Removing the Assessment Tool from macOS Endpoints

Run the script to remove files and other objects related to the tool.

iCORE_LAUNCH_FILE_PATH="/Library/LaunchDaemons/com.trendmicro.icore.xdr.sa.plist"
iCORE_APP_INSTALL_PATH="/Applications/EDRMainUI.app/Contents/Resources/iCoreFlyWheel.app"
iCORECLIENT_PATH="/Library/Frameworks/iCoreClientSA.framework"
iCORECLIENTPB_PATH="/Library/Frameworks/iCoreClientPbSA.framework"
iCORE_INSTALL_PATH="/Library/Application Support/com.trendmicro.iCoreFlyWheel"
iCORE_LOG_PATH="/var/log/com.trendmicro.iCoreFlyWheel"

EDR_LAUNCH_FILE_PATH="/Library/LaunchDaemons/com.trendmicro.EDRAgent.plist"
EDR_MAINUI_LAUNCH_FILE_PATH="/Library/LaunchAgents/com.trendmicro.EDRMainUI.plist"
EDR_INSTALL_PATH="/Library/Application Support/com.trendmicro.iCoreFlyWheel/com.trendmicro.EDRAgent"
EDR_APP_INSTALL_PATH="/Applications/EDRMainUI.app"
# will be changed to current user below
EDR_LOG_PATH="/Library/Logs/com.trendmicro.iCoreFlyWheel"
EDR_SHARED_DATA_PATH="/Users/Shared/EDRAgent"

XBC_LAUNCH_FILE_PATH="/Library/LaunchDaemons/com.trendmicro.endpointbasecamp.plist"
XBC_INSTALL_PATH="/Library/Application Support/com.trendmicro.endpointbasecamp"

uninstall_icore()
{
	launchctl unload -w "$iCORE_LAUNCH_FILE_PATH"
	echo "uninstall icore"
	if [[ -e "$iCORE_APP_INSTALL_PATH" ]]; then
		osascript <<EOD
			tell application "Finder"
			set sourceFolder to POSIX file "$iCORE_APP_INSTALL_PATH"
			delete sourceFolder
		end tell
EOD
	fi
	rm -f "$iCORE_LAUNCH_FILE_PATH"
	rm -rf "$iCORECLIENT_PATH"
	rm -rf "$iCORECLIENTPB_PATH"
	rm -rf "$iCORE_INSTALL_PATH"
	rm -rf "$iCORE_LOG_PATH"
}

uninstall_EDRAgent()
{
	echo "uninstall EDRAgent"
	launchctl unload -w "$EDR_LAUNCH_FILE_PATH"

	USER=$(stat -f "%Su" /dev/console)
    uid=$(id -u "$USER")
	echo "current USER $USER uid $uid"
    launchctl asuser "$uid" launchctl unload "$EDR_MAINUI_LAUNCH_FILE_PATH"

	rm -f "$EDR_LAUNCH_FILE_PATH"
	rm -f "$EDR_MAINUI_LAUNCH_FILE_PATH"
	rm -rf "$EDR_INSTALL_PATH"
	rm -rf "$EDR_APP_INSTALL_PATH"
	rm -rf "$EDR_SHARED_DATA_PATH"
	rm -rf "/Users/$USER/$EDR_LOG_PATH"

	defaults delete com.trendmicro.EDRAgent
}

uninstall_XBCAgent()
{
	echo "uninstall XBCAgent"
	killall ws_communicator
	launchctl unload -w "$XBC_LAUNCH_FILE_PATH"
	rm -f "$XBC_LAUNCH_FILE_PATH"
	rm -rf "$XBC_INSTALL_PATH"

	defaults delete com.trendmicro.endpointbasecamp
}

uninstall_icore
uninstall_EDRAgent
uninstall_XBCAgent