Endpoint Protection

  • 1.  Scan engine is malfunctioning - Ubuntu

    Posted Apr 14, 2016 07:04 AM

    I am trying to test Symantec Endpoint Protection Manager 12.1.6 installed on Windows with the protection client installed on a headless Linux machine.

    I have generated the zip package from the SEPM and successfully extracted it and installed the client on Ubuntu. I can see in SEPM that the Linux machine is successfully connecting to the SEPM.

    I have successfully connected to LiveUpdate and downloaded updates with

    $ cd /opt/Symantec/symantec_antivirus/
    $ sudo ./sav liveupdate -u

    but when I try to load those updates in with

    $ sudo ./sav definitions -u

    I get the error that 'Scan engine is malfunctioning'.

    I also see this error when I run

    $ ./sav info -a

    (If it helps track this down, if I run '$ sudo ./sav liveupdate -u' again I get the error again but with a typo 'Scan engine is malfunctionioning' (note the onion)).

    Looking in /var/symantec/Logs/debug.log I also see the error:

    -1300243648 ERROR smc.SmcIPCManager Could not contact savtray. err: -1


    On reading the articles http://www.symantec.com/connect/articles/sav-linux-scanning-best-practices-somewhat-illustrated-guide and https://support.symantec.com/en_US/article.TECH95496.html I thought perhaps I would need to compile my own version of Auto-Protect as the kernel for my Linux machine is 3.2.0-101-virtual.

    (Full details from 'uname -a' are:

    Linux vagrant-ubuntu-precise-32 3.2.0-101-virtual #141-Ubuntu SMP Thu Mar 10 22:39:01 UTC 2016 i686 i686 i386 GNU/Linux

    )

    So, I followed the instructions in the second article, using the build.sh file in the directory src/ap-kernelmodule-12.1.6867-6400/ from the unzipped package I got from the SEPM.

    In case it's important, the only issue I had with the process was at the end when running

    $ sudo /etc/init.d/rtvscand restart

    rtvscand can't be stopped in order to be restarted.

    I thought just restarting the actual Linux machine would do the job of restarting rtvscand, but I still see the 'Scan engine is malfunctioning' error.

    Can anyone suggest what to try next?

    Thanks



  • 2.  RE: Scan engine is malfunctioning - Ubuntu

    Trusted Advisor
    Posted Apr 14, 2016 11:57 AM

    I'd suggest trying to run SymDiag Linux on this client and see what else it throws up

    https://support.symantec.com/en_US/article.TECH170752.html

    and follow the steps.

    However, with the savtray error, I'm assuming you're not running any KDE or Gnome graphical desktop environment?



  • 3.  RE: Scan engine is malfunctioning - Ubuntu

    Posted Apr 14, 2016 01:26 PM

    Hi Tony, no I'm not using KDE or GNOME: I'm eventually intending to run Antivirus on a headless web server.

    And on that note, I ran symdiag.run and got the following error message:

    ######### Symantec Diag v 2.1.160 #########
    ######### Report Version 20160222 #########
    Time :  Thu Apr 14 17:04:14 UTC 2016
    
    Checking for updates via HTTPS
    100%[======================================>] 61          --.-K/s   in 0s
    
    2016-04-14 17:04:16 (15.8 MB/s) - `/tmp/tmp.L0Ge7c6BJG' saved [61/61]
    
    You are already using updated version
    
    Extracting contents ...
    Unable to determine Linux configuration.
    
    Using default configuration for RedHat/Fedora/CentOS
    Starting SymDiag
    
    Collecting information about installed/available Memory...
    The exception information has been sent to Symantec:
    
    An exception was thrown by the type initializer for System.Drawing.GDIPlus
      at System.Drawing.KnownColors..cctor () [0x00000] in <filename unknown>:0
    ./libgdiplus.so
      at (wrapper managed-to-native) System.Drawing.GDIPlus:GdiplusStartup (ulong&,System.Drawing.GdiplusStartupInput&,System.Drawing.GdiplusStartupOutput&)
      at System.Drawing.GDIPlus..cctor () [0x00000] in <filename unknown>:0
    
    Do you want to copy this information to the clipboard?
    Press any key to continue...
    Thank you for using SymDiag

    Is there a switch to run it without a gui? I've found

    $ sudo ./symdiag.run  -s

    but all I get is

    ######### Symantec Diag v 2.1.160 #########
    ######### Report Version 20160222 #########
    Time :  Thu Apr 14 17:21:45 UTC 2016
    
    Checking for updates via HTTPS
    100%[======================================>] 61          --.-K/s   in 0s
    
    2016-04-14 17:21:46 (18.3 MB/s) - `/tmp/tmp.IhAbml5RQ2' saved [61/61]
    
    You are already using updated version
    
    Extracting contents ...
    Unable to determine Linux configuration.
    
    Using default configuration for RedHat/Fedora/CentOS
    Starting SymDiag
    
    Collecting information about installed/available Memory...
    Thank you for using SymDiag

    and I'm not sure what to do with that?

    Thanks



  • 4.  RE: Scan engine is malfunctioning - Ubuntu

    Trusted Advisor
    Posted Apr 14, 2016 02:41 PM

    I don't dabble with Linux SEP very much, so I can only give you limited advice. But...

    From what I can see, the -s switch is for use on the Windows platform, so I don't think there's one for Linux. It would appear SymDiag requires a GUI for this to work, if I read it right, due to this error message

    System.Drawing.GDIPlus:GdiplusStartup

    Now, to your SEP installation issue - to be honest, I am at a loss as to why this is not working for you. I had a search in this forum and couldn't see anyone else experiencing the same issue as you. But all I can see is that the SEP client *should* work without a GUI.

    Might be worth removing it and starting all over again and if it still does not work, raise a support case with Symantec and see what they say. If you do get an answer, it might be good to share it by posting here for others.



  • 5.  RE: Scan engine is malfunctioning - Ubuntu

    Posted May 11, 2016 05:15 AM

    Hi Tony, I opened a case with support and it sounds like it just isn't going to work without a GUI. The resolution written on the (now closed) support case was 'component would malfunction in a headless linux box'.

    Thanks,

    David



  • 6.  RE: Scan engine is malfunctioning - Ubuntu

    Trusted Advisor
    Posted May 11, 2016 06:31 AM

    Thanks for the update. So, my earlier thoughts were indeed spot on. Shame, really, as it would have been good if it could work on a headless box. :(



  • 7.  RE: Scan engine is malfunctioning - Ubuntu

    Broadcom Employee
    Posted Jun 10, 2016 06:35 PM

    Re: the error with symdiag.run...we have done work on our utility to remove unintended references to dialogs that cause this particular exception.  Ironically, it is some error code that wants to produce a dialog.  Hopefully, in our latest release we have removed any last such code so that if there is an error in data collection (a not too uncommon occurrence) it won't produce an exception such as this.

     



  • 8.  RE: Scan engine is malfunctioning - Ubuntu
    Best Answer

    Posted Oct 28, 2016 01:22 PM

    I just wanted to chime in here because I noticed in your original post that you weren't running ./sav as root. In my experience, you will always get the message "Scan engine is malfunctioning.":

    $ ./sav info --engine
    Scan engine is malfunctioning.
    $ sudo ./sav info --engine
    151.1.0.15