Endpoint Protection


EndPoint protection just quits on a Mac

  • 1.  EndPoint protection just quits on a Mac

    Posted Apr 13, 2016 04:05 PM

    SEP appears to just stop updating signatures and running scheduled scans on Mac clients - w/o as much as a peep from SEPM or the clients. The only indication we could get so far is an "old signatures" report - which we have adjusted since from 14 to 2 days, and programmatically check for certain log file age giving us an idea when the last scan was run.

    I'd like to reiterate that this loss of protection appears to be silent: there's no indication in the icon, or in the management console, that a client's last sigs update failed, and that it didn't run a scheduled scan.

    Note in the screenshots below how the "last updated" timestamp is April 4 while the Definitions are from March 25 - over 10 days old.

    This started happening on 12.1.5 and keeps happening on 12.1.6 (12.1.6465.6200f1), on random systems.

    Screen Shot 2016-04-04 at 2.33.37 PM.jpg

    How do we fix this?

    Thanks!



  • 2.  RE: EndPoint protection just quits on a Mac

    Posted Apr 13, 2016 06:13 PM

    Since it's an on-going issue, have you engaged support?



  • 3.  RE: EndPoint protection just quits on a Mac

    Posted Apr 14, 2016 12:08 PM

    Not yet - but I will. The purpose of my post was to engage other users and experts who might have experienced this issue, and who could perhaps explain how to configure SEPM and SEP clients to actually report failures.



  • 4.  RE: EndPoint protection just quits on a Mac

    Posted Apr 20, 2016 04:58 PM

    Support case 10375913 initiated. Took a while: neither we nor Symantec could find our "support ID" in their system.

    Here is a little more info on what's transpiring, for posterity.

    Symptoms of Symantec EndPoint Protection (SEP) LiveUpdate failure:

    1. Outdated definitions (older than 1-2 days)
    2. Failure to run a scheduled daily scan (supposed to run daily at 4am on our systems)
    3. Failure to initiate a full scan (nothing happens when starting a full or a "custom" scan)
    4. LiveUpdate reports downloading and updating definitions yet the definitions timestamp and version aren't updated, remain as they were
    5. (Optionally) "Virus and Spyware Protection is disabled" in SEP
    6. No errors or alerts in SEPM/CLU or other indications of SEP failing.
    7. "Symantec Endpoint Protection could not verify the integrity of one of its components" and other errors in system logs.

    Systems get affected seemingly randomly, at a rate of 2-3 per week.

    Screenshots:

    As of today, two scheduled scans did not run and it's been two days since the last AutoUpdate ran.

    VideoHub-Master Screen Shot 2016-04-20 at 9.34.50 AM.png

     

    Last definitions - three days old, last update - two days old.

    VideoHub-Master Screen Shot 2016-04-20 at 9.35.07 AM.png

     

    Attempting to run a full scan does nothing (normally a new window with scan progress appears).

    VideoHub-Master Screen Shot 2016-04-20 at 9.35.42 AM.png

    A scheduled scan is supposed to run daily at 4am.

    VideoHub-Master Screen Shot 2016-04-20 at 9.39.14 AM.png

    Running LiveUpdate manually:

    VideoHub-Master Screen Shot 2016-04-20 at 9.39.43 AM.png

    Signatures downloaded.

    VideoHub-Master Screen Shot 2016-04-20 at 9.40.20 AM.png

    We're "up to date" now, allegedly.

    VideoHub-Master Screen Shot 2016-04-20 at 9.40.31 AM.png

    Confirming that LiveUpdate ran.

    VideoHub-Master Screen Shot 2016-04-20 at 9.45.45 AM.png

    ...yet the definitions / signatures are still old.

    VideoHub-Master Screen Shot 2016-04-20 at 9.46.01 AM.png
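
An independent check for the symptoms listed in the post above, as an added example that is not part of the original thread and not Symantec code. It assumes you can obtain three timestamps per client (definitions date, last LiveUpdate run, last scan log write); the function names, the two-hour grace period and the sample clock times are assumptions.

```python
import os
from datetime import datetime, time, timedelta

MAX_DEF_AGE = timedelta(days=2)   # the thread's "old signatures" report threshold
SCAN_TIME = time(4, 0)            # scheduled scan runs daily at 4am in the thread
SCAN_GRACE = timedelta(hours=2)   # assumption: time allowed for the scan log to appear

def mtime(path):
    """Modification time of a client log file (paths are site-specific)."""
    return datetime.fromtimestamp(os.path.getmtime(path))

def last_expected_scan(now):
    """Most recent 04:00 slot whose grace period has already passed."""
    slot = datetime.combine(now.date(), SCAN_TIME)
    return slot if now >= slot + SCAN_GRACE else slot - timedelta(days=1)

def check_client(now, definitions_date, last_liveupdate, last_scan_log):
    """Return the silent-failure symptoms that the timestamps reveal."""
    findings = []
    if now - definitions_date > MAX_DEF_AGE:
        findings.append("STALE_DEFINITIONS")
    # LiveUpdate claims a recent run, yet the definitions did not advance.
    if last_liveupdate - definitions_date > MAX_DEF_AGE:
        findings.append("LIVEUPDATE_WITHOUT_NEW_DEFINITIONS")
    if last_scan_log < last_expected_scan(now):
        findings.append("MISSED_SCHEDULED_SCAN")
    return findings

def demo():
    # Constructed sample: dates from the first post's screenshot description
    # (definitions March 25, "last updated" April 4); clock times and the
    # scan-log time are made up for illustration.
    return check_client(
        now=datetime(2016, 4, 4, 14, 33),
        definitions_date=datetime(2016, 3, 25),
        last_liveupdate=datetime(2016, 4, 4, 9, 0),
        last_scan_log=datetime(2016, 4, 1, 4, 10),
    )

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real client, pass `mtime()` of whichever log file your site already watches as `last_scan_log`, and run the check from something outside the product (cron, launchd, or your monitoring agent) so that it keeps reporting when the client itself does not.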



  • 5.  RE: EndPoint protection just quits on a Mac

    Trusted Advisor
    Posted Apr 21, 2016 03:02 AM

    I am suspecting the definitions are corrupted - try removing them and then doing the update again. However I can't find where the definitions are located. But if you do find it, it should hopefully resolve this issue.



  • 6.  RE: EndPoint protection just quits on a Mac

    Posted Apr 21, 2016 10:02 AM

    I am suspecting the definitions are corrupted - try removing them and then doing the update again. 

    If the definitions were corrupted, a restart of the system wouldn't reliably resolve (even only temporarily) the issue - yet it does.

    I suspect a code bug.



  • 7.  RE: EndPoint protection just quits on a Mac

    Posted May 11, 2016 04:09 PM

    To update the thread:

    • Symantec support posited that possibly SEP client installations get corrupted, possibly by an upgrade to a newer version, and suggested a clean re-install for affected systems using RemoveSymantecMacFiles tool. I had my doubts about it (the older SEP version, 12.1.5, was exhibiting the same symptoms, too) - but we ran with it.
    • Did not fix the issue: today one of the systems on which SEP was cleanly re-installed, got affected again: went offline in SEPM, missed a scheduled scan, refused to initiate manual scans, refused to update definitions despite displaying "your software is up to date" in LiveUpdate.

    So we're back to square 1: SEP fails silently w/o any sort of alerts on the client or the management system. A restart fixes it - but that's not a solution to either losing protection on the clients, or to the software's failure to notify admins.



  • 8.  RE: EndPoint protection just quits on a Mac

    Posted May 12, 2016 08:39 AM

    I am a Symantec partner and would be very interested in the outcome of this case.

    I am using the cloud-based product, where Mac is barely an afterthought: You can download the client, but it does not appear in the cloud management console, so there is no way to tell if it is (or isn't) working.

    I am currently investigating Sophos as an endpoint protection alternative because ALL of their clients (Windows, Mac, and Linux) appear in their cloud management console.

     



  • 9.  RE: EndPoint protection just quits on a Mac

    Posted May 19, 2016 01:03 PM

    Hi kahml.  I got your reply to my post in another thread which mentioned this cloud-based SEP + Mac thing, and so I searched further and voila here I am. 

     

    So, all I can ask is what the hell? I was on the verge of starting to offer SEP cloud-managed to Mac customers and now this? Is your information based off multiple clients/instances, and any chance maybe if it's a limited scope that the clients in question are outdated Mac systems or whatever? Just trying to see how prevalent this problem is.

     

    Sigh, about every 6-12 months, Symantec hits me with one of these absolutely stupid "gotchas" of theirs and I then have to do a gut check and ask myself why am I still loyal to them as a Symantec partner. The only thing that keeps me from at least investigating other products is lack of time, and that despite these stupidities, Symantec is still a leader in many areas, but this Mac thing (and a list of other things in the past) often have me wondering what in the hell they are doing. If some idiot in marketing thinks that Macs are too small a market share to bother with, time to wake up and get with it. I don't blame the Mac developers at Symantec, I blame the management decision not to hire enough of them, or to give them priority development resources, or whatever leads to this kind of nonsense.

     

    Ah well, time for lunch. 

     

     



  • 10.  RE: EndPoint protection just quits on a Mac

    Posted May 19, 2016 02:42 PM

    Well, I spoke too soon before I knew what was going on.  Just got a notice from SEP SBE something-something alert that said they're working on better Mac support.  I imagine all customers/.cloud partners got this same alert, it only arrived today May 19 2016. 

    Well, maybe I feel it should have been fully supported sooner but they're certainly working on it now so that's great. 



  • 11.  RE: EndPoint protection just quits on a Mac

    Posted Jun 22, 2016 05:18 PM

    We have another incident of the failure, this time with the newer version, 12.1.6867.6400.

    The behavior is slightly different, in that the node remains "online" in SEPM, and that manual scans work. Other symptoms such as failure to run scheduled scans and LiveUpdate not updating anything despite downloading definitions, remain.

    In other words, the newer version does not seem to resolve the issue.