Issue
Instructions needed with available options for uninstalling the Carbon Black EDR (formerly CB Response) sensor from each OS.
Environment
Carbon Black EDR (formerly CB Response)
Resolution
Before you get started, document your Tamper Override Password for each Sensor Group, which can be used as a global passphrase to uninstall any lingering, uncommunicative, or corrupt sensors from your endpoints. Your current code can found or generated under Sensors > Edit Sensor Group > Advanced > Tamper Protection Level > Show.
If migrating away from Carbon Black as your EDR vendor, it is recommended to set Tamper Protection Level under each of your sensor groups to Detection or Disabled to simplify removal of lingering sensors. Failure to do so may result in complications uninstalling sensors after access to the EDR console has been revoked.
Windows
- Uninstall from the Carbon Black EDR console (preferred)
- Uninstall Windows Sensor via Add/Remove Programs or Local Uninstaller
- Uninstall Windows Sensor via Command Prompt
- Uninstall Windows Sensor if also using App Control
- Uninstall Windows Sensor if Tamper Override Password is Unavailable
- Uninstall a Corrupt Windows Sensor (last resort)
macOS
Linux
Cause
Only Windows and macOS sensors can be uninstalled from the Carbon Black EDR console, while Linux requires a command line uninstall. Any command line uninstall methods provided in these links can be used in scripts and pushed to endpoints using your preferred software deployment utility.
Click here to learn more about endpoint threat protection with Red Canary