Skip to content

Instantly share code, notes, and snippets.

@Ambroos Ambroos/WARNING.md
Last active Oct 22, 2019

Embed
What would you like to do?
Remove SentinelOne agent from Mac. Because honestly, it doesn't seem to do anything at all. Run as root, best is to do this from a recovery mode, single user mode with writeable filesystem, ...

USE AT OWN RISK

This was only tested on a partial SentinelOne installation on the High Sierra beta, where SentinelOne was never allowed to enable it's kernel extension.

launchctl remove com.sentinelone.sentineld-helper
launchctl remove com.sentinelone.sentineld-updater
launchctl remove com.sentinelone.sentineld
launchctl remove com.sentinelone.sentineld-guard
killall SentinelAgent
rm -rf /Library/Extensions/Sentinel.kext
rm -rf /Library/Extensions/Sentinel.kext/Contents
rm -rf /Library/Extensions/Sentinel.kext/Contents/Info.plist
rm -rf /Library/Extensions/Sentinel.kext/Contents/MacOS
rm -rf /Library/Extensions/Sentinel.kext/Contents/MacOS/Sentinel
rm -rf /Library/Extensions/Sentinel.kext/Contents/Resources
rm -rf /Library/Extensions/Sentinel.kext/Contents/Resources/en.lproj
rm -rf /Library/Extensions/Sentinel.kext/Contents/Resources/en.lproj/InfoPlist.strings
rm -rf /Library/Extensions/Sentinel.kext/Contents/_CodeSignature
rm -rf /Library/Extensions/Sentinel.kext/Contents/_CodeSignature/CodeResources
rm -rf /Library/LaunchAgents/com.sentinelone.agent.plist
rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld-guard.plist
rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld-helper.plist
rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld-updater.plist
rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld.plist
rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentinelctl.plist
rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld-guard.plist
rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld-helper.plist
rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld-updater.plist
rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld.plist
rm -rf /Library/Sentinel
rm -rf /Library/Sentinel/sentinel-agent.bundle
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Resources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Sentinel
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/Resources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/Resources/Info.plist
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/Sentinel
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/_CodeSignature
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/_CodeSignature/CodeResources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/Current
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/sentinel.dylib
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Info.plist
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Info.plist
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/MacOS
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/MacOS/SentinelAgent
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/AppIcon.icns
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/Assets.car
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/Base.lproj
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/Base.lproj/MainMenu.nib
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/CellView.nib
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/DebugMenu.nib
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/MenuPopupView.nib
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/divider.tiff
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/en.lproj
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/en.lproj/InfoPlist.strings
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/en.lproj/Localizable.strings
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/greenBadge.tiff
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/logo.tiff
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/redBadge.tiff
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/_CodeSignature
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/_CodeSignature/CodeResources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sdiagnose
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentinelctl
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_guard
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_updater
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/COPYRIGHT
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/arbiter.db
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/arbiter.db.sig
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/signatures.db
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/signatures.db.sig
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/whitelist-ext.db
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/whitelist-ext.db.sig
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/common.sb
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/en.lproj
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/en.lproj/InfoPlist.strings
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/guard.sb
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/helper.sb
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/sentinel-labs.cer
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/sentineld.sb
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/sentinelone.cer
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/uninstall.sh
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/whitelist-ext.json
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeDirectory
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeRequirements
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeRequirements-1
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeResources
rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeSignature
rm -rf /private/etc/asl/com.sentinelone.sentinel
rm -rf /usr/local/share/man/man1/sentinelctl.1
killall SentinelAgent
pkgutil --forget com.sentinelone.pkg.sentinel-agent
@bvdlingen

This comment has been minimized.

Copy link

commented Dec 11, 2017

Thanks for sharing your script. Helped me to remove the client temporary because I am running a beta version of Os X

You mentioned that SentinelOne doesn't do anything at all on a Mac. Did you test with a malware sample? Or allowed it other malware to run on your Mac?

@erickmendonca

This comment has been minimized.

Copy link

commented Dec 13, 2017

It did not work for me at first, but I got it running on Recovery mode. Thanks.

@brianzhou13

This comment has been minimized.

Copy link

commented Mar 22, 2018

@markturansky

This comment has been minimized.

Copy link

commented Aug 23, 2018

This worked perfectly for me on High Sierra 10.13.6 in recovery mode (don't have permissions in regular mode)

@pulkitpivotal

This comment has been minimized.

Copy link

commented Sep 26, 2018

this solved my mojave upgrade.

@erickmendonca

This comment has been minimized.

Copy link

commented Sep 28, 2018

Hello @brianzhou13, here we go again.

@jbartolozzi

This comment has been minimized.

Copy link

commented Oct 9, 2018

This fixed my installation of Mojave as well.

@chris-robison

This comment has been minimized.

Copy link

commented Oct 17, 2018

@erickmendonca @jbartolozzi How did you do this? Copy paste in recovery mode? I'm having trouble with it and it's still not removing. The last part is saying something about no receipt.

@sacha

This comment has been minimized.

Copy link

commented Oct 18, 2018

@chris-robison After booting to recovery mode and opening a terminal, I did a chroot /Volumes/Macintosh\ HD - so the root as far as my shell can see is my regular startup disk (not the recovery disk). Then the script ran with no problem, and yes, it did fix my Mojave installation.

@mintlodica

This comment has been minimized.

Copy link

commented Oct 30, 2018

Thank you. This also saved my Mojave update.

For anyone looking for step-by-step:

  • Restart your machine to enter Recovery Mode. Press Cmd + R after the restart chime plays. You should see a progress bar.
  • Open Safari and navigate to this page. Copy the script.
  • Exist Safari and open Terminal.
  • Type chroot /Volumes/Macintosh\ HD into Terminal.
  • Paste script and hit enter.
@munchee13

This comment has been minimized.

Copy link

commented Oct 31, 2018

I ran it without recovery mode from the Terminal. Simply run: sudo su -
You will have to then enter your user password. This presumes you are logged in as an administrative user already, which is likely.

@mattmc3

This comment has been minimized.

Copy link

commented Jan 29, 2019

The other methods didn't quite work for me. I installed Mojave with SentinelOne and now needed to remove it because all the built-in Mac apps kept crashing. Thank goodness I had FireFox installed b/c Safari was DOA. The following removal procedure worked for me:

  • Make a fixit.sh script in my user folder and chmod 777 fixit.sh
  • Add this gist to fixit.sh
  • Prefix the root folder with "/Volumes/MacHD/" (ie: s|rm -rf /|rm -rf /Volumes/MacHD/|)
  • Remove/comment out the launchctl, killall, and pkgutil commands
  • Reboot to recovery mode (⌘-R)
  • Use Disk Utility to mount the drive
  • Open Terminal in recovery mode
  • Navigate to /Volumes/MacHD/Users/myusername
  • Run ./fixit.sh
  • shutdown -r now
  • Everything worked after the reboot
@odrotbohm

This comment has been minimized.

Copy link

commented Jul 10, 2019

The process described by @mattmc3 worked for me on Mojave as well.

@tapion3675

This comment has been minimized.

Copy link

commented Jul 30, 2019

@odrobohm may I ask how you got the script to run correctly? I am able to run it from terminal in recovery mode but I receive an error for two of the lines and then when I restart the machine SentinelOne is still installed. When i run it from terminal logged in to adminstrator it gives a permission denied error after every line is executed.

@anwarchk

This comment has been minimized.

Copy link

commented Oct 22, 2019

  • Prefix the root folder with "/Volumes/MacHD/"

@mattmc3 why do you need to do this step and what is the exact command to do it ? Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.