• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

Kudos3 Stats

Control the firewall and antivirus via the command line!

hi everyone!

 

Just wanted to let you know that if you own Norton AntiVirus or Norton Internet Security, you can actually use the command line to manage your firewall and antivirus features. This can be useful if you are used to living in the terminal, like to make custom scripts, or just don't feel like opening the application.  The commands are "navx" for antivirus and "npfx" for firewall.  You can learn about them by typing in "navx -h" in the command line.  See below for more.

thanks,

mike


Antivirus commands:

computer:~ user$ navx -h

Usage: navx [OPTION]... [FILE]...
 Options are:
  -a        report all files scanned
  -A        enable alerting
  -c        scan inside of compressed files
  -f        force run, even if the file specified with -o can't be opened
  -h        report files that were inaccessible for scanning
  -L        enable logging
  -o <file> append output to <file>
  -P <secs> enable progress UI, updated every <secs> seconds
  -Q        quarantine files that can't be repaired
  -r        do not repair infected files (invalidates -Q)
  -U        cancel scan if disk unmounted
  -v        display the version number


Firewall commands:


computer:~ user$ npfx -h
    help              [command]
Show all commands, or show usage for a particular command.

    edit              <configuration-name> | "current"


Sets which configuration will be edited. This command only applies when in interactive mode. All future commands apply to that configuration unless the configuration is specified explicitly, in which case it overrides this setting. Defaults to the current configuration.

    enable            [-c <config>] [application-firewall | application-blocking | autoblock | autosetup | connection-blocking | location-awareness | norton-communitywatch | ports-firewall | vulnerability-protection | restrict-essential-services | suspicious-incoming | suspicious-outgoing | stealth-mode | udp | vpn-support]
    -c    The name of the configuration to edit or "current" for the current configuration. Uses the configuration previously specified with the "edit" command when omitted.
    -f    The feature you want to enable is the last parameter

Enables a particular feature.

    disable           [-c <config>] [application-firewall | application-blocking | autoblock | autosetup | connection-blocking | location-awareness | norton-communitywatch | ports-firewall | vulnerability-protection | restrict-essential-services | suspicious-incoming | suspicious-outgoing | stealth-mode | udp | vpn-support]    -c    The name of the configuration to edit or "current" for the current configuration. Uses the configuration previously specified with the "edit" command when omitted.
             The feature you want to disable is the last parameter


Disables a particular feature.

    import            -i filename [-p password]
    -i    The path to the file from which the settings should be imported
    -p    The password that was used to protect the settings file, if the settings file is password protected

Imports the settings for a particular feature from a file.

    export            -o filename [-c <config>] [all | application-firewall | application-blocking | autoblock | norton-communitywatch | location-awareness | ports-firewall | vulnerability-protection]    -c    The name of the configuration to export, "current" for the current configuration, or "all" to export all configurations. Defaults to "all".
    -f    The feature you want to export, or all for all settings.
    -o    The path to the file that will store the exported settings.
    -p    The password to use to protect the settings file (optional).

Exports the settings for a particular feature or set of features to a file.
(null)

    set-application   [-p path] [allow | deny]
    -p    The path to the application that should be added to the firewall.
Sets whether an application is trusted or blocked in Application Blocking. If the specified application does not exist, it is added to the applications list. The Application Blocking setting for the application is then changed to the setting specified. If no setting is specified, the default is to deny the application.

    add-application-rule [-c <config>] [-p path] [-d incoming | outgoing] [allow-all | deny-all | allow ... | deny ... | default allow/deny/ask ]
    -c    The name of the configuration to edit or "current" for the current configuration. Uses the configuration previously specified with the "edit" command when omitted.
    -p    The path to the application that should be restricted.
    -d    The direction of the rule that will be created.

Modifies the setting for the specified application. If the specified application does not exist in the list of applications, then a new application will be added to the list. To modify the default rule (which is used when no other more specific rule is found), specify the 'default' keyword.

    add-service       [-n name] [-p start-end] [-p port] ...
    -n    The user-specified name of the service.

    -p    A port specification as either a range of ports (start-end) or a single port. Use multiple -p parameters to create multiple ports.
Adds a new service to the global services list. This service can later be referenced from the command line using any port number used by the service. Note that port numbers in the firewall must be unique among all services, so if a port number is in use by another service (such as a well-defined service) then a new service cannot use that same port number.

    add-service-rule  [-c <config>] [-p port | -s <service name>] [-d incoming | outgoing] [allow-all | deny-all | allow ... | deny ... | default allow/deny ]
    -c    The name of the configuration to edit or "current" for the current configuration (default).
    -p    The port number of the service to modify.
    -d    The direction of the rule that will be created.

Modifies the setting for the specified port or service. If the specified service does not exist in the list of services, then a new service will be created using the specified port number and added to the list. If a predefined service with the same port number exists, then the predefined service will be used.

    add-zone-rule     [-c <config>] [-t | -b] [<ip address> | current-subnet] ...
    -c   The name of the configuration to edit. Use "current" for the current configuration or "global" to make the changes apply to no particular location.
    -t   Adds the IP address to the Trust Zone
    -b   Adds the IP address to the Block Zone
    <ip address> is one or more IPv4 addresses in dotted quad notification, or one or more IPv6 addresses in hex notation. An optional mask may be specified at the end of each address using <ip address>/mask. If no mask is specified the full 32 or 128 bits of the address are matched.

Adds an IP address to the specified zone. Use current-subnet to add a special IP address that matches all local network traffic.

    delete-ip         [-c <config>] [-t | -b | -p <port> | -a <app> | -s <service name>] [-d incoming | outgoing] [-A allow | deny] [<ip address> | current-subnet] ...
    -c   The name of the configuration to edit. Use "current" for the current configuration or "global" to make the changes apply to no particular location (only valid when editing the Trust/Block IP zone).
    -a    Remove the IP address from the settings for the application with the specified path
    -d   The direction of the rule (incoming or outgoing); only valid when adding IP addresses to applications firewall or ports firewall
    -p    Remove the IP address from the settings for the specified port number
    -t    Remove the IP address from the Trust Zone
    -b    Remove the IP address from the Block Zone
    -A   The action of the IP address to remove
    <ip address> is one or more IPv4 addresses in dotted quad notification, or one or more IPv6 addresses in hex notation. An optional mask may be specified at the end of each address using <ip address>/mask. If no mask is specified the full 32 or 128 bits of the address are matched.

Removes an IP address from the specified list. Use current-subnet to remove the special IP address that matches all local network traffic.

    create-configuration [-c <configuration name>] [-u]
    -c    The name of the configuration to create
    -u    Make all further commands apply to this location (same as calling set-location on the newly created configuration)

Creates a new configuration.

    delete-configuration [-c <configuration name>]
    -c    The name of the configuration to delete
Deletes a configuration. You cannot delete a configuration that is currently in use, so if the named configuration is the current configuration this command will fail.

    duplicate-configuration [-o <old configuration name>] [-n <new configuration name> [-u]
    -o    The name of the configuration to duplicate
    -n    The name of the new configuration to create
    -u    Make all further commands apply to this location (same as calling set-location on the newly created configuration)

Duplicates a configuration.

    set-location      [-l <location name>] [-s <setting name>]
    -c    Change the setting for the current location or currently applied configuration. This option is mutually exclusive with the -l option.
    -l    The name of the location that should be modified
    -s    The name of the setting

Changes the configuration for the specified location or network to the specified setting. When location awareness is not enabled, use the -c option to change the configuration currently in use while location awareness is off. When location awareness is enabled, this changes the setting for the location currently in use.

    set-reporting     [-f [application-blocking | connection-blocking | location-awareness | restrict-essential-services | stealth-mode | suspicious | vulnerability-protection] -d [incoming | outgoing] -a [allowed | denied] [-w signatureID | application-path | service-name | service-port] -r [log notify none]
    -f    The name of the feature whose reporting settings should be modified
    -d    The direction of the connection (applies only to connection-blocking)
    -a    The action taken by the firewall (applies only to connection-blocking)
    -w    Which application, service or intrusion signature should be modified, to override the defaults settings (applies only to connection-blocking or vulnerability-protection). If omitted, the default settings are modified.n    -r    The reporting flags, comma-separated. Valid values are log, notify and none. Example value is log,notify to enable logging and notifications.
Changes the reporting settings for the specified feature. If the -w flag is used, then the reporting settings for a particular application, service or signature will be modified. Otherwise the global reporting settings for that feature are modified.


 

Replies

Kudos0

Re: Control the firewall and antivirus via the command line!

hi everyone!

 

Just wanted to let you know that if you own Norton AntiVirus or Norton Internet Security, you can actually use the command line to manage your firewall and antivirus features. This can be useful if you are used to living in the terminal, like to make custom scripts, or just don't feel like opening the application.  The commands are "navx" for antivirus and "npfx" for firewall.  You can learn about them by typing in "navx -h" in the command line.  See below for more.

thanks,

mike


Antivirus commands:

computer:~ user$ navx -h

Usage: navx [OPTION]... [FILE]...
 Options are:
  -a        report all files scanned
  -A        enable alerting
  -c        scan inside of compressed files
  -f        force run, even if the file specified with -o can't be opened
  -h        report files that were inaccessible for scanning
  -L        enable logging
  -o <file> append output to <file>
  -P <secs> enable progress UI, updated every <secs> seconds
  -Q        quarantine files that can't be repaired
  -r        do not repair infected files (invalidates -Q)
  -U        cancel scan if disk unmounted
  -v        display the version number


Firewall commands:


computer:~ user$ npfx -h
    help              [command]
Show all commands, or show usage for a particular command.

    edit              <configuration-name> | "current"


Sets which configuration will be edited. This command only applies when in interactive mode. All future commands apply to that configuration unless the configuration is specified explicitly, in which case it overrides this setting. Defaults to the current configuration.

    enable            [-c <config>] [application-firewall | application-blocking | autoblock | autosetup | connection-blocking | location-awareness | norton-communitywatch | ports-firewall | vulnerability-protection | restrict-essential-services | suspicious-incoming | suspicious-outgoing | stealth-mode | udp | vpn-support]
    -c    The name of the configuration to edit or "current" for the current configuration. Uses the configuration previously specified with the "edit" command when omitted.
    -f    The feature you want to enable is the last parameter

Enables a particular feature.

    disable           [-c <config>] [application-firewall | application-blocking | autoblock | autosetup | connection-blocking | location-awareness | norton-communitywatch | ports-firewall | vulnerability-protection | restrict-essential-services | suspicious-incoming | suspicious-outgoing | stealth-mode | udp | vpn-support]    -c    The name of the configuration to edit or "current" for the current configuration. Uses the configuration previously specified with the "edit" command when omitted.
             The feature you want to disable is the last parameter


Disables a particular feature.

    import            -i filename [-p password]
    -i    The path to the file from which the settings should be imported
    -p    The password that was used to protect the settings file, if the settings file is password protected

Imports the settings for a particular feature from a file.

    export            -o filename [-c <config>] [all | application-firewall | application-blocking | autoblock | norton-communitywatch | location-awareness | ports-firewall | vulnerability-protection]    -c    The name of the configuration to export, "current" for the current configuration, or "all" to export all configurations. Defaults to "all".
    -f    The feature you want to export, or all for all settings.
    -o    The path to the file that will store the exported settings.
    -p    The password to use to protect the settings file (optional).

Exports the settings for a particular feature or set of features to a file.
(null)

    set-application   [-p path] [allow | deny]
    -p    The path to the application that should be added to the firewall.
Sets whether an application is trusted or blocked in Application Blocking. If the specified application does not exist, it is added to the applications list. The Application Blocking setting for the application is then changed to the setting specified. If no setting is specified, the default is to deny the application.

    add-application-rule [-c <config>] [-p path] [-d incoming | outgoing] [allow-all | deny-all | allow ... | deny ... | default allow/deny/ask ]
    -c    The name of the configuration to edit or "current" for the current configuration. Uses the configuration previously specified with the "edit" command when omitted.
    -p    The path to the application that should be restricted.
    -d    The direction of the rule that will be created.

Modifies the setting for the specified application. If the specified application does not exist in the list of applications, then a new application will be added to the list. To modify the default rule (which is used when no other more specific rule is found), specify the 'default' keyword.

    add-service       [-n name] [-p start-end] [-p port] ...
    -n    The user-specified name of the service.

    -p    A port specification as either a range of ports (start-end) or a single port. Use multiple -p parameters to create multiple ports.
Adds a new service to the global services list. This service can later be referenced from the command line using any port number used by the service. Note that port numbers in the firewall must be unique among all services, so if a port number is in use by another service (such as a well-defined service) then a new service cannot use that same port number.

    add-service-rule  [-c <config>] [-p port | -s <service name>] [-d incoming | outgoing] [allow-all | deny-all | allow ... | deny ... | default allow/deny ]
    -c    The name of the configuration to edit or "current" for the current configuration (default).
    -p    The port number of the service to modify.
    -d    The direction of the rule that will be created.

Modifies the setting for the specified port or service. If the specified service does not exist in the list of services, then a new service will be created using the specified port number and added to the list. If a predefined service with the same port number exists, then the predefined service will be used.

    add-zone-rule     [-c <config>] [-t | -b] [<ip address> | current-subnet] ...
    -c   The name of the configuration to edit. Use "current" for the current configuration or "global" to make the changes apply to no particular location.
    -t   Adds the IP address to the Trust Zone
    -b   Adds the IP address to the Block Zone
    <ip address> is one or more IPv4 addresses in dotted quad notification, or one or more IPv6 addresses in hex notation. An optional mask may be specified at the end of each address using <ip address>/mask. If no mask is specified the full 32 or 128 bits of the address are matched.

Adds an IP address to the specified zone. Use current-subnet to add a special IP address that matches all local network traffic.

    delete-ip         [-c <config>] [-t | -b | -p <port> | -a <app> | -s <service name>] [-d incoming | outgoing] [-A allow | deny] [<ip address> | current-subnet] ...
    -c   The name of the configuration to edit. Use "current" for the current configuration or "global" to make the changes apply to no particular location (only valid when editing the Trust/Block IP zone).
    -a    Remove the IP address from the settings for the application with the specified path
    -d   The direction of the rule (incoming or outgoing); only valid when adding IP addresses to applications firewall or ports firewall
    -p    Remove the IP address from the settings for the specified port number
    -t    Remove the IP address from the Trust Zone
    -b    Remove the IP address from the Block Zone
    -A   The action of the IP address to remove
    <ip address> is one or more IPv4 addresses in dotted quad notification, or one or more IPv6 addresses in hex notation. An optional mask may be specified at the end of each address using <ip address>/mask. If no mask is specified the full 32 or 128 bits of the address are matched.

Removes an IP address from the specified list. Use current-subnet to remove the special IP address that matches all local network traffic.

    create-configuration [-c <configuration name>] [-u]
    -c    The name of the configuration to create
    -u    Make all further commands apply to this location (same as calling set-location on the newly created configuration)

Creates a new configuration.

    delete-configuration [-c <configuration name>]
    -c    The name of the configuration to delete
Deletes a configuration. You cannot delete a configuration that is currently in use, so if the named configuration is the current configuration this command will fail.

    duplicate-configuration [-o <old configuration name>] [-n <new configuration name> [-u]
    -o    The name of the configuration to duplicate
    -n    The name of the new configuration to create
    -u    Make all further commands apply to this location (same as calling set-location on the newly created configuration)

Duplicates a configuration.

    set-location      [-l <location name>] [-s <setting name>]
    -c    Change the setting for the current location or currently applied configuration. This option is mutually exclusive with the -l option.
    -l    The name of the location that should be modified
    -s    The name of the setting

Changes the configuration for the specified location or network to the specified setting. When location awareness is not enabled, use the -c option to change the configuration currently in use while location awareness is off. When location awareness is enabled, this changes the setting for the location currently in use.

    set-reporting     [-f [application-blocking | connection-blocking | location-awareness | restrict-essential-services | stealth-mode | suspicious | vulnerability-protection] -d [incoming | outgoing] -a [allowed | denied] [-w signatureID | application-path | service-name | service-port] -r [log notify none]
    -f    The name of the feature whose reporting settings should be modified
    -d    The direction of the connection (applies only to connection-blocking)
    -a    The action taken by the firewall (applies only to connection-blocking)
    -w    Which application, service or intrusion signature should be modified, to override the defaults settings (applies only to connection-blocking or vulnerability-protection). If omitted, the default settings are modified.n    -r    The reporting flags, comma-separated. Valid values are log, notify and none. Example value is log,notify to enable logging and notifications.
Changes the reporting settings for the specified feature. If the -w flag is used, then the reporting settings for a particular application, service or signature will be modified. Otherwise the global reporting settings for that feature are modified.


 

Kudos0

Re: Control the firewall and antivirus via the command line!

And this is also great for administrators because it means that you can run it on a remote Mac through ssh :-)

Corentin 

This thread is closed from further comment. Please visit the forum to start a new thread.