Crowdstrike Uninstall Script

daniel_ross
Contributor III

So I've looked through various posts but haven't seen an exact way to do this yet. We've got Crowdstrike deploying properly but have two machines return the error below. We tried to re-install Crowdstrike, but I think it's a bad install, and we might need to remove it entirely and try again.

Script result: Error: This machine is already licensed

I tried to craft an uninstall to do it, but it's not working the way we had hoped. Hoping someone might know a quick fix or a best practice for silently uninstalling the sensor remotely.

16 REPLIES 16

jpuebs
New Contributor III

Hi @daniel_ross , if you try the uninstall commands manually do they work?

With Uninstall and maintenance protection disabled: 
sudo  /Applications/Falcon.app/Contents/Resources/falconctl uninstall
With Uninstall and maintenance protection enabled: 
sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token

Sorry for not replying to this sooner! Yes, it indeed works, and we now have no more barriers dealing with this as we also figured out ways to re-licenses the end point and other tricks thanks to the folks in MacAdmins Slack and Crowdstrikes legendary support team.

How did you relicense the endpoint?

jschlimmer
New Contributor III

This script takes into account that the falconctl binary moved from /Library/CS to /Applications/Falcon.app during the jump from 5.x to 6.x.

#!/usr/bin/env bash
# Joe Schlimmer
# Uninstall Crowdstrike Falcon sensor

ERROR=0

if [[ -f "/Applications/Falcon.app/Contents/Resources/falconctl" ]]; then
    echo "Falcon 6.x installed, removing"
    /Applications/Falcon.app/Contents/Resources/falconctl uninstall
elif [[ -f "/Library/CS/falconctl" ]]; then
    echo "Falcon 5.x installed, removing"
    /Library/CS/falconctl uninstall
else
    echo "Falcon sensor app not found"
    ERROR=1
fi

exit $ERROR

mm2270
Legendary Contributor III

Note that with the above script from @jschlimmer you might need to add in a place to drop a maintenance token, like what @jpuebs shows, if your org is like ours and the security team enabled "Sensor Uninstall Protection". Otherwise you won't get far as far as uninstalling it goes.

We had a weird issue where some older versions of CS stopped communicating with the CS servers and after a certain period of disconnectedness, the console removed the clients, so we can no longer get an uninstall maintenance token for those machines. In those cases I had to craft an uninstall script that could be run from Recovery mode, so the uninstall protection wasn't active and the CS files could be scoured from the machine, allowing a proper new version to be installed. Kind of a PITA, but it worked.

tseaines
New Contributor

Sorry yall I'm not very good at creating scripts and came across this as I need to remove the old sensor for a lot of machines. I just spoke with CS and the tech informed me of having to basically input the token after being prompted. Does anyone know if someone has created a script like this.?

tseaines
New Contributor

@mm2270 We are having the same issue it was sensor version 6.12 for us. I have a lot of machines to do and do it remotely. I am able to retrieve the token via jamf but to uninstall is a pain because of the prompt. So I am looking for a script to help with that.

jlombardo
Contributor

@mm2270 would you be able to share that script?

I am hoping to find a better solution to this. We had a handful of machines where the CS installed but never showed up in the server, so a maintenance token was never generated but the protection is turned on. Quite a dilemma. It's not that ideal to have to go into recovery, but it would be worth a test.

jlombardo
Contributor

To follow up on this, for my issue going into safe mode with no network and running the standard uninstall command allowed me to uninstall the program and reinstall it.

I still got the "This machine is already licensed" error, but it showed up in CS portal and that is all that mattered in my scenario.

Still hoping to find a better solution in the long term, but this can at least move the POC forward. Thank you @mm2270 for getting me in the right direction

tseaines
New Contributor

Here is the script we got from CS to allow you to be able to pull the token from machines that have fallen off of CS console. sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | grep agentID

Mithrandir
New Contributor III

I took as my baseline a Python script I found on Github, taking the commands I needed and making it into a shell script instead, as follows:

 

#!/bin/bash
 
/usr/bin/launchctl unload "/Applications/Falcon.app/Contents/Library/SystemExtensions/com.crowdstrike.falcon.Agent.systemextension",
/usr/bin/launchctl unload "/Library/LaunchAgents/com.crowdstrike.falcon.UserAgent.plist",
/usr/bin/killall -9 "/Applications/Falcon.app/Contents/Library/LaunchServices/Falcon Notifications.app/Contents/MacOS/Falcon Notifications",
/sbin/kextunload -b "/Applications/Falcon.app/Contents/Extensions/Agent.kext"
/bin/rm -r "/Applications/Falcon.app"
/bin/rm "/Library/LaunchAgents/com.crowdstrike.falcon.UserAgent.plist"
/usr/local/bin/jamf recon
## $4 = CID with Checksum
 
n=0
until [ $n -ge 5 ]
do
echo "Register attempt number: $n"
 
## $4 = CID with Checksum
/Applications/Falcon.app/Contents/Resources/falconctl --verbose license [your license key goes here] $4 && break # must end with '&& break' for success

n=$[$n+1]
sleep 15
done
 
In every case this has worked to remove existing version(s) and then to successfully install the updated version(s).

Mithrandir
New Contributor III

My script above only works with unprotected installations, e.g. ones not requiring a maintenance token.

AVmcclint
Honored Contributor

This is a problem that has long plagued me. I hate hate hate security programs that don't do us admins any favors by locking themselves down. I understand the need to protect the tools that protect the computers, but the extreme step of requiring a unique, one-time use only key to remove the software makes our lives a nightmare. Since there is no way to get InfoSec to issue maybe a universal token that applies to all computers, I have come up with a solution that works. It isn't perfect, but this is the best I could come up with. The biggest caveat is that there is no way around using the maintenance tokens, so you have to get your security team to provide you with the tokens and the computers they go with. Our computer names are based on serial numbers so I found it easier to use serial numbers. You probably could use your actual hostnames or whatever ID they are listed as in Crowdstrike, but you'll have to modify the script accordingly. In the list the serial numbers are appended with "TOKEN" and the tokens are associated with their respective computers. Then it's a matter of getting the script to run the uninstall command with the token that is specific to THAT computer.  I had to do some variable voodoo to get it to work. It may not be the most efficient way of doing it, but it works.  it is an imperfect solution to an imperfect situation.

 

#!/bin/bash

# The scenario when you would use this script is when Crowdstrike is installed and you
# need to uninstall it, but InfoSec has set a maintenance token on their end for the computer to make any changes at all.
# Unfortunately these tokens are unique to each and every computer. They are also unique to that
# specific installation which means the tokens are not reusable across reinstalls.
# If you need to do a mass uninstallation from a bunch of Macs, the first thing you need to do
# is to get the Maintenance Tokens from Infosec for each computer. Then add them below using the provided format.

# variable for computer serial number which is also our hostnames. Using the serial number is more reliable since that's the one thing the user can't change.
SERIAL=$( /usr/sbin/ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}')

# This is just to make absolutely sure we don't have an old version in place.
if [[ -f "/Library/CS/falconctl" ]]; then
echo "Falcon 5.x installed. Use a different method to uninstall" ; exit 
fi

# list of Crowdstrike uninstall tokens - these must be obtained from InfoSec. Use the serial number instead of the computername.
# Then append TOKEN to the end of the serial number.
# Format: SERIALNUMBERTOKEN="long-string-maintenance-token-code"
# example: C02ABC123DEFTOKEN="34UY5TI2U3Y4T5IU23T5IU23T5IUY23T"
C02DEF567DEFTOKEN="ab67997752f804a2896aa2333ddc10c3049f917"
C02ABC123ABCTOKEN="1234poiu1234opiu1234opiu1234oiu1234poiu"
C02XYZ098XYZTOKEN="zxcv0987zxcv0987zxcv987zxcv897zxcv987zx"
C02QRS456QRSTOKEN="c0c8153fe79c472f1d74f13ffc01a801473b4ad"
# ... and so on for all the computers you need to run this on.

SERIALTOKEN="${SERIAL}TOKEN"
export TEMP=${SERIAL}TOKEN 
echo ${!TEMP}

# this is just to make sure that the output and variables are what they should be and recorded in the policy log
echo "$SERIAL and $SERIALTOKEN and ${!TEMP}"

expect <<- DONE
spawn /Applications/Falcon.app/Contents/Resources/falconctl uninstall -t
expect "Falcon Maintenance Token:"
send -- "${!TEMP}"
send -- "\r"
expect eof
DONE

# Discovered during testing, it appears that the built-in uninstaller may not completely kill all the falcon processes
# even though it does delete all the files. This command is an attempt to make sure the falcon
# processes are in fact dead after the removal of all the files. If it is not killed,
# you may not be able to reinstall it.
killall -m 'falcon*'
killall -m 'Falcon*'

 

 

 

gachowski
Valued Contributor II

You can get the maintenance token from the API and CS can be configured to use the same key for every machine.

I would look at this 

https://github.com/franton/Crowdstrike-API-Scripts/blob/main/uninstall-csf.sh

 

and read this

https://richard-purves.com/2022/05/03/downloading-crowdstrike-via-api-for-fun-and-profit/

C

 

 

AVmcclint
Honored Contributor

If only InfoSec would let outsiders into their secretive systems. They only tell us what they deem we need - not one bit more than that. Sometimes even asking for the maintenance token for a single computer requires filling our requests in triplicate and submitting to a committee for review. That is good to know that it is POSSIBLE to get the info though.

See, for us, it's the complete opposite, and have full admin access with the understanding if we change something its documented and reviewed or we add it to our Endpoint Release changes meeting weekly we have. We partnered with our NetOps and InfoSec teams to get the access we need for support tickets, Tokens, etc. for any systems; etc. we are asked to help deploy so that we can jump in and act as a second or third set of hands for them. In some cases, we helped prevent issues they didn't see as they aren't always in the release notes or forums on macAdmins Slack or here.

I'd see about working with your management to get something, if even read-only access (can be done in CS from what I understand), so you can at least snag those tokens.