Uninstall the Cortex XDR Agent for Linux - Administrator Guide - 8.3 - Cortex XDR - Cortex XDR Agent - Advanced Endpoint Protection - Cortex - Security Operations

Cortex XDR Agent Administrator Guide

Cortex XDR
Cortex XDR Agent
Creation date
Last date published
Administrator Guide

Learn how to uninstall the Cortex XDR agent from a Linux endpoint.

From the Cortex XDR management console you can uninstall the Cortex XDR agent on a Linux server (refer to Uninstall the Cortex XDR Agent in the Administrator’s Guide for your license version. You can also uninstall the agent directly on the server. Successfully uninstalling the Cortex XDR agent program effectively removes the agent from the server.

After you uninstall the agent, your server will no longer be protected by your organization’s security policies in Cortex XDR.

  1. Uninstall using package manager.

    1. Depending on your Linux distribution, uninstall the Cortex XDR agent using one of the following commands:

      • For RHEL, CentOS, or Oracle distributions, use the yum remove cortex-agent or rpm —e cortex—agent command.

      • For Ubuntu or Debian distributions, use the apt—get remove cortex—agent command.

      • For SuSE distributions, use the zypper rm cortex—agent or rpm —e cortex—agent command.

  2. Uninstall using a shell script.

    If you used the shell script to install the Cortex XDR agent, you can use the corresponding uninstall shell script to uninstall the agent. You cannot use the script to uninstall agents installed using other methods.

    1. On the Linux server, run the uninstall.sh script and confirm you want to uninstall the Cortex XDR agent.

      The uninstall.sh script is located in the /opt/traps/scripts directory. By default, the script removes all logs, keys, and other files related to the Cortex XDR agent. If you want to preserve the logs, run the uninstall script in light mode using the —l option.


      To use the uninstall script, you must run it from the default location in the scripts directory, and as root or with root permissions.

      								This operation will uninstall Cortex XDR agent, are you sure? [y/N]:
      								[1] Shutting down Cortex XDR services
      								[2] Waiting on active AppArmor policy updates
      								[3] Removing AppArmor policies
      								* cortex xdr
      								[4] Stopping Cortex XDR security services (systemd)
      								Removed symlink /etc/systemd/system/multi-user.target.wants/traps_trapsd.service.
      								Removed symlink /etc/systemd/system/multi-user.target.wants/traps_pmd.service.
      								Removed symlink /etc/systemd/system/multi-user.target.wants/traps_authorized.service.
      								[5] Removing Cortex XDR agent
    2. Confirm that the agent is no longer installed.

      From the Linux server you can verify the removal of the traps folder in /opt/. From Cortex XDR, you can also verify that the server was removed from the Endpoints page.