End-of-Life (EoL)

Uninstall the Cortex® XDR™ Agent for Linux

Learn how to uninstall the Cortex® XDR™ agent from a Linux endpoint.
From Cortex XDR you can uninstall the Cortex XDR agent on a Linux server (see
Uninstall the Cortex XDR Agent
in the Administrator’s Guide for your license version—Cortex XDR Prevent or Cortex XDR Pro). You can also uninstall the agent directly on the server. Successfully uninstalling the Cortex XDR agent program effectively removes the agent from the server.
After you uninstall the agent, your server will no longer be protected by your organization’s security policies in Cortex XDR.
  • Uninstall using package manager.
    1. Depending on your Linux distribution, uninstall the Cortex XDR agent using one of the following commands:
      • For RHEL, CentOS, or Oracle distributions, use the
        yum remove cortex-agent
        or
        rpm —r cortex—agent
        command.
      • For Ubuntu or Debian distributions, use the
        apt—get remove cortex—agent
        command.
      • For SuSE distributions, use the
        zypper rm cortex—agent
        or
        rpm —r cortex—agent
        command.
  • Uninstall using a shell script.
    If you used the shell script to install the Cortex XDR agent, you can use the corresponding uninstall shell script to uninstall the agent. You cannot use the script to uninstall agents installed using other methods.
    1. On the Linux server, run the uninstall.sh script and confirm you want to uninstall the Cortex XDR agent.
      The
      uninstall.sh
      script is located in the
      /opt/traps/scripts
      directory. By default, the script removes all logs, keys, and other files related to the Cortex XDR agent. If you want to preserve the logs, run the uninstall script in light mode using the
      —l
      option.
      To use the uninstall script, you must run it from the default location in the scripts directory, and as root or with root permissions.
      root@ubuntu:/$
      /opt/traps/scripts/uninstall.sh
      This operation will uninstall Cortex XDR agent, are you sure? [y/N]:
      y
      [1] Shutting down Cortex XDR services Done [2] Waiting on active AppArmor policy updates Done [3] Removing AppArmor policies * cortex xdr Done [4] Stopping Cortex XDR security services (systemd) Removed symlink /etc/systemd/system/multi-user.target.wants/traps_trapsd.service. Removed symlink /etc/systemd/system/multi-user.target.wants/traps_pmd.service. Removed symlink /etc/systemd/system/multi-user.target.wants/traps_authorized.service. Done [5] Removing Cortex XDR agent Done
    2. Confirm that the agent is no longer installed.
      From the Linux server you can verify the removal of the traps folder in /opt/. From Cortex XDR, you can also verify that the server was removed from the
      Endpoints
      page.

Recommended For You