macOS - Software - Uninstall Kaspersky Software

What the Kaspersky uninstaller does

This Automox Worklet™ removes Kaspersky software from macOS endpoints by uninstalling the application and eliminating all associated files, directories, and system components. The Worklet targets multiple Kaspersky installation locations including /Library/Application Support/Kaspersky Lab, /Library/Extensions, /Applications, and system launch agents and daemons.

The Worklet uses a bash script to systematically locate and remove all Kaspersky-related components from the endpoint. It terminates any running Kaspersky processes before deletion to maintain clean removal.

Why remove Kaspersky from your endpoints

Kaspersky software installations create compliance violations and supply chain security risks for organizations operating under government and regulatory frameworks. Following sanctions and security directives from CISA and other government agencies, organizations face mandatory removal deadlines for Kaspersky products to maintain FedRAMP authorization and compliance with federal cybersecurity standards. Incomplete manual removal leaves behind system extensions, launch daemons, and kernel modules that continue intercepting network traffic and maintaining privileged system access, creating ongoing security exposure even after the main application is deleted.

This Worklet eliminates manual removal steps and maintains consistent uninstallation across your fleet. By automating Kaspersky removal, you reduce deployment time and maintain no residual files or processes remain that could impact endpoint performance or security.

How Kaspersky uninstallation works

1. Evaluation phase: The Worklet checks for Kaspersky installation by scanning /Library/Application Support/Kaspersky Lab, /Library/Extensions/Kaspersky*, /Applications/Kaspersky*, and launch agent and daemon plist files. If any Kaspersky files or running processes are detected, the evaluation indicates that remediation is needed.

2. Remediation phase: The Worklet unloads launch agents and daemons using launchctl, then removes all Kaspersky directories and files from /Library, /Applications, and launch configuration directories. It then verifies that all Kaspersky components have been successfully removed.

Kaspersky uninstallation requirements

• macOS 10.13 or later

• Administrative privileges required on the endpoint

• Bash shell availability

• Standard file system utilities (rm, launchctl)

Expected Kaspersky removal state

After the Worklet completes successfully, all Kaspersky software, associated files, directories, and system launch components will be removed from the endpoint. You can verify successful removal by checking the Applications folder or by searching for the application in Spotlight. No Kaspersky processes will be running and no Kaspersky-related plist files will remain.

You can verify successful removal by checking that the /Library/Application Support/Kaspersky Lab directory no longer exists, no files matching Kaspersky* patterns are present in /Applications or /Library/Extensions, and no Kaspersky launch agents or daemons are listed in the system configuration.

How to validate uninstall kaspersky software changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for uninstall kaspersky software.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as check_kaspersky_files, return, else.

4. Validate remediation effects from script operations such as exit, launchctl, rm, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for uninstall kaspersky software. This supports repeatable software lifecycle workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as check_kaspersky_files, return, else and remediation operations such as exit, launchctl, rm. Use these indicators to verify that endpoint changes match intended policy outcomes.