This article presents instructions for removing CylancePROTECT from Windows in a worst-case scenario, including situations in which access to the console is no longer possible. The procedure works even if the policy was previously set to disallow service shutdown and an unknown uninstall password was set. Where automation is required for mass uninstall, the information here should be adapted and customized for the environment. The solution provided here is based on one originally provided by Cylance, which has been modified by Cyberforce.


Disclaimer:

Use at your own risk. This solution does not provide any guarantee.


Tested on:

Microsoft Windows 10 Enterprise

Agent 2.1.1560


Prerequisites:
Administrator account
https://download.sysinternals.com/files/PSTools.zip (optional)
CylanceCleanupTool-v0.1.0.5.zip


Steps:


1. Stop the Cylance Service


Option A (uses psexec for SYSTEM privileges)


i) Unzip pstools
ii) Open command prompt as administrator
iii) Navigate to the pstools directory
iv) Run this command (the space after "start=" is required by sc): psexec -accepteula -h -s sc config cylancesvc start= disabled

v) Reboot


Option B (without psexec)


i) Open regedit and right-click the HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop folder
ii) Select Permissions > Advanced > Owner
iii) Change the Current Owner from System to an Administrator
iv) Select "Replace owner on subcontainers and objects", click Apply, then click OK
v) In the Security tab, click on Administrators
vi) Enable Full Control for Administrators, click Apply, then click OK
vii) Delete the registry key called "LastStateRestorePoint"
viii) Add a DWORD (32-bit) value called "SelfProtectionLevel" and set the value to 1
ix) Reboot
x) You should now be able to stop the Cylance service: sc stop cylancesvc


2. Run CylanceCleanupTool


a) Unzip CylanceCleanupTool-v0.1.0.5.zip and change to the resulting directory

b) Right-click customized-CylanceCleanupTool.bat and run it as administrator. (Be sure to use the customized version.)

3. Check the following to verify the uninstall was successful:


  • CylancePROTECT should not show up under Programs and Features
  • CylancePROTECT should not show up on the taskbar
  • C:\Program Files\Cylance should no longer exist
  • C:\programdata\Cylance should no longer exist
  • C:\Windows\System32\drivers\CyProtectDrv64.sys should no longer exist
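
For mass uninstalls, the checks in step 3 can be scripted so each machine reports whether removal actually completed. The following PowerShell is an added example, not part of the Cylance or Cyberforce tooling; the function name Test-CylanceRemoved is hypothetical, and the service check assumes that a clean removal also unregisters the cylancesvc service from step 1.

```powershell
# Added example: checks the step 3 uninstall criteria on the local machine.
# Run from an elevated PowerShell prompt.
function Test-CylanceRemoved {
    [CmdletBinding()]
    param()

    # Paths listed in step 3 that must no longer exist.
    $paths = @(
        'C:\Program Files\Cylance',
        'C:\ProgramData\Cylance',
        'C:\Windows\System32\drivers\CyProtectDrv64.sys'
    )

    # Registry locations that back "Programs and Features" (64- and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $results = @(foreach ($p in $paths) {
        [pscustomobject]@{
            Check  = "Path absent: $p"
            Passed = -not (Test-Path -LiteralPath $p)
        }
    })

    # Any remaining uninstall entry whose display name mentions CylancePROTECT.
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*CylancePROTECT*' }
    $results += [pscustomobject]@{
        Check  = 'No CylancePROTECT entry in Programs and Features'
        Passed = -not $entries
    }

    # Assumption: a clean removal also deletes the cylancesvc service.
    $svc = Get-Service -Name 'cylancesvc' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Service cylancesvc not registered'
        Passed = $null -eq $svc
    }

    $results
}

$report = Test-CylanceRemoved
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) { exit 1 } else { exit 0 }
```

Save this as a .ps1 file rather than pasting it into a console; the exit code is nonzero when any check fails, so a deployment tool can collect it per machine. The taskbar icon check from step 3 is not covered and remains a manual check.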



Files Attached Here:

  • customized-CylanceCleanupTool-v0.1.0.5.zip - Contains the files shown below
    • CylanceCleanupTool.txt - Documentation from Cylance
    • customized-CylanceCleanupTool.bat - Custom version of CylanceCleanupTool.bat modified by Cyberforce which ultimately calls CyCleanupSvc.exe
    • CylanceCleanupTool.bat - Old version of script from Cylance
    • CyCleanupSvc.exe - Cylance's cleanup tool
    • CyCleanupSvc.exe.config - Dependency



References:

(These links require login credentials)

https://support.cylance.com/s/article/Modifying-the-Self-Protection-on-CylancePROTECT46

https://support.cylance.com/s/article/Unified-Driver-Cylance-Cleanup-Tool

https://support.cylance.com/s/article/ka0440000000rLx/Unable-to-Stop-or-Start-the-CylancePROTECT-service91

https://support.cylance.com/s/article/Identifying-the-proper-GUID-string-to-use-for-Windows-uninstalls