Symantec Endpoint Protection Download Mac

Posted on  by

  1. Symantec Endpoint Protection Macos Catalina Download
  2. Symantec Endpoint Protection Mac Firewall
  3. Symantec Endpoint Protection Download Mac
  4. Symantec Endpoint Protection Definitions Download For Mac

. Symantec Endpoint Protection may run an initial scan of the system files shortly after the installation has completed. This is not a full scan of the entire Mac. In some cases, the com.symantec.mes.systemextension process may get stuck when it first starts after the update, and this will cause the fans on your Mac to run at full speed. Windows symantec endpoint protection free download - Symantec Endpoint Protection, Symantec Endpoint Protection Small Business Edition, Endpoint Protection, and many more programs. The users receive the URL in an email to download the package and install the. Symantec Endpoint Protection. Symantec Endpoint Protection Manager. Mac clients automatically prompt a restart when installation completes. Linux clients do not require a restart. Restarting the client computers from. Symantec Endpoint Protection Manager.

The following are required for the SEP for Mac client to properly function:

  1. Permission to install Kernel Extensions (required as of macOS 10.13)
  2. Permission to install System Extensions (new in macOS 10.15)
  3. Enable Full Disk Access or FDA (new in macOS 10.15)

NOTE: you should apply only the permissions required by that version of macOS, e.g. apply only the kernel extension permissions to macOS 10.14 or older, and apply other permissions only when that has been upgraded to 10.15. See Endpoint Protection re-prompts user to authorize system extensions after macOS upgrade to 10.15

Other related articles:

  • Endpoint Protection for Mac reports 'Full Disk Access is not enabled'.


There are example screenshots below from Jamf for configuring pre-authorization of these three permissions. First screenshot shows system extension whitelisting using Team ID and Bundle ID. Second screenshot shows how to give FDA rights to SEP system extension. These steps will need to be repeated for both the Symantec and Broadcom Bundle and Team IDs to accommodate a range of SEP versions that may be in your environment.

SEP VersionBundle IDTeam ID
Up to 14.3com.symantec.mes.systemextension 9PTGMPNXZ2
14.3 and newer com.broadcom.mes.systemextension Y2CCP3S9W7


Attached also are examples of *.mobileconfig files (unsigned XML) with the correct settings that can be imported into Jamf or other macOS MDM tool. There are two config files, one each for the Symantec and Broadcom Bundle and Team IDs. When troubleshooting profile policy errors it is sometimes helpful to export the unsigned policy XML from your Jamf managment console and compare it with these attachments.

In Symantec Endpoint Protection (SEP) 14.1. (14.1 ) and later, you have at least two options for downloading LiveUpdate (LU) content to Symantec Endpoint Protection clients for Mac and Linux.

Note: Linux client support is added with Symantec Endpoint Protection 12.1.5 and is only available starting with that release.

  1. Use Symantec LiveUpdate Administrator 2.x (LUA 2.x). This is the best option for installations with larger numbers of Mac and/or Linux computers.
  2. For smaller installations, you can configure the Apache web server as a reverse proxy. This enables the Apache web server installed along with Symantec Endpoint Protection Manager (SEPM) to download and cache the LU content for Mac and Linux clients locally whenever new content is published. This configuration results in saving of external network bandwidth.

Below are the instructions to set up the Apache web server in Symantec Endpoint Protection Manager to allow Symantec Endpoint Protection clients for Mac and Linux to download LiveUpdate (LU) content by the webserver. Please note that this solution enables Symantec Endpoint Protection Manager to act as a cache: it does not process Mac or Linux definitions into .dax files as it does with Windows definitions. It does not enable Symantec Endpoint Protection clients for Mac or Linux to update from a Group Update Provider (GUP).

Note: You can only make these configuration changes on the enterprise version of Symantec Endpoint Protection. These instructions do not apply to Symantec Endpoint Protection Small Business Edition 12.1 (SEP SBE).

Configure the Apache web server in Symantec Endpoint Protection Manager

Take the following steps to configure Apache web server to serve as a reverse proxy:

  1. Stop semwebsrv (Symantec Endpoint Protection Manager Webserver) and semsrv (Symantec Endpoint Protection Manager).
  2. Create a folder called cache-root in the Apache folder of your Symantec Endpoint Protection Manager installation directory, e.g.
    SEPM_Installapachecache-root
    The default path of SEPM_Install is as follows:
    Ensure that the account running Symantec Endpoint Protection Manager Webserver has full control of SEPM_Installapachecache-root.
    • 64-bit systems: C:Program Files (x86)SymantecSymantec Endpoint Protection Manager
    • 32-bit systems: C:Program FilesSymantecSymantec Endpoint Protection Manager (12.1.x only)
  3. Verify if the following files are present in the folder apachemodules:

    If the files are not present, copy the files from the downloaded installation folder or DVD from ToolsApache-ReverseProxy to SEPM_Installapachemodules. Refer to the section Security and Compatibility for more details.

    • mod_cache.so
    • mod_cache_disk.so (12.1.5 and later)
    • mod_proxy.so
    • mod_proxy_http.so
    • mod_setenvif.so
  4. To make a backup of the original configuration file, navigate to SEPM_Installapacheconf, and then copy httpd.conf to httpd-orig.conf.
  5. Make the following changes to httpd.conf:
    • Locate the following line, and add the character # to comment it out, as shown:
      #AsyncSendFile anydirectory
    • Locate the following lines and remove the character # to uncomment them, and make the following change, where SEPM_Install is the actual path of your Symantec Endpoint Protection Manager installation (use forward slashes).
      AsyncSendFile givendirectory
      ForceAsyncSendFile 'SEPM_Install/Inetpub/content'
    • Optionally, to add cache logging, search for the following line in httpd.conf:
      LogFormat '%h %l %u %t '%r' %>s %b' common
      ... and replace it with:
      LogFormat '%h %l %u %t %{cache-status}e '%r' %>s %b' common
    • Add the following lines to the end. Replace SEPM_Install in the text below with the actual path of your Symantec Endpoint Protection Manager installation.
      For 12.1.5 and later:
      Note: Red text indicates file names that have changed from the version of Apache included with 12.1.4. If you previously implemented this functionality for 12.1.4, you only need to update the changed file names in httpd.conf.
  6. Save and then close the file.
  7. Start semwebsrv (Symantec Endpoint Protection Manager Webserver) and semsrv (Symantec Endpoint Protection Manager).
Download

To test that the proxy server is running by downloading an LU file, click Start > Run, and then enter http://localhost:8014/luproxy/masttri.zip. If your Symantec Endpoint Protection Manager Apache web server uses a different port than 8014, replace 8014 with your actual port number in the above URL.

Note: While the massttri.zip file is requested via a local URL address, the request is passed to Symantec's public LiveUpdate server. Make sure that the connection to LiveUpdate web domains can be established from the Symantec Endpoint Protection Manager server according to TECH102059. The reverse proxy also requires a direct connection to Symantec's LiveUpdate servers - it cannot itself go through another proxy.

The LU download requests to the Apache web server are logged in a separate log file, located in SEPM_Installapachelogsaccess-%Z.log.

Update LiveUpdate policy for Mac and Linux clients to point to new LiveUpdate server

Take the following steps to update your LiveUpdate policy for Mac and Linux clients for your desired groups. Once the policy is updated, these clients will point to the newly configured Apache web server for downloading LU content.

  1. Within Symantec Endpoint Protection Manager, click Policies > LiveUpdate. On the LiveUpdate Settings tab, double-click the LiveUpdate Settings policy that applies to your desired groups.
  2. Click Use a specified internal LiveUpdate Server under Mac Settings > Server Settings (or Linux Settings > Server Settings) and specify the name 'SEPM HTTP LU Proxy,' with the corresponding URL: 'http://ServerIP:8014/luproxy' or 'http://ServerName:8014/luproxy'
    Where ServerIP or ServerName represents the IP number or name of the server that hosts Symantec Endpoint Protection Manager. If the Symantec Endpoint Protection Manager Apache web server uses a different port that 8014, replace 8014 with your actual port number in the above URL.
  3. Add Symantec LiveUpdate server as a fallback mechanism (this is optional, because this is always a fallback option). Use http://liveupdate.symantecliveupdate.com.
  4. Enable download randomization under Mac Settings > Schedule (or Linux Settings > Schedule). If the option is not greyed out, check Randomize the start time. This prevents the Apache web server from getting overloaded at certain times in a day.

Additionally, on SEP 12.1.x clients for Linux, edit the liveupdate.conf file and set serverlogging=false. SEP For Linux 14.0 does not require this setting. See TECH230862.

Symantec Endpoint Protection Macos Catalina Download

Managing cache file size

To manage the size of your cache file, take the following steps.

  1. Verify if the htcacheclean.exe file is present in the following folder:
    SEPM_Installapachebin
  2. If the file is not present in the mentioned location, copy htcacheclean.exe from the ToolsApache-ReverseProxy folder on your DVD to SEPM_Installapachebin
  3. Enter the following command while logged in with an account that has full access rights on the cache-root folder:
    htcacheclean -n -t -d1440 -l1024M -p'SEPM_Install/apache/cache-root'

This will run the htcacheclean tool in daemon mode. The cache cleaning will be done on a daily interval. The maximum cache size allowed on disk is 1 GB.

To automatically start the htcacheclean daemon every time Windows starts, take the following steps.

  1. Hold down the Windows key on your keyboard and press the letter R to open the Run dialog. Type taskschd.msc, and then click OK.
  2. In the Task Scheduler, in the right pane, click Create Basic Task.
  3. Name the new task with a description such as Manage Apache Cache Size, and then click Next.
  4. To set the task to run every time Windows starts, in the Task Trigger pane, click When the computer starts, and then click Next.
  5. In the Action dialog box, click Start a program, and then click Next.
  6. Enter the full path to htcacheclean into Program/script:
    SEPM_Installapachebinhtcacheclean.exe
  7. Enter the following arguments into Add arguments (optional), and then click Next.
    -n -t -d1440 -l1024M -p'SEPM_Install/apache/cache-root'
  8. To complete adding the scheduled task, click Finish.
  9. In the Windows Task Scheduler library, right-click the task you created, and then click Properties.
  10. In the Settings tab, click to deselect Stop the task if it runs longer than, and then click OK.

Since the task does not run until you restart the system, you can run it now. In the Task Scheduler, right-click the task you created, and then click Run.

Note: Ensure that the user account running the task has full control on the folder SEPM_Installapachecache-root.

Performance and scale

This configuration is designed for small numbers of Mac and/or Linux clients. You should only use this setup if there are only a few Mac and/or Linux clients and the network connecting clients and Symantec Endpoint Protection Manager has good bandwidth throughput. Assuming that each client downloads roughly 500KB of LU content on daily basis, 2000 Mac or Linux clients will result in a download of approximately 1 GB of LU content daily from the Apache web server. For configurations having large numbers of clients, you should consider an alternative like Symantec LiveUpdate Administrator.

Security and compatibility

Symantec suggests the use of only Symantec-signed binaries for Apache modules that are mentioned in this article. These signed binaries are available on the Symantec Endpoint Protection downloaded installation file. Note that the required binaries also get installed along with Symantec Endpoint Protection Manager for versions 12.1.4 and later.

For Symantec Endpoint Protection 14:

Symantec Endpoint Protection Mac Firewall

  • The downloaded full installation file, ToolsApache-ReverseProxy

Because new vulnerabilities may be published after the publication of this article, please check the vulnerabilities published by the Apache project for the appropriate version of Apache web server: http://httpd.apache.org/security/

Symantec Endpoint Protection Download Mac

SEPM Upgrades

Symantec Endpoint Protection Definitions Download For Mac

Note that upgrading the SEP Manager may reset or overwrite this configuration file. As such, post-SEPM upgrade ensure the changes made to httpd.conf are checked and corrected.