Red Hat Enterprise Linux 7.5 hangs or crashes when attempting to install Endpoint Protection

Article ID: 171827

Products

Endpoint Protection

Issue/Introduction

Red Hat Enterprise Linux (RHEL) 7.5

Symantec Endpoint Protection for Linux (SEPfL) 14 RU1 MP2 or 14.2

The RHEL server hangs or crashes halfway through the installation of SEPfL. Afterwards, SEPfL may not be uninstallable, and the server must be rebuilt to restore operations.

Cause

When SEPfL is installed, kernel modules that do not match the running kernel are extracted from the SEPfL 14 RU1 MP2 or 14.2 RPM file. When SEPfL attempts to load these non-matching kernel modules, the server hangs or crashes.

Environment

  • RHEL 7.5
  • SEPfL 14 RU1 MP2 or 14.2

Resolution

Auto-compile support for RHEL 7.5 was added in 14.2 MP1. For SEPfL 14 RU1 MP2 or 14.2, the following workaround applies. It is presented as a commented script: navigate to the folder that contains the SEPfL install.sh script, then issue the commands one by one, in the order shown.

# If present, uninstall SEPfL and remove any remaining traces.
./install.sh -u
rm -rf /opt/Symantec/symantec_antivirus /etc/symantec/sep /var/symantec/sep /etc/Symantec.conf /etc/savfl_install.cfg /root/sep*.log*

# We are going to follow http://www.symantec.com/docs/HOWTO101761 ("Installing the Symantec Endpoint Protection client for Linux"),
# but with a change before the installer is run, then another change after it is run.

# First make sure the Auto-Protect modules are neither installed nor loaded, by pointing their directory at /dev/null; loading them is where the installer crashes.

mkdir /opt/Symantec
ln -s /dev/null /opt/Symantec/autoprotect

# Now install as normal.

./install.sh -i

# Remove the symbolic link to /dev/null.

rm -f /opt/Symantec/autoprotect
mkdir /opt/Symantec/autoprotect
/etc/init.d/autoprotect stop

# Next, we will follow http://www.symantec.com/docs/TECH132773 ("Manually compile Auto-Protect kernel modules for Endpoint Protection for Linux").
# Please note that your kernel module version number will be different if using 14.2.

cd /opt/installs/sep-sym/src/ap-kernelmodule-14.0.3929-1200
./build.sh --kernel-dir /lib/modules/$(uname -r)/build

# This takes a few seconds and restarts the services.
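Two conditions the workaround above depends on are easy to get wrong: install.sh must run only while /opt/Symantec/autoprotect is a symbolic link to /dev/null, and build.sh needs the kernel headers (kernel-devel) for the running kernel under /lib/modules/$(uname -r)/build. The checks below are an added example, not part of this article or of Symantec's installer. Each path is a parameter whose default is the location the article uses, so the functions can also be exercised against a scratch directory; the kernel release string used in the comments is a constructed sample.

```shell
#!/bin/sh
# Added pre-flight checks for the RHEL 7.5 workaround (example code, not Symantec's).
# Every path is a parameter with the article's location as its default, so the
# functions can also be run against a scratch tree.

# kernel_headers_present [release] [modules_root]
# Returns 0 when <modules_root>/<release>/build/Makefile exists, i.e. the
# kernel-devel package for that kernel is installed and build.sh can compile.
kernel_headers_present() {
    release=${1:-$(uname -r)}
    modroot=${2:-/lib/modules}
    [ -f "$modroot/$release/build/Makefile" ]
}

# autoprotect_diverted [dir]
# Returns 0 when <dir> is a symlink to /dev/null, the state install.sh must see
# so that no Auto-Protect kernel module is extracted or loaded.
autoprotect_diverted() {
    dir=${1:-/opt/Symantec/autoprotect}
    [ -L "$dir" ] && [ "$(readlink "$dir")" = /dev/null ]
}

# divert_autoprotect [dir]
# Creates the parent directory and the /dev/null symlink. Refuses to touch an
# existing real directory, because a previous install may have left modules
# there; run the uninstall step from the article first.
divert_autoprotect() {
    dir=${1:-/opt/Symantec/autoprotect}
    if [ -d "$dir" ] && [ ! -L "$dir" ]; then
        echo "refusing to replace existing directory $dir; uninstall first" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dir")" || return 1
    rm -f "$dir"
    ln -s /dev/null "$dir"
}

# preflight [release] [modules_root] [autoprotect_dir]
# Prints one line per check and returns 1 if any check fails, so a wrapper can
# stop before install.sh or build.sh instead of hanging the server.
preflight() {
    rc=0
    if kernel_headers_present "$1" "$2"; then
        echo "ok: kernel headers present for ${1:-$(uname -r)}"
    else
        echo "FAIL: no kernel headers under ${2:-/lib/modules}/${1:-$(uname -r)}/build (install kernel-devel)"
        rc=1
    fi
    if autoprotect_diverted "$3"; then
        echo "ok: ${3:-/opt/Symantec/autoprotect} -> /dev/null"
    else
        echo "FAIL: ${3:-/opt/Symantec/autoprotect} is not a symlink to /dev/null"
        rc=1
    fi
    return $rc
}

# Usage when run directly: sh preflight.sh --check   (uses the article's default paths)
if [ "${1:-}" = "--check" ]; then
    preflight
    exit $?
fi
```

Run `divert_autoprotect` after the uninstall step and `preflight` immediately before `./install.sh -i`; the headers check also applies before `build.sh`, which fails without kernel-devel for the running kernel.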
# Update definitions; manually define a proxy if necessary (not needed if you update via SEPM).

#export http_proxy=internal_proxy:3128
/opt/Symantec/symantec_antivirus/sav liveupdate -u

# After the update completes, wait 10 minutes to allow it to be fully processed, then perform some checks.
# Please note that the product version returned will be different if using 14.2.

/opt/Symantec/symantec_antivirus/sav info -d # will return a very recent definitions version
/opt/Symantec/symantec_antivirus/sav info -a # will return "Enabled"
/opt/Symantec/symantec_antivirus/sav info -e # will return "151.1.4.39"
/opt/Symantec/symantec_antivirus/sav info -p # will return "14.0.1 (14.0 RU1 MP2) build 3929 (14.0.3929.1200)"
/opt/Symantec/symantec_antivirus/sav info -s # will return "General Status: Done Manual Scan: Done"

# Now test by attempting to save the EICAR standard antivirus test file to disk. For more details,
# see http://www.symantec.com/docs/HOWTO100330 ("Testing a Virus and Spyware Protection policy").
# Ignore any error message that may be shown.

echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/test

# The above file will not be written to disk, but the detection will appear in the log, as shown below.

cat /var/symantec/sep/Logs/AVMan.log

00080000        0007fe9f        00000001        ffffffff        00000000        0000001e

00000160        01d3f829486ea7c8        01d3f82945118500        01d3f82945118500        00000001        30041E0F1106,5,1,2,test-689609,root,EICAR Test String,/tmp/test,5,1,1,256,33574980,"",0,,0,,725614592,11101,0,0,0,,,,20180530.002,193452,0,,0,,,,,,,00:50:56:b5:4f:ad,14.0.3929.1200,,,,,,,,,,,,,,,,0,,,0,,502          69      2       131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267,,,,1
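The AVMan.log record above is a comma-separated event preceded by hex columns, which is awkward to read by eye when checking that the EICAR test was caught. The shell functions below are an added example, not part of this article or of the SEP client, that pull out the fields a responder looks at first. The field positions (5 = computer, 6 = user, 7 = threat name, 8 = file path, 27 = definition set) are assumed from the SEP client log layout and the sample above, and the 64-hex-digit value is assumed to be the file hash. The sample record embedded in the script is the article's own line, used as constructed input.

```shell
#!/bin/sh
# Added example: summarise SEP for Linux AVMan.log detection records.
# Not Symantec code; field positions are assumed from the record quoted in the
# article (5=computer, 6=user, 7=threat name, 8=path, 27=definition set).

# Constructed sample: the EICAR detection record from the article, with the
# leading hex columns the log writes before the comma-separated event.
SAMPLE_HEADER='00080000 0007fe9f 00000001 ffffffff 00000000 0000001e'
SAMPLE_RECORD='00000160 01d3f829486ea7c8 01d3f82945118500 01d3f82945118500 00000001 30041E0F1106,5,1,2,test-689609,root,EICAR Test String,/tmp/test,5,1,1,256,33574980,"",0,,0,,725614592,11101,0,0,0,,,,20180530.002,193452,0,,0,,,,,,,00:50:56:b5:4f:ad,14.0.3929.1200,,,,,,,,,,,,,,,,0,,,0,,502 69 2 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267,,,,1'

# avman_fields RECORD
# Prints "computer|user|threat|path|definitions" for one record. The hex
# columns (hex digits followed by whitespace) are stripped first so that the
# comma-separated event starts at field 1.
avman_fields() {
    printf '%s\n' "$1" \
        | sed -E 's/^([0-9A-Fa-f]+[[:space:]]+)+//' \
        | awk -F, '{ printf "%s|%s|%s|%s|%s\n", $5, $6, $7, $8, $27 }'
}

# avman_hash RECORD
# Prints the first 64-hex-digit value in the record (assumed to be the file
# hash), or nothing if the record carries none.
avman_hash() {
    printf '%s\n' "$1" | grep -oE '[0-9a-f]{64}' | head -n 1
}

# avman_summary LOGFILE
# One summary line per detection record; lines without a comma-separated event
# (such as the header-like first line of the sample) are skipped.
avman_summary() {
    while IFS= read -r line; do
        case "$line" in
            *,*) printf '%s|%s\n' "$(avman_fields "$line")" "$(avman_hash "$line")" ;;
        esac
    done < "$1"
}

# Demo on the constructed sample; on a real host pass /var/symantec/sep/Logs/AVMan.log.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_HEADER" "$SAMPLE_RECORD" > "$tmp"
avman_summary "$tmp"
rm -f "$tmp"
```

For the sample record the summary line reads `test-689609|root|EICAR Test String|/tmp/test|20180530.002|131f95c5…`, which is enough to confirm which host, user, path and definition set produced the detection without reading the raw record.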