![]() ![]() Scope the policy to the Static Group you created (Falcon Uninstall via Maintenance Token)Ĥ.)Edit your script and insert the Maintenance Token from the Crowdstrike Console for a sensor you wish to uninstall.ĥ.) Add the expected host you're uninstalling to your static group. Add Maintenance Configure to the policy to force inventory update Send - "InsertTheMaintenanceTokenHere_BeSuretoleaveTheQuotationMarks"Ģ.) Create a static group called "Falcon Uninstall via Maintenance Token"Ģ.) Create a policy and apply the script to the policy Either way, it's a win in making the uninstall work cleanly without user interaction. Each Maintenance Token is unique for every host so it is a one by one process. Note that this is a slow process since it is not using a Bulk Maintenance Token. This worked for Falcon Sensors with maintenance and uninstall protection enabled. Going on what I found this reddit thread similar to your script. # processes are in fact dead after the removal of all the files. This command is an attempt to make sure the falcon ![]() # even though it does delete all the files. # Discovered during testing, it appears that the built-in uninstaller may not completely kill all the falcon processes Spawn /Applications/Falcon.app/Contents/Resources/falconctl uninstall -t SERIAL=$( /usr/sbin/ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/" Using the serial number is more reliable since that's the one thing the user can't change. # variable for computer serial number which is also our hostnames. Then add them below using the provided format. # is to get the Maintenance Tokens from Infosec for each computer. # If you need to do a mass uninstallation from a bunch of Macs, the first thing you need to do # specific installation which means the tokens are not reusable across reinstalls. # Unfortunately these tokens are unique to each and every computer. # need to uninstall it, but InfoSec has set a maintenance token on their end for the computer to make any changes at all. # The scenario when you would use this script is when Crowdstrike is installed and you it is an imperfect solution to an imperfect situation. It may not be the most efficient way of doing it, but it works. I had to do some variable voodoo to get it to work. ![]() Then it's a matter of getting the script to run the uninstall command with the token that is specific to THAT computer. In the list the serial numbers are appended with "TOKEN" and the tokens are associated with their respective computers. You probably could use your actual hostnames or whatever ID they are listed as in Crowdstrike, but you'll have to modify the script accordingly. Our computer names are based on serial numbers so I found it easier to use serial numbers. The biggest caveat is that there is no way around using the maintenance tokens, so you have to get your security team to provide you with the tokens and the computers they go with. It isn't perfect, but this is the best I could come up with. Since there is no way to get InfoSec to issue maybe a universal token that applies to all computers, I have come up with a solution that works. I understand the need to protect the tools that protect the computers, but the extreme step of requiring a unique, one-time use only key to remove the software makes our lives a nightmare. I hate hate hate security programs that don't do us admins any favors by locking themselves down. This is a problem that has long plagued me. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |