topic Re: Scripted uninstall of AMP client in Endpoint Security

Scripted uninstall of AMP client

OwenBrearley2691 — Fri, 21 Feb 2020 05:08:59 GMT

I am trying to automate the removal of the AMP client using our remote management software. I have been testing on a single workstation using the local CLI and have been unable to get a silent uninstall to work correctly. I am finding no errors in the event logs and am not getting any feedback at the prompt.

I have tried:

"C:\Program Files\Cisco\AMP\6.2.3\uninstall.exe" /R /S /remove 1 /uninstallpassword password

"C:\Program Files\Cisco\AMP\6.2.3\sfc.exe" -X -K password

and many variants of the 2. If I use the uninstall.ext without the silent options the uninstall window does come up but obviously this will not work for removing the software on a large scale.

Thanks.

Re: Scripted uninstall of AMP client

Matthew Franks — Tue, 07 May 2019 19:44:02 GMT

The remote uninstall needs to be run against the installer, not the uninstall.exe or sfc.exe. For instance:

C:\Users\mafranks\Downloads\AMPSetup.exe /R /S /remove 1 /uninstallpassword Cisco123

/remove 1 will remove all associated files, while 0 will keep them for a later install. If you're on a version less than 5.1.13, use /S instead of /R /S.

Hope that helps!

Matt

Re: Scripted uninstall of AMP client

OwenBrearley2691 — Tue, 07 May 2019 20:07:14 GMT

Thanks Mathew! That worked. We inherited these installs so I am not entirely sure how they were initially deployed. I logged into the portal and pulled down the workstation installer. Will this also work for other groups such as the servers or do they need to use their own customer .exe for the uninstall?

Re: Scripted uninstall of AMP client

Matthew Franks — Tue, 07 May 2019 21:19:34 GMT

I just tested with an exe from a different group and policy. It uninstalled properly with no issues. If you have policies with different passwords or without a password, you'll need to use a different commands but the exe shouldn't cause any conflicts.

Thanks,

Matt

Re: Scripted uninstall of AMP client

AliceRenn10153 — Thu, 31 Oct 2019 16:36:13 GMT

If we do no have the password, will the

/uninstallpassword Cisco123 work?

Re: Scripted uninstall of AMP client

Matthew Franks — Thu, 31 Oct 2019 17:58:29 GMT

If you do not have the connector protection password, you'll need to boot into safe mode and uninstall the connector. Then, install with a new installer for the new version. This is possible since the service doesn't start in safe mode.

Re: Scripted uninstall of AMP client

dgcapel — Thu, 31 Oct 2019 18:07:09 GMT

Hi Alice,

if the product is protected by password, you need the password to uninstall. Example: /uninstallpassword <password>

If not, omit the previous command.

Re: Scripted uninstall of AMP client

AliceRenn10153 — Thu, 31 Oct 2019 18:43:02 GMT

What if we do NOT have the password? Is there a way to uninstall the application without it?

Re: Scripted uninstall of AMP client

dgcapel — Thu, 31 Oct 2019 18:55:27 GMT

It’s not possible. Sorry.

Re: Scripted uninstall of AMP client

Jim2k — Tue, 12 Nov 2019 17:26:51 GMT

If you have access to the console and you see the endpoint communicating back. then just make a copy of the current policy uncheck the box "Enable connector protection" create a new group apply the modified policy to the group. then just move the endpoint or endpoints to the group. they will get the new policy with no password as they check in

Re: Scripted uninstall of AMP client

Chekol Retta — Fri, 02 Oct 2020 19:05:05 GMT

Mathew

That is really helpful. I am able to uninstall and re-install amp remotely.

we have to reinstall AMP to lot of computers as TAC told us that reinstallation will change the GUID. Our problem is duplicated GUID The removal and installation are going well will all systems but some systems kept their GUID and TAC has no idea why. Do you know why some systems are not changing their GUID?

Re: Scripted uninstall of AMP client

Matthew Franks — Tue, 06 Oct 2020 10:44:01 GMT

When you uninstall AMP, there is a question asked whether you plan to install AMP in the future. If you select Yes, some information is saved in the registry such as the GUID for continuity in the console. I recommend selecting No if you have a duplicate GUID issue. You may also need to restart after the uninstall for this information to be flushed but I haven't tested that.

Thanks,
Matt

Re: Scripted uninstall of AMP client

Chekol Retta — Tue, 06 Oct 2020 15:51:06 GMT

Mathew

Thank you for your replay

Yes I always select the 'NO" option at the end of uninstallation

I have also been uninstalling AMP from the command line locally and remotely. C:\temp\AMPSetup.exe /R /S /remove 1

Both method helped me change the GUID for a lot of systems. But now some are not playing well and kept their original GUID.

Re: Scripted uninstall of AMP client

Matthew Franks — Tue, 06 Oct 2020 17:08:06 GMT

Have you checked for Identity Persistence on those policies? If it is enabled, it will keep the same GUID. If it is not enabled, try "C:\Program Files\Cisco\AMP\7.3.3\sfc.exe -reregister" to perform a new registration. Replace 7.3.3 with your current version if you're not on the latest.

Thanks,

Matt

Re: Scripted uninstall of AMP client

Ahmed-Madibbo — Mon, 06 Jun 2022 07:13:22 GMT

hello

if I forget the uninstallation password and I don't have access to the AMP management console, there is any possibility to remove it?

Re: Scripted uninstall of AMP client

jasonfrank2010 — Tue, 06 Dec 2022 19:52:40 GMT

Greetings,

We are trying to script this to remove from our Remote Macintosh Users. I have been unsuccessful in finding a thread to assist with this. I did find some manual uninstall instructions, but I am not leveled when it comes to scripting for Mac's.
Maybe someone else here in the community knows, or can point me in the right direction?

Kind regards,
Jason F.
"https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/216232-manual-uninstall-procedure-for-amp-for-e.html#anc6" is what I have found to date.

Re: Scripted uninstall of AMP client

dmiddlebrooks — Wed, 26 Apr 2023 17:53:24 GMT

Hello Matthew,

I am attempting to uninstall via intune, would the referenced above instructions also apply. I am currently using Amp.exe /R /S /remove 1 /uninstallpassword

Re: Scripted uninstall of AMP client

David Janulik — Thu, 27 Apr 2023 05:10:49 GMT

Do you mean that anybody with no access to the mgmt console want to uninstall password protected agent? Of course that is not possible.

Re: Scripted uninstall of AMP client

ADS_18 — Tue, 18 Jul 2023 02:06:06 GMT

Hello All,

I'm just wondering if Cisco will soon release a standalone\independent uninstall tool to uninstall Cisco AMP/SE from several PCs running different versions. Or will Cisco stick with this uninstall procedure using the installer of the same version that is currently running on the PC?

In other vendor, there is a standalone uninstall tool you can use to remove a couple of their endpoint security products and the tool expires every after 3 months.

Thanks.

Re: Scripted uninstall of AMP client

Gazza80 — Fri, 11 Aug 2023 05:37:26 GMT

Sorry to hijack this thread, but it is fairly relevant. I'm trying to perform the uninstall via command line (Amp.exe /R /S /remove 1 /uninstallpassword [password]) and it refuses to uninstall.
Running Amp.exe /R /remove 1 /uninstallpassword [password] brings up the uninstall window which then prompts for the password so i know the password is correct. Any ideas as to why this would not be uninstalling?