Skip Navigation

Troubleshooting: Removing the
Optics
agent from a
macOS
device

Verify that the
Optics
agent has been removed

Run the following command:
kextstat | grep -i cyoptic
For
macOS
Big Sur (11.x), run the following command as well:
systemextensionsctl list | grep -i cyoptics
The commands should return no output.
Confirm that the following paths and files are no longer present on the system:
  • /Library/Application Support/Cylance/Optics
  • /Library/Application Support/OpticsUninstall
  • /Applications/Cylance/Optics
  • /Library/LaunchDaemons/com.cylance.cyoptics_service.plist
  • /Library/LaunchDaemons/com.cylance.optics.postuninstall.plist
  • /Library/LaunchDaemons/com.cylance.cyopticsesfservice.plist

On a
macOS
Big Sur (11.x) device, after using an ssh session to silently uninstall the
Optics
agent, /Applications/Cylance/Optics/CyOpticsESFLoader.app remains and the system extension is still active

This issue occurs because
Apple
has no mechanism to silently uninstall system extensions without explicit confirmation by the end user.
To resolve, use the finder to locate CyOpticsESFLoader.app and drag it to the trashcan, then confirm the UI prompt to deactivate and remove the system extension.
If you get a permissions error when you drag the file to the trashcan, run the following command to temporarily disable
Protect Desktop
:
sudo launchctl unload /Library/LaunchDaemons/com.cylance.agent_service.plist
After you run the command, you can drag the file to the trashcan and confirm the UI prompt. If you want
Protect Desktop
to remain active, restart the device.
You must remove CyOpticsESFLoader.app in this way before removing the
Protect Desktop
agent from the device. If you remove the
Protect Desktop
agent before completing this task, /Applications/Cylance is removed from the device, including CyOpticsESFLoader.app, so you will not be able to manually delete it and deactivate the system extension.