This was only tested on a 'partial' SentinelOne installation on the High Sierra beta, where SentinelOne was never allowed to enable it's kernel extension. (Some things failed while I was messing around with OS betas.)
A lot happens in 2+ years, at this point there's a good chance this script will do more harm than good. Read the comments before using!
| launchctl remove com.sentinelone.sentineld-helper | |
| launchctl remove com.sentinelone.sentineld-updater | |
| launchctl remove com.sentinelone.sentineld | |
| launchctl remove com.sentinelone.sentineld-guard | |
| killall SentinelAgent | |
| rm -rf /Library/Extensions/Sentinel.kext | |
| rm -rf /Library/Extensions/Sentinel.kext/Contents | |
| rm -rf /Library/Extensions/Sentinel.kext/Contents/Info.plist | |
| rm -rf /Library/Extensions/Sentinel.kext/Contents/MacOS | |
| rm -rf /Library/Extensions/Sentinel.kext/Contents/MacOS/Sentinel | |
| rm -rf /Library/Extensions/Sentinel.kext/Contents/Resources | |
| rm -rf /Library/Extensions/Sentinel.kext/Contents/Resources/en.lproj | |
| rm -rf /Library/Extensions/Sentinel.kext/Contents/Resources/en.lproj/InfoPlist.strings | |
| rm -rf /Library/Extensions/Sentinel.kext/Contents/_CodeSignature | |
| rm -rf /Library/Extensions/Sentinel.kext/Contents/_CodeSignature/CodeResources | |
| rm -rf /Library/LaunchAgents/com.sentinelone.agent.plist | |
| rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld-guard.plist | |
| rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld-helper.plist | |
| rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld-updater.plist | |
| rm -rf /Library/LaunchDaemons/com.sentinelone.sentineld.plist | |
| rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentinelctl.plist | |
| rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld-guard.plist | |
| rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld-helper.plist | |
| rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld-updater.plist | |
| rm -rf /Library/Preferences/Logging/Subsystems/com.sentinelone.sentineld.plist | |
| rm -rf /Library/Sentinel | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Resources | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Sentinel | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/Resources | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/Resources/Info.plist | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/Sentinel | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/_CodeSignature | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/A/_CodeSignature/CodeResources | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/Sentinel.framework/Versions/Current | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Frameworks/sentinel.dylib | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Info.plist | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Info.plist | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/MacOS | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/MacOS/SentinelAgent | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/AppIcon.icns | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/Assets.car | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/Base.lproj | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/Base.lproj/MainMenu.nib | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/CellView.nib | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/DebugMenu.nib | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/MenuPopupView.nib | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/divider.tiff | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/en.lproj | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/en.lproj/InfoPlist.strings | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/en.lproj/Localizable.strings | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/greenBadge.tiff | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/logo.tiff | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/Resources/redBadge.tiff | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/_CodeSignature | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app/Contents/_CodeSignature/CodeResources | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sdiagnose | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentinelctl | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_guard | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_updater | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/COPYRIGHT | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/arbiter.db | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/arbiter.db.sig | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/signatures.db | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/signatures.db.sig | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/whitelist-ext.db | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/assets/whitelist-ext.db.sig | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/common.sb | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/en.lproj | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/en.lproj/InfoPlist.strings | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/guard.sb | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/helper.sb | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/sentinel-labs.cer | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/sentineld.sb | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/sentinelone.cer | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/uninstall.sh | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/whitelist-ext.json | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeDirectory | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeRequirements | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeRequirements-1 | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeResources | |
| rm -rf /Library/Sentinel/sentinel-agent.bundle/Contents/_CodeSignature/CodeSignature | |
| rm -rf /private/etc/asl/com.sentinelone.sentinel | |
| rm -rf /usr/local/share/man/man1/sentinelctl.1 | |
| killall SentinelAgent | |
| pkgutil --forget com.sentinelone.pkg.sentinel-agent |
It did not work for me at first, but I got it running on Recovery mode. Thanks.
This worked perfectly for me on High Sierra 10.13.6 in recovery mode (don't have permissions in regular mode)
this solved my mojave upgrade.
Hello @brianzhou13, here we go again.
This fixed my installation of Mojave as well.
@erickmendonca @jbartolozzi How did you do this? Copy paste in recovery mode? I'm having trouble with it and it's still not removing. The last part is saying something about no receipt.
@chris-robison After booting to recovery mode and opening a terminal, I did a chroot /Volumes/Macintosh\ HD - so the root as far as my shell can see is my regular startup disk (not the recovery disk). Then the script ran with no problem, and yes, it did fix my Mojave installation.
Thank you. This also saved my Mojave update.
For anyone looking for step-by-step:
Cmd + R after the restart chime plays. You should see a progress bar.chroot /Volumes/Macintosh\ HD into Terminal.
I ran it without recovery mode from the Terminal. Simply run: sudo su -
You will have to then enter your user password. This presumes you are logged in as an administrative user already, which is likely.
The other methods didn't quite work for me. I installed Mojave with SentinelOne and now needed to remove it because all the built-in Mac apps kept crashing. Thank goodness I had FireFox installed b/c Safari was DOA. The following removal procedure worked for me:
fixit.sh script in my user folder and chmod 777 fixit.shs|rm -rf /|rm -rf /Volumes/MacHD/|)/Volumes/MacHD/Users/myusername./fixit.shshutdown -r now
The process described by @mattmc3 worked for me on Mojave as well.
@odrobohm may I ask how you got the script to run correctly? I am able to run it from terminal in recovery mode but I receive an error for two of the lines and then when I restart the machine SentinelOne is still installed. When i run it from terminal logged in to adminstrator it gives a permission denied error after every line is executed.
- Prefix the root folder with "/Volumes/MacHD/"
@mattmc3 why do you need to do this step and what is the exact command to do it ? Thank you.
There's now also a com.sentinelone.sentineld-shell that needs to be removed.
Lines 9-17 and lines 29-98 are not necessary as you're using the -r flag and removing the higher level folders before their contents.
@avenjamin I was angry and wanted to make sure macOS really understood me when I told it I wanted it to get rid of this stuff. (Joking aside, I just took an ls or some other file list and prefixed it with rm -rf.)
The bad news: this broke my Catalina install. The good news: SentinelOne is gone! Heed the warning if you're using Catalina. If you get the big no-no icon when you reboot, boot into recovery mode, reinstall macos over your existing installation, and you'll probably be good to go with no lost files. I backed up my system drive using diskutility in recovery mode just to be safe, but it turned out I didn't need it.
@Ambroos given you said you didn’t allow the kernel extension what were you expecting SentinelOne to do?
@jmcmahan615 what issues did you have with SentinelOne?
We’re trialling it at work and haven’t had any issues yet but curious to know your experiences.
Thanks
@avenjamin We were also trialing. No specific issues with the product, other than resource usage was higher than I would like. It seems to have a ton of features but I can't really peak to it's effectiveness since the only thing I was alerted to during the trial was a false positive. When our trial expired, the agent was still installed on my machine and the sales people were slow to assist so I took matters into my own hands.
@avenjamin At my previous job IT had it installed as part of their setup image, but the machine I used was never part of the domain/network. I created this gist at some point when High Sierra was just in beta and I needed to upgrade, and the SentinelOne kext gave me some issues (can't remember exactly what). I then just yeeted it from my system.
I haven't done anything with SentinelOne since then, and I barely know anything about it, so it's likely this script has lots of issues.
I've rm the directories while I was in Recovery Mode, but they are all back when I log into the system after reboot. Disgusting SentinelOne!
When I run your scipt, all commands say ~"Permission denied"
Thanks for sharing your script. Helped me to remove the client temporary because I am running a beta version of Os X
You mentioned that SentinelOne doesn't do anything at all on a Mac. Did you test with a malware sample? Or allowed it other malware to run on your Mac?