Installation script cylance

msiexec /i CylanceProtect_x64.msi /qn PIDKEY=<INSTALLATION TOKEN> /L*v C:\temp\install.log

 

 

Agent Install

Without the Install Token

sudo installer -pkg CylancePROTECT.pkg -target /

With the Install Token

echo YOURINSTALLTOKEN >cyagent_install_token

sudo installer -pkg CylancePROTECT.pkg -target /
(Troubleshooting) With the Install Token and Verbose Installer Logging

echo YOURINSTALLTOKEN >cyagent_install_token

sudo installer -verboseR -dumplog -pkg CylancePROTECT.pkg -target /

 

NOTES:

  • Replace¬†YOURINSTALLTOKEN¬†in the echo line with the Installation Token on the Applications tab of the console.
  • The echo command outputs a cyagent_install_token file, which is a text file with one installation option per line. This file must be in the same folder as the installation package, CylancePROTECT.pkg.
  • For macOS Catalina - when installing the CylancePROTECT Agent using Terminal, a DYLD warning might display. This warning does not impact the installation. This warning is generated by the operating system, not by the CylancePROTECT installer.

With Optional Installation Parameters

echo YOURINSTALLTOKEN > cyagent_install_token
echo SelfProtectionLevel=# >> cyagent_install_token
echo VenueZone="zone_name" >> cyagent_install_token
echo LogLevel=# >> cyagent_install_token
sudo installer -pkg CylancePROTECT.pkg -target /

NOTE:

  • The cyagent_install_token file must be in the same folder as the installation package.
  • In the example above, replace¬†YOURINSTALLTOKEN¬†with your Installation Token from your Cylance console. For more information on how to find and use the Installation Token, please see:¬†Installation Tokens.
  • In the example above, replace¬†zone_name¬†with the name of the Zone that the device should be added to. Leading and trailing spaces will impact which zone the device is added to as spaces are valid characters in the current zone naming convention. So there is a difference between "ZoneA", " ZoneA" and "ZoneA ". Validate that there are no leading or trailing spaces when entering the zone name if they are not meant to be there. For more information on Zones, please see:¬†Zones.
  • In the example above, replace¬†#¬†with the desired value for SelfProtectionLevel and LogLevel. For more information, please see the definitions below.

1. YOURINSTALLTOKEN: Installation token available from the console

2. NoCylanceUI: (optional) Hidden Agent UI (default is Visible UI)

3. SelfProtectionLevel: Protection level for debugging purposes

  • 1: disables self-protection
  • 2: enables self-protection; prevents modification of Cylance files while the service is active

4. VenueZone: Name of the zone you want to add the device to at agent registration. Only one zone name entry allowed.

5. LogLevel: agent logging level

  • 0: Error
  • 1: Warning
  • 2: Information (default)
  • 3: Verbose
6. ProxyServer: Adds proxy server to device's registry and will appear in Agent log files.
  • ProxyServer=<ip_address>:<port_number>
  • Example: ProxyServer=123.45.67.89:1234
  • Requires Agent 1470 or higher

Agent Update

sudo /Applications/Cylance/CylanceUI.app/Contents/MacOS/CylanceUI --update

Agent Uninstall

Without Password

sudo /Applications/Cylance/Uninstall\ CylancePROTECT.app/Contents/MacOS/Uninstall\ CylancePROTECT

With Password

sudo /Applications/Cylance/Uninstall\ CylancePROTECT.app/Contents/MacOS/Uninstall\ CylancePROTECT --password=thisismypassword

With Forgotten Password

1. Stop the service

sudo launchctl unload /Library/LaunchDaemons/com.cylance.agent_service.plist

2. Delete the values.xml file

sudo rm /Library/Application\ Support/Cylance/Desktop/registry/LocalMachine/Software/Cylance/Desktop/values.xml

3. Re-run uninstaller

Silent Uninstall

sudo /Applications/Cylance/Uninstall\ CylancePROTECT.app/Contents/MacOS/Uninstall\ CylancePROTECT --noui

Note: Will not be able to hide the red uninstall block from the dock. MacOS behavior comes in when launching the uninstall process. We do not have control to prevent the red block uninstall block from appearing even when using the -noui option.

User-added image

Start Cylance Service

sudo launchctl load /Library/launchdaemons/com.cylance.agent_service.plist

Stop Cylance Service

sudo launchctl unload /Library/launchdaemons/com.cylance.agent_service.plist

Enable Advanced UI (Debug Mode, Folder-Specific Background Scans, etc)

sudo /Applications/Cylance/CylanceUI.app/Contents/MacOS/CylanceUI -a

 

 

The CylancePROTECT Console contains a Cylance unified setup EXE or MSI file to install CylancePROTECT and CylanceOPTICS. With the unified setup installer, users can customize their installation and CylancePROTECT and CylanceOPTICS can be installed using various methods, such as GPO or SCCM. 

The unified setup download is available under Settings > Application or Settings > Deployments. If you do not see the download, please contact support. For instructions on downloading the Agent, please view the KB article here.

An unattended installation does not prompt for further information after starting. The program installs CylancePROTECT and CylanceOPTICS without requiring the user to select options or click Next at the end of each step. To perform an unattended install, use the /quiet or /qn options and the installation token in the command line. 

  • For quiet install: /quiet
  • For quiet and hidden: /qn
  • For displaying a progress bar with no interactive prompts: /passive
  • For preventing a restart after uninstall:¬†/norestart


Example Quiet Install of CylancePROTECT + CylanceOPTICS

Installation Parameters

Note: Currently, the AD=1 and AWS=1 parameters are not supported for the CylancePROTECT + CylanceOPTICS unified setup installer EXE file. If you wish to use these parameters, please use the unified setup installer MSI file. 

  • PIDKEY
    • <INSTALLATION TOKEN>¬†Replace this¬†value with the 24 character Installation Token from the Cylance Console's¬† Settings > Application page.¬†to auto input the installation token during install.¬†Example:¬†PIDKEY=AB1cDe2fGHijkL3m4nOPQRSt
  • SELFPROTECTIONLEVEL
    • 1: only Local Administrators can make changes to the registry and services.
    • 2: only the System Administrator can make changes to the registry and services (default).
  • LAUNCHAPP
    • 0: hidden (System tray icon and Start menu folder is hidden at run time (default).
    • 1: visible (System tray icon and start menu folder is not hidden at run time.
  • INSTALLFOLDER
    • <TARGET INSTALLATION FOLDER>:¬†Specifies the¬†agent install directory.
      • Default location of CylancePROTECT Agent:
        C:\Program Files\Cylance\Desktop
      • Default location of CylanceOPTICS Agent
        C:\Program Files\Cylance\Optics
  • REGWSC
    • 0: indicates that CylancePROTECT is not registered with Windows as an anti-virus program.¬†This allows CylancePROTECT and Windows Defender to run at the same time.
    • 1: registers CylancePROTECT as an anti-virus program in Windows (default).
    • Windows Server 2016 and 2019¬†does not offer a Security Center function. The REGWSC command will have no effect on Windows Server 2016 and 2019. If you wish to disable Windows Defender after installing CylancePROTECT on Windows Server 2016 and 2019,¬†the following registry value can be set:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
REG_DWORD
Value = 1
  • VENUEZONE
    • VENUEZONE=‚Äúzone_name‚ÄĚ Replace "Zone_Name" with the name of the zone.to add a¬†device to that zone.
    • If the zone does not exist, the zone is created using the name provided.
    • Note:¬†The use of the number sign / hash character¬†(#, U+0023) inside of a zone name will cause the install to fail due to a registry restriction, i.e. VENUEZONE="#zone_name"
    • Tabs, Carriage Returns, NewLines, or any other invisible characters are not permitted, i.e., VENUEZONE="My Cool \r\t\n Device"
  • INSTALLOPTICS
    • 0:¬†installs CylancePROTECT only on the endpoint (default).
    • 1:¬†installs both CylancePROTECT and CylanceOPTICS on the endpoint.
  • PROXY_SERVER
    • PROXY_SERVER=<ip_address>:<port_ number>
    • Specifies the IP address of the proxy server¬†through which the Agent must communicate. Proxy server settings are added to the¬†device‚Äôs registry. Proxy server information will¬†appear in the Agent log file.
    • Example:¬†PROXY_SERVER=123.45.67.89:1234
  • VDI
    • VDI="X" When installing CylancePROTECT on a Master Image, use the install parameter¬†VDI=X¬†where <X> is a "counter" for the total number of machines or images not connected to the domain (including the Master image) before creating a pool of workstations. The value for "X" determines when the Agent should start identifying the virtual machine utilizing VDI fingerprinting instead of the default Agent fingerprinting mechanism. By default, VDI is not enabled.¬†
    • For more information about¬†VDI Fingerprinting for Non-Persistent Virtual Machines, please see our knowledge base article¬†here.
    • The VDI fingerprinting for non-persistent virtual machines is designed for VMware products and works with Windows endpoints.


2. Unattended Uninstall of CylancePROTECT and CylanceOPTICS

You can use the command line for an unattended uninstall of the product(s) that were installed.

Notes:

  • The uninstall command will uninstall all of the products installed using the Cylance unified setup installer file.¬†For example, if you used the¬†CylanceUnifiedSetup.exe¬†to install CylancePROTECT + CylanceOPTICS, both products will be uninstalled using the uninstall command.
  • If you installed CylancePROTECT and CylanceOPTICS, you¬†cannot uninstall only one product, such as CylanceOPTICS.¬†
  • If you did not use the Cylance unified setup installer¬†to install the agent(s), you cannot use the unified setup installer to uninstall the agent(s).


Example
CylanceUnifiedSetup.exe /quiet /uninstall
or
CylanceUnifiedSetup_x64.msi /quiet /uninstall

Password Protected Uninstall Example

 

Uninstall Parameters

  • QUARANTINEDISPOSETYPE
    • 0: deletes all files and removes the quarantine "q" directory (default).
    • 1: restores all files.

  • msiexec /L*vx C:\Temp\CylanceUninstall.log /x {2A4C0D3D-6C40-484F-B3BB-1D843748FB5F} /qn UNINSTALLKEY="MyUninstallPassword"
  • Note:¬†The GUID may change in a future Agent release. If this were to occur, this document would be updated to reflect that change.
  • Note:¬†If utilizing an uninstall password that contains a special character or symbol, ensure that there are quotations around the uninstall password string to prevent any syntax issues.

 

 

 

1. Install CylancePROTECT

 

MSI Installer (using Standard Installer options)

msiexec /package CylanceProtect_x64.msi /quiet PIDKEY=<INSTALLATION TOKEN> LAUNCHAPP=1

MSI Installer (using Windows Installer options)

msiexec /i CylanceProtect_x64.msi /qn PIDKEY=<INSTALLATION TOKEN> LAUNCHAPP=1

Capture Logs with Install:

  • msiexec /i CylanceProtect_x64.msi /qn PIDKEY=<INSTALLATION TOKEN> /L*vx C:\Temp\CylanceInstall.log
  • This will output a verbose MSI installer log file (CylanceInstall.log) to the C:\Temp directory.

EXE Installer

CylanceProtectSetup.exe /quiet PIDKEY=<INSTALLATION TOKEN> LAUNCHAPP=1
NOTE: 
If the .exe is used to install the application, and an uninstall password is setup in the console, you must use the .exe uninstaller commands as outlined below. Please read Unable to uninstall CylancePROTECT using Add/Remove Programs for additional information.

Installation Parameters

  • PIDKEY
    • <INSTALLATION TOKEN>: Replace this¬†value with the 24 character Installation Token from the Cylance Console > Settings > Application page. Example: PIDKEY=AB1cDe2fGHijkL3m4nOPQRSt
  • SELFPROTECTIONLEVEL
    • 1: only Local Administrators can make changes to the registry and services.
    • 2: only the System Administrator can make changes to the registry and services. This is the default setting.
  • LAUNCHAPP
    • 0: hidden (System tray icon and Start menu folder is hidden at run time)
    • 1: visible (System tray icon and start menu folder is not hidden at run time (default)
  • APPFOLDER
    • <TARGET INSTALLATION FOLDER>: specifies agent install directory
      • Default¬†location is:¬†C:\Program Files\Cylance\Desktop
  • REGWSC
    • 0: Indicates that CylancePROTECT is not registered with Windows as an anti-virus program. This allows CylancePROTECT and Windows Defender to run at the same time.
    • 1: Registers CylancePROTECT as an anti-virus program in Windows.
    • Note:¬†Windows Server 2016 and 2019 does not offer a Security Center function. The REGWSC installation parameter¬†will have no effect on Windows Server 2016 and 2019. If you wish to disable Windows Defender after installing CylancePROTECT on Windows Server 2016 and 2019,¬†the following registry value can be set:

      HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
      REG_DWORD
      Value = 1

      For more information on how to manage Windows Defender via Group Policy, please read Use Group Policy settings to configure and manage Windows Defender AV.

  • VENUEZONE="zone_name"
    • Requires Agent version 1380 or higher
    • Adds devices to a zone.
    • If the zone does not exist, the zone is created using the name provided.
    • Replace¬†zone_name¬†with the name of an existing zone or a zone you want to create.
    • Note:¬†The use of the number sign / hash character¬†(#, U+0023) inside of a zone name will cause the install to fail due to a registry restriction, i.e. VENUEZONE="#zone_name"
  • PROXY_SERVER
    • PROXY_SERVER=<ip_address>:<port_number>.
    • Example: PROXY_SERVER=123.45.67.89:1234
    • Requires Agent version 1470 or higher
    • Proxy server settings are added to the device's registry. Proxy server information will appear in the Agent log file.
  • VDI
    • X: .When installing CylancePROTECT on a Master Image, use the install parameter VDI=X where <X>; is a "counter" for the total number of machines or images not connected to the domain (including the Master image) before creating a pool of workstations. The value for <X> determines when the Agent should start identifying the virtual machine utilizing VDI fingerprinting instead of the default Agent fingerprinting mechanism.
    • The VDI parameter utilizes a counter "X" and has a delayed effect, whereas the AD parameter is immediate upon installation.
    • Requires Agent version 1490 or higher
    • Note: The VDI fingerprinting for non-persistent virtual machines is designed for VMware products and works with Windows endpoints.
    • For more information about¬†VDI Fingerprinting for Non-Persistent Virtual Machines, please see our knowledge base article¬†here.¬†
  • AD
    • Use the Active Directory (AD) parameter during initial installation on a master image that is domain connected. When installed on a domain connected master image, it will immediately utilize VDI fingerprinting on the master image and subsequently created pool of workstations.
    • Requires ¬†Agent version 1520 or higher.
    • Note: The VDI fingerprinting for non-persistent virtual machines is designed for VMware products and works with Windows endpoints.
    • For more information about¬†VDI Fingerprinting for Non-Persistent Virtual Machines, please see our knowledge base article¬†here.¬†
  • AWS
    • 1: Captures and includes the Amazon EC2 Instance ID to the Device Name field to help identify Amazon Cloud hosts.¬†The Device Name is modified to include Hostname + Instance ID. For example:¬†
      ABC-DE-123456789_i-0a1b2cd34efg56789 where the device name is ABC-DE-12345678 and the AWS EC2 ID is i-0a1b2cd34efg56789.
    • Requires Agent version 1500 or higher.
    • This feature is only for the Amazon EC2 Instance ID. This is not related to Amazon Linux.
  • PROTECTTEMPPATH
    • 1: Change the location of the CylanceDesktopArchive and CylanceDesktopRemoteFile folder to the Cylance ProgramData folder
      • Location with installation parameter: C:\ProgramData\Cylance\Desktop
    • Requires¬†Agent version 1480 or greater for Windows.¬†
    • For more information, please see our knowledge base article¬†here.

Unattended Install

An unattended installation does not prompt for further information after starting. The program installs without requiring the user to select options or click Next at the end of each step. To perform an unattended install, use the /quiet or /qn options and the installation token in the command line. See the MSI and EXE examples above.

  • For quiet install / uninstall: /quiet
  • For quiet and hidden: /qn
  • For displaying a progress bar with no interactive prompts: /passive
  • For preventing a restart after uninstall:¬†/norestart

2. Uninstall CylancePROTECT

MSI Installer (using Standard Installer options)

msiexec /uninstall CylanceProtect_x64.msi /quiet

Password Protected Uninstall: msiexec /L*vx C:\Temp\CylanceUninstall.log /uninstall CylanceProtect_x64.msi /quiet UNINSTALLKEY="MyUninstallPassword"

MSI Installer (using Windows Installer options)

msiexec /x CylanceProtect_x64.msi /qn

Password Protected Uninstall:

  • msiexec /L*vx C:\Temp\CylanceUninstall.log /x CylanceProtect_x64.msi /qn UNINSTALLKEY="MyUninstallPassword"

MSI Installer (Using GUID)

msiexec /x {2E64FC5C-9286-4A31-916B-0D8AE4B22954} /qn

Password Protected Uninstall:

  • msiexec /L*vx C:\Temp\CylanceUninstall.log /x {2E64FC5C-9286-4A31-916B-0D8AE4B22954} /qn UNINSTALLKEY="MyUninstallPassword"
  • Note:¬†The GUID may change in a future Agent release. If this were to occur, this document would be updated to reflect that change.
  • Note:¬†If utilizing an uninstall password that contains a special character or¬†symbol, ensure that there are quotations around the uninstall password string to prevent any syntax issues.

EXE Installer

CylanceProtectSetup.exe /quiet /uninstall

Password Protected Uninstall: CylanceProtectSetup.exe /quiet /L*vx C:\Temp\CylanceUninstall.log UNINSTALLKEY="MyUninstallKey" /uninstall

Note: If utilizing an uninstall password that contains a special character or symbol, ensure that there are quotations around the uninstall password string to prevent any syntax issues.

Uninstallation Parameters

  • QUARANTINEDISPOSETYPE
    • 0: deletes all files and removes the q directory (default)
    • 1: restores all files

3. Agent Update

CylanceUI.exe -update

4. To expose the option to enable Debug Logging and start the UI in "Advanced Mode"

CylanceUI.exe -a

 

Change Log

Description Date Changed
Changed PROTECT references to CylancePROTECT 5-Sep-19
Updated description for VDI parameter

Added AD parameter

Removed the following note from VENUEZONE:
Note: Adding leading or trailing spaces to the zone name may create a new zone if that zone does not already exist in the Cylance console. For example, VENUEZONE="zone_name", VENUEZONE=" zone_name" and VENUEZONE="zone_name " are 3 different zone names
4-Sep-19
Added quotation marks around the UNINSTALLKEY parameter with the following note:

Note: If utilizing an uninstall password that contains a special character or symbol, ensure that there are quotations around the uninstall password string to prevent any syntax issues.
1-Feb-19
Added the following parameter:
  • AWS
    • 1: Captures and includes the Amazon EC2 Instance ID to the Device Name field to help identify Amazon Cloud hosts.¬†The Device Name is modified to include Hostname + Instance ID. For example:¬†
      ABC-DE-123456789_i-0a1b2cd34efg56789 where the device name is ABC-DE-12345678 and the AWS EC2 ID is i-0a1b2cd34efg56789.
    • Requires Agent version 1500 or higher.
    • This feature is only for the Amazon EC2 Instance ID. This is not related to Amazon Linux