
Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

Created: 16 Dec 2012 • Updated: 28 Dec 2012 | 53 comments
This issue has been solved. See solution.

Before I recommend that my company buy and install SEP (Symantec Endpoint Protection) version 12, I would appreciate it if someone who is an expert on this software could provide me answers to the following question:

Is SEP 12 able to remove viruses from Linux and/or Mac computers?

My company has an assortment of Microsoft Windows 7 computers, Mac computers and Linux (Debian/Fedora/Ubuntu) computers. All of them are managed via Microsoft Windows 2008 server. SEP 12 will be installed on this server.

Thank you in advance for your answer.


.Brian

SEP 12.1 cannot do this.

You need to use SAV for Linux (SAVFL). See this:

http://www.symantec.com/business/support/index?pag...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Be Creative. Be IT

Thanks, my friend, for your advice.

Again, please tell me how to obtain SAV for Linux.

I have searched Symantec's entire website and could not find the purchasing/licensing details for SAV for Linux. How is SAVFL sold or licensed? What is the retail price?

.Brian

SAVFL comes included on the download for SEP 12.1. It should be included in the SAVFL folder on the 12.1 DVD. Do you not see it there?


.Brian

Not exactly sure. Should be a SAVFL folder on there if it is.


Be Creative. Be IT

I suppose SAVFL is to be installed on Linux-based computers, not on the Windows 2008 server?

.Brian

Correct.

You can map a drive to a Linux share and scan that way.


.Brian

Depends on OS, check version requirements here:

http://service1.symantec.com/SUPPORT/ent-security....


.Brian

It supports both 32-bit and 64-bit:

http://www.symantec.com/business/support/index?pag...


Chetan Savade

Hi,

SAVFL comes included on the download for SEP 12.1. Do you see any challenge while installing it on a 32-bit or 64-bit OS?

You will see a similar folder structure for SEP 12.1. It includes all setup files like SEP 32-bit, 64-bit, Mac, Linux, SEPM.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Be Creative. Be IT

Hi Chetan,

Thanks for your reply.

I see that you are a technical support engineer for "Endpoint Security".

Could you please answer my question: Is Symantec Antivirus for Linux able to scan for and remove Linux-specific malware? According to Wikipedia's article on "Linux Malware" ( http://en.wikipedia.org/wiki/Linux_malware ), SAV for Linux is only able to scan for and remove Microsoft Windows-specific malware.

pete_4u2002

SEP for Windows and SAV for Linux are different products.

SAV for Linux cannot be managed by the SEPM.

SEP 12.1 can manage Windows and MAC OS.

Be Creative. Be IT

Thanks for your clarifications.

I have another question.

According to Wikipedia.org under the document titled "Linux Malware" (URL is http://en.wikipedia.org/wiki/Linux_malware ), it states:

Anti-virus applications

There are a number of anti-virus applications available which will run under the Linux operating system. Most of these applications are looking for exploits which could affect users of Microsoft Windows.

For Microsoft Windows-specific threats

These applications are useful for computers (typically, servers) which will pass on files to MS Windows users. They do not look for Linux-specific threats.

Is it true that SAV for Linux does not look for Linux-specific threats but rather Microsoft Windows-specific threats?


Be Creative. Be IT

Thanks for your offer of help but the article that you referred to is more than 11 years old.

Could some expert on the product, Symantec Antivirus for Linux, answer directly to my question please?

Are the claims made by Wikipedia's article on "Linux Malware" about SAV for Linux true?


Be Creative. Be IT

@ pete_4u2002

Please answer my question directly:

Is Symantec Antivirus for Linux able to scan for and remove Linux-specific viruses?

.Brian

Yes.

SAVFL is for Linux-based OSs and will scan for and detect Linux malware.


Mick2009

Hi BCBIT,

Just to confirm:

  • SAVFL will catch Linux threats, Windows threats, and Mac threats.
  • SEP on Windows will catch Linux threats, Windows threats, and Mac threats
  • SEP on Mac will catch Linux threats, Windows threats, and Mac threats
  • Symantec Mobile Security 7.2 / SEP Mobile Edition on Windows Mobile will only catch threats that are designed to work on the Android/WM platforms (not full Windows, Linux or Mac)

(So: if you have a file server that is running Linux, it won't be able to help spread Windows viruses. The same goes vice-versa: a Windows file server will block threats that target Linux machines. SMS 7.2 on an Android phone doesn't have the memory, CPU, etc. to detect every threat for every platform; it just protects itself.)

Here's a couple of articles that will help you to make the most of SAV for Linux:

Do we really need a Antivirus for Linux
https://www-secure.symantec.com/connect/articles/do-we-really-need-antivirus-linux

How to Install SAV for Linux (SAVFL) and Update It Using LUA 2.x (2.3.0.71)
https://www-secure.symantec.com/connect/articles/how-install-sav-linux-savfl-and-update-it-using-lua-2x-23071

SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide
https://www-secure.symantec.com/connect/articles/sav-linux-scanning-best-practices-somewhat-illustrated-guide

Please do update this thread if you need any more info!  I know SAVFL pretty well.  &: )


With thanks and best regards,

Mick

SOLUTION
Be Creative. Be IT

@ Mick2009

Thanks for taking the time to write a rather detailed and informative reply.

But your reply is at odds with Brian1's (see below).

SEP 12.1 cannot do this.

You need to use SAV for Linux (SAVFL). See this:

So who's right?

The person who I think knows a lot about SAVFL is Chetan Savade (he's the technical support engineer for "Endpoint Security") and he has not replied to me yet, despite the fact that I sent him a PM yesterday.

Mick2009

Brian and I are both right.  &: )

SEP must be installed on Windows and Macs.

SEP comes with "SAV for Linux" which is installed on Linux machines.


Be Creative. Be IT

No. Only one of you is right.

Please re-read my original post right at the top of this page, which is reproduced below:

Before I recommend that my company buy and install SEP (Symantec Endpoint Protection) version 12, I would appreciate it if someone who is an expert on this software could provide me answers to the following question:

Is SEP 12 able to remove viruses from Linux and/or Mac computers?

My company has an assortment of Microsoft Windows 7 computers, Mac computers and Linux (Debian/Fedora/Ubuntu) computers. All of them are managed via Microsoft Windows 2008 server. SEP 12 will be installed on this server.

Thank you in advance for your answer.


Be Creative. Be IT

@ Mick2009

  • SAVFL will catch Linux threats, Windows threats, and Mac threats.
  • SEP on Windows will catch Linux threats, Windows threats, and Mac threats

Could you be kind enough to quote the relevant "Knowledge Base" articles to support the above claims? Thanks in advance.

Mick2009

Does Symantec Endpoint Protection Provide Protection Against a Specific Threat?
Article: TECH158071 | Created: 2011-04-14 | Updated: 2011-04-14
Article URL http://www.symantec.com/docs/TECH158071

Here's the Threat List displaying some of the Linux-specific threats.

Opening the Threat List on SEP for Mac or on SAVFL will display their threats, too (threats targeting all OSs).


GeoGeo

Hi BCBI

SEP is not installed on Linux machines; the accompanying product, SAV, is installed on Linux machines. It can detect and delete Linux-based viruses but cannot be controlled via the SEP manager deployed for SEP. SAV is included on the DVD for the SEP product.

Management of Symantec AntiVirus (SAV) for Linux:

http://www.symantec.com/docs/TECH102587


Best practice to install Symantec Antivirus for Linux:

http://www.symantec.com/docs/TECH150596

SEP can only be installed on Windows- or Mac-based machines, but it can scan and detect viruses on shared drives from a Linux machine.

Please review ideas and vote; there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas


Be Creative. Be IT

Hi GeoGeo

The links that you provided do not answer my question at all.

Does SAVFL remove Linux-specific threats or Microsoft Windows-specific threats? Please point out the relevant "Knowledge Base" articles to support your answer. Thanks.

According to Wikipedia's article titled "Linux Malware", SAVFL can only scan, detect and remove MS Windows-specific threats.

Be Creative. Be IT

@ Mick2009

In your earliest post, you made the following claims:

  • SAVFL will catch Linux threats, Windows threats, and Mac threats.
  • SEP on Windows will catch Linux threats, Windows threats, and Mac threats
  • SEP on Mac will catch Linux threats, Windows threats, and Mac threats

I am still waiting for you to provide the links to the relevant "Knowledge Base" articles to support them.

Mick2009

Hi again BCBIT,

Does Symantec Endpoint Protection Provide Protection Against a Specific Threat?
Article: TECH158071 | Created: 2011-04-14 | Updated: 2011-04-14
Article URL http://www.symantec.com/docs/TECH158071

Here's a screenshot of the threat list from a SAV for Linux client. (Just run sav info -t from the command line to generate the threat list on SAVFL.) Linux threats, Mac threats, Windows threats... it will detect them.


GeoGeo

What are you after, the complete attack database that Symantec has on Linux attacks that can be picked up?

Or just confirmation that SAVFL picks up Linux malware and actions it? If so, it was actioned in Mick2009's link by another Symantec employee.

https://www-secure.symantec.com/connect/articles/do-we-really-need-antivirus-linux

Please review ideas and vote; there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas


Be Creative. Be IT

Hi GeoGeo,

Granted that the link https://www-secure.symantec.com/connect/articles/d... answers my question that SAVFL does indeed scan for, detect and remove Linux-specific malware/viruses.

What about the claim by Mick2009 that SAVFL is able to scan for, detect and remove MS Windows- and Mac-specific malware/viruses as well?

Mick2009 further claims that SEP is able to remove viruses/malware from three platforms: MS Windows, Mac and Linux.

Up till now, he hasn't produced the URLs to "Knowledge Base" articles to back up his claims.

.Brian

The point is SAVFL scans for and removes Linux malware.

The links provided above, especially by Mick are very helpful.

I wouldn't put too much stake into what you read on Wikipedia since it can be edited by anyone. From the link you provided to the Wikipedia article, whoever wrote it obviously doesn't know what they're talking about and it needs to be re-written. Maybe I'll fix it today when I get a chance...

Be Creative. Be IT

@Brian81

I wouldn't put too much stake into what you read on Wikipedia since it can be edited by anyone. From the link you provided to the Wikipedia article, whoever wrote it obviously doesn't know what they're talking about and it needs to be re-written. Maybe I'll fix it today when I get a chance...

Please do amend the article titled "Linux Malware" at Wikipedia's site for the benefit of all its readers. Moreover, your action will correct any misconception about what SAVFL can or cannot do. Your amendment will surely benefit Symantec Corporation and create a positive buzz for it.

Now, if only Mick2009 could produce the URLs to the "Knowledge Base" articles that support his claims that (I quote his words)

  • SAVFL will catch Linux threats, Windows threats, and Mac threats.
  • SEP on Windows will catch Linux threats, Windows threats, and Mac threats
  • SEP on Mac will catch Linux threats, Windows threats, and Mac threats

then you could include Mick2009's claims as well in that Wikipedia article.

Mick2009

Hi BCBIT,

Making the collection complete.... With thanks to Mac guru SandraG, here's how to confirm the threat list on a Mac.  (I have confirmed here in my test lab that Linux threats are indeed listed.)

Please update this thread if there is anything additional needed, or do take the time to mark it "solved" for the benefit of future admins with the same question (solved threads are indexed / come up in certain searches).


sandra.g

You're welcome! :)

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Be Creative. Be IT

To: Any Symantec employee

In his earliest post, Mick2009 wrote the following (and I quote him):

SAVFL will catch Linux threats, Windows threats, and Mac threats.
SEP on Windows will catch Linux threats, Windows threats, and Mac threats
SEP on Mac will catch Linux threats, Windows threats, and Mac threats

According to him, SEP on Windows will catch Linux, Windows and Mac threats.

My question is: since my company has an assortment of computers and laptops running MS Windows, Mac and Linux operating systems and all of them are managed by a server running MS Windows Server 2008, is it sufficient for my company to just install SEP on the server to scan for, detect and remove Linux, Mac and Windows threats? In other words, there is no need at all to install SAVFL on Linux-based computers and SAV for Mac on Mac-based machines. Am I correct?

.Brian

SEP is a host-based agent and will only scan the host that it is installed on. There is no way you could possibly install SEP on one machine and expect it to scan all machines on your network, unless you created shares and mapped a drive to those shares from your server that has SEP installed. This would be an impossible task. And not to mention Auto-Protect wouldn't come into play here.

Bottom line, you need to have SEP installed on each host.

Say you have a Linux box that is infected with Linux specific malware and trying to infect other OS based machines (ex. Windows or Mac machine), the SEP agent on the Windows or Mac machine will still detect and stop the attempt on the local host itself but it won't remove the threat from the source Linux host. You would also need to install SAVFL on this Linux host to remediate the infection completely.


Be Creative. Be IT

There is no way you could possibly install SEP on one machine and expect it to scan all machines on your network, unless you created shares and mapped a drive to those shares from your server that has SEP installed. This would be an impossible task. And not to mention Auto-Protect wouldn't come into play here.

Bottom line, you need to have SEP installed on each host.

I didn't know that. Thanks for the detailed explanation. If only someone had explained right at the beginning of this thread that SEP needed to be installed on each host.

But how do you explain the existence of a centrally managed option in SEP? I vaguely remember having seen it during the installation process of SEP. One is asked to choose between "Unmanaged" and "Managed".

I was under the impression that if I chose "Managed", SEP on my Windows 2008 server will scan, detect and remove all malware from machines connected to the server.

Say you have a Linux box that is infected with Linux specific malware and trying to infect other OS based machines (ex. Windows or Mac machine), the SEP agent on the Windows or Mac machine will still detect and stop the attempt on the local host itself but it won't remove the threat from the source Linux host. You would also need to install SAVFL on this Linux host to remediate the infection completely.

What about Mick2009's claims that (and I quote)

  • SAVFL will catch Linux threats, Windows threats, and Mac threats.
  • SEP on Windows will catch Linux threats, Windows threats, and Mac threats
  • SEP on Mac will catch Linux threats, Windows threats, and Mac threats

His claims are so far-fetched. No wonder he has been keeping quiet since the time I asked him for the relevant "Knowledge Base" articles supporting his claims.

.Brian

Managed simply means the SEP client is managed by the SEPM, meaning you can assign policies, receive logs from the client, etc. It is the central management console for all SEP clients that are managed by the SEPM.

Unmanaged means that the client is not managed by the SEPM. All configuration needs to be done on the client instead of thru the SEPM. You cannot manage policy or view logs from the client thru the SEPM. It will all need to be done on the client.

That is all managed and unmanaged mean.

Mick's claims are the truth. Although Windows malware will not run on Linux and Mac and vice versa for all three, it is still possible to physically have a Windows file on a Mac or Linux system. The Mac or Linux OS probably won't recognise it or it won't run but the file can still be there.

As an example, I have people attach their phone via USB. The phone is running the Android OS (Linux based) and some phones will be infected. The SEP client on the Windows machine will detect and clean it even though it is Linux based.

In the past, I've pulled hard drives from machines running the Linux OS and attached them to my Windows machine and scanned with the SEP client. Malware was found and cleaned. So regardless of the OS, SEP will catch and clean if there is a signature for it.

I'm not sure about a KB article as I've never searched for one but I do know SEP can detect malware for Windows, Mac, and Linux.

And just as an FYI, malware is mutating to the point where it will actually detect what OS you're running first, then infect accordingly.

I'm not sure what time zone Mick is in but I'm sure he has a busy schedule. Usually it's harder for some of the Symantec employees to keep a regular presence. But I'm sure he will update when he gets a chance. Hopefully I've explained well enough though. I'm not sure if I can word it any other way. If you're looking for a KB for proof, hopefully it will be provided. I just know, based on my experiences with SEP over the past 4 years, what it can do, and it does work on all three of the OSs.


sandra.g

Mick's claims are the truth. Although Windows malware will not run on Linux and Mac and vice versa for all three, it is still possible to physically have a Windows file on a Mac or Linux system. The Mac or Linux OS probably won't recognise it or it won't run but the file can still be there.

Seconded. An examination of the virus definition list on an installed endpoint clearly displays cross-platform detections: the Mac endpoint, as shown in the screenshot from my own desktop, has a "W32" (Windows) detection at the top of the list. Typing in "Linux" into the "Display names containing" field yields a variety of Linux.*.* threats.


Mick2009

Many thanks for all who have contributed to this thread.  "Thumbs up."  Experiences and advice like the peer-to-peer posts shared here are the best cure for confusion.  It is also possible to contact Technical Support if there are questions or issues which need immediate, professional assistance.

Absolutely, positively, get an AV or security product on every endpoint in the organization. The reason why threats like Downadup still plague some organizations is that there is an infected, undefended desktop or server somewhere in a corner which constantly attempts to re-infect every other machine. Every machine needs an up-to-date AV client and the use of best practice (good password policy, locked-down shares, patches, unnecessary products or services removed....)

Here are two KBs which provide additional details:

Does Symantec Endpoint Protection Provide Protection Against a Specific Threat?
Article URL http://www.symantec.com/docs/TECH158071

How to View the Threat List on Symantec Endpoint Products 
Article URL http://www.symantec.com/docs/TECH200963

Screenshots which illustrate how to generate those lists on every major platform can be found in this thread, above.

Thanks again, all!


Be Creative. Be IT

To: Mick2009, sandra.g and Brian81

Could anyone of you be kind enough to send me 2 zip files? One of them will contain Mac-specific malware, viruses or trojans, while the other zip file will contain Linux-specific ones.

Please do NOT send me Microsoft Windows-specific malware, viruses and trojans. I have enough of them.

Please name the zip files 1.zip and 2.zip.

Please do not tell me what each zip file contains. Let my SEP 12.2 do the scanning and detection.

After I have posted the results of the scans here, then you can tell me the contents of the 2 zip files.

What do you guys think?

Action (read: testing) speaks louder than words (read: posting replies and clarifications here).

Mick2009

Hi BCBIT,

Apologies, there is no way that Symantec will distribute live viruses, even for testing purposes. Eicar is what is used for testing, even by our own Tech Support engineers: www.eicar.org


Be Creative. Be IT

Hi Mick2009,

Thanks for your reply and for pointing out the Eicar file test to me.

I have combed through the entire Eicar website and couldn't find the answer to my question, which is:

Is the Eicar test file a Microsoft Windows-specific malware, a Mac OS-specific malware or a Linux-specific malware?

Mick2009

Eicar is platform-neutral. Linux, Mac, Windows, Netware, mobile security products for Android and Symbian OS, etc.: every AV product on every platform should detect the eicar test file.

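A small helper for the cross-platform detection test Mick describes, added here as an example (it is not code from the thread or from Symantec): it writes the standard EICAR file and checks a candidate file against the published format rules, so the same test file can be scanned by SEP on Windows and Mac and by SAVFL on Linux. The hash constant and the trailing-whitespace rules are taken from eicar.org as assumptions; the function names are this example's own.

```python
"""Build and validate an EICAR anti-virus test file.

EICAR is platform-neutral: 68 bytes of printable ASCII that every AV engine
is expected to detect. This helper (added example, not from the thread)
generates the exact file and validates a copy against the format rules
published at eicar.org: the 68-character string, optionally followed only
by whitespace, with a total length of at most 128 bytes.
"""
import hashlib
import sys

# The standard 68-byte EICAR string (raw string keeps the backslash literal).
EICAR_STRING = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_BYTES = EICAR_STRING.encode("ascii")

# Published SHA-256 of the plain 68-byte file (assumed from eicar.org). Used to
# confirm a downloaded or hand-typed copy was not altered, e.g. by an editor
# converting line endings or appending a newline.
EXPECTED_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# Whitespace eicar.org allows after the string: space, tab, LF, CR, Ctrl-Z.
ALLOWED_TRAILING = b" \t\n\r\x1a"
MAX_LENGTH = 128


def eicar_sha256() -> str:
    """SHA-256 of the canonical 68-byte test file."""
    return hashlib.sha256(EICAR_BYTES).hexdigest()


def is_valid_eicar(data: bytes) -> bool:
    """True if data is a conforming EICAR test file."""
    if len(data) < len(EICAR_BYTES) or len(data) > MAX_LENGTH:
        return False
    if data[: len(EICAR_BYTES)] != EICAR_BYTES:
        return False
    # Iterating bytes yields ints; `int in bytes` tests for that byte value.
    trailing = data[len(EICAR_BYTES):]
    return all(b in ALLOWED_TRAILING for b in trailing)


def check_file(path: str) -> str:
    """Return a short verdict about the file at path for a scan-test checklist."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not is_valid_eicar(data):
        return "not a conforming EICAR test file"
    note = "exact" if data == EICAR_BYTES else "with trailing whitespace"
    return f"conforming EICAR test file ({note}, {len(data)} bytes)"


def write_eicar(path: str) -> None:
    """Write the exact 68-byte file in binary mode so no newline is appended."""
    with open(path, "wb") as fh:
        fh.write(EICAR_BYTES)


if __name__ == "__main__":
    # Usage: python eicar_check.py [path]; writes the file, then validates it.
    target = sys.argv[1] if len(sys.argv) > 1 else "eicar.com"
    write_eicar(target)
    print(check_file(target))
```

If the client's real-time protection is enabled the file will normally be quarantined the moment it is written, which is itself the result the test is looking for.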

Be Creative. Be IT

Hi Mick2009

I am looking for Linux-specific viruses/malware to test. Could you point out some websites or test files that contain Linux-specific viruses/malware?

Thanks.

Mick2009

Hi BCBIT,

I am honestly not aware of any. Eicar is what we recommend.


Be Creative. Be IT

I confirm that SAV for Linux is able to detect Microsoft Windows-specific viruses/malware/trojans. I tested it today against a few files containing known Windows-specific malware/viruses/trojans.

However, I am unable to test whether SAV for Linux is able to scan for Linux-specific threats, as up till now I have been unable to get hold of Linux-specific malware/trojans/viruses.

P.S.: I am using Ubuntu 12.10, kernel 3.5.0.21, 64-bit, US English, with SAV for Linux version 1.0.14.13. You will have to generate your own "Autoprotect" kernel modules.