Skip to content

Uninstalling/Disabling SentinelOne

Due to the tamper protection feature in the SentinelOne agent, the easiest way to uninstall or disable the agent is to open a ticket with the SolCyber SOC. We will send an uninstallor disable command to the device. In instances when the device in question is offline or otherwise unreachable by the SentinelOne console, local uninstalls/disable can be performed, but each device’s unique passphrase is required to complete the action due to the tamper protection. The SolCyber SOC can provide you with the passphrase.

Windows#

Disabling the SentinelOne Agent#

When encountering interoperability issues that you believe are caused by SentinelOne, try disabling the agent in order to troubleshoot.

  1. Run Command Prompt as as Administrator.
  2. cd "Program Files\SentinelOne\Sentinel Agent <full_version>", where full_version is the version of the agent, for example: 12.6.4.5961 - you can use TAB to let cmd auto-complete pathnames)
  3. run the following commands:
text
sentinelctl.exe unload -a -m -k "The agent Passphrase"
 
sentinelctl unprotect -k "The agent Passphrase"

A reboot is required after disabling the agent.

Enabling the SentinelOne Agent#

text
sentinelctl.exe load -a -m

sentinelctl.exe protect

To uninstall a Windows Agent EXE package silently with CLI#

Run Command Prompt as as Administrator:

text
> cd "C:\Program Files\SentinelOne\Sentinel Agent <version>"
> uninstall.exe /uninstall /norestart /q /k "<passphrase>"

On success, there is no output. When uninstallation is done, the prompt shows. After a few seconds, the taskbar icon is removed.

If Tamper Protection is disabled, the passphrase is not required.

A reboot is required to fully complete the uninstallation process.

To uninstall a Windows Agent MSI package silently with CLI#

Run Command Prompt as as Administrator:

text
> cd "Full_Path_to_MSI_FILE"
> msiexec.exe /quiet /norestart /x Agent_version.msi UNINSTALL_KEY="passphrase"

On success, there is no output. When uninstallation is done, the prompt shows. After a few seconds, the taskbar icon is removed.

If Tamper Protection is disabled, the passphrase is not required.

A reboot is required to fully complete the uninstallation process.

MacOs#

To uninstall a local macOS Agent with CLI#

text
$ sudo sentinelctl unprotect --passphrase "passphrase"

===Sentinel protection has been disabled 

$ sudo sentinelctl uninstall --local

Linux#

Uninstall the Linux Agent with sentinelctl CLI#

Note: A reboot is not required. You can install the Agent again immediately after the uninstallation.

  1. Log in as root (sudo is not enough).
  2. Run the sentinelctl command with this syntax:
shell
sudo /opt/sentinelone/bin/sentinelctl control uninstall --passphrase "string" [--output] [--unquarantine]

If you use the –unquarantine flag, quarantined files are restored. If you do not use this flag, quarantined files are deleted.

Uninstall the Linux Agent using linux OS commands#

Only use these commands if using sentinelctl was not successful.

  1. Log in as root (sudo is not enough).
  2. Run the command appropriate for your operating system (copy and paste the entire single line command):

Debian systemd#

bash
cd ~ ; ps aux | grep 's1-\|sentinelone-watchdog' | awk '{print $2}' | xargs kill -9 2> /dev/null ; systemctl disable sentinelone.service ; rm -rf /usr/lib/systemd/system/sentinelone.service ; rm -rf /lib/systemd/system/sentinelone.service ; systemctl daemon-reload ; systemctl reset-failed ; umount -l /opt/sentinelone/mount ; umount -l /opt/sentinelone/cgroups/memory ; umount -l /opt/sentinelone/rpm_mount ; umount -l /opt/sentinelone/ebpfs/bpf_mount ; rm -rf /opt/sentinelone/ ; rm -rf /opt/sentinelone ; rm -rf /var/lib/dpkg/info/sentinelagent.* ; dpkg --purge --force-all sentinelagent 2> /dev/null ; echo "Almost Done..." ; sleep 5 ; userdel sentinelone ; groupdel sentinelone ; rm -rf /opt/sentinelone ; rm -rf /opt/sentinelone/ ; echo "SentinelOne Agent Successfully Uninstalled"

RHEL systemd#

shell
cd ~ ; ps aux | grep 's1-\|sentinelone-watchdog' | awk '{print $2}' | xargs kill -9 2> /dev/null ; systemctl disable sentinelone.service ; rm -rf /usr/lib/systemd/system/sentinelone.service ; rm -rf /lib/systemd/system/sentinelone.service ; systemctl daemon-reload ; systemctl reset-failed ; umount -l /opt/sentinelone/mount ; umount -l /opt/sentinelone/cgroups/memory ; umount -l /opt/sentinelone/rpm_mount ; umount -l /opt/sentinelone/ebpfs/bpf_mount ; rm -rf /opt/sentinelone/ ; rm -rf /opt/sentinelone ; rpm -ev --noscripts SentinelAgent 2> /dev/null ; echo "Almost Done..." ; sleep 5 ; userdel sentinelone ; groupdel sentinelone ; rm -rf /opt/sentinelone ; rm -rf /opt/sentinelone/ ; echo "SentinelOne Agent Successfully Uninstalled"

Non-systemd Debian#

bash
cd ~ ; ps aux | grep 's1-\|sentinelone-watchdog' | awk '{print $2}' | xargs kill -9 2> /dev/null ; chkconfig --del sentineld ; rm -f /etc/init.d/sentineld ; umount -l /opt/sentinelone/mount ; umount -l /opt/sentinelone/cgroups/memory ; umount -l /opt/sentinelone/rpm_mount ; umount -l /opt/sentinelone/ebpfs/bpf_mount ; rm -rf /opt/sentinelone/ ; rm -rf /opt/sentinelone ; rm -rf /var/lib/dpkg/info/sentinelagent.* ; dpkg --purge --force-all sentinelagent 2> /dev/null ; echo "Almost Done..." ; sleep 5 ; userdel sentinelone ; groupdel sentinelone ; rm -rf /opt/sentinelone ; rm -rf /opt/sentinelone/ ; echo "SentinelOne Agent Successfully Uninstalled"

Non-systemd RHEL#

bash
cd ~ ; ps aux | grep 's1-\|sentinelone-watchdog' | awk '{print $2}' | xargs kill -9 2> /dev/null ; chkconfig --del sentineld ; rm -f /etc/init.d/sentineld ; umount -l /opt/sentinelone/mount ; umount -l /opt/sentinelone/cgroups/memory ; umount -l /opt/sentinelone/rpm_mount ; umount -l /opt/sentinelone/ebpfs/bpf_mount ; rm -rf /opt/sentinelone/ ; rm -rf /opt/sentinelone ; rpm -ev --noscripts SentinelAgent 2> /dev/null ; echo "Almost Done..." ; sleep 5 ; userdel sentinelone ; groupdel sentinelone ; rm -rf /opt/sentinelone ; rm -rf /opt/sentinelone/ ; echo "SentinelOne Agent Successfully Uninstalled"