Endpoint Protection

We have purchased SEP for Mac licenses and installed on several test user's Apple laptops. This is to determine if this product is a viable AV option for a large number of executives across several companies.  Since the computers will be either mobile or remote, this will be an unmanaged application.

The biggest complaint I've received is during startup SEP will not work in the background without prompting the user, and it requires a 66.4MB update every time the computer is turned on. I have tried using the Symantec Scheduler to "Do not show progress", but something always overrides the setting. I have already gone through several channels of support to try and resolve this.

Many of the test users are reporting that the interface is very obtrusive with its "constant nagging" and confusing prompts. The other issue is some computers use AirCards for Internet access and pay a monthly fee for limited bandwidth. SEP downloads a 66.4MB update every time the computer is restarted, and in one instance it has become very costly for the user.

We can easily get volume licensing through Symantec, however if we cannot resolve these two issues we will pursue another AV solution. In one scenario, the client will likely drop their entire Symantec solution altogether.

Any suggestions or guidance will be appreciated.  Thank you.

more information on Liveupdate and FAQ on this link

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010062409301948

not aware of the 66 MB download for update everytime!

The way LiveUpdate works with SEP for Mac does mean that the updates are larger - the client cant always take microdefs - thats something we are working to resolve.  I'm not aware of the SEP client running LU everytime it boots though - it should be on the schedule set by the administrator.

Can you give me some more information on what the prompts are that users are seeing?  I'm running SEP for Mac across my three mac's at home and never see any prompts from it!

thanks

Paul,

I'm not sure if this is exactly the same thing that bbeutel is seeing or not, but it sounds like it might be.  My company has a site license for SEP on the Mac and I've installed it on three different Macs, all running Snow Leopard.  On a regular (roughly daily) basis, LiveUpdate launches without warning and performs a full update.  This results in both the LiveUpdate icon showing in the dock and when it completes, the LiveUpdate Summary screen displaying, requiring the user to click OK to dismiss it.

The two issues I have with this behavior is:

1. LiveUpdate runs regularly (I'm guessing daily).  If the Mac is powered down for more than a day or so then it launches very soon after you power it up and log in.  It runs despite the LiveUpdate scheduler application having nothing listed in it to run.  So there's obviously some hidden setting somewhere that's causing it to launch.

2. When it runs it always displays an icon in the dock and the Summary when it completes.  I have users who would rather remove SEP altogether than have it pop up every single day for what they consider to be a useless message.

I have no problem with LU running every day like it is.  In fact I welcome it.  What I don't like though is that there is apparently no way to change the behavior to make it less disruptive to users.  I've been scowering the web for information and found that I can run LU quietly without displaying the Summary information if I invoke the following from a command prompt:

 /Applications/Symantec\ Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate -liveupdateautoquit YES -liveupdatequiet YES --update LUdf

So LU obviously has the ability to NOT display the Summary.  But I don't see any way of preventing the Summary from being displayed by the default way LU runs since there's no listing for it in the scheduler app.  So how do I make the default daily run of LU quiet?  There's got to be a way to add  -liveupdateautoquit YES -liveupdatequiet YES or the equivilant to the default way LU launches every day.  How do you go about doing that?

-Bruce

I have found that unmanaged clients will install with a root-user schedule that does NOT run silently.  If this is the case, you can enter the following in a Terminal window to delete the default schedule.

sudo symsched -d all

Enter the admin password when prompted (it will not echo).

You can then use the GUI Symantec Scheduler to schedule per user, or use sudo symsched (command line) with the -quiet switch.  Here's a document that covers the command-line stuff:  Guide to symsched Command-line Switches

In managed environments, schedules given by the SEPM should be silent by default.

To the original poster, when you say "very obtrusive with its "constant nagging" and confusing prompts" -- can you provide examples?  I ask this in all sincerity.  I can't think of what it could be nagging about aside from definitions being out of date.

sandra

Thanks, that sounds like exactly what I was looking for.  I'll give it a try ASAP.

De nada!  I went to edit my post to add that the sudo symsched would schedule LiveUpdate for all users (would only appear in the GUI Symantec Scheduler for root, though root user does not need to be enabled for the schedule to be set), but I couldn't because you'd replied.

sandra

Bruce P has described the exact same issues I am experiencing as well.  On a daily basis, the SEP interface requires several clicks worth of interaction before it goes away. When the users describe it as "obtrusive and nagging", this is what is happening:

• A few minutes after start up, the bright yellow SEP icon appears on the dock and bounces until you acknowledge it.
   
• Once you do, a window containing the update information appears with OK and Quit buttons. Clicking Quit closes LiveUpdate however since the OK button is on the bottom right of the window, the user's instinctively click it first.
   
• Once OK is clicked, the LiveUpdate options window opens. Closing this window finally puts SEP into the background.
   

I've tried creating a weekly schedule (Monday, 3am, All Products, Quiet) using the sudo symsched command in Terminal as sandra.g described, but it still comes back (in this case, on Thursday) and does the same routine as described above. I've also verified with the GUI that the schedule is indeed active and setup correctly.

The users find this very annoying, and their argument is: "An antivirus program should not bother me unless I have a virus". I completely agree with them, and i've assured them that there must be a solution to fix this.

Also, this is happening on 7 machines now, so it is not localized to one system. 

Thanks to everyone for your feedback.

...the bright yellow SEP icon appears on the dock and bounces until you acknowledge it.

Do you mean the LiveUpdate icon?  The behaviour you are describing sounds like a missed event LiveUpdate running after bootup, one that does not have the "quiet" switch attached to it.

Are these clients installed as standalone clients (that is to say, not being managed by a Windows SEPM server)?  If they are unmanaged, it really sounds to me like the default scheduled LiveUpdate (which is not quiet) is persisting.  If managed, let me know; I don't want to go into that detail if it does not apply.

I've tried creating a weekly schedule (Monday, 3am, All Products, Quiet) using the sudo symsched command in Terminal as sandra.g described, but it still comes back (in this case, on Thursday) and does the same routine as described above. I've also verified with the GUI that the schedule is indeed active and setup correctly.

I'm confused.  The only way you should be seeing a schedule in the GUI created using symsched command line (in conjunction with sudo) is if you are logged in as root.  Is this the case?

Not that it should matter, but do these machines pretty much have just a single user each?

On one of the machines having this issue, please open a Terminal window and enter:

sudo symsched -l

(that's a lowercase L)  Then copy what you see there into a message on this thread (or attach a screen shot to this thread).  Thanks.

sandra

The SEP missed event icon seems to appear a couple times a week, regardless of what the schedule is setup up as and even when using the -quiet command.

These machines are all unmanaged since they are on the road and seldom connect to a network where they can be managed.

"I'm confused.  The only way you should be seeing a schedule in the GUI created using symsched command line (in conjunction with sudo) is if you are logged in as root.  Is this the case?"

Should I be logged in on the Root account while entering the Terminal command?  Having the Root account enabled allows 'sudo' commands to officially run as Root, so typically there isn't a difference.  I've tried both for the record.

Each machine typically only has one user, but occasionally they will be two. Each user has additional profile settings I must manually configure, and the SEP client is one of them.

Entering that command sudo symsched -l did not render a response, whether I was logged in as a user or the Root account.

Screen shot:

Also if it hasn't been mentioned, it is very desirable if the SEP client does not indicate that a schedule was missed if it is able to complete on another date.

Thank you.

So there is no LiveUpdate schedule for all users, or it would display here.

I'm afraid I'm not being clear... I hope this helps.

Setting a schedule LiveUpdate for all users can be done two ways on an unmanaged client:

- the "sudo symsched LiveUpdate...." command entered in Terminal while logged in as another user (I have never tested whether or not a non-admin user could do it).  You do not have to be logged in as root, nor does root even have to be enabled to write the schedule for all users or for LiveUpdate to even run.

- Via the GUI if logged in as root (obviously, in this case, root needs to be enabled, at least to set the schedule).

So if I understand correctly, with no symsched jobs showing for all users per your screenshot, and no LiveUpdate schedule showing in the Symantec Scheduler UI for the individual user, these 'missed events' are running upon login?

How many users typically use a single machine?

sandra

I had the same problem but with an update every hour instead of the once per month set in the GUI. To delete the hourly update:

In terminal