This document describes the Command Line Interface (CLI) switches available for use with Cisco Secure Endpoint and ipsupporttool.exe.
Interaction with endpoints, whether physical or through the Graphical User Interface (GUI), is not always available in specific environments. Cisco Secure Endpoint provides multiple approaches for interaction; this document provides the switches for the CLI.
Navigate to the connector folder at the command prompt. Default path: C:\Program Files\Cisco\AMP\X.X.X\ (the X.X.X denotes the version number).
cd C:\Program Files\Cisco\AMP\6.1.7\
Execute the available switches provided.
Note: On execution of switches, there will be no output echoed back.
Switches Available to be used with sfc.exe
-s : Start Immunet Protect (Windows Connector) service. The service must already have been registered with SCM to be started.
-k : Stop Immunet Protect (Windows Connector) service. If Connector Protection is enabled, you can stop the service using: sfc.exe -k _password_
sfc.exe -k
sfc.exe -k examplepassword
-i : Install Immunet Protect (Windows Connector) service. It also sets the default action to take if the service crashes.
-u : Uninstall Immunet Protect (Windows Connector) service. De-register service with Windows Service Control Manager (SCM). This option is used by the uninstaller to uninstall the Windows connector service.
-r : Resets Immunet Protect (Windows Connector) service. This is very similar to the -i option but does not install the service. This is useful to fix local.xml corruption.
-l start / -l stop : Toggle debug and kernel logging dynamically. Use -l start to enable and -l stop to disable. (The switch is a lowercase L.) This state continues until it is toggled off, the service is restarted, or a new policy is configured to change the logging level.
sfc.exe -l start
sfc.exe -l stop
-unblock SHA_of_the_file : This option unblocks a process from execution. After this command switch is run, the application is removed from the local kernel cache of the application blocking list. Use this switch when an application is blocked because of a false positive or a mistake and you want to unblock it quickly without waiting 30 minutes or rebooting the machine.
-reregister (from Connector v.6.2.1 onwards) : This option clears the UUID and certs from local.xml and the registry while the service is running, and triggers a re-enrollment. Local.xml and the registry are updated with new values. However, this is blocked if ID Sync is enabled; in that case the connector essentially gets its existing UUID again. If Connector Protection is enabled, you need to enter the following: sfc.exe -reregister _password_
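The following PowerShell sketch is an added example, not Cisco's own tooling. It resolves the X.X.X folder instead of hard-coding a version and then runs the -l or -unblock switch described above. The function names Get-SfcPath and Invoke-Sfc are hypothetical, and it assumes the default install root, an elevated session, and that SHA_of_the_file is a SHA-256 hex digest.

```powershell
# Added example (hypothetical helper names); not part of the product.
function Get-SfcPath {
    param([string]$Root = 'C:\Program Files\Cisco\AMP')   # default path from this page

    # Upgrades can leave several X.X.X folders behind: keep only those that
    # still contain sfc.exe and take the highest version number.
    $dir = Get-ChildItem -LiteralPath $Root -Directory -ErrorAction Stop |
        Where-Object { $_.Name -match '^\d+(\.\d+){2,3}$' } |
        Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName 'sfc.exe') } |
        Sort-Object -Property { [version]$_.Name } -Descending |
        Select-Object -First 1

    if (-not $dir) { throw "No versioned folder with sfc.exe found under $Root" }
    Join-Path $dir.FullName 'sfc.exe'
}

function Invoke-Sfc {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DebugOn', 'DebugOff', 'Unblock')]
        [string]$Action,
        [string]$Sha256
    )

    # Map each action to the switch documented above.
    $sfcArgs = switch ($Action) {
        'DebugOn'  { '-l', 'start' }
        'DebugOff' { '-l', 'stop' }
        'Unblock'  {
            # Assumption: the hash is SHA-256, so reject anything that is not 64 hex characters.
            if ($Sha256 -notmatch '^[0-9a-fA-F]{64}$') {
                throw 'Unblock requires a 64-character hexadecimal SHA-256 value.'
            }
            '-unblock', $Sha256
        }
    }

    $sfc = Get-SfcPath
    # sfc.exe echoes nothing back, so wait for it to exit and return a record
    # of what was run. The meaning of the exit code is not documented on this page.
    $proc = Start-Process -FilePath $sfc -ArgumentList $sfcArgs -Wait -PassThru -WindowStyle Hidden
    [pscustomobject]@{ Path = $sfc; Arguments = $sfcArgs -join ' '; ExitCode = $proc.ExitCode }
}

# Usage: Invoke-Sfc -Action DebugOn
```

Because debug logging stays on until it is toggled off, pair every DebugOn call with a DebugOff call once the log capture is complete.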