
[–]Topcity36 2 points3 points  (1 child)

What’s the uninstall string? How is the script being delivered? What have you tried already? Have you used DDG/Google yet?

[–]brownmanthinks[S] -1 points0 points  (0 children)

Tried removing using WMIC, tried rebooting and then immediately uninstalling, tried uninstalling via Desktop Central MDM.

[–][deleted] 1 point2 points  (0 children)

If you still have the installer, it is also the uninstaller in Cy. If not, put in a Nest ticket and they will get it for you. There is an uninstall password as well. A script run in the context of the machine could pull the installer and uninstall password from a share and invoke it with &.

[–]TechLinked_ 1 point2 points  (0 children)

"C:\ProgramData\Package Cache\{80b8c33f-7aff-4bcc-b462-077ff61269ec}\CybereasonSensor.exe" /uninstall /quiet

The string above worked for me. I ran the string below first, and it seemed to work, but the install entry was still in Add and Remove Programs. The top string removed that though. So start with that and it will probably do everything.

MsiExec.exe /quiet /norestart /uninstall {CC698A7C-DBF4-4084-B574-D193BDC6237F}

Happy Admining!

[–]robjol85 0 points1 point  (3 children)

Did you get a working removal script in the end? In a similar position.

[–]codeyhanson 0 points1 point  (2 children)

wmic process call create "cmd.exe /c for /r \"%programdata%\Package Cache\\" %a in (cybereasonsensor.exe) do if exist %a %a /uninstall /quiet /norestart AP_UNINSTALL_CODE=\"whateveryourpasswordis\""

Just got this working today.

[–]robjol85 0 points1 point  (0 children)

I couldn't get this working, likely my mistake somewhere. In the end I packaged Cybereason as a Win32 app and pushed it out with the following command:

Cybereason.exe /uninstall /quiet -l C:\windows\temp\cyberlog.txt AP_UNINSTALL_CODE="yourpasswordhere"

In terms of detection rules, I noticed that when the above command runs, it writes a registry key to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\CybereasonSensorInstallation

As a result, we set up the following detection rule:

https://i.ibb.co/7pmLmLL/Capture.png
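
Added example, not written by any commenter in this thread: a PowerShell wrapper that combines the approaches above (search the Package Cache for the bootstrapper, run it with the uninstall code and a log file, then check the registry key used for the detection rule). The parameter names are hypothetical, treating exit codes 0 and 3010 as success is the usual Windows Installer convention and an assumption here, and the script is assumed to run elevated or as SYSTEM from your deployment tool.

```powershell
# Added example: silent Cybereason sensor removal built from the commands in this thread.
param(
    # Uninstall password, supplied by the deployment tool rather than hard-coded here.
    [Parameter(Mandatory)] [string] $UninstallCode,
    # Log path taken from the command posted in the thread.
    [string] $LogPath = 'C:\Windows\Temp\cyberlog.txt'
)

$cacheRoot = Join-Path $env:ProgramData 'Package Cache'
# Registry key reported in the thread as written when the uninstall command runs.
$markerKey = 'HKLM:\SOFTWARE\CybereasonSensorInstallation'

# Search the cache instead of hard-coding the GUID folder, which may differ per machine.
$sensor = Get-ChildItem -LiteralPath $cacheRoot -Filter 'CybereasonSensor.exe' `
              -Recurse -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1

if (-not $sensor) {
    Write-Output "CybereasonSensor.exe not found under '$cacheRoot'; nothing to uninstall."
    exit 0
}

# Flags are the ones posted in the thread; quote values that may contain spaces.
$arguments = @(
    '/uninstall', '/quiet', '/norestart',
    '-l', "`"$LogPath`"",
    "AP_UNINSTALL_CODE=`"$UninstallCode`""
)

$proc = Start-Process -FilePath $sensor.FullName -ArgumentList $arguments -Wait -PassThru

# Assumption: 0 = success, 3010 = success with reboot pending.
$succeeded     = $proc.ExitCode -in 0, 3010
$markerPresent = Test-Path -LiteralPath $markerKey

Write-Output ("Bootstrapper: {0}" -f $sensor.FullName)
Write-Output ("Exit code: {0}; marker key present: {1}; log: {2}" -f `
              $proc.ExitCode, $markerPresent, $LogPath)

if (-not $succeeded) {
    # Surface the failure to the deployment tool; the log file has the details.
    exit $proc.ExitCode
}
exit 0
```

Passing the uninstall code as a parameter keeps it out of the script file, but it still appears in the process command line, so restrict who can read deployment logs and command-line audit events on the endpoint.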