How to troubleshoot errors, performance issues, or other unexpected behavior in SES/SEP for Mac (Symantec Endpoint Protection or Symantec Endpoint Security for Mac).
SEP/SES for Mac
First, one at a time, disable or withdraw the AutoProtect, Firewall, Intrusion Prevention (Firewall & IPS), and Device Control policies, and re-test after each. For this testing it is often most convenient to unlock the corresponding policies at the management console so that the local user has control over the feature toggle switches in the client UI. If symptoms do not recur after disabling a particular component, stop and focus troubleshooting on that area. If you are working with an endpoint where client control is enabled, these policies correspond to the "Advanced" settings area in the SEP client GUI and the toggle switches there for "Protect My Mac->Automatic Scans", "Intrusion Prevention->Vulnerability Protection & Firewall", and "Device Control".
If symptoms still recur after disabling all the features as directed above, open macOS System Preferences at the client and open Network settings. Look for the "SEP Network Security" service. Select it and choose "Make Service Inactive" from the gear menu at the bottom. Click "Apply". Ignore any "At Risk - Finish Setup" prompts from SEP, test your networking performance, and note whether it has improved. If so, you have isolated the problem to the SEP macOS networking extension.
Beginning in SEP 14.3 RU2, you can disable SEP Network Security and there will be no request from SEP to re-enable it if you have also disabled or withdrawn Firewall and Intrusion Prevention (IPS). As soon as either of those policies is enabled, SEP will ask to re-enable the network content filter. Also starting with 14.3 RU2, you may disable the content filter remotely if the Mac is under Mobile Device Management (MDM): remove the approval for the SEP Mac Web Content Filter in the MDM profile, and if the FW+IPS policies are disabled in RU2, the "SEP Network Security" entry disappears from the macOS Network settings. If the content filter is reloaded and the local user approves it, MDM won't have any control over it and the local user must remove or disable it.
The SEP client can be deployed without the content filter enabled, under the following conditions:
su - "$loggedInUser" -c "'$SEP_APP' -loadNetworkProfile &"
This command is what loads the network content filter (NCF), even though a package with FW+IPS disabled has no need for it. To work around this, use the Jamf Composer tool to open the pkg, convert it to source, comment out the command in that script, and recompile into a new pkg.
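The "comment out the command" step can be scripted and checked before the package is rebuilt. The following is an added example, not code from Symantec or Jamf: it comments out any active -loadNetworkProfile line in a script and confirms none is left. The function names and the "NCF load disabled" marker are assumptions, and the script path must be supplied because this page does not name it.

```shell
#!/bin/sh
# Added example, not Symantec's or Jamf's code. Run it against the install
# script taken from the package after "convert to source"; that script's
# name and location are not given on this page, so pass the path yourself.

# Count lines that still run -loadNetworkProfile, i.e. are not comments.
count_active_ncf_loads() {
    # grep -c prints 0 but exits 1 when nothing matches, hence "|| true".
    grep -Ec '^[[:space:]]*[^#[:space:]].*-loadNetworkProfile' "$1" || true
}

# Comment out every active -loadNetworkProfile line, keeping the original
# text after a marker so the change is easy to audit and to revert.
disable_ncf_load() {
    script=$1
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 2; }
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*#/            { print; next }   # already a comment: keep
        /-loadNetworkProfile/ { print "# NCF load disabled: " $0; next }
                              { print }
    ' "$script" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so its mode (executable) is kept.
    cat "$tmp" > "$script"
    rm -f "$tmp"
    # Succeed only if no active invocation is left.
    [ "$(count_active_ncf_loads "$script")" -eq 0 ]
}

# Optional command-line use: sh this_file.sh /path/to/install/script
[ "$#" -eq 0 ] || disable_ncf_load "$1"
```

Running count_active_ncf_loads against the script from the recompiled pkg should report 0 before the package is deployed.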