Uninstall Xprotect agents

Uninstall the Xprotect agent from a host when you no longer want to manage the host from Xprotect. You can uninstall the Xprotect agent in the following ways:

  • From the Xprotect UI - select one or more hosts and initiate the uninstall process. This deletes the Xprotect agent files and Policies from the hosts. See Uninstall from Xprotect UI for more details. This is recommended for bulk uninstalls.

  • From the host - copy a CLI uninstall command from the Xprotect UI and run it on the host. This deletes the Xprotect agent files and Policies from the host. The CLI commands vary by OS family and Linux flavor. See Uninstall from host for more details.

As a best practice, initiate the agent uninstall process only when the hosts are reachable from the Xprotect instance (Status=Online on the Hosts page). This ensures a quick and seamless decommissioning of the hosts.

Initiating the uninstall process when a host is not reachable from the instance (Status=Offline or Status=Unreachable) does not uninstall the agent or decommission the host. See Status of the host shows Uninstalling for more details.


What happens when you uninstall the agent

Uninstalling the agent from a host deletes the Xprotect agent files and Policies, and the Xprotect instance will no longer receive heartbeats and telemetry data from the host. The host is decommissioned from the Xprotect instance. 

However, the entries of the decommissioned hosts (Status=Uninstalled) are not deleted from the Hosts page. We retain the entries and all the records of the decommissioned hosts for 7 to 30 days, and only the events, audit logs and fetched files for up to 150 days after that. You can install the agent again on a decommissioned host, and the host's state in Xprotect is restored to what it was when you decommissioned it.

If you do not plan to manage the decommissioned hosts soon, you must delete their entries manually from the Hosts page. See Delete entries of decommissioned hosts for more details.


Uninstall from Xprotect UI

  1. Go to Hosts on the Xprotect UI.

  2. Select one or more hosts and click Uninstall agent (in the floating panel on the top).

  3. From the Approval Source drop-down list, select a reason.

  4. Enter the details about why you want to isolate the file.

  5. Click Uninstall Agent.

    You will see a confirmation on the Xprotect UI when the agent is uninstalled from the hosts. Also, the Hosts page will list the host with Status=Uninstalled.


Uninstall from host

  1. Go to Settings > Agent on the Xprotect UI.

    You will see the Agent Installation page with the details of your instance and the options to download the agent installer file.

  2. Click Show Advanced (below the Download option for the OS on the host).

  3. Copy the uninstall command.

  4. Run the command in the host's CLI utility.

    You will see a confirmation when the agent is uninstalled from the host. Also, the Hosts page will list the host as Status=Uninstalled on the Xprotect UI.


Verify - hosts decommissioned successfully

Here are a couple of ways to verify if a host was decommissioned successfully.

Hosts page

The entry for the host must show Status=Uninstalled. Also, go to Hosts and click the down arrow for the host. You will see Completed next to the Uninstall label.

Files, services, and processes on the host
  • On a Windows host, the xprotect folder must be deleted from C:\Program Files\Colortokens (if the host is also managed by Xshield) or C:\Program Files, and the Task Manager must not list the Xprotect.exe and XprotectUpdater.exe services and processes.

  • On Linux and macOS hosts, the xprotect folder must be deleted from /opt/colortokens (if the host is also managed by Xshield) or from /opt/. Also, the xprotect and xprotect-updater processes must not be running.  


Issue - status of the host shows Uninstalling

If you initiate the agent uninstall process when a host status is Offline or Unreachable, Xprotect schedules the uninstall but cannot reach the host to uninstall the agent. The host status shows Uninstalling until you make the host reachable to Xprotect. The status changes to Uninstalled after the agent is uninstalled.


Issue - cannot uninstall agents from Windows hosts

If you have enabled the Self Protect feature on a Windows host, the local administrator for the host cannot uninstall the agent from the host. To uninstall the agent, you must either disable Self Protect on the host and then uninstall the agent from the host, or uninstall the agent from the Xprotect UI.

See Manage hosts from Xprotect for more details.


Delete entries of decommissioned hosts

Remember that uninstalling agents does not delete the entries of the hosts on the Hosts page. If you do not want to manage decommissioned hosts, you must delete their entries manually.

  1. Filter the Hosts page by Status=Uninstalled. You can include Status=Uninstalling too if you are sure that the unreachable hosts are scheduled for uninstalling and are never going to be managed from this instance.

  2. Select all the decommissioned hosts and click More > Delete Hosts (in the floating panel on the top).
