Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

[External] - AMP for Endpoint Command Line Switches

Available Languages

Download Options

  • PDF     (105.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (82.8 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (68.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 21, 2020
Document ID:213690

    Introduction

    This document describes the Command Line (CLI) switches available to use with the Advanced Malware Protection (AMP) for Endpoints and ipsupporttool.exe.

    Background Information

    Interaction with endpoints, both physically and through the Graphical User Interface (GUI) are not always available for accesibility in specific environments. AMP for Endpoints provides multiple approaches for interaction, this document will provide the switches for the CLI. 

    Note: The CLI switches for the installer are available here.  (https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118587-technote-fireamp-00.html)

    AMP for Endpoints Command Line Switches

    AMP sfc.exe switches

    1. Open up your command prompt on Windows.
    2. Navigate to the folder on the command prompt. Default path: C:\Program Files\Cisco\AMP\X.X.X\, the X.X.X denotes the version number).  
      cd C:\Program Files\Cisco\AMP\6.1.7\
    3. Execute the available switches provided.

    Note: On execution of switches, there will be no output echoed back.

    Switches Available to be used with sfc.exe

    •  -s : Start Immunet Protect (Windows Connector) service. The service must already have been registered with SCM to be started.
    sfc.exe -s
    • -k : Stop Immunet Protect (Windows Connector) service. If Connector Protection is enabled, can stop the service using: sfc.exe -k _password_
    sfc.exe -k
    sfc.exe -k examplepassword
    • -i : Install Immunet Protect (Windows Connector) service. It also sets the default action to take if the service crashes.
    sfc.exe -i
    • -u : Uninstall Immunet Protect (Windows Connector) service. De-register service with Windows Service Control Manager (SCM). This option is used by the uninstaller to uninstall the Windows connector service.
    sfc.exe -u
    • -r : Resets Immunet Protect (Windows Connector) service. This is very similar to -i option but does not install the service. This is useful to fix local.xml corruption.
    sfc.exe -r
    • -x : This option is similar to -u but performs several additional steps.
      - Similar to '/remove 1' with the installer package.
      - De-register service with Windows Service Control Manager (SCM).
      - Send uninstall event to the cloud
      - De-register with Windows Security Centre
      - Delete scheduled scans registered with Windows Task scheduler
    sfc.exe -x
    • -l start  to enable AND -l stop to disable. (The trigger is a lower case L) - Toggle debug & kernel logging dynamically. This state will continue until toggled off, the service is restarted, or a new policy is configured to change the logging level.
    sfc.exe -I start
    sfc.exe -I stop
    • -unblock SHA_of_the_file : This option is unblock a process from execution. After this command switch is run, the Application will be removed from the local kernel cache of the application blocking list.
      The situation to use this command switch is when an application is blocked because of false positive or mistake and we want to quickly unblock the application without waiting for 30 minutes or reboot the machine.
    sfc.exe -unblock f5b6ab29506d5818a2f8d328029bb2fcb5437695702f3c9900138140f3cd980c
    • -reregister (from Connector v.6.2.1 onwards) : This option will clear the uuid and certs from local.xml and registry while the service is running, and triggers a re-enrollment. Local.xml and registry is updated with new values. However, this is blocked if ID Sync is enabled and essentially, the connector gets existing UUID again. 
    sfc.exe -reregister
    • -forceupdate (from Connector v.7.2.7 onwards): This option will force the connector to update the TETRA definitions.
    sfc.exe -forceupdate

    AMP ipsupporttool.exe switches

    1. Open up your command prompt on Windows.
    2. Navigate to the folder on the command prompt. Default path:C:\Program Files\Cisco\AMP\X.X.X\, theX.X.Xdenotes the version number).  
      cd C:\Program Files\Cisco\AMP\6.1.7\
    3. Execute the available switches provided.

    Note: On execution of switches, there will be no output echoed back.

    Switches Available with ipsupporttool.exe:

    Caution: Any switches which reference a folder choice, requires the folders to be created before specification.

    • -d : Specifies the folder that the Windows Support Tool will retrieve files from.
      - If unspecified, the Support Tool will retrieve files from the current connector directory.
    ipsupporttool.exe -d C:\Program Files\Cisco\AMP\6.1.7\TestFolder\
    • -o : Specifies the output folder for the Support Tool. Defaults to the desktop if this option is not specified.
    ipsupporttool.exe -o C:\Program Files\Cisco\AMP\6.1.7\TestFolder\
    • -t : Runs a Timed debug level diagnostic from the Windows Support Tool for the specified time. Time duration is specified in minutes.
    ipsupporttool.exe -t 5

    Related Information

    TAC Authored

    Contributed by Cisco Engineers

    • Caly Hess
      Cisco AMP Escalation Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    Related Cisco Community Discussions

    This Document Applies to These Products

    About Us
    Contact Us
    Work with Us