Symantec Endpoint Protection and Catalina - unable to do live updates

jwojda
Valued Contributor II

We've got some users that are upgrading their OS to Catalina and finding their Symantec no longer completes the live updates. All of the existing machines are using an older version of SEP (14.0), but even upgrading to 14.2.1 doesn't seem to resolve the issue.

The device shows it has a valid connection to the SEP servers. We did allow the app in security and privacy.


Eltord
Contributor

We've actually had a lot of discussion about this same issue in the MacAdmins Slack symantec channel. A lot of other groups are having this same problem, and are actually experiencing Kernel Panics and a multitude of other issues with Symantec right now. We've been meeting with our TAM and they've said that the hotfix before this current one was a failure on their part to resolve these issues, and that they just released a hotfix yesterday that appears to be resolving a lot of the issues more successfully based on their testing.

We are going to be doing testing for that hotfix today to see what we come up with, and I'll post here when I can the progress I've made. Our current issues are that the devices are Kernel Panicking, the upgrade to Catalina is breaking the SEP app so the system extensions are no longer accepted automatically with the config profile in place.

brunerd
Contributor

Yeah it's a catch-22 of upgrading Mojave Macs with SEP 14.2 RU2+ to Catalina
You can't deploy the Config Profile to whitelist the System Extension unless you are already on Catalina (Mojave does not really know how to apply the CP) and then the System Extension will attempt to load immediately upon first boot after the upgrade before the CP is in place!

I came upon a very low-tech way of handling this: Before upgrading a Mac with SEP 14.2 RU2+ to Catalina, rename the folder where the system extension lives so it cannot be loaded, then once you've ensured the System Extension Config Profile is loaded, rename the folder back to its original name and reboot to get it to load. YMMV but thought I'd toss this out there for those caught in the Catch-22...

mv "/Applications/Symantec Solutions/Symantec Endpoint Protection.app/Contents/Library/SystemExtensions/" "/Applications/Symantec Solutions/Symantec Endpoint Protection.app/Contents/Library/SystemExtensions-DISABLED"
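The rename-and-restore step described in the post above, as an added example that is not part of the original post: the path is the one quoted there, while the function names and the `SEP_APP` override are hypothetical. It is written to be run as root, and confirming that the System Extension config profile is installed before restoring is left to the admin.

```shell
#!/bin/sh
# Added example: park and restore the SEP SystemExtensions folder around a
# Catalina upgrade. The path contains spaces, so every expansion is quoted.
SEP_APP="${SEP_APP:-/Applications/Symantec Solutions/Symantec Endpoint Protection.app}"

sysext_dir() { printf '%s\n' "$1/Contents/Library/SystemExtensions"; }

# Before the upgrade: rename the folder so the extension cannot load.
disable_sysext() {
    app="${1:-$SEP_APP}"
    live="$(sysext_dir "$app")"
    parked="${live}-DISABLED"
    if [ -d "$parked" ] && [ ! -e "$live" ]; then
        return 0                               # already parked
    fi
    if [ -e "$parked" ]; then
        echo "both '$live' and '$parked' exist; resolve by hand" >&2
        return 2
    fi
    [ -d "$live" ] || { echo "not found: $live" >&2; return 1; }
    mv -- "$live" "$parked"
}

# After the config profile is confirmed on Catalina: rename back, then reboot.
restore_sysext() {
    app="${1:-$SEP_APP}"
    live="$(sysext_dir "$app")"
    parked="${live}-DISABLED"
    if [ -d "$live" ] && [ ! -e "$parked" ]; then
        return 0                               # already restored
    fi
    if [ -e "$live" ]; then
        echo "both '$live' and '$parked' exist; resolve by hand" >&2
        return 2
    fi
    [ -d "$parked" ] || { echo "not found: $parked" >&2; return 1; }
    mv -- "$parked" "$live"
}

# Stand-alone use: "script disable" before the upgrade, "script restore" after.
case "${1:-}" in
    disable) disable_sysext ;;
    restore) restore_sysext ;;
esac
```

Both functions are safe to re-run, which matters when they are pushed as policies that may fire more than once.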

jwojda
Valued Contributor II

I believe I've got a working mobileconfig now from here - post #22 from kroeb which seems to be working, as soon as the test machine received the config profile, symantec flipped to "your computer is protected".

The only thing I wasn't sure on was when I went to security and privacy, accessibility doesn't show anything for symantec and Full Disk Access shows symantec extensions, but they are not checked... (see attached).

mthoma
New Contributor III

We've been having problems ever since the SEP release back in Nov/Dec that's supposedly compatible with Catalina. Lots of kernel panics with Macs using USB-C adapters (most to Ethernet).

I just tested allowing Symantec Endpoint Protection in Full Disk Access as shown above in the screenshot. So far my Mac mini is behaving whereas before when I restarted with the Belkin USB-C -> Ethernet adapter attached, the Mini would KP.

We'll look into adding a PPPC to allow this setting. Will test other Macs with the same issues over the next few days to confirm.

We had two cases open with Symantec (now Broadcom) and no one thought to have us check this setting! :( When troubleshooting other issues with giving apps access (such as allowing mic and camera access to Zoom, etc) I noticed this entry and wondered if it would fix our issue.

Currently running the latest SEP hot fix, but I'm also going to try this with the current official release.

Hope this helps someone else.

mthoma
New Contributor III

Unfortunately the fix I thought was working isn't. The only thing that does work is uninstalling SEP but that's unfortunately not an option for us. I'll continue testing and report back if I have any lasting success.

guidotti
Contributor II

Are you guys still having issues?
Newest Mojave 10.14.6 with 003 security patch is kernel panicking for us out of sleep.
Also happening on Catalina, newest 10.15.5.
It seems to only be affecting our 2017 MacBook Pros so far.
We are using newest SEP 14.3.

dng2000
Contributor II

My organization has at least a dozen kernel panics reported to me recently, primarily High Sierra and Mojave with 2020-003 patch and SEP 14.2.2. Am I understanding correctly that kernel panics are happening on SEP 14.3 as well? On a separate but related topic, I'm also well aware for the past 4 months that certain non-Apple USB adapters and docks trigger kernel panics on Catalina with SEP 14.2.x. Does anyone know if SEP 14.3 resolves that issue?

hepvd
Contributor

@dng2000 We also had a LOT of Kernel Panics with 14.3. The com.symantec.internetSecurity.kext and com.symantec.ips.kext were causing looping boot. It was awful. Symantec was not helping at all (no support), plus Broadcom removed all community chats and documentation.

We cancelled our contract 2 months ago.

dng2000
Contributor II

Thanks @hepvd for sharing your situation.

llitz123
Contributor III

I appreciate this thread as I too am having all sorts of random issues with Symantec Endpoint Protection. I even uninstalled and still get kernel panics with 14.3 on MacOS 10.14. I have also had support tickets open for months with no response after I cornered them about issues. On 7/1:

I am writing this to let you know the case is being advanced to the next level and you will be contacted as soon as possible. Assuring the best of services at all time.

What process do people use to completely uninstall SEP and has anyone successfully tested any alternatives?
Thanks for any help.

dng2000
Contributor II

@llitz123 Have you used RemoveSymantecFiles from https://knowledge.broadcom.com/external/article/151387/remove-symantec-software-for-mac-using-r.html to see if that stops the kernel panics? That's what my environment uses for troubleshooting.

llitz123
Contributor III

@dng2000 Thanks. I will use something similar to remove Symantec.
FWIW I had a ticket open with Broadcom support for a while. They eventually escalated it and I replied every week asking for updates. It's a client provisioning issue where it works once and then doesn't and there is an issue creating a 10.15 MDM installer... Their escalation team replied:

Thank you for contacting Symantec Enterprise Technical Support. Our Technical Support team is available to assist with any problems experienced with our products. For questions regarding custom product configuration please review our documentation or kindly refer to our Consulting Services team. You can find the Administrator Guide for Endpoint Protection here: LINK The complete Technical Support Reference Guide, which outlines the scope of Technical Support as well as what is not supported, can be found at https://knowledge.broadcom.com/external/article/163980/symantec-support-reference-guide.html#policy Our Consulting Services team can design, optimize, and implement your security environment to ensure maximum protection and value from your investment. For further assistance in this matter, please refer to Consulting Services at https://www.Broadcom.com/support/symantec/services/consulting Thank you again for contacting Symantec Enterprise Technical Support! For your convenience this case will be Closed within 72 hours absent further questions or concerns. If you experience any problems using our products, please don’t hesitate to open a new case and we will be happy to assist.

We are removing Symantec from our environment ASAP because the product doesn't work as expected and it's always a serious chore to update the console and clients. And IMO their support is horrible.

llitz123
Contributor III

This script seems to work for me.