Run CLI commands on hosts from Xprotect

At times you may need to run some CLI commands on the hosts remotely from the Xprotect UI. Running commands can help you get the health and operational status of the core services and apps installed on the hosts. You can also run commands to fetch more details related to the alerts generated on the hosts.

Xprotect currently supports managing Windows, Linux, and macOS hosts. We have seen that you can run all natively supported commands on the hosts if you set the hosts to use the Bash shell prompt as the default terminal prompt.

The commands are run from the following directories on the hosts:

  • Windows - C/Windows/System32

  • Linux and macOS - / (root)

You run a CLI command on a host from the Hosts page and see the results of the command on the Commands page. Also, you can run a command on only one host at a time.


Run CLI commands

The Xprotect agents on the hosts look for Policy updates and commands scheduled from the Xprotect UI once every 30 seconds. You will see that the Status column for the row shows Scheduled until the Xprotect agent runs the command on a host. If the Xprotect agent can run the command on the host, the Status column soon shows Success.

You will not see the option to run a command on a host that is being actively upgraded to a newer version of the agent.

  1. Go to Hosts.

  2. Click the 3-dot menu for a host and click Run a Command.

  3. Go to Commands.

    You see a new row for the command you executed at the top of the page.


View results of successfully run commands

You can see the output of the commands you execute on the hosts in the Xprotect UI. For configuration commands such as ipconfig /flushdns, you can see if the command was successfully executed.

The results you see are not updated in real time. If you rerun the command from the Xprotect UI, the results you see are from the last time you reran the command.

  • To see the result of a command, wait for the Status column to show Success, click the 3-dot menu next to the Status column and click View Results.

  • If needed, click the Copy icon and copy the command to use it again later.

  • If needed, copy the results of the command from the Results area.


View reasons for commands that failed to run

Sometimes, commands are not executed on the hosts. This may be due to incorrect syntax, unreachability of the hosts, or the inability to execute commands. When commands could not be executed on the hosts, the Status column shows Failed.

  • To view the reason why the command could not be executed on the host, click the 3-dot menu next to the Status column and click View Reasons.


Rerun CLI commands

  • To rerun the commands you executed on a host, click the 3-dot menu for the row and click Run Again.

    Xprotect fetches the updated results (if any) for the command.


Next steps

  • If you find any malicious or suspicious activities in the results for the commands, create new Xprotect Policies or update existing Policies to address the threats.
