Scripted uninstall of AMP client

I am trying to automate the removal of the AMP client using our remote management software. I have been testing on a single workstation using the local CLI and have been unable to get a silent uninstall to work correctly. I am finding no errors in the event logs and am not getting any feedback at the prompt.

 

I have tried:

"C:\Program Files\Cisco\AMP\6.2.3\uninstall.exe" /R /S /remove 1 /uninstallpassword password

 

"C:\Program Files\Cisco\AMP\6.2.3\sfc.exe" -X -K password

 

and many variants of the 2. If I use the uninstall.exe without the silent options, the uninstall window does come up, but obviously this will not work for removing the software on a large scale.

 

Thanks. 

 

Matthew Franks
Cisco Employee

The remote uninstall needs to be run against the installer, not the uninstall.exe or sfc.exe.  For instance:

C:\Users\mafranks\Downloads\AMPSetup.exe /R /S /remove 1 /uninstallpassword Cisco123

 

/remove 1 will remove all associated files, while 0 will keep them for a later install.  If you're on a version less than 5.1.13, use /S instead of /R /S.

 

Hope that helps!

 

Matt
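
A wrapper around the command in the answer above, as an added example that is not part of the original thread and not Cisco's own tooling. It builds the switch set the answer describes, waits for the installer, and then verifies the result, since the silent uninstall gives no feedback at the prompt. The parameter names, the timeout, and the use of a leftover sfc.exe under the install root as the "still installed" signal are assumptions.

```powershell
# Added example, not Cisco's code. Parameter names and the sfc.exe check are assumptions.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,   # AMPSetup.exe downloaded from the console
    [string]  $InstallRoot = 'C:\Program Files\Cisco\AMP',
    [version] $ConnectorVersion,                      # installed version, if known
    [ValidateSet(0, 1)] [int] $Remove = 1,            # 1 = remove all files, 0 = keep for a later install
    [securestring] $UninstallPassword,                # omit when the policy has no password
    [int] $TimeoutSeconds = 300
)

if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    throw "Installer not found: $InstallerPath"
}

# Versions below 5.1.13 take /S; later versions take /R /S (per the answer above).
$switches = if ($ConnectorVersion -and $ConnectorVersion -lt [version]'5.1.13') { @('/S') } else { @('/R', '/S') }
$argList  = $switches + @('/remove', "$Remove")

if ($UninstallPassword) {
    # The password is passed as a plain argument, so it is recorded wherever process
    # command-line auditing is enabled (Event ID 4688, Sysmon Event ID 1) on the endpoint.
    $plain    = [System.Net.NetworkCredential]::new('', $UninstallPassword).Password
    $argList += @('/uninstallpassword', $plain)
}

$proc = Start-Process -FilePath $InstallerPath -ArgumentList $argList -Wait -PassThru

# The silent uninstall prints nothing, so confirm the result: poll until no sfc.exe
# remains under the install root (assumption: its absence means the connector is gone).
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    $left = @(Get-ChildItem -Path $InstallRoot -Filter 'sfc.exe' -Recurse -ErrorAction SilentlyContinue)
    if ($left.Count -eq 0) { break }
    Start-Sleep -Seconds 5
} while ((Get-Date) -lt $deadline)

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    ExitCode      = $proc.ExitCode
    ConnectorGone = ($left.Count -eq 0)
    Remaining     = $left.FullName
}
if ($left.Count -gt 0) { exit 1 }
```

The exit code is reported as-is because the thread does not document the installer's return values; a password containing spaces would need explicit quoting in the argument list.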

Thanks Matthew! That worked. We inherited these installs so I am not entirely sure how they were initially deployed. I logged into the portal and pulled down the workstation installer. Will this also work for other groups such as the servers or do they need to use their own customer .exe for the uninstall?

I just tested with an exe from a different group and policy.  It uninstalled properly with no issues.  If you have policies with different passwords or without a password, you'll need to use different commands but the exe shouldn't cause any conflicts.

 

Thanks,

Matt

If you do not have the connector protection password, you'll need to boot into safe mode and uninstall the connector.  Then, install with a new installer for the new version.  This is possible since the service doesn't start in safe mode.

If we do not have the password, will the /uninstallpassword Cisco123 work?

Hi Alice,

If the product is protected by password, you need the password to uninstall. Example: /uninstallpassword <password>

If not, omit the previous command.

What if we do NOT have the password? Is there a way to uninstall the application without it?

It’s not possible. Sorry.

If you have access to the console and you see the endpoint communicating back, then just make a copy of the current policy, uncheck the box "Enable connector protection", create a new group, and apply the modified policy to the group. Then just move the endpoint or endpoints to the group. They will get the new policy with no password as they check in.

Matthew

That is really helpful. I am able to uninstall and re-install AMP remotely.

We have to reinstall AMP on a lot of computers as TAC told us that reinstallation will change the GUID. Our problem is duplicated GUIDs. The removal and installation are going well with all systems, but some systems kept their GUID and TAC has no idea why. Do you know why some systems are not changing their GUID?

When you uninstall AMP, there is a question asked whether you plan to install AMP in the future.  If you select Yes, some information is saved in the registry such as the GUID for continuity in the console.  I recommend selecting No if you have a duplicate GUID issue.  You may also need to restart after the uninstall for this information to be flushed but I haven't tested that.  

 

Thanks,
Matt

Matthew

Thank you for your reply.

Yes, I always select the "NO" option at the end of uninstallation.

I have also been uninstalling AMP from the command line locally and remotely. C:\temp\AMPSetup.exe /R /S /remove 1

Both methods helped me change the GUID for a lot of systems. But now some are not playing well and kept their original GUID.

Have you checked for Identity Persistence on those policies?  If it is enabled, it will keep the same GUID.  If it is not enabled, try "C:\Program Files\Cisco\AMP\7.3.3\sfc.exe -reregister" to perform a new registration.  Replace 7.3.3 with your current version if you're not on the latest.

 

Thanks,

Matt

Greetings, 

We are trying to script this to remove from our Remote Macintosh Users.  I have been unsuccessful in finding a thread to assist with this.  I did find some manual uninstall instructions, but I am not leveled when it comes to scripting for Macs.
Maybe someone else here in the community knows, or can point me in the right direction?

Kind regards,
Jason F.
"https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/216232-manual-uninstall-procedure-for-amp-for-e.html#anc6" is what I have found to date.
