Uninstalling LevelBlue HIDS Agents

Applies to Product: USM Appliance™ LevelBlue OSSIM®

USM Appliance and LevelBlue OSSIM provide host intrusion detection services (HIDS) functionality using LevelBlue HIDS Services. The service is extended through HIDS agents installed on Linux or Windows hosts. USM Appliance simplifies the installation of these HIDS agents by providing an automatic deployment script for Windows Hosts. However, due to the nature of how remote install is executed on Windows systems, this functionality can't be extended to uninstalling the agents.

To uninstall an HIDS agent

  1. Login to the host and uninstall the program:

    • On Windows:

      1. Go to the Control Panel.
      2. Select Programs > Uninstall a program.
      3. Select the program named OSSEC HIDS 2.9.1 and click Uninstall.
    • On Linux:

      1. Run the following command

        /var/ossec/bin/ossec-control stop && rm -rf /var/ossec && rm /etc/init.d/*ossec* && rm /etc/ossec-init.conf

  2. In USM Appliance, go to Environment > Detection.
  3. Click the Agents tab to see a list of agents.
  4. Select the agent that you've uninstalled and click the trash can icon () to remove it from the list.
  5. After you've removed all the agents, click the HIDS Control tab, and then click Restart to restart the HIDS service.

If you wish to remove the HIDS agent from multiple hosts, you'll need to use a third-party tool or script to facilitate bulk removal. If your organization is using any group policy for administration, you may want to discuss using a Windows Management Instrumentation Command-line (WMIC) script governed by a group policy object (GPO). Please contact your Active Directory administrator or consultant for more information on how to use this Windows feature.

Agent removal for Linux hosts may also be managed by a number of package installation utilities. Please contact your Linux Administrator to determine if your organization is utilizing a package management solution that can facilitate bulk removal.