EDR: How to uninstall a corrupt Windows sensor

Environment

  • EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • EDR is still listed on the endpoint under Add/Remove Programs in Control Panel and failed to uninstall in the previous attempt.
  • The previous attempt left the sensor physically present on the machine, but it is no longer checking in.

Cause

Corrupt uninstall: the previous removal left behind registry keys and a stale service entry that block a clean uninstall or reinstall.

Resolution

  1. Boot in Safe Mode
  2. Open Registry and delete the following:
    • HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config
    • HKEY_CLASSES_ROOT\Installer\Products\<Product Code of CarbonBlack Sensor>
      • Since the 'Product Code' is uniquely assigned by Windows, the most efficient way of finding the 'Product Code' mentioned above is:
        1. With the Registry open, right-click HKEY_CLASSES_ROOT, then click 'Find'
        2. Type 'carbonblack sensor', then click 'Find Next'
        3. The result should be found under the path above.
        4. If there are no results, search for 'carbon black EDR'
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CarbonBlack
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\carbonblackk
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cbstream
  3. Open appwiz.cpl and select Cb Enterprise Response Sensor
  4. It will prompt that the application is no longer present and ask whether to remove it from the list; confirm to delete the entry.
  5. Open services.msc and select Carbon Black Sensor
  6. It will prompt that the service does not exist. To delete this stale entry, open cmd as admin and type the following:
    • sc delete CarbonBlack
  7. Reboot Machine.
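The following PowerShell script is an added example and is not part of the original article or of the Carbon Black product; it reproduces steps 2 through 6 above so the leftovers can be audited before anything is touched. It locates the installer product key by matching the ProductName value against the three names the article mentions ('carbonblack sensor', 'carbon black EDR', 'VMware Carbon Black'), checks the fixed registry keys from step 2, and only removes them (and the stale service from step 6) when run with -Remove. The script name and the -Remove switch are assumptions introduced here; it must be run from an elevated PowerShell session in Safe Mode.

```powershell
<#
  Added example, not from the original article: reports the registry keys
  and the stale service left behind by a corrupt Carbon Black EDR sensor
  uninstall. Nothing is deleted unless -Remove is passed, and -WhatIf is
  honoured for a dry run. Run elevated, in Safe Mode, as the article says.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # assumed switch name; default is report-only
)

# ProductName values the article says appear under HKCR\Installer\Products,
# depending on the sensor version (older: 'carbonblack sensor', 7.x: 'VMware Carbon Black').
$productNames = @('carbonblack sensor', 'carbon black edr', 'vmware carbon black')

# Fixed registry keys listed in step 2 of the article.
$staticKeys = @(
    'HKLM:\SOFTWARE\CarbonBlack\config',
    'HKLM:\SYSTEM\CurrentControlSet\Services\CarbonBlack',
    'HKLM:\SYSTEM\CurrentControlSet\Services\carbonblackk',
    'HKLM:\SYSTEM\CurrentControlSet\Services\cbstream'
)

# HKCR is not a default PowerShell drive; map it so the installer keys can be read.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Find-SensorProductKey {
    # Walks HKCR\Installer\Products and returns every key whose ProductName
    # contains one of the names above. This replaces the manual 'Find' in step 2.
    Get-ChildItem 'HKCR:\Installer\Products' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProductName
            if ($name) {
                foreach ($n in $productNames) {
                    if ($name.ToLower().Contains($n)) { $_; break }
                }
            }
        }
}

# Collect everything that is actually present on this machine.
$targets = @()
foreach ($k in $staticKeys) {
    if (Test-Path $k) { $targets += $k }
}
foreach ($p in Find-SensorProductKey) {
    $pn = (Get-ItemProperty $p.PSPath).ProductName
    Write-Host ("Installer product key: {0}  (ProductName = {1})" -f $p.PSPath, $pn)
    $targets += $p.PSPath
}
$staleService = Get-Service -Name CarbonBlack -ErrorAction SilentlyContinue

if (-not $targets -and -not $staleService) {
    Write-Host 'No Carbon Black leftovers found.'
    return
}

Write-Host 'Leftover registry keys:'
$targets | ForEach-Object { Write-Host "  $_" }
if ($staleService) { Write-Host 'Stale service entry: CarbonBlack' }

if ($Remove) {
    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess($t, 'Remove registry key')) {
            Remove-Item -Path $t -Recurse -Force
        }
    }
    # Equivalent of "sc delete CarbonBlack" from step 6.
    if ($staleService -and $PSCmdlet.ShouldProcess('CarbonBlack', 'Delete service')) {
        sc.exe delete CarbonBlack | Out-Null
    }
    Write-Host 'Done. Reboot the machine (step 7) before reinstalling the sensor.'
}
```

Run it once without arguments to see what is left behind, then with `-Remove -WhatIf` to preview the deletions, and finally with `-Remove` to perform them. Keeping the report-only default means the output can be attached to the support case before the registry is changed.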

Additional Notes

Recent 7.x sensor versions changed the name stored under HKEY_CLASSES_ROOT\Installer\Products\<Product Code of CarbonBlack Sensor> so that the product is referred to as VMware Carbon Black. Previous versions used carbonblack sensor. Run both searches so the product code is found regardless of the installed version.

Article Information

Creation Date: 08-26-2020