Can’t Uninstall SentinelOne EDR from SolarWinds RMM

I’ve been running a trial of SentinelOne EDR as integrated into SolarWinds (now N-central) RMM. It’s very easy to install—just set up a policy in the EDR dashboard, turn on EDR in the RMM’s Device dialog, and up it comes. However, I found the integrated UI to be awkward and the machine seemed slower overall, so I wanted to uninstall it. It turns out that is not possible.

If you turn off EDR in the RMM, it does not uninstall. If you manually uninstall it from the EDR dashboard, uninstall proceeds promptly, but after a reboot and some unknown timeframe, EDR re-installs even though it’s turned off for the device. It’s like a virus that keeps re-installing itself.

After uninstalling EDR and rebooting, before re-installing, RMM shows EDR as “Pending,” even though it is Off in the device’s settings:

A Known Issue

Support tells me that this is a known issue and that the developers are working on a fix, but none has been provided in the four days since I opened a ticket. Their only workaround is to uninstall the entire RMM agent.

 

A Workaround

The installer is here:

C:\ProgramData\SolarWinds MSP\Ecosystem Agent\Temp\SentinelInstaller_windows_v4_6_11_191.exe

Installation is logged here:

C:\ProgramData\SolarWinds MSP\Ecosystem Agent\log\Ecocutioner.log

I tried to set up Software Restriction Policies in Group Policy based on the path, hash, and even the SentinelOne certificate, but somehow the installer kept getting past that and re-installing the EDR.

However I noticed that this machine is the only one with the SolarWinds Ecosystem Agent installed:

Once I uninstalled the Ecosystem Agent as well as SentinelOne EDR, EDR stopped re-installing itself. It now shows as Active in the dashboard:

but the script check confirms that it is not installed:

Uninstall the Ecosystem Agent at your own risk! I have no idea what else it might be needed for. It looks like it might have been used for Patch Management on this machine some time ago (currently disabled). I did check another machine running Patch Management and it did not have the Ecosystem Agent.

Conclusion

It’s disappointing, but no longer surprising, that Solarwinds chooses to release programs without testing basic features like the ability to uninstall them. SentinelOne EDR seems like a good, comprehensive antivirus solution on its own, but the Solarwinds RMM integration feels rushed:  EDR features have been moved or removed and RMM dashboard integration, apart from a couple 24×7 checks, is limited to easy deployment that cannot be undone. They will eventually fix this bug, but if you want SentinelOne EDR, consider the non-integrated version until the integration is more mature.

Update March 15, 2021

One month after I opened a ticket on this, there is still no resolution. The Ecosystem Agent and SentinelOne EDR have not re-installed themselves, but the SentinelOne alerts are still failing and cannot be deleted.

Update March 19, 2021

Today at 3:52am, without any action or consent on my part, the SentinelOne agent re-installed itself on the machine on which EDR is deactivated. I see that the Ecosystem Agent was also re-installed. Support told me on March 15 that they are working on pushing a fix to the Ecosystem agent, but it is broken again for me.

Update April 15, 2021

On April 9, I received a generic notice that SolarWinds (now N-able) would be pushing an EDR update on April 13. Although the notice did not mention the blocked uninstall issue, I hoped that it would uninstall EDR on this device, since it had been set to Off for the past two months. It did not uninstall automatically, but after turning EDR On and back Off, it seems to have completed the uninstall.

It is beyond me how SolarWinds/N-able can release a product that cannot be uninstalled, then take two months to add an uninstall option. It’s difficult to trust a software vendor that has such poor testing and bug fix practices.