MSI command line reference for Symantec Endpoint Protection

Article:TECH102668  |  Created: 2007-01-16  |  Updated: 2013-11-20  |  Article URL
Article Type
Technical Solution


This is a list of the most commonly used MSI commands for Symantec Endpoint Protection (SEP) and Symantec Network Access Control (SNAC).


Windows Installer (MSI) command-line parameters

  • /QN - quiet (no UI)

  • /QB - quiet (basic UI)

  • /L*V log.txt - full verbose logging to file log.txt

  • PRODUCTINSTALLDIR = path (optional)

    • Default is C:\Program Files\Symantec\Symantec Endpoint Protection (32-bit) or C:\Program Files (x86)\Symantec\Symantec Endpoint Protection (64-bit)

    • Note: On SEP products prior to version 12.1.671.4971, use: INSTALLDIR = path

  • SYMREBOOT = value (SEP 12.1.x)
    REBOOT = value (SEP 11.x)

    where value is one of the following options:

    • Force - Requires that the computer is restarted.

    • Suppress - Prevents most reboots.

    • ReallySuppress - Prevents all restarts as part of the installation process, even a silent installation. During migration a reboot may be required. By suppressing a required reboot, full product functionality may not be available until a reboot has taken place. This may not be apparent on a silent install or migration as no user interface messages are displayed.

Additional client installation properties

 The variable val represents the values presented beneath the property, which are valid for that property.


    • 1 - Run LiveUpdate after install (default)

    • 0 - Do not run LiveUpdate after install


    • 1 - On (default)

    • 0 - Off

  • SYMPROTECTDISABLED=val      Note: This option is only valid with SEP 11.x.

    • 1 - On (default)

    • 0 - Off

  • CACHE_INSTALLER=val (SEP 12.1.x)
    CACHEINSTALL=val (SEP 11.x) 

    • 1 - Cache the installation files (default)

    • 0 - Don't cache the installation files


    • 0 - Don't preserve settings

    • 1 - Preserve all Sygate firewall/network access settings

    • 2 - Preserve SyLink.xml and logs only


    • 0 = Do not add program to the Start Menu folder

    • 1 = Add program to Start Menu folder (default)

  • SAV10UNINSTALLFIXRUN=val    Note: this option is only valid with SEP 11.x.

    • 1 = Already run

    • 0 = Not yet run

      Upgrading Symatec AntiVirus (SAV) 10.x or Symantec Client Security (SCS) 3.x requires modification of the cached install package or the upgrade will fail. If SAV 10.x or SCS 3.x are detected, the install will abort unless the user is an administrator of the local machine. Setting this property to 1 disables this check.

      Note: Enabling MSI to run with elevated privileges is not sufficient in this case. In addition to installing as a local administrator, the modification can be accomplished in two other ways:
      1. Temporarily grant users write access to the Windows\Installer directory for the duration of the upgrade.
      2. Run the tool Tools\Sav9UninstallFix under the credentials of an account with write access to Windows\Installer
      3. Execute the upgrade with the property SAV10UNINSTALLFIXRUN=1 on the command line.

Managed installation - Sylink.xml

For a managed client, the Sylink.xml file that is included with its installation defines the initial server that the client will contact for policy and other updates.


Setaid.ini is primarily used in installations exported from the Symantec Endpoint Protection Manager. Setaid.ini values always take precedence. The installation uses the following settings:


  • KeepPreviousSetting=val

    • 0 = Do not keep previous settings

    • 1 = Keep previous settings 
      Note: This setting pertains to maintain existing settings in the package creation tab.

  • DestinationDirectory=installation_path

  • AddProgramIntoStartMenu=val

    • 0 = Do not an entry to the Start menu

    • 1 = Add an entry to the Start menu

  • InstallUserInterfaceLevel=val

    • u = unattended

    • s = silent

    • f = interactive

In section [LU_CONFIG]:


    • 0 = Do not run LiveUpdate at the end of the install, which overrides the RUNLIVEUPDATE property

    • 1 = Use the default behavior for running LiveUpdate

In section [FEATURE_SELECTION], the following entries are valid for SEP 12.1.x (where val is 0 = Don't install the feature and 1 = Install the feature):

  • Core (required)

  • SAVMain=val

  • Download=val

  • OutlookSnapin=val

  • NotesSnapin=val

  • Pop3Smtp=val

  • PTPMain=val

  • TruScan=val

  • DCMain=val

  • NTPMain=val

  • ITPMain=val

  • Firewall=val

  • LANG1033=val

 For more information on which features these values represent and their dependencies, see "Symantec Endpoint Protection client features" linked in the Related Articles section.

In section [FEATURE_SELECTION], the following entries are valid for SEP 11.x (where val is 0 = Don't install the feature and 1 = Install the feature):

  • SAVMain=val

  • EMailTools=val

  • OutlookSnapin=val

  • NotesSnapin=val

  • Pop3Smtp=val

  • ITPMain=val

  • Firewall=val

  • PTPMain=val

  • COHMain=val

  • DCMain=val

For more information on what these features represent and their dependencies, see "SEP 11.x Features" below.

In section [UIRebootMode], valid values are:

  • 0 - Display a Yes / No option if reboot is needed

  • 1 - Display pop-up and do reboot when UI level is f, u or s

  • 3 - No pop-up and no reboot when UI level is f, u, or s

Windows Security Center features

These properties allow for the configuration of the interaction between users and the Windows Security Center (WSC) running on Windows XP Service Pack 2 or Windows Service Pack 3. They do not apply to clients that run Windows Vista, and do not apply to Windows Action Center in Windows 7 and Windows 8.

Note: These properties apply to unmanaged clients only.

    Allows an administrator of a non-managed network to configure the WindowsSecurityCenterControl value.

    • 0 - No action

    • 1 - Disable once

    • 2 - Disable always

    • 3 - Restore if disabled

    Allows an administrator of a non-managed network to configure the AntiVirusDisableNotify value for Windows Security Center.

    • 0 - Enable

    • 1 - Disable (default)

    • 2 - Do not control

    Allows an administrator of a non-managed network to configure the FirewallDisableNotify value for Windows Security Center.

    • 0 - Enable

    • 1 - Disable (default)

    • 2 - Do not control

  • WSCAVUPTODATE=val  (Integer value between 1 and 90; default is 30)
    Allows an administrator of a non-managed network to configure the number of days used to determine if threat definitions are up to date for Windows Security Center.


    • 1 - Disable Windows Defender (default)

    • 0 - Do not disable Windows Defender

Adding and removing features

To remove existing features:


To add new features:

ADDLOCAL=feature1,feature2,feature3,existing feature 1,existing feature 2, ...

Note: When adding new features using ADDLOCAL, any existing features on the target computer that you want to retain must be included or the installation will remove any features on the target computer that are not listed.

For instructions on how to silently remove Symantec Endpoint Protection, see Related Articles.

MSI logging

  • When run from the setup.exe stub, Symantec Endpoint Protection (SEP), Symantec Network Access Control (SNAC), and Symantec Endpoint Protection Manager (SEPM) automatically create installer logs to the %TEMP% folder (e.g. C:\Documents and Settings\USERNAME\Local Settings\Temp) named either SEP_INST.LOG, SNAC_INST.LOG or SEPM_INST.LOG respectively.

  • When the installers are run from either the Client Deployment Wizard (SEP 12.1.x), the Push Deployment Wizard or when upgrades are deployed to client groups from the SEPM, the installer logs are automatically created in the %WINDIR%\temp folder (e.g. C:\WINDOWS\temp).

  • These installer logs are vital in determining which installer failures are installed.

Please have these logs available when contacting Symantec Support.

Note: Localized operating systems may have slightly different folders for the log files. You can determine what these paths actually are by following the below steps:

  1. Click Start > Run and type one of the following environmental variables:
    • %TEMP% for the user's temp folder
    • %WINDIR%\temp for the Windows temp folder
  2. Press Enter.

Please see the “Reading Installer logs” section below for more information.

Reading Installer logs (SEP 11.x)

The common installer logs are SEP_INST.LOG, SNAC_INST.LOG, or SEPM_INST.LOG. These are standard MSI log files. You can search for an installer failure point by doing a text search for the string "value 3" (CTRL+F = find in Notepad). This is important in determining installer and migration failures, especially in silent scenarios. A small sample of common errors and messages are “This version of Symantec Endpoint Protection requires Internet Explorer 6 or later.” or “This version of Symantec Endpoint Protection does not support 64-bit platforms. Please install Symantec Endpoint Protection for Win64 instead.”

Note: Please have the installer log file and error message available when contacting Symantec Support.

Command line example (SEP 11.x)

This example demonstrates a silent Symantec Endpoint Protection installation. LiveUpdate is not run, and the system is not restarted even if it is required.

Sample command lines:

  • To install unattended without a reboot and a log generated with the name "log.txt":

    setup /s /v"/l*v log.txt /qn RUNLIVEUPDATE=0 REBOOT=REALLYSUPPRESS"

  • To silently remove email tools from a SEP client:

    setup.exe /s /V"REMOVE=EMailTools /qn"

  • To silently remove the Firewall from a SEP client:

    MsiExec.exe /i{product GUID from registry} /qn REMOVE="Firewall"

  • To silently add the Firewall to a SEP client:

    MsiExec.exe /i{product GUID from registry} /qn ADDLOCAL="Firewall"


Technical Information

SEP 11.x Features

Core - Symantec Management Client, Symantec Network Access Control, and other components required for all installations.

SAVMain - AntiVirus and AntiSpyware Protection

    EMailTools - Antivirus Email Protection
      NotesSnapin - Lotus Notes Scanner
      OutlookSnapin - Microsoft Outlook Scanner
      Pop3Smtp - POP3/SMTP Scanner (not supported on 64-bit platforms)
    Rtvscan - required feature for AntiVirus support

    SymProtectManifest - required feature for AntiVirus support

PTPMain - Proactive Threat Protection

    COHMain - TruScan
    DCMain - Application and Device Control (not supported on 64-bit platforms

ITPMain - Network Threat Protection

    Firewall - Firewall and Intrusion Prevention

Note: The Pop3Smtp feature is not installed on Server OSes such as Windows 2003.

Important consideration when selecting features

As documented in our installation guide, we have a number of dependencies when it comes to the selection of features in the SEP client installation. Specifically: "COHMain and DCMain require two parents. COHMain is Proactive Threat Scan and requires PTPMain and SAVMain. DCMain, which is Application and Device Control, requires PTPMain and ITPMain."

The MSI installer will not compensate for these dependencies, and any lacking feature not only will result in a broken installation, but MSIEXEC will not return any fault condition on the missing components.

The diagram below shows the various dependencies:


This document is available in the following languages:


Legacy ID


Article URL

Terms of use for this information are found in Legal Notices