Help

Script to remove Carbon Black Protection from active computer

woodsb
Contributor

Posted on ‎06-04-2018 06:33 AM

Hello,

Does anyone know of a script to remove Carbon Black Protection from an active Mac?
The only way I know to remove it currently involves booting to Recovery mode.

0 Kudos
Reply
4 REPLIES 4

steve_summers
Contributor III

Posted on ‎06-04-2018 08:01 AM

Hey @woodsb , when CarbonBlack gets installed, if you look in the Applications folder, there is another folder named CBSensor (I think). If you open it up, there is a CBSensorRemove.sh, or something very similar.

When we experienced Kernel Panics with CB installed machines, we were able to boot to safe mode, open terminal, then enter sudo <path to remove.sh file>, then press enter. It removed CB. Upon rebooting, the client was fine.

That should work.

0 Kudos
Reply

bmcintire2
New Contributor II

Posted on ‎06-04-2018 08:17 AM

There are uninstallers, but they fail often due to the tamper protect being broken. I threw this together to rip out the kexts, then you can kill the uninstaller. This is for CB and Bit9. Make sure you run kextcache so it doesn't boot to the cache which will still have the kexts even if removed. We had success with this - YMMV.

sudo kextunload /Library/Extensions/b9kernel.kext
sudo kextunload /Library/Extensions/CbOsxSensorNetmon.kext
sudo kextunload /Library/Extensions/CbOsxSensorProcmon.kext
sudo rm -rf /Library/Extensions/b9kernel.kext
sudo rm -rf /Library/Extensions/CbOsxSensorNetmon.kext
sudo rm -rf /Library/Extensions/CbOsxSensorProcmon.kext
sudo kextcache -u /
sudo kextcache -i /

(I know it all runs as root, sudo makes me sleep at night).

Good luck - this thing is a nightmare.

Reply

woodsb
Contributor

Posted on ‎07-18-2018 01:01 PM

@bmcintire2 I have a few dumb questions:

  1. Does this only work for macs with broken tamper protection?
  2. Do I have the delete the uninstaller or run it from the /Applications folder?
  3. I'm not that familiar with kextcache. Do I need to run this like "sudo kextcache", or can I just use what you have posted at the bottom of your post?
  4. Is this a script or a series of commands?

Thanks for pointing me in the right direction.

0 Kudos
Reply

swapple
Contributor III

Posted on ‎06-17-2019 12:57 PM

Where do the server settings get stored? I have ran the uninstall and reinstalled with a new installer but the old server settings come back.

0 Kudos
Reply