LINUX Endpoint Security Commands Summary

Create an on-demand scan task

To configure a scan with your custom settings, create an on-demand task. 

Task

  1. Log on to your Linux system as root user. 
  2. Change directory to the /bin folder of the software. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run a command using this syntax. 

./isecav --addodstask --name [task name] [additional options] 

Replace [task name] with the name that you want to set. The task name is mandatory and must be unique; multiple tasks can be configured with different settings. 

Replace [additional options] with the settings that you need. 

Each option is listed with its accepted values, what it does, and any notes. 

--scanarchive 
    Values: enable (default) | disable 
    Examines the contents of archive (compressed) files, including .jar files. 
    CAUTION: Scanning archives is resource-intensive and affects performance. 

--scanmime 
    Values: enable | disable (default) 
    Detects, decodes, and scans Multipurpose Internet Mail Extensions (MIME) encoded files. 

--scanpups 
    Values: enable (default) | disable 
    Detects and scans potentially unwanted programs (PUPs). 

--scanunknownprograms 
    Values: enable (default) | disable 
    Detects and scans unknown program files. 

--scanunknownmacros 
    Values: enable (default) | disable 
    Detects and scans unknown macro viruses. 

--scanlocaldrives 
    Values: enable | disable 
    Scans all regular files under locally mounted file systems. 
    Note: An on-demand task scans only the files and directories it is configured with, so every task must set a scan path with at least one of these options: --scanlocaldrives enable, --scantmpfolders enable, --scannetworkdrives enable, or --scanpaths [path]. 

--scanpaths [path] 
    Values: an absolute file name, a bare file name, or an absolute directory name, specified according to these guidelines: 
      • An absolute file name or directory name must start with a slash (/). 
      • A directory must end with a slash (/). 
      • Multiple comma-separated values are allowed. 
      • If a value contains spaces, enclose it in double quotes (""). 
    Includes the specified files or directories in the scan. 

--scantmpfolders 
    Values: enable | disable 
    Scans all files under these directories: /tmp, /usr/local/tmp, and /var/tmp. 

--scannetworkdrives 
    Values: enable | disable 
    Iterates over and scans all network mount points on the system. 
    Note: Restricted to NFS and CIFS shares mounted on the system. 

--scansubfolders 
    Values: enable | disable 
    Iterates through the subfolders of the specified folders. 
    Note: Only applicable when specified with --scanlocaldrives, --scanpaths, --scantmpfolders, or --scannetworkdrives. 

--filetypestoscan 
    Values: 
      • all (default and recommended) — Scans all files. 
      • defaultandspecified — Scans the default file types and files with the specified extensions. 
      • onlyspecified — Scans only the file types that you specify. Specify at least one file type with --addfiletype. 
    Specifies which file types to scan. 

--scanmacros 
    Values: enable | disable 
    Scans for known macro threats in the default and specified file types. 
    Note: Only applicable with --filetypestoscan. 

--addfiletype [extension name] 
    Values: one or more extension names; the wildcard ? is supported. Duplicate entries are removed automatically. 
    Adds file types to the default or user-defined list. 

--delfiletype [extension name] 
    Values: the extension name of the entry to delete. 
    Deletes file types from the user-defined list. 

--noextension 
    Values: enable | disable 
    Specifies whether files without an extension are scanned. 

--excludepaths [path] 
    Values: an absolute file name, a bare file name, or an absolute directory name, specified according to these guidelines: 
      • Wildcards (* and ?) are allowed. 
      • An absolute file name or directory name must start with a slash (/). 
      • A directory must end with a slash (/). 
      • Multiple comma-separated values are allowed. 
      • If a value contains spaces, enclose it in double quotes (""). 
    Excludes the specified files or directories from the scan. 

--excludefiletype [extension name] 
    Values: extension names, specified according to these guidelines: 
      • The wildcard ? is allowed. 
      • Multiple comma-separated values are allowed. 
      • If a value contains spaces, enclose it in double quotes (""). 
    Specifies the extensions to exclude from the scan. 

--excludepathwithsubfolder 
    Excludes the specified directory and all of its subdirectories. 
    Note: Only applicable to directories specified with --excludepaths. 

--usescancache 
    Values: enable | disable 
    Specifies whether this task uses the On-Access Scan cache lookup while scanning files. 

--primaryaction 
    Values: 
      • continue — No action is taken and the event is logged. 
      • clean (default) — Removes the threat from the detected file, if possible. The original file is quarantined by default. 
      • delete — Deletes files with potential threats. The original file is quarantined by default. 
    Sets the primary scan action for threat detections. If the primary action fails, the secondary action is performed. 

--secondaryaction 
    Values: 
      • continue — No action is taken and the event is logged. 
      • delete (default) — Deletes files with potential threats. The original file is quarantined by default. 
    The action performed when the primary action fails. 
    Note: This option is only available when --primaryaction is clean. When the primary action is delete, the only valid secondary action is continue. 

--primaryactionpup 
    Values: 
      • continue — No action is taken and the event is logged. 
      • clean (default) — Removes the threat from the detected file, if possible. The original file is quarantined by default. 
      • delete — Deletes files with potential threats. The original file is quarantined by default. 
    Sets the primary scan action for potentially unwanted programs. If the primary action fails, the secondary action is performed. 

--secondaryactionpup 
    Values: 
      • continue — No action is taken and the event is logged. 
      • delete (default) — Deletes files with potential threats. The original file is quarantined by default. 
    The action performed when the primary action for potentially unwanted programs fails. 
    Note: This option is only available when --primaryactionpup is clean. 

--gti 
    Values: 
      • --state enable — Enables McAfee GTI file rating. 
      • --state disable — Disables McAfee GTI file rating. 
      • --sensitivity [level] — Sets the sensitivity level of McAfee GTI file rating. 
    Note: The --sensitivity option is available only when McAfee GTI file rating is enabled for the scan. 

Example: ./isecav --addodstask --name odstask --scanlocaldrives enable 

The command adds the on-demand task with task name odstask, which scans only the local drives on the system. 
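The following shell script is an added example and is not part of the McAfee documentation or product. It checks --scanpaths and --excludepaths values against the guidelines in the option table above (paths containing a slash must be absolute, directories end with a slash, wildcards only in exclusions) and then composes a complete ./isecav --addodstask command with a deliberately thorough option set. The ISECAV_BIN and ISECAV_DRY_RUN variables, the task name and every path value are assumptions made for the example; by default the script only prints the command so it can be reviewed before it is run as root on a host where the software is installed.

```sh
#!/bin/sh
# Added example, not McAfee's code: pre-flight an isecav --addodstask invocation so that
# path values violating the --scanpaths/--excludepaths guidelines are rejected before
# the task is created. Assumptions not stated in the documentation: ISECAV_BIN may be
# overridden for testing, and ISECAV_DRY_RUN (default 1) prints the command instead of
# running it; set ISECAV_DRY_RUN=0 as root on a host with the software to create the task.

ISECAV_BIN="${ISECAV_BIN:-/opt/isec/ens/threatprevention/bin/isecav}"
ISECAV_DRY_RUN="${ISECAV_DRY_RUN:-1}"

# Quote a value for display when it contains spaces or wildcards, as the documentation advises.
q() { case "$1" in *[[:space:]*?]*) printf '"%s"' "$1" ;; *) printf '%s' "$1" ;; esac; }

# check_path VALUE include|exclude
# Anything containing a slash must be absolute; a directory must end with a slash
# (checked against the local file system when the path exists); wildcards are only
# accepted for --excludepaths.
check_path() {
  case "$1" in
    '')  echo "empty path value" >&2; return 1 ;;
    /*)  ;;
    */*) echo "path must be absolute: $1" >&2; return 1 ;;
  esac
  case "$2:$1" in
    include:*[*?]*) echo "wildcards are only allowed in --excludepaths: $1" >&2; return 1 ;;
  esac
  case "$1" in
    */) ;;
    *)  if [ -d "$1" ]; then echo "directory must end with a slash: $1" >&2; return 1; fi ;;
  esac
}

# check_path_list "a,b,c" include|exclude   (an include list must not be empty)
check_path_list() {
  local rest="$1" kind="$2" v
  [ -n "$rest" ] || [ "$kind" = exclude ] || { echo "--scanpaths needs at least one value" >&2; return 1; }
  while [ -n "$rest" ]; do
    case "$rest" in
      *,*) v="${rest%%,*}"; rest="${rest#*,}" ;;
      *)   v="$rest"; rest="" ;;
    esac
    check_path "$v" "$kind" || return 1
  done
}

# create_odstask NAME SCANPATHS [EXCLUDEPATHS]
# Validates the values, prints the composed command, and runs it unless ISECAV_DRY_RUN=1.
# The fixed options are a deliberately thorough profile: archives, MIME and PUPs on,
# subfolders included, clean then delete, GTI at medium sensitivity.
create_odstask() {
  local name="$1" paths="$2" excludes="${3:-}" out a
  [ -n "$name" ] || { echo "--name is mandatory and must be unique" >&2; return 1; }
  check_path_list "$paths" include || return 1
  check_path_list "$excludes" exclude || return 1
  set -- --addodstask --name "$name" --scanpaths "$paths" --scansubfolders enable \
         --scanarchive enable --scanmime enable --scanpups enable \
         --primaryaction clean --secondaryaction delete \
         --gti --state enable --sensitivity medium
  [ -z "$excludes" ] || set -- "$@" --excludepaths "$excludes"
  out="$ISECAV_BIN"
  for a in "$@"; do out="$out $(q "$a")"; done
  printf '%s\n' "$out"
  [ "$ISECAV_DRY_RUN" = 1 ] || "$ISECAV_BIN" "$@"
}

# Constructed demo values: a web root, a share whose name contains a space, and the
# loader preload file, with the cache directory and log files excluded.
create_odstask weekly_web "/var/www/,/srv/file share/,/etc/ld.so.preload" "/var/www/cache/,*.log"
```

Set ISECAV_DRY_RUN=0 to execute the composed command. The directory check consults the local file system, so a directory that exists on the host but was given without a trailing slash is rejected instead of being silently treated as a single file.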



Run an on-demand scan task

Run an on-demand task that you created. 

Task

  1. Log on to your Linux system as root user. 
  2. Change directory to the /bin folder of the software. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run a command using this syntax. 

./isecav --runtask --index [index number] 

Replace [index number] with the index number of the task that you want to run. The command does not run if the task is already running. 


Check the status of an on-demand scan task

Check the run status of an on-demand scan task. 

Task

  1. Log on to your Linux system as root user. 
  2. Change directory to the /bin folder of the software. 

cd /opt/isec/ens/threatprevention/bin 

  3. Get details about all on-demand scan tasks. 

./isecav --listtasks 

  4. From the command results, check the value for the on-demand scan status. 
  • Not Started — The task has not yet started. 
  • Running — The task is in progress. 
  • Stopped — The last run was stopped by user intervention. 
  • Aborted — The last run was canceled because of an error. 
  • Completed — The last run completed without errors. 


Delete an on-demand scan task

Delete an on-demand scan task when you no longer need it. 

Task

  1. Log on to your Linux system as root user. 
  2. Change directory to the /bin folder of the software. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run a command using this syntax. 

./isecav --deltask --index [index number] 

Replace [index number] with the index number of the task to delete. 




View the McAfee GTI status

View whether McAfee GTI is enabled or disabled for the on-access scan, and its sensitivity level, if enabled. 

Task

  1. Log on to the system as root user. 
  2. Navigate to the directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run the command. 

./isecav --getoasconfig --summary 

Enable McAfee GTI for On-Access Scan

Enable McAfee GTI for on-access scanning to get file reputation from the McAfee GTI database. 

Before you begin

On-Access Scan must be enabled, and the system on which you enable McAfee GTI must have an Internet connection. 

Task

  1. Log on to the system as root user. 
  2. Navigate to the directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run one of these commands. 
  • To enable McAfee GTI protection: ./isecav --setoasglobalconfig --gti --state enable 

Note: When you enable McAfee GTI without specifying a sensitivity level, the default level medium is applied. 

  • To enable McAfee GTI protection with a sensitivity level: ./isecav --setoasglobalconfig --gti --state enable --sensitivity verylow 




Disable McAfee GTI for On-Access Scan 

You can disable the McAfee GTI file reputation check for on-access scanning. 

Task

  1. Log on to the system as root user. 
  2. Navigate to the directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run the command. 

./isecav --setoasglobalconfig --gti --state disable 


View the McAfee GTI sensitivity level for On-Access Scan

View the sensitivity level currently configured for McAfee GTI in on-access scanning before you change it. 

Task

  1. Log on to the system as root user. 
  2. Navigate to the directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run the command. 

./isecav --getoasconfig --summary 


Configure the sensitivity level for McAfee GTI

You can define or change the sensitivity level of McAfee GTI detection. 

Task

  1. Log on to the system as root user. 
  2. Navigate to the directory. 


cd /opt/isec/ens/threatprevention/bin 

  3. Run the command. 

./isecav --setoasglobalconfig --gti --sensitivity high 

The available parameters are: 

  • verylow — Detections and the risk of false positives are the same as with regular DAT content files. A detection is made available to Threat Prevention as soon as McAfee Labs publishes it, instead of waiting for the next DAT content file update. 
  • low — This setting is the minimum recommendation for systems with a strong security footprint. 
  • medium — Use this level when the regular risk of exposure to malware is greater than the risk of a false positive. McAfee Labs proprietary heuristic checks result in detections that are likely to be malware, although some detections might be false positives. With this setting, McAfee Labs checks that popular applications and operating system files don't result in a false positive. 
  • high — Use this setting for deployment to systems or areas that are regularly infected. 
  • veryhigh — Detections found at this level are presumed malicious but haven't been fully tested to determine whether they are false positives. McAfee recommends this level for systems that require the highest security. 

Note: The parameter values (verylow, low, medium, high, and veryhigh) are case sensitive. 

If you already configured a sensitivity level, the new value replaces the existing one. The McAfee GTI sensitivity level for on-access scanning is medium by default. 

Tip: You can also set the McAfee GTI state and its sensitivity level in a single command: 

./isecav --setoasglobalconfig --gti --state enable --sensitivity high 


Create an on-demand scan with McAfee GTI enabled

Enable McAfee GTI file reputation for on-demand scans where required. 

Task

  1. Log on to the system as root user. 
  2. Navigate to the directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run the command, replacing --parameter1 <value> --parameter2 <value> with the on-demand task options that you need. 

./isecav --addodstask --name <task_name> --parameter1 <value> --parameter2 <value> --gti --state enable --sensitivity veryhigh

The default sensitivity level for on-demand scanning is veryhigh. 

Note: For standalone systems, you can't change the existing on-demand scan settings. For managed systems, you can change the on-demand scan policies for the policy-based on-demand scans such as Full Scan and Quick Scan. 


Create a DAT update task

Create a DAT update task from the command-line. 

Task

  1. Log on to the system as root user. 
  2. Navigate to the directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Create a DAT update task. 

./isecav --addupdatetask --name <task_name> --updatetype <type_of_update> 

  4. View the tasks list to confirm that the DAT update task is created. 

./isecav --listtasks 

Example: Create a DAT update task

./isecav --addupdatetask --name datupdate --updatetype dat 

When you run the command from the /opt/isec/ens/threatprevention/bin directory, the software creates a DAT update task named datupdate. 






Run a DAT update task

Run the DAT update task immediately. 

Task

  1. Log on to the system as root user. 
  2. Navigate to the directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. View the tasks list to identify the index number of your DAT update task. 

./isecav --listtasks 

  4. Run the DAT update task. 

./isecav --runtask --index <index_number> 

Example: Run a DAT update task

If the index number of your DAT update task is 3, run: 

./isecav --runtask --index 3

Schedule a DAT update task

Run the DAT update task at a specified time or at periodic intervals. 

Before you begin

You must have created a DAT update task. 

Task

  1. Log on to the system as root user. 
  2. Navigate to the directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. View the tasks list to identify the index number of your DAT update task. 

./isecav --listtasks 

  4. Schedule the task. 

./isecav --scheduletask --index <index_number> --daily --starttime <HH:MM> 

Example: Schedule a DAT update task to run every day at 12:45

./isecav --scheduletask --index 3 --daily --starttime 12:45 

When you run the command from the /opt/isec/ens/threatprevention/bin directory, the software runs the DAT update task every day at 12:45. 

 

Enable or disable the product logging

Enable or disable the product logging as required. 

Task

  1. Log on to the system as root user. 
  2. Navigate to the directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run these commands as required. 
  • ./isecav --productlog enable — Enables the product log. 
  • ./isecav --productlog disable — Disables the product log. 


Configure the Product log file size

Configure the maximum Product log file size in megabytes. 

Task

  1. Log on to the system as root user. 
  2. Navigate to the directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run the command. 

./isecav --setmaxproductlogsize <Number> 

You can specify a file size between 1 MB and 999 MB. The default value is 10 MB. 


Example: Configure the Product log file size to 25 MB

This command sets the maximum Product log file size to 25 MB. 

./isecav --setmaxproductlogsize 25 

Configure the software to send events to SYSLOG

Configure the software to log the information to SYSLOG in addition to storing the information in the product log. 

Task

  1. Log on to your Linux system as root user. 
  2. Change directory to the /bin directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run the command. 

./isecav --usesyslog enable 


Configure the quarantine directory

Specify the directory where you want to store the quarantined items. 

Task

  1. Log on to your Linux system as root user. 
  2. Change directory to the /bin directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run the command. 

./isecav --setquarantinefolder /directory_path/ 

You must specify the absolute path of the directory. 

Note: You can't use an existing directory as the quarantine directory. Specify a new directory name. 

For example: ./isecav --setquarantinefolder /root/ensl_quarantinedir/ 

The default quarantine directory for standalone systems is /Quarantine. For systems managed by McAfee ePO, you can use the Common Policy to configure the quarantine directory. The default directory configured in the Common Policy is /quarantine/. 


Enable Access Protection

Use Access Protection commands to protect your standalone systems from external attacks. Enable, disable, or view the status of Access Protection using isecav commands. 

Task

  1. Log on to your Linux system as root user. 
  2. Change the directory to the Threat Prevention bin directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. To enable Access Protection, run: 

./isecav --setapstatus enable 

Note: To disable Access Protection, run: 

./isecav --setapstatus disable 


View the status of Access Protection

Print the status of Access Protection, whether it is enabled or disabled. 

Task

  1. Log on to your Linux system as root user. 
  2. Change the directory to the Threat Prevention bin directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run the command: 

./isecav --getapstatus 


Create Access Protection rules

You can create Access Protection rules, edit the rule settings, or delete the rules from the command line. 

Task

  1. Log on to your Linux system as root user. 
  2. Change directory to the /bin directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. Run the command: 

./isecav --createaprule --rulename [value] --block [enable | disable] --report [enable | disable] --subrulename [value] --subruletype [file | process] --operations [value(s)] --includetargetfile [file1, file2...] 

Example: Create a rule to block create file operation

./isecav --createaprule --rulename test1 --block enable --report enable --subrulename stest1 --subruletype file --operations create --includetargetfile /tmp/testfile1 

When you run the command from the /opt/isec/ens/threatprevention/bin directory, a rule test1 with a subrule stest1 is created that blocks the user from creating a file or directory with the name testfile1 in the /tmp directory. 


Commands specific to Access Protection rules

When you create a rule, use parameters to enable or disable blocking and reporting, and to apply the rule to specific users, files, or processes. Reporting records the attempts made to access the files covered by the rule. You can edit any rule by its rule index; the --getallaprules command lists all Access Protection rules on the system together with their rule indexes. 

Table 1: Access Protection parameters to create rules 

--rulename [value] 
    Names the custom Access Protection rule. The value can be alphanumeric and up to 256 characters. Each custom rule name must be unique. Mandatory when creating a rule. 

--block [enable | disable] 
    Enables or disables blocking of the access attempts defined in the rule. Mandatory. 

--report [enable | disable] 
    Enables or disables reporting of access attempts. Mandatory. 

    Note: When creating a rule, both --block and --report are mandatory. A rule is disabled when both --block and --report are disabled. If both are enabled, block takes precedence. 

--includeprocess [name1:file1, name2:file2,…] 
--excludeprocess [name1:file1, name2:file2,…] 
    Optional. Specifies the processes that trigger the rule (--includeprocess) or never trigger it (--excludeprocess) when a subrule is violated. A process is identified by a name and a file; the file can be either the file name or the path. Wildcards (*, ?, and **) and comma-separated values are accepted. 

    Note: When neither --includeprocess nor --excludeprocess is specified, the rule applies to all processes. When the same process appears in both, --excludeprocess takes precedence. 

--includeusers [user1, user2,…] 
--excludeusers [user1, user2,…] 
    Optional. --includeusers triggers the rule for the specified users when there is a violation; --excludeusers never triggers the rule for the specified users, even on a violation. Comma-separated values are accepted. Local and domain users are supported. 

    Note: When neither --includeusers nor --excludeusers is specified, the rule applies to all users. When the same user appears in both, --excludeusers takes precedence. 


Subrule parameters

Use these parameters to add subrules to a rule or to edit an existing rule. 

Table 1: Parameters to create and edit subrules 

--addsubrule 
    Adds a subrule to a rule. 

--editaprule [ruleindex] 
    Edits the custom Access Protection rule identified by ruleindex. 


Table 2: Parameters to manage subrules 

--subrulename [value] 
    Names the subrule that is added to the rule. The subrule name must be unique within a rule. Mandatory. 

--subruletype [file | process] 
    Sets the type of subrule: file or process. Mandatory. 

--operations [value(s)] 
    Specifies the operations associated with the subrule. The available operations depend on the subrule type. Mandatory; single or comma-separated values are allowed. 
    File subrule: create, delete, execute, change permission, read, rename, write, change owner, symlink, and hardlink. 
    Process subrule: terminate and run. 


Access Protection subrule targets

Targets are files or processes on which a subrule action is applied. 

Depending on the --subruletype, the targets can differ. A subrule must have at least one target. 

Multiple targets can be added at the same time for a subrule. 

When --subruletype is file, the following target parameters can be used. 

Table 1: Commands for subrule target file

--includetargetfile [file1, file2…] 
    Specifies the target files included in a file subrule. A value can be a file name or a path. Wildcards (*, ?, and **) and comma-separated values are allowed. 

--includetargetdstfile [file1, file2…] 
    Specifies the destination files or paths included in a file subrule. Applies to the rename, hardlink, and symlink operations of a file subrule. Wildcards (*, ?, and **) and comma-separated values are allowed. 

--excludetargetfile [file1, file2…] 
    Specifies the target files excluded from a file subrule. A value can be a file name or a path. Wildcards (*, ?, and **) and comma-separated values are allowed. 

--excludetargetdstfile [file1, file2…] 
    Specifies the destination files or paths excluded from a file subrule. Applies to the rename, hardlink, and symlink operations of a file subrule. Wildcards (*, ?, and **) and comma-separated values are allowed. 

Subrule targets when the subrule type is process: 

Table 2: Commands for subrule target process

--includetargetprocess [name1:file1, name2:file2,…] 
    Specifies the target processes included when applying the subrule. A target process has a name and a file; the file can be either the file name or the path. Wildcards (*, ?, and **) and comma-separated values are allowed. 

--excludetargetprocess [name1:file1, name2:file2,…] 
    Specifies the target processes excluded when applying the subrule. A target process has a name and a file; the file can be either the file name or the path. Wildcards (*, ?, and **) and comma-separated values are allowed. 
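The following shell script is an added example, not McAfee's code, that pulls together the rule parameters, subrule parameters and target options described above and in the "Create Access Protection rules" example. It rejects an operation that is not valid for the subrule type, a destination target paired with anything other than a rename, hardlink or symlink operation, and a rule name that is not alphanumeric, and then composes the ./isecav --createaprule command. ISECAV_BIN, ISECAV_DRY_RUN, the rule and subrule names, the target paths and the dpkg process exclusion are assumptions made for the example; by default the script prints the command instead of running it.

```sh
#!/bin/sh
# Added example, not McAfee's code: validate a custom Access Protection rule against the
# parameter and target tables and compose the isecav --createaprule command, so an
# operation that is invalid for the subrule type, or a destination target paired with an
# operation that has none, is caught before the rule is created. Assumptions not stated in
# the documentation: ISECAV_BIN (override for testing) and ISECAV_DRY_RUN (default 1 = print only).

ISECAV_BIN="${ISECAV_BIN:-/opt/isec/ens/threatprevention/bin/isecav}"
ISECAV_DRY_RUN="${ISECAV_DRY_RUN:-1}"

# Quote a value for display when it contains spaces or wildcards, as the documentation advises.
q() { case "$1" in *[[:space:]*?]*) printf '"%s"' "$1" ;; *) printf '%s' "$1" ;; esac; }

# valid_operation TYPE OP  -- operation names exactly as the tables list them per type.
valid_operation() {
  case "$1:$2" in
    file:create|file:delete|file:execute|"file:change permission"|file:read) return 0 ;;
    file:rename|file:write|"file:change owner"|file:symlink|file:hardlink) return 0 ;;
    process:terminate|process:run) return 0 ;;
  esac
  return 1
}

# check_operations TYPE "op1,op2,..."  -- sets AP_NEEDS_DST=1 when a destination target
# is meaningful (rename, hardlink and symlink are the only operations that have one).
check_operations() {
  local type="$1" rest="$2" op
  AP_NEEDS_DST=0
  [ -n "$rest" ] || { echo "--operations is mandatory" >&2; return 1; }
  while [ -n "$rest" ]; do
    case "$rest" in
      *,*) op="${rest%%,*}"; rest="${rest#*,}" ;;
      *)   op="$rest"; rest="" ;;
    esac
    valid_operation "$type" "$op" || { echo "'$op' is not a valid $type operation" >&2; return 1; }
    case "$op" in rename|hardlink|symlink) AP_NEEDS_DST=1 ;; esac
  done
}

# create_aprule RULENAME BLOCK REPORT SUBRULENAME SUBRULETYPE OPERATIONS TARGETS [DSTTARGETS] [EXCLUDEPROCESS]
# Validates, prints the composed command, and runs it unless ISECAV_DRY_RUN=1.
create_aprule() {
  local name="$1" block="$2" report="$3" sub="$4" type="$5" ops="$6" targets="$7"
  local dst="${8:-}" exproc="${9:-}" v out a
  case "$name" in ''|*[!A-Za-z0-9]*) echo "--rulename must be alphanumeric" >&2; return 1 ;; esac
  [ "${#name}" -le 256 ] || { echo "--rulename exceeds 256 characters" >&2; return 1; }
  for v in "$block" "$report"; do
    case "$v" in enable|disable) ;; *) echo "--block and --report are mandatory: enable|disable" >&2; return 1 ;; esac
  done
  [ "$block$report" != disabledisable ] || echo "warning: block and report both disabled, rule is inactive" >&2
  [ -n "$sub" ] || { echo "--subrulename is mandatory" >&2; return 1; }
  case "$type" in file|process) ;; *) echo "--subruletype must be file or process" >&2; return 1 ;; esac
  check_operations "$type" "$ops" || return 1
  [ -n "$targets" ] || { echo "a subrule needs at least one target" >&2; return 1; }
  if [ -n "$dst" ] && { [ "$type" != file ] || [ "$AP_NEEDS_DST" != 1 ]; }; then
    echo "--includetargetdstfile needs a file subrule with rename, hardlink or symlink" >&2; return 1
  fi
  set -- --createaprule --rulename "$name" --block "$block" --report "$report" \
         --subrulename "$sub" --subruletype "$type" --operations "$ops"
  if [ "$type" = file ]; then set -- "$@" --includetargetfile "$targets"
  else set -- "$@" --includetargetprocess "$targets"; fi
  [ -z "$dst" ] || set -- "$@" --includetargetdstfile "$dst"
  [ -z "$exproc" ] || set -- "$@" --excludeprocess "$exproc"
  out="$ISECAV_BIN"
  for a in "$@"; do out="$out $(q "$a")"; done
  printf '%s\n' "$out"
  [ "$ISECAV_DRY_RUN" = 1 ] || "$ISECAV_BIN" "$@"
}

# Constructed demo: tamper-protect the loader preload file while letting the package
# manager update it; the dpkg name:path pair is an assumption for illustration.
create_aprule ProtectPreload enable enable NoPreloadTamper file \
  "create,write,delete,rename,symlink,hardlink" /etc/ld.so.preload /etc/ld.so.preload \
  dpkg:/usr/bin/dpkg
```

Covering rename, symlink and hardlink as well as write matters because a file can be replaced without ever being written to: a prepared copy renamed over it, or a link created in its place, bypasses a rule that only blocks the write operation.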


Access Protection global exclusions

Processes in the global exclusions list are excluded from all Access Protection rules. 

Exclusions are useful when system-specific processes must be allowed to run unhindered by the rules. 

--setapexclusions [name1:processfile1, name2:processfile2,…] 
    Excludes the specified processes, each identified by a name and a file, from all Access Protection rules. processfile can be either the file name or the path. Wildcards (*, ?, and **) and comma-separated values are allowed. 
    CAUTION: A wildcard [*] in this setting excludes all processes, so no rule is enforced against any process. 

--getapexclusions 
    Prints the processes that are excluded from all rules. 


Add Access Protection global exclusions

Exclude processes from triggering a rule when there is a violation. 

Task

  1. Log on to your Linux system as root user. 
  2. Change directory to the bin directory. 

cd /opt/isec/ens/threatprevention/bin 

  3. To add the exclusion: 

./isecav --setapexclusions [name1:processfile1, name2:processfile2,…] 

  4. To view the list of exclusions: 

./isecav --getapexclusions 

  5. To remove a process from the exclusions: 

./isecav --deleteapexclusions [name1:processfile1, name2:processfile2,…] 


Other Access Protection commands

You can view all Access Protection rules and their configuration details. 

Table 1: Commands to manage Access Protection rules

--getallaprules 
    Prints all Access Protection rules, whether enabled or disabled. The output includes the rule index, rule name, actions, and origin (McAfee-defined or User-defined). 
    To view all Access Protection rules, run: ./isecav --getallaprules 

--getapruleconfig [ruleindex] 
    Prints the details of the Access Protection rule identified by ruleindex: actions, the processes and users the rule applies to, and the subrules with their associated targets. 
    To print a rule's configuration, run: ./isecav --getapruleconfig [ruleindex] 

--deleteaprule [ruleindex] 
    Deletes the Access Protection rule identified by ruleindex. The rule name cannot be used when deleting rules. 
    Note: McAfee-defined rules cannot be deleted. 
    To delete an Access Protection rule, run: ./isecav --deleteaprule [ruleindex]