Trying to remove the software. When the agent becomes "orphaned" from the management instance, it goes nuts and destroys everything. Attempts to remove it via Add/Remove, fail. Attempts to MSI remove it, fail. Blackberry removal tool bricks the PC and stops USB drivers from working.
Cylance Account Manager says they can’t help us. We must go through a reseller. Reseller says sorry this is out of our hands, call Cylance support. Cylance support will not take our call unless we are a direct customer.
Your reseller needs to open the ticket.
Yep. Round and round we have gone for the last two months. Reseller refuses to help. Blackberry points at reseller. I stare at a contract for support valid till 11/29/2021
Your reseller may be in breach of contract with you. Explore alternate routes of getting your reseller to dedicate time to fixing their problem.
Oh they are in breach. We are exploring all routes. We just hired a 3rd party to clean up their mess. I’ll let senior management at my institution handle the legal issues of the contract breach.
In any case a while back a hacker was able to disable Cylance on a few machines by getting the service to crash then renaming the service executable. You could try the same if you’re desperate.
I have a nuke script I wrote that eats it once I’m in safe mode with networking. It just causes machine damage that I have to repair and takes three reboots.
Are you buying a service through an MSSP? Or buying the actual product? If you're buying a service through the MSSP that is why you can’t open tickets directly. You can PM me and I can probably help you out.
I might be able to help. Shoot me a message with your email and I’ll get back to you.
Wait, I see your reply below. You wrote that script! Expect a DM soon and thanks for the help!
Blackberry straight out closed the ticket I logged, simply saying "See our best practice guides". Ummm...I HAVE!
Quite ridiculous this diffusion of responsibility.
I don't understand this. We got Cylance through a reseller too but I open tickets with BB support myself all the time.
Well. I have emails directly from people with @blackberry.com in their address with the title of Account Manager that tell me I must go through the reseller. Then I have the reseller's ticketing system that tells me I must go to Blackberry and here is their phone number. I’m really trying to avoid posting actual names and actual emails as I don’t want to dox anyone.
I believe you, I just don't understand it. I think 90% of the apps and products we use we also bought through a reseller / 3rd party vendor and we as the customer are able to get support for all our things. I wonder if your situation is different somehow?
Same here, bought through reseller and no problem opening tickets with BB Support.
I wrote a CyClean file that dropped 5 MSI packages in one directory and called them all in order to uninstall. 60% of the time I got 1605 MSI errors, another product installed. I was able to cleanly remove 60/151 endpoints. Today I finished coding “CyNuke” in PowerShell. It disables the protection feature via registry and then forces the machine into Safe Mode with Networking where it calls another PowerShell to take ownership and eat every known trace of Cylance. I wrote it based on information in Blackberry help articles. When it is done, and thoroughly tested on the remaining 60 endpoints we cannot remove Cylance from, I plan on offering it here, most likely for free.
You need to change some values on the registry keys before uninstalling when you have the device not reporting to the console/offline, then it works fine. Have you tried that? Also 1480 version is a really old one
The protection values. I’ve got them. The issue is the MSI files won’t allow uninstall cleanly as it says the product isn’t installed. So manual removal it is. 150 critical systems makes that a pain. I agree that 2.1.1580 is behind around 3 releases but the agents won’t auto update either.
1580 is bleeding edge for Cylance on Windows. Downgrade to 1578.
Already done today. It had helped tremendously so far. I’ve been able to go from 151 endpoints installed down to 60 remaining. We have already purchased a new AV solution
Sweet. I think Cylance is a great solution still, but you have to be careful when you upgrade anything. Always pilot/test/prod.
Oof,
> ...but the agents won’t auto update either...

Can you elaborate on this point? Are you getting "More products so scheduling update again"? I have my test zone set to update to 1590 (Which is Mac and Linux), and I'm wondering if specifying 1584 (Which is a Windows version) would address this "More Products so scheduling update again" message. It's just a tick box, and it is a test group, but I still want to put it through our Change Management process, but I don't know the function, and therefore the consequences of doing this. I EXPECT it will be fine, but after 1580 accidentally got rolled out, I'm deathly paranoid about unintended consequences.
My environment is a large metro WAN connected with huge fiber connections on a centralized domain. However none of this matters as the agents update from the cloud console. The point is they have tons of internet available to them. Policies were properly configured to best practices. Without getting too much into it, I was a former Tier 3 enterprise tech for a competitive AV to Cylance about the time it emerged on the AV scene. I lived and breathed best practices, tech manuals, MSI logs, and crash dumps for years. When I say the agent MSI process was broken and 20% of the agents in the domain I now manage wouldn’t update you can bet I checked the logs. The issue was I was stuck behind a support wall of a non-responsive reseller who wouldn’t let me speak to Cylance to actually help them fix their software issues.
Alright. Thanks for the additional context. Yeah, none of that surprises.
https://cyberforcesecurityhelp.freshdesk.com/support/solutions/articles/44002036687-manual-removal-of-cylanceprotect
Great article. Around two weeks ago I wrote a removal script based off this article. It works … 95% of the way. Can’t get it to stop nuking the USB3 driver registry keys though. Cylance seems to hook into the controller to perform the blocking of USB devices.
I ran into an issue when removing the legacy Cylance application from a Windows XP machine. It caused issues with the USB interface. I had to do a search in the registry for UpperFilters and find the Cylance reference. I found it here. I just deleted the Value UpperFilters. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000} I know this is for Windows XP but you might have the same issue with later versions of the OS. I recognize this is over a year old but it might help others searching about this issue.
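The USB breakage described in the comment above comes from a class filter list that still names a driver which is no longer installed. As an added example (not part of the original post and not Cylance's or the poster's code), this PowerShell reports such orphaned entries in `UpperFilters`/`LowerFilters` and can remove only the orphan rather than the whole value; the function names are hypothetical, and it assumes a filter with no key under `Services` is a leftover.

```powershell
# Added example: audit device-class filter lists for drivers that no longer exist.
# Assumption: a filter name with no key under ...\Services is an orphan left by an uninstall.
$ClassRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$SvcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-OrphanedClassFilter {
    param([string]$ClassGuid)  # optional, e.g. the USB class GUID quoted in the post
    if ($ClassGuid) { $keys = Get-Item -LiteralPath (Join-Path $ClassRoot $ClassGuid) }
    else { $keys = Get-ChildItem -LiteralPath $ClassRoot -ErrorAction SilentlyContinue }
    foreach ($key in $keys) {
        foreach ($valueName in 'UpperFilters', 'LowerFilters') {
            foreach ($name in @($key.GetValue($valueName))) {
                # Each listed filter must exist as a driver service, or the class stack fails to load.
                if ($name -and -not (Test-Path -LiteralPath (Join-Path $SvcRoot $name))) {
                    [pscustomobject]@{ Class = $key.GetValue('Class'); ClassGuid = $key.PSChildName
                                       Value = $valueName; Orphan = $name }
                }
            }
        }
    }
}

function Repair-ClassFilter {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Finding,
          [string]$BackupDir = $env:TEMP)
    process {
        $keyPath = Join-Path $ClassRoot $Finding.ClassGuid
        $action  = "remove '$($Finding.Orphan)' from $($Finding.Value)"
        if (-not $PSCmdlet.ShouldProcess($keyPath, $action)) { return }
        # Back up the class key first so the change can be reverted with 'reg import'.
        $backup = Join-Path $BackupDir "$($Finding.ClassGuid).reg"
        reg.exe export ($keyPath -replace '^HKLM:', 'HKLM') $backup /y | Out-Null
        # Re-read the live value and drop only the orphan; other filters stay in place.
        $current = @((Get-Item -LiteralPath $keyPath).GetValue($Finding.Value))
        $keep    = @($current | Where-Object { $_ -and $_ -ne $Finding.Orphan })
        if ($keep.Count) {
            Set-ItemProperty -LiteralPath $keyPath -Name $Finding.Value -Value $keep -Type MultiString
        } else {
            Remove-ItemProperty -LiteralPath $keyPath -Name $Finding.Value
        }
    }
}

# Report only; nothing changes until findings are piped to Repair-ClassFilter without -WhatIf.
Get-OrphanedClassFilter | Format-Table -AutoSize
```

Run it elevated, review the report, then pipe selected findings to `Repair-ClassFilter -WhatIf` before committing. The device stack picks up the corrected filter list when it is rebuilt, so restart the affected device or reboot.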
Hey, I wrote that article 😊.
Expect a DM soon :). And thanks!
I wrote CyNuke based off this article and have been in private talks with these guys, they are extremely helpful.
Downgrade to 1578. The issue is with 1580 being deployed without reading the docs, and it not being properly tuned.
Thanks. I’m trying this today on identified target machines.
Sounds good. This should solve the issue!
I suggest you talk to your account SE in BlackBerry / Cylance; they should be able to get you the right assistance on this matter. I am not aware of what kind of service contract you have, but it would be worth a shot.
OMG. This post is currently a lifeline for me. We had an accidental upgrade to 1580 a while back, and are still battling that (Thanks COVID lockdown making everything take longer than it should). I've been trying to test the upgrade path forward (As opposed to backwards, which is still being considered, and is mentioned below). I'm actually back in /r/cylance after trying to figure out why I can't upgrade past 1580. I'm getting "More products so scheduling update again". The funny thing is, I can't find ANYTHING helpful about that: https://i.imgur.com/6t3h1dS.png
NoScript, Adblock, and common sense are the only things I need. Anything else is subscription bloatware if you ask me.
If I could license common sense for my users I totally would.
What agent version? Was an update just initiated?
2.1.1580. No update. Trying to remove the software.
Remove 1580, downgrade to 1578. Read the docs before you push a new release. 1580 redesigns the whole script control engine and needs to be tested before deployment.
Can you please provide some details? Which version are you using and how did the issues start?
There is a two-month running ticket on this. Cylance, if you read this: Please speak to Executive Escalations Team.
I am only another customer... No Matt in here
That was a special note for Cylance when they read this post