While using the SCCM console to administer SCEP is always the preferred method, you may find yourself in a situation where you need to perform SCEP tasks without the SCCM console. If there were a major virus outbreak on your network and SCCM was knocked offline, it would be critical to maintain control of your SCEP clients.
Additionally, you may have staff members that need to be able to launch full scans and force definition updates remotely, but you do not wish to grant them access to the SCCM console. This recipe will show you how to leverage MpCmdRun.exe and a great free utility from Microsoft named PsExec to accomplish SCEP administration without the SCCM console.
For this recipe, you will need to be using an account that has local administrator privileges on the targeted PC. You will also need to download PsExec from the following website:
Follow these steps:
Run PsExec.exe from your own workstation. The exe needs to be run from a command prompt with elevated privileges.
psexec \\TargetPCsName "C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe" -scan -2
Scan starting...
Scan finished.
C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe exited on TargetPCsName with error code 0.
psexec \\TargetPCsName "C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe" -SignatureUpdate -MMPC
Signature update started . . .
Signature update finished.
C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe exited on TargetPCsName with error code 0.
psexec \\TargetPCsName "C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe" -getfiles
Files successfully created in C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MpSupportFiles.cab
cab
file.
MpCmdRun.exe is a very useful executable file that can be found on any PC or server that has a SCEP client installed. By using PsExec.exe, we are able to execute remote SCEP commands either in a crisis situation or as part of normal administrative procedures.
If an administrator is going to routinely be performing any of the tasks in this recipe, it might make sense to build MpCmdRun into a script.
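One way to build these commands into a script, as an added example that is not part of the original recipe: a PowerShell wrapper that restricts staff to an allow-list of MpCmdRun tasks and records the exit code for each target. The function name Invoke-ScepRemote, the target names and the log file name are hypothetical, and psexec.exe is assumed to be on the PATH.

```powershell
# Added example, not from the original recipe. Assumes psexec.exe is on PATH and the
# prompt is elevated with an account that is a local administrator on each target.
$MpCmdRun = 'C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe'

# Allow-list: the wrapper can only issue the MpCmdRun commands used in this recipe.
$ScepTasks = @{
    FullScan  = @('-Scan', '-ScanType', '2')
    QuickScan = @('-Scan', '-ScanType', '1')
    Update    = @('-SignatureUpdate', '-MMPC')
    GetFiles  = @('-GetFiles')
}

function Invoke-ScepRemote {    # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)]
        [ValidateSet('FullScan', 'QuickScan', 'Update', 'GetFiles')][string]$Task
    )
    foreach ($pc in $ComputerName) {
        # Accept plain host names only, so nothing else reaches the psexec command line.
        if ($pc -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$') {
            Write-Warning "Skipping invalid computer name: $pc"
            continue
        }
        # Arrays are expanded into separate arguments for native commands.
        & psexec.exe "\\$pc" $MpCmdRun $ScepTasks[$Task] | Out-Host
        $code = $LASTEXITCODE

        # Scan return codes 0 and 2 are the ones documented in the MpCmdRun usage text.
        if ($code -eq 0) {
            $result = 'Success'
        } elseif ($Task -like '*Scan' -and $code -eq 2) {
            $result = 'Malware not remediated, user action required, or scan error: check History'
        } else {
            $result = 'Failed: PsExec or MpCmdRun returned an unexpected code'
        }
        [pscustomobject]@{
            Time = Get-Date; Computer = $pc; Task = $Task; ExitCode = $code; Result = $result
        }
    }
}

# Constructed target names; keep the returned objects as a record of what was run.
Invoke-ScepRemote -ComputerName 'TargetPC01', 'TargetPC02' -Task Update |
    Export-Csv -Path .\scep-remote-log.csv -NoTypeInformation -Append
```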
Additional MpCmdRun functions:
The options in this recipe represent just a handful of the tasks that MpCmdRun can be used for. For your reference, the complete usage output for MpCmdRun is as follows:
Usage: MpCmdRun.exe [command] [-options]

Command Description
   -? / -h
        Displays all available options for this tool
   -Scan [-ScanType #] [-File <path> [-DisableRemediation]]
        Scans for malicious software
   -Trace [-Grouping #] [-Level #]
        Starts diagnostic tracing
   -GetFiles
        Collects support information
   -RemoveDefinitions [-All]
        Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
                      [-DynamicSignatures]
        Removes only the dynamically downloaded signatures
   -SignatureUpdate [-UNC [-Path <path>] | -MMPC]
        Checks for new definition updates
   -Restore -Name <name> [-All]
        Restore the most recently or all quarantined item(s) based on threat name
   -AddDynamicSignature [-Path]
        Loads a dynamic signature
   -ListAllDynamicSignatures
        List the loaded dynamic signatures
   -RemoveDynamicSignature [-SignatureSetID]
        Removes a dynamic signature

Additional Information:

Support information will be in the following directory:
c:\ProgramData\Microsoft\Microsoft Antimalware\Support

   -Scan [-ScanType value]
        0  Default, according to your configuration
        1  Quick scan
        2  Full system scan
        3  File and directory custom scan

        [-File <path>]
             Indicates the file or directory to be scanned, only valid for custom scan.

        [-DisableRemediation]
             This option is valid only for custom scan.
             When specified:
               - File exclusions are ignored.
               - Archive files are scanned.
               - Actions are not applied after detection.
               - Event log entries are not written after detection.
               - Detections from the custom scan are not displayed in the user interface.

        Return code is
        0  if no malware is found or malware is successfully remediated and no additional user action is required
        2  if malware is found and not remediated or additional user action is required to complete remediation or there is error in scanning. Please check History for more information.

   -Trace [-Grouping value] [-Level value]
        Begins tracing Microsoft Antimalware Service's actions.
        You can specify the components for which tracing is enabled and how much information is recorded.
        If no component is specified, all the components will be logged.
        If no level is specified, the Error, Warning and Informational levels will be logged.
        The data will be stored in the support directory as a file having the current timestamp in its name and bearing the extension BIN.

        [-Grouping]
        0x1   Service
        0x2   Malware Protection Engine
        0x4   User Interface
        0x8   Real-Time Protection
        0x10  Scheduled actions
        0x20  NIS/GAPA

        [-Level]
        0x1   Errors
        0x2   Warnings
        0x4   Informational messages
        0x8   Function calls
        0x10  Verbose
        0x20  Performance

   -GetFiles
        Gathers the following log files and packages them together in a compressed file in the support directory
          - Any trace files from Microsoft Antimalware Service
          - The Windows Update history log
          - All Microsoft Antimalware Service events from the System event log
          - All relevant Microsoft Antimalware Service registry locations
          - The log file of this tool
          - The log file of the signature update helper tool

   -RemoveDefinitions
        Restores the last set of signature definitions

        [-All]
             Removes any installed signature and engine files. Use this option if you have difficulties trying to update signatures.

        [-DynamicSignatures]
             Removes all Dynamic Signatures.

   -SignatureUpdate
        Checks for new definition updates

        [-UNC [-Path <path>]]
             Performs update directly from UNC file share specified in <path>
             If -Path is not specified, update will be performed directly from the preconfigured UNC location

        [-MMPC]
             Performs update directly from Microsoft Malware Protection Center

   -Restore -Name <name>
        Restores the most recently quarantined item based on threat name
        One Threat can map to more than one file

        [-All]
             Restores all the quarantined items based on name

   -AddDynamicSignature -Path <path>
        Adds a Dynamic Signature specified by <path>

   -ListAllDynamicSignatures
        Lists SignatureSet ID's of all Dynamic Signatures added to the client via SpyNet and MPCMDRUN -AddDynamicSignature

   -RemoveDynamicSignature -SignatureSetID <SignatureSetID>
        Removes a Dynamic Signature specified by <SignatureSetID>