Upgrade of SEP for Mac to version 14.3 MP1 leaves Symantec systemextension still loaded

Article ID: 197154

Products

Endpoint Protection

Issue/Introduction

Upgrade of SEP for Mac to version 14.3 MP1 leaves Symantec systemextension still loaded, even after several reboots:

[email protected] ~ % systemextensionsctl list
2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
*	*	9PTGMPNXZ2	com.symantec.mes.systemextension (9.0.2/9.0.2)	Symantec System Extension	[activated enabled]
*	*	Y2CCP3S9W7	com.broadcom.mes.systemextension (9.0.4/9.0.4)	Symantec System Extension	[activated enabled]
[email protected] ~ %

You may also see com.symantec.mes.systemextension crash reports in /Library/Logs/DiagnosticReports, as the old extension continues to try to load.

Cause

This results from deploying with SEPRemote.pkg, combined with Apple's current requirement for user interaction when installing or removing a *.systemextension.

SEP 14.3 MP1 and newer use a Broadcom-signed extension instead of the older Symantec-signed one (note the two different team IDs in the listing above). Because of this, SEP cannot upgrade the old extension in place; the old extension must be removed.

Symantec is aware of this issue and this article will be updated as new information becomes available.

Resolution

Workaround: do not use SEPRemote.pkg to upgrade SEP for Mac versions older than 14.3 MP1. Use the Symantec Endpoint Protection Installer app instead; it prompts for permission to move the old product to the trash, which uninstalls the old *.systemextension as part of the upgrade. This requires local user interaction and a reboot after the upgrade to completely remove the old software.

To clean up an installation that lists two versions of the SEP *.systemextension: uninstall the new product using the product menu's "Uninstall" choice, reinstall the old product, and then uninstall the old product by using its app menu or by dragging the app icon to the trash. This should properly uninstall the old extension. Apple also provides a "systemextensionsctl uninstall" command, but it currently requires SIP to be disabled.

There is some improvement in upgrades to SEP 14.3 RU1: the most recent 14.3.x system extension will be removed in such an upgrade but any older extensions already present (from previous upgrades) will still remain.
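
To find Macs in the state described in this article, the following added example (not Broadcom's own tooling) reads `systemextensionsctl list` output and reports whether the Symantec-signed extension is still loaded next to the Broadcom-signed one. The function names and status strings are assumptions made for this example; the sample input is the listing shown above.

```sh
#!/bin/sh
# Added example: report whether the old Symantec-signed system extension is
# still loaded next to the Broadcom-signed one.
OLD_BUNDLE="com.symantec.mes.systemextension"   # bundle ID from the listing
NEW_BUNDLE="com.broadcom.mes.systemextension"   # bundle ID from the listing

# Reads `systemextensionsctl list` output on stdin and prints one status:
#   stale-old-extension  both extensions are [activated enabled]
#   old-only             only the Symantec-signed extension is loaded
#   clean                only the Broadcom-signed extension is loaded
#   not-installed        neither is loaded
# Assumption: only rows in the [activated enabled] state count as loaded.
sep_extension_status() {
    awk -v old="$OLD_BUNDLE" -v new="$NEW_BUNDLE" '
        /\[activated enabled\]/ {
            # The bundle ID is its own whitespace-separated field, so this
            # works whether columns are split by tabs or by spaces.
            for (i = 1; i <= NF; i++) {
                if ($i == old) have_old = 1
                if ($i == new) have_new = 1
            }
        }
        END {
            if (have_old && have_new) print "stale-old-extension"
            else if (have_old)        print "old-only"
            else if (have_new)        print "clean"
            else                      print "not-installed"
        }'
}

# The listing shown in this article, rebuilt with printf so the tabs survive.
sample_list_output() {
    printf '%s\n' '2 extension(s)' '--- com.apple.system_extension.endpoint_security'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\t9PTGMPNXZ2\t%s (9.0.2/9.0.2)\tSymantec System Extension\t[activated enabled]\n' "$OLD_BUNDLE"
    printf '*\t*\tY2CCP3S9W7\t%s (9.0.4/9.0.4)\tSymantec System Extension\t[activated enabled]\n' "$NEW_BUNDLE"
}

# On a Mac, check the live state; elsewhere, run against the sample listing.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | sep_extension_status
else
    sample_list_output | sep_extension_status
fi
```

A result of stale-old-extension marks a Mac that needs the cleanup procedure above; old-only marks one that has not been upgraded yet.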