Turning off data collection doesn't reveal a "Delete agents" option; VMs continue to have 20+ unwanted processes.
Category: azure security center
Chris W. Rea on Thu, 22 Dec 2016 15:31:31
Hi folks. I'm stumped!
I'd like to remove Azure Security Center agents from my Windows Server VM instances. I found documentation at Enable data collection in Azure Security Center that indicates I should be able to delete the agents from my VMs using a "Delete agents" button that is supposed to appear in the ribbon of the "Security policy" panel for a subscription, once data collection has been turned off. Here's a snippet from one of the documentation screenshots:
However, after I have turned off data collection, I see no such "Delete agents" option for my own subscription. Witness:
I also came across the article at Azure Security Center–Data Collection and Storage which indicates that I need to turn data collection off first. I did set data collection to "Off" first, and saved. Yet, "Delete agents" did not subsequently appear. I also backed out of the pane and went back in again in case it was a refresh/rendering issue, but still no "Delete agents" showing in the ribbon.
Why wouldn't I see "Delete agents" as described by the documentation? Did I miss something, or is the feature no longer available? Is there another way to cleanly remove the 20+ unwanted processes that are running on my Windows Server VMs? (AsmAgentLauncher.exe x3, AsmMonitoringAgent x3, MonAgentManager x3, MonAgentCore x3, and associated cmd.exe and conhost.exe processes.)
Thanks for your help!
Chris W. Rea
Koreh Eli on Fri, 23 Dec 2016 05:24:49
Hi Chris,
Thank you for the detailed question. You can just set data collection to "off" and the agents will be removed within a few hours. Sorry for the out-of-date documentation; we will fix that. Note that you will lose security visibility on your VMs. Will be glad to hear more feedback on why you would like to remove the security agents.
Best regards,
Eli Koreh
Principal Eng Manager
Chris W. Rea on Wed, 04 Jan 2017 15:28:34
Thanks -- you're right, all I needed to do was give it more time. I had some VMs which were shut down when I had disabled data collection, and once I allowed them to run for a while the agents in question did disappear from the process list.
One more follow-up question: Will VMs that are shut down when data collection has been turned off _and_ remain in the shut-down state for a considerable time following still have the agents removed eventually when they are started up again? Or, might there be a limited window during which the portal will attempt to remove agents from active VMs only? Is it a process on the VM that queries the portal for data collection status and performs such cleanup at any time? Thanks.
Chris W. Rea