Cisco Secure Endpoint Command Line Switches

Open up your command prompt on Windows.
Navigate to the folder on the command prompt. Default path: C:\Program Files\Cisco\AMP\X.X.X\, the X.X.X denotes the version number).
```
cd C:\Program Files\Cisco\AMP\6.1.7\
```
Execute the available switches provided.

Note: On execution of switches, there will be no output echoed back.

Switches Available to be used with sfc.exe

-s : Start Immunet Protect (Windows Connector) service. The service must already have been registered with SCM to be started.

sfc.exe -s

-k : Stop Immunet Protect (Windows Connector) service. If Connector Protection is enabled, can stop the service using: sfc.exe -k _password_

sfc.exe -k
sfc.exe -k examplepassword

-i : Install Immunet Protect (Windows Connector) service. It also sets the default action to take if the service crashes.

sfc.exe -i

-u : Uninstall Immunet Protect (Windows Connector) service. De-register service with Windows Service Control Manager (SCM). This option is used by the uninstaller to uninstall the Windows connector service.

sfc.exe -u

-r : Resets Immunet Protect (Windows Connector) service. This is very similar to -i option but does not install the service. This is useful to fix local.xml corruption.

sfc.exe -r

-l start to enable AND -l stop to disable. (The trigger is a lower case L) - Toggle debug & kernel logging dynamically. This state will continue until toggled off, the service is restarted, or a new policy is configured to change the logging level.

sfc.exe -I start
sfc.exe -I stop

-unblock SHA_of_the_file : This option is unblock a process from execution. After this command switch is run, the Application will be removed from the local kernel cache of the application blocking list.
The situation to use this command switch is when an application is blocked because of false positive or mistake and we want to quickly unblock the application without waiting for 30 minutes or reboot the machine.

sfc.exe -unblock f5b6ab29506d5818a2f8d328029bb2fcb5437695702f3c9900138140f3cd980c

-reregister (from Connector v.6.2.1 onwards) : This option will clear the uuid and certs from local.xml and registry while the service is running, and triggers a re-enrollment. Local.xml and registry is updated with new values. However, this is blocked if ID Sync is enabled and essentially, the connector gets existing UUID again. If Connector Protection is enabled, you will need to enter the following: sfc.exe -reregister _password_

sfc.exe -reregister
sfc.exe -reregister examplepassword

-forceupdate (from Connector v.7.2.7 onwards): This option will force the connector to update the TETRA definitions.

sfc.exe -forceupdate

Open up your command prompt on Windows.
Navigate to the folder on the command prompt. Default path:C:\Program Files\Cisco\AMP\X.X.X\, theX.X.Xdenotes the version number).
```
cd C:\Program Files\Cisco\AMP\6.1.7\
```
Execute the available switches provided.

Note: On execution of switches, there will be no output echoed back.

Switches Available with ipsupporttool.exe:

Caution: Any switches which reference a folder choice, requires the folders to be created before specification.

-d : Specifies the folder that the Windows Support Tool will retrieve files from.
- If unspecified, the Support Tool will retrieve files from the current connector directory.

ipsupporttool.exe -d C:\Program Files\Cisco\AMP\6.1.7\TestFolder\

-o : Specifies the output folder for the Support Tool. Defaults to the desktop if this option is not specified.

ipsupporttool.exe -o C:\Program Files\Cisco\AMP\6.1.7\TestFolder\

-t : Runs a Timed debug level diagnostic from the Windows Support Tool for the specified time. Time duration is specified in minutes.

ipsupporttool.exe -t 5

Related Information

Revision	Publish Date	Comments
3.0	12-Jan-2022	Removed switch options that are no longer supported.
2.0	03-Nov-2021	Rebranding updates.
1.0	18-Sep-2018	Initial Release