How to determine if Endpoint Protection for Macintosh is installed and running

Article Id: 178268

Status: Published

Updated On: 29-05-2020 10:24

Legacy Id: HOWTO100463

Products:

Endpoint Protection Endpoint Protection

Issue/Introduction:

How to determine if Endpoint Protection for Macintosh is installed and running

Resolution:

How to determine if Symantec Endpoint Protection (SEP) for Macintosh 14.2 RU1 or 14.2 RU1 MP1 is installed and running:

Version check:

The following command line input will return version information, if SEP is installed:

defaults read /Applications/Symantec\ Solutions/Symantec\ Endpoint\ Protection.app/Contents/Info CFBundleShortVersionString

Example output: 14.2.4806.1100

SymDaemon check:

Using Activity Monitor, check for the running process named SymDaemon. This means SEP is installed and running.

Managed client check:

Serdef.dat will be present in /Library/Application Support/Symantec/SMC/data/ if SEP is managed

Kernel extension check:

From terminal run the command line:

kextstat | grep -i symantec

The four expected kernel extensions are:

com.symantec.internetSecurity.kext

com.symantec.nfm.kext

com.symantec.ips.kext

com.symantec.SymXIPS

Note that the kextstat output will still list an extension as loaded even if the related SEP component is disabled via product settings.

AutoProtect status check:

To check if AutoProtect (AP) is enabled, NAC vendors may use one of the attached "ShowSettings" tools. Use showsettings2 tool for SEP versions older than 14.2 RU2. Use signed ShowSettings tool for SEP 14.2 RU2 and newer

showsettings2 read --domain autoprotect | grep 'Enabled' | sed -n 3p

The output will be ‘Enabled : 0' or 'Enabled : 1' depending on Autoprotect status. 0 for disabled. 1 for enabled.

Error when running showsettings2 when SEP 14.2 RU2 is installed -

dyld: Library not loaded: @rpath/SymSharedSettings2.framework/Versions/A/SymSharedSettings2
Referenced from: /Users/admin/Desktop/./showsettings2
Reason: image not found

Solution: use signed ShowSettings tool for SEP 14.2 RU2 and newer

IPS check:

To determine the IPS status, grep /var/log/system.log for "IPS Enabled : 1" or "IPS Enabled : 0"

Additional Information:

REFERENCE ID : : 3635637, 4215361/n DESCRIPTION :

Need command-line method to determine status of Macintosh SEP IPS
Need standardized CLI API for NAC queries of SEP Mac client state

/n REFERENCE ID : : ESCRT-2829/n DESCRIPTION :

NAC software is not detecting AV running on SEP 14.2 RU2 for macOS

/n REFERENCE ID : : ESCRT-2829/n DESCRIPTION :

NAC software is not detecting AV running on SEP 14.2 RU2 for macOS