Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000033607 - How to uninstall/reinstall RSA ECAT agents remotely for Troubleshooting issues

Document created by RSA Customer Support

on Aug 2, 2016•Last modified by RSA Customer Support on Jan 19, 2021

Version 5Show Document

Like • Show 1 Like1
Comment • 0
View in full screen mode

Article Content

Article Number	000033607
Applies To	RSA Product Set: ECAT, NetWitness Endpoint RSA Version/Condition: 4.x Platform: Windows Server 2012 R2
Issue	Due to issues such as an unavailable agent, incorrect version information in the UI, or general troubleshooting problems, the ECAT agent may need to be removed from a target client. The challenge with this is that the agent machine may not allow for an RDP or other remote sessions to the device. In this scenario, it is useful to have a means to remotely run commands against the target machine to try and remove the ECAT agent from the machine remotely to avoid disruption to other users at the time.
Resolution	UNINSTALLING AGENTS REMOTELY To uninstall a single agent: Install psexec from the Microsoft Sysinternals tools. Run the following command. It is not necessary to use the -u or -p flags if the current user has administrative privileges on the target machine. It is more reliable generally to use an IP address for the connection to the remote machine than a hostname but either is possible. You will see an error code 0 if the update is successful. >psexec \\<insert_ip_address> -u <username> -p <password> cmd /c msiexec /q /x {63AC4523-5F19-42F0-BC43-97C8B5373589} cmd exited on 192.168.0.2 with error code 0. To uninstall multiple agents: >psexec @textfile.txt -u <username> -p <password> cmd /c msiexec /q /x {63AC4523-5F19-42F0-BC43-97C8B5373589} Note: You must create a text file in the current directory with a list of IP addresses which is passed into the list of agents. Be aware of the username requirements for updating multiple agents before running this command, as otherwise, it may fail to update some or all of the agents. INSTALLING AGENTS REMOTELY To install a single agent: 1. Ensure you have installed psexec and it is in the current directory (or else System32 folder) and place the ECAT agent installer package in the same directory (this avoids needing to specify an exact path to the package file when running the command). 2. Run the following command to upload the file in your current directory to the remote system: >psexec \\<insert_ip_address> -u <username> -p <password> -c <packagefile> To install multiple agents at once: >psexec @textfile.txt -u <username> -p <password> -c <packagefile> Note: You must create a text file in the current directory with a list of IP addresses which is passed into the list of agents. Be aware of the username requirements for updating multiple agents before running this command, as otherwise, it may fail to update some or all of the agents. It is useful to check and verify with the sc command the status of the agent service following the update: sc //IP_address query "service_name
Notes	Additional Information: The utility "psexec" was developed by Mark Russinovich of Sysinternals (now part of Microsoft). This KB article was prepared to demonstrate a specific use case with the RSA NW Endpoint product. More details on use of this tool can be found with below link. https://adamtheautomator.com/psexec-ultimate-guide/ This article should be updated once a similar method is available for Mac and Linux agents.

Attachments

Outcomes

0 Comments

Recommended Content