Argument details

This table lists the commands with the supported arguments and their description. In the Argument column, the supported arguments for the commands are listed in alphabetical order.

You can use the -z argument to provide the CLI password on the command line so that the system does not prompt for it. This argument can be used in all CLI commands. For example, if the CLI password is set and you issue the sadmin wp -i abc.txt command, the system immediately prompts you for the password. Using the -z argument, you can issue the sadmin wp -z <password> -i abc.txt command to provide the password with the issued command.
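A password passed with -z becomes part of the process command line, so it can end up in shell history and process-creation logs. The following is an added example, not part of the vendor documentation: it masks the value that follows -z in recorded sadmin command lines before they are stored or shared. The function names and the sample lines (including the C:\Tools path) are constructed for illustration.

```python
import shlex

REDACTED = "<redacted>"

def _is_sadmin(token):
    # Accept sadmin, sadmin.exe, or a quoted/full path ending in either.
    name = token.strip("\"'").replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in ("sadmin", "sadmin.exe")

def redact_sadmin_password(cmdline):
    """Return (cmdline with the -z value masked, True if a value was masked)."""
    try:
        # posix=False keeps backslashes and quotes intact (Windows-style lines).
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        # Unbalanced quotes, e.g. a truncated log line: fall back to whitespace.
        tokens = cmdline.split()
    in_sadmin = False
    masked = False
    for i, tok in enumerate(tokens):
        if _is_sadmin(tok):
            in_sadmin = True
        elif in_sadmin and tok == "-z" and i + 1 < len(tokens):
            tokens[i + 1] = REDACTED   # the token after -z is the password
            masked = True
            in_sadmin = False          # mask only the first -z per invocation
    return " ".join(tokens), masked

def audit(lines):
    """Return [(line_number, redacted_line)] for lines that exposed a -z value."""
    hits = []
    for n, line in enumerate(lines, 1):
        redacted, masked = redact_sadmin_password(line)
        if masked:
            hits.append((n, redacted))
    return hits

# Constructed sample command lines (not taken from a real system).
SAMPLE_LOG = [
    'sadmin wp -z S3cret! -i abc.txt',
    r'"C:\Tools\sadmin.exe" wp -z "two words" -i abc.txt',
    'sadmin wp -i abc.txt',           # no -z: the CLI prompts instead
    'tar -c -z -f backup.tgz /etc',   # -z of another tool is left alone
]

if __name__ == "__main__":
    for n, line in audit(SAMPLE_LOG):
        print(n, line)
```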

Table 1: Argument details
Command Argument Description
attr -a Always authorizes by file name. This is a deprecated technique. For more information, contact McAfee Support.
-b Configures the bypass, restore, list, and flush rules for a component protected using the Mangling technique. This is a deprecated technique. For more information, contact McAfee Support.
-c Configures the bypass, restore, list, and flush rules for a component protected using the Critical Address Space Protection technique.
-f Bypasses from full crawl attribute. This is a deprecated technique. For more information, contact McAfee Support.
-h Adds a binary to MP Compat protection.
-i Configures the bypass, restore, list, and flush rules for a binary using the Package Control feature.
-j Bypasses a binary from MP Compat protection.
-l Configures the bypass, restore, list, and flush rules for a component using the Anti-Debugging technique. This is a deprecated technique. For more information, contact McAfee Support.
-m Configures the add, remove, list, and flush rules for blocking the process in the interactive mode.
-n Configures the bypass, restore, list, and flush rules for a component using the mp-nx technique.
-y Includes child processes for a component to be bypassed using the mp-nx technique. This argument can only be specified with the -n argument.
-o Specifies the DLL module name for a specified process. This argument can be used with the -p, -v, and -i arguments. On the Linux platform, use this argument to specify the parent program for the -p attribute.
-p Bypasses from process context file operations attribute.
-u Always unauthorizes by file name. This is a deprecated technique. For more information, contact McAfee Support.
-v Bypasses from Forced DLL relocation attribute.
auth -a Authorizes a binary using the checksum value.
-b Bans a binary using the checksum value.
-c Specifies the checksum value.
-f Flushes all authorized or banned binaries.
-l Lists all authorized and banned binaries.
-r Removes the authorized or banned binaries.
-t Includes the associated tag name for a binary to be banned.
-u Authorizes a binary and also provides updater privileges when used with the -a and -c arguments.
begin-update (bu) workflow-id Specifies an ID when switching to Update mode. This ID can be used for tracking purposes in a change management or ticketing system.
comment Specifies descriptive text for the workflow ID.
cert -c Specifies the certificate content as trusted.
-d Lists all details of the issuer and subject of the certificates added to the system.
-u Provides updater privileges to a certificate that is added as a trusted certificate, or lists the trusted certificates with updater privileges.
check -r Fixes any inconsistencies that are encountered.

config -a Appends the configuration values.
diag -f Applies the diagnosed configuration changes for the restricted programs, such as winlogon.exe and svchost.exe.
disable NA NA
enable NA NA
end-update (eu) NA NA
event -a Adds sinks to the specified event.
-r Removes sinks from the specified event.
features -d Lists all features (including the hidden features).

For more information, contact McAfee Support.

help NA NA
help-advanced NA NA
license NA NA
list-solidified (ls) -l Lists details of the whitelisted files.
list-unsolidified (lu) NA NA
lockdown NA NA
passwd -d Removes the password for using Application Control.
read-protect (rp) -e Excludes specific components from a read-protected directory or volume.
-f Flushes all components from read protection.
-i Includes files, directories, or volumes for read protection.
-l Lists the read-protected components.
-r Removes read‑protection applied to files, directories, or volumes.
recover -f Forcefully closes the McAfee ePO command and recovers the local CLI.
ruleengine allow A rule type for adding or removing the allow rules on any attribute of a process.
block A rule type for adding or removing the block rules on any attribute of a process.
monitor A rule type for adding or removing the monitor rules on any attribute of a process.
command_line This attribute type specifies the command-line argument to execute a process. A rule type can be applied to either allow, block, or monitor a process when executed using command_line.
user This attribute type specifies the user who tries to execute a process. A rule can be applied to either allow, block, or monitor the process launched by a user.
parent_process_name This attribute type specifies a particular process which a parent process might try to execute. A rule can be applied to either allow, block, or monitor its execution when a parent process tries to execute it.
path This attribute type denotes the path where the process resides whose execution is undetermined. A rule can be applied to allow, block, or monitor the process execution from that path.
regex A regular expression of one or more characters that defines the search pattern. It describes a grammar that can be constructed based on ECMAScript. See this article for more details.
string Specifies a string of characters.
skiplist -c Skips path components from the monitoring feature. This command is applicable to Application Control only in Update mode where changes are tracked. User mode paths and paths with volume name do not work with this command.

Text added with this command is treated as a complete component. For example, text can start with a forward slash (/) and end with a backward slash (\), dot (.), or null character.

No events are generated for files that contain the specified text. Also, the whitelist is not updated for such paths.

-d Skips path components from write protection to remove write protection applied to all files in that path. User mode paths and paths with volume name do not work with this command.

Text added with this command is treated as a complete component. For example, text can start with a forward slash (/) and end with a backward slash (\), dot (.), or null character.

-f Skips path components from file operations and the script-auth feature.

User mode paths and paths with volume name do not work with this command.

Text added with this command is treated as a substring in a path. No events are raised and the whitelist is not updated for the skipped path components. Also, script execution control does not work for paths added with this command.

-i Skips path components from file operations using the ignore path list. This works similarly to the sadmin add -f command.

User mode paths and paths with volume name do not work with this command.

When the path components are specified on Windows 64-bit platforms, even the deny-exec feature is skipped.

-r Skips registry path components from write protection for registry to remove write protection applied on the registry paths.

Text added with this command is treated as a complete component. For example, text can start with a forward slash (/) and end with a backward slash (\), dot (.), or null character.

-s Removes files present under the specified path component and subdirectories from the whitelist.

Network path names cannot be specified with this command. Volume relative rules can also be specified using *\<vol_rel_name>.

-v Bypasses volumes from attaching to Application Control. A file system, such as NTFS or FAT, can also be specified with this argument. When you specify a volume name with this argument, Application Control is not attached to that volume. Script-auth and deny-exec features are also not effective on the specified volume. Components in that volume are allowed to execute on the system.

You can specify a path component using user mode volume names, such as C: and D:. Device names, such as \device\harddiskvolume1, and file systems, such as NTFS and FAT, can also be specified.

solidify (so) -q Suppresses all output except for errors.
-v Displays all processed components.
status NA NA
trusted -e Excludes one or more specified paths to the directories or volumes from a list of trusted directories or volumes.
-f Removes all directories and volumes from the trusted rule.
-i Adds one or more specified paths to the directories or volumes as trusted directories or volumes.
-l Lists all trusted directories and volumes.
-r Removes the specified directories or volumes from the trusted rule.
-u Provides updater privileges to all binaries and scripts in the trusted directories or volumes.
unsolidify (unso) -v Displays all processed components.
updaters -d Excludes the child processes of a binary file to be added as an updater from inheriting the updater privileges.
-l Includes the library name for an execution file to be added as an updater (for Windows).
-n Disables event logging for a file to be added as an updater.
-p Adds a file as an updater only when it is started by specified parent process.
-t Performs these operations:

  • Includes the tags for a file to be added as an updater.
  • Adds a user with a tag name as an updater.

-u Adds a user as an updater (for Windows).
version NA NA
write-protect (wp) -e Excludes specific components from a write-protected directory or volume.
-f Flushes all components from write protection.
-i Write-protects files, directories, or volumes.
-l Lists the write-protected components.
-r Removes write protection applied to files, directories, or volumes.
write-protect-reg (wpr) -e Excludes one or more registry keys from write protection.
-f Flushes all registry keys from write protection. Flushing the registry keys from write protection removes all write‑protection rules applied to the registry keys.
-i Write‑protects registry keys.
-l Lists all write-protected registry keys.
-r Removes write protection from one or more registry keys.