Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Remove SentinelOne agent from Mac. Because honestly, it doesn't seem to do anything at all. Run as root, best is to do this from a recovery mode, single user mode with writeable filesystem, ...

USE AT OWN RISK

This was only tested on a 'partial' SentinelOne installation on the High Sierra beta, where SentinelOne was never allowed to enable it's kernel extension. (Some things failed while I was messing around with OS betas.)

This script is most likely outdated.

A lot happens in 2+ years, at this point there's a good chance this script will do more harm than good. Read the comments before using!

launchctl remove com.sentinelone.sentineld-helper
launchctl remove com.sentinelone.sentineld-updater
launchctl remove com.sentinelone.sentineld
launchctl remove com.sentinelone.sentineld-guard
killall SentinelAgent
rm -rf /Library/Extensions/Sentinel.kext
rm -rf /Library/Extensions/Sentinel.kext/Contents
rm -rf /Library/Extensions/Sentinel.kext/Contents/Info.plist
rm -rf /Library/Extensions/Sentinel.kext/Contents/MacOS
rm -rf /Library/Extensions/Sentinel.kext/Contents/MacOS/Sentinel
rm -rf /Library/Extensions/Sentinel.kext/Contents/Resources
rm -rf /Library/Extensions/Sentinel.kext/Contents/Resources/en.lproj
rm -rf /Library/Extensions/Sentinel.kext/Contents/Resources/en.lproj/InfoPlist.strings
rm -rf /Library/Extensions/Sentinel.kext/Contents/_CodeSignature
rm -rf /Library/Extensions/Sentinel.kext/Contents/_CodeSignature/CodeResources
rm -rf /Library/LaunchAgents/com.sentinelone.agent.plist
rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld-guard.plist
rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld-helper.plist
rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld-updater.plist
rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld.plist
rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentinelctl.plist
rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld-guard.plist
rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld-helper.plist
rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld-updater.plist
rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld.plist
rm -rf /Library/Sentinel
rm -rf /Library/Sentinel/sentinel-agent.bundle
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Resources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Sentinel
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/Resources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/Resources/Info.plist
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/Sentinel
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/_CodeSignature
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/_CodeSignature/CodeResources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/Current
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/sentinel.dylib
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Info.plist
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Info.plist
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/MacOS
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/MacOS/SentinelAgent
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/AppIcon.icns
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/Assets.car
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/Base.lproj
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/Base.lproj/MainMenu.nib
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/CellView.nib
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/DebugMenu.nib
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/MenuPopupView.nib
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/divider.tiff
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/en.lproj
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/en.lproj/InfoPlist.strings
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/en.lproj/Localizable.strings
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/greenBadge.tiff
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/logo.tiff
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/redBadge.tiff
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/_CodeSignature
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/_CodeSignature/CodeResources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sdiagnose
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentinelctl
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_guard
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_updater
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/COPYRIGHT
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/arbiter.db
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/arbiter.db.sig
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/signatures.db
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/signatures.db.sig
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/whitelist-ext.db
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/whitelist-ext.db.sig
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/common.sb
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/en.lproj
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/en.lproj/InfoPlist.strings
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/guard.sb
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/helper.sb
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/sentinel-labs.cer
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/sentineld.sb
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/sentinelone.cer
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/uninstall.sh
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/whitelist-ext.json
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeDirectory
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeRequirements
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeRequirements-1
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeResources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeSignature
rm -rf /private/etc/asl/com.sentinelone.sentinel
rm -rf /usr/local/share/man/man1/sentinelctl.1
killall SentinelAgent
pkgutil --forget com.sentinelone.pkg.sentinel-agent
@bvdlingen

This comment has been minimized.

Copy link

@bvdlingen bvdlingen commented Dec 11, 2017

Thanks for sharing your script. Helped me to remove the client temporary because I am running a beta version of Os X

You mentioned that SentinelOne doesn't do anything at all on a Mac. Did you test with a malware sample? Or allowed it other malware to run on your Mac?

@erickmendonca

This comment has been minimized.

Copy link

@erickmendonca erickmendonca commented Dec 13, 2017

It did not work for me at first, but I got it running on Recovery mode. Thanks.

@brianzhou13

This comment has been minimized.

Copy link

@brianzhou13 brianzhou13 commented Mar 22, 2018

@markturansky

This comment has been minimized.

Copy link

@markturansky markturansky commented Aug 23, 2018

This worked perfectly for me on High Sierra 10.13.6 in recovery mode (don't have permissions in regular mode)

@pulkit-chandra

This comment has been minimized.

Copy link

@pulkit-chandra pulkit-chandra commented Sep 26, 2018

this solved my mojave upgrade.

@erickmendonca

This comment has been minimized.

Copy link

@erickmendonca erickmendonca commented Sep 28, 2018

Hello @brianzhou13, here we go again.

@jbartolozzi

This comment has been minimized.

Copy link

@jbartolozzi jbartolozzi commented Oct 9, 2018

This fixed my installation of Mojave as well.

@chris-robison

This comment has been minimized.

Copy link

@chris-robison chris-robison commented Oct 17, 2018

@erickmendonca @jbartolozzi How did you do this? Copy paste in recovery mode? I'm having trouble with it and it's still not removing. The last part is saying something about no receipt.

@sacha

This comment has been minimized.

Copy link

@sacha sacha commented Oct 18, 2018

@chris-robison After booting to recovery mode and opening a terminal, I did a chroot /Volumes/Macintosh\ HD - so the root as far as my shell can see is my regular startup disk (not the recovery disk). Then the script ran with no problem, and yes, it did fix my Mojave installation.

@mintlodica

This comment has been minimized.

Copy link

@mintlodica mintlodica commented Oct 30, 2018

Thank you. This also saved my Mojave update.

For anyone looking for step-by-step:

  • Restart your machine to enter Recovery Mode. Press Cmd + R after the restart chime plays. You should see a progress bar.
  • Open Safari and navigate to this page. Copy the script.
  • Exist Safari and open Terminal.
  • Type chroot /Volumes/Macintosh\ HD into Terminal.
  • Paste script and hit enter.
@munchee13

This comment has been minimized.

Copy link

@munchee13 munchee13 commented Oct 31, 2018

I ran it without recovery mode from the Terminal. Simply run: sudo su -
You will have to then enter your user password. This presumes you are logged in as an administrative user already, which is likely.

@mattmc3

This comment has been minimized.

Copy link

@mattmc3 mattmc3 commented Jan 29, 2019

The other methods didn't quite work for me. I installed Mojave with SentinelOne and now needed to remove it because all the built-in Mac apps kept crashing. Thank goodness I had FireFox installed b/c Safari was DOA. The following removal procedure worked for me:

  • Make a fixit.sh script in my user folder and chmod 777 fixit.sh
  • Add this gist to fixit.sh
  • Prefix the root folder with "/Volumes/MacHD/" (ie: s|rm -rf /|rm -rf /Volumes/MacHD/|)
  • Remove/comment out the launchctl, killall, and pkgutil commands
  • Reboot to recovery mode (⌘-R)
  • Use Disk Utility to mount the drive
  • Open Terminal in recovery mode
  • Navigate to /Volumes/MacHD/Users/myusername
  • Run ./fixit.sh
  • shutdown -r now
  • Everything worked after the reboot
@odrotbohm

This comment has been minimized.

Copy link

@odrotbohm odrotbohm commented Jul 10, 2019

The process described by @mattmc3 worked for me on Mojave as well.

@tapion3675

This comment has been minimized.

Copy link

@tapion3675 tapion3675 commented Jul 30, 2019

@odrobohm may I ask how you got the script to run correctly? I am able to run it from terminal in recovery mode but I receive an error for two of the lines and then when I restart the machine SentinelOne is still installed. When i run it from terminal logged in to adminstrator it gives a permission denied error after every line is executed.

@anwarchk

This comment has been minimized.

Copy link

@anwarchk anwarchk commented Oct 22, 2019

  • Prefix the root folder with "/Volumes/MacHD/"

@mattmc3 why do you need to do this step and what is the exact command to do it ? Thank you.

@bouk

This comment has been minimized.

Copy link

@bouk bouk commented Jul 8, 2020

There's now also a com.sentinelone.sentineld-shell that needs to be removed.

@avenjamin

This comment has been minimized.

Copy link

@avenjamin avenjamin commented Jul 23, 2020

Lines 9-17 and lines 29-98 are not necessary as you're using the -r flag and removing the higher level folders before their contents.

@Ambroos

This comment has been minimized.

Copy link
Owner Author

@Ambroos Ambroos commented Jul 23, 2020

@avenjamin I was angry and wanted to make sure macOS really understood me when I told it I wanted it to get rid of this stuff. (Joking aside, I just took an ls or some other file list and prefixed it with rm -rf.)

@jmcmahan615

This comment has been minimized.

Copy link

@jmcmahan615 jmcmahan615 commented Sep 17, 2020

The bad news: this broke my Catalina install. The good news: SentinelOne is gone! Heed the warning if you're using Catalina. If you get the big no-no icon when you reboot, boot into recovery mode, reinstall macos over your existing installation, and you'll probably be good to go with no lost files. I backed up my system drive using diskutility in recovery mode just to be safe, but it turned out I didn't need it.

@avenjamin

This comment has been minimized.

Copy link

@avenjamin avenjamin commented Sep 17, 2020

@Ambroos given you said you didn’t allow the kernel extension what were you expecting SentinelOne to do?

@jmcmahan615 what issues did you have with SentinelOne?

We’re trialling it at work and haven’t had any issues yet but curious to know your experiences.

Thanks

@jmcmahan615

This comment has been minimized.

Copy link

@jmcmahan615 jmcmahan615 commented Sep 18, 2020

@avenjamin We were also trialing. No specific issues with the product, other than resource usage was higher than I would like. It seems to have a ton of features but I can't really peak to it's effectiveness since the only thing I was alerted to during the trial was a false positive. When our trial expired, the agent was still installed on my machine and the sales people were slow to assist so I took matters into my own hands.

@Ambroos

This comment has been minimized.

Copy link
Owner Author

@Ambroos Ambroos commented Sep 18, 2020

@avenjamin At my previous job IT had it installed as part of their setup image, but the machine I used was never part of the domain/network. I created this gist at some point when High Sierra was just in beta and I needed to upgrade, and the SentinelOne kext gave me some issues (can't remember exactly what). I then just yeeted it from my system.

I haven't done anything with SentinelOne since then, and I barely know anything about it, so it's likely this script has lots of issues.

@arifmasood

This comment has been minimized.

Copy link

@arifmasood arifmasood commented Oct 13, 2020

Has anyone tried removing it on macOS catalina without any issues.

What are the privacy concerns of having this installed on mac. Does it give remote access to IT team.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.