Change Control Command Line Interface reference

Here are all commands available for Change Control when using the command line interface (CLI).

In the OS column, these abbreviations indicate the supported operating systems.

  • L — Linux
  • W — Windows

In the Mode column, these abbreviations indicate the supported modes for each command.

  • E — Enabled mode
  • D — Disabled mode
  • U — Update mode

For more information about the Change Control commands, see the McAfee Change Control 8.1.0 Product Guide for standalone mode.

Table 1: Command details
Command Description Syntax OS Mode
monitor Monitors changes to these actions on the system.

  • Files
  • Registry entries (Windows only)
  • Process execution or termination
  • User activity
  • Process

You can also add rules to track content changes for files in a directory. However, this is useful in a McAfee ePO-managed configuration: content change tracking for files can be viewed only in McAfee ePO.

sadmin monitor file [ -e ] filename

L, W E, D, U

sadmin monitor file [ -e ] directoryname
sadmin monitor file [ -e ] volumename
sadmin monitor file [ -e ] pathname1 ... pathnameN
sadmin monitor file [ -i ] filename
sadmin monitor file [ -i ] directoryname
sadmin monitor file [ -i ] volumename
sadmin monitor file [ -i ] pathname1 ... pathnameN
sadmin monitor file [ -r ] filename
sadmin monitor file [ -r ] directoryname
sadmin monitor file [ -r ] volumename
sadmin monitor file [ -r ] pathname1 ... pathnameN
sadmin monitor file -f
sadmin monitor reg [ -e ] registrykey1 ... registrykeyN
sadmin monitor reg [ -i ] registrykey1 ... registrykeyN
sadmin monitor reg [ -r ] registrykey1 ... registrykeyN
sadmin monitor reg -f
sadmin monitor extn [ -e ] file_extension1 ... file_extensionN
sadmin monitor extn [ -i ] file_extension1 ... file_extensionN
sadmin monitor extn [ -r ] file_extension1 ... file_extensionN
sadmin monitor extn -f
sadmin monitor process [ -e ] processname1 ... processnameN
sadmin monitor process [ -i ] processname1 ... processnameN
sadmin monitor process [ -r ] processname1 ... processnameN
sadmin monitor process -f
sadmin monitor user [ -e ] username1 ... usernameN
sadmin monitor user [ -r ] username1 ... usernameN
sadmin monitor user -f
sadmin monitor procexec [ -e ] processpath | directoryname
sadmin monitor procexec [ -e ] directoryname1 ... directorynameN
sadmin monitor procexec [ -i ] processpath | directoryname
sadmin monitor procexec [ -i ] directoryname1 ... directorynameN
sadmin monitor procexec [ -r ] processpath | directoryname
sadmin monitor procexec [ -r ] directoryname1 ... directorynameN
sadmin monitor procexec -f
sadmin monitor file-diff-dir -i -d directoryname
sadmin monitor file-diff-dir -d directoryname
sadmin monitor file-diff-dir -d [ -n ENCODING ] directoryname
sadmin monitor file-diff-dir [ -a INCLUDE PATTERN ] -d directoryname
sadmin monitor file-diff-dir [ -b EXCLUDE PATTERN ] -d directoryname
sadmin monitor file-diff-dir [ -a INCLUDE PATTERN ] [ -c ] -d directoryname
sadmin monitor file-diff-dir [ -a INCLUDE PATTERN ] [ -c ] -d [ -n ENCODING ] directoryname
sadmin monitor file-diff-dir [[-i [[-a INCLUDE-PATTERN] ... [-b EXCLUDE-PATTERN] ... [-c] -d [-n ENCODING]]] directoryname]
sadmin monitor file-diff-dir -r directoryname
sadmin monitor file-diff-dir -f
sadmin monitor list
sadmin monitor flush
begin-update (bu) Initiates Update mode to help perform software updates and installations.

sadmin begin-update [ workflow-id [ comment ]]

sadmin bu [ workflow-id [ comment ]]

L, W E, D
cert Manages certificates for digitally signed files. You can add, remove, or list the certificates in the Change Control certificate store, which is a directory in the install directory <install_dir>/Certificates.

sadmin cert add certificate_name

W E, D, U

sadmin cert add -u certificate_name

sadmin cert add -c certificate_content

sadmin cert remove SHA1

sadmin cert remove SHA256

sadmin cert remove -c certificate_content

sadmin cert list

sadmin cert list -d

sadmin cert list -u

sadmin cert flush

config Allows you to:
  • Export current configuration settings to a file.
  • Import configuration settings from a file to an existing installation.

sadmin config export filename

L, W E, D, U

sadmin config import [ -a ] filename

sadmin config set name=value

sadmin config show

diag Runs diagnostics and offers suggestions on programs and applications to authorize (to perform updates).

sadmin diag

W E, U

sadmin diag fix [ -f ]

disable Activates Disabled mode. Restart the system to make sure that the command is applied. On the Linux platform, if Change Control is in Enabled mode, system restart is not required to apply this command. But, to uninstall the product, system restart is required.

sadmin disable

L, W E, U
enable Activates Enabled mode. Restart the Change Control service to apply this command.

sadmin enable

L, W D
end-update (eu) Ends Update mode and activates Enabled mode.

sadmin end-update

sadmin eu

L, W U
event Configures the log targets (sinks) for generated events.

sadmin event sink

L, W E, D, U

sadmin event sink eventname sinkname

sadmin event sink -a { eventname | ALL } { sinkname | ALL }

sadmin event sink -r { eventname | ALL } { sinkname | ALL }

features Enables, disables, or lists the features on an existing installation.

sadmin features

L, W E, D, U

sadmin features enable featurename

sadmin features disable featurename

sadmin features list

help Provides information about basic commands.

sadmin help

L, W E, D, U

sadmin help [ command ]

help-advanced Provides information about advanced commands.

sadmin help-advanced

L, W E, D, U

sadmin help-advanced [ command ]

license Adds or displays licensing information.

sadmin license add licensekey

L, W D

sadmin license list

lockdown Disables the local command line interface. After lockdown, you can only issue the help, help‑advanced, status, version, and recover commands.

sadmin lockdown

L, W E, D, U
passwd

Sets a password for the command line interface.

If the password is set, you must verify the password before executing critical commands.

Using the sadmin passwd -d command removes the password.

sadmin passwd

L, W E, D, U

sadmin passwd -d

read-protect (rp) Displays or changes the read protection rules. You must specify complete file or directory names with this command.

sadmin read-protect -e pathname1 ... pathnameN

L, W E, D, U

sadmin read-protect -i pathname1 ... pathnameN

sadmin read-protect -r pathname1 ... pathnameN

sadmin read-protect -l

sadmin read-protect -f

recover Recovers the local command line interface.

sadmin recover

L, W E, D, U

sadmin recover -f

status Displays the status of Change Control. You can view the operational mode, operational mode on system restart, connectivity with McAfee® ePolicy Orchestrator® (McAfee® ePO™), access status, and whitelist status of the local CLI.

sadmin status

L, W E, D, U

sadmin status volumename

trusted Identifies a local or remote share as a trusted volume or directory. You can include, exclude, remove, list, or flush the trusted volumes or directories.

sadmin trusted -e pathname1 ... pathnameN

L E, D, U

sadmin trusted -r pathname1 ... pathnameN

sadmin trusted -l

sadmin trusted -f

sadmin trusted -e volumesetname1 ... volumesetnameN

W E, D, U

sadmin trusted -e pathname1 ... pathnameN

sadmin trusted -r volumesetname1 ... volumesetnameN

sadmin trusted -r pathname1 ... pathnameN

sadmin trusted -l

sadmin trusted -f

sadmin trusted -u <network path>

updaters Adds, deletes, lists, or flushes programs from the list of authorized updaters.

sadmin updaters add [ -d ] { binaryname }

L E, D, U

sadmin updaters add [ -n ] { binaryname }

sadmin updaters add [ -p parent-programname ] { binaryname }

sadmin updaters add [ -t rule-id ] { binaryname }

sadmin updaters add [ -d ] [ -n ] [ -t rule-id ] [ -p parent-programname ] { binaryname }

sadmin updaters remove { binaryname }

sadmin updaters remove [ -p parent-programname ] { binaryname }

sadmin updaters list

sadmin updaters flush

sadmin updaters add [ -d ] { binaryname }

W E, D, U

sadmin updaters add [ -l libraryname ] { binaryname }

sadmin updaters add [ -n ] { binaryname }

sadmin updaters add [ -p parent-binaryname ] { binaryname }

sadmin updaters add [ -t rule-id ] { binaryname }

sadmin updaters add [ -d ] [ -n ] [ -t rule-id ] [ -l libraryname ] { binaryname }

sadmin updaters add [ -d ] [ -n ] [ -t rule-id ] [ -p parent-binaryname ] { binaryname }

sadmin updaters add [ -t rule-id ] -u username

sadmin updaters remove { binaryname }

sadmin updaters remove [ -l libraryname ] { binaryname }

sadmin updaters remove [ -p parent-binaryname ] { binaryname }

sadmin updaters remove -u username

sadmin updaters list

sadmin updaters flush

version Displays the version of the installed Change Control product.

sadmin version

L, W E, D, U
write-protect (wp) Write-protects specified files including the whitelisted files. You must specify complete file or directory names with this command.

sadmin write-protect -e pathname1 ... pathnameN

L, W E, D, U

sadmin write-protect -i pathname1 ... pathnameN

sadmin write-protect -r pathname1 ... pathnameN

sadmin write-protect -l

sadmin write-protect -f

write-protect-reg (wpr) Write-protects specified registry keys including the whitelisted registry keys.

sadmin write-protect-reg -e registrykeyname1 ... registrykeynameN

W E, D, U

sadmin write-protect-reg -i registrykeyname1 ... registrykeynameN

sadmin write-protect-reg -r registrykeyname1 ... registrykeynameN

sadmin write-protect-reg -l

sadmin write-protect-reg -f