Red Hat Enterprise Linux (RHEL) 7.5
Symantec Endpoint Protection for Linux (SEPfL) 14 RU1 MP2 or 14.2
The RHEL server hangs or crashes halfway through the installation of SEPfL, after which SEPfL may no longer be uninstallable. The server must be rebuilt to restore operations.
When SEPfL is installed, kernel modules that do not match the running kernel are extracted from the SEPfL 14 RU1 MP2 or 14.2 RPM file. When SEPfL attempts to load these non-matching kernel modules, the server hangs or crashes.
Auto-compile support for RHEL 7.5 was added in 14.2 MP1. For SEPfL 14 RU1 MP2 or 14.2, the following workaround applies. It is presented in the form of a commented script: navigate to the folder that contains the SEPfL install.sh script, then issue the commands one by one, in the order presented.
# If present, uninstall SEPfL and remove any remaining traces.
rm -rf /opt/Symantec/symantec_antivirus /etc/symantec/sep /var/symantec/sep /etc/Symantec.conf /etc/savfl_install.cfg /root/sep*.log*
# We are going to follow http://www.symantec.com/docs/HOWTO101761 ("Installing the Symantec Endpoint Protection client for Linux"),
# but with a change before the installer is run, then another change after it is run.
# First make sure the AutoProtect modules are neither installed nor loaded, by pointing their directory at /dev/null, as loading them is where the installer would crash.
ln -s /dev/null /opt/Symantec/autoprotect
# Now run the installer (install.sh) as normal, as described in the HOWTO above.
# Remove the symbolic link to /dev/null.
rm -f /opt/Symantec/autoprotect
# Next, we will follow http://www.symantec.com/docs/TECH132773 ("Manually compile Auto-Protect kernel modules for Endpoint Protection for Linux").
# Please note that your kernel module version number will be different if using 14.2.
./build.sh --kernel-dir /lib/modules/$(uname -r)/build
# This takes a few seconds and restarts the services.
# Update definitions - manually define a proxy if necessary (no need if you update via SEPM).
/opt/Symantec/symantec_antivirus/sav liveupdate -u
# After the update completes, wait 10 minutes to allow it to be fully processed, then perform some checks.
# Please note that the product version returned will be different if using 14.2.
/opt/Symantec/symantec_antivirus/sav info -d # will return a very recent definitions version
/opt/Symantec/symantec_antivirus/sav info -a # will return "Enabled"
/opt/Symantec/symantec_antivirus/sav info -e # will return the current scan engine version
/opt/Symantec/symantec_antivirus/sav info -p # will return "14.0.1 (14.0 RU1 MP2) build 3929 (14.0.3929.1200)"
/opt/Symantec/symantec_antivirus/sav info -s # will return "General Status: Done Manual Scan: Done"
# Now test by attempting to save EICAR standard antivirus test file to disk. For more details,
# see http://www.symantec.com/docs/HOWTO100330 ("Testing a Virus and Spyware Protection policy").
# Ignore any error message that may be shown.
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/test
# The above file will not be written to disk, but it will show in the logs as below.
00080000 0007fe9f 00000001 ffffffff 00000000 0000001e
00000160 01d3f829486ea7c8 01d3f82945118500 01d3f82945118500 00000001 30041E0F1106,5,1,2,test-689609,root,EICAR Test String,/tmp/test,5,1,1,256,33574980,"",0,,0,,725614592,11101,0,0,0,,,,20180530.002,193452,0,,0,,,,,,,00:50:56:b5:4f:ad,14.0.3929.1200,,,,,,,,,,,,,,,,0,,,0,,502 69 2 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267,,,,1
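Since the root cause is a kernel module built for a different kernel than the one running, a preflight check before the build.sh and service-restart steps catches a mismatch before Auto-Protect ever tries to load it. The following is an added example, not part of the Symantec article: it assumes the compiled .ko files live under /opt/Symantec/autoprotect (a placeholder default; pass the real module directory), and compares each module's vermagic string, as reported by modinfo, against uname -r.

```shell
#!/bin/sh
# Added example (not from the Symantec article): preflight checks for the
# build.sh step, so a module compiled against the wrong kernel is caught
# before Auto-Protect tries to load it and hangs the server.

# Return 0 if a module's vermagic string was built for the given kernel
# release. The first whitespace-delimited token of vermagic is the kernel
# release the module was compiled for; an empty string never matches.
vermagic_matches() {
    vermagic="$1"
    kernel="$2"
    mod_kernel="${vermagic%% *}"
    [ -n "$mod_kernel" ] && [ "$mod_kernel" = "$kernel" ]
}

# Return 0 if the kernel-devel tree that build.sh needs is present.
kernel_build_tree_present() {
    [ -d "/lib/modules/$1/build" ]
}

# Inspect every .ko directly under, or one level below, a directory and
# report modules not built for the given kernel. Returns 1 on any mismatch
# (or unreadable module), 2 if no modules were found, 0 if all match.
check_modules_dir() {
    dir="$1"
    kernel="$2"
    rc=2
    for ko in "$dir"/*.ko "$dir"/*/*.ko; do
        [ -f "$ko" ] || continue
        [ "$rc" -eq 2 ] && rc=0
        vm=$(modinfo -F vermagic "$ko" 2>/dev/null) || vm=""
        if vermagic_matches "$vm" "$kernel"; then
            echo "OK       $ko"
        else
            echo "MISMATCH $ko (vermagic: ${vm:-unreadable})"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh preflight.sh --check [module-dir]
# The default module directory below is an assumption, not from the article.
if [ "${1-}" = "--check" ]; then
    running=$(uname -r)
    kernel_build_tree_present "$running" || {
        echo "missing /lib/modules/$running/build: install kernel-devel first"
        exit 1
    }
    check_modules_dir "${2:-/opt/Symantec/autoprotect}" "$running"
fi
```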