01-05-2025 09:35 AM
Hello,
Because of my previous work, I had to install Cortex XDR to work remotely from home and access the VPN.
Now that I'm no longer working for them, I would like to uninstall Cortex XDR from my laptop (MacBook Pro M2) but it is impossible. I tried to install the uninstaller but it is impossible; the installation doesn't ever finish.
Does someone know how to delete Cortex XDR?
Kind regards.
01-15-2025 03:13 AM
Hi @Rixals ,
It's probably not "Macintosh_HD" but rather "Macintosh HD" (with a space).
If the name was changed to something else then I don't know what it is and you can check it via Finder (Open Finder then use the menu Go > Computer).
Either way, if it contains a space then you'll need to use a backslash to prevent the shell command from interpreting that space.
Notice how the same happens for "Application Support". In the command it's written as "Application\ Support" with a backslash to prevent the space from being interpreted by the shell command (it's a shell script thing).
/Volumes/Macintosh\ HD/Library/Application\ Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings
Hope this helps,
Kim.
01-15-2025 09:27 AM
Hello @kiwi,
Thank you, I learned something thank you !
So I ran my MacBook in Safe Mode, without File Vault, and ran this command :
chmod +x /Volumes/Macintosh\ HD/Library/Application\ Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings
/Volumes/Macintosh\ HD/Library/Application\ Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings
And it said "This tool should run as sudo" whereas I tried with "sudo" and "su" in front of the command, I don't understand :
01-16-2025 12:08 AM
Hi @Rixals ,
If you want to run a command with root privileges you can prefix that command with 'sudo'. Then it will ask you for the password to the account you are logged in with (not the root account). Assuming that account is an administrator, of course.
Hope this helps,
-Kim.
01-16-2025 01:42 AM
Hi @Rixals ,
Yes, these are 2 separate commands.
The chmod +x command adds the execute (x) permission to the file. By doing that, you will allow the file to be executed as a program.
After that is the 2nd command where you will actually execute the file.
Try using sudo on both commands.
Hope this helps,
-Kim.
01-16-2025 12:33 PM
Hello @kiwi,
Okay thank you I didn't know !
So I entered these commands :
sudo chmod +x /Volumes/Macintosh\ HD/Library/Application\ Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings
sudo /Volumes/Macintosh\ HD/Library/Application\ Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings
And this appeared :
Failed to verify Recovery OS. Error: 8
This tool should run from Recovery OS
I executed the previous commands in Recovery OS but it said "command not found", I don't understand.
Kind regards,
Rixals
01-16-2025 01:10 PM
I booted my MacBook in Recovery OS, I used the terminal and entered first :
chmod +x /Volumes/Macintosh\ HD/Library/Application\ Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings
And then :
/Volumes/Macintosh\ HD/Library/Application\ Support/PaloAltoNetworks/Traps/download/content/reset_agent_settings
Because I couldn't use Enter to go to the line and this appeared : "Successfully reset agent settings"
I thought that it was finally finished but when I entered "Password1" in the uninstaller, it didn't work again ... Did I do something wrong ?
Kind regards,
Rixals
01-16-2025 11:45 PM
Hi @Rixals ,
Looks like you're getting closer !
Once you get confirmation that the agent settings were reset successfully, you'll need to reboot to normal mode and run the Cortex XDR Agent uninstaller tool again and specify the default password "Password1".
If it still doesn't take the default Password1, you can perform these extra steps to remove these agent persistence database files:
Open Terminal and enter the following commands:
1. Unload the Cortex Daemon:
sudo launchctl unload /Library/LaunchDaemons/com.paloaltonetworks.cortex.pmd.plist
2. Remove database files:
sudo rm -rf /Library/Application\ Support/PaloAltoNetworks/Traps/persist/agent_settings.db
sudo rm -rf /Library/Application\ Support/PaloAltoNetworks/Traps/persist/cloud_frontend.db
sudo rm -rf /Library/Application\ Support/PaloAltoNetworks/Traps/persist/content_settings.db
3. Load the Cortex Daemon:
sudo launchctl load /Library/LaunchDaemons/com.paloaltonetworks.cortex.pmd.plist
4. Run the Cortex Uninstaller Tool again with the default pwd:
sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cortex_xdr_uninstaller_tool Password1
5. Crossing fingers
Hope this helps !
Kim.
01-17-2025 01:30 PM
Hello @kiwi,
I launched the 4 commands in Safe Mode and finally the uninstaller began to work ! But I waited more than 2 hours and the uninstaller kept on going without finishing : « Starting uninstall of Cortex XDR agent » and nothing more ..
I tried to run the uninstaller directly and enter "Password1", it didn't work either, the Uninstaller froze.
Kind regards
01-22-2025 09:58 AM
Finally succeeded to reach my former employer and they uninstalled it from the console.
Thank you @kiwi for all your hard work, I'll remember your help !
Have a nice day all !
01-23-2025 01:08 AM
Hi @Rixals ,
That's great news !
Kind regards,
-Kim.