Uninstall the Cortex XDR Agent for Linux - 7.9 - 7.8 - Cortex XDR - Cortex XDR Agent - Cortex - Security Operations

Cortex XDR Agent Administrator Guide

Product
Cortex XDR
Cortex XDR Agent
Version
7.7
Creation date
2022-08-31
Last date published
2023-01-04
End_of_Life
EoL
Category
Administrator Guide

From Cortex XDR you can uninstall the Cortex XDR agent on a Linux server (see Uninstall the Cortex XDR Agent in the Administrator’s Guide for your license version (Cortex XDR Prevent Administrator Guide— or Cortex XDR Pro Administrator Guide). You can also uninstall the agent directly on the server. Successfully uninstalling the Cortex XDR agent program effectively removes the agent from the server.Cortex XDR Prevent Administrator GuideCortex XDR Pro Administrator Guide

After you uninstall the agent, your server will no longer be protected by your organization’s security policies in Cortex XDR.

  1. Uninstall using package manager.

    1. Depending on your Linux distribution, uninstall the Cortex XDR agent using one of the following commands:

      • For RHEL, CentOS, or Oracle distributions, use the yum remove cortex-agent or rpm —e cortex—agent command.

      • For Ubuntu or Debian distributions, use the apt—get remove cortex—agent command.

      • For SuSE distributions, use the zypper rm cortex—agent or rpm —e cortex—agent command.

  2. Uninstall using a shell script.

    If you used the shell script to install the Cortex XDR agent, you can use the corresponding uninstall shell script to uninstall the agent. You cannot use the script to uninstall agents installed using other methods.

    1. On the Linux server, run the uninstall.sh script and confirm you want to uninstall the Cortex XDR agent.

      The uninstall.sh script is located in the /opt/traps/scripts directory. By default, the script removes all logs, keys, and other files related to the Cortex XDR agent. If you want to preserve the logs, run the uninstall script in light mode using the —l option.

      Note

      To use the uninstall script, you must run it from the default location in the scripts directory, and as root or with root permissions.

      								root@ubuntu:/$
      								/opt/traps/scripts/uninstall.sh
      								This operation will uninstall Cortex XDR agent, are you sure? [y/N]:
      								y
      								[1] Shutting down Cortex XDR services
      								Done
      								[2] Waiting on active AppArmor policy updates
      								Done
      								[3] Removing AppArmor policies
      								* cortex xdr
      								Done
      								[4] Stopping Cortex XDR security services (systemd)
      								Removed symlink /etc/systemd/system/multi-user.target.wants/traps_trapsd.service.
      								Removed symlink /etc/systemd/system/multi-user.target.wants/traps_pmd.service.
      								Removed symlink /etc/systemd/system/multi-user.target.wants/traps_authorized.service.
      								Done
      								[5] Removing Cortex XDR agent
      								Done
      							
    2. Confirm that the agent is no longer installed.

      From the Linux server you can verify the removal of the traps folder in /opt/. From Cortex XDR, you can also verify that the server was removed from the Endpoints page.