FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
rduggal_FTNT
Staff
Article Id 361322
Description

This article describes how to remove a FortiEDR collector from an endpoint when the regular uninstall process fails.

Scope

Applies to both On-prem and Cloud FortiEDR deployments.
Solution

In rare cases, because of configuration corruption or a FortiEDR collector driver load failure, uninstalling the collector may fail, whether it is attempted from FortiEDR Manager or manually from the endpoint.

The following solutions can help remove the FortiEDR collector from the endpoint:

 

Solution 1:

 

  1. Open CMD as admin and run the command below:

"C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --clean

  2. Run the cleanup tool as an admin. Even if the service stop operation times out, reboot the endpoint.

  3. After the reboot, run the cleanup tool again as admin.

 

Solution 2:

  1. Boot the machine into Safe mode. This can be done by holding down SHIFT and then selecting 'Restart' from the Windows power option. It will then go into Startup Options - press F5 for Safe Mode with Networking. Alternatively, press F8 upon a reboot of the machine.
  2. Run the cleanup tool in Safe mode.

 

Solution 3:

  1. Boot the machine into Safe mode. This can be done by holding down SHIFT and then selecting 'Restart' from the Windows power option. It will then go into Startup Options - press F5 for Safe Mode with Networking. Alternatively, press F8 upon a reboot of the machine.
  2. Open a Command Prompt with elevated privileges and run the following service command:

sc config "FortiEDR Collector Service" start=disabled

 

(This should return a "SUCCESS" string of text).

 

  3. Reboot the machine normally.
  4. Then go into Programs and Features and uninstall FortiEDR.

Note: Contact Support to get the Cleanup Tool.
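
To confirm the result of any of the solutions above, a read-only check such as the following can be run from an elevated PowerShell prompt. It is an added example, not part of the original article or Fortinet tooling; the function name, the status labels, and the assumption that a clean removal leaves neither the service entry nor the install directory are this example's own.

```powershell
# Added example: read-only verification, changes nothing on the endpoint.
# Service name and install path are the ones used in this article.
$ServiceName = 'FortiEDR Collector Service'
$InstallDir  = 'C:\Program Files\Fortinet\FortiEDR'

function Get-CollectorRemovalState {   # hypothetical helper name
    param(
        [string]$Name = $ServiceName,
        [string]$Path = $InstallDir
    )

    # Match on service name or display name; either may carry this string.
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -eq $Name -or $_.DisplayName -eq $Name } |
        Select-Object -First 1

    $dirPresent = Test-Path -LiteralPath $Path

    # Status labels are this example's own convention.
    $status =
        if (-not $svc -and -not $dirPresent) { 'Removed' }
        elseif (-not $svc)                   { 'ServiceGone-FilesRemain' }
        elseif ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running') {
            'Disabled-ReadyToUninstall'      # expected after Solution 3, step 2
        }
        elseif ($svc.StartMode -eq 'Disabled') { 'Disabled-StillRunning-RebootNeeded' }
        else                                 { 'StillInstalled' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CheckedAt         = (Get-Date).ToString('s')
        ServiceRegistered = [bool]$svc
        StartMode         = if ($svc) { $svc.StartMode } else { $null }
        ServiceState      = if ($svc) { $svc.State } else { $null }
        InstallDirPresent = $dirPresent
        Status            = $status
    }
}

# Print the result, and keep a record for the change ticket.
$result = Get-CollectorRemovalState
$result | Format-List
$result | ConvertTo-Json | Out-File -FilePath "$env:TEMP\fortiedr-removal-check.json"
```

Because removing the collector leaves the endpoint without EDR coverage, attaching the saved JSON to the change record documents when the agent was removed and in what state it was left.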

 

If any problems are still encountered, open a new technical support ticket for further assistance (Support Fortinet).