Use the security scanner command line

Ivanti® Endpoint Security for Endpoint Manager includes the Patch and Compliance tool as the main component of its comprehensive security management solution. Use this tool to download updates for various security content definitions and patches; create, configure, and run security assessment scans, compliance scans, and remediation scans; enable security alerts; generate security reports, and more. For more information, see Patch and Compliance and Patch and Compliance help.

This section provides supplemental information about using the Patch and Compliance security scanner.

Security scanner command-line parameters

The security scanner is called vulscan.exe. The scanner supports the following command-line parameters:

Parameter name Description

General parameters

/AgentBehavior=ScanRepairSettingsID

Overwrites the default behavior of the security scanner (scan and repair settings) for only the current scan job. The ScanRepairSettings ID is a number value.

/ChangeBehaviors /AgentBehavior=ScanRepairSettingsID

Changes the default scan and repair settings for any subsequent security assessment or remediation scan job by writing the scan and repair settings to the device's local registry. Use the exact syntax shown above, with both switches in the command line. The ScanRepairSettings ID is a number value.

NOTE: You can use this option to change the default scan and repair settings for a device without having to do a full agent configuration deployment to the device.

/ShowUI

Shows the scanner UI on the end-user device.

/AllowUserCancelScan

Shows a Cancel button on the scanner UI that lets the end user cancel the scan.

/AutoCloseTimeout=Number

Timeout value in seconds.

NOTE: If the value is set to -1, then the scanner UI waits for the end user to manually close it.

/Scan=Number Code (0-8)

Identifies which security content type is being scanned for. The number codes for the different security content types are:

0 - vulnerability

1 - spyware

2 - security threat

3 - Ivanti updates

4 - custom definition

5 - blocked application

6 - software updates

7 - driver updates

8 - antivirus

100 - all types

/Group=GroupID

Specifies the custom group that should be scanned. Find the custom group ID by selecting the group, right-clicking and selecting Info, and finding the Unique ID.

/AutoFix=True or False

Enables or disables the autofix feature.

Repair parameters

/Repair (Group=GroupID, or Vulnerability=VulnerabilityID, or Vulnerability=All)

Tells the scanner which group or vulnerability to repair (remediate). You can specify All to repair all detected vulnerabilities instead of a single vulnerability by its ID.

/RemovePatch=PatchName

Removes the specified patch from the patch repository.

/RepairPrompt=MessageText

Lets you display a text message that prompts the end user.

/AllowUserCancelRepair

A string that allows the end user to cancel repair if using a repair prompt.

/AutoRepairTimeout=Number

A timeout value for the repair prompt in seconds. If it's set to -1, then the prompt waits for the end user to close it manually.

/DefaultRepairTimeoutAction

A string that sets the default action for vulscan to take if the repair prompt's timeout expires. Acceptable values include start and close.

/StageOnly

A string to retrieve the patch or patches needed for repair, without installing them.

/Local (get files from peer)

Forces peer-only download.

/PeerDownload

Same as /Local.

/SadBandwidth=Number

Maximum percentage of bandwidth to use when downloading.

Reboot parameters

/RebootIfNeeded

Use this parameter to reboot a device if needed.

/RebootAction

A string that determines vulscan's reboot behavior when repairing. Possible values: always, never.

/RebootMessage

A string that displays a text message to the end user in a reboot prompt.

/AllowUserCancelReboot

A string that allows the end user to cancel reboot if using a reboot prompt.

/AutoRebootTimeout=Number

Timeout value of the reboot prompt in seconds. If set to -1, then the UI waits for the user to close it manually.

/DefaultRebootTimeoutAction

A string that determines the action for vulscan to take if the reboot prompt's timeout expires. Acceptable values: reboot, close, snooze.

/SnoozeCount=Number

Number of snoozes. Vulscan decrements this count each time the user clicks Snooze on the reboot prompt.

/SnoozeInterval=Number

Number of seconds for vulscan to sleep between snoozes.

MSI parameters

/OriginalMSILocation=path

Path to original MSI location.

/Username=username

Username for MSI directory.

/Password=password

Password for MSI directory.

Disable parameters

/NoElevate

Runs vulscan with the permissions of the user who is currently logged in.

/NoSleep

Prevents sleeping during a vulnerability scan.

/NoSync

Doesn't acquire the mutex, so multiple instances can scan at the same time.

/NoUpdate

Doesn't get a new version of vulscan.

/NoXML

Doesn't look for msxml.

/NoRepair

Same as /AutoFix=False. Overrides autofix settings if present.

Data files parameters

/Dump

Dumps vulnerability data directly from the web service.

/Data

Pulls in vulnerability data (from /dump).

/O=Path\Filename

Outputs scan results to the specified file instead of to the core server.

/I=Path\Filename

Input scan results.

/Log=Path\Filename

Overrides the log filename and location.

/Reset

Removes the settings and files on the client. This does not delete the log files.

/Clear or /ClearScanStatus

Clears all vulnerability scan information on the core server. This removes the scan history.
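As an added example (not Ivanti's code), the Python below checks a recorded vulscan.exe command line against the value sets documented in the table above and redacts the /Password value before the line is stored. The sample command lines are constructed, and the REVIEW set of switches to surface is this example's own assumption.

```python
import re

# Value sets copied from the parameter table on this page.
ENUMS = {
    "scan": {"0", "1", "2", "3", "4", "5", "6", "7", "8", "100"},
    "autofix": {"true", "false"},
    "rebootaction": {"always", "never"},
    "defaultrepairtimeoutaction": {"start", "close"},
    "defaultreboottimeoutaction": {"reboot", "close", "snooze"},
}
TIMEOUTS = {"autoclosetimeout", "autorepairtimeout", "autoreboottimeout"}
# Assumption (this example's choice, not from the page): switches to surface
# because they persist settings, erase state, or turn off a default.
REVIEW = {"changebehaviors", "reset", "clear", "clearscanstatus",
          "noupdate", "noelevate", "nosync"}
# A switch starts a token: /Name or /Name=value (value may be double-quoted).
SWITCH = re.compile(r'(?<!\S)/(\w+)(?:=("[^"]*"|\S+))?')

def audit(cmdline):
    """Return (redacted command line, findings) for one vulscan invocation."""
    findings = []
    for m in SWITCH.finditer(cmdline):
        name, value = m.group(1).lower(), (m.group(2) or "").strip('"')
        if name in ENUMS and value.lower() not in ENUMS[name]:
            findings.append(f"/{m.group(1)}: value {value!r} is not documented")
        elif name in TIMEOUTS and not re.fullmatch(r"-1|\d+", value):
            findings.append(f"/{m.group(1)}: expected seconds or -1, got {value!r}")
        elif name == "password":
            findings.append("/Password: credential passed on the command line")
        elif name in REVIEW:
            findings.append(f"/{m.group(1)}: review before approving")
    # Redact the MSI directory password before the line is stored or forwarded.
    redacted = re.sub(r'(?i)(?<!\S)(/password=)("[^"]*"|\S+)',
                      r"\1<redacted>", cmdline)
    return redacted, findings

# Constructed sample command lines (not captured from a real system).
SAMPLES = [
    r'vulscan.exe /Scan=0 /ShowUI /AutoCloseTimeout=-1 /NoRepair',
    r'vulscan.exe /Scan=9 /RebootAction=sometimes /AutoRebootTimeout=soon',
    r'vulscan.exe /OriginalMSILocation=\\fs01\msi /Username=svc /Password="S3cr et!"',
    r'vulscan.exe /ChangeBehaviors /AgentBehavior=12 /NoUpdate',
]

if __name__ == "__main__":
    for line in SAMPLES:
        redacted, findings = audit(line)
        print(redacted)
        for finding in findings:
            print("   -", finding)
```

The same check can run over deployment scripts or scheduled-task definitions before they are approved, so that an undocumented /Scan code or a plaintext /Password is caught in review.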