
Symantec Endpoint Protection 14.3 RU3 for Linux Client Guide
September 2021
14.3 RU3

Table of Contents

Copyright statement ........................................................................ 3
Protecting Linux devices with Symantec Endpoint Protection ................................. 4
    About the Symantec Agent for Linux ..................................................... 4
    Symantec Agent for Linux system requirements ........................................... 4
    Installing the Symantec Linux Agent or the Symantec Endpoint Protection client for Linux  4
    Getting started on the Linux agent ..................................................... 7
    Upgrading the Symantec Linux Agent ..................................................... 8
    Updating the kernel modules for the Symantec Linux Agent ............................... 8
    Managing your Linux client using the command line tool (sav) ........................... 9
    Troubleshooting the Symantec Linux Agent .............................................. 11
    Uninstalling the Symantec Linux Agent or the Symantec Endpoint Protection client for Linux 11

Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

Copyright 2021 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

Protecting Linux devices with Symantec Endpoint Protection

About the Symantec Agent for Linux

Symantec Agent for Linux protects your Linux devices from malware threats, risks, and vulnerabilities. It proactively secures your Linux devices against known and unknown malware.

The antimalware features consist of Antimalware (AMD), which protects your Linux devices from malicious software such as viruses, spyware, and ransomware, and Auto-Protect (AP), which detects malicious threats when an application is launched.

Symantec recommends that you keep Auto-Protect enabled to ensure real-time protection. Any malware that is detected is immediately quarantined. If you disable Auto-Protect, you can still detect malware using an on-demand scan.

Symantec Agent for Linux system requirements

This section includes the system requirements for the most current version.

For the system requirements for earlier versions of Symantec Endpoint Protection, or for the most current version of these system requirements, see the following webpage: Release notes, new fixes, and system requirements for all versions of Endpoint Protection

Table 1: Symantec Agent for Linux system requirements

Component          Requirements
Hardware           Intel Pentium 4 (2 GHz) or later processor
                   500 MB of free RAM (4 GB of RAM is recommended)
                   2 GB available disk space if /var, /opt, and /tmp share the same filesystem/volume
                   500 MB available disk space in each of /var, /opt, and /tmp if on different volumes
Operating systems  Amazon Linux 2
                   CentOS 6, 7, 8
                   Debian 9, 10
                   Oracle Enterprise Linux 6, 7, 8
                   Red Hat Enterprise Linux 6, 7, 8
                   SuSE Linux Enterprise Server 12.x, 15.x
                   Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS
                   For a list of supported operating system kernels, see Supported Linux kernels for Symantec Endpoint Protection.

Installing the Symantec Linux Agent or the Symantec Endpoint Protection client for Linux

(For 14.3 RU1 and later)

You install Symantec Linux Agent directly on a Linux device. You cannot deploy the Linux agent from Symantec Endpoint Protection Manager remotely.

To install Symantec Linux Agent, create an installation package in Symantec Endpoint Protection Manager, transfer the installation package to a Linux device, and then run the installer. The installer configures the new agent and registers it with Symantec Endpoint Protection Manager.

NOTE
Symantec Linux Agent 14.3 RU1 and later cannot run as an unmanaged client. All management tasks must be performed in Symantec Endpoint Protection Manager or in the cloud console.

(For 14.3 RU1 and later) To install the Symantec Linux Agent:

1. In Symantec Endpoint Protection Manager, create and download the installation package.

2. Put the package on a network share, USB device, or other share mechanism.
   If the devices where you want to install the Linux agent are in an isolated network or do not have Internet access, configure a local repository. See: Creating a local repository

3. Install the Linux agent in one of the following ways:

   If you transferred the package to the Linux device:
     1. Navigate to the folder location and run the following command to make the LinuxInstaller file executable:
            chmod u+x LinuxInstaller
     2. Run the following command to install the agent:
            ./LinuxInstaller

   If you configured a local repository:
     1. Run the following command:
            ./LinuxInstaller -- --local-repo <LOCAL Repository URL>
        For example:
            ./LinuxInstaller -- --local-repo https://your-domain.com/sep_linux_agent/14_3RU3

   You must run the command as root. To view the list of installation options, run ./LinuxInstaller -h.

4. To verify the installation, navigate to /usr/lib/symantec and run ./status.sh to confirm that the modules are loaded and daemons are running:

       ./status.sh
       Symantec Agent for Linux Version: 14.3.450.1000
       Checking Symantec Agent for Linux (SEPM) status.
       Daemon status:
       sisamdagent    running
       sisipsagent    running
       Module status:
       sisevt         loaded
       sisap          loaded

   Note that communication status is only available for cloud-managed clients.

(For 14.3 MP1 and earlier)

You install an unmanaged or managed Symantec Endpoint Protection client directly on a Linux computer. You cannot deploy the Linux client from Symantec Endpoint Protection Manager remotely. The installation steps are similar whether the client is unmanaged or managed.

The only way to install a managed client is with an installation package that you create in Symantec Endpoint Protection Manager. You can convert an unmanaged client to a managed client at any time by importing client-server communication settings into the Linux client.
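The status.sh output above is easy to eyeball once, but a provisioning or upgrade script needs a pass/fail answer. The following is an added example, not code from the Symantec guide: it parses that output and fails when any daemon is not "running" or any module is not "loaded". It assumes the layout reconstructed from the guide's sample (a "Daemon status:" section and a "Module status:" section, each with "<name> <state>" lines); SEP_STATUS_SCRIPT and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Symantec guide: turn status.sh output into a
# pass/fail check for post-install and post-upgrade scripts. Assumes the
# "Daemon status:" / "Module status:" layout shown in the guide's sample.
# SEP_STATUS_SCRIPT is this example's own override variable.

# Reads status.sh output on stdin. Returns 0 when every daemon is "running"
# and every module is "loaded"; otherwise reports each problem and returns 1.
check_status_output() {
    section=""
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "Daemon status:"*) section=daemon; continue ;;
            "Module status:"*) section=module; continue ;;
        esac
        [ -n "$section" ] || continue          # skip the version/banner lines
        set -- $line                            # split "<name> <state> ..."
        [ $# -ge 2 ] || continue
        name=$1
        state=$2
        case "$section:$state" in
            daemon:running|module:loaded) ;;
            daemon:*) echo "daemon $name is $state (expected running)" >&2; rc=1 ;;
            module:*) echo "module $name is $state (expected loaded)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Runs the real status.sh from its own directory, as the guide does, and
# pipes it through the parser. Returns 2 when the script is absent so a
# caller can tell "agent not installed" from "agent unhealthy".
check_agent() {
    script=${SEP_STATUS_SCRIPT:-/usr/lib/symantec/status.sh}
    if [ ! -x "$script" ]; then
        echo "$script not found: agent not installed?" >&2
        return 2
    fi
    (cd "$(dirname "$script")" && "./$(basename "$script")") | check_status_output
}

# Constructed samples mirroring the guide's output, so the parser can be
# exercised on a machine without the agent.
SAMPLE_HEALTHY='Symantec Agent for Linux Version: 14.3.450.1000
Checking Symantec Agent for Linux (SEPM) status.
Daemon status:
sisamdagent    running
sisipsagent    running
Module status:
sisevt         loaded
sisap          loaded'

SAMPLE_BROKEN='Daemon status:
sisamdagent    stopped
sisipsagent    running
Module status:
sisevt         loaded
sisap          not loaded'

# Stand-alone use: check the constructed sample, then the live agent if present.
if printf '%s\n' "$SAMPLE_HEALTHY" | check_status_output; then echo "sample: healthy"; fi
if check_agent; then echo "agent: healthy"; fi
```

Wire check_agent into the step that follows the installer: exit code 0 means the modules are loaded and the daemons are running, 1 means the agent installed but something is down (the offending lines are on stderr), and 2 means status.sh is missing, which usually means the installer never ran.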

If the Linux operating system kernel is incompatible with the pre-compiled Auto-Protect kernel module, the installer tries to compile a compatible Auto-Protect kernel module. The auto-compile process launches automatically if it is needed. However, the installer might be unable to compile a compatible Auto-Protect kernel module. In this case, Auto-Protect installs but is disabled. For more information, see: Supported Linux kernels for Symantec Endpoint Protection

NOTE
You must have superuser privileges to install the Symantec Endpoint Protection client on the Linux computer. The procedure uses sudo to demonstrate this elevation of privilege.

(For 14.3 MP1 and earlier) To install the Symantec Endpoint Protection client for Linux:

1. Copy the installation package that you created to the Linux computer. The package is a .zip file.

2. On the Linux computer, open a terminal application window.

3. Navigate to the installation directory with the following command:
       cd /directory/
   Where directory is the name of the directory into which you copied the .zip file.

4. Extract the contents of the .zip file into a directory named tmp with the following command:
       unzip "InstallPackage" -d sepfiles
   Where InstallPackage is the full name of the .zip file, and sepfiles represents a destination folder into which the extraction process places the installation files. If the destination folder does not exist, the extraction process creates it.

5. Navigate to sepfiles with the following command:
       cd sepfiles

6. To correctly set the execute file permissions on install.sh, use the following command:
       chmod u+x install.sh

7. Use the built-in script to install Symantec Endpoint Protection with the following command:
       sudo ./install.sh -i
   Enter your password if prompted. This script initiates the installation of the Symantec Endpoint Protection components.

   The default installation directory is as follows:
       /opt/Symantec/symantec_antivirus
   The default work directory for LiveUpdate is as follows:
       /opt/Symantec/LiveUpdate/tmp

   The installation completes when the command prompt returns. You do not have to restart the computer to complete the installation.

(For 14.3 MP1 and earlier) To verify the client installation, click or right-click the Symantec Endpoint Protection yellow shield and then click Open Symantec Endpoint Protection. The location of the yellow shield varies by Linux version. The client user interface displays information about program version, virus definitions, server connection status, and management.

Getting started on the Linux agent

The Symantec Endpoint Protection Manager administrator may have enabled you to configure the settings on the Linux agent.

Table 2: Steps to get started on the Linux agent (for 14.3 RU1 and later)

Step 1  Install the Symantec Agent for Linux.
        The administrator provides you with the installation package for a managed client or sends you a link by email to download it. See: Installing the Symantec Linux Agent or the Symantec Endpoint Protection client for Linux

Step 2  Check that the Linux agent communicates with the Symantec Endpoint Protection Manager or cloud console.
        To confirm the connection to Symantec Endpoint Protection Manager or cloud console, you can run the following command:
            /usr/lib/symantec/status.sh

Step 3  Verify that Auto-Protect is running.
        To check the status of Auto-Protect, run the following command:
            cat /proc/sisap/status

Step 4  Check that the definitions are up to date.
        LiveUpdate definitions are available at the following location: …ons/

Table 3: Steps to get started on the Linux client (for 14.3 MP1 and earlier)

Step 1  Install the Linux client.
        The Symantec Endpoint Protection Manager administrator provides you with the installation package for a managed client or sends you a link by email to download it. You can also install an unmanaged client, which does not communicate with Symantec Endpoint Protection Manager in any way. The primary computer user must administer the client computer, update the software, and update the definitions. You can convert an unmanaged client to a managed client. See: Installing the Symantec Linux Agent or the Symantec Endpoint Protection client for Linux

Step 2  Check that the Linux client communicates with Symantec Endpoint Protection Manager.
        Double-click the Symantec Endpoint Protection shield. If the client successfully communicates with Symantec Endpoint Protection Manager, then server information displays under Management, next to Server. If you see Offline, then contact the Symantec Endpoint Protection Manager administrator. If you see Self-managed, then the client is unmanaged. The shield icon also indicates both the management and the communication status.

Step 3  Verify Auto-Protect is running.
        Double-click the Symantec Endpoint Protection shield. Auto-Protect's status displays under Status, next to Auto-Protect. You can also check the status of Auto-Protect through the command-line interface:
            sav info -a

Step 4  Check that the definitions are up to date.
        LiveUpdate automatically launches after installation is complete. You can verify that definitions are updated when you double-click the Symantec Endpoint Protection shield. The date of the definitions displays under Definitions. By default, LiveUpdate for the Linux client runs every four hours. If the definitions appear outdated, you can click LiveUpdate to run LiveUpdate manually. You can also use the command-line interface to run LiveUpdate:
            sav liveupdate -u

Step 5  Run a scan.
        By default, the managed Linux client scans all files and folders daily at 12:30 A.M. However, you can launch a manual scan using the command-line interface:
            sav manualscan -s pathname
        Note: The command to launch a manual scan requires superuser privileges.

More information
Symantec Endpoint Protection for Linux Frequently Asked Questions (SEP for Linux FAQ)

Upgrading the Symantec Linux Agent

(For 14.3 RU1 and later)

As of version 14.3 RU1, the Linux client installer detects and uninstalls the legacy Linux client (earlier than 14.3 RU1) and then performs a fresh install. Old configurations are not retained.

To upgrade the Symantec Linux Agent:

1. In Symantec Endpoint Protection Manager, create and download the installation package.

2. Copy the downloaded package to the Linux device.

3. Navigate to the folder location and run the following command to make the LinuxInstaller file executable:
       chmod u+x LinuxInstaller

4. Run the following command to uninstall the existing agent and re-install the Symantec Linux Agent:
       ./LinuxInstaller
   Run the command as root.

5. To verify the installation, navigate to /usr/lib/symantec and run the ./status.sh script to confirm that the modules are loaded and daemons are running:

       ./status.sh
       Symantec Agent for Linux Version: 14.3.450.1000
       Checking Symantec Agent for Linux (SEPM) status.
       Daemon status:
       sisamdagent    running
       sisipsagent    running
       Module status:
       sisevt         loaded
       sisap          loaded

Updating the kernel modules for the Symantec Linux Agent

(For 14.3 RU1 and later)

Whenever a new Linux kernel update is released, the Symantec Linux Agent for that platform needs to be updated to support the new kernel. To make the process more efficient, the kernel modules of the Linux agent can now be updated by using the Linux repository.

NOTE
Ensure that the agents can connect to the Symantec repository server (https://linuxrepo.us.securitycloud.symantec.com/) to download the kernel module updates.

Whenever you run the yum update command on a RHEL, Amazon Linux, Oracle Linux, or CentOS system, the command also looks for new agent packages. If an update is available, the latest kernel module is downloaded and the agent is updated automatically. After the kernel module is updated, you must restart the instance for the update to take effect.

Alternatively, you can update the agent kernel module by running the following command in the instance. Open a terminal window with root privileges, navigate to /usr/lib/symantec/, and run the following command:
    /usr/lib/symantec/installagent.sh --update-kmod

For Ubuntu systems, type the following commands:

1. To refresh and update the local package database:
       sudo apt-get clean
       sudo apt-get update

2. To upgrade to the latest kernel module:
       /usr/lib/symantec/installagent.sh --update-kmod
   Superuser privileges are required to perform this action.

In a restricted environment with no Internet connection, you can update the kernel modules in one of the following ways:

1. Manually transfer the latest KMOD package to a system that has no Internet connection, attach the KMOD package to the LinuxInstaller, and then run the LinuxInstaller.

   1. On a system that has an Internet connection, download the KMOD package:
          ./LinuxInstaller -d
   2. Manually copy the KMOD package to the agent that you want to upgrade.
   3. List the attached packages:
          ./LinuxInstaller -l
   4. Attach the new KMOD package to the LinuxInstaller (the tarball is appended to the installer file):
          tar czf - [KMOD-package-name] >> LinuxInstaller
   5. Make sure that the new KMOD package is included in the list of attached packages:
          ./LinuxInstaller -l
   6. Run the installer to update the kernel modules:
          ./LinuxInstaller -- --update-kmod

2. Set up a local repository and edit the repository settings so that the agent uses the local repository instead of the default Symantec repository.

   1. Set up the local repository that hosts the KMOD packages. For information about how to create a local repository, refer to the documentation of the Linux distribution that you are using.
   2. On the client computer, run the following command to redirect it to use the local repository:
          ./LinuxInstaller --local-repo <localrepo url>
      Example of the URL:
          --local-repo 'http://<repo ip or hostname>:<port optional>/sep_linux'
   3. To update the KMOD, run:
          ./LinuxInstaller -- --update-kmod

If you update the operating system kernel, you must also apply the corresponding kernel module update for the Symantec Endpoint Protection client. Without the compatible kernel modules, the Symantec Endpoint Protection client may not work properly and some features may be disabled.

Managing your Linux client using the command line tool (sav)

(For 14.3 RU2 and later)

The Linux client command line tool lets you control and check on your Linux client.

To manage your Linux client using the command line tool:

1. On a Linux client computer, navigate to the following location:
       /opt/Symantec/sdcssagent/AMD/tools

2. Run the sav command as follows:
       ./sav [options] command

Table 4: Options for sav

-q  (as of 14.3 RU2)
    Quiet.

-h  (as of 14.3 RU2)
    Displays available options and commands for sav.

Table 5: Commands for sav

autoprotect -e  (as of 14.3 RU2)
    Enables Auto-Protect. To check the Auto-Protect status, run the following command:
        [root@<host> tools]# cat /proc/sisap/status | grep -i MODE
    The reply can be one of the following:
        mode ENA (if enabled)
        mode DIS (if disabled)

autoprotect -d  (as of 14.3 RU2)
    Disables Auto-Protect.

info -d  (as of 14.3 RU3)
    Shows the version and date of the current virus and security risk definitions in use on the device.

info -e  (as of 14.3 RU3)
    Shows the version of the scan engine in use on the device.

info -p  (as of 14.3 RU3)
    Shows the Symantec Agent version in use on the device.

info -a  (as of 14.3 RU3)
    Shows the status of Auto-Protect on the device.

liveupdate -u  (as of 14.3 RU3)
    Runs LiveUpdate immediately.

manage -i <file>  (as of 14.3 RU2)
    Imports the sylink.xml file to the specified location.

manualscan -s <file list>  (as of 14.3 RU3)
    Starts a manual scan. <file list> specifies the file and directory list to scan. To specify this list, type a list of files and directories separated by line feeds and ending with an end-of-file signal, such as CTRL-D. If a directory is specified, all subdirectories are also scanned. Wildcard characters are supported.
    By default, the maximum number of items that can be added to a manual scan that is started from the command line interface is 100. You can use symcfg to change the DWORD value of VirusProtect6MaxInput to increase this limit. To remove the limit entirely, set the value of VirusProtect6MaxInput to 0.
    If you specify a hyphen (-) instead of a list of files and directories, then the list of path names is read from standard input. You can use commands that produce a list of files or path names separated by line feeds. Submitting a very long list of items to this command can negatively affect performance. Symantec recommends that you limit lists to a maximum of a few thousand items.

manualscan -t  (as of 14.3 RU3)
    Stops a manual scan that is in progress.
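Two of the checks in this guide lend themselves to scripting: reading the Auto-Protect state from /proc/sisap/status (Table 2, step 3, and the autoprotect -e entry in Table 5), and feeding a path list to manualscan -s - without tripping the default 100-item limit described above. The block below is an added example, not Symantec's code. SAV_CMD, SISAP_STATUS, the batch-size argument and the "mode ENA"/"mode DIS" parsing are this example's own assumptions drawn from the guide's text; sav itself must be run as root.

```shell
#!/bin/sh
# Added example, not Symantec's code: helpers around the sav tool from Table 5.
# SAV_CMD and SISAP_STATUS are this example's own variables; they default to
# the paths the guide gives and can be pointed at stubs for testing.
SAV_CMD=${SAV_CMD:-/opt/Symantec/sdcssagent/AMD/tools/sav}
SISAP_STATUS=${SISAP_STATUS:-/proc/sisap/status}
NL='
'

# Auto-Protect check from Table 2 step 3 and the autoprotect -e entry:
# 'cat /proc/sisap/status | grep -i MODE' answers "mode ENA" or "mode DIS".
# Prints enabled/disabled; prints unknown and returns 1 if neither is found.
autoprotect_mode() {
    mode=$(grep -i 'mode' "$SISAP_STATUS" 2>/dev/null | awk '{ print toupper($2) }' | head -n 1)
    case "$mode" in
        ENA) echo enabled ;;
        DIS) echo disabled ;;
        *)   echo unknown; return 1 ;;
    esac
}

# Manual scan of a path list read on stdin (one path per line), submitted via
# 'sav manualscan -s -' in batches of at most $1 items (default 100, the
# guide's default VirusProtect6MaxInput limit) so no single invocation
# exceeds it. Prints the number of batches submitted; returns 1 as soon as a
# batch fails. Blank lines are ignored.
batched_manualscan() {
    limit=${1:-100}
    batches=0
    count=0
    batch=""
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        batch="$batch$path$NL"
        count=$((count + 1))
        if [ "$count" -ge "$limit" ]; then
            printf '%s' "$batch" | "$SAV_CMD" manualscan -s - || return 1
            batches=$((batches + 1))
            count=0
            batch=""
        fi
    done
    if [ "$count" -gt 0 ]; then
        printf '%s' "$batch" | "$SAV_CMD" manualscan -s - || return 1
        batches=$((batches + 1))
    fi
    echo "$batches"
}

# Stand-alone use: report the Auto-Protect mode. A typical scan call would be
#   find /srv/www -type f | batched_manualscan 100
echo "Auto-Protect: $(autoprotect_mode)"
```

If you raise VirusProtect6MaxInput with symcfg, pass the new limit as the first argument; the guide's advice to keep lists to a few thousand items still applies to the total across batches, since each batch is a separate scan job.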

Troubleshooting the Symantec Linux Agent

In the table below you find the resources for troubleshooting the Symantec Linux Agent (as of 14.3 RU1).

Checking the status of the agent
    To check the version and connection status of the agent and to confirm that the modules are loaded and daemons are running, navigate to /usr/lib/symantec and run the following command:
        ./status.sh

Checking the versions of the agent packages
    Navigate to /usr/lib/symantec and run the following command:
        ./version.sh

Viewing the logs
    You find the Symantec Linux Agent logs at the following locations:
    - AMD log - provides information related to scanning.
        /var/log/sdcsslog/amdlog
    - CAF log - provides information related to agent activities such as communication with the server, enrollment, commands, events, etc.
        /var/log/sdcss-caflog/
    - Agent log - provides information related to agent activities.
        /var/log/sdcsslog/SISIDSEvents*.csv
    - CVE log - provides information related to communication between Symantec Endpoint Protection Manager and the agent.
        /var/log/sdcss-caflog/cve.log

Collecting the logs into a zip file
    You can use the GetAgentInfo script to collect all log files into a ZIP file that you can send to customer support.
    1. Log in to the Symantec Linux Agent system.
    2. Navigate to /opt/Symantec/sdcssagent/IPS/tools/.
    3. Run ./getagentinfo.sh as root.
    4. A ZIP file is created in the /tmp/ directory. The name of the file looks similar to 20201208_184935_0001_CU_mihsan-rhel8.zip.
    The -out <directory> option lets you change the location and the name of the generated ZIP file.

Changing the CVE logging level
    By default, the CVE logging level is info. You can change the logging level to debug in the /opt/Symantec/cafagent/bin/log4j.properties file. After changing the file, you must restart the cafagent service.

Changing the AMD logging level
    By default, the AMD logging level is info. You can change the logging level to trace, to warning, or to error in the AntiMalware.ini file.
    Note: Before you modify the AntiMalware.ini file, stop the sisamdagent service:
        service sisamdagent stop
    After you modify the file, restart the service:
        service sisamdagent start

Uninstalling the Symantec Linux Agent or the Symantec Endpoint Protection client for Linux

You uninstall the Symantec Endpoint Protection client for Linux with the script that the installation provides.

NOTE
You must have superuser privileges to uninstall the Symantec Endpoint Protection client on the Linux computer. The procedure uses sudo to demonstrate this elevation of privilege.

(For 14.3 RU1 and later) To uninstall the Symantec Linux Agent:

1. On the Linux computer, open a terminal application window.

2. Navigate to the following directory:
       /usr/lib/symantec/

3. Run the following built-in script to uninstall Symantec Agent for Linux:
       ./uninstall.sh

4. Reboot the computer after the uninstallation finishes and the reboot prompt appears.

Note that the uninstall.sh script removes all components of Symantec Agent for Linux (sdcss-caf, sdcss-sepagent, and sdcss-kmod).

    [root@<host> symantec]# ./uninstall.sh
    Running ./uninstall.sh (PWD /usr/lib/symantec; version 2.2.4.41)
    Uninstalling Symantec Agent for Linux (SEPM) .
    Removing packages sdcss-caf sdcss-sepagent sdcss-kmod sdcss-scripts
    Symantec Agent for Linux (SEPM) uninstalled successfully.
    A reboot is required to complete uninstallation.
    Please reboot your machine at the earliest convenience.

(For 14.3 MP1 and earlier) To uninstall the Symantec Endpoint Protection client for Linux:

1. On the Linux computer, open a terminal application window.

2. Navigate to the Symantec Endpoint Protection installation folder with the following command:
       cd /opt/Symantec/symantec_antivirus
   The path is the default installation path.

3. Use the built-in script to uninstall Symantec Endpoint Protection with the following command:
       sudo ./uninstall.sh
   Enter your password if prompted. This script initiates the uninstallation of the Symantec Endpoint Protection components.

4. At the prompt, type Y and then press Enter. Uninstallation completes when the command prompt returns.

NOTE
On some operating systems, if the only contents of the /opt folder are the Symantec Endpoint Protection client files, the uninstaller script also deletes /opt. To recreate this folder, enter the following command:
    sudo mkdir /opt

To uninstall using a package manager or software manager, see the documentation specific to your Linux distribution.
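The uninstall output above names the packages that uninstall.sh removes and asks for a reboot before the kernel modules are actually gone. The following is an added example, not part of the Symantec guide: after the reboot it confirms that none of those packages (sdcss-caf, sdcss-sepagent, sdcss-kmod, sdcss-scripts) is still installed and that the sisap and sisevt modules are no longer loaded. PKG_QUERY and LSMOD_CMD are this example's own variables so the checks can be pointed at stubs; by default it queries rpm where available and dpkg otherwise, and reads lsmod.

```shell
#!/bin/sh
# Added example, not from the Symantec guide: verify that the uninstall
# completed. Checks that the packages uninstall.sh removes are no longer
# installed and that the agent kernel modules are no longer loaded (only
# expected after the reboot the script asks for). PKG_QUERY and LSMOD_CMD
# are this example's own override variables.

SEP_PACKAGES="sdcss-caf sdcss-sepagent sdcss-kmod sdcss-scripts"
SEP_MODULES="sisap sisevt"

# Returns 0 if the named package is installed, 1 if not. Uses rpm on the
# RPM-based distributions in Table 1 and dpkg on Debian/Ubuntu.
pkg_installed() {
    if [ -n "$PKG_QUERY" ]; then
        $PKG_QUERY "$1" >/dev/null 2>&1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q "$1" >/dev/null 2>&1
    else
        dpkg -s "$1" >/dev/null 2>&1
    fi
}

# Reads lsmod-style output on stdin ("Module Size Used by" header, then
# "<name> <size> <users>") and prints the SEP module names still loaded.
loaded_sep_modules() {
    awk -v mods="$SEP_MODULES" '
        BEGIN { n = split(mods, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        NR > 1 && ($1 in want) { print $1 }'
}

# Overall check: prints each leftover and returns 1 if anything remains,
# 0 when the system is clean.
verify_uninstall() {
    rc=0
    for p in $SEP_PACKAGES; do
        if pkg_installed "$p"; then
            echo "package still installed: $p"
            rc=1
        fi
    done
    left=$(${LSMOD_CMD:-lsmod} 2>/dev/null | loaded_sep_modules)
    for m in $left; do
        echo "kernel module still loaded: $m"
        rc=1
    done
    return $rc
}

# Stand-alone use.
if verify_uninstall; then echo "uninstall verified: no SEP packages or modules remain"; fi
```

A non-zero result before the reboot is expected for the kernel modules; a package still reported afterwards means the removal step in uninstall.sh did not complete and the package manager should be consulted directly, as the last paragraph above suggests.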
