Introduction
This document describes the Command Line Interface (CLI) switches available for use with the Advanced Malware Protection (AMP) for Endpoints connector (sfc.exe) and ipsupporttool.exe.
Background Information
Physical interaction with endpoints, or interaction through the Graphical User Interface (GUI), is not always possible in specific environments. AMP for Endpoints provides multiple approaches for interaction; this document provides the switches for the CLI.
Note: The CLI switches for the installer are available here. (https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118587-technote-fireamp-00.html)
AMP for Endpoints Command Line Switches
AMP sfc.exe switches
- Open up your command prompt on Windows.
- Navigate to the folder on the command prompt. Default path: C:\Program Files\Cisco\AMP\X.X.X\ (X.X.X denotes the version number).
cd C:\Program Files\Cisco\AMP\6.1.7\
- Execute the available switches provided.
Note: On execution of switches, there will be no output echoed back.
Switches Available to be used with sfc.exe
- -s : Starts the Immunet Protect (Windows Connector) service. The service must already be registered with the SCM before it can be started.
sfc.exe -s
- -k : Stops the Immunet Protect (Windows Connector) service. If Connector Protection is enabled, the service can be stopped with: sfc.exe -k _password_
sfc.exe -k
sfc.exe -k examplepassword
- -i : Install Immunet Protect (Windows Connector) service. It also sets the default action to take if the service crashes.
sfc.exe -i
- -u : Uninstalls the Immunet Protect (Windows Connector) service and de-registers it with the Windows Service Control Manager (SCM). This option is used by the uninstaller to remove the Windows Connector service.
sfc.exe -u
- -r : Resets the Immunet Protect (Windows Connector) service. This is very similar to the -i option but does not install the service. It is useful to fix local.xml corruption.
sfc.exe -r
- -x : This option is similar to -u but performs several additional steps:
- Similar to '/remove 1' with the installer package.
- De-register service with Windows Service Control Manager (SCM).
- Send uninstall event to the cloud
- De-register with Windows Security Centre
- Delete scheduled scans registered with Windows Task scheduler
sfc.exe -x
- -l start to enable AND -l stop to disable (the switch is a lower case L) : Toggles debug and kernel logging dynamically. This state continues until it is toggled off, the service is restarted, or a new policy is configured that changes the logging level.
sfc.exe -l start
sfc.exe -l stop
- -unblock SHA_of_the_file : This option unblocks a process from execution. After this switch is run, the application is removed from the local kernel cache of the application blocking list.
Use this switch when an application is blocked because of a false positive or a mistake and you want to unblock it quickly without waiting 30 minutes or rebooting the machine.
sfc.exe -unblock f5b6ab29506d5818a2f8d328029bb2fcb5437695702f3c9900138140f3cd980c
- -reregister (from Connector v6.2.1 onwards) : This option clears the UUID and certificates from local.xml and the registry while the service is running, and triggers a re-enrollment. local.xml and the registry are updated with the new values. However, this is blocked if ID Sync is enabled; in that case the connector essentially receives its existing UUID again.
sfc.exe -reregister
AMP ipsupporttool.exe switches
- Open up your command prompt on Windows.
- Navigate to the folder on the command prompt. Default path: C:\Program Files\Cisco\AMP\X.X.X\ (X.X.X denotes the version number).
cd C:\Program Files\Cisco\AMP\6.1.7\
- Execute the available switches provided.
Note: On execution of switches, there will be no output echoed back.
Switches Available with ipsupporttool.exe:
Caution: Any switch that references a folder requires that folder to be created before it is specified.
- -d : Specifies the folder that the Windows Support Tool retrieves files from.
- If unspecified, the Support Tool retrieves files from the current connector directory.
ipsupporttool.exe -d C:\Program Files\Cisco\AMP\6.1.7\TestFolder\
- -o : Specifies the output folder for the Support Tool. Defaults to the desktop if this option is not specified.
ipsupporttool.exe -o C:\Program Files\Cisco\AMP\6.1.7\TestFolder\
- -t : Runs a timed debug-level diagnostic from the Windows Support Tool for the specified time. The duration is specified in minutes.
ipsupporttool.exe -t 5
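The following PowerShell script is an added example, not part of the Cisco document, that ties the two procedures above together: it locates the versioned connector folder, turns debug logging on with sfc.exe -l start, runs a timed ipsupporttool.exe collection into a folder created beforehand (as the caution requires), and turns logging off again. It assumes an elevated session, the default install root, and an output location of C:\AMPDiag; because neither tool echoes output, success is judged by new files appearing in the output folder.

```powershell
# Added example (not from the Cisco tech note): collect an AMP diagnostic bundle.
# Assumptions: elevated PowerShell, default install root, output under C:\AMPDiag.

$ampRoot = 'C:\Program Files\Cisco\AMP'   # default install root from the tech note

# Locate the versioned connector folder (X.X.X); take the highest if several exist.
$versionDir = Get-ChildItem -Path $ampRoot -Directory |
    Where-Object { $_.Name -match '^\d+\.\d+\.\d+$' } |
    Sort-Object { [version]$_.Name } -Descending |
    Select-Object -First 1
if (-not $versionDir) { throw "No versioned AMP connector folder found under $ampRoot" }

$sfc  = Join-Path $versionDir.FullName 'sfc.exe'
$tool = Join-Path $versionDir.FullName 'ipsupporttool.exe'

# Output folder (assumed location). The Support Tool requires any folder passed
# with -o to exist before it is specified, so create it first.
$outDir = Join-Path 'C:\AMPDiag' (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$before = (Get-ChildItem -Path $outDir -File).Count

# Enable debug and kernel logging on the running connector (lower-case L).
& $sfc -l start

# Run a 5-minute timed diagnostic and write the bundle to $outDir.
# -Wait blocks until the tool exits; nothing is echoed to the console.
$p = Start-Process -FilePath $tool `
        -ArgumentList '-t', '5', '-o', "`"$outDir`"" `
        -Wait -PassThru -NoNewWindow

# Always turn debug logging back off, even if the collection failed.
& $sfc -l stop

# No console output is produced, so verify by counting new files in $outDir.
$after = (Get-ChildItem -Path $outDir -File).Count
if ($after -gt $before) {
    Write-Host "Diagnostic bundle written to $outDir ($($after - $before) file(s))"
} else {
    Write-Warning "ipsupporttool.exe exited with code $($p.ExitCode) but wrote no files to $outDir"
}
```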
Related Information