Can’t Uninstall SentinelOne EDR from SolarWinds RMM

I’ve been running a trial of SentinelOne EDR as integrated into SolarWinds (now N-central) RMM. It’s very easy to install—just set up a policy in the EDR dashboard, turn on EDR in the RMM’s Device dialog, and up it comes. However, I found the integrated UI to be awkward and the machine seemed slower overall, so I wanted to uninstall it. It turns out that is not possible.

If you turn off EDR in the RMM, it does not uninstall. If you manually uninstall it from the EDR dashboard, uninstall proceeds promptly, but after a reboot and some unknown timeframe, EDR re-installs even though it’s turned off for the device. It’s like a virus that keeps re-installing itself.

After uninstalling EDR and rebooting, before re-installing, RMM shows EDR as “Pending,” even though it is Off in the device’s settings:

[Screenshot: SolarWinds EDR 3]

A Known Issue

Support tells me that this is a known issue and that the developers are working on a fix, but none has been provided in the four days since I opened a ticket. Their only workaround is to uninstall the entire RMM agent.

A Workaround

The installer is here:

C:\ProgramData\SolarWinds MSP\Ecosystem Agent\Temp\SentinelInstaller_windows_v4_6_11_191.exe

Installation is logged here:

C:\ProgramData\SolarWinds MSP\Ecosystem Agent\log\Ecocutioner.log

I tried to set up Software Restriction Policies in Group Policy based on the path, hash, and even the SentinelOne certificate, but somehow the installer kept getting past that and re-installing the EDR.

However, I noticed that this machine is the only one with the SolarWinds Ecosystem Agent installed:

[Screenshot: SolarWinds EDR 4]

Once I uninstalled the Ecosystem Agent as well as SentinelOne EDR, EDR stopped re-installing itself. It now shows as Active in the dashboard:

[Screenshot: SolarWinds EDR 5]

but the script check confirms that it is not installed:

[Screenshot: SolarWinds EDR 6]

Uninstall the Ecosystem Agent at your own risk! I have no idea what else it might be needed for. It looks like it might have been used for Patch Management on this machine some time ago (currently disabled). I did check another machine running Patch Management and it did not have the Ecosystem Agent.
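
To see at a glance whether either component has come back on a machine, the following read-only PowerShell audit collects the artifacts named on this page. It is an added example, not the script check shown in the screenshots and not SolarWinds/N-able code. The file paths come from the post and from the comments below; the display-name patterns are assumptions to adjust against what Programs and Features shows.

```powershell
# Added example: read-only audit of the artifacts named on this page.
$EcoRoot  = 'C:\ProgramData\SolarWinds MSP\Ecosystem Agent'                  # path from the post
$AgentIni = 'C:\Program Files (x86)\Advanced Monitoring Agent\settings.ini'  # path from the comments
$Patterns = 'Ecosystem Agent', 'Sentinel'   # assumed DisplayName substrings; adjust as needed

function Get-InstalledMatch {
    # Search the 64-bit and 32-bit uninstall keys for matching display names.
    param([string[]]$Pattern)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $n = $_.DisplayName; $n -and ($Pattern | Where-Object { $n -like "*$_*" }) } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Get-StagedInstaller {
    # Installers staged in the Ecosystem Agent Temp folder (location given in the post).
    Get-ChildItem -Path (Join-Path $EcoRoot 'Temp') -Filter 'SentinelInstaller_*.exe' -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime
}

function Get-IniSection {
    # Minimal INI reader: returns the key/value pairs of one section, empty if the file is absent.
    param([string]$Path, [string]$Section)
    $values = [ordered]@{}; $inSection = $false
    if (-not (Test-Path -LiteralPath $Path)) { return $values }
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^\s*([^=;#]+?)\s*=\s*(.*)$') { $values[$Matches[1]] = $Matches[2].Trim() }
    }
    $values
}

Write-Host '--- Installed products matching the patterns ---'
Get-InstalledMatch -Pattern $Patterns | Format-Table -AutoSize | Out-String | Write-Host
Write-Host '--- Installers staged by the Ecosystem Agent ---'
Get-StagedInstaller | Format-Table -AutoSize | Out-String | Write-Host
Write-Host '--- [ECOSYSTEM] section of the RMM agent settings.ini ---'
Get-IniSection -Path $AgentIni -Section 'ECOSYSTEM' | Format-Table -AutoSize | Out-String | Write-Host
Write-Host '--- Last 20 lines of Ecocutioner.log ---'
$log = Join-Path $EcoRoot 'log\Ecocutioner.log'
if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log -Tail 20 } else { 'log not found' }
```

Run it from an elevated prompt before and after a reboot; a new installer timestamp or fresh log lines while EDR is set to Off indicates the re-install cycle described above.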

Conclusion

It’s disappointing, but no longer surprising, that SolarWinds chooses to release programs without testing basic features like the ability to uninstall them. SentinelOne EDR seems like a good, comprehensive antivirus solution on its own, but the SolarWinds RMM integration feels rushed: EDR features have been moved or removed and RMM dashboard integration, apart from a couple 24×7 checks, is limited to easy deployment that cannot be undone. They will eventually fix this bug, but if you want SentinelOne EDR, consider the non-integrated version until the integration is more mature.

Update March 15, 2021

One month after I opened a ticket on this, there is still no resolution. The Ecosystem Agent and SentinelOne EDR have not re-installed themselves, but the SentinelOne alerts are still failing and cannot be deleted.

Update March 19, 2021

Today at 3:52am, without any action or consent on my part, the SentinelOne agent re-installed itself on the machine on which EDR is deactivated. I see that the Ecosystem Agent was also re-installed. Support told me on March 15 that they are working on pushing a fix to the Ecosystem agent, but it is broken again for me.

Update April 15, 2021

On April 9, I received a generic notice that SolarWinds (now N-able) would be pushing an EDR update on April 13. Although the notice did not mention the blocked uninstall issue, I hoped that it would uninstall EDR on this device, since it had been set to Off for the past two months. It did not uninstall automatically, but after turning EDR On and back Off, it seems to have completed the uninstall.

It is beyond me how SolarWinds/N-able can release a product that cannot be uninstalled, then take two months to add an uninstall option. It’s difficult to trust a software vendor that has such poor testing and bug fix practices.

4 thoughts on “Can’t Uninstall SentinelOne EDR from SolarWinds RMM”

  1. Wiechert

    Hi Mark,

    Did it really work? I experience the same problem but with 800+ of our client computers. I did try to uninstall the Ecosystem agent as well as the SentinelOne but the Ecosystem agent gets reinstalled after a reboot and then the SentinelOne also. I now try to get the license disabled and hope this will work.

  2. Mark Berry Post author

    @Wiechert – Yes, still “working” here–Ecosystem and EDR did not re-install themselves. I wonder if you have other features enabled that cause the Ecosystem agent to re-install itself. I don’t know what those might be, maybe network discovery? I do still have failing EDR checks that cannot be deleted. I added an update to the main post above.

  3. Mark Berry Post author

    Today at 3:52am, without any action or consent on my part, the SentinelOne agent re-installed itself on the machine on which EDR is deactivated. I see that the Ecosystem Agent was also re-installed. Also updating the post above.

  4. Wiechert

    Hi Mark, I’ve spent hours figuring out how to prevent this reinstalling. The best solution was to uninstall the ecosystem agent and recreate the “SolarWinds MSP” folder in the PF x86 and disable inheritance and not placing any rights.
    In the “C:\Program Files (x86)\Advanced Monitoring Agent\settings.ini” you will find the [ECOSYSTEM] header and now you will see an INSTALL_ERROR_COUNT=..
    In the end reinstalling the RMM agent is the best solution if it’s only a couple of computers. Since we have around 1100 with failing checks we built a PowerShell script which creates a fake service and rewrites the script check so it passes. It works but is not the permanent solution for a failing integration from SolarWinds (N-able).
