How to determine if Endpoint Protection for Macintosh is installed and running

Article ID: 178268

Products

Endpoint Protection

Issue/Introduction

How to determine if Endpoint Protection for Macintosh is installed and running

Resolution

How to determine if Symantec Endpoint Protection (SEP) for Macintosh 14.2 RU1 or 14.2 RU1 MP1 is installed and running:

Version check:

The following command returns version information if SEP is installed:

defaults read /Applications/Symantec\ Solutions/Symantec\ Endpoint\ Protection.app/Contents/Info CFBundleShortVersionString

Example output: 14.2.4806.1100
 

SymDaemon check:

Using Activity Monitor, check for a running process named SymDaemon. If it is present, SEP is installed and running.


Managed client check:

Serdef.dat will be present in /Library/Application Support/Symantec/SMC/data/ if SEP is managed.


Kernel extension check:

From Terminal, run the command:

kextstat | grep -i symantec

The four expected kernel extensions are:

com.symantec.internetSecurity.kext
com.symantec.nfm.kext
com.symantec.ips.kext
com.symantec.SymXIPS

 
Note that the kextstat output will still list an extension as loaded even if the related SEP component is disabled via product settings.

AutoProtect status check:

To check if AutoProtect (AP) is enabled, NAC vendors may use one of the attached "ShowSettings" tools. Use the showsettings2 tool for SEP versions older than 14.2 RU2. Use the signed ShowSettings tool for SEP 14.2 RU2 and newer.

showsettings2 read --domain autoprotect | grep 'Enabled' | sed -n 3p

The output will be 'Enabled : 0' or 'Enabled : 1' depending on AutoProtect status: 0 for disabled, 1 for enabled.

Error when running showsettings2 with SEP 14.2 RU2 installed:

dyld: Library not loaded: @rpath/SymSharedSettings2.framework/Versions/A/SymSharedSettings2
Referenced from: /Users/admin/Desktop/./showsettings2
Reason: image not found

Solution: use the signed ShowSettings tool for SEP 14.2 RU2 and newer.

Note: If the error "Failed to open domain: 251" is encountered, run the ShowSettings tool from the /tmp folder.

IPS check:

To determine the IPS status, grep /var/log/system.log for "IPS Enabled : 1" or "IPS Enabled : 0".
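
The checks above combined into one posture script, as an added example that is not vendor code. Function names are hypothetical, pgrep stands in for the Activity Monitor check, and the script assumes the most recent "IPS Enabled" log line reflects the current state; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Paths, process name and kext IDs are the
# ones listed in this article; function names are hypothetical.
SEP_APP="/Applications/Symantec Solutions/Symantec Endpoint Protection.app"
SERDEF="/Library/Application Support/Symantec/SMC/data/Serdef.dat"
EXPECTED_KEXTS="com.symantec.internetSecurity.kext com.symantec.nfm.kext
com.symantec.ips.kext com.symantec.SymXIPS"

# Read kextstat output on stdin; print each expected kext that is NOT listed.
missing_kexts() {
    loaded=$(cat)
    for k in $EXPECTED_KEXTS; do
        printf '%s\n' "$loaded" | grep -qwF "$k" || printf '%s\n' "$k"
    done
}

# Read log lines on stdin; print the value (1 or 0) from the most recent
# "IPS Enabled : N" line, or "unknown" if none is present (e.g. after rotation).
# Assumption: the newest matching line reflects the current state.
last_ips_state() {
    state=$(grep -o 'IPS Enabled : [01]' | tail -n 1 | sed 's/.*: //')
    printf '%s\n' "${state:-unknown}"
}

# Run every check on a live Mac and print one line per result.
sep_report() {
    if [ -d "$SEP_APP" ]; then
        echo "version: $(defaults read "$SEP_APP/Contents/Info" CFBundleShortVersionString)"
    else
        echo "version: not installed"
    fi
    # pgrep stands in for the Activity Monitor check.
    if pgrep -x SymDaemon >/dev/null; then echo "SymDaemon: running"
    else echo "SymDaemon: not running"; fi
    if [ -f "$SERDEF" ]; then echo "managed: yes"; else echo "managed: no"; fi
    echo "kexts missing: $(kextstat | missing_kexts | tr '\n' ' ')"
    echo "IPS enabled: $(last_ips_state < /var/log/system.log)"
}

if [ "$(uname -s)" = "Darwin" ]; then
    sep_report
else
    # Off a Mac, exercise the parsers on constructed sample input.
    printf '%s\n' ' 150 0 0xffffff7f80a00000 0x9000 0x9000 com.symantec.nfm.kext (1.0) <5 4 3 1>' | missing_kexts
    printf '%s\n' 'host proc[90]: IPS Enabled : 1' 'host proc[90]: IPS Enabled : 0' | last_ips_state
fi
```

An empty "kexts missing" line only shows the extensions are loaded; as noted above, it does not show that the related SEP component is enabled.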

 

Additional Information

Reference ID: 3635637, 4215361
Description:

Need command-line method to determine status of Macintosh SEP IPS
Need standardized CLI API for NAC queries of SEP Mac client state

Reference ID: ESCRT-2829
Description:

NAC software is not detecting AV running on SEP 14.2 RU2 for macOS

Attachments

1583452821965__ShowSettingsTools.zip