
How to Completely Remove SentinelOne from Ubuntu 24.04
How to Completely Remove SentinelOne from Ubuntu 24.04.
SentinelOne is a powerful endpoint protection platform, but sometimes IT administrators need to remove it—especially when troubleshooting, performing a reinstallation, or switching solutions. Unfortunately, due to its security-focused nature, SentinelOne isn’t always easy to remove cleanly. This guide walks you through how to completely and forcefully remove SentinelOne from a Linux system, including residual files and stubborn processes.

Why Manual Removal?
SentinelOne installs deep hooks into the system using kernel modules, eBPF mounts, and active processes that may resist traditional removal. If the agent is misconfigured or the system is offline from the SentinelOne management console, automated uninstallers might not function as expected.
This script ensures you cleanly remove every component—even if the uninstall process was incomplete or roken.
What This Script Does
The script covers the full removal process:
- Kills all SentinelOne processes.
- Unmounts the eBPF mount point used by SentinelOne.
- Purges the SentinelOne DEB package (
sentinelagent
), if installed. - Deletes all known SentinelOne directories, ensuring no traces are left behind.
The Script
Here’s the complete script you can use:
#!/bin/bash echo "===========================================" echo "Force cleaning SentinelOne (and dpkg lock)..." echo "===========================================" # 1. Kill SentinelOne processes echo "[*] Killing SentinelOne processes..." sudo pkill -9 -f sentinelone || echo "No SentinelOne processes found or already stopped." # 2. Unmount stubborn mount (ignore if not mounted) echo "[*] Attempting to unmount /opt/sentinelone/ebpfs/bpf_mount..." sudo umount -lf /opt/sentinelone/ebpfs/bpf_mount 2>/dev/null || echo "No mount found or already unmounted." # 3. Purge SentinelOne package (if installed) echo "[*] Purging sentinelagent package..." sudo dpkg --purge sentinelagent 2>/dev/null || echo "SentinelOne package not found or already removed." # 4. Remove all residual SentinelOne directories echo "[*] Removing leftover directories..." sudo rm -rf /opt/sentinelone /etc/sentinelone /var/lib/sentinelone /var/log/sentinelone echo "SentinelOne has been forcefully removed from the system."
How to Run It
- Save the script to a file:
nano remove_sentinelone.sh
- Paste the code, then save and exit (Ctrl + X, then Y, then Enter).
- Make it executable:
chmod +x remove_sentinelone.sh
- Run the script as root:
sudo ./remove_sentinelone.sh
What to Expect
- The script may print messages like “No SentinelOne processes found” — that’s perfectly fine.
- It’s designed to be safe even if SentinelOne isn’t currently installed.
- You won’t need to reboot unless SentinelOne kernel modules are actively interfering with other software.
Troubleshooting Tips
- If you see “resource busy” errors, wait a few seconds and rerun the script.
- If
/opt/sentinelone/ebpfs/bpf_mount
is still mounted, check for any running services that might be accessing it. - Check if
sentinelctl
exists in/opt/sentinelone/bin/
— if so, runsudo /opt/sentinelone/bin/sentinelctl uninstall
only if you have uninstall permissions via the management console.
Final Thoughts
SentinelOne is designed to protect systems—so it’s expected to be a bit stubborn when it comes to removal. This script gives administrators a reliable, repeatable way to cleanly remove SentinelOne without leaving behind configuration files, mount points, or hanging processes.
This can be especially useful for:
- Re-deployments
- Migration to a different EDR solution
- Lab/test environments
- Recovering systems with corrupted SentinelOne installs
If you’re managing fleets of Linux devices and want to streamline security or software deployments, consider automating this script with Ansible, SaltStack, or your preferred configuration management tool.
Discover more from Patrick Domingues
Subscribe to get the latest posts sent to your email.