Definitions download but fail to update on Endpoint Protection for Mac version 14

Article ID: 171189

Updated On:

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) for Macintosh downloads definitions via LiveUpdate, but after the download completes, the new definitions fail to load.

The LiveUpdate log at '/Library/Application Support/Symantec/Silo/NFM/LiveUpdate/Logs/lux.log' shows the following:

[Session Results - START]
Session Result Code: 0x00010000
Session Result Message: OK
[Component Result - START]
Component ID: {57BC15BB-2B85-4081-B21C-1CF22DE8E987}
Display Name: AntiVirus Signatures
PVL: SEPC Virus Definitions Mac 14.0 RU1_MicroDefsB.CurDefs_SymAllLanguages
Result Code: 0x00010000
Result Message: OK
[Package Result - START]
File: 1519099791jtun_macnis7en180206020.osi
Result Code: 0x80012001
Result Message: UNKNOWN
[Package Result - END]
[Component Result - END]
[Component Result - START]
Component ID: {B9B49C58-D354-4E68-8351-82589FF0A4B0}
Display Name: Vulnerability Protection for Mac
PVL: SEPC CIDS Signatures Mac 14.0 RU1_14.0 RU1_SymAllLanguages
Result Code: 0x00010000
Result Message: OK
[Package Result - START]
File: 1518718096jtun_ips_sepmac12_2180214001.x02
Result Code: 0x80012001
Result Message: UNKNOWN
[Package Result - END]
[Component Result - END]
[Component Result - START]
Component ID: {3AA6B4DD-A60D-4EE8-96F5-6A5F58065FA5}
Display Name: Submission Control Data for Mac
PVL: Submission Control Data for Mac_6_SymAllLanguages
Result Code: 0x00010000
Result Message: OK
[Component Result - END]
[Session Results - END]
[Session Summary - START]
Components: 3
Packages:   2
Success:    0
Fail:       2
[Session Summary - END]
 
The 0x80012001 result code is an initialization failure.
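
When lux.log files are collected from several Macs, the session results can be parsed to list the packages that downloaded but did not apply. The following Python is an added example, not part of the original article or of Symantec's tooling. The function names are hypothetical, the sample log is constructed (abridged from the excerpt above), and 0x00010000 is treated as success because the excerpt pairs it with "OK".

```python
# Added example: find packages in a LiveUpdate lux.log session that failed to apply.
INIT_FAILURE = "0x80012001"  # described in this article as an initialization failure
OK = "0x00010000"            # logged with "Result Message: OK" in the excerpt

# Constructed sample, abridged from the session results quoted in this article.
SAMPLE_LOG = """\
[Session Results - START]
[Component Result - START]
Display Name: AntiVirus Signatures
Result Code: 0x00010000
[Package Result - START]
File: 1519099791jtun_macnis7en180206020.osi
Result Code: 0x80012001
[Package Result - END]
[Component Result - END]
[Component Result - START]
Display Name: Submission Control Data for Mac
Result Code: 0x00010000
[Component Result - END]
[Session Results - END]
"""

def failed_packages(log_text):
    """Return (component name, file, result code) for every non-OK package."""
    failures, component, package = [], None, None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "[Component Result - START]":
            component = None
        elif line == "[Package Result - START]":
            package = {}
        elif line == "[Package Result - END]":
            code = (package or {}).get("Result Code", "").lower()
            if code and code != OK:
                failures.append((component, package.get("File"), code))
            package = None
        elif ":" in line and not line.startswith("["):
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if package is not None:
                package[key] = value      # field inside a package block
            elif key == "Display Name":
                component = value         # component-level field
    return failures

def needs_avdefs_check(log_text):
    """True when any package ended with the initialization-failure code."""
    return any(code == INIT_FAILURE for _, _, code in failed_packages(log_text))

if __name__ == "__main__":
    print(failed_packages(SAMPLE_LOG), needs_avdefs_check(SAMPLE_LOG))
```

A component can report OK while its package fails, as in the excerpt, so the parser evaluates the package-level result code rather than the component-level one.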
 
To investigate this error, run the GatherSymantecInfo tool.
Open the resulting SymantecInfo.txt file and look at the section called '12. Definitions avdefs group check'.

In this scenario, the avdefs group check shows the following:
'WARNING: avdefs group does not exist'.
The definition files are listed with the root user and the 501 group instead of root and avdefs.

Cause

The avdefs group is being removed from the machine, potentially by a third-party application. This prevents the SEP client definitions from initializing after they are downloaded.

Environment

SEP 14.x for Mac
Mac OS X 10.9 or later

Resolution

Symantec is aware of this issue and will update this article when a solution becomes available.

A workaround for this issue is available in the form of a plist file that will check for the presence of the avdefs group every 5 minutes and will add it if it does not exist. To implement this workaround, follow the steps below:

  1. Download the attached plist file "com.symantec.avdefsgroupcreator.plist" on an impacted Mac.
  2. Copy this file to "/Library/LaunchDaemons/"
  3. Restart the system.

Attachments

com.symantec.avdefsgroupcreator.plist