You find that, contrary to expectation, AutoProtect (AP) is not enabled on a system running Symantec Endpoint Protection (SEP) for Linux. When you run systemctl status autoprotect.service -l, it is indicated that one or more of our kernel modules could not be loaded.
[[email protected] /]# /opt/Symantec/symantec_antivirus/sav info -a
This article only applies to SEP for Linux versions 14.3 MP1 (build 14.3.1169) or older.
AP involves multiple parts:
If any of these parts is not functional, AP will not work. Possible root causes include:
Perform the following steps:
./install.sh -u && rm -rf /opt/Symantec /etc/symantec /var/symantec /etc/Symantec.conf /etc/savfl_install.cfg /root/sep*.log*
If feasible, clean all repositories, update all packages and reboot the system. For Red Hat-based Linux distributions (Red Hat Enterprise Linux, CentOS, Oracle Linux, etc.), run the following commands:
yum clean all
yum -y update --skip-broken
yum -y install yum-utils
shutdown -r now
Ensure all dependencies are in place. These are listed in the System Requirements article for your version of SEP for Linux, referred to in related article TECH163829. For RedHat-based Linux distributions, run the following command:
yum -y install glibc.i686 libgcc.i686 unzip bzip2 gcc kernel-devel-`uname -r`
Attempt to install SEP for Linux again. If both the installation and auto-compile (if applicable) succeed, but the AutoProtect status continues to be Disabled, then ensure symev and symap are loaded, by running systemctl status autoprotect.service -l. If they are, verify that rtvscand is running, using /etc/init.d/rtvscand status.
If rtvscand is running, run /opt/Symantec/symantec_antivirus/sav liveupdate -u. If it completes succesfully, check the AutoProtect status again. If its status remains Disabled, navigate to the virus definitions directory (cd /opt/Symantec/virusdefs) and verify whether or not at least one YYYYMMDD.xxx definitions folder is present and cat definfo.dat usage.dat indicates it is in use. If that should not be the case (or if the LiveUpdate failed, for that matter), then see the Related Articles section below this article and follow the instructions to update the system using Intelligent Updater definitions. The goal here is to exclude a possible definitions processing issue.
If the update succeeds, and AutoProtect is shown to be running, you may have a networking issue that prevents the download of definitions. If using SEPM, you will want to verify client-server communication is possible (using wget http://management_server_address:8014/secars/secars.dll?hello,secars). If this should fail, then refer to related article TECH160964. If you have an internal proxy, you will need to configure your system to use it (using export http_proxy=internal_proxy_ip_address:3128 –note that your proxy port may be different).
If the issue continues to persist, in spite of having tried all the aforementioned steps, then run /opt/Symantec/symantec_antivirus/sadiag.sh, generate a SymDiag (see related article TECH170752) and provide the resulting files to Symantec Support.