Administration Guide

Uninstalling FortiEDR Collectors

You can uninstall a FortiEDR Collector using the following methods:

  • From the Central Manager INVENTORY > Collectors page

    This method is recommended for Windows, Linux, and macOS 10.11 to 10.15.

    For macOS 11 or later, due to a macOS design limitation, this method does not remove the FortiEDR Collector system extension, which can only be uninstalled using an MDM solution.

  • Through the operating system’s application management (for example, Add or Remove Programs on Windows)
  • Using dedicated FortiEDR scripts

The following section describes how to uninstall a FortiEDR Collector with Fortinet scripts.

Windows

Uninstall the Collector by running either of the following commands as administrator. Replace REGPWD with the registration password used for the installation, which is available in Component Authentication.

  • msiexec.exe /x GUID /qn UPWD=REGPWD RMCONFIG=1 /l*vx log.txt

    Replace GUID with the FortiEDR uninstallation product key, which can be found by following the steps below:

    1. Select Start >> Run.
    2. Type regedit to open the Registry Editor window.
    3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\.
    4. Expand the Uninstall subkeys in the left-hand pane and search for "FortiEDR" to locate the subkey for FortiEDR.
    5. Open the FortiEDR subkey and copy the UninstallString value in the right pane, for example, {01C88AE6-6782-4798-81C6-954E0D14FCF5}.
    6. Close the Registry Editor window.
  • msiexec /x FortiEDRCollectorInstaller_X.msi /qn UPWD=REGPWD RMCONFIG=1

    You must run this command from the same directory as the msi installer. Alternatively, replace the msi filename with the full path to the msi file, such as C:\Users\Allen\Desktop\FortiEDRCollectorInstaller64_4.1.0.491.msi, which allows you to run the command from anywhere.
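
The registry lookup in steps 1 to 6 above can also be done from an elevated PowerShell prompt. The following is an added example, not a Fortinet script; the function name Get-FortiEdrProductCode and matching on the DisplayName value are assumptions made for illustration.

```powershell
# Added example, not a Fortinet script. Run from an elevated PowerShell prompt.
# Assumption: the FortiEDR entry is identified by "FortiEDR" in its DisplayName.
$UninstallRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$GuidPattern   = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

function Get-FortiEdrProductCode {
    param([string]$Root = $UninstallRoot)

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction Stop) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props.DisplayName -notlike '*FortiEDR*') { continue }

        # The GUID may be the subkey name or embedded in UninstallString; check both.
        $haystack = '{0} {1}' -f $key.PSChildName, $props.UninstallString
        if ($haystack -match $GuidPattern) {
            [pscustomobject]@{
                DisplayName = $props.DisplayName
                Version     = $props.DisplayVersion
                ProductCode = $Matches[0]
            }
        }
    }
}

$entries = @(Get-FortiEdrProductCode)
switch ($entries.Count) {
    0 { Write-Warning 'No FortiEDR entry found under the Uninstall key.' }
    1 {
        $entries[0] | Format-List
        # REGPWD is left as a placeholder so the password never lands in a script file.
        "msiexec.exe /x $($entries[0].ProductCode) /qn UPWD=REGPWD RMCONFIG=1 /l*vx log.txt"
    }
    default {
        Write-Warning 'More than one FortiEDR entry found; pick the GUID manually:'
        $entries | Format-Table -AutoSize
    }
}
```

The script only reads the registry and prints the command line; it does not run msiexec.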

macOS

To uninstall the Collector on macOS with versions prior to Big Sur (11), such as Catalina or Mojave:

    sudo /Library/FortiEDR/fortiedr_uninstaller.sh 'REGISTRATION PASSWORD'

Note: It is good practice to use REGISTRATION PASSWORD wrapped with single quotes so that it is interpreted correctly by the shell. For example,

    sudo /Library/FortiEDR/fortiedr_uninstaller.sh '!EPdzv30break'

To uninstall the Collector on macOS with Big Sur (version 11) or above:

    /Applications/FortiEDR.app/fortiedr_uninstaller.sh 'REGISTRATION PASSWORD'

Linux

Uninstalling a Linux Collector removes all configuration files. You must reconfigure all settings after installing a new Linux Collector.

If you are uninstalling a non-customized Linux Collector installer and would like to retain the configuration for later use, Fortinet recommends that you upgrade the Linux Collector instead of uninstalling the current Collector and re-installing a new one. However, you cannot perform an upgrade on a custom Linux Collector.

To uninstall a Collector on Linux:
  1. Check the status of the Collector using the following command:
    /opt/FortiEDRCollector/control.sh --status

    The Collector should be stopped before running the uninstall command.

  2. If the status is not stopped, stop the Collector using the following command:
    /opt/FortiEDRCollector/control.sh --stop <registration password>

    For example:

    /opt/FortiEDRCollector/control.sh --stop 12345678

  3. Uninstall the Collector using the following command:
    • CentOS, RHEL, Oracle, AMI, SLES:
      yum remove <package name>

      OR

      rpm -qa | grep fortiedr | xargs rpm -e
    • Ubuntu:
      sudo dpkg --purge fortiedrcollectorinstaller
