Endpoint Protection

  • 1.  Linux client not updating from SEPM Webserver

    Posted Sep 30, 2015 02:05 PM

    Hi all,

    I have a new Linux machine with Symantec Endpoint client RU5, which does not have access to Internet. So, this machine does not get updates from Internet.

    I have followed the HOWTO article https://support.symantec.com/en_US/article.HOWTO85034.html, but it does not work for me.

    The machine reports to SEP Manager, but it says "Malfunctionning" (I guess, because of liveupdate not running correctly)

    The Linux LiveUpdate log file says:

    30 sept. 2015 19:33:34 Downloading minitri.flg to /data/symantec/LiveUpdate/tmp/1443634414287/minitri.flg ...
    30 sept. 2015 19:33:34 Connecting to liveupdate.symantec.com:80 via HTTP ...
    30 sept. 2015 19:34:54 Connecting to liveupdate.symantec.com:80 via HTTP ...
    30 sept. 2015 19:36:14 Connecting to liveupdate.symantec.com:80 via HTTP ...
    30 sept. 2015 19:37:34 Connecting to liveupdate.symantec.com:80 via HTTP ...
    30 sept. 2015 19:38:54 Connecting to liveupdate.symantec.com:80 via HTTP ...
    30 sept. 2015 19:39:54 Downloading livetri.zip to /data/symantec/LiveUpdate/tmp/1443634414287/livetri.zip ...
    30 sept. 2015 19:39:54 Connecting to liveupdate.symantec.com:80 via HTTP ...
    30 sept. 2015 19:41:14 Connecting to liveupdate.symantec.com:80 via HTTP ...
    30 sept. 2015 19:42:35 Connecting to liveupdate.symantec.com:80 via HTTP ...
    30 sept. 2015 19:43:55 Connecting to liveupdate.symantec.com:80 via HTTP ...
    30 sept. 2015 19:45:15 Connecting to liveupdate.symantec.com:80 via HTTP ...
    30 sept. 2015 19:46:15 Downloading minitri.flg to /data/symantec/LiveUpdate/tmp/1443634414287/minitri.flg ...
    30 sept. 2015 19:46:15 Connecting to update.symantec.com via FTP ...
    30 sept. 2015 19:47:15 Connecting to update.symantec.com via FTP ...
    30 sept. 2015 19:48:15 Downloading livetri.zip to /data/symantec/LiveUpdate/tmp/1443634414287/livetri.zip ...
    30 sept. 2015 19:48:15 Connecting to update.symantec.com via FTP ...
    30 sept. 2015 19:49:15 Connecting to update.symantec.com via FTP ...
    30 sept. 2015 19:50:15 A LiveUpdate server could not be selected.
    30 sept. 2015 19:50:15
    30 sept. 2015 19:50:15 The Java LiveUpdate session did not complete successfully.
    30 sept. 2015 19:50:15 Return code = -2 001
    30 sept. 2015 19:50:15

     

    I have set up the LiveUpdate policy to have an internal LiveUpdate server whose IP address is "http://192.168.xx.xx" (x = numbers), but I don't know how to check on the Linux client whether that policy is applied or not.

    Also, my SEPM apache-root folder is empty. Does it mean that it does not download content for Linux/Mac machines?

    Last but not least, I have found the post https://www-secure.symantec.com/connect/forums/liveupdate-server-url-linux-servers which talks about the access log file. My file never populates, and I don't know if I need to change the CustomLog format to make it work with my OS language (which is French).

     

    So, I have several questions that I am not able to answer myself.

     

    Any help is appreciated.

     

    Thank you.

     



  • 2.  RE: Linux client not updating from SEPM Webserver

    Posted Sep 30, 2015 02:08 PM

    Has the Linux client checked in recently?

    The folder should be called "cache-root". Is that what you have there? The folder is empty because a client has not connected. Also, logging can be left as is; you shouldn't need to change it.

    You need to enable sylink logging on the Linux client to see what is going on:

    Enabling Sylink logging for the Symantec Endpoint Protection client for Linux

    Another thing you could do is update the client manually with definitions from here:

    https://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep



  • 3.  RE: Linux client not updating from SEPM Webserver

    Broadcom Employee
    Posted Sep 30, 2015 02:17 PM

    Hi,

    The Linux client can be updated using the Intelligent Updater file.
    First download the definitions from
    http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep
    or
    the Symantec FTP site (ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/)

    After downloading the definitions, mark the file executable and install the definitions using the commands below.
    # chmod +x YYYYMMDD-RRR-unix.sh
    # ./YYYYMMDD-RRR-unix.sh

    The format for the Intelligent Updater name is YYYYMMDD-REV-TYPE.sh. Type refers to whether it is for Windows/Linux/Mac and whether it is for a 32-bit or 64-bit machine. SAVFL always uses the 32-bit package, even for 64-bit machines. For instance, to download the Intelligent Updater definitions for a 64-bit Linux machine for August 17th, 2010 and revision 16, the filename would be “20100816-016-unix.sh”

    Note:
    The IU requires the uncompress and uudecode tools to be installed on the Linux machine. It will not succeed without them. You can download these utilities from the distribution mirror directory using one of the following commands as per your distribution.

    To check whether the policy is applied or not, verify the policy serial number in the Linux client GUI.

    Refer to this guide; it should be helpful: Symantec Endpoint Protection for Linux Frequently Asked Questions (SEP for Linux FAQ)

    http://www.symantec.com/docs/TECH231013



  • 4.  RE: Linux client not updating from SEPM Webserver

    Posted Sep 30, 2015 02:19 PM

    Oh, I am tired ^^

    Yes, it is called "cache-root", not apache-root.

    I will check for that sylink logging tomorrow and keep you updated. Thank you.



  • 5.  RE: Linux client not updating from SEPM Webserver

    Posted Sep 30, 2015 02:21 PM

    Sounds good, thanks.



  • 6.  RE: Linux client not updating from SEPM Webserver

    Posted Oct 01, 2015 04:14 AM

    Hi all,

     

    I would like to avoid doing the update manually. At the moment I have only one Linux server as a test. Then, the idea is to use several machines with Linux (about 10/15 machines). So it will be a bit difficult to update that manually for each server.

     

    ᗺrian,

    I have enabled the Sylink logging, but I am unable to understand anything ^^ and the only error I have found is something about savtray (I think it does not matter).



  • 7.  RE: Linux client not updating from SEPM Webserver

    Posted Oct 01, 2015 04:39 AM

    Please attach the sylink log and I will try to find if there is anything wrong.



  • 8.  RE: Linux client not updating from SEPM Webserver

    Posted Oct 01, 2015 05:02 AM

    Here is the debug.log file



  • 9.  RE: Linux client not updating from SEPM Webserver
    Best Answer

    Posted Oct 13, 2015 10:00 AM

    Resolved !

     

    My mistake.

     

    I had not set up the server link correctly.

     

    In the policy, I had written http://ServerIP

    instead of http://ServerIP:8014/luproxy

    After that, it works as it should: well :)

     

    Original text from https://support.symantec.com/en_US/article.HOWTO85034.html:

    Update LiveUpdate policy for Mac and Linux clients to point to new LiveUpdate server

    Take the following steps to update your LiveUpdate policy for Mac and Linux clients for your desired groups. Once the policy is updated, these clients will point to the newly configured Apache Web server for downloading LU content.

    1. Within Symantec Endpoint Protection Manager, click Policies > LiveUpdate. On the LiveUpdate Settings tab, double-click the LiveUpdate Settings policy that applies to your desired groups.
       
    2. Click Use a specified internal LiveUpdate Server under Mac Settings > Server Settings (or Linux Settings > Server Settings) and specify the name "SEPM HTTP LU Proxy," with the corresponding URL:  http://ServerIP or ServerName:8014/luproxy

    Thank you for help
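
    The question from the first post (how to tell on the Linux client which LiveUpdate server is actually in use) can be answered from the LiveUpdate log itself. The following is an added example, not part of the original posts or of Symantec's tooling: it assumes the log line format shown in the first post, and the sample log and the 192.0.2.10 address are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the format of the log excerpt in the first post.
SAMPLE_LOG = """\
30 sept. 2015 19:33:34 Downloading minitri.flg to /data/symantec/LiveUpdate/tmp/1443634414287/minitri.flg ...
30 sept. 2015 19:33:34 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:34:54 Connecting to liveupdate.symantec.com:80 via HTTP ...
30 sept. 2015 19:46:15 Connecting to update.symantec.com via FTP ...
30 sept. 2015 19:50:15 A LiveUpdate server could not be selected.
30 sept. 2015 19:50:15 Return code = -2 001
"""

# "Connecting to HOST[:PORT] via PROTO"; the port is optional (FTP lines omit it).
CONNECT_RE = re.compile(
    r"Connecting to (?P<host>[^\s:]+)(?::(?P<port>\d+))? via (?P<proto>\w+)"
)
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def servers_contacted(log_text):
    """Count connection attempts per (protocol, host, port) seen in the log."""
    attempts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        proto = m["proto"].lower()
        port = int(m["port"]) if m["port"] else DEFAULT_PORTS.get(proto)
        attempts[(proto, m["host"].lower(), port)] += 1
    return attempts


def check_policy(log_text, expected_url):
    """Compare the servers the client tried against the URL set in the policy."""
    u = urlsplit(expected_url)
    expected = (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))
    attempts = servers_contacted(log_text)
    return {
        "expected": expected,
        "expected_attempts": attempts.get(expected, 0),
        "other_servers": sorted(k for k in attempts if k != expected),
        "session_failed": "could not be selected" in log_text,
        # The HOWTO quoted above requires port 8014 and the /luproxy path.
        "url_has_luproxy_path": u.path.rstrip("/") == "/luproxy",
    }


if __name__ == "__main__":
    print(check_policy(SAMPLE_LOG, "http://192.0.2.10:8014/luproxy"))
```

    Zero attempts against the expected server, with only the public Symantec hosts listed under `other_servers`, means the client is not using the internal LiveUpdate URL from the policy.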