Learn how to uninstall the Cortex XDR agent from a Linux endpoint.
From the Cortex XDR management console you can uninstall the Cortex XDR agent on a Linux server (refer to Uninstall the Cortex XDR Agent in the Administrator’s Guide for your license version. You can also uninstall the agent directly on the server. Successfully uninstalling the Cortex XDR agent program effectively removes the agent from the server.
After you uninstall the agent, your server will no longer be protected by your organization’s security policies in Cortex XDR.
Uninstall using package manager.
Depending on your Linux distribution, uninstall the Cortex XDR agent using one of the following commands:
For RHEL, CentOS, or Oracle distributions, use the
yum remove cortex-agent
orrpm —e cortex—agent
command.For Ubuntu or Debian distributions, use the
apt—get remove cortex—agent
command.For SuSE distributions, use the
zypper rm cortex—agent
orrpm —e cortex—agent
command.
Uninstall using a shell script.
If you used the shell script to install the Cortex XDR agent, you can use the corresponding uninstall shell script to uninstall the agent. You cannot use the script to uninstall agents installed using other methods.
On the Linux server, run the uninstall.sh script and confirm you want to uninstall the Cortex XDR agent.
The
uninstall.sh
script is located in the/opt/traps/scripts
directory. By default, the script removes all logs, keys, and other files related to the Cortex XDR agent. If you want to preserve the logs, run the uninstall script in light mode using the—l
option.Note
To use the uninstall script, you must run it from the default location in the scripts directory, and as root or with root permissions.
root@ubuntu:/$
/opt/traps/scripts/uninstall.sh
This operation will uninstall Cortex XDR agent, are you sure? [y/N]:y
[1] Shutting down Cortex XDR services Done [2] Waiting on active AppArmor policy updates Done [3] Removing AppArmor policies * cortex xdr Done [4] Stopping Cortex XDR security services (systemd) Removed symlink /etc/systemd/system/multi-user.target.wants/traps_trapsd.service. Removed symlink /etc/systemd/system/multi-user.target.wants/traps_pmd.service. Removed symlink /etc/systemd/system/multi-user.target.wants/traps_authorized.service. Done [5] Removing Cortex XDR agent DoneConfirm that the agent is no longer installed.
From the Linux server you can verify the removal of the traps folder in /opt/. From Cortex XDR, you can also verify that the server was removed from the Endpoints page.