Symantec Endpoint Protection for Macintosh: Mac OS X 10.9 Kernel Signing Overview & Troubleshooting

Article ID: 158648

Products

Endpoint Protection

Issue/Introduction

To improve Kernel Protection, Apple has mandated that third parties sign their Kernel Extensions in OS X 10.9 "Mavericks".

When a Kernel Extension is not signed, OS X 10.9 displays a warning message to the end user:

Kernel extension is not from an identified developer
The kernel extension at "/System/Library/Extensions/SymInternetSecurity.kext" is not from an identified developer but will still be loaded.
Please contact the kernel extension vendor for updated software.

Cause

Signing can only be done using a specialized kernel signing certificate; application signing certificates cannot be used for this purpose.

Resolution

Symantec provides signed kernel extensions for SEP 12.1 RU4. The default location from which the signed kernel extensions are auto-loaded is the folder /Library/Extensions/.

Symantec kernel extensions and file locations

OS X 10.8 & 10.7 - unsigned:
/System/Library/Extensions/SymIPS.kext
/System/Library/Extensions/SymInternetSecurity.kext
/System/Library/Extensions/ndcengine.kext
/Library/Application Support/Symantec/Antivirus/SymAPComm.kext

OS X 10.9 - signed:
/Library/Extensions/SymIPS.kext
/Library/Extensions/SymInternetSecurity.kext
/Library/Extensions/ndcengine.kext
/Library/Application Support/Symantec/Antivirus/Signed/SymAPComm.kext

Troubleshooting
All kext-related warnings and errors are written to system.log and kernel.log; search these logs using the kext name as the keyword.

Use the kextstat command to check whether the required kexts are loaded:

Maverick:~ admin$ kextstat | grep -i symantec
   41    3 0xffffff7f807db000 0xf000     0xf000     com.symantec.kext.internetSecurity (5.2f2) <5 4 3 1>
   42    1 0xffffff7f807ea000 0x70000    0x70000    com.symantec.kext.ndcengine (1.0f2) <41 4 1>
   43    0 0xffffff7f8085a000 0xb000     0xb000     com.symantec.kext.ips (3.5f2) <42 41 5 4 3 1>
   85    0 0xffffff7f819e9000 0x4000     0x4000     com.symantec.kext.SymAPComm (12.2f2) <41 7 5 4 1>
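
As an added example (not part of the original Symantec article), the shell functions below check kextstat output for all four bundle identifiers shown above instead of relying on a visual scan of a grep. The function and variable names are this example's own, and the embedded sample is copied from the output above so the script also runs away from a Mac.

```shell
#!/bin/sh
# Added example: confirm every Symantec kext from the article is loaded.
# Bundle identifiers are taken from the kextstat output in the article.
EXPECTED_KEXTS="com.symantec.kext.internetSecurity
com.symantec.kext.ndcengine
com.symantec.kext.ips
com.symantec.kext.SymAPComm"

# Read kextstat output on stdin; print "bundle-id version" per loaded kext.
# Rows start with a numeric index; field 6 is the name, field 7 "(version)".
loaded_kexts() {
    awk '$1 ~ /^[0-9]+$/ && $7 ~ /^\(.*\)$/ {
        v = $7; gsub(/[()]/, "", v); print $6, v }'
}

# Read kextstat output on stdin; print each expected identifier that is
# not loaded. Returns 0 when all are loaded, 1 when any is missing.
missing_kexts() {
    loaded=$(loaded_kexts | awk '{ print $1 }')
    missing=0
    for id in $EXPECTED_KEXTS; do
        # -x -F: exact whole-line match, so a partial name never counts
        if ! printf '%s\n' "$loaded" | grep -qxF "$id"; then
            printf '%s\n' "$id"
            missing=1
        fi
    done
    return "$missing"
}

# Sample input: the kextstat lines shown in the article.
SAMPLE_KEXTSTAT='   41    3 0xffffff7f807db000 0xf000     0xf000     com.symantec.kext.internetSecurity (5.2f2) <5 4 3 1>
   42    1 0xffffff7f807ea000 0x70000    0x70000    com.symantec.kext.ndcengine (1.0f2) <41 4 1>
   43    0 0xffffff7f8085a000 0xb000     0xb000     com.symantec.kext.ips (3.5f2) <42 41 5 4 3 1>
   85    0 0xffffff7f819e9000 0x4000     0x4000     com.symantec.kext.SymAPComm (12.2f2) <41 7 5 4 1>'

# On a Mac, run: kextstat | missing_kexts
if printf '%s\n' "$SAMPLE_KEXTSTAT" | missing_kexts; then
    echo "all expected Symantec kexts are loaded"
else
    echo "the kexts listed above are not loaded"
fi
```

Any identifier the script prints is the keyword to search for in system.log and kernel.log.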



Use kextutil to check whether a kext is signed:

Maverick:~ admin$ kextutil -tn /Library/Extensions/SymIPS.kext
Warnings:
    The booter does not recognize symbolic links; confirm these files/directories aren't needed for startup:
        /Library/Extensions/SymIPS.kext/Contents/CodeDirectory
        /Library/Extensions/SymIPS.kext/Contents/CodeRequirements
        /Library/Extensions/SymIPS.kext/Contents/CodeResources
        /Library/Extensions/SymIPS.kext/Contents/CodeSignature
    Dependency lacks appropriate value for OSBundleRequired and may not be availalble during early boot:
        com.symantec.kext.ndcengine - OSBundleRequired not set
    Personality has no CFBundleIdentifier; the kext's identifier will be inserted when sending to the IOCatalogue:
        IOKitKernelExplorer

/Library/Extensions/SymIPS.kext appears to be loadable (including linkage for on-disk libraries).

 


Applies To

Macintosh OS X 10.9

Symantec Endpoint Protection 12.1 RU4 for Macintosh