Removing the Aurora Focus agent from a macOS device
Verify that the Aurora Focus agent has been removed
Run the following command:
CODE
kextstat | grep -i cyoptic
For macOS Big Sur (11.x), run the following command as well:
CODE
systemextensionsctl list | grep -i cyopticsThe commands should return no output.
Confirm that the following paths and files are no longer present on the system:
- /Library/Application Support/Cylance/Optics
- /Library/Application Support/OpticsUninstall
- /Applications/Cylance/Optics
- /Library/LaunchDaemons/com.cylance.cyoptics_service.plist
- /Library/LaunchDaemons/com.cylance.optics.postuninstall.plist
- /Library/LaunchDaemons/com.cylance.cyopticsesfservice.plist
On a macOS Big Sur (11.x) device, after using an ssh session to silently uninstall the Aurora Focus agent, /Applications/Cylance/Optics/CyOpticsESFLoader.app remains and the system extension is still active
This issue occurs because Apple has no mechanism to silently uninstall system extensions without explicit confirmation by the end user.
To resolve, use the finder to locate CyOpticsESFLoader.app and drag it to the trashcan, then confirm the UI prompt to deactivate and remove the system extension.
If you get a permissions error when you drag the file to the trashcan, run the following command to temporarily disable Aurora Protect Desktop:
CODE
sudo launchctl unload /Library/LaunchDaemons/com.cylance.agent_service.plistAfter you run the command, you can drag the file to the trashcan and confirm the UI prompt. If you want Aurora Protect Desktop to remain active, restart the device.
Note: You must remove CyOpticsESFLoader.app in this way before removing the Aurora Protect Desktop agent from the device. If you remove the Aurora Protect Desktop agent before completing this task, /Applications/Cylance is removed from the device, including CyOpticsESFLoader.app, so you will not be able to manually delete it and deactivate the system extension.