How do I uninstall Trend Micro Security Agent?

I just did this myself, here's what I learned while doing it.

A lot of the difficulty in uninstalling Trend Micro comes from the fact that it spawns processes that then interfere with removing it (this actually makes sense for an anti-virus, but it certainly makes it a challenge when we need to remove it by hand). Basically, we're going to take this in two major moves: 1) killing those interfering processes, 2) deleting all the files associated with Trend Micro.

You're going to need to do this through the Terminal program. If you've never used Terminal before, be careful -- nothing below should harm anything (other than the Trend Micro anti-virus), but it's a very powerful tool, and you can really mess stuff up if you aren't careful. You can find it at Applications/Utilities/Terminal.

Additionally, you will need to be an admin on your computer. If you do not have admin privileges, the below guide will not work.

Finally, it would probably be a good idea to make a back-up before starting, just in case something goes wrong.

Killing Interfering Processes

First, we need to knock out the processes that interfere with deleting Trend Micro. According to the uninstall guide from TrendMicro there are three main processes we want to kill (As a side note, it's a little unnerving that the names Trend Micro uses are so generic. It makes you worried they actually belong to something you want to keep):

  • iCoreService
  • TmLoginMgr
  • MainUI

You can use the command killall to kill processes that match by name, but I prefer to find the PID (Process ID number) associated with what I need to knock out, then issue kill commands for those PIDs. We can find the associated PIDs for each thing listed above with a command of this form:

ps -A | grep iCoreService

When you enter that command*, it will return a list off all processes that have iCoreService somewhere in their name. Each process will have a number at the very front: that is the PID. Take note of those numbers. (Note: Your grep command will be one of the processes that gets returned -- you can ignore that, but nothing bad will happen if you try to kill it either.)

*: If you're wary of people telling you to enter random terminal commands, good for you! Here's what each part does: "ps -A" lists all processes currently running; "|" pipes that into the next command (in other words, that info is passed along to the next part); "grep" searches for matches to whatever it is given, in this case 'iCoreService'. In total, we're pulling out all those processes that have 'iCoreService' in the name.

Now we're going to kill each of those processes. Use this command, running it for each PID you just found:

kill NUMBER_GOES_HERE

(E.g., you would write something like kill 1253, but using the numbers that came up from the previous command.)

At this point, it should tell you that you don't have the permissions to do that -- you need to prove that you really are an admin and should be allowed. Issue that same command, but now with sudo in front:

sudo kill NUMBER_GOES_HERE

The terminal will prompt you for your password. Type it in, hit enter, and that's it, the process should be gone now.

What's going on with this command? "sudo" means Super User Do, basically forcing the computer to do what you want because you're the admin; "kill" issues a signal to terminate the process with whatever PID number you pass in after.

When I did this, I got a total of 4 processes associated with iCoreService. After you've knocked that one out, remember that you'll also need to do it for TmLoginMgr (I got 1 process here) and for MainUI (I had 0 processes here, but it's possible that was due to a previous removal attempt by someone else.)

Great! Now that the boss' shields are down, we can attack!

Deleting Trend Micro Files

Now it's time to actually delete the files associated with the anti-virus.

Here's the list of directories (folders) we want to delete:

/System/Library/TrendMicro
/Library/StartupItems/iCoreService
/Applications/MainUI.app
/Library/Application Support/TrendMicro
/Library/Frameworks/TMAppCommon.framework/
/Library/Frameworks/TMAppCore.framework/
/Library/Frameworks/TMGUIUtil.framework/
/Library/Frameworks/iCoreClient.framework/
/Library/Frameworks/iCoreClientPb.framework/

[Note: When I did this, I was not able to find every single folder. It's possible some were gone due to a previous removal attempt by someone else. Could also be due to those Trend Micro uninstall docs being more than four years old... The specific folders I could not find were the first three in the list above. But if they exist on your installation, you should still remove them.]

To delete each of these, use this command:

rm -rf "FULL_PATH_IN_QUOTES_GOES_HERE"

In other words, you should copy each line from the above list and execute like this:
rm -rf "/Library/Application Support/TrendMicro". (The quotes are really important for the folder with 'Application Support' in its path because of the space, other directories don't need it, but it doesn't hurt to follow that pattern for each one.) Some of the folders might not exist, that's okay.

More than any other command, this is the one you need to be very careful with. "rm" is the command to remove (delete) things; "-rf" tells it to delete folders and to recurse downward (delete folders within folders and so on downward); the double-quotes ensure that paths with a space still get deleted correctly.

Like before, you will probably be told that you do not have the appropriate permissions to do that. You'll need to elevate with sudo as we did before:

sudo rm -rf "FULL_PATH_IN_QUOTES_GOES_HERE"

Do that for each of the directories in the list of Trend Micro folders to remove.

Note: I had a lot of difficulty trying to remove /Library/Application Support/TrendMicro. Even with sudo, I still got "Permission denied". Luckily, I happened to double-check that all the processes from part 1 were still dead (another ps -A | grep iCoreService): nope, iCoreService had come back. I played kill whack-a-mole with it a couple more times, killing its new PIDs, then tried to very quickly issue the rm -rf "/Library/Application Support/TrendMicro" command after having killed all those processes and eventually got it to work. I think something was respawning those processes, so it was a matter of timing to knock them out and delete those files before they came back. (Once that directory was gone, they never came back.)

Finally, we can now remove the "Trend Micro Security Agent" app from our Applications folder. You can go do that in the finder (navigate to it in finder, right-click, move to trash [it will prompt for password]) or you can do it via the Terminal if you're comfortable with that.

Bonus: Removing Start-Up Processes

At this point, we've deleted pretty much everything from the Trend Micro anti-virus, but there's still some start-up stuff that we ought to go tear out. Run this:

launchctl unload /Library/LaunchDaemons/com.trendmicro.icore.av.plist

"launchctl" is a utility for interacting with 'launchd', a utility that manages other processes; "unload" tells 'launchctl' to disable processes associated with whatever you pass it next; the "/Library/LaunchDaemons/com.trendmicro.icore.av.plist" is the thing you're unloading.

Now delete the launchdaemon and launchagent files which invoke the processes associated with Trend Micro at boot time:

rm /Library/LaunchDaemons/com.trendmicro.*
rm /Library/LaunchAgents/com.trendmicro.*

"rm" is the same remove (delete) command as before; "/Library/LaunchDaemons/com.trendmicro.*" tells it to delete all files in that path with that starting structure, the * means anything that matches up to that point will get deleted.

[Note: It's possible this should happen earlier in the steps. I'm not sure what caused the iCoreService processes to come back, if I had done the unloading earlier it might have made the actual deletion in part 2 more direct with no need to re-issue kills on iCoreService processes. If you try it that way and it works better, please leave a comment!]

And We're Done!

Whew! At this point, Trend Micro should be fully uninstalled. Reboot your computer to make sure everything is still working fine and that Trend Micro really is gone.

Other Notes

  • This was basically cobbled together from the Trend Micro guide linked near the top and this other uninstall script I found.

  • The uninstall guide from Trend Micro says to run /Library/Application\ Support/TrendMicro/TmccMac/TmLoginMgr.app/Contents/MacOS/TmLoginMgr -u, but when I did that I got this "LoginItem(/Library/Application Support/TrendMicro/TmccMac/TmLoginMgr.app) has already been removed": it could have been from a previous person's attempt to remove Trend Micro, but it also could have been something else. You might want to include it when you try to uninstall, just in case, but it also might be pointless.

  • I actually took on root user (using sudo su) to do a lot of this when I got stuck trying to remove /Library/Application Support/TrendMicro. In retrospect, I don't think that was actually necessary, it was just due to those iCoreService child processes blocking things, but if you have trouble, give that a shot.

  • I included removing /Library/Frameworks/iCoreClientPb.framework/, but it was not referenced in either uninstall guide I linked. I'm almost certain it's part of Trend Micro, but caveat lector.


here, i made a bash script version of what @Erdős-Bacon and @IconDaemon cobbled together above (easier copy-pasta—also, before running, become a superuser, i.e. run su, and after you're done, exit superuser mode by running exit):

# grab all process IDs (PIDs) associated with Trend Micro
pids=$(ps -A | grep iCoreService | ag -o '\d{3,4}(?=\s[\?t])')

# build array of all files associated with Trend Micro
trend_micro_files=(\
  '/System/Library/TrendMicro' \
  '/Library/StartupItems/iCoreService' \
  '/Applications/MainUI.app' \
  '/Library/Application Support/TrendMicro' \
  '/Library/Frameworks/TMAppCommon.framework/' \
  '/Library/Frameworks/TMAppCore.framework/' \
  '/Library/Frameworks/TMGUIUtil.framework/' \
  '/Library/Frameworks/iCoreClient.framework/' \
  '/Library/Frameworks/iCoreClientPb.framework/' \
)

# loop through all Trend Micro processes and KILL THEM ALL
for pid in ${pids[@]}; do
  sudo kill $pid
done;

# loop through all Trend Micro files and REMOVE THEM ALL
for f in ${trend_micro_files[@]}; do
  sudo rm -rf $f
done;

# remove the launchers for Trend Micro (so it doesn't come back on restart)
launchctl unload /Library/LaunchDaemons/com.trendmicro.icore.av.plist
sudo rm /Library/LaunchDaemons/com.trendmicro.*
sudo rm /Library/LaunchAgents/com.trendmicro.*

Thank you Erdős-Bacon for doing that work! Your hunch is correct that your problems with processes coming back were because the launch daemons had not been unloaded. I took your work and changed the order around, resulting in a shorter script (must be run with sudo):

#!/bin/bash

set -e

launchctl unload /Library/LaunchDaemons/com.trendmicro.* /Library/LaunchAgents/com.trendmicro.*

rm -rf /Library/LaunchDaemons/com.trendmicro.* /Library/LaunchAgents/com.trendmicro.* \
  /System/Library/TrendMicro /Library/StartupItems/iCoreService /Applications/MainUI.app \
  /Library/Application\ Support/TrendMicro /Library/Frameworks/TMAppCommon.framework/ \
  /Library/Frameworks/TMAppCore.framework/ /Library/Frameworks/TMGUIUtil.framework/ \
  /Library/Frameworks/iCoreClient.framework/ /Library/Frameworks/iCoreClientPb.framework/

Also I did not get your errors about missing directories when I deleted; so I assume that they were missing because the prior failed run of TM's uninstaller had deleted them, as you suspected.

I do note that the menu bar item is still there until after a reboot. I'm not sure if there's a way to kill that without rebooting. Unlike you, I am "blessed" with many machines infested with this malware, so I have more chances to test if anyone has further suggestions.