Remove Kaspersky Endpoint Security from macOS endpoints to satisfy U.S. sanctions and CISA removal mandates
This Automox Worklet™ removes Kaspersky Endpoint Security and related Kaspersky Lab artifacts from macOS endpoints. The remediation script unloads Kaspersky system and user launch entries with launchctl unload, then deletes the Kaspersky application bundle, extension directories, and support files left behind by the vendor uninstaller. Endpoints with no Kaspersky footprint pass the evaluation phase and are skipped.
The Worklet targets the locations Kaspersky ships its macOS components to: /Applications/Kaspersky Endpoint Security.app, /Library/Application Support/Kaspersky Lab, /Library/Extensions/Kaspersky*, /Library/LaunchAgents/com.kaspersky*.plist, and /Library/LaunchDaemons/com.kaspersky*.plist. After the rm -rf pass the script re-checks the same paths and process list, exiting non-zero if any Kaspersky artifact survives.
The script is the cleanup pass that runs after – or instead of – Kaspersky’s own kavremover tool. The vendor uninstaller is interactive and often exits with leftover launch daemons or extension caches still on disk. That residue is exactly what fails an audit. This Worklet replaces the kavremover workflow with a non-interactive removal you can invoke from FixNow for ad-hoc cleanup or schedule as a recurring policy until the fleet reports zero Kaspersky endpoints.
Kaspersky Lab products are subject to layered U.S. restrictions. The Department of Commerce Bureau of Industry and Security (BIS) added Kaspersky Lab to the Entity List in June 2024, then issued a Final Determination prohibiting Kaspersky antivirus software in the United States after 29 September 2024. CISA Binding Operational Directive 17-01 has required federal civilian agencies to remove Kaspersky-branded products since 2017, and FAR 52.204-23 and the matching DFARS clauses extend the prohibition to federal contractors and the systems they operate.
Holding even a single Kaspersky-licensed Mac in your fleet creates sanctions, contracting, and audit exposure. The BIS Final Determination put every Kaspersky Endpoint Security install onto a removal deadline, and CISA BOD 17-01 still applies to federal and federal-adjacent fleets. Running this Worklet on every macOS endpoint in scope – including remote and roaming Macs that never touch the corporate network – clears the residual /Library/Application Support/Kaspersky Lab content the vendor uninstaller leaves behind and produces a clean evaluation result you can attach to an audit response.
Evaluation phase: The Worklet calls check_kaspersky_files to probe /Library/Application Support/Kaspersky Lab, /Library/Extensions/Kaspersky*, /Applications/Kaspersky*, /Library/LaunchAgents/com.kaspersky*, and /Library/LaunchDaemons/com.kaspersky*. It also calls check_kaspersky_processes, which runs ps aux | grep -i kaspersky | grep -v grep to detect any running Kaspersky process. If either check matches, the script prints "Kaspersky Endpoint Security is installed." and exits 1 so Automox triggers remediation. A clean endpoint exits 0 and is skipped.
Remediation phase: The script unloads each Kaspersky launch entry with launchctl unload /Library/LaunchAgents/com.kaspersky* and launchctl unload /Library/LaunchDaemons/com.kaspersky*. It then deletes /Library/Application Support/Kaspersky Lab, /Library/Extensions/Kaspersky*, /Applications/Kaspersky*, and the matching LaunchAgents and LaunchDaemons plist files with rm -rf. The script re-checks the same five paths and exits 0 on a clean removal or exits 1 with "Failed to completely uninstall Kaspersky Endpoint Security." written to stderr if any artifact survives.
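The evaluation check described above, and reused as the post-remediation re-check, can be sketched as follows. This is an added example, not the Worklet's own code: the function names and messages come from the description, while the root-prefix argument and the --evaluate entry point are assumptions added so the check can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not the Worklet's own code. The first argument is a
# hypothetical root prefix (empty on a real Mac) for dry runs on a copy.

check_kaspersky_files() {
    root="${1:-}"
    found=1
    for candidate in \
        "$root/Library/Application Support/Kaspersky Lab" \
        "$root"/Library/Extensions/Kaspersky* \
        "$root"/Applications/Kaspersky* \
        "$root"/Library/LaunchAgents/com.kaspersky* \
        "$root"/Library/LaunchDaemons/com.kaspersky*
    do
        # An unmatched glob is passed through literally, so test each
        # candidate for existence (including dangling symlinks).
        if [ -e "$candidate" ] || [ -L "$candidate" ]; then
            echo "artifact: $candidate"
            found=0
        fi
    done
    return "$found"
}

check_kaspersky_processes() {
    # Pipeline quoted on the page. It matches any command line containing
    # the string, so a helper script named after the vendor also matches.
    ps aux | grep -i kaspersky | grep -v grep >/dev/null
}

evaluate() {
    if check_kaspersky_files "${1:-}" || check_kaspersky_processes; then
        echo "Kaspersky Endpoint Security is installed."
        return 1
    fi
    echo "Kaspersky Endpoint Security is not installed."
    return 0
}

# Hypothetical entry point: ./evaluate.sh --evaluate [root-prefix]
if [ "${1:-}" = "--evaluate" ]; then
    evaluate "${2:-}"
    exit $?
fi
```

The "artifact:" lines list exactly which path kept an endpoint non-compliant, which is the detail to keep alongside the pre- and post-remediation evidence.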
macOS endpoint with the Automox agent installed, including Apple Silicon Macs running macOS 14 Sonoma and macOS 15 Sequoia
Root context for the Automox agent (the default install context already satisfies this); needed to write to /Library and to call launchctl unload on system-scope daemons
Full Disk Access granted to the Automox agent in System Settings, Privacy and Security; without it, /Library/Application Support paths return permission denied even under root on recent macOS releases
MDM profile that approves removal of any active Kaspersky kernel or system extension and matching PPPC entitlements before the Worklet runs
Optional: disable the Kaspersky Endpoint Security self-defense password through Kaspersky Security Center before scheduling, so endpoints where the password is enforced do not block the uninstall
After remediation, /Applications/Kaspersky Endpoint Security.app no longer exists, the /Library/Application Support/Kaspersky Lab directory is absent, and /Library/Extensions holds no Kaspersky bundles. ls /Library/LaunchAgents /Library/LaunchDaemons returns no com.kaspersky.* plist files and ps aux | grep -i kaspersky | grep -v grep returns no rows. The next evaluation pass exits 0 with "Kaspersky Endpoint Security is not installed." and the endpoint is reported compliant in Automox.
For audit evidence, capture the pre- and post-remediation output of ls /Applications | grep -i kaspersky, ls /Library/LaunchDaemons | grep kaspersky, and systemextensionsctl list. Attach the policy run identifier from the Automox activity log to that output. The endpoint can then be reported clean against CISA BOD 17-01 inventory requirements and against the prohibited-software clauses in FAR 52.204-23 and the matching DFARS rules.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
