Uninstall the Traps Agent for Linux

Traps Agent Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 5.0
Creation date: 2022-09-01
Last date published: 2023-01-04
Category: Administrator Guide

From the Traps management service, you can uninstall the Traps agent on a Linux server (see Uninstall the Traps Agent in the Traps Management Service Administrator’s Guide). You can also uninstall the agent directly on the server. Successfully uninstalling the Traps program effectively removes the Traps agent from the server. On Linux servers, you can use the uninstall.sh script found in the /opt/traps/scripts directory to uninstall Traps. After you uninstall the agent, your server will no longer be protected by your company’s security policies.

  1. On the Linux server, run the uninstall.sh script and confirm that you want to uninstall Traps.

    By default, the script removes all logs, keys, and other files related to the Traps agent. If you want to preserve the logs, run the uninstall script in light mode using the -l option.

    Note

    To use the uninstall script, you must run it from the default location in the scripts directory.

    root@ubuntu:/$ /opt/traps/scripts/uninstall.sh
    This operation will uninstall Traps, are you sure? [y/N]: y
    [1] Shutting down Traps services
    Done
    [2] Waiting on active AppArmor policy updates
    Done
    [3] Removing AppArmor policies
      * traps
    Done
    [4] Stopping Traps security services (systemd)
    Removed symlink /etc/systemd/system/multi-user.target.wants/traps_trapsd.service.
    Removed symlink /etc/systemd/system/multi-user.target.wants/traps_pmd.service.
    Removed symlink /etc/systemd/system/multi-user.target.wants/traps_authorized.service.
    Done
    [5] Removing Traps
    Done
  2. Confirm that the Traps agent is no longer installed.

    From the Linux server you can verify the removal of the traps folder in /opt/. From the Traps management service, you can also verify that the server was removed from the Endpoints page.
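
A post-uninstall check for step 2, as an added example that is not part of the vendor guide: it looks for the /opt/traps folder, the three systemd unit symlinks, and the AppArmor profile named in the uninstall output above. The function name, the root-prefix argument and the --check switch are assumptions made for this example, as is the AppArmor profile appearing as "traps" in the kernel's loaded-profiles list.

```shell
#!/bin/sh
# Added example (not vendor code): look for Traps agent residue after uninstall.sh.
# Paths and unit names are taken from the uninstall output on this page.
# $1 is a hypothetical root prefix (empty = live system, or a mounted image).
check_traps_removed() {
    root="${1:-}"
    leftovers=0

    # Step 2: the traps folder in /opt/ must be gone.
    if [ -e "$root/opt/traps" ]; then
        echo "LEFTOVER: $root/opt/traps"
        leftovers=$((leftovers + 1))
    fi

    # The unit symlinks that step [4] of the output reports as removed.
    wants="$root/etc/systemd/system/multi-user.target.wants"
    for unit in traps_trapsd traps_pmd traps_authorized; do
        # -L also catches a dangling symlink, which -e alone would miss.
        if [ -e "$wants/$unit.service" ] || [ -L "$wants/$unit.service" ]; then
            echo "LEFTOVER: $wants/$unit.service"
            leftovers=$((leftovers + 1))
        fi
    done

    # Step [3]: assumes the loaded AppArmor profile is named "traps" as in the
    # output; the kernel lists loaded profiles as "name (mode)". Needs root.
    profiles="$root/sys/kernel/security/apparmor/profiles"
    if [ -r "$profiles" ] && grep -q '^traps ' "$profiles"; then
        echo "LEFTOVER: AppArmor profile 'traps' still loaded"
        leftovers=$((leftovers + 1))
    fi

    [ "$leftovers" -eq 0 ] && echo "OK: no Traps residue found under ${root:-/}"
    [ "$leftovers" -eq 0 ]
}

# Run against the live system only when invoked as: script.sh --check [ROOT]
if [ "${1:-}" = "--check" ]; then
    check_traps_removed "${2:-}"
    exit $?
fi
```

A non-zero exit status means at least one of the listed items survived the uninstall.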