Endpoint Protection

  • 1.  Cannot install SAV for Linux 1.0.14x on Ubuntu 12.04.2 x64 (kernel 3.5x)

    Posted May 15, 2013 12:50 PM

    Hello all

     

    I'm trying to install SAV for Linux 1.0.14-13 on an Ubuntu 12.04.2 x64 (kernel 3.5.0-28-generic-x86_64) desktop computer.
    I have read that although SAV for Linux 1.0.14 supports Ubuntu 12.04, it's only for the 3.2x kernel so I should compile my own autoprotect modules for 3.5.
    I have done so, but cannot restart the SAV rtvscand service afterwards.

    Here is what I have been doing:


    Prerequisite steps:
    Sun / Oracle Java 1.7 installed
    sudo apt-get install build-essential
    sudo apt-get install linux-headers-$(uname -r) build-essential

    Installing SAV:
    Extract the SAV installer, navigate to the deb folder and type:

    sudo dpkg -i sav-*.amd64.deb savap-*.amd64.deb savjlu-*.amd64.deb savui-*.amd64.deb

    This returns the following errors during installation (trimmed to show relevant info):

    Unpacking savui (from savui-1.0.14-13.amd64.deb) ...
    Setting up sav (1.0.14-13) ...
    /etc/init.d/symcfgd: line 154: /opt/Symantec/symantec_antivirus/symcfgd: No such file or directory
    /etc/init.d/rtvscand: line 151: /opt/Symantec/symantec_antivirus/rtvscand: No such file or directory
    invoke-rc.d: initscript symcfgd, action "start" failed.
    /etc/init.d/rtvscand: line 151: /opt/Symantec/symantec_antivirus/rtvscand: No such file or directory
    /etc/init.d/symcfgd: line 154: /opt/Symantec/symantec_antivirus/symcfgd: No such file or directory
    /etc/init.d/symcfgd: line 154: /opt/Symantec/symantec_antivirus/symcfgd: No such file or directory
    /etc/init.d/rtvscand: line 151: /opt/Symantec/symantec_antivirus/rtvscand: No such file or directory
    invoke-rc.d: initscript rtvscand, action "start" failed.
    Setting up savap (1.0.14-13) ...
    symap: not currently loaded
    symev: unable to load kernel support module (UNSUPPORTED-OS-ub-ST-12-3.5.0-28-generic-x86_64)
    invoke-rc.d: initscript autoprotect, action "restart" failed.
    

    I see an error related to the kernel I am running (3.5x) so I follow the published instructions on how to successfully compile my own autoprotect modules for kernel 3.5:

    Compiling autoprotect modules for kernel 3.5x:

    tar xvzf ap-kernelmodule-1.0.14-13.tar.gz
    cd ap-kernelmodule-1.0.14-13
    sudo ./build.sh --kernel-dir /usr/src/linux-headers-$(uname -r)
    

    and here are the results for that (trimmed down to show relevant info):
     

    Kernel release is not set, build the kernel modules for the current kernel release(3.5.0-28-generic)
    /home/ubuntuadmin/Downloads/Ubuntu/sav/ap-kernelmodule-1.0.14-13/symev/symev.c: In function ‘symev_read_proc_symev’:
    /home/ubuntuadmin/Downloads/Ubuntu/sav/ap-kernelmodule-1.0.14-13/symev/symev.c:431:9: warning: format ‘%d’ expects argument of type ‘int’, but argument 9 has type ‘long unsigned int’ [-Wformat]
    
    /symap-custom-3.5.0-28-generic-x86_64.o
      Building modules, stage 2.
      MODPOST 1 modules
      CC      /home/ubuntuadmin/Downloads/Ubuntu/sav/ap-kernelmodule-1.0.14-13/symap/symap-custom-3.5.0-28-generic-x86_64.mod.o
      LD [M]  /home/ubuntuadmin/Downloads/Ubuntu/sav/ap-kernelmodule-1.0.14-13/symap/symap-custom-3.5.0-28-generic-x86_64.ko
    make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-28-generic'
    cp symap-custom-3.5.0-28-generic-x86_64.ko ../bin.ira/symap-custom-3.5.0-28-generic-x86_64.ko
    ~/Downloads/Ubuntu/sav/ap-kernelmodule-1.0.14-13
    
    Congratulations, build was successful!

     

    I move the newly-compiled autoprotect modules to their correct folders:

    sudo mv * /opt/Symantec/autoprotect/

    

    Starting SAV services:   

    I start the autoprotect service, which seems to start OK:

    sudo /etc/init.d/autoprotect restart
    Stopping AP: symap: not currently loaded
    Starting AP: symev: loaded (symev-custom-3.5.0-28-generic-x86_64.ko)
    symap: loaded (symap-custom-3.5.0-28-generic-x86_64.ko)
    Setting major=250 from /proc/symap

    

    Now I attempt to start the rtvscand service, which fails:

    sudo /etc/init.d/rtvscand restart
    
    Stopping rtvscand:                                                   failed
    /etc/init.d/rtvscand: line 151: /opt/Symantec/symantec_antivirus/rtvscand: No such file or directory
    /etc/init.d/symcfgd: line 154: /opt/Symantec/symantec_antivirus/symcfgd: No such file or directory
    /etc/init.d/symcfgd: line 154: /opt/Symantec/symantec_antivirus/symcfgd: No such file or directory
    /etc/init.d/rtvscand: line 151: /opt/Symantec/symantec_antivirus/rtvscand: No such file or directory
    Starting symcfgd:                                                    failed
    

     

    And then I'm stuck. The error message above mentions missing files in /opt/Symantec/symantec_antivirus/.

    I've checked and those files are there. Restarting the PC doesn't fix the problem and I think I've followed the correct procedure to install.

    Any advice?  Thank you

     



  • 2.  RE: Cannot install SAV for Linux 1.0.14x on Ubuntu 12.04.2 x64 (kernel 3.5x)
    Best Answer

    Posted May 16, 2013 07:54 AM

    Hi Abbers,

    Symantec Antivirus for Linux requires 32-bit libraries that are not installed on the 64-bit version of Ubuntu 9.10 or 10.04.  It should work if you install the 32-bit libraries by running the following command via a terminal.


    "sudo apt-get install ia32-libs"

     

    Let me know how you get on / please keep this thread up-to-date with your progress!

    All the best,

    Mick
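
Added example (not part of the original thread and not Symantec code): on Linux, running a dynamically linked binary whose ELF program interpreter is absent fails with "No such file or directory" even though the binary itself exists, which is the usual symptom when the 32-bit loader is missing on a 64-bit system. This Python script reads the PT_INTERP entry and checks that the loader it names exists; the function names and the constructed ELF stub are assumptions made for illustration.

```python
import os
import struct
import sys

PT_INTERP = 3  # program-header type that names the dynamic loader

def elf_interpreter(data):
    """Return (bits, loader path or None) for the bytes of an ELF file."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]            # EI_CLASS
    end = "<" if data[5] == 1 else ">"        # EI_DATA
    if bits == 32:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    else:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from(end + "I", data, off)[0] != PT_INTERP:
            continue
        # p_offset and p_filesz sit at different offsets in 32- and 64-bit headers
        fmt, skip = ("IIII", 4) if bits == 32 else ("QQQQ", 8)
        p_offset, _, _, p_filesz = struct.unpack_from(end + fmt, data, off + skip)
        return bits, data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return bits, None  # statically linked: no loader needed

def diagnose(path):
    """Say whether exec of `path` can fail with ENOENT because its loader is absent."""
    with open(path, "rb") as f:
        bits, interp = elf_interpreter(f.read())
    if interp and not os.path.exists(interp):
        return f"{path}: {bits}-bit ELF, loader {interp} MISSING (exec gives ENOENT)"
    return f"{path}: {bits}-bit ELF, loader {interp or 'none (static)'} ok"

def sample_elf32(interp=b"/lib/ld-linux.so.2\0"):
    """Constructed 32-bit little-endian ELF stub: header plus one PT_INTERP entry."""
    ehdr = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_INTERP, 84, 0, 0, len(interp), len(interp), 4, 1)
    return ehdr + phdr + interp

if __name__ == "__main__":
    print(elf_interpreter(sample_elf32()))   # constructed sample
    for p in sys.argv[1:]:                   # e.g. the daemon binaries named in the errors
        print(diagnose(p))
```

Pass the paths from the init-script errors as arguments to see which loader each binary expects and whether it is installed.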

     



  • 3.  RE: Cannot install SAV for Linux 1.0.14x on Ubuntu 12.04.2 x64 (kernel 3.5x)

    Posted May 16, 2013 08:29 AM

    Thank you Mick, that seems to have done the trick!

    I installed the 32-bit libraries prior to installing SAV, and I could start rtvscand:

    Stopping rtvscand: ..                                                done
    Starting rtvscand:                                                   done
    

    I tested SAV using the EICAR test file, which was detected and quarantined successfully.

    I still have more work to do, such as getting the GUI working and managing the Ubuntu computer from our SEP Manager, but to get SAV working on Ubuntu is definitely a major milestone!

    Many thanks for your assistance.



  • 4.  RE: Cannot install SAV for Linux 1.0.14x on Ubuntu 12.04.2 x64 (kernel 3.5x)

    Posted May 16, 2013 08:41 AM

    Glad to assist! 

    One known Ubuntu issue that you will run into (and how to fix it):

    Symantec AntiVirus for Linux Savtray GUI Does not appear in Ubuntu with Unity
    http://www.symantec.com/docs/TECH199921 
     

    Also, this series of articles may help you make the best use of SAV for Linux!

    It is absolutely crucial to get those Linux machines protected.  Here's yesterday's example why, from Security Response:

    When Web Servers Serve Evil
    https://www-secure.symantec.com/connect/blogs/when-web-servers-serve-evil

    With thanks and best regards,

    Mick



  • 5.  RE: Cannot install SAV for Linux 1.0.14x on Ubuntu 12.04.2 x64 (kernel 3.5x)

    Posted May 16, 2013 09:04 AM

    Thanks Mick, I have followed the above steps and the SAV icon now appears as a menu item!

    However, I am concerned that AutoProtect is now disabled (I did get it working from the command line during installation).

    The SAV icon in the menu bar shows the red X and the application itself displays the AutoProtect status as disabled.