Command-line basics

Activate agent with manager at the specified URL in this format:

dsm://<host>:<port>/

where:

<host> could be either the manager's fully qualified domain name (FQDN), IPv4 address, or IPv6 address

<port> is the manager's listening port number

Optionally, after the argument, you can also specify some settings such as the description to send during activation. See Agent-initiated heartbeat command ("dsa_control -m"). They must be entered as key:value pairs (with a colon as a separator). There is no limit to the number of key:value pairs that you can enter, but the key:value pairs must be separated from each other by a space. Quotation marks around the key:value pair are required if it includes spaces or special characters.

Create an update bundle.

Not supported on macOS

Identify the certificate file.

Not supported on macOS

Generate an agent package.

For more detailed instructions, see Create an agent diagnostic package via CLI on a protected computer.

Agent URL.

Defaults to https://localhost:<port>/ where <port> is the manager's listening port number.

Not supported on macOS

Force the agent to contact the manager now.

-p <str> or --passwd=<str>

Authentication password that you might have configured in Server & Workload Protection previously. See Configure self-protection through Workload Security for details.

If configured, the password must be included with all dsa_control commands except dsa_control -a, dsa_control -x, and dsa_control -y.

Example: dsa_control -m -p MyPa$w0rd

If you type the password directly into the command line, it is displayed on the screen. To hide the password with asterisks (*) while you type, enter the interactive form of the command, -p \*, which prompts you for the password.

Example:

Reset the agent's configuration. This will remove the activation information from the agent and deactivate it.

Restore a quarantined file. On Windows, you can also restore cleaned and deleted files.

Enable agent self-protection (1: enable, 0: disable). Self-protection prevents local end-users from uninstalling, stopping, or otherwise controlling the agent. For details, see Enable or disable agent self-protection. Note: Although dsa_control lets you enable self-protection, it does not let you configure an associated authentication password. You'll need Server & Workload Protection for that. See Configure self-protection through Workload Security for details. Once configured, the password will need to be entered at the command line using the -p or --passwd= option.

If dsa_control cannot contact the agent service to carry out accompanying instructions, this parameter instructs dsa_control to retry <num> number of times. There is a 1 second pause between retries. Not supported on macOS

Used in conjunction with the -x option to specify the proxy's username and password, if the proxy requires authentication. Separate the username and password by a colon (:). For example, # ./dsa_control -x dsm_proxy://<str> -u <new username>:<new password>. To remove the username and password, type an empty string (""). For example, # ./dsa_control -x dsm_proxy://<str> -u <existing username>:"". If you only want to update the proxy's password without changing the proxy's username, you can use the -u option without -x. For example, # ./dsa_control -u <existing username>:<new password>. Basic authentication only. Digest and NTLM are not supported. Note: Using dsa_control -u only applies to the agent's local configuration. No security policy is changed on the manager as a result of running this command.

Used in conjunction with the -y option to specify the proxy's user name and password, if the proxy requires authentication. Separate the username and password by a colon (:). For example, # ./dsa_control -y relay_proxy://<str> -w <new username>:<new password>. To remove the username and password, type an empty string (""). For example, # ./dsa_control -y relay_proxy://<str> -w <existing username>:"". If you only want to update the proxy's password without changing the proxy's username, you can use the -w option without -y. For example, # ./dsa_control -w <existing username>:<new password>. Basic authentication only. Digest and NTLM are not supported. Note: Using dsa_control -w only applies to the agent's local configuration. No security policy is changed on the manager as a result of running this command.

Configure a proxy between the agent and manager. Provide the proxy's IPv4/IPv6 address or FQDN and port number, separated by a colon (:). Square brackets must surround IPv6 addresses. For example: dsa_control -x "dsm_proxy://[fe80::340a:7671:64e7:14cc]:808/". To remove the address, instead of a URL, type an empty string (""). See also the -u option. For more information, see Connect to Server & Workload Protection via proxy. Note: Using dsa_control -x only applies to the agent's local configuration. No security policy is changed on the manager as a result of running this command.

Configure a proxy between an agent and relay. Provide the proxy's IP address or FQDN and port number, separated by a colon (:). Square brackets must surround IPv6 addresses. For example: dsa_control -y "relay_proxy://[fe80::340a:7671:64e7:14cc]:808/". To remove the address, instead of a URL, type an empty string (""). See also the -w option. For more information, see Connect to relays via proxy. Note: Using dsa_control -y only applies to the agent's local configuration. No security policy is changed on the manager as a result of running this command.

Build the baseline for Integrity Monitoring. Not supported on macOS

Scan for changes for Integrity Monitoring. Not supported on macOS

Number of times to retry an activation. Valid values are 0 to 100, inclusive. The default value is 30.

Approximate delay in seconds between retrying activations. Valid values are 1 to 3600, inclusive. The default value is 300.

A flag to enable/disable auto-detect OS proxy. The flag is controlled by agent configuration in C1WS. Values are 1: Enable, 0: Disable.

The timeout values of the proxy resolver, which can be set in seconds, can be set by dsa_control --osProxyResolveTimeout=<resolveTimeout>;<connectTimeout>;<sendTimeout>;<receiveTimeout>. Note they are separated by semicolons and each timeout value ranges from 10 to 180.

Configures a Proxy Auto-Configuration (PAC) server to resolve the corresponding proxy for the agent. Provide the PAC server's IP address or FQDN, port number, and path of the PAC file. For example: http://<Host>:<Port>/<PAC file>To clear the PAC proxy setting, type an empty string ("").

The command must assign a certain component type, for example:

Set a PAC server for resolving proxy to communicate between Manager

Set a PAC server for resolving proxy to communicate between Relay

Set both of the above commands at once:

Clear existing settings:> dsa_control --pacproxyunpw "" manager relay

For more information, see Connect to relays via proxy.

Used in conjunction with the --pacproxy option. It specifies the PAC resolved proxy's user name and password, if the proxy requires authentication. Separate the username and password with a colon (:).To clear the username and password, type an empty string ("").The command must assign a certain component type, for example:Set a PAC server for resolving proxy to communicate between Manager> dsa_control --pacproxyunpw <username>:<password> managerSet a PAC server for resolving proxy to communicate between Relay> dsa_control --pacproxyunpw <username>:<password> relaySet both of the above commands at once:> dsa_control --pacproxyunpw <username>:<password> manager relayClear existing settings:> dsa_control --pacproxyunpw "" manager relayTo update the proxy's password without changing the proxy's username, use the --pacproxyunpw option without --pacproxy:> dsa_control --pacproxyunpw <existing username>:<new password>.

Boolean. Cancels an on-demand ("manual") scan that is currently occurring on the computer.

no

yes

Boolean. Initiates an on-demand ("manual") anti-malware scan on the computer.

no

yes

String. Sets the computer's description. Maximum length 2000 characters.

yes

yes

String. Sets the display name shown in parentheses next to the hostname on Computers. Maximum length 2000 characters.

yes

yes

Integer. Sets the externalid value. This value can be used to uniquely identify an agent. The value can be accessed using the legacy SOAP web service API.

yes

yes

String. Sets which group the computer belongs to on Computers. Maximum length 254 characters per group name per hierarchy level. The forward slash ("/") indicates a group hierarchy. The group parameter can read or create a hierarchy of groups. This parameter can only be used to add computers to standard groups under the main "Computers" root branch. It cannot be used to add computers to groups belonging to directories (Microsoft Active Directory), VMware vCenters, or cloud provider accounts.

yes

yes

Integer.

yes

yes

String. Maximum length 254 characters. The hostname can specify an IP address, hostname or FQDN that the manager can use to connect to the agent.

yes

no

Boolean. Initiates an integrity scan on the computer.

no

yes

String. Maximum length 254 characters. The policy name is a case-insensitive match to the policy list. If the policy is not found, no policy will be assigned. A policy assigned by an event-based task will override a policy assigned during agent-initiated activation.

yes

yes

Integer.

yes

yes

String. Links the computer to a specific relay group. Maximum length 254 characters. The relay group name is a case-insensitive match to existing relay group names. If the relay group is not found, the default relay group will be used. This does not affect relay groups assigned during event-based tasks. Use either this option or event-based tasks, not both.

yes

yes

Integer.

yes

yes

Integer.

yes

yes

tenantID and token

String. If using agent-initiated activation as a tenant, both tenantID and token are required. The tenantID and token can be obtained from the deployment script generation tool.

"tenantID:12651ADC-D4D5" and "token:8601626D-56EE"

yes

yes

Boolean. Initiate a recommendation scan on the computer.

no

yes

Boolean. Instructs Server & Workload Protection to perform a security update. When using the UpdateComponent parameter on version 12.0+ agents, make sure the relay is also at version 12.0 or later. Learn more.

no

yes

Boolean. Rebuilds the Integrity Monitoring baseline on the computer.

no

yes

Boolean. Instructs Server & Workload Protection to perform a "Send Policy" operation.

no

yes

Authentication password used with the optional agent self-protection feature. Required if you specified a password when enabling self-protection. Note: For some query-commands, authentication can be bypassed directly, in such case, password is not required.

Execute query-command against the agent. The following commands are supported: "GetHostInfo": to query which identity is returned to the manager during a heartbeat "GetAgentStatus": to query which protection modules are enabled, the status of Anti-Malware or Integrity Monitoring scans in progress, and other miscellaneous information "GetComponentInfo": to query version information of anti-malware patterns and engines "GetPluginVersion": to query version information of the agent and protection modules

Returns the same query-command information as "-c" but in raw data format for third party software interpretation.

Wild card pattern to filter result. Optional. Example: dsa_query -c "GetComponentInfo" -r "au" "AM*"