12047a0439435f4abdef

Related Content


Was this article helpful? Yes No
82% helpful (9/11)
Article Information
Author:
Creation Date:
‎12-13-2018
Views:
47272