Utilizing MpCmdRun.exe
One of the most vital tools for a SCEP admin is MpCmdRun.exe. With this command-line utility, you can perform a definition rollback, force a signature update, restore a file from quarantine, or kick off a scan. Almost any operational scripting task you wish to perform will center on MpCmdRun.exe.
Getting Ready…
By default, MpCmdRun is stored in the C:\Program Files\Microsoft Security Client\Antimalware directory. Although MpCmdRun can be used to accomplish many tasks with SCEP, this recipe will only describe how to launch a full scan from the command line.
How to do it…
- Open the Command Prompt window.
- Navigate to the C:\Program Files\Microsoft Security Client\Antimalware directory.
- Enter the following command (2 is the full system scan type listed in the utility's help output):
MpCmdRun -Scan -ScanType 2
- Once the full scan is completed, close the Command Prompt window.
How it works…
To view all options available for the utility, enter MpCmdRun -? in the Command Prompt window. A partial output is included for reference in the following example. The full contents of the MpCmdRun help file can be found in the appendix.

Usage: MpCmdRun.exe [command] [-options]

Command                                                     Description
-? / -h                                                     Displays all available options for this tool
-Scan [-ScanType #] [-File <path> [-DisableRemediation]]    Scans for malicious
    -Scan [-ScanType value]
        0  Default, according to your configuration
        1  Quick scan
        2  Full system scan
        3  File and directory custom scan [-File <path>]
There's more...
Below are some alternate examples of ways in which MpCmdRun could be utilized.
One example of how MpCmdRun could be useful is a scenario where your WSUS infrastructure has gone offline and you want to temporarily force your clients to pull definitions from an alternate source without modifying the SCEP policy.
In this case, you would need to either manually enter the following command or create a script that contains it (the -UNC switch takes the file share to pull from; \\servername\sharename is a placeholder):
MpCmdRun -SignatureUpdate -UNC \\servername\sharename
The -Restore option can be utilized to restore files that have been erroneously quarantined, without having to directly access the client UI. This could be done remotely using a tool such as PsExec.
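A scripted form of the WSUS-offline fallback described above, added here as an example (it is not part of the original recipe): a small wrapper runs MpCmdRun.exe, logs its output and exit code so an unattended or PsExec-launched run leaves an audit trail, pulls definitions from a file share, and then launches the full scan from the recipe. The share \\FILESRV01\Definitions and the log path are placeholders.

```powershell
# Added example, not from the original recipe. Placeholders: the UNC share
# \\FILESRV01\Definitions and the log file path below.
$MpCmdRun = Join-Path ${env:ProgramFiles} 'Microsoft Security Client\Antimalware\MpCmdRun.exe'
$LogFile  = Join-Path $env:ProgramData 'scep-mpcmdrun.log'

function Invoke-MpCmdRun {
    param([Parameter(Mandatory)][string[]]$Arguments)

    if (-not (Test-Path $MpCmdRun)) { throw "MpCmdRun.exe not found at $MpCmdRun" }

    # Capture stdout/stderr and the exit code so a scheduled task or a remote
    # PsExec run can be reviewed afterwards, not just watched on the console.
    $output = & $MpCmdRun @Arguments 2>&1
    $exit   = $LASTEXITCODE
    "{0} MpCmdRun {1} => exit {2}" -f (Get-Date -Format s), ($Arguments -join ' '), $exit |
        Add-Content -Path $LogFile
    $output | Add-Content -Path $LogFile
    return $exit
}

# Force a definition update directly from the file share instead of WSUS
# (-SignatureUpdate -UNC <path>, as listed by MpCmdRun -?).
$rc = Invoke-MpCmdRun -Arguments '-SignatureUpdate', '-UNC', '\\FILESRV01\Definitions'
if ($rc -ne 0) {
    Write-Warning "Definition update from share failed (exit $rc); see $LogFile"
    exit $rc
}

# Definitions are current, so run the full system scan from the recipe.
$rc = Invoke-MpCmdRun -Arguments '-Scan', '-ScanType', '2'
if ($rc -ne 0) { Write-Warning "Full scan returned exit $rc; see $LogFile" }
exit $rc
```

Run it in an elevated PowerShell session; a non-zero exit code from either step is propagated so a scheduled task or deployment tool can flag the client.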