Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: Uninstall Windows Sensor if Protection Password has Changed

EDR: Uninstall Windows Sensor if Protection Password has Changed

Environment

  • EDR Windows Sensors: 7.2+

Objective

Uninstall a Windows sensor while in Tamper Protection mode and the password has changed or was deleted.

Resolution

A)  If a tamper protection password was changed, the older password may reside in History.
1.  In the EDR Console > Sensors > Group > Settings > Advanced > Tamper Override Password.  Click History to list the recent passwords.
2.  The command to disable tamper protection is:
C:\Windows\CarbonBlack\CbEDRCLI.exe <override_password>
3.  Uninstall Carbon Black sensor from a directory outside of Carbon Black's directory.
C:\Windows\CarbonBlack\uninst.exe

B)  If the tamper protect password was deleted.
1. Disable Microsoft Protection API via Safe Mode.
a.  From the login page, hold down the Shift key + select Power > Restart.    Keep holding down the Shift key past reboot until a screen with options appears.
b.  Select "Troubleshoot" block.
c.  Select "Advanced Options" block.
d.  Select "Startup Settings" block.
e.  Read the options carefully as they may have changed.  Select the option similar to "Disable early launch anti-malware protection".  It was option 8 as of this writing.
2.  The system reboots and tamper protection should be removed. 
3.  Uninstall Carbon Black sensor.
C:\Windows\CarbonBlack\uninst.exe


 

Related Content


Labels (1)
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎11-02-2022
Views:
187
Contributors