RocketCyber agent uninstallation and tamper protection
This article explains how to uninstall the RocketCyber agent on supported operating systems and clarifies how RocketCyber and Microsoft Defender Tamper Protection affect agent management.
RocketCyber does not implement a proprietary anti‑tamper mechanism that prevents local administrators from stopping or uninstalling the agent. Instead, RocketCyber relies on operating‑system permission controls to prevent removal by non‑privileged users while allowing legitimate administrative actions.
Installation and uninstallation permissions
- Any user with local administrator rights can uninstall the RocketCyber agent.
- Standard (non-administrator) users cannot uninstall the agent.
- RocketCyber does not restrict uninstall actions performed by local administrators.
Agent uninstallation
Administrator privileges are required to uninstall the RocketCyber agent on all supported operating systems. Standard (non‑administrator) users cannot uninstall the agent.
Windows uninstall methods
PowerShell (Windows)
A PowerShell script is available to automate agent removal: rocketagent_uninstall.ps1
This method is suitable for scripted or RMM‑based uninstall scenarios.
Command line uninstall (Windows)
The RocketCyber Agent uninstaller is located at C:\Program Files\RocketAgent\uninstall.exe
- Running uninstall.exe without parameters launches the graphical installer and requires user interaction.
- To run a silent uninstall, use the /S parameter: C:\Program Files\RocketAgent\uninstall.exe /S
This method runs silently and can be executed through an RMM or automation tool.
macOS uninstall
The macOS uninstaller is located at /usr/local/rocketcyber/mac-agent-updater
To uninstall the agent, run sudo /usr/local/rocketcyber/mac-agent-updater UNINSTALL "" "" ""
- The command is case‑sensitive
- It must be entered exactly as shown
This method runs silently and supports automation.
Linux uninstall (recommended)
To uninstall using the Linux agent updater, run:
sudo /usr/local/rocketcyber/linux-agent-updater UNINSTALL "" "" ""
This removes:
- The agent from systemctl
- The agent installation directory at /usr/local/rocketcyber
Manual Linux uninstall
If required, the agent can be removed manually.
- Stop the agent:
sudo systemctl stop rocketcyber.service
- Verify the agent is stopped:
sudo systemctl status rocketcyber.service
Check the Active and Main PID values.
- Remove the agent service file:
sudo rm /etc/systemd/system/rocketcyber.service
- Reload system services:
sudo systemctl daemon-reload
- Remove agent files:
sudo rm -rf /usr/local/rocketcyber
Windows‑Specific Visibility and Permissions
On Windows systems:
- The RocketCyber agent appears in Control Panel > Programs and Features only for the administrator account that installed it.
Standard users:
- Cannot see the agent in Programs and Features
- Cannot uninstall the agent
The uninstaller executable:
- Is visible to all users
- Can only be executed successfully by users with local administrator privileges
If the agent is stopped or uninstalled, it stops checking in and visibility is lost until it is restarted or reinstalled.
Microsoft Defender Tamper Protection
Microsoft Defender Tamper Protection is a Windows OS feature that prevents certain Defender settings from being modified by third‑party tools, including RocketCyber’s Defender Manager.
Affected Defender Settings
When Tamper Protection is enabled, RocketCyber cannot disable the following settings (but may be able to enable them):
- Enable Windows Defender
- Real‑time Monitoring
- Behavioral Monitoring
- Scan all downloaded files and attachments
- Script scanning
Tamper Protection does not prevent uninstalling the RocketCyber agent.
For full details, refer to Microsoft documentation:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection
Scope and Limitations
These controls ensure:
- Standard users cannot uninstall or remove the RocketCyber agent
- Agent removal requires explicit local administrative access
- Accidental or casual end‑user removal is prevented
RocketCyber does not prevent a local administrator (legitimate or compromised) from stopping, disabling, or uninstalling the agent and does not claim hardened tamper resistance against privileged users.
IMPORTANT RocketCyber relies on administrative trust boundaries, not hardened anti‑tamper mechanisms, to protect agent integrity. Organizations concerned about hostile administrator scenarios should restrict local administrator access and monitor for agent removal or service stoppage events.
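One way to monitor for agent removal or service stoppage on Linux, shown as an added example that is not RocketCyber's own tooling. It checks the unit name and paths listed in the manual Linux uninstall steps; the ROOT argument, the SYSTEMCTL override, the RC_CHECK_RUN switch and the alert line format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: tamper check for the RocketCyber Linux agent.
# Unit name and paths are the ones the article's uninstall steps remove.
UNIT="rocketcyber.service"
UNIT_FILE="/etc/systemd/system/rocketcyber.service"
AGENT_DIR="/usr/local/rocketcyber"

# agent_findings [ROOT]
# Prints one finding per line; prints nothing when the agent looks intact.
# ROOT (assumption): optional path prefix, e.g. a mounted image or test tree.
# SYSTEMCTL (assumption): overrides the systemctl command, e.g. for testing.
agent_findings() {
    root="${1:-}"
    [ -f "${root}${UNIT_FILE}" ] || echo "unit_file_missing ${UNIT_FILE}"
    [ -d "${root}${AGENT_DIR}" ] || echo "agent_dir_missing ${AGENT_DIR}"
    # "systemctl is-active" prints the unit state and exits non-zero unless
    # that state is "active"; a missing systemctl leaves the state empty.
    state=$("${SYSTEMCTL:-systemctl}" is-active "$UNIT" 2>/dev/null) || true
    [ "$state" = "active" ] || echo "service_not_active ${state:-unknown}"
    return 0
}

# check_agent [ROOT]
# Returns 0 when intact; otherwise prints one alert line per finding, returns 1.
check_agent() {
    findings=$(agent_findings "${1:-}")
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings" | while IFS= read -r finding; do
        echo "ALERT host=$(uname -n) agent=rocketcyber finding=\"${finding}\""
    done
    return 1
}

# Scheduled use (RC_CHECK_RUN is a hypothetical switch for this example):
#   RC_CHECK_RUN=1 sh rc_agent_check.sh
if [ "${RC_CHECK_RUN:-0}" = "1" ]; then
    check_agent || logger -p daemon.warning -t rocketcyber-agent-check \
        "RocketCyber agent missing or stopped on $(uname -n)"
fi
```

Because a local administrator can remove this check as easily as the agent, forward its output to a central log collector and treat a host that stops reporting as a finding in its own right.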