Endpoint Protection Linux AutoProtect modules fail to load or crash system when other software is hooked into syscall table

Article ID: 157812

Products

Endpoint Protection

Issue/Introduction

The Symantec Endpoint Protection (SEP) for Linux AutoProtect (AP) kernel modules (symev/symap) fail to load, or the system crashes, when other software has already hooked the kernel syscall table.

Example of command line errors:
# service autoprotect restart
Stopping AP: symap: not currently loaded
Starting AP: insmod: error inserting '/opt/Symantec/autoprotect/symev-custom-2.6.18-308.24.1.el5-x86_64.ko': -1 Module has wrong symbol version
insmod: error inserting '/opt/Symantec/autoprotect/symev-rh-ES-5-2.6.18-274.3.1.el5-x86_64.ko': -1 Module has wrong symbol version
insmod: error inserting '/opt/Symantec/autoprotect/symev-rh-ES-5-2.6.18-274.3.1.el5-x86_64.ko': -1 Module has wrong symbol version
insmod: error inserting '/opt/Symantec/autoprotect/symev-rh-ES-5-2.6.18-274.3.1.el5-x86_64.ko': -1 Module has wrong symbol version

Errors in /var/log/messages:
symev: Module has wrong symbol version
symev: unable to locate installation points (or: symev: failed to locate the ia32 syscall table's address)
symev: failed to locate the syscall table's address

Cause

Typically this is caused by other security software that installs similar hooks into the Linux kernel syscall table and competes with SEP's AutoProtect (AP) modules for the same entry points.

Products known to have caused this issue include the following:

  • Symantec Data Center Security
  • Symantec Critical Services Protection
  • Tripwire
  • Vormetric / Cloudhesive 

Resolution

The general solution is to use the newest version of Symantec Endpoint Protection, but the problem tends to recur as the competing products are updated.

For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.

Sometimes changing the installation order of the security products on the same machine resolves it: the syscall conflict may occur if SEP is installed after product X, but not if X is removed, SEP is installed first, and X is then reinstalled.

As a workaround, SEP for Linux can also be installed without the AutoProtect modules. Manual or scheduled scans then provide the protection, since without AP there is no on-access scanning. To install SEP this way, navigate to the "Repository" directory of the expanded sep-rpm.zip or sep-deb.zip and install every package except sepap.
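The script below is an added example, not code from the Symantec article or from the product. It collects the three checks a practitioner wants when AP will not load: building the package list for the install-everything-except-sepap workaround, confirming that a symev module built for the running kernel actually exists before a conflict with another product is blamed (a "wrong symbol version" error is also what a kernel mismatch produces), and classifying the symev lines in /var/log/messages. The Repository package names, the symev file naming (taken from the insmod lines above) and the syslog format are assumptions; the sample log at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the Symantec article): helpers for the AutoProtect
# load-failure symptom. Package names, module naming and log format are
# assumptions based on the article's own error lines.

# 1. Package list for the "install everything except sepap" workaround.
#    Usage: rpm -Uvh $(sep_packages_without_ap /path/to/Repository)
sep_packages_without_ap() {
    repo="$1"
    for f in "$repo"/*.rpm "$repo"/*.deb; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            sepap*) ;;                 # skip the AutoProtect kernel-module package
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# 2. Does the AutoProtect directory ship a symev module for this kernel?
#    File names follow the article's insmod lines, e.g.
#    symev-custom-2.6.18-308.24.1.el5-x86_64.ko; the arch suffix may vary.
#    "Module has wrong symbol version" is also what you get when no module was
#    built for the running kernel, so rule that out before blaming a conflict.
#    Usage: symev_module_for_kernel /opt/Symantec/autoprotect "$(uname -r)"
symev_module_for_kernel() {
    apdir="$1"; krel="$2"
    for f in "$apdir"/symev-*"$krel"*.ko; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# 3. Classify symev messages from syslog. Prints a count per failure class and
#    returns 0 when either class is present (the symptom from the article).
classify_symev_log() {
    logfile="$1"
    symver=$(grep -c 'symev: Module has wrong symbol version' "$logfile" || true)
    table=$(grep -Ec "symev: (failed to locate the (ia32 )?syscall table's address|unable to locate installation points)" "$logfile" || true)
    printf 'symbol-version=%s syscall-table=%s\n' "$symver" "$table"
    [ "$symver" -gt 0 ] || [ "$table" -gt 0 ]
}

# Constructed sample log reproducing the article's message forms.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  1 10:00:01 host kernel: symev: Module has wrong symbol version
Mar  1 10:00:01 host kernel: symev: unable to locate installation points
Mar  1 10:00:01 host kernel: symev: failed to locate the syscall table's address
Mar  1 10:00:02 host kernel: symev: failed to locate the ia32 syscall table's address
EOF
}

# Demo against the constructed log; on a real host point it at /var/log/messages.
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/messages"
classify_symev_log "$demo_dir/messages"        # symbol-version=1 syscall-table=3
rm -rf "$demo_dir"
```

On a real host, run `symev_module_for_kernel /opt/Symantec/autoprotect "$(uname -r)"` first: if it prints nothing, the failure is a missing or mismatched module rather than a competing hook, and the resolution section above does not apply.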