Can’t Uninstall SentinelOne EDR from SolarWinds RMM

I’ve been running a trial of SentinelOne EDR as integrated into SolarWinds (now N-central) RMM. It’s very easy to install—just set up a policy in the EDR dashboard, turn on EDR in the RMM’s Device dialog, and up it comes. However, I found the integrated UI to be awkward and the machine seemed slower overall, so I wanted to uninstall it. It turns out that is not possible.

If you turn off EDR in the RMM, it does not uninstall. If you manually uninstall it from the EDR dashboard, uninstall proceeds promptly, but after a reboot and some unknown timeframe, EDR re-installs even though it’s turned off for the device. It’s like a virus that keeps re-installing itself.

[Screenshot: SolarWinds EDR 1]

[Screenshot: SolarWinds EDR 2]

After uninstalling EDR and rebooting, before re-installing, RMM shows EDR as “Pending,” even though it is Off in the device’s settings:

[Screenshot: SolarWinds EDR 3]

A Known Issue

Support tells me that this is a known issue and that the developers are working on a fix, but none has been provided in the four days since I opened a ticket. Their only workaround is to uninstall the entire RMM agent.

A Workaround

The installer is here:

C:\ProgramData\SolarWinds MSP\Ecosystem Agent\Temp\SentinelInstaller_windows_v4_6_11_191.exe

Installation is logged here:

C:\ProgramData\SolarWinds MSP\Ecosystem Agent\log\Ecocutioner.log

I tried to set up Software Restriction Policies in Group Policy based on the path, hash, and even the SentinelOne certificate, but somehow the installer kept getting past that and re-installing the EDR.

However, I noticed that this machine is the only one with the SolarWinds Ecosystem Agent installed:

[Screenshot: SolarWinds EDR 4]

Once I uninstalled the Ecosystem Agent as well as SentinelOne EDR, EDR stopped re-installing itself. It now shows as Active in the dashboard:

[Screenshot: SolarWinds EDR 5]

but the script check confirms that it is not installed:

[Screenshot: SolarWinds EDR 6]

Uninstall the Ecosystem Agent at your own risk! I have no idea what else it might be needed for. It looks like it might have been used for Patch Management on this machine some time ago (currently disabled). I did check another machine running Patch Management and it did not have the Ecosystem Agent.
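
To check a machine's state before and after this workaround, here is a read-only PowerShell report, added as an example; it is not the RMM's script check and not SolarWinds code. The folder and log paths are the ones given above; the SentinelInstaller_*.exe wildcard and the DisplayName patterns are assumptions.

```powershell
# Added example: read-only report of the pieces the workaround depends on.
$ecoRoot = 'C:\ProgramData\SolarWinds MSP\Ecosystem Agent'   # path from the post

# Installer staged by the Ecosystem Agent. The post names one file
# (SentinelInstaller_windows_v4_6_11_191.exe); the wildcard is an assumption
# so that other versions are listed too.
$staged = @(Get-ChildItem -Path (Join-Path $ecoRoot 'Temp') `
    -Filter 'SentinelInstaller_*.exe' -ErrorAction SilentlyContinue)

# Installation log named in the post. Only its timestamp is read,
# because the post does not show the log's format.
$log = Get-Item -LiteralPath (Join-Path $ecoRoot 'log\Ecocutioner.log') `
    -ErrorAction SilentlyContinue

# Installed-program entries from the standard Windows uninstall keys
# (64-bit and 32-bit views). The DisplayName patterns are assumptions;
# adjust them to what Programs and Features shows on your machines.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Ecosystem Agent|Sentinel' } |
    Select-Object DisplayName, DisplayVersion)

# The post saw re-installs only while the Ecosystem Agent was installed,
# so flag the combination of that agent plus a staged installer.
$agentPresent = [bool]($installed.DisplayName -match 'Ecosystem Agent')

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    EcosystemDirExists   = Test-Path -LiteralPath $ecoRoot
    StagedInstallers     = ($staged | ForEach-Object {
        '{0} ({1:yyyy-MM-dd HH:mm})' -f $_.Name, $_.LastWriteTime }) -join '; '
    InstallLogLastWrite  = if ($log) { $log.LastWriteTime } else { $null }
    InstalledEntries     = ($installed | ForEach-Object {
        '{0} {1}' -f $_.DisplayName, $_.DisplayVersion }) -join '; '
    AgentAndInstallerSet = ($agentPresent -and $staged.Count -gt 0)
} | Format-List
```

A change in InstallLogLastWrite between two runs shows that the log was written to in the meantime, which is the window to look at in Ecocutioner.log.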

Conclusion

It’s disappointing, but no longer surprising, that SolarWinds chooses to release programs without testing basic features like the ability to uninstall them. SentinelOne EDR seems like a good, comprehensive antivirus solution on its own, but the SolarWinds RMM integration feels rushed: EDR features have been moved or removed and RMM dashboard integration, apart from a couple 24×7 checks, is limited to easy deployment that cannot be undone. They will eventually fix this bug, but if you want SentinelOne EDR, consider the non-integrated version until the integration is more mature.
