Sensor Installation Parameters

When you install sensors on Windows machines using the command line, you can optionally use command line parameters to set sensor features and configuration. These parameters override sensor personalization settings and settings adopted from the assigned sensor policy. Work with Technical Support when using command line parameters to ensure you are using the correct parameters for your environment.

Important

If you install the sensor using the command line and use installation parameters, we recommend that you perform any future sensor upgrades from the command line. While you can perform upgrades from the UI, these upgrades do not preserve the installation parameter settings.

Supported sensor installation parameters

The following table describes parameters available to use to install sensors for Windows.

Parameter

Description

Possible Values

AP_APP_CTRL

Enable or disable Application Control.

1 - Enable Application Control.

2 (Default) - Disable Application Control. With this setting, Application Control is installed on the endpoint, but does not perform any actions.

AP_CRS_SERVICE_MODE

Whether to install Anti-Ransomware and which actions to take if ransomware is detected.

0 - Do not install the Anti-Ransomware solution.

1 - Detect ransomware but do not suspend or prevent it.

2 - Detect and suspend ransomware.

3 - Detect, suspend, and prevent ransomware from further local execution (if Application Control is enabled).

Note

Use of this parameter may cause unexpected results in Anti-Ransomware configuration. It is recommended to use the AP_POLICIES_INITIAL_POLICY_ID parameter to ensure the correct Anti-Ransomware configuration.

ANTI_MALWARE

Enable or disable Anti-Malware.

0 - Disable Anti-Malware.

1 - Enable Anti-Malware.

AP_POWERSHELL_SERVICE_MODE

Enable or disable PowerShell and .NET protection.

0 - Disable PowerShell protection.

1 - Enable PowerShell protection.

Note

Use of this parameter may cause unexpected results in Fileless Protection configuration. It is recommended to use the AP_POLICIES_INITIAL_POLICY_ID parameter to ensure the correct Fileless Protection configuration.

AP_AV_MODE

Set the Anti-Malware > Signatures mode.

1 - Disable

2 - Detect only

3 - Detect and disinfect

5 - Prevent

Note

Use of this parameter may cause unexpected results in Anti-Malware > Signatures mode configuration. It is recommended to use the AP_POLICIES_INITIAL_POLICY_ID parameter to ensure the correct Anti-Ransomware configuration.

AP_AV_PROXY_LIST

Defines a proxy server used for communication between the sensor and the Anti-Malware Signatures database. Provide a comma-separated list of proxy servers in the following format:

<server IP or DNS name>:<TCP Port>

This parameter is specific to the Anti-Malware Signatures database. To define a proxy for communication between the sensor and the Detection and Registration servers, use the AP_SIGNON_PROXY_LIST parameter.

Example: 10.24.31.241:1080.

AP_AV_PROXY_TYPE

Defines the communication type for the proxy server used for communication between the sensor and the Anti-Malware Signatures database. Values can be HTTP or PAC. HTTP is used when there is a single proxy or list of specific proxies in the AP_AV_PROXY_LIST parameter. PAC is used when there is a PAC file referenced in the AP_AV_PROXY_LIST parameter.

This parameter is specific to the Anti-Malware Signatures database. To define a proxy for communication between the sensor and the Detection and Registration servers, use the AP_SIGNON_PROXY_TYPE parameter.

Example: AP_AV_PROXY_LIST=<ProxyIP_Name>:<Proxy_Port> AP_AV_PROXY_TYPE=HTTP

AP_GROUP_ID

Presets the sensor's group ID.

Example: 7ec27987-838a-47b9-87f8-3864a232a7d2

AP_ORGANIZATION

Unique organization name, as defined in the server installation process.

Your Cybereason Customer Success representative can provide you with this value. You can also find this value in the installer package name provided for your organization.

<organization_name>

Example:

ACMECORP

AP_PORT

Port used by the sensor to connect to the Cybereason Detection server.

Your Cybereason Customer Success representative can provide you with this value. You can also find this value in the installer package name provided for your organization.

Note

Be sure to disable SSL inspection of sensor traffic to this server.

Typically, 443 or 8443

AP_POLICIES_INITIAL_POLICY_ID

Assign the specified sensor policy to the sensor. If this parameter is left blank, the Default policy is assigned.

Note

Sensor policy parameters are not available when upgrading from 19.1 to a later version. See Sensor Policies for more information on sensor policy management.

Policy ID (string)

Default - blank string

Example: 32174ae6-0117-49a4-a48c-b2419228221e

AP_POLICIES_KEEP_SENSOR_CONFIGURATION

Used mainly when upgrading to 19.1 or later from a version prior to 19.1.

When set to 1, sensors will keep any individual security configurations on top of the policy defined with the AP_POLICIES_INITIAL_POLICY_ID parameter. We recommend setting the parameter to 0 for new installs, and 1 for upgrades.

Note

Sensor policy parameters are not available when upgrading from 19.1 to a later version. See Sensor Policies for more information on sensor policy management.

0 - Clear all individual configurations and apply security settings specified by the assigned policy.

1 - Keep all individual configurations in addition to the assigned policy.

9 (Default) - Uses the following logic: If AP_POLICIES_INITIAL_POLICY_ID is set, assign that policy and clear individual overrides. If not set, keep individual sensor security settings.

AP_SA_DETECT_MODE

Sensitivity level for the Anti-Malware AI Detect mode.

1 - Disable

2 - Cautious

3 - Moderate

4 - Aggressive

AP_SA_PREVENT_MODE

Sensitivity level for the Anti-Malware AI Prevent mode.

1 - Disable

2 - Cautious

3 - Moderate

4 - Aggressive

AP_SERVER

URL or IP address of the Cybereason Detection server. Your Cybereason Customer Success representative can provide you with this value. You can also find this value in the installer package name provided for your organization.

Note

Be sure to disable SSL inspection of sensor traffic to this server.

Valid URL or IP address

AP_SIGNON_SERVER

URL or IP address of the Cybereason Registration server. This is mutually exclusive with AP_SERVER/AP_PORT.

Valid URL or IP address

AP_SIGNON_PORT

Port used by the sensor to connect to a Cybereason Registration server. This is mutually exclusive with AP_SERVER/AP_PORT.

Typically, 443 or 8443

AP_DETECTION_PROXY_AS_SIGNON

Whether the sensor should use the proxy settings configured for the Registration server.

When enabled (1), the sensor uses the proxy defined in AP_SIGNON_PROXY_LIST and AP_SIGNON_PROXY_TYPE for communication between the sensor and the Detection server. Any proxy settings defined in the Detection servers screen are ignored.

When disabled (0), the sensor uses the proxy settings defined in the Detection servers screen.

0 - Sensor uses the proxy settings configured in the Detection servers screen.

1 (Default) - Sensor uses the proxy settings configured for the Registration server.

AP_SIGNON_PROXY_LIST

For environments with a Registration server. A comma-separated list of proxy servers in the following format:

<server IP or DNS name>:<TCP Port>

AP_SIGNON_PROXY_LIST and AP_PROXY_LIST are mutually exclusive.

Note

This parameter defines a proxy for the Registration server. To also define a proxy for the Detection server, either set the AP_DETECTION_PROXY_AS_SIGNON parameter to 1, or define a proxy for the Detection server via the Detection servers screen in the UI.

Example: 10.24.31.241:1080.

AP_SIGNON_PROXY_TYPE

For environments with a Registration server. Values can be HTTP or PAC. HTTP is used when there is a single proxy or list of specific proxies in the AP_SIGNON_PROXY_LIST parameter. PAC is used when there is a PAC file referenced in the AP_SIGNON_PROXY_LIST parameter. AP_SIGNON_PROXY_TYPE and AP_PROXY_TYPE are mutually exclusive.

Example: AP_SIGNON_PROXY_LIST=<ProxyIP_Name>:<Proxy_Port> AP_SIGNON_PROXY_TYPE=HTTP

AP_STATE

The sensor state at installation. See sensor data collection states for more information.

ACTIVE_NORMAL (Default)

ACTIVE_DELAYED

INACTIVE

AP_UNINSTALL_CODE

When uninstalling a sensor that has been protected with an uninstall password, use this parameter to enter the uninstall password. To obtain this password, contact Technical Support.

Uninstall password.

AV_SIGNATURE_PATH

When installing sensors with the Anti-Malware signatures database included (Windows only), you can optionally place the Signatures database zip file in a different folder than the installation exe file (e.g. in a shared network folder). In this case, you must use this parameter to provide the path to the Signatures zip file. Enter the full path, not including the file name.

Note

The Signatures zip file is named cumulative.zip. For the AV_SIGNATURE_PATH to refer to the Signatures zip file correctly, do not rename the file.

Full path to folder (on local machine or network drive). Example: C:\temp\x64.

AP_PROXY_LIST

This parameter is relevant for legacy environments that do not include a Registration server. As a best practice, we recommend using the AP_SIGNON_PROXY_LIST parameter instead of this parameter.

Comma-separated list of proxy servers or PAC files in the following format:

<server IP or DNS name>:<TCP Port>,<server IP or DNS name>:<TCP Port>

It is not possible to define more than one PAC proxy.

This parameter may be omitted if the proxy is not in use or if the proxy can be auto-detected by the sensor.

Example:

10.24.31.241:1080,10.24.31.241:8080

Important: If you define more than one HTTP proxy using the AP_PROXY_LIST parameter, you must repeat the HTTP value in the AP_PROXY_TYPE parameter according to the number of proxies or files. For example:

AP_PROXY_LIST=10.24.31.241:1080,10.24.31.241:18080

AP_PROXY_TYPE=HTTP,HTTP

AP_PROXY_TYPE

This parameter is relevant for legacy environments that do not include a Registration server. As a best practice, we recommend using the AP_SIGNON_PROXY_TYPE parameter instead of this parameter.

HTTP or PAC. HTTP is used when the AP_PROXY_LIST parameter contains a single proxy or list of specific proxies. PAC is used when the AP_PROXY_LIST parameter references a PAC file. Define the proxy type in the following format:

For HTTP proxies:

AP_PROXY_LIST=<ProxyIP_Name>:<Proxy_Port>

AP_PROXY_TYPE=HTTP

For PAC files:

AP_PROXY_LIST=<PAC_file_path>

AP_PROXY_TYPE=PAC

Note

This parameter may be omitted if the proxy is not in use or if the proxy can be auto-detected by the sensor. This parameter must be omitted if the AP_PROXY_LIST parameter is not provided in the command line.

Examples:

HTTP proxy:

AP_PROXY_LIST=10.24.31.241:1080,10.24.31.241:18080

AP_PROXY_TYPE=HTTP

PAC file:

AP_PROXY_LIST=http://10.24.31.241:80/proxypac.pac

AP_PROXY_TYPE=PAC

Important: If you define more than one HTTP proxy using the AP_PROXY_LIST parameter, you must repeat the HTTP value in the AP_PROXY_TYPE parameter according to the number of proxies or files. For example:

AP_PROXY_LIST=10.24.31.241:1080,10.24.31.241:18080

AP_PROXY_TYPE=HTTP,HTTP

Note

In most cases, it is not necessary to set the AP_ORGANIZATION, AP_SERVER, AP_SIGNON_SERVER, AP_PORT, AP_SIGNON_PORT and AP_STATE parameters, as these parameters are usually preset by Technical Support using sensor personalization. Modifying these parameters should be done in cooperation with Technical Support. Technical Support can also assist with additional configuration options, such as options for core dumps.

Sensor installation parameters usage examples

This section demonstrates the recommended usage for commonly used sensor installation parameters.

Example 1

The following example shows how to specify a logfile path, proxy list, proxy type, and enable App Control:

<installer file name> /install /quiet /norestart -l C:\Temp\CybereasonInstall.log AP_SIGNON_PROXY_LIST=10.24.31.241:1080 AP_SIGNON_PROXY_TYPE=HTTP AP_APP_CTRL=1

Example 2

The following example shows how to assign a specific sensor security policy during installation while keeping any existing configurations. AP_POLICIES_KEEP_SENSOR_CONFIGURATION is used mainly for upgrades, so that upon upgrade, your sensors retain all current settings.

Note

Cybereason does not recommend overriding policies, because individual overrides can be difficult to manage at scale.

<installer file name> /install /quiet /norestart -l C:\Temp\CybereasonInstall.log AP_POLICIES_INITIAL_POLICY_ID=32174ae6-0117-49a4-a48c-b2419228221e AP_POLICIES_KEEP_SENSOR_CONFIGURATION=1
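
A pre-flight check for a command line like those above, as an added example (not Cybereason code): it tests a parameter set against the documented values, the mutual-exclusion rules, and the legacy proxy rules from the table, following the "Important" rule that several proxies need one type each. The function name Test-SensorInstallParameters and the sample host names are hypothetical.

```powershell
# Added example, not vendor code: the function name and sample values are hypothetical.
function Test-SensorInstallParameters {
    param([Parameter(Mandatory)][hashtable]$Params)
    $issues = [System.Collections.Generic.List[string]]::new()
    # Allowed values, copied from the "Possible Values" column of the table.
    $allowed = @{
        AP_APP_CTRL = '1','2'; AP_CRS_SERVICE_MODE = '0','1','2','3'
        ANTI_MALWARE = '0','1'; AP_POWERSHELL_SERVICE_MODE = '0','1'
        AP_AV_MODE = '1','2','3','5'; AP_DETECTION_PROXY_AS_SIGNON = '0','1'
        AP_SA_DETECT_MODE = '1','2','3','4'; AP_SA_PREVENT_MODE = '1','2','3','4'
        AP_POLICIES_KEEP_SENSOR_CONFIGURATION = '0','1','9'
        AP_STATE = 'ACTIVE_NORMAL','ACTIVE_DELAYED','INACTIVE'
    }
    foreach ($name in $allowed.Keys) {
        if ($Params.ContainsKey($name) -and "$($Params[$name])" -notin $allowed[$name]) {
            $issues.Add("$name=$($Params[$name]) is not a documented value")
        }
    }
    # Pairs the table marks as mutually exclusive.
    $exclusive = @(
        @('AP_SIGNON_SERVER','AP_SERVER'), @('AP_SIGNON_SERVER','AP_PORT'),
        @('AP_SIGNON_PORT','AP_SERVER'), @('AP_SIGNON_PORT','AP_PORT'),
        @('AP_SIGNON_PROXY_LIST','AP_PROXY_LIST'), @('AP_SIGNON_PROXY_TYPE','AP_PROXY_TYPE')
    )
    foreach ($pair in $exclusive) {
        if ($Params.ContainsKey($pair[0]) -and $Params.ContainsKey($pair[1])) {
            $issues.Add("$($pair[0]) and $($pair[1]) are mutually exclusive")
        }
    }
    # Legacy proxy rules: AP_PROXY_TYPE requires AP_PROXY_LIST, one type per
    # entry when several proxies are listed, and at most one PAC entry.
    if ($Params.ContainsKey('AP_PROXY_TYPE')) {
        $types = @("$($Params['AP_PROXY_TYPE'])" -split ',')
        if (-not $Params.ContainsKey('AP_PROXY_LIST')) {
            $issues.Add('AP_PROXY_TYPE must be omitted when AP_PROXY_LIST is absent')
        } else {
            $count = @("$($Params['AP_PROXY_LIST'])" -split ',').Count
            if ($count -gt 1 -and $types.Count -ne $count) {
                $issues.Add("AP_PROXY_LIST has $count entries, AP_PROXY_TYPE has $($types.Count)")
            }
        }
        if (@($types -eq 'PAC').Count -gt 1) { $issues.Add('Only one PAC proxy is allowed') }
    }
    return $issues
}
# Constructed input: both server styles, two proxies with one type, undocumented AV mode.
Test-SensorInstallParameters -Params @{
    AP_SERVER = 'detect.example.test'; AP_SIGNON_SERVER = 'reg.example.test'; AP_AV_MODE = '4'
    AP_PROXY_LIST = '10.24.31.241:1080,10.24.31.241:18080'; AP_PROXY_TYPE = 'HTTP'
}
```

An empty result means the parameter set passed these checks; it does not confirm that the values are correct for your environment.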