Introduction
This document describes the command line interface (CLI) commands that can be used with the Secure Endpoint Connector on Linux and macOS.
Background Information
The CLI commands are available to all users on the system; however, some commands depend on the policy configuration and/or root privileges. Commands with such dependencies are fully described in this document.
Cisco Secure Endpoint Mac/Linux CLI
Navigating to the CLI
Once the Secure Endpoint Connector is installed and running on the system, the Secure Endpoint CLI can be used:
- Open a Terminal window on Mac/Linux.
- Run the CLI tool from the following path:
- On Linux:
/opt/cisco/amp/bin/ampcli
- On Mac:
/opt/cisco/amp/ampcli
- When the CLI starts, the following message is displayed:
ampcli - Cisco Secure Endpoint Connector Command Line Interface
Interactive mode
Enter 'q' or Ctrl+c to Exit
[logger] Set minimum reported log level to notice
Trying to connect...
Connected.
ampcli>
Available CLI Commands
Note: All available CLI commands can also be run directly from the command line. For example, /opt/cisco/amp/bin/ampcli help or /opt/cisco/amp/ampcli help works the same as launching the CLI and running help.
ampcli> help
about About Cisco Secure Endpoint connector
bp Show and sync behavioral protection signatures
* See 'bp help' for more.
clamav Show and sync ClamAV definitions
* See 'clamav help' for more.
connectivity-test Run connection tests
* See 'connectivity-test help' for more.
definitions Show virus definitions
defupdate Update virus definitions
exclusions List custom exclusions
history Show event history
* See 'history help' for more.
notify Toggle notifications
policy Show policy
quarantine List/restore quarantined file(s)
* See 'quarantine help' for more.
quit (or q) Quit ampcli interactive mode
scan Initiate/pause/stop a scan
* See 'scan help' for more.
status Get ampdaemon status
* See 'status help' for more.
sync Sync policy
verbose Toggle verbose mode
- The bp, clamav, connectivity-test, history, scan and quarantine commands take additional parameters, which are described when the user runs the command with help:
ampcli> bp help
Supported bp parameters:
status
Display engine and definition information
sync
Synchronizes BP signatures
ampcli> clamav help
Supported clamav parameters:
status Display engine and definition information
sync Synchronizes ClamAV definitions
ampcli> connectivity-test help
Supported connectivity-test parameters:
all Performs all connectivity tests
bpsig Performs a Behavioral Protection signature fetch test
crashdump Performs an upload test of a crash diagnostic
event Verifies connectivity to the event intake server
hc Performs a minimal connection test with the registration server
orbitalupdate Performs an orbital update download test
policy Performs a policy fetch test of the current policy. A policy serial number can be provided to fetch a specific policy
* Usage: 'policy [serial number]' (optional serial number, must be greater than 0)
fileupload Performs a file upload test
update Performs a connector update download test
ampcli> history help
Supported history parameters:
list List history
* Listing starts at page 1. Each time 'list' is run we move to
the next page. Specify a page number to jump directly to
that page.
pagesize Set history page size (max: 12)
* e.g. 'ampcli> history pagesize 10'
ampcli> scan help
Supported scan parameters:
flash Perform a flash scan
full Perform a full scan
custom Perform a custom scan on a file or directory (recursive)
e.g. '...> scan custom file_or_directory_to_scan'
pause Pause a running scan
resume Resume a paused scan
cancel Cancel a running scan
list List scheduled scans
ampcli> quarantine help
Supported quarantine parameters:
list List currently quarantined files
* Listing starts at page 1. Each time 'list' is run we move to
the next page. Specify a page number to jump directly to
that page.
restore Restore file by quarantine id
e.g. '...> quarantine restore <quarantine id>'
run 'quarantine list' first to find <quarantine id> in listing
Note: Use the help parameter to list the supported input parameters for a given command, with the exception of status help. When help is issued with the status CLI command, a list of all supported connector statuses is displayed, with a short description and the possible reasons for each status. The current connector status is marked with ** in the table.
CLI Command Usage
ampcli> about
Cisco Secure Endpoint Connector v1.16.0.123
Copyright (c) 2013-2021 Cisco Systems, Inc. All rights reserved.
This product incorporates open source software; refer to
/opt/cisco/amp/doc/acknowledgement.txt for details.
[ 22b608b3-b20e-4bd3-8b53-def824acce8a ]
bp
(This option is only available on connector version 1.22.0+ on Linux and macOS)
status
- Displays Behavioral Protection engine and definition information
- If Behavioral Protection is not enabled, no further engine or signature information is provided:
ampcli> bp status
Behavioral Protection is not enabled
ampcli> bp status
APDE Engine Version: 3.1.0.0
BP Mode: Protect
BP Signature Serial Number: 8071
BP Signature Last Loaded: 2023-05-02 05:44:09 PM
ampcli> clamav status
Definition Version: ClamAV(bytecode.cvd: 334, daily.cvd: 26893, main.cvd: 62)
Definitions Published: bytecode.cvd: 22 Feb 2023 16-33 -0500
daily.cvd: 01 May 2023 03-22 -0400
main.cvd: 16 Sep 2021 08-32 -0400
Definitions Last Updated: 2023-05-01 04:01:55 PM
connectivity-test
all
- Performs all connectivity tests
bpsig
- Performs a Behavioral Protection signature fetch test
crashdump
- Performs an upload test of a crash diagnostic
event
- Verifies connectivity to the event intake server
hc
- Performs a minimal connection test with the registration server
orbitalupdate
- Performs an Orbital update download test
policy [serial number]
- Performs a policy fetch test of the current policy. A policy serial number can be provided to fetch a specific policy
fileupload
- Performs a file upload test
update
- Performs a connector update download test
defupdate
- Sends a request to the cloud to update the virus definitions.
exclusions
- Displays the connector's current exclusions:
ampcli> exclusions
Exclusions:
Path /home
Path /mnt/hgfs
Regular Expression /var/log/.*\.log
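The exclusions output above is worth auditing rather than just reading: a Path exclusion as broad as /home takes every user's files out of scanning. The following Python script, added here as an example and not part of Cisco's documentation or tooling, parses the two entry kinds shown on this page, tests whether a given path would fall under an exclusion, and flags top-level Path exclusions for review. The matching semantics it applies (a Path covers everything beneath it; a Regular Expression must match the whole path) are this example's assumptions, not documented connector behaviour.

```python
import re

# Output of 'ampcli exclusions' as shown on this page, embedded here so the
# example runs offline (constructed input; in practice read it from the CLI).
SAMPLE_EXCLUSIONS = r"""Exclusions:
Path /home
Path /mnt/hgfs
Regular Expression /var/log/.*\.log
"""


def parse_exclusions(text):
    """Parse 'ampcli exclusions' output into (kind, pattern) tuples.

    Only the two entry kinds visible on this page are handled:
    'Path' and 'Regular Expression'.
    """
    exclusions = []
    for line in text.splitlines():
        line = line.strip()
        for kind in ("Regular Expression", "Path"):
            if line.startswith(kind + " "):
                exclusions.append((kind, line[len(kind) + 1:].strip()))
                break
    return exclusions


def is_excluded(path, exclusions):
    """Return True if 'path' would be covered by one of the exclusions.

    Assumption of this example: a Path exclusion covers the path itself and
    everything beneath it; a Regular Expression exclusion must match the
    whole path (re.fullmatch).
    """
    for kind, pattern in exclusions:
        if kind == "Path":
            root = pattern.rstrip("/")
            if path == root or path.startswith(root + "/"):
                return True
        elif kind == "Regular Expression":
            if re.fullmatch(pattern, path):
                return True
    return False


def broad_exclusions(exclusions, max_depth=1):
    """Return Path exclusions with at most 'max_depth' directory components.

    A top-level exclusion such as /home removes every user's files from
    scanning, so entries this shallow deserve review.
    """
    shallow = []
    for kind, pattern in exclusions:
        if kind != "Path":
            continue
        depth = len([part for part in pattern.split("/") if part])
        if depth <= max_depth:
            shallow.append(pattern)
    return shallow


if __name__ == "__main__":
    entries = parse_exclusions(SAMPLE_EXCLUSIONS)
    for candidate in ("/home/alice/download.sh", "/var/log/app.log", "/var/log/app.txt"):
        print(candidate, "excluded" if is_excluded(candidate, entries) else "scanned")
    print("broad path exclusions:", broad_exclusions(entries))
```

Feed the script the real output of /opt/cisco/amp/bin/ampcli exclusions (or /opt/cisco/amp/ampcli exclusions on Mac) to check whether a path of interest is being scanned before assuming the connector covers it.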
history
history list
- Lists the history of connector activity (scans, quarantines, etc.)
history pagesize <numeric_value>
- Sets the page size of the history view (maximum: 12)
ampcli> history pagesize 12
Page size set to 12
isolate
(This option is only available for Mac connector version 1.21.0 and later; it is not available on Linux)
isolate stop <token>
- Stops an endpoint isolation session, using the token that was used to start the isolation session
notify
- Turns connector notifications on/off in the CLI.
- This setting must also be enabled in the connector policy.
- On Mac, this does not affect notifications in the UI.
ampcli> notify
Notifications set to on
ampcli> notify
Notifications set to off
ampcli> policy
Quarantine Behavior:
Quarantine malicious files.
Protection:
Monitor program install.
Monitor program start.
Passive on-execute mode.
Proxy: NONE
Notifications: Do not display cloud notifications.
Policy: Audit Policy for Cisco Secure Endpoint (#5755)
Last Updated: 2020-01-08 04:49 PM
Definition Version: ClamAV(bytecode.cvd: 331, daily.cvd: 25721, main.cvd: 59)
Definitions Last Updated: 2020-01-08 05:09 PM
For Mac connector version 1.16.0 and later, and Linux connector version 1.17.0 and later, the policy includes the policy state of Orbital:
Orbital: Enabled
The Orbital policy setting has two values:
- Enabled: Orbital is enabled through policy.
- Disabled: Orbital is disabled through policy.
For Mac connector version 1.21.0 and later (not available on Linux), the policy includes the policy state of endpoint isolation:
Isolation: Enabled
The isolation policy setting has two values:
- Enabled: Endpoint isolation is enabled through policy.
- Disabled: Endpoint isolation is disabled through policy.
posture
- Shows the connector posture in JSON format
posture prettyprint
- Prints the posture in pretty-printed JSON format
ampcli> posture
{"running": true, "connected": true, "connector_version": "1.19.1.1419", "agent_uuid": "e03ecde8-1aee-4d15-8bca-100e952ee4b9", "offline_engine": "ClamAV", "offline_engine_version": "0.103.5", "definition_version": "osx.cvd:1152", "last_definition_update_published": "osx.cvd: 05 May 2022 13-00 -0400", "last_definition_update_success": 1651857785, "last_scan": 1651857897, "last_scan_status": false, "protect_file_mode": true, "protect_process_mode": true, "scans": [{"scan_type": "flash", "scan_in_progress": false, "last_scan_finished": 1651857039}, {"scan_type": "full", "scan_in_progress": false, "last_scan_finished": 1651857897}, {"scan_type": "custom", "scan_in_progress": false, "last_scan_finished": 1651856819}], "engines": [{"enabled": true, "name": "ClamAV", "version": "0.103.5", "definitions": [{"version": 1152, "name": "osx.cvd", "timestamp": 1651770000, "last_successful_update": 1651857785}]}]}
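Because posture is emitted as JSON, it is the natural input for a scripted health check from a configuration-management or monitoring job. The following Python script is an added example, not Cisco's code: it runs ampcli posture non-interactively from the two binary paths documented on this page (falling back to the page's sample output when no connector is installed) and reports findings such as the connector not running or connected, a protect mode being off, stale definitions, or a disabled engine. The 7-day definition-age threshold and the wording of the findings are this example's own choices.

```python
import json
import subprocess
import time

# CLI binary paths documented on this page: Linux first, then Mac.
AMPCLI_PATHS = ("/opt/cisco/amp/bin/ampcli", "/opt/cisco/amp/ampcli")

# The 'ampcli posture' sample shown on this page, embedded so the example runs
# without a connector installed.
SAMPLE_POSTURE = '''{"running": true, "connected": true, "connector_version": "1.19.1.1419", "agent_uuid": "e03ecde8-1aee-4d15-8bca-100e952ee4b9", "offline_engine": "ClamAV", "offline_engine_version": "0.103.5", "definition_version": "osx.cvd:1152", "last_definition_update_published": "osx.cvd: 05 May 2022 13-00 -0400", "last_definition_update_success": 1651857785, "last_scan": 1651857897, "last_scan_status": false, "protect_file_mode": true, "protect_process_mode": true, "scans": [{"scan_type": "flash", "scan_in_progress": false, "last_scan_finished": 1651857039}, {"scan_type": "full", "scan_in_progress": false, "last_scan_finished": 1651857897}, {"scan_type": "custom", "scan_in_progress": false, "last_scan_finished": 1651856819}], "engines": [{"enabled": true, "name": "ClamAV", "version": "0.103.5", "definitions": [{"version": 1152, "name": "osx.cvd", "timestamp": 1651770000, "last_successful_update": 1651857785}]}]}'''


def load_posture(raw):
    """Parse the JSON text produced by 'ampcli posture'."""
    return json.loads(raw)


def run_ampcli_posture():
    """Run 'ampcli posture' non-interactively and return the parsed JSON."""
    for path in AMPCLI_PATHS:
        try:
            result = subprocess.run([path, "posture"], capture_output=True, text=True, check=True)
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue
        return load_posture(result.stdout)
    raise RuntimeError("ampcli not found at any documented path")


def evaluate_posture(posture, now, max_definition_age_days=7):
    """Return a list of findings; an empty list means the connector looks healthy.

    'now' is a Unix timestamp so results are reproducible. The definition-age
    threshold is this example's own choice, not a Cisco value.
    """
    findings = []
    if not posture.get("running"):
        findings.append("connector is not running")
    if not posture.get("connected"):
        findings.append("connector is not connected to the cloud")
    for mode in ("protect_file_mode", "protect_process_mode"):
        if not posture.get(mode):
            findings.append(f"{mode} is off")
    last_update = posture.get("last_definition_update_success")
    if last_update is None:
        findings.append("no successful definition update recorded")
    else:
        age_days = (now - last_update) // 86400
        if age_days > max_definition_age_days:
            findings.append(f"definitions stale: last successful update {age_days} days ago")
    for scan in posture.get("scans", []):
        if scan.get("scan_in_progress"):
            findings.append(f"{scan.get('scan_type')} scan still in progress")
    for engine in posture.get("engines", []):
        if not engine.get("enabled"):
            findings.append(f"engine {engine.get('name')} is disabled")
    return findings


if __name__ == "__main__":
    try:
        posture = run_ampcli_posture()
    except RuntimeError:
        posture = load_posture(SAMPLE_POSTURE)
    for finding in evaluate_posture(posture, int(time.time())) or ["healthy"]:
        print(finding)
```

Run on a real endpoint, the script exits normally and prints "healthy" or one line per finding; wiring the findings into a monitoring alert is left to the caller.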
quarantine
(This option is only available to users with root privileges.)
quarantine list
- Lists the quarantined items on the system.
quarantine restore <quarantine_id>
- Restores a quarantined file by its quarantine id (which can be found with the quarantine list command).
quit (or q)
- Exits the Secure Endpoint Mac/Linux Connector CLI.
scan flash
- Performs a flash scan of the system.
scan full
- Performs a full scan of the system.
scan custom <path_to_scan>
- Scans the specified file or directory.
scan pause
- Pauses any scan that is currently running.
scan resume
- Resumes any scan that is currently paused.
scan cancel
- Cancels any scan that is currently running.
scan list
- Lists all scheduled scans that will run on the system.
status
- Provides the current status of the connector on the system.
status help
- Displays a table with all connector statuses, the current connector status, a description of each status, and the reasons for a given status.
ampcli> status
Status: Connected
Mode: Normal
Scan: Ready for scan
Last Scan: 2020-01-22 03:57 PM
Policy: Audit Policy for Cisco Secure Endpoint (#5755)
Command-line: Enabled
Faults: None
If faults are present on the endpoint, the Faults field shows the number of faults at each severity level (Critical/Major/Minor). Since connector version 1.12.3, the CLI also shows a Fault IDs field listing the fault code of each fault raised on the endpoint, and the CLI outputs guidance for each fault present on the endpoint.
For example:
Faults: 1 Critical, 1 Major
Fault IDs: 1, 3
ID 1 - Critical: The system extensions failed to load. Approve the system extensions in Security & Privacy System Preferences.
ID 3 - Major: Full Disk Access not granted. Grant access to the ampdaemon executable in Security & Privacy System Preferences.
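The status output is plain "Key: Value" text, so a fleet-level check needs to parse both the summary fields and the fault lines. The following Python parser is an added example, not Cisco's code: it turns ampcli status output into a dictionary, extracts the per-severity fault counts, the Fault IDs list and the per-fault guidance lines, and reports the worst severity present. The healthy sample is the one shown on this page; the faulty sample is constructed by substituting this page's fault example into the same output.

```python
import re

# Healthy 'ampcli status' output as shown on this page.
SAMPLE_STATUS_HEALTHY = """Status: Connected
Mode: Normal
Scan: Ready for scan
Last Scan: 2020-01-22 03:57 PM
Policy: Audit Policy for Cisco Secure Endpoint (#5755)
Command-line: Enabled
Faults: None
"""

# Constructed variant: the same output with this page's fault example
# substituted for the Faults line.
SAMPLE_STATUS_FAULTY = """Status: Connected
Mode: Normal
Scan: Ready for scan
Last Scan: 2020-01-22 03:57 PM
Policy: Audit Policy for Cisco Secure Endpoint (#5755)
Command-line: Enabled
Faults: 1 Critical, 1 Major
Fault IDs: 1, 3
ID 1 - Critical: The system extensions failed to load. Approve the system extensions in Security & Privacy System Preferences.
ID 3 - Major: Full Disk Access not granted. Grant access to the ampdaemon executable in Security & Privacy System Preferences.
"""

SEVERITIES = ("Critical", "Major", "Minor")  # ordered from worst to least severe
FAULT_LINE = re.compile(r"^ID (\d+) - (Critical|Major|Minor): (.+)$")


def parse_status(text):
    """Parse 'ampcli status' output into fields, fault counts, ids and guidance."""
    fields = {}
    details = []
    for line in text.splitlines():
        line = line.strip()
        m = FAULT_LINE.match(line)
        if m:
            # Per-fault guidance line, e.g. "ID 1 - Critical: ..."
            details.append({"id": int(m.group(1)), "severity": m.group(2), "guidance": m.group(3)})
            continue
        if ":" in line:
            # Split on the first colon only; values such as timestamps contain colons.
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    counts = {sev: 0 for sev in SEVERITIES}
    faults_field = fields.get("Faults", "None")
    if faults_field != "None":
        for count, sev in re.findall(r"(\d+) (Critical|Major|Minor)", faults_field):
            counts[sev] = int(count)
    fault_ids = [int(x) for x in re.findall(r"\d+", fields.get("Fault IDs", ""))]
    return {"fields": fields, "fault_counts": counts, "fault_ids": fault_ids, "fault_details": details}


def worst_severity(report):
    """Return the most severe fault level present, or None when there are no faults."""
    for sev in SEVERITIES:
        if report["fault_counts"][sev] > 0:
            return sev
    return None


def is_healthy(report):
    """Healthy means the connector reports 'Connected' (see the status help table) and no faults."""
    return report["fields"].get("Status") == "Connected" and worst_severity(report) is None


if __name__ == "__main__":
    for sample in (SAMPLE_STATUS_HEALTHY, SAMPLE_STATUS_FAULTY):
        report = parse_status(sample)
        print("healthy" if is_healthy(report) else f"worst fault: {worst_severity(report)}")
        for fault in report["fault_details"]:
            print(f"  fault {fault['id']} ({fault['severity']}): {fault['guidance']}")
```

In practice the input comes from running /opt/cisco/amp/bin/ampcli status (or /opt/cisco/amp/ampcli status on Mac) non-interactively, as the note at the top of the command list describes.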
ampcli> status help
Status Description Reason(s)
=================================================================================
| Initializing... | Program starting/loading. | --
| | |
| Provisioning... | Endpoint identity | --
| | enrollment/subscription. |
| | |
| Provisioning | Endpoint identity | Cannot reach AMP services.
| failed, retrying | enrollment/subscription failed. | Missing SSL certificates.
| | Connector will retry. |
| | |
| Registering... | Registering endpoint identity. | --
| | |
| Registration | Endpoint identity registration | Cannot reach AMP services.
| failed, retrying | failed. Connector will retry. | Missing SSL certificates.
| | |
| Connecting... | Registering with disposition | --
| | service. |
| | |
| Connection failed, | Registration with disposition | Cannot reach AMP services.
| retrying | service failed. Connector will | Missing SSL certificates.
| | retry. |
| | |
| ** Connected | Enrollment and registration | --
| | succeeded. Connected to AMP |
| | services. Connector is operating |
| | normally. |
| | |
| Disabled | Connector is not operational. | AMP subscription is invalid
| | | or has expired.
| | |
| Disconnected, | Lost connection to the disposition | Network connection to the
| retrying | service after an initial | disposition service has been
| | connection was established. | interrupted.
| | Connector will attempt to |
| | reconnect. |
| | |
| Offline (the | The local network has been | Cable disconnected.
| network is down) | disconnected. | The network interface is
| | | disabled.
| | |
=================================================================================
** indicates the current status of the Connector
Run "ampcli connectivity-test" to help diagnose connection errors
For Mac connector version 1.16.0 and later, and Linux connector version 1.17.0 and later, the status includes the latest state of Orbital on the computer:
Orbital: Enabled (Running)
The Orbital status has three values:
- Enabled (Running): indicates that Orbital is enabled in the current policy and the Orbital service is currently running on the computer.
- Enabled (Not Running): indicates that Orbital is enabled in the current policy but the Orbital service is not currently running on the computer.
- Disabled: indicates that Orbital is not enabled in the current policy.
For Mac connector version 1.21.0 and later (not available on Linux), the status includes the current state of endpoint isolation on the computer:
Isolation: Isolated
The isolation status has three values:
- Isolated: indicates that endpoint isolation is enabled in the current policy and the computer is isolated from the network.
- Not Isolated: indicates that endpoint isolation is enabled in the current policy and the computer is not isolated.
- Disabled in Policy: indicates that endpoint isolation is not enabled in the current policy.
ampcli> verbose
Verbose mode set to on
ampcli> verbose
Verbose mode set to off
Related Information
Technical Support & Documentation - Cisco Systems
Cisco Secure Endpoint - User Guide