List of Commands for Application Control

When using Application Control in a standalone configuration, you can use different commands and arguments to manage the software and its features.

attr

This command changes or lists the software configuration attributes.

Command syntax conventions

  • sadmin attr add -a|-c|-h|-j|-l|-m|-p|-u filename
  • sadmin attr add -o parent= filename2 -i filename1
  • sadmin attr add -v filename (Windows 7 and later)
  • sadmin attr remove -a|-c|-h|-i|-j|-l|-m|-p|-u filename
  • sadmin attr remove -v filename (Windows 7 and later)
  • sadmin attr list -a|-c|-h|-i|-j|-l|-m|-p|-u filename
  • sadmin attr list -v filename
  • sadmin attr flush -a|-c|-h|-i|-j|-l|-m|-p|-u filename
  • sadmin attr add -n filename (Windows 64-bit)
  • sadmin attr remove -n filename (Windows 64-bit)
  • sadmin attr list -n filename (Windows 64-bit)
  • sadmin attr flush -n filename (Windows 64-bit)

auth

This command authorizes an application (executable, installer, or batch file) by adding it to the whitelist, or unauthorizes an application by adding it to the blacklist. The application can be installed or invoked locally, or installed or invoked from a shared drive.

Command syntax conventions

  • sadmin auth -a [ -t rule id ] [ -u ] -c checksum
  • sadmin auth -b -c checksum
  • sadmin auth -b [ -t rule id ] -c checksum
  • sadmin auth -f
  • sadmin auth -l
  • sadmin auth -r checksum

begin-update (bu)

This command initiates Update mode to help perform software updates and installations.

Command syntax conventions

  • sadmin begin-update/bu [workflow-id [ comment]]

cert

This command manages certificates for digitally signed files. You can add, remove, or list the certificates in the Application Control certificate store, which is a directory in the install directory: <install_dir>/Certificates.

Command syntax conventions

  • sadmin cert add certificate_name
  • sadmin cert add -u certificate_name
  • sadmin cert add -c certificate_content
  • sadmin cert remove SHA-1
  • sadmin cert remove SHA-256
  • sadmin cert remove -c certificate_content
  • sadmin cert list [-d|-u]
  • sadmin cert flush

check

This command validates and fixes the attributes of the specified file against the inventory.

Command syntax conventions

  • sadmin check [-r] file/directoryname/volumename...

config

This command exports current configuration settings to a file or imports configuration settings from a file to an existing installation.

Command syntax conventions

  • sadmin config export file
  • sadmin config import [-a] file
  • sadmin config set name=value
  • sadmin config show

diag

This command runs diagnostics and offers suggestions on programs and applications to authorize (to perform updates).

Command syntax conventions

  • sadmin diag
  • sadmin diag fix [ -f ]

disable

This command activates Disabled mode. Restart the system to make sure that the command is applied.

Command syntax conventions

  • sadmin disable

enable

This command activates Enabled mode. Restart the system to make sure that the command is applied.

Command syntax conventions

  • sadmin enable

end-update (eu)

This command ends Update mode and activates Enabled mode.

Command syntax conventions

  • sadmin end-update/eu

event

This command configures the log targets (sinks) for generated events.

Command syntax conventions

  • sadmin event sink [eventname sinkname]
  • sadmin event sink -a|-r { eventname | ALL } { sinkname | ALL }

features

This command enables, disables, or lists the features on an existing installation.

Command syntax conventions

  • sadmin features enable|disable|list featurename

help

This command provides information about basic commands.

Command syntax conventions

  • sadmin help [command]

help-advanced

This command provides information about advanced commands.

Command syntax conventions

  • sadmin help-advanced [command]

license

This command adds or displays licensing information.

Command syntax conventions

  • sadmin license add licensekey
  • sadmin license list

list-solidified (ls)

This command lists the whitelisted files, directories, and volumes.

Command syntax conventions

  • sadmin list-solidified/ls [-l] [filename|directoryname|volumename]

list-unsolidified (lu)

This command lists the files, directories, and volumes that are not whitelisted.

Command syntax conventions

  • sadmin list-unsolidified/lu [filename|directoryname|volumename]

lockdown

This command disables the local command line interface. After lockdown, you can only issue the help, help-advanced, status, version, and recover commands.

Command syntax conventions

  • sadmin lockdown

passwd

This command sets a password for the command line interface. If the password is set, you must verify the password before executing critical commands. The sadmin passwd -d command removes the password.

Command syntax conventions

  • sadmin passwd
  • sadmin passwd -d

read-protect (rp)

This command displays or changes the read protection rules. You must specify complete file or directory names with this command.

Command syntax conventions

  • sadmin read-protect/rp [-e | -i | -r ] PATH...

recover

This command recovers the local command line interface from the locked-down state.

Command syntax conventions

  • sadmin recover [-f]

ruleengine

This command specifies rules on various attributes of a process whose execution is undetermined. This enables the user to allow, block, or monitor its execution. You can combine one or more unique attribute types in one rule using the AND operator.

Command syntax conventions

  • sadmin ruleengine add allow processname command_line { matches | not matches } regex
  • sadmin ruleengine add allow processname { command_line | user | parent_process_name | path } { equals | not equals } string
  • sadmin ruleengine add block processname command_line { matches | not matches } regex
  • sadmin ruleengine add block processname { command_line | user | parent_process_name | path } { equals | not equals } string
  • sadmin ruleengine add monitor processname command_line { matches | not matches } regex
  • sadmin ruleengine add monitor processname { command_line | user | parent_process_name | path } { equals | not equals } string
  • sadmin ruleengine remove allow processname command_line { matches | not matches } regex
  • sadmin ruleengine remove allow processname { command_line | user | parent_process_name | path } { equals | not equals } string
  • sadmin ruleengine remove block processname command_line { matches | not matches } regex
  • sadmin ruleengine remove block processname { command_line | user | parent_process_name | path } { equals | not equals } string
  • sadmin ruleengine remove monitor processname command_line { matches | not matches } regex
  • sadmin ruleengine remove monitor processname { command_line | user | parent_process_name | path } { equals | not equals } string
  • sadmin ruleengine list
  • sadmin ruleengine flush

skiplist

This command bypasses a path component from a feature to remove the protection applied by that feature. You can also define skip rules to skip path components from the whitelist. Use caution and take advice from McAfee Support before applying skiplist rules because doing so can affect the core functionality of the product and can make your system vulnerable to security threats.

Command syntax conventions

  • sadmin skiplist add -c|-d|-f|-i|-r|-s|-v pathname
  • sadmin skiplist remove -c|-d|-f|-i|-r|-s|-v pathname
  • sadmin skiplist list -c|-d|-f|-i|-r|-s|-v
  • sadmin skiplist flush -c|-d|-f|-i|-r|-s|-v

solidify (so)

This command adds specified files in a directory or system volume to the whitelist.

Command syntax conventions

  • sadmin solidify/so
  • sadmin solidify [filename|directoryname|volumename] [-q|-v]

status

This command displays the status of Application Control. You can view the operational mode, operational mode on system restart, connectivity with McAfee ePO, access status, and whitelist status of the local CLI.

Command syntax conventions

  • sadmin status

trusted

This command identifies a local or remote share as a trusted file path, volume, or directory. You can include, exclude, remove, list, or flush the trusted volumes or directories.

Command syntax conventions

  • sadmin trusted -e|-i|-r|-f|-l [pathname|volumename]

unsolidify (unso)

This command removes specified files from the whitelist.

Command syntax conventions

  • sadmin unsolidify [ -v ] [filename|directoryname|volumename]

updaters

This command adds, deletes, lists, or flushes programs from the list of authorized updaters.

Command syntax conventions

  • sadmin updaters add [-d|-n] binaryname
  • sadmin updaters add [-p parent-binaryname] binaryname
  • sadmin updaters add [-t rule-id] binaryname
  • sadmin updaters add [-d] [-n] [-t rule-id] [-p parent-binaryname] binaryname
  • sadmin updaters add [-l libraryname] binaryname
  • sadmin updaters remove [-p parent-binaryname] binaryname
  • sadmin updaters remove [-l libraryname] binaryname
  • sadmin updaters remove -u username
  • sadmin updaters list
  • sadmin updaters flush

version

This command displays the version of Application Control that you have installed on your system.

Command syntax conventions

  • sadmin version

write-protect (wp)

This command write-protects specified files including the whitelisted files. You must specify complete file or directory names with this command.

Command syntax conventions

  • sadmin write-protect -e|-i|-r pathname
  • sadmin write-protect -f|-l

write-protect-reg (wpr)

This command write-protects specified registry keys including the whitelisted registry keys.

Command syntax conventions

  • sadmin write-protect-reg -e|-i|-r registrykeyname
  • sadmin write-protect-reg -f|-l