Endpoint Protection

  • 1.  RHEL 6.4 rtvscand and autoprotect errors.

    Posted Oct 22, 2014 01:46 PM

    I am running Red Hat Enterprise Linux Server 6.4.  I have been trying to get Symantec to work with no progress.  My kernel version is 2.6.32-431.5.1.el6.x86_64, so after reading http://www.symantec.com/business/support/index?page=content&id=TECH101598 I went out and got the source to compile against my version (thanks for keeping your software up to date Symantec, you're only a few years behind).

    I extracted the source and realized I didn't have the utilities to build Symantec.  At that point I found the utilities in the rhel-6-server-optional-rpms branch.  I added that branch and then installed sharutils and ncompress.

    I ran the build and it of course failed.  I then found this link, https://www-secure.symantec.com/connect/forums/sav-savap-antivirus-centos-62. I went through the solution listed in the comments and was able to get the build to succeed.  At that point all of the builds and installs appeared to work fine.

    My build command was:  sudo ./build.sh --kernel-dir /lib/modules/$(uname -r)/build

    Once it finished I copied the new files over with: cp ./bin.ira/* /opt/Symantec/autoprotect/

    I then tried to restart autoprotect and rtvscand.

    Output of sudo /etc/init.d/autoprotect restart:

    Stopping AP: symap: module in use (symap: count=2)
    Starting AP: symev already loaded.
    symap already loaded.
    Setting major=246 from /proc/symap
     

    Output of sudo /etc/init.d/rtvscand restart:

    Stopping rtvscand:                                                   FAILED

    Starting rtvscand: .................................  (it eventually times out with a failed message.)

    I then took a look at /var/log/messages and get:

    rtvscand: --- rtvscand started (pid 8874) ---
    rtvscand: rtvscand running as daemon
    rtvscand: rtvscand shutdown -- was running  0:00
    rtvscand: --- rtvscand (pid 8874) has terminated ---
    symcfgd: subscriber 18 has left -- closed 1 remaining handles

     

    I tried some other commands hoping to get information about the state of the software or a specific error message.

    output of  sudo /opt/Symantec/symantec_antivirus/sav autoprotect -e:

    Unable to determine status of scanning daemon
     *** This command may not function correctly or may be delayed
     

    output of sudo /opt/Symantec/symantec_antivirus/sav info -a

    Unable to determine status of scanning daemon
     *** This command may not function correctly or may be delayed
    Could not contact rtvscan - AutoProtect probably disabled
     

    output of sudo  /opt/Symantec/symantec_antivirus/sav manualscan -s /home/

    Unable to query value MaxInput
    Unable to determine status of scanning daemon
     *** This command may not function correctly or may be delayed
     

    When I do a ps aux the only Symantec entry listed is:

    /opt/Symantec/symantec_antivirus/symcfgd -l info

    I was able to copy the virus definitions on the system and when I ran the definitions script it updated the definitions and exited with a success message.

    I eventually need to get the autoprotect running, but in the near term I at least have to get a manual scan working so I can scan the EICAR file and make sure the installation is working.  Can anyone point me toward a solution?

    Thanks.



  • 2.  RE: RHEL 6.4 rtvscand and autoprotect errors.

    Posted Oct 22, 2014 02:06 PM

    What SAVFL version is this? Have you tried the latest SEP for Linux?

    Symantec™ Endpoint Protection 12.1.5 for Linux Client Guide



  • 3.  RE: RHEL 6.4 rtvscand and autoprotect errors.

    Broadcom Employee
    Posted Oct 22, 2014 02:08 PM

    Hi,

    The enterprise version of Symantec Endpoint Protection now includes the Symantec Endpoint Protection client for Linux. The Symantec Endpoint Protection client for Linux replaces the Symantec AntiVirus client for Linux and supports a greater range of distributions and kernels. Added distributions include Red Hat Enterprise Linux Server (RHEL) 6.5 and CentOS 6.5.

    SEP for Linux clients can now be managed by an RU5 SEPM, or later. Configuration enhancements have been made to the SEPM to allow policy creation for managed Linux clients. This includes AV policy settings, centralized exceptions, and LiveUpdate settings. The SEPM also features enhanced reporting for Linux clients, including the SEP client version, host OS details, and hardware details.

    The mentioned kernel version is supported with the latest version.

    Migration Paths:

    Symantec Endpoint Protection adds support for Linux as of 12.1.5. You can only migrate Symantec AntiVirus for Linux 1.0.14 directly to the Symantec Endpoint Protection client for Linux 12.1.5.

    You must uninstall all earlier versions of Symantec AntiVirus for Linux first.

    You do not need to uninstall Symantec AntiVirus for Linux Reporter before you install the Symantec Endpoint Protection client for Linux.

     




  • 4.  RE: RHEL 6.4 rtvscand and autoprotect errors.

    Posted Oct 22, 2014 03:19 PM

    The file I downloaded from the Symantec site and compiled this morning is: Symantec_Endpoint_Protection_12.1.5_Linux_Client_EN.zip

    Is there a different file I was supposed to get?  The instructions in the posted guide only say to get it from a manager program; it didn't have any obvious reference to a manual installation procedure for RHEL 6.4.

    I will try completely wiping it from my system in case an old installation is corrupting the new one, but the old installation was Endpoint Protection also, just a year older version.  Note: it didn't work either.



  • 5.  RE: RHEL 6.4 rtvscand and autoprotect errors.

    Posted Oct 22, 2014 03:42 PM

    That's the correct one, just wanted to verify.



  • 6.  RE: RHEL 6.4 rtvscand and autoprotect errors.

    Posted Oct 24, 2014 01:12 PM

    UPDATE:

    I completely wiped Symantec from my system and then followed this guide:

    https://www-secure.symantec.com/connect/articles/how-install-symantec-endpoint-protection-1215-supported-linux-operating-systems

    Once I got the Oracle version of Java installed the rest seems to have worked; now I just have to figure out how to get the update and license files working so it will get the AV definitions.