Frequently Asked Questions for Endpoint Protection for Linux

book

Article ID: 162054

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

This article covers frequently asked questions for Symantec Endpoint Protection (SEP) for Linux.

Resolution

Which operating systems and kernel versions are supported?

For a List of Linux Distributions and Kernels with Precompiled Auto-Protect Drivers/Modules for Symantec Endpoint Protection for Linux 14.x

For specific SEP version requirements, see Release notes, new fixes, and system requirements for all versions of Endpoint Protection.

Is SEPM on Linux Supported?

SEPM install is only supported on Windows Servers.

What are the requirements or pre-requisites for installing SEP for Linux?

See Installing the Symantec Endpoint Protection client for Linux for information on installing SEP for Linux.

What components are supported on SEP for Linux?

SEP for Linux supports AutoProtect (real-time scanning) and scheduled scans. Network protection components, such as IPS and firewall, are not available. 

Can I push deploy the SEP for Linux client from the SEP Manager?

Push deployment from the Symantec Endpoint Protection Manager (using the Client Deployment Wizard) is NOT supported.

What if I wish to perform a major upgrade of OS or kernel with SEP installed? Is a reinstallation needed?

For minor updates to the Linux OS, such as (RHEL) 5U6 to (RHEL) 5U7, the SEP client can remain in place. However, if the new kernel version is not supported by the pre-built Auto-Protect kernel modules provided with the SEP client, the modules must be recompiled after the Linux OS upgrade completes; this process is not automatic and must be initiated by the end-user.

For a major update to Linux OS on a client system (e.g. from RHEL 5 to RHEL 6), we require temporarily removing the SEP client and cleanly reinstalling the compatible version after an upgrade to avoid possible corruption to logs and Symantec Endpoint Protection components.

What if I want to upgrade SEP to a newer version?

See Supported upgrade and migration paths to Symantec Endpoint Protection.

Can I use the feature Upgrade Groups with Package (auto-upgrade) for Linux machines?

No. AutoUpgrade does not work for Linux machines.

There's no Add or Remove programs for SEP. How do I uninstall?

See Uninstalling the SEP client for Linux for information.

What are the different ways to update the content on SEP for Linux clients?

You can update the SEP client that is installed on Linux in the following ways:

Can a SEP for Linux client get updates from a Group Update Provider (GUP)? And, can a SEP for Linux client act as a GUP?

No, the SEP for Linux client cannot act as GUP, nor can it receive updates from a GUP.

How often are updates for SEP for Linux released?

Daily, once usually in the morning Pacific Time (west coast, USA).

How do I know whether or not the SEP for Linux client is managed?

To check management status using commands in a terminal window:

  1. Browse to:
    /opt/Symantec/symantec_antivirus
  2. Enter the following command to display the management status:
    #./sav manage -s

To check in the client user interface, look under Management. Server shows the IP address or hostname of the management server.

Is it possible to convert an unmanaged SEP for Linux client to a managed client?

Yes. See Importing client-server communication settings into the Linux client​.

Is Active Directory or LDAP integration supported for Linux clients?

Linux computers that are AD/LDAP members may not appear correctly in SEPM-imported OUs. This is by design. As of SEP 12.1 RU6, Mac and Linux SEP clients may only be managed using SEPM-defined groups.

I can send Linux clients a command to become an Unmanaged Detector or to enable or disable Network Threat Protection, but nothing happens. Why?

Even though the command can be sent, these features are not supported for SEP for Linux clients.

How can I disable/enable the SEP client on Linux?

Virus and Spyware Protection can be disabled (or enabled) with the following commands:

# /etc/init.d/rtvscand stop
# /etc/init.d/symcfgd stop
# /etc/init.d/smcd stop

More options: {start|stop|status|report|restart|condrestart}

Is Location Awareness supported for SEP for Linux?

No.

Does SEP for Linux scan symbolic links?

By default, the SEP client for Linux does not scan symbolic links, commonly referred to as symlinks or soft links. This is a change in the scanning behavior from Symantec Antivirus (SAV) for Linux, which scanned symbolic links by default. See Enabling the scanning of symbolic links in Symantec Endpoint Protection for Linux for more information.

Can SEP for Linux clients be switched to User Mode?

SEP for Linux will register only in computer mode and cannot be switched to user mode.

How can I lock down settings for SEP for Linux clients?

There are not many changes that the end-user can make. As of 12.1 RU6, the client user interface for SEP for Linux has only one button, LiveUpdate

How can I prevent SEP for Linux users from manually launching LiveUpdate from the client user interface?

SEP for Linux does not support the Client User Interface Control Settings.

Does SEP for Linux perform email scanning?

No. SEP for Linux is only a file system antivirus and anti-spyware solution.

How do I perform the secars test on a system where SEP for Linux is installed?

Use the following command to perform a test, where SEPM_IP_OR_HOSTNAME is the IP address or hostname of the management server, and PORT is the appropriate port number.

# wget http://SEPM_IP_OR_HOSTNAME:PORT/secars/secars.dll?hello,secars

Where can I find logs for troubleshooting?

LiveUpdate: LiveUpdate logging is saved by default to /opt/Symantec/LiveUpdate/liveupdt.log.

LiveUpdate logging is always on. You can change the default LiveUpdate log file path by editing /etc/liveupdate.conf. See The default contents of liveupdate.conf in Symantec Endpoint Protection for Linux for more information.

defutil: By default, defutil logging is saved to /opt/Symantec/virusdefs/defutil.log.

You check defutil logs if the LiveUpdate log indicates a successful session, but the definitions do not update. For example, you might see the error "Failure in post processing" error at LiveUpdate command line.

To debug these errors, enable defutil logging:

  1. Edit or create the file /etc/symc-defutils.conf.
  2. In this file, create the section [defutillog], if it does not exist.
  3. Under this section heading, add the line defutillog_name=defutil.log.

Example of an entry in symc-defutils.conf:

[defutillog]
defutillog_name=defutil.log

What about Communication Module/Sylink debugging?

Communication Module/Sylink logging is saved to /var/symantec/Logs/debug.log.

To enable debug logging:

  1. Create a new text file named /etc/symantec/log4j.properties, with the following contents:
    log4j.appender.A1=org.apache.log4j.FileAppender
    log4j.appender.A1.fileName=/var/symantec/Logs/debug.log
    log4j.appender.A1.layout=org.apache.log4j.PatternLayout
    log4j.appender.A1.layout.ConversionPattern=%d{%Y-%m-%dT%H:%M:%S.%l%Z} %t %p %c{2.EN_US} %m%n
    log4j.rootCategory=DEBUG, A1
  2. Restart the smc daemon:
    sudo service smcd restart

For remote scan, which file systems are supported by Auto-Protect?

Auto-Protect only supports five file system types: SMBFS, CIFS, AFS, NFS, and VMHGFS

How do I enable vpdebug logging?

Use the following command to enable vpdebug logging:

# ./symcfg add --key '\Symantec Endpoint Protection\AV\ProductControl\' --value 'Debug' --data 'ALL' --type REG_SZ

Repeat the same command with no value for data to turn it OFF:

# ./symcfg add --key '\Symantec Endpoint Protection\AV\ProductControl\' --value 'Debug' --data '' --type REG_SZ

How do I collect diagnostic information for the SEP for Linux client?

There are two methods for gathering diagnostic information on Linux clients:

  1. sadiag.sh (preferred)
    See: How to collect diagnostic information for the SEP for Linux client. This utility is installed with the SEP client. It is found on a Linux client at /opt/Symantec/symantec_antivirus/sadiag.sh, by default. This option creates a tar.bz2 file.
     
  2. Symdiag for Linux
    You can download this utility through the following article: Download SymDiag to detect Symantec product issues2
    This option creates a .sdbz file which can be analyzed by Symantec Support.

For information on viewing individual log files and configuring addtional logging options on a Linux client, see Overview of log and configuration files in Symantec Endpoint Protection for Linux.

What are the common disk space requirements for SEP for Linux?

See the online Symantec Endpoint Protection Installation and Administration Guide and "System Requirements" section. As of SEP 14.3 MP1,  Symantec Endpoint Protection client for Linux system requirements are 1 GB of RAM and 7 GB of available hard disk space.

Does SEP for Linux support XFS file systems that contain inode64 attributes?

XFS file systems that contain inode64 attributes are only supported if SEP 14.2 MP1 (14.2.1015.0100) or newer is installed.