Upgrade of SEP for Mac to version 14.3 MP1 leaves Symantec systemextension still loaded, even after several reboots:
[email protected] ~ % systemextensionsctl list 2 extension(s) --- com.apple.system_extension.endpoint_security enabled active teamID bundleID (version) name [state] * * 9PTGMPNXZ2 com.symantec.mes.systemextension (9.0.2/9.0.2) Symantec System Extension [activated enabled] * * Y2CCP3S9W7 com.broadcom.mes.systemextension (9.0.4/9.0.4) Symantec System Extension [activated enabled] [email protected] ~ %
You may also see com.symantec.mes.systemextension crash reports in /Library/Logs/Diagnostic reports, as the old extension continues to try loading.
Symantec is investigating this symptom.
This is a result a silent deployment using the SEPRemote.pkg and Apple's current requirement for user interaction when installing or removing *.systemextension. If you upgrade SEP by using the Symantec Endpoint Protection Installer app instead of the remote pkg, you will be prompted for permission and admin credentials to move the old product to trash. Apple provides a "systemextensionsctl uninstall" command but also currently requires SIP to be disabled to use it.
There is some improvement in upgrades to SEP 14.3 RU1: the most recent 14.3.x system extension will be removed in such an upgrade but any older extensions already present (from previous upgrades) will still remain.
This article will be updated as new information becomes available.