Symantec Endpoint Protection Client command line parameters

The client part of Symantec’s (sorry Broadcom’s) Endpoint Protection can be controlled via command line in various ways.
Here is the list of parameters you can use with smc.exe as of version 14.3:

Each entry below gives the parameter, its description, and the versions it applies to.

smc -start *
Starts the client service.
Returns 0, -1
Applies to: All supported versions

smc -stop *†
Stops the client service and unloads it from memory.
If this command is password-protected, the client is disabled within one minute after the end user types the correct password.
Returns 0, -1
Applies to: All supported versions

smc -checkinstallation
Checks whether the smc client service is installed.
Returns 0, -3
Applies to: All supported versions

smc -checkrunning
Checks whether the smc client service is running.
Returns 0, -4
Applies to: All supported versions

smc -cloudmanaged path\to\Symantec_Agent_Setup.exe
Moves a cloud-managed device to another cloud domain or tenant.
Moves a client computer from Symantec Endpoint Protection Manager management to cloud console management.
Requires the Symantec_Agent_Setup.exe installation file for the destination cloud domain or tenant.
You download this file from the cloud console.
See also: Using smc to change a device’s tenant or domain
Applies to: As of 14.2 RU1

smc -enable -ntp
smc -disable -ntp †
Enables/disables the Symantec Endpoint Protection firewall and Intrusion Prevention System.
Applies to: All supported versions. Password requirement for -disable as of 14.2 RU1.

smc -enable -mem *
smc -disable -mem *
Enables/disables the Symantec Endpoint Protection Memory Exploit Mitigation system.
Applies to: As of version 14 MP1

Version 14: smc -enable -gem *
Version 14: smc -disable -gem *
Enables/disables the Symantec Endpoint Protection Generic Memory Exploit Mitigation system.
This feature is called Memory Exploit Mitigation in subsequent versions.
Applies to: Version 14 only

smc -dismissgui
Closes the client user interface.
The client still runs and protects the client computer.
Returns 0
Applies to: All supported versions

smc -exportconfig *†
Exports the client’s configuration file to an .xml file.
The configuration file includes the following management server settings:
– Policies
– Groups
– Security settings
– User interface settings
You must specify the path name and file name.
For example, you can type the following command:
smc -exportconfig "C:\My Documents\MyCompanyprofile.xml"
Returns 0, -1, -5, -6
Applies to: All supported versions

smc -exportlog
Exports the entire contents of a log to a .txt file.
To export a log, you use the following syntax:
smc -exportlog log_type 0 -1 output_file
Where log_type is:
– 0 = System Log
– 1 = Security Log
– 2 = Traffic Log
– 3 = Packet Log
– 4 = Control Log
For example, you might type the following syntax:
smc -exportlog 2 0 -1 c:\temp\TrafficLog
Where 0 is the beginning of the file and -1 is the end of the file.
You can export only the Control log, Packet log, Security log, System log, and Traffic log.
The name output_file is the path name and file name that you assign to the exported file.
Returns 0, -2, -5
Applies to: All supported versions

smc -exportadvrule *†
Exports the client’s firewall rules to an .xml file.
The exported rules can only be imported into an unmanaged client or a managed client in client control mode or mixed mode.
The managed client ignores these rules in server control mode.
You must specify the path name and file name.
For example, you can type the following command:
smc -exportadvrule C:\myrules.xml
Returns 0, -1, -5, -6
Note:
When you import configuration files and firewall rules, note that the following rule applies:
You cannot import configuration files or firewall rule files directly from a mapped network drive.
Applies to: All supported versions

smc -importadvrule *†
Imports the firewall rules to the client.
The rules you import overwrite any existing rules.
You can import the following:
– Rules in .xml format that you exported through smc -exportadvrule
– Rules in .sar format that you exported through the client user interface
You can only import firewall rules if the client is unmanaged or if the managed client is in client control mode or mixed mode.
The managed client ignores these rules in server control mode.
To import firewall rules, you import an .xml or .sar file.
For example, you can type the following command:
smc -importadvrule C:\myrules.xml
An entry is added to the System log after you import the rules.
Returns 0, -1, -5, -6
To append rules instead of overwriting them, use Import rule from within the client user interface.
See also: Preventing and allowing users to change the client’s user interface
See also: Exporting or importing firewall rules on the client
Applies to: All supported versions

smc -importconfig *†
Replaces the contents of the client’s current configuration file with an imported configuration file and updates the client’s policy.
The client must run to import the configuration file’s contents.
You must specify the path name and file name.
For example, you can type the following command:
smc -importconfig "C:\My Documents\MyCompanyprofile.xml"
Returns 0, 3, -1, -5, -6
Applies to: All supported versions

smc -importsylink path\to\sylink.xml †
Imports the client communications file (sylink.xml).
Equivalent to -sepmmanaged.
Applies to: All supported versions

smc -enable -wss
smc -disable -wss
Enables or disables WSS Traffic Redirection.
Applies to: As of version 14.0.1 MP1

smc -p password †
Used with a command that requires a password, where password is the required password. For example:
smc -p password -importconfig
Applies to: All supported versions

smc -report
Creates a dump file (.dmp) that includes crashes and logical errors that occurred on the client. The file is sent automatically to Symantec Technical Support.
Contact Technical Support to ask for help in diagnosing the error.
You can find the dump file at the following location:
SEP_Install\Data\LocalDumps
Where SEP_Install is the installation folder.
By default, this path is
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\version.
Applies to: As of version 14

smc -runhi
Runs a Host Integrity check.
Returns 0
Applies to: All supported versions

smc -sepmmanaged
Reverts the client management from the cloud console back to the Symantec Endpoint Protection Manager that previously managed it.
Applies to: As of 14.2 RU1

smc -sepmmanaged path\to\sylink.xml
Updates the client management to the Symantec Endpoint Protection Manager specified in the SyLink.xml file.
Equivalent to -importsylink.
Applies to: As of 14.2 RU1

smc -showgui
Displays the client user interface.
Returns 0
Applies to: All supported versions

smc -updateconfig
Initiates a client-server communication to ensure that the client’s configuration file is up-to-date.
If the client’s configuration file is out-of-date, updateconfig downloads the most recent configuration file and replaces the existing configuration file, which is serdef.dat.
Returns 0
Applies to: All supported versions

* Parameters that only members of the Administrators group can use if the following conditions are met:

  • The client runs Windows Vista or Windows Server 2008
  • The user is a member of the Windows Administrators group.
Note:
If the client runs Windows Vista, and User Account Control is enabled, the user automatically becomes a member of the groups Administrators and Users.

† Parameters that need a password. You password-protect the client in Symantec Endpoint Protection Manager.
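
As an added example (not from the original post or from Symantec), here is a PowerShell health check built only from the parameters that carry neither * nor † in the list above, so it needs no client password. The smc.exe path, the output folder, the script's own names and the reading of return code 0 as success are assumptions.

```powershell
# Added example: SEP client health check using smc.exe parameters from the list above.
param(
    # Assumption: full path to smc.exe inside your SEP installation folder.
    [Parameter(Mandatory)][string]$SmcPath,
    # Assumption: folder that receives the exported log.
    [string]$OutDir = 'C:\temp'
)

# Return codes the list documents for each parameter used here.
$Documented = @{
    '-checkinstallation' = @(0, -3)
    '-checkrunning'      = @(0, -4)
    '-exportlog'         = @(0, -2, -5)
}

function Invoke-Smc {
    param([string[]]$SmcArgs)
    # -Wait and -PassThru make the exit code available once smc.exe has finished.
    $p = Start-Process -FilePath $SmcPath -ArgumentList $SmcArgs -Wait -PassThru -WindowStyle Hidden
    $code = $p.ExitCode
    [pscustomobject]@{
        Command    = "smc $($SmcArgs -join ' ')"
        ExitCode   = $code
        Ok         = ($code -eq 0)   # assumption: 0 means the command succeeded
        # False means smc returned a code the list does not mention for this parameter.
        Documented = ($Documented[$SmcArgs[0]] -contains $code)
    }
}

$results = @()
$results += Invoke-Smc '-checkinstallation'
$results += Invoke-Smc '-checkrunning'

# Export the Security log (log_type 1) from its beginning (0) to its end (-1),
# but only when the client service is reported as running.
if ($results[-1].Ok) {
    $out = Join-Path $OutDir "SecurityLog_$env:COMPUTERNAME.txt"
    # The embedded quotes keep a path with spaces as a single argument.
    $results += Invoke-Smc '-exportlog', '1', '0', '-1', "`"$out`""
}

$results | Format-Table -AutoSize

# Signal failure to the caller (task scheduler, monitoring agent) if any step failed.
if ($results.Ok -contains $false) { exit 1 }
```

A client that reports as installed but not running, or a return code flagged as undocumented, is worth an alert, since a stopped endpoint agent is a common sign of tampering or a broken update.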
