Proofpoint | ObserveIT On-Premises Insider Threat Management

Removing the Windows Agent

When an ObserveIT Windows Agent is uninstalled, the Agent folder is removed from the installation directory together with all its subfolders, including the FAM (File Activity Monitoring) folder. When File Activity Monitoring is enabled in a recording policy, the Agent Service creates an OBSFAM folder outside the Agent folder containing duplicate files from the FAM folder. This means that when the Agent is uninstalled, the OBSFAM folder containing all the File Activity Monitoring data is not removed with the Agent folder.
After you uninstall an Agent that was using File Activity Monitoring, the OBSFAM folder is removed only upon the next restart. If you reinstall the Agent, you do not need to restart your machine, unless you want to disable File Activity Monitoring and remove the OBSFAM folder.

You can remove ObserveIT Agents from monitored Windows servers by one of two methods:

  • Using the Control Panel > Programs and Features applet.

  • Using the ObserveIT.AgentUninstall.cmd script, which is included in the ObserveITAgent setup directory.

Removing or uninstalling Agents does not delete the data related to the Agents from the ObserveIT database. You will still be able to view recorded sessions from these servers.

To uninstall an ObserveIT Windows Agent using the Control Panel

  1. From the Control Panel, select Programs and Features.

  2. From the list of installed programs, select ObserveIT Agent and click Remove.

  3. Click Yes to confirm.

  4. If the Application Server was configured to require a security password on Agent uninstallation, you must provide the security password in the following dialog box. For further details, see Enabling Installation Security (in the Configuration Guide).

  5. Click Next to complete the uninstallation procedure.

To remove a Windows Agent using ObserveIT.AgentUninstall.cmd

  • Locate the ObserveIT.AgentUninstall.cmd script, which is included in the ObserveITAgent setup directory.

    In the removal script, use the .msi file you downloaded and used for the installation.

    Removal script example:

    msiexec /uninstall "%~dp0WinAgent64bit.msi" /quiet PWD="" /leo "%~dp0ObserveIT_setup.txt"

Note the following:

  • If the Application Server was configured to require a security password on Agent uninstallation, you must provide the security password in the dialog box that opens. For further details, see Enabling Installation Security (in the Configuration Guide).

  • The ObserveIT Agent will only terminate after you log off from all existing user sessions.

  • After successfully removing the Agent, the Agent's status in the Web Console will change to Uninstalled and Disabled. The removed server's data is still retained inside the database, and you can perform searches and view recorded sessions from these servers.
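
The following PowerShell wrapper is an added example, not part of the ObserveIT setup directory or the vendor's own script. It runs the same msiexec removal command shown above, interprets the standard Windows Installer exit code, and reports whether the OBSFAM folder is still waiting for a restart. The parameter names are hypothetical, and $ObsFamPath must be supplied by you because this page does not state where the OBSFAM folder is created.

```powershell
# Added example (not vendor code). Parameter names are hypothetical.
# $ObsFamPath: the page does not give the OBSFAM location; pass the path used
# in your environment, or leave it empty to skip the leftover-folder check.
param(
    [string]$MsiPath     = (Join-Path $PSScriptRoot 'WinAgent64bit.msi'),
    [string]$LogPath     = (Join-Path $PSScriptRoot 'ObserveIT_setup.txt'),
    [string]$UninstallPw = '',
    [string]$ObsFamPath  = ''
)

# The removal must use the same .msi that was used for the installation.
if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "MSI not found: $MsiPath"
}

# Same switches as the removal script on this page:
# silent uninstall, PWD property, errors written to the log file.
$msiArgs = @(
    '/uninstall', "`"$MsiPath`"",
    '/quiet',
    "PWD=`"$UninstallPw`"",
    '/leo', "`"$LogPath`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Standard Windows Installer exit codes.
$removed = $proc.ExitCode -in 0, 3010, 1641
$result = switch ($proc.ExitCode) {
    0       { 'uninstalled' }
    3010    { 'uninstalled, restart required' }
    1641    { 'uninstalled, restart initiated' }
    1605    { 'no installed product matches this MSI' }
    default { "failed with msiexec exit code $($proc.ExitCode), see $LogPath" }
}
Write-Output "Agent removal: $result"

if ($removed) {
    # Per this page, the Agent terminates only after all user sessions log off.
    Write-Output 'Log off all existing user sessions so the Agent can terminate.'

    # Per this page, OBSFAM is removed only on the next restart.
    if ($ObsFamPath -and (Test-Path -LiteralPath $ObsFamPath)) {
        Write-Output "OBSFAM folder still present at $ObsFamPath until the next restart."
    }
}
```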

Related Topic:

Downloading the Latest Version

version 7.12.2