Uninstalling AIR responders
There are several ways to uninstall the AIR responder from assets, including using the AIR console or working on the asset itself.
It is important to understand that you should only remove the agent if you have no intention of revisiting the asset for further investigations. If you do need to do so, then a fresh agent deployment will be needed.
From the Assets button in the Main Menu it is possible to select one or multiple assets and then, via the Bulk Action Bar, choose to either 'Uninstall agent' or to 'Uninstall agent and purge console data'.
It is also possible to uninstall an agent from an individual asset's Asset Info page by selecting the option from the Asset Actions drop-down menu.
The 'Uninstall agent' option will remove the AIR application from any selected assets.
The 'Uninstall agent and purge console data' option will remove the AIR application from the selected assets and delete the data saved from those assets in the console. All associated Tasks (e.g., Timeline) will also be deleted from the console. Data saved to Remote Storage and data saved locally on the asset will remain intact. interACT or normal asset management tools can be used to remove this data.
Password Protection for AIR Responder Uninstallation
Agent uninstallation through the local OS UI is disabled.
Local users of assets can only uninstall the AIR Agent if they have access to the AIR-generated password.
The agent can only be uninstalled using shell commands with the protection password as an argument, locally or remotely (e.g., SCCM).
Uninstallation via the AIR UI or API remains possible without requiring a password.
AIR provides Tamper Detection for the AIR Agent - Your audit logs will record
Uninstalling on Windows assets
Graphical User Interface (GUI) Method
To gracefully uninstall the responder application from your Windows operating system, follow these steps:
Navigate to the Control Panel.
Access the "Add/Remove Programs" feature.
Locate and select the Binalyze AIR Agent application from the list.
Choose the option to uninstall.
Command Prompt Method
You can also uninstall the responder application from the command prompt using one of the following methods:
Using Product Code
To uninstall via the product code, execute the following steps:
Identify the product code of the responder using PowerShell:
Copy the identified product code.
Uninstall the Agent using msiexec:
Using Original MSI File
If you possess the original MSI file of the Agent, you can proceed as follows:
In either method, you can efficiently uninstall the Agent application from your system.
Uninstalling a Password-Protected responder
To uninstall a password-protected agent, you can specify your uninstall password with the property UNINSTALL_PASSWORD by using the command prompt with the following command:
msiexec /x "{84662419-2FEB-48D0-AFBF-C174D871A3CA}" UNINSTALL_PASSWORD="my-password"
Uninstallation File and Directory Cleanup Process
When uninstalling the Binalyze AIR Agent program from a computer, certain files and directories are methodically cleaned up to ensure no residual data remains. All of these files are deleted by the agent before the service is deleted.
Utils Directory: The utils binaries located in the agent's installation directory are removed. If the installation directory is C:\Program Files (x86)\Binalyze\AIR\agent, the folder can be found in:
C:\Program Files (x86)\Binalyze\AIR\agent\utils\
Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This can be found in one of the following paths.
C:\Users\[user]\AppData\Local\Temp\BinalyzeUploadTemp
C:\Windows\TEMP\BinalyzeUploadTemp
Update Temporary Directory: The directory used for temporary storage of update files is cleared. This directory can be found in one of the following paths.
C:\Users\[user]\AppData\Local\Temp\BinalyzeUpdateTemp
C:\Windows\TEMP\BinalyzeUpdateTemp
Update Task Download Directory: The directory used for downloading MSI binaries. If the Windows system directory is C:\, the path can be found as follows.
C:\BinalyzeUpdateTemp
Binalyze Temp Directories: If the temp location is C:\Windows\TEMP\, the paths can be found as follows.
C:\Windows\TEMP\Binalyze
C:\Windows\TEMP\BinalyzeTemp
On Windows systems, the program selects the first non-empty value from the environment variables %TMP%, %TEMP%, %USERPROFILE%, or the Windows directory for temporary storage.
Uninstalling on Linux assets
On Ubuntu and Debian
Open a terminal window.
To uninstall the binalyze-air-agent package, use the following command:
sudo apt remove binalyze-air-agent
This command will uninstall the package.
On CentOS, Fedora, Red Hat and similar distributions (using dnf)
Open a terminal window.
To uninstall the binalyze-air-agent package, run the following command:
sudo dnf remove binalyze-air-agent
This command will uninstall the package.
Uninstallation File and Directory Cleanup Process
When uninstalling the binalyze-air-agent program from a computer, certain files and directories are methodically cleaned up to ensure no residual data remains.
Drone Config File: The Drone config file is located in the agent's installation directory. If the installation directory is /opt/binalyze/air/agent, the file can be found in:
/opt/binalyze/air/agent/DRONE.Config.yml
Utils Directory: The utils binaries located in the agent's installation directory are removed before the uninstallation of the service. If the installation directory is /opt/binalyze/air/agent, the folder can be found in:
/opt/binalyze/air/agent/utils
Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This folder can be found as follows.
/var/lib/binalyze/BinalyzeUploadTemp
Update Temporary Directory: The directory used for temporary storage of update files is cleared. This folder can be found as follows.
/var/lib/binalyze/BinalyzeUpdateTemp
Update Task Download Directory: The directory used for downloading deb or rpm binaries. If the Linux temp directory is /tmp, the folder can be found as follows.
/tmp/BinalyzeUpdateTemp
Binalyze Temp Directories: If the temp location is /tmp, the folders can be found as follows.
/tmp/Binalyze
/tmp/BinalyzeTemp
Persistent Folder: The persistent folder can be found in:
/var/lib/binalyze
Config File: The config file is located in the agent's installation directory. After deleting the agent, the configuration file is deleted. If the installation directory is /opt/binalyze/air/agent, the file can be found in:
/opt/binalyze/air/agent/config.yml
On Linux systems, the temp location is $TMPDIR if non-empty, else /tmp.
Uninstalling on macOS assets
To initiate the uninstallation process for the Agent via the Terminal on macOS, execute the following command:
sudo /opt/binalyze/air/agent/air --uninstall
This command, executed within the Terminal, will seamlessly guide you through the removal of the Agent application from your macOS system.
Uninstalling a Password-Protected Agent
To uninstall a password-protected agent, you can specify your uninstall password with the environment variable AIR_UNINSTALL_PASSWORD by using the command prompt with the following command:
AIR_UNINSTALL_PASSWORD="my-password" sudo -E /opt/binalyze/air/agent/air --uninstall
Uninstallation File and Directory Cleanup Process
When uninstalling the com.binalyze.air-agent program from a computer, certain files and directories are methodically cleaned up to ensure no residual data remains. All of these files are deleted by the agent after the package info is deleted.
Utils Directory: The utils binaries located in the agent's installation directory are removed before the uninstallation of the service. If the installation directory is /opt/binalyze/air/agent, the folder can be found in:
/opt/binalyze/air/agent/utils
Binaries: If the installation directory is /opt/binalyze/air/agent, these files are located in:
/opt/binalyze/air/agent/air
/opt/binalyze/air/agent/tactical
/opt/binalyze/air/agent/drone
Config File: This file is located in the agent's installation directory. If the installation directory is /opt/binalyze/air/agent, the file can be found in:
/opt/binalyze/air/agent/config.yml
Drone Config File: This file is located in the agent's installation directory. If the installation directory is /opt/binalyze/air/agent, the file can be found in:
/opt/binalyze/air/agent/DRONE.Config.yml
Service File: This file can be found in:
/Library/LaunchDaemons/com.binalyze.air-agent.plist
Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This folder can be found as follows.
/var/lib/binalyze/BinalyzeUploadTemp
Update Temporary Directory: The directory used for temporary storage of update files is cleared. This folder can be found as follows.
/var/lib/binalyze/BinalyzeUpdateTemp
Update Task Download Directory: The directory used for downloading pkg binaries. If the Unix temp directory is /tmp, the folder can be found as follows.
/tmp/BinalyzeUpdateTemp
Binalyze Temp Directories: If the temp location is /tmp, the folders can be found as follows.
/tmp/Binalyze
/tmp/BinalyzeTemp
Persistent Folder: The persistent folder can be found in:
/var/lib/binalyze
On Unix systems, the temp location is $TMPDIR if non-empty, else /tmp.
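A post-uninstall check for the Linux and macOS cleanup lists above, added here as an example and not part of Binalyze's own tooling: it reports which of the listed paths still exist, resolving the temp location from $TMPDIR as described. The function name air_residual_paths and its optional root prefix argument (for checking a mounted image or a test tree) are assumptions of this example, and the default installation directory /opt/binalyze/air/agent is assumed.

```shell
#!/bin/sh
# Added example: list AIR agent paths from this page that survive an uninstall.
# air_residual_paths and the root prefix are hypothetical names for this check.

air_residual_paths() {
    os="$1"                  # "linux" or "macos"
    root="${2:-}"            # optional prefix; empty means the live system
    tmp="${TMPDIR:-/tmp}"    # temp location: $TMPDIR if non-empty, else /tmp
    tmp="${tmp%/}"           # drop a trailing slash so joined paths stay clean
    inst="/opt/binalyze/air/agent"   # default installation directory (assumed)

    # Paths common to the Linux and macOS cleanup lists.
    set -- \
        "$inst/utils" \
        "$inst/config.yml" \
        "$inst/DRONE.Config.yml" \
        "/var/lib/binalyze/BinalyzeUploadTemp" \
        "/var/lib/binalyze/BinalyzeUpdateTemp" \
        "/var/lib/binalyze" \
        "$tmp/BinalyzeUpdateTemp" \
        "$tmp/Binalyze" \
        "$tmp/BinalyzeTemp"

    # macOS additionally lists the agent binaries and the service file.
    if [ "$os" = "macos" ]; then
        set -- "$@" "$inst/air" "$inst/tactical" "$inst/drone" \
            "/Library/LaunchDaemons/com.binalyze.air-agent.plist"
    fi

    for p in "$@"; do
        # -e matches files and directories; -L also catches dangling symlinks.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Run against the live system; no output means nothing from the list remains.
air_residual_paths linux
```

Pass macos as the first argument on macOS assets; any path printed is a leftover to review before treating the asset as clean.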