Commands for the Windows client service smc in Symantec Endpoint Protection and Symantec Endpoint Security (2024)

You can run the Windows client service using the smc (or smc.exe) command-line interface. You can use the

smc

command in a script that runs the client remotely. For example, you may need to stop the client to install an application on multiple clients. You can then use the script to stop and restart all clients at one time.

The client service must be running for you to use the command-line parameters, with the exception of

smc -start

parameter. The command-line parameters are not case-sensitive. For some parameters, you may need the password. The client does not support UNC paths.

To run Windows commands using the

smc

command-line interface

On the client computer, click

Start > Run

, and then type

cmd

In theCommand Prompt window, do one of the following tasks:

See Also

What is Symantec Endpoint Protection?

For example:

smc -password-exportconfig c:\profile.xml

You must enter the installation path to the

smc

service before the command. For example, on a 64-bit Windows system on which

Symantec Endpoint Protection

is installed to the default location, enter:

C:\Program Files\Symantec\Symantec Endpoint Protection\smc.exe

Parameters for
smc
Parameter	Description	Applies to
smc -start *	Starts the client service. Returns 0, -1	All supported versions
smc -stop *†	Stops the client service and unloads it from memory. If this command is password-protected, the client is disabled within one minute after the end user enters the correct password. Returns 0, -1	All supported versions
smc -cloudmanaged <path toSymantec_Agent_Setup.exe>	Moves a cloud-managed device to another cloud domain or tenant. Moves a client computer from Symantec Endpoint Protection Manager management to cloud console management. Requires the Symantec_Agent_Setup.exe installation file for the destination cloud domain or tenant. You download this file from the cloud console.See: Using smc to switch Windows client between SEP and SES management or to change a device's tenant or domain	New in 14.2 RU1
smc -configure -proxy-mode <mode>	Used together with enrollment parameters to enable the client to enroll using the required proxy configuration.Can also be used to correct bad proxy options. Possible modes are as follows: system , manual , none . Specifying a proxy address switchesautomaticallyto manual mode. If you enter manual , but don't specify a proxy host, this mode will be ignored. Not supported on the clients that are managed by Symantec Endpoint Protection Manager . For more information, see the table: Combinations ofproxy settingsentered at a command prompt	New in 14.3 RU1
smc -configure -proxy-address <host or IP>	Allows to manually specify the proxy host or the proxy address. Required if the proxy mode is set to manual .	New in 14.3 RU1
smc -configure -proxy-port <port number>	Allows to manually specify theproxy port. The same port will be used both for HTTP and HTTPS connections. If no ports are specified, the ports are automatically set to 80 for HTTP and 443 for HTTPS.	New in 14.3 RU1
smc -configure -proxy-port-http <port number>	Allows to manually specify theproxy port for HTTP connections. Overwrites the default HTTP port or the port that has been specified by smc -configure -proxy-port .	New in 14.3 RU1
smc -configure -proxy-port-https <port number>	Allows to manually specify theproxy port for HTTPS connections. Overwrites the default HTTPS port or the port that has been specified by smc -configure -proxy-port .	New in 14.3 RU1
smc -configure -proxy-auth-mode basic	Possible authentication modes are as follows: basic , ntlm . Defaultauthentication mode is basic .	New in 14.3 RU1
smc.exe -configure -proxy-user-name <name>	Allows to manually specify theproxy user. For ntlm , you must specify domain/user.	New in 14.3 RU1
smc -configure -proxy-password <plain pwd>	Allows to manually specify theproxy password. Maximum length is 255 characters without null. The password is case sensitive.	New in 14.3 RU1
smc -enable -ntp smc -disable -ntp †	Enables/disables the Symantec Endpoint Protection firewall and Intrusion Prevention System.	All supported versions Password requirement for -disable new in 14.2 RU1
smc -enable -mem * smc -disable -mem *	Enables/disables the Symantec Endpoint Protection Memory Exploit Mitigation system.	New in version 14 MP1
smc -enable -gem * smc -disable -gem *	Enables/disables the Symantec Endpoint Protection Memory Exploit Mitigation system.	Version 14 only
smc -dismissgui	Closes the client user interface. The client still runs and protects the client computer. Returns 0	All supported versions
smc -exportconfig *†	Exports the client's configuration file to an .xml file. The configuration file includes the following management server settings: Policies Groups Security settings User interface settings You must specify the path name and file name. For example, you can enter the following command: smc -exportconfig C:\My Documents\MyCompanyprofile.xml Returns 0, -1, -5, -6	All supported versions
smc -exportlog	Exports the entire contents of a log to a .txt file. To export a log, you use the following syntax: smc -exportlog log_type 0 -1 output_file Where: log_type is: 0 = System Log 1 = Security Log 2 = Traffic Log 3 = Packet Log 4 = Control Log For example, you might enter the following syntax: smc -exportlog 2 0 -1 c:\temp\TrafficLog Where is the beginning of the file and -1 is the end of the file. You can export only the Control log, Packet log, Security log, System log, and Traffic log. The name output_file is the path name and file name that you assign to the exported file. Returns 0, -2, -5	All supported versions
smc -exportadvrule *†	Exports the client's firewall rules to an .xmlfile. This command only works for firewall rules on an unmanaged client or a client that is in client control mode.For a client in server control mode or mixed mode, use -exportconfig . You must specify the path name and file name. For example, you can enter the following command: smc -exportadvrule C:\myrules.xml Returns 0, -1, -5, -6 You cannot import configuration files or firewall rule files directly from a mapped network drive. Preventing users from disabling the Symantec Endpoint Protection client	All supported versions
smc -image †	Unenrolls the Symantec Agent ( Symantec Endpoint Protection client) and keeps it unenrolled. The difference from a regularunenrollmentis the removal of the hardware key and the persisted hardware key information. Uses the Require a password to import or export a policy and to import client communication settings password option. Forclients that the SES cloud console manages,running the smc -image command also results in the client becomingunmanaged. You would then need to run another command to re-register the client with its cloud server. See: Installing Symantec Agent on a client device without automatically enrolling it	New in 14.3 RU1(Symantec Endpoint Security) New in 14.3 RU6(Symantec Endpoint Protection)
smc -importadvrule *†	Imports the firewall rules to the client. The rules you import overwrite any existing rules. You can import the following: Rules in .xml format that you exported through smc -exportadvrule Rules in .sar format that you exported through the client user interface You can only import firewall rules if the client is unmanaged or if the managed client is in client control mode or mixed mode. The managed client ignores these rules in server control mode. To import firewall rules, you import an .xml or .sar file. For example, you can enter the following command: smc -importadvrule C:\myrules.xml An entry is added to the System log after you import the rules. Returns 0, -1, -5, -6 To append rules instead of overwriting them, use Import rule from the within client user interface. For more information, see: Preventing and allowing users to change the client's user interface Exporting or importing firewall rules on the client	All supported versions
smc -importconfig *†	Replaces the contents of the client's current configuration file with an imported configuration file and updates the client's policy. The client must run to import the configuration file's contents. You must specify the path name and file name. For example, you can enter the following command: smc -importconfig C:\My Documents\MyCompanyprofile.xml . Returns 0, 3, -1, -5, -6	All supported versions
smc -importsylink <path to sylink.xml> †	Imports the client communications file (sylink.xml).	All supported versions
smc -enable -wss smc -disable -wss	Enables or disables Web and Cloud Access Protection .	New in version 14.0.1 MP1
smc -p password †	Used with a command that requires a password, where password is the required password. For example: smc -p password -importconfig	All supported versions
smc -report	Creates a dump file (.dmp) that includes crashes and logical errors that occurred on the client. The file is sent automatically to Symantec Technical Support. Contact Technical Support to ask for help in diagnosing the error. You can find the dump file at the following location: SEP_Install \Data\LocalDumps Where SEP_Install is the installation folder. By default, this pathis C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ version .	New in version 14
smc -restart	Stops and immediately starts the client, which performs the same task as -stop followed by -start .The command restarts the client without restarting the computer.Use this command as a troubleshooting tool to help diagnose an unknown problem.	New in 14.3 RU3
smc -runhi	Runs a Host Integrity check. Returns 0	All supported versions
smc -sepmmanaged	Reverts the client management from the cloud console back to the Symantec Endpoint Protection Manager that previously managed it.	New in 14.2 RU1
smc -sepmmanaged<path to sylink.xml>	Imports the client communications file (sylink.xml). Equivalent to -importsylink but does not require a password.	New in 14.2 RU1
smc -showgui	Displays the client user interface. Returns 0	All supported versions
smc -updateconfig	Initiates a client-server communication to ensure that the client's configuration file is up-to-date. If the client's configuration file is out-of-date, updateconfig downloads the most recent configuration file and replaces the existing configuration file, which is serdef.dat. Returns 0	All supported versions

smc -checkinstallation

and

smc -checkrunning

are no longer supported.

* Parameters that only members of the Administrators group can use if the following conditions are met:

The client runs Windows Vista or Windows Server 2008, and users are members of the Windows Administrators group.

If the client runs Windows Vista, and User Account Control is enabled, the user automatically becomes a member of the groups Administrators and Users.

† Parameters that need a password. You password-protect the client in

Symantec Endpoint Protection Manager

See: Password-protecting the Symantec Endpoint Protection client

Combinations ofproxy settingsentered at a command prompt
proxy-mode	proxy-user-name	proxy-password	proxy-address	proxy-port	Action
system	no	no	no	no	Use system proxy
system	yes	no	no	no	ERROR_INVALID_COMMAND_LINE (missing password)
system	no	yes	no	no	ERROR_INVALID_COMMAND_LINE (missing user)
system	no	no	yes	no	Use system proxy (ignore server)
system	yes	yes	no	no	Use system proxy with authentication
system	yes	yes	yes	no	Use system proxy with authentication (ignore server)
system	yes	yes	yes	yes	Use system proxy with authentication (ignore server and ports)
manual	no	no	no	no	ERROR_INVALID_COMMAND_LINE
manual	yes	no	no	no	ERROR_INVALID_COMMAND_LINE
manual	no	yes	no	no	ERROR_INVALID_COMMAND_LINE
manual	no	no	yes	no	Valid "manual" (custom) proxy with default ports
manual	yes	yes	no	no	ERROR_INVALID_COMMAND_LINE
manual	yes	yes	yes	no	Valid "manual" (custom) proxy with default ports
manual	yes	yes	yes	yes	Valid "manual" (custom) proxy
manual	yes	no	yes	yes or no	ERROR_INVALID_COMMAND_LINE (no password)
manual	no	yes	yes	yes or no	ERROR_INVALID_COMMAND_LINE (no user)
none	no	no	no	no	Valid “none” proxy
none	yes	no	no	no	Valid “none” proxy
none	no	yes	no	no	Valid “none” proxy
none	no	no	yes	no	Valid “none” proxy
none	yes	yes	no	no	Valid “none” proxy
none	yes	yes	yes	no	Valid “none” proxy
none	yes	yes	yes	yes	Valid “none” proxy
no	no	no	no	no	No proxy settings
no	yes	no	no	no	No proxy settings (ignore user)
no	no	yes	no	no	No proxy settings (ignore password)
no	no	no	yes	no	Valid “manual” (custom) proxy with default ports
no	yes	yes	no	no	No proxy settings (ignore extra options)
no	yes	yes	yes	no	Valid “manual” (custom) proxy with default ports
no	yes	yes	yes	yes	Valid “manual” (custom) proxy

More information

command error codes