Use the security scanner command line

Ivanti® Endpoint Security for Endpoint Manager includes the Patch and Compliance tool as the main component of its comprehensive security management solution. Use this tool to download updates for various security content definitions and patches; create, configure, and run security assessment scans, compliance scans, and remediation scans; enable security alerts; generate security reports, and more. For more information, see Patch and Compliance and Patch and Compliance help.

This section provides supplemental information about using the Patch and Compliance security scanner.

Security scanner command-line parameters

The security scanner is called vulscan.exe. The scanner supports the following command-line parameters:

Parameter name Description

General parameters


Overwrites the default behavior of the security scanner (scan and repair settings) for only the current scan job. The ScanRepairSettings ID is a number value.

/ChangeBehaviors /AgentBehavior=ScanRepairSettingsID

Changes the default scan and repair settings for any subsequent security assessment or remediation scan job by writing the scan and repair settings to the device's local registry. Use the exact syntax to the left, with both switches in the command line. The ScanRepairSettings ID is a number value.

NOTE: You can use this option to change the default scan and repair settings for a device without having to do a full agent configuration deployment to the device.


Shows the scanner UI on the end-user device.


Shows a Cancel button on the scanner UI that lets the end user cancel the scan.


Timeout value in seconds.

NOTE: If the value is set to -1, then the scanner UI waits for the end user to manually close it.

/Scan=Number Code (0-8)

Identifies which security content type is being scanned for. The number codes for the different security content types are:

0 - vulnerability

1 - spyware

2 - security threat

3 - Ivanti updates

4 - custom definition

5 - blocked application

6 - software updates

7 - driver updates

8 - antivirus

100 - all types


Specifies the custom group that should be scanned. Find the custom group ID by selecting the group, right-clicking and selecting Info, and finding the Unique ID.

/AutoFix=True or False

Enables or disables the autofix feature.

Repair parameters

/Repair (Group=GroupID, or Vulnerability=VulnerabilityID, or Vulnerability=All)

Tells the scanner which group or vulnerability to repair (remediate). You can specify All to repair all detected vulnerabilities instead of a single vulnerability by its ID.


Removes the specified patch from the patch repository.


Lets you display a text message that prompts the end user.


A string that allows the end user to cancel repair if using a repair prompt.


A timeout value for the repair prompt in seconds. If it's set to -1, then the prompt waits for the end user to close it manually.


A string for the default action for vulscan to take if timeout expires for repair prompt. Acceptable values include start and close.


A string to retrieve the patch or patches needed for repair, without installing them.

/Local (get files from peer)

Forces peer only download.


Same as /local.


Maximum percentage of bandwidth to use when downloading.

Reboot parameters


Use this parameter to reboot a device if needed.


A string that determines vulscan's reboot behavior when repairing. Possible values: always, never


A string that displays a text message to the end user in a reboot prompt.


A string that allows the end user to cancel reboot if using a reboot prompt.


Timeout value of reboot prompt in seconds. If set to -1, then the UI waits for the user to close it manually.


A string that determines the action for vulscan to take if timeout value expires for reboot prompt. Acceptable values: reboot, close, snooze.


Number of snoozes. Vulscan decrements each time the user clicks Snooze on the reboot prompt.


Number of seconds for vulscan to sleep between snoozes.

MSI parameters


Path to original MSI location.


Username for MSI directory.


Password for MSI directory.

Disable parameters


Runs vulscan with the permissions of the user who is currently logged in.


Prevents sleeping during a vulnerability scan.


Doesn't get mutex, scans multiple instances.


Don't get a new version of vulscan.


Don't look for msxml.


Same as autofix=false. Overrides autofix settings if present.

Data files parameters


Dumps vulnerability data directly from the web service.


Pulls in vulnerability data (from /dump).


Outputs scan results to the specified file instead of to the core server.


Input scan results.


Overrides the log filename and location.


Removes the settings and files on the client. This does not delete the log files.

/Clear or /ClearScanStatus

Clears all vulnerability scan information on the core server. This removes the scan history.