I have come across a situation, where I am unable to remove traps agent from a windows systems, Below are the findings from this situations.
1) This perticular windows endpoint is unlicensed now meaning there is no communication between this endpoint and traps ESM server.
2) We tried removing traps using traps cleaner tool but while running this tool it says "SPROT is enabled please enter password to disabled it"
3) When we enter the password it says incorrect password (we know pssword is correct"
4)When we try to remove traps through control panel , it asks for the password and hence not accpeting the password.
5) We tried to install traps by overrighting the current installation. but during the traps setup window, The ESM server name and port number comes already hardcoded means we cant change the things which are already there.
6) This unlicensed traps is blocking a perticular pdf on the system, so evenif i whielist that pdf , those changes will not take effect untill the communication is established.
I have opened a ticket with support people, but still if anyone has any clue , Please assist.
At the very begining: it is possbile to get rid of Traps agent without password. It needs to manual cleaning of registry (tricky part, you have to know what are you doing) and I wen thru this process with and without PANW's support.
Even if agent's services protects itself you can always boot windows in safe mode and use registry editor then just delete agent's files.
I have seen that in some cases, the Traps installation is not correct. In those cases, the cleaner does not work and the solution is to execute it in safe mode.
I have seen that if traps is stopped with the cytool, the you can execute the cleaner correctly. For those Endpoints that you can not access in safe mode because of different issues, you can try this.
Error: "Cleaner failed to disable SPROT or the current user is not privileged"
cd /d C:\Program Files\Palo Alto Networks\Traps\
cytool protect disable
Go to add or remove programs and select Cortex then click "Yes" on restarting and Cortex should be removed.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!