Commands for the Windows client service
smc
in Symantec Endpoint Protection and Symantec Endpoint Security

You can run the Windows client service using the smc (or smc.exe) command-line interface. You can use the
smc
command in a script that runs the client remotely. For example, you may need to stop the client to install an application on multiple clients. You can then use the script to stop and restart all clients at one time.
The client service must be running for you to use the command-line parameters, with the exception of
smc -start
parameter. The command-line parameters are not case-sensitive. For some parameters, you may need the password. The client does not support UNC paths.
To run Windows commands using the
smc
command-line interface:
  1. On the client computer, click
    Start > Run
    , and then type
    cmd
    .
  2. In the Command Prompt window, do one of the following tasks:
    • If the parameter does not need a password, enter:
      smc -
      parameter
      Where
      parameter
      is a parameter.
    • If the parameter needs a password, enter:
      • smc -p
        password
        -
        parameter
      For example: smc -p
      password
      -exportconfig c:\profile.xml
      You must enter the installation path to the
      smc
      service before the command. For example, on a 64-bit Windows system on which
      Symantec Endpoint Protection
      is installed to the default location, enter:
      C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe
Parameters for
smc
Parameter
Description
Applies to
smc -start
*
Starts the client service.
Returns 0, -1
All supported versions
smc -stop
*†
Stops the client service and unloads it from memory.
If this command is password-protected, the client is disabled within one minute after the end user enters the correct password.
Returns 0, -1
All supported versions
smc -cloudmanaged path\to\Symantec_Agent_Setup.exe
Moves a cloud-managed device to another cloud domain or tenant.
Moves a client computer from
Symantec Endpoint Protection Manager
management to cloud console management.
Requires the
Symantec_Agent_Setup.exe
installation file for the destination cloud domain or tenant. You download this file from the cloud console.
As of 14.2 RU1
smc -enable -ntp
smc -disable -ntp
Enables/disables the
Symantec Endpoint Protection
firewall and Intrusion Prevention System.
All supported versions
Password requirement for
-disable
as of 14.2 RU1
smc -enable -mem
*
smc -disable -mem
*
Enables/disables the
Symantec Endpoint Protection
Memory Exploit Mitigation system.
As of version 14 MP1
Version 14:
smc -enable -gem
*
Version 14:
smc -disable -gem
*
Enables/disables the
Symantec Endpoint Protection
Generic Memory Exploit Mitigation system.
This feature is called Memory Exploit Mitigation in subsequent versions.
Version 14 only
smc -dismissgui
Closes the client user interface.
The client still runs and protects the client computer.
Returns 0
All supported versions
smc -exportconfig
*†
Exports the client's configuration file to an .xml file. The configuration file includes the following management server settings:
  • Policies
  • Groups
  • Security settings
  • User interface settings
You must specify the path name and file name. For example, you can enter the following command:
smc -exportconfig C:\My Documents\MyCompanyprofile.xml
Returns 0, -1, -5, -6
All supported versions
smc -exportlog
Exports the entire contents of a log to a
.txt
file.
To export a log, you use the following syntax:
smc -exportlog
log_type
0 -1 output_file
Where:
log_type
is:
  • 0 = System Log
  • 1 = Security Log
  • 2 = Traffic Log
  • 3 = Packet Log
  • 4 = Control Log
    For example, you might enter the following syntax:
    smc -exportlog 2 0 -1 c:\temp\TrafficLog
    Where
    0
    is the beginning of the file and
    -1
    is the end of the file.
    You can export only the Control log, Packet log, Security log, System log, and Traffic log.
The name
output_file
is the path name and file name that you assign to the exported file.
Returns 0, -2, -5
All supported versions
smc -exportadvrule
*†
Exports the client's firewall rules to an .xml file. The exported rules can only be imported into an unmanaged client or a managed client in client control mode or mixed mode. The managed client ignores these rules in server control mode.
You must specify the path name and file name. For example, you can enter the following command:
smc -exportadvrule C:\myrules.xml
Returns 0, -1, -5, -6
When you import configuration files and firewall rules, note that the following rule applies:
  • You cannot import configuration files or firewall rule files directly from a mapped network drive.
All supported versions
smc -importadvrule
*†
Imports the firewall rules to the client. The rules you import overwrite any existing rules. You can import the following:
  • Rules in .xml format that you exported through
    smc -exportadvrule
  • Rules in .sar format that you exported through the client user interface
You can only import firewall rules if the client is unmanaged or if the managed client is in client control mode or mixed mode. The managed client ignores these rules in server control mode.
To import firewall rules, you import an .xml or .sar file. For example, you can enter the following command:
smc -importadvrule C:\myrules.xml
An entry is added to the System log after you import the rules.
Returns 0, -1, -5, -6
To append rules instead of overwriting them, use
Import rule
from the within client user interface.
All supported versions
smc -importconfig
*†
Replaces the contents of the client's current configuration file with an imported configuration file and updates the client's policy. The client must run to import the configuration file's contents.
You must specify the path name and file name. For example, you can enter the following command:
smc -importconfig C:\My Documents\MyCompanyprofile.xml
.
Returns 0, 3, -1, -5, -6
All supported versions
smc -importsylink path\to\sylink.xml
Imports the client communications file (sylink.xml).
Equivalent to
-sepmmanaged
.
All supported versions
smc -enable -wss
smc -disable -wss
Enables or disables
Network Traffic Redirection
.
As of version 14.0.1 MP1
smc -p password
Used with a command that requires a password, where
password
is the required password. For example:
smc -p
password
-importconfig
All supported versions
smc -report
Creates a dump file (.dmp) that includes crashes and logical errors that occurred on the client. The file is sent automatically to Symantec Technical Support. Contact Technical Support to ask for help in diagnosing the error.
You can find the dump file at the following location:
SEP_Install
\Data\LocalDumps
Where
SEP_Install
is the installation folder. By default, this path is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\
version
.
As of version 14
smc -runhi
Runs a Host Integrity check.
Returns 0
All supported versions
smc -sepmmanaged
Reverts the client management from the cloud console back to the
Symantec Endpoint Protection Manager
that previously managed it.
As of 14.2 RU1
smc -sepmmanaged path\to\sylink.xml
Updates the client management to the
Symantec Endpoint Protection Manager
specified in the SyLink.xml file.
Equivalent to
-importsylink
.
As of 14.2 RU1
smc -showgui
Displays the client user interface.
Returns 0
All supported versions
smc -updateconfig
Initiates a client-server communication to ensure that the client's configuration file is up-to-date.
If the client's configuration file is out-of-date,
updateconfig
downloads the most recent configuration file and replaces the existing configuration file, which is serdef.dat.
Returns 0
All supported versions
smc -image
Unenrolls the Symantec Agent (
Symantec Endpoint Protection
client) and keeps it unenrolled.
The difference from a regular unenrollment is the removal of the hardware key and the persisted hardware key information.
As of 14.3 RU1 (Symantec Endpoint Security only)
smc -configure -proxy-mode <mode>
Used together with enrollment parameters to enable the client to enroll using the required proxy configuration. Can also be used to correct bad proxy options.
Possible modes are as follows:
system
,
manual
,
none
.
Specifying a proxy address switches automatically to
manual
mode. If you enter
manual
, but don't specify a proxy host, this mode will be ignored.
Not supported on the clients that are managed by
Symantec Endpoint Protection Manager
.
As of 14.3 RU1
smc -configure -proxy-address <host or IP>
Allows to manually specify the proxy host or the proxy address.
Required if the proxy mode is set to
manual
.
As of 14.3 RU1
smc -configure -proxy-port <port number>
Allows to manually specify the proxy port.
The same port will be used both for HTTP and HTTPS connections.
If no ports are specified, the ports are automatically set to 80 for HTTP and 443 for HTTPS.
As of 14.3 RU1
smc -configure -proxy-port-http <port number>
Allows to manually specify the proxy port for HTTP connections.
Overwrites the default HTTP port or the port that has been specified by
smc -configure -proxy-port
.
As of 14.3 RU1
smc -configure -proxy-port-https <port number>
Allows to manually specify the proxy port for HTTPS connections.
Overwrites the default HTTPS port or the port that has been specified by
smc -configure -proxy-port
.
As of 14.3 RU1
smc -configure -proxy-auth-mode basic
Possible authentication modes are as follows:
basic
,
ntlm
.
Default authentication mode is
basic
.
As of 14.3 RU1
smc.exe -configure -proxy-user-name <name>
Allows to manually specify the proxy user.
For
ntlm
, you must specify domain/user.
As of 14.3 RU1
smc -configure -proxy-password <plain pwd>
Allows to manually specify the proxy password.
Maximum length is 255 characters without null. The password is case sensitive.
As of 14.3 RU1
smc -checkinstallation
and
smc -checkrunning
are no longer supported.
* Parameters that only members of the Administrators group can use if the following conditions are met:
  • The client runs Windows Vista or Windows Server 2008, and users are members of the Windows Administrators group.
    If the client runs Windows Vista, and User Account Control is enabled, the user automatically becomes a member of the groups Administrators and Users.
† Parameters that need a password. You password-protect the client in
Symantec Endpoint Protection Manager
.
Combinations of proxy settings entered at a command prompt
Combinations of proxy settings
Action
proxy-mode
proxy-user-name
proxy-password
proxy-address
proxy-port
system
no
no
no
no
Use system proxy
system
yes
no
no
no
ERROR_INVALID_COMMAND_LINE
(missing password)
system
no
yes
no
no
ERROR_INVALID_COMMAND_LINE
(missing user)
system
no
no
yes
no
Use system proxy
(ignore server)
system
yes
yes
no
no
Use system proxy with authentication
system
yes
yes
yes
no
Use system proxy with authentication
(ignore server)
system
yes
yes
yes
yes
Use system proxy with authentication
(ignore server and ports)
manual
no
no
no
no
ERROR_INVALID_COMMAND_LINE
manual
yes
no
no
no
ERROR_INVALID_COMMAND_LINE
manual
no
yes
no
no
ERROR_INVALID_COMMAND_LINE
manual
no
no
yes
no
Valid "manual" (custom) proxy with default ports
manual
yes
yes
no
no
ERROR_INVALID_COMMAND_LINE
manual
yes
yes
yes
no
Valid "manual" (custom) proxy with default ports
manual
yes
yes
yes
yes
Valid "manual" (custom) proxy
manual
yes
no
yes
yes
or no
ERROR_INVALID_COMMAND_LINE
(no password)
manual
no
yes
yes
yes
or no
ERROR_INVALID_COMMAND_LINE
(no user)
none
no
no
no
no
Valid “none” proxy
none
yes
no
no
no
Valid “none” proxy
none
no
yes
no
no
Valid “none” proxy
none
no
no
yes
no
Valid “none” proxy
none
yes
yes
no
no
Valid “none” proxy
none
yes
yes
yes
no
Valid “none” proxy
none
yes
yes
yes
yes
Valid “none” proxy
no
no
no
no
no
No proxy settings
no
yes
no
no
no
No proxy settings
(ignore user)
no
no
yes
no
no
No proxy settings
(ignore password)
no
no
no
yes
no
Valid “manual” (custom) proxy with default ports
no
yes
yes
no
no
No proxy settings
(ignore extra options)
no
yes
yes
yes
no
Valid “manual” (custom) proxy with default ports
no
yes
yes
yes
yes
Valid “manual” (custom) proxy