Upgrade of SEP for Mac to version 14.3 MP1 leaves Symantec systemextension still loaded

Article ID: 197154

Products

Endpoint Protection

Issue/Introduction

Upgrade of SEP for Mac to version 14.3 MP1 leaves Symantec systemextension still loaded, even after several reboots:

[email protected] ~ % systemextensionsctl list
2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
*	*	9PTGMPNXZ2	com.symantec.mes.systemextension (9.0.2/9.0.2)	Symantec System Extension	[activated enabled]
*	*	Y2CCP3S9W7	com.broadcom.mes.systemextension (9.0.4/9.0.4)	Symantec System Extension	[activated enabled]
[email protected] ~ %

You may also see com.symantec.mes.systemextension crash reports in /Library/Logs/DiagnosticReports, as the old extension continues to try loading.

Cause

This results from a silent/unattended deployment using the SEPRemote.pkg, combined with Apple's macOS API requirement for user interaction when installing or removing a *.systemextension.

SEP 14.3 MP1 and newer uses a Broadcom-signed extension instead of the older Symantec-signed one. The macOS API allows an extension to be upgraded silently only as long as the signatures match. Because the signatures differ here, the old extension must be removed. When performing a local upgrade of SEP with the interactive Symantec Endpoint Protection Installer app, the old SEP app is moved to the trash and the user is asked to approve this operation, which allows the old extension to be removed.

Resolution

This will be resolved in SEP 14.3 RU2 and newer. Until then, you may use the local interactive Symantec Endpoint Protection Installer app to ensure removal of the old extension when upgrading. 

Otherwise, when deploying SEP in a silent/unattended fashion by using the SEPRemote.pkg, also include the Symantec Endpoint Protection Legacy.app.pkg attached at the bottom of this article. This Legacy.app.pkg will upgrade the Symantec-signed system extension to a version that does nothing and will not interfere with new versions of SEP. The Legacy.app.pkg may be installed before or after the SEP upgrade, and a reboot will be necessary. The Legacy app may optionally be completely removed afterwards by using the macOS Finder to navigate to the Applications/Symantec Solutions folder, pressing Shift-Apple-Period (or Shift-Cmd-Period) to reveal hidden files, and dragging the revealed ".Symantec Endpoint Protection Legacy" app to the trash.

The Legacy.app.pkg will not be necessary in SEP 14.3 RU2; the replacement of legacy Symantec extensions will be included automatically in those versions.
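A per-Mac check for the state shown in the Issue section, as an added example that is not part of the original article or of Symantec/Broadcom tooling: it parses `systemextensionsctl list` output using the bundle and team IDs from that listing, and reports the version of the Symantec-signed extension because the Legacy.app.pkg leaves that bundle loaded at a different version. The function names, verdict strings and the constructed sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor tooling). Bundle and team IDs come from the listing in this article.
LEGACY_BUNDLE="com.symantec.mes.systemextension"; LEGACY_TEAM="9PTGMPNXZ2"
NEW_BUNDLE="com.broadcom.mes.systemextension";    NEW_TEAM="Y2CCP3S9W7"

# Constructed sample: the article's listing, rebuilt with its tab separators.
sample_listing() {
  printf '2 extension(s)\n--- com.apple.system_extension.endpoint_security\n'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  printf '*\t*\t%s\t%s (9.0.2/9.0.2)\tSymantec System Extension\t[activated enabled]\n' \
    "$LEGACY_TEAM" "$LEGACY_BUNDLE"
  printf '*\t*\t%s\t%s (9.0.4/9.0.4)\tSymantec System Extension\t[activated enabled]\n' \
    "$NEW_TEAM" "$NEW_BUNDLE"
}

# Reads a listing on stdin and prints one verdict line:
#   both-loaded symantec=<version>   old and new extensions both activated
#   symantec-only symantec=<version> only the Symantec-signed extension activated
#   broadcom-only | none
#   unexpected-signer                a known bundle ID carries a different team ID
classify_sysext() {
  awk -F'\t' -v lb="$LEGACY_BUNDLE" -v lt="$LEGACY_TEAM" \
             -v nb="$NEW_BUNDLE" -v nt="$NEW_TEAM" '
    NF >= 6 && $6 ~ /activated/ {
      split($4, b, " ")                  # field 4 is "bundleID (version)"
      ver = b[2]; gsub(/[()]/, "", ver)
      if (b[1] == lb) { if ($3 == lt) { old = 1; oldver = ver } else { bad = 1 } }
      if (b[1] == nb) { if ($3 == nt) { cur = 1 } else { bad = 1 } }
    }
    END {
      if (bad)             print "unexpected-signer"
      else if (old && cur) print "both-loaded symantec=" oldver
      else if (old)        print "symantec-only symantec=" oldver
      else if (cur)        print "broadcom-only"
      else                 print "none"
    }'
}

# On a Mac, classify the live listing; elsewhere, fall back to the constructed sample.
if command -v systemextensionsctl >/dev/null 2>&1; then
  systemextensionsctl list | classify_sysext
else
  sample_listing | classify_sysext
fi
```

A `both-loaded symantec=9.0.2/9.0.2` result matches the listing in this article; after installing the Legacy.app.pkg and rebooting, compare the reported Symantec-signed version against that value.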

Attachments

1621018011541__Symantec Endpoint Protection Legacy.app.pkg