Patrick Domingues

How to Completely Remove SentinelOne from Ubuntu 24.04.
SentinelOne is a powerful endpoint protection platform, but sometimes IT administrators need to remove it—especially when troubleshooting, performing a reinstallation, or switching solutions. Unfortunately, due to its security-focused nature, SentinelOne isn’t always easy to remove cleanly. This guide walks you through how to completely and forcefully remove SentinelOne from a Linux system, including residual files and stubborn processes.

Why Manual Removal?

SentinelOne installs deep hooks into the system using kernel modules, eBPF mounts, and active processes that may resist traditional removal. If the agent is misconfigured or the system is offline from the SentinelOne management console, automated uninstallers might not function as expected.

This script ensures you cleanly remove every component—even if the uninstall process was incomplete or roken.

What This Script Does

The script covers the full removal process:

1. Kills all SentinelOne processes.
2. Unmounts the eBPF mount point used by SentinelOne.
3. Purges the SentinelOne DEB package (sentinelagent), if installed.
4. Deletes all known SentinelOne directories, ensuring no traces are left behind.

The Script

Here’s the complete script you can use:

#!/bin/bash

echo "==========================================="
echo "Force cleaning SentinelOne (and dpkg lock)..."
echo "==========================================="

# 1. Kill SentinelOne processes
echo "[*] Killing SentinelOne processes..."
sudo pkill -9 -f sentinelone || echo "No SentinelOne processes found or already stopped."

# 2. Unmount stubborn mount (ignore if not mounted)
echo "[*] Attempting to unmount /opt/sentinelone/ebpfs/bpf_mount..."
sudo umount -lf /opt/sentinelone/ebpfs/bpf_mount 2>/dev/null || echo "No mount found or already unmounted."

# 3. Purge SentinelOne package (if installed)
echo "[*] Purging sentinelagent package..."
sudo dpkg --purge sentinelagent 2>/dev/null || echo "SentinelOne package not found or already removed."

# 4. Remove all residual SentinelOne directories
echo "[*] Removing leftover directories..."
sudo rm -rf /opt/sentinelone /etc/sentinelone /var/lib/sentinelone /var/log/sentinelone

echo "SentinelOne has been forcefully removed from the system."

How to Run It

1. Save the script to a file: nano remove_sentinelone.sh
2. Paste the code, then save and exit (Ctrl + X, then Y, then Enter).
3. Make it executable: chmod +x remove_sentinelone.sh
4. Run the script as root: sudo ./remove_sentinelone.sh

What to Expect

• The script may print messages like “No SentinelOne processes found” — that’s perfectly fine.
• It’s designed to be safe even if SentinelOne isn’t currently installed.
• You won’t need to reboot unless SentinelOne kernel modules are actively interfering with other software.

Troubleshooting Tips

• If you see “resource busy” errors, wait a few seconds and rerun the script.
• If /opt/sentinelone/ebpfs/bpf_mount is still mounted, check for any running services that might be accessing it.
• Check if sentinelctl exists in /opt/sentinelone/bin/ — if so, run sudo /opt/sentinelone/bin/sentinelctl uninstall only if you have uninstall permissions via the management console.

Final Thoughts

SentinelOne is designed to protect systems—so it’s expected to be a bit stubborn when it comes to removal. This script gives administrators a reliable, repeatable way to cleanly remove SentinelOne without leaving behind configuration files, mount points, or hanging processes.

This can be especially useful for:

• Re-deployments
• Migration to a different EDR solution
• Lab/test environments
• Recovering systems with corrupted SentinelOne installs

If you’re managing fleets of Linux devices and want to streamline security or software deployments, consider automating this script with Ansible, SaltStack, or your preferred configuration management tool.

Patrick Domingues

See Full Bio