Symantec Endpoint Protection Linux agent is reporting licensing errors and was unable to update its definitions.
search cancel

Symantec Endpoint Protection Linux agent is reporting licensing errors and was unable to update its definitions.

book

Article ID: 413941

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection Linux Agent is reporting licensing errors and was unable to update its definitions. This issue often occurs after installation, when attempting to manually update definitions using the ./sav liveupdate -u command.

The error message “Antimalware feature is not licensed” and accompanying internal communication errors indicate a breakdown between key Symantec processes.

Environment

14.3 RU6 (14.3.2571.6000)

Cause

The agent logs were filled with an internal communication error, "IPS agent is not running-32603 Internal error," which indicated a breakdown between the `cafagent` and `sisipsdaemon` processes.

Resolution

To resolve this issue, verify and correct the permissions on the RPC pipe files used by the Symantec daemons.

1. Check File Permissions

Inspect the pipe files to ensure they have the correct ownership and permission format.

Example of a correct permission set:

prw-rw----+ 1 sisips dcscaf rpc_event.pipe

2. View the Restrictive ACL

Use the getfacl command to check if extended Access Control Lists (ACLs) are restricting the cafagent from communicating properly:

getfacl /opt/Symantec/sdcssagent/IPS/rpc/rpc_request.pipe

Save or note the output for reference before making changes.

3. Remove the ACLs

Remove all extended ACLs from the three pipe files using the following commands (requires root or sudo privileges):

sudo setfacl -b /opt/Symantec/sdcssagent/IPS/rpc/rpc_event.pipe
sudo setfacl -b /opt/Symantec/sdcssagent/IPS/rpc/rpc_response.pipe
sudo setfacl -b /opt/Symantec/sdcssagent/IPS/rpc/rpc_request.pipe

4. Verify ACL Removal

Recheck the files to ensure the ACLs were successfully removed. The + symbol at the end of the permissions string should no longer be present:

ls -l /opt/Symantec/sdcssagent/IPS/rpc/

5. Restart the Symantec Agent Service

Restart the cafagent service to reinitialize communication between processes:

sudo systemctl restart cafagent

After restarting, monitor the cafagent.log to confirm the issue is resolved. The -32603 RPC error should no longer appear, and the agent should be able to update its definitions successfully.

By removing restrictive ACLs and correcting IPC pipe permissions, the Symantec Endpoint Protection Linux Agent restores proper communication between cafagent and sisipsdaemon. This resolves the “Antimalware feature is not licensed” and internal error messages, allowing the agent to perform updates and licensing checks normally.

Powered by Wolken Software