Account changed - TDR host sensor
we upgraded to our box but in MSSP model which managed by vendors.
The troublesome part is the TDR host sensor need to point to new account (in vendor account). So, we have to manual uninstall at each machine and most of staff work from home, we face challenge to go to each machine to uninnstall.
Is there anyway that to change account UUID without unistall host sensor?
Thanks in advance if anyone know alternative solution instead of manual uninstall.
Sign In to comment.
You can change the account ID using a command line option in a batch script:
ON EVERY DEPLOYED HOST SENSOR, there are two ways to go about this:
a. Uninstall every host, delete the TDR folder and reinstall
b. Use the following commands:
net stop TDRSensorService64
cd c:\Program Files (x86)\WatchGuard\Threat Detection and Response\amd64\
host_sensor.exe /setAccountUUID= XXXXX-XXXX-XXXX-XXXX
net start TDRSensorService64
i. Replace XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX with the new Account UUID.
ii. This can be set in a batch script or run manually at a command line.
iii. If “Prevent Host Sensor Service Changes” is enabled, this will need to be turned off in the TDR Web UI prior to running these commands.
Don’t forget to check other places:
1. On the Firebox, under Subscription Services> Threat Detection and Response.
2. If using AD Helper, in the Account UUID section of the Properties screen
3. Mac and Linux sensors are similar but have a different syntax, e.g. “sudo ./host_sensor --setAccountUUID=”
**If you simply uninstall/reinstall the sensor, you need to also remove the properties files left behind in “C:\Program Files (x86)\WatchGuard\Threat Detection and Response”.
Regarding facing a challenge to go to each machine to uninstall, if they are running Windows 10 and you also are running Windows 10, you can use Quick Assist that is built into Windows 10. It is free and works well for attended remote access.
Thanks a lot. Will give a try!