This article covers frequently asked questions for Symantec Endpoint Protection (SEP) for Linux.

Which operating systems and kernel versions are supported?

For SEP client version 14.3 RU1 and later:

See Supported kernels of Symantec Linux Agent

For SEP client version 14.3 MP1 and earlier:

For a List of Linux Distributions and Kernels with Precompiled Auto-Protect Drivers/Modules for Symantec Endpoint Protection for Linux 14.x

For specific SEP version requirements, see Release notes, new fixes, and system requirements for all versions of Endpoint Protection.

Is SEPM on Linux Supported?

SEPM install is only supported on Windows Servers.

What are the requirements or pre-requisites for installing SEP for Linux?

See System requirements for Symantec Endpoint Protection (SEP) for information on installing SEP for Linux.

NOTE: SEP for Linux / Symantec Agent for Linux MUST be allowed to install into the Host instance with root access to the underlying system.  Installing SEP in a "container" is NOT supported because its denied access to run the required KMOD modules.  

What components are supported on SEP for Linux?

SEP for Linux supports AutoProtect (real-time scanning) and scheduled scans. Network protection components, such as IPS and firewall, are not available. 

Can I push deploy the SEP for Linux client from the SEP Manager?

Installing Symantec Endpoint Protection clients with Remote Push (using the Client Deployment Wizard) is NOT supported.

What if I wish to perform a major upgrade of OS or kernel with SEP installed? Is a reinstallation needed?

For SEP client version 14.3 RU1 and later:

See Updating the kernel modules for the Symantec Linux Agent

For SEP client version 14.3 MP1 and earlier:

For minor updates to the Linux OS, such as (RHEL) 5U6 to (RHEL) 5U7, the SEP client can remain in place. However, if the new kernel version is not supported by the pre-built Auto-Protect kernel modules provided with the SEP client, the modules must be recompiled after the Linux OS upgrade completes; this process is not automatic and must be initiated by the end-user.

For a major update to Linux OS on a client system (e.g. from RHEL 5 to RHEL 6), we require temporarily removing the SEP client and cleanly reinstalling the compatible version after an upgrade to avoid possible corruption to logs and Symantec Endpoint Protection components.

What if I want to upgrade SEP to a newer version?

For SEP client version 14.3 RU1 and later:

As of version 14.3 RU1, the Linux client installer detects and uninstalls the legacy Linux client (earlier than 14.3 RU1) and then performs a fresh install. Old configurations will not be retained.

See Upgrading the Symantec Linux Agent

For SEP client version 14.3 MP1 and earlier:

See Supported upgrade and migration paths to Symantec Endpoint Protection.

Can I use the feature Upgrade Groups with Package (auto-upgrade) for Linux machines?

No. AutoUpgrade does not work for Linux machines.

There's no Add or Remove programs for SEP. How do I uninstall?

See Uninstalling the Symantec Linux Agent or the Symantec Endpoint Protection client for Linux for information.

What are the different ways to update the content on SEP for Linux clients?

You can update the SEP client that is installed on Linux in the following ways:

• Directly from Symantec's LiveUpdate server.
• Using LiveUpdate Administrator (LUA). See Using the LiveUpdate Administrator 2.x to download updates for Symantec Endpoint Protection for Linux for information on how to configure LUA for this content.
• The Endpoint Protection Manager cannot host Linux LiveUpdate content the same way as it does for Windows clients. See Symantec Endpoint Protection Manager can be configured as a reverse proxy for downloading and caching the latest Linux LiveUpdate content on a SEPM server.
• Using the Intelligent Updater. See How to update a Linux-based computer with Intelligent Updater definitions for more information.

Can a SEP for Linux client get updates from a Group Update Provider (GUP)? And, can a SEP for Linux client act as a GUP?

No, the SEP for Linux client cannot act as GUP, nor can it receive updates from a GUP.

How often are updates for SEP for Linux released?

Daily, once usually in the morning Pacific Time (west coast, USA).

How do I know whether or not the SEP for Linux client is managed?

For SEP client version 14.3 RU1 and later:

Check last server the client connected to and when using command in a terminal window:

1. Enter the following command to display the last server the client connected and when:
   cat /var/symantec/sep/state.xml

For SEP client version 14.3 MP1 and earlier:

To check management status using commands in a terminal window:

1. Browse to:
   /opt/Symantec/symantec_antivirus
2. Enter the following command to display the management status:
   #./sav manage -s

To check in the client user interface, look under Management. Server shows the IP address or hostname of the management server.

Is it possible to convert an unmanaged SEP for Linux client to a managed client?

For SEP client version 14.3 RU1 and later:

Symantec Agent or Symantec Endpoint Protection for Linux 14.3 RU1 and later cannot run as an unmanaged client.

For SEP client version 14.3 MP1 and earlier:

Yes. See Importing client-server communication settings into the Linux client​.

Is Active Directory or LDAP integration supported for Linux clients?

Linux computers that are AD/LDAP members may not appear correctly in SEPM-imported OUs. This is by design. As of SEP 12.1 RU6, Mac and Linux SEP clients may only be managed using SEPM-defined groups.

I can send Linux clients a command to become an Unmanaged Detector or to enable or disable Network Threat Protection, but nothing happens. Why?

For SEP client version 14.3 RU1 and later:

As of 14.3 RU1, enabling the Linux client as an unmanaged detector is deprecated. See Configuring a client to detect unmanaged devices for more information.

For SEP client version 14.3 MP1 and earlier:

Even though the command can be sent, these features are not supported for SEP for Linux clients.

How can I disable/enable the SEP client on Linux?

For SEP client version 14.3 RU1 and later:

# /usr/lib/symantec/stop.sh

To start the SEP services:

# /usr/lib/symantec/start.sh

For SEP client version 14.3 MP1 and earlier:

Virus and Spyware Protection can be disabled (or enabled) with the following commands:

# /etc/init.d/rtvscand stop
# /etc/init.d/symcfgd stop
# /etc/init.d/smcd stop

More options: {start|stop|status|report|restart|condrestart}

Is Location Awareness supported for SEP for Linux?

No.

Does SEP for Linux scan symbolic links?

By default, the SEP client for Linux does not scan symbolic links, commonly referred to as symlinks or soft links. This is a change in the scanning behavior from Symantec Antivirus (SAV) for Linux, which scanned symbolic links by default. See Enabling the scanning of symbolic links in Symantec Endpoint Protection for Linux for more information.

Can SEP for Linux clients be switched to User Mode?

SEP for Linux will register only in computer mode and cannot be switched to user mode.

How can I lock down settings for SEP for Linux clients?

For SEP client version 14.3 RU1 and later:

Symantec Agent for Linux versions 14.3 RU1 and later do not have a graphical user interface.

For SEP client version 14.3 MP1 and earlier:

There are not many changes that the end-user can make. As of 12.1 RU6, the client user interface for SEP for Linux has only one button, LiveUpdate. 

How can I prevent SEP for Linux users from manually launching LiveUpdate from the client user interface?

SEP for Linux does not support the Client User Interface Control Settings.

Does SEP for Linux perform email scanning?

No. SEP for Linux is only a file system antivirus and anti-spyware solution.

How do I perform the secars test on a system where SEP for Linux is installed?

Use the following command to perform a test, where <SEPM_IP_OR_HOSTNAME> is the IP address or hostname of the management server, and <PORT> is the appropriate port number.

# wget http://<SEPM_IP_OR_HOSTNAME>:<PORT>/secars/secars.dll?hello,secars

Where can I find logs for troubleshooting?

For SEP client version 14.3 RU1 and later:

You find the Symantec Linux Agent logs at the following locations:

• AMD log - provides information related to scanning - /var/log/sdcsslog/amd.log
• CAF log - provides information related to agent activities such as communication with the server, enrollment, commands, events, policy version, content version, etc. - /var/log/sdcss-caflog/cafagent.log
• Agent log - provides some consolidated information related to agent activities (scan info, update info)  - /var/log/sdcsslog/SISIDSEvents*.csv
• CVE log - provides information related to communication between Symantec Endpoint Protection Manager and the agent - /var/log/sdcss-caflog/cve.log

For SEP client version 14.3 MP1 and earlier:

LiveUpdate: LiveUpdate logging is saved by default to /opt/Symantec/LiveUpdate/liveupdt.log.

LiveUpdate logging is always on. You can change the default LiveUpdate log file path by editing /etc/liveupdate.conf. See The default contents of liveupdate.conf in Symantec Endpoint Protection for Linux for more information.

defutil: By default, defutil logging is saved to /opt/Symantec/virusdefs/defutil.log.

You check defutil logs if the LiveUpdate log indicates a successful session, but the definitions do not update. For example, you might see the error "Failure in post processing" error at LiveUpdate command line.

To debug these errors, enable defutil logging:

1. Edit or create the file /etc/symc-defutils.conf.
2. In this file, create the section [defutillog], if it does not exist.
3. Under this section heading, add the line defutillog_name=defutil.log.

Example of an entry in symc-defutils.conf:

[defutillog]
defutillog_name=defutil.log

What about Communication Module/Sylink debugging?

For SEP client version 14.3 RU1 and later:

/var/log/sdcss-caflog/cve.log - provides information related to communication between Symantec Endpoint Protection Manager and the agent. By default, the CVE logging level is info.

To enable debug logging:

1. You can change the logging level from INFO to DEBUG in the /opt/Symantec/cafagent/bin/log4j.properties file.
2. After changing the file, you must restart the cafagent service.
   
   systemctl restart cafagent

NOTE: CVE logging does not exist in the cloud-managed SEP agent (SES)

For SEP client version 14.3 MP1 and earlier:

Communication Module/Sylink logging is saved to /var/symantec/Logs/debug.log.

To enable debug logging:

1. Create a new text file named /etc/symantec/log4j.properties, with the following contents:
   log4j.appender.A1=org.apache.log4j.FileAppender
log4j.appender.A1.fileName=/var/symantec/Logs/debug.log
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%d{%Y-%m-%dT%H:%M:%S.%l%Z} %t %p %c{2.EN_US} %m%n
log4j.rootCategory=DEBUG, A1
2. Restart the smc daemon:
   sudo service smcd restart

For remote scan, which file systems are supported by Auto-Protect?

Auto-Protect only supports five file system types: SMBFS, CIFS, AFS, NFS, and VMHGFS

How do I enable vpdebug logging?

For SEP client version 14.3 RU1 and later:

/usr/lib/symantec/stop.sh 

/opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini.1
/opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini

amdmanagement.antimalware.trace.level=trace

/usr/lib/symantec/start.sh 

For SEP client version 14.3 MP1 and earlier:

Use the following command to enable vpdebug logging:

# ./symcfg add --key '\Symantec Endpoint Protection\AV\ProductControl\' --value 'Debug' --data 'ALL' --type REG_SZ

Repeat the same command with no value for data to turn it OFF:

# ./symcfg add --key '\Symantec Endpoint Protection\AV\ProductControl\' --value 'Debug' --data '' --type REG_SZ

How do I collect diagnostic information for the SEP for Linux client?

For SEP client version 14.3 RU1 and later:

You can use GetAgentInfo script to collect all log files into a ZIP file that you can send to customer support.

1. Login to Symantec Linux Agent system
2. Navigate to /opt/Symantec/sdcssagent/IPS/tools/
3. Run ./getagentinfo.sh as root. A ZIP file will be created in /tmp/ directory
4. The name of the file will look similar to 20201208_184935_0001_CU_mihsan-rhel8.zip
   -out <directory> lets you change the location and the name of the generated ZIP file.

For SEP client version 14.3 MP1 and earlier:

There are two methods for gathering diagnostic information on Linux clients:

1. sadiag.sh (preferred)
   See: How to collect diagnostic information for the SEP for Linux client. This utility is installed with the SEP client. It is found on a Linux client at /opt/Symantec/symantec_antivirus/sadiag.sh, by default. This option creates a tar.bz2 file.
    
2. Symdiag for Linux
   You can download this utility through the following article: Download SymDiag to detect Symantec product issues
   This option creates a .sdbz file which can be analyzed by Symantec Support.

For information on viewing individual log files and configuring additional logging options on a Linux client, see Overview of log and configuration files in Symantec Endpoint Protection for Linux.

What are the common disk space requirements for SEP for Linux?

For SEP client version 14.3 RU1 and later:

For SEP client version 14.3 MP1 and earlier:

See the online Symantec Endpoint Protection Installation and Administration Guide and "System Requirements" section. As of SEP 14.3 MP1, Symantec Endpoint Protection 14.3 MP1 Release Notes are 1 GB of RAM and 7 GB of available hard disk space.

Does SEP for Linux support XFS file systems that contain inode64 attributes?

XFS file systems that contain inode64 attributes are only supported if SEP 14.2 MP1 (14.2.1015.0100) or newer is installed.