Endpoint Protection


Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?


  • 1.  Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 11:56 AM

    Before I recommend my company to buy and install SEP (Symantec Endpoint Protection) version 12, I would appreciate it if someone who is an expert on this software provide me answers to the following question:

    Is SEP 12 able to remove viruses from Linux and/or Mac computers?

    My company has an assortment of Microsoft Windows 7 computers, Mac computers and Linux (Debian/Fedora/Ubuntu) computers. All of them are managed via Microsoft Windows 2008 server. SEP 12 will be installed on this server.

    Thank you in advance for your answer.



  • 2.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 12:04 PM

    SEP 12.1 cannot do this.

    You need to use SAV for Linux (SAVFL). See this:

    http://www.symantec.com/business/support/index?page=content&id=TECH103599



  • 3.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 04:42 PM

    Thanks, my friend, for your advice.

    Again, please tell me how to obtain SAV for Linux?

    I have searched Symantec's entire website and could not find the purchasing/licensing details for SAV for Linux. How is SAVFL sold or licensed? What is the retail price?



  • 4.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 06:28 PM

    SAVFL comes included on the download for SEP 12.1. It should be included in the SAVFL folder on the 12.1 DVD. Do you not see it there?



  • 5.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 07:00 PM

    Is it on the Trial CD?



  • 6.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 07:22 PM

    Not exactly sure. Should be a SAVFL folder on there if it is.



  • 7.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 09:27 PM

    Correct.

    You can map a drive to a linux share and scan that way.



  • 8.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 09:27 PM

    I suppose SAVFL is to be installed on Linux-based computers, not on the Windows 2008 server?



  • 9.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 09:29 PM

    So what is the point of having SEP then?



  • 10.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 09:30 PM

    SAVFL is for 32-bit or 64-bit Linux OS?



  • 11.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 09:33 PM

    And SEP 12.1 is for Microsoft Windows 32-bit or 64-bit?



  • 12.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 09:34 PM

    Depends on OS, check version requirements here:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/ppfdocs/2005110716014248



  • 13.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 16, 2012 09:36 PM

    It supports both 32 and 64 bit:

    http://www.symantec.com/business/support/index?page=content&id=TECH163806



  • 14.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Broadcom Employee
    Posted Dec 16, 2012 09:36 PM

    SEP for windows and SAV for linux are different products.

    SAV for linux cannot be managed by the SEPM.

    SEP 12.1 can manage Windows and MAC OS.



  • 15.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Broadcom Employee
    Posted Dec 17, 2012 01:37 AM

    Hi,

    SAVFL comes included on the download for SEP 12.1. Do you see any challenge while installing it on 32 bit or 64 bit OS?

    You will see similar folder structure about SEP 12.1. It includes all setup files like SEP 32bit, 64bit, MAC, Linux, SEPM.



  • 16.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 17, 2012 06:42 AM

    Thanks for your clarifications.

    I have another question.

    According to Wikipedia.org under the document titled "Linux Malware" (URL is http://en.wikipedia.org/wiki/Linux_malware ), it states:

    Anti-virus applications

    There are a number of anti-virus applications available which will run under the Linux operating system. Most of these applications are looking for exploits which could affect users of Microsoft Windows.

    For Microsoft Windows-specific threats

    These applications are useful for computers (typically, servers) which will pass on files to MS Windows users. They do not look for Linux-specific threats.

    Is it true that SAV for Linux does not look for Linux-specific threats but rather Microsoft Windows-specific threats?

     

     



  • 17.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Broadcom Employee
    Posted Dec 17, 2012 06:53 AM


  • 18.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 17, 2012 10:15 AM

    Thanks for your offer of help but the article that you referred to is more than 11 years old.

    Could some expert on the product, Symantec Antivirus for Linux, answer directly to my question please?

    Are the claims made by Wikipedia's article on "Linux Malware" about SAV for Linux true?

     

    Thanks for your clarifications.

    I have another question.

    According to Wikipedia.org under the document titled "Linux Malware" (URL is http://en.wikipedia.org/wiki/Linux_malware ), it states:

    Anti-virus applications

    There are a number of anti-virus applications available which will run under the Linux operating system. Most of these applications are looking for exploits which could affect users of Microsoft Windows.

    For Microsoft Windows-specific threats

    These applications are useful for computers (typically, servers) which will pass on files to MS Windows users. They do not look for Linux-specific threats.

    Is it true that SAV for Linux does not look for Linux-specific threats but rather Microsoft Windows-specific threats?



  • 19.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Broadcom Employee
    Posted Dec 17, 2012 10:17 AM

    Check the definition for the same; it's known for 2010 even though discovered in 2001, since there might be variants.

    http://www.symantec.com/security_response/writeup.jsp?docid=2004-052312-2729-99

     



  • 20.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 17, 2012 10:46 AM

    @ pete_4u2002

    Please answer my question directly:

    Is Symantec Antivirus for Linux able to scan for and remove Linux-specific viruses?



  • 21.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 17, 2012 10:50 AM

    Yes.

    SAVFL is for Linux based OS and will scan and detect Linux malware.



  • 22.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 17, 2012 01:51 PM

    Hi Chetan,

    Thanks for your reply.

    I see that you are a technical support engineer for "Endpoint Security".

    Could you please answer my question: Is Symantec Antivirus for Linux able to scan for and remove Linux-specific malware? According to Wikipedia's article on "Linux Malware" ( http://en.wikipedia.org/wiki/Linux_malware ) SAV for Linux is only able to scan for and remove Microsoft Windows-specific malware.



  • 23.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?
    Best Answer

    Posted Dec 18, 2012 05:22 AM

    Hi BCBIT,

    Just to confirm:

    • SAVFL will catch Linux threats, Windows threats, and Mac threats.
    • SEP on Windows will catch Linux threats, Windows threats, and Mac threats
    • SEP on Mac will catch Linux threats, Windows threats, and Mac threats
    • Symantec Mobile Security 7.2 / SEP Mobile Edition on Windows Mobile will only catch threats that are designed to work on the Android/WM platforms (not full Windows, Linux or Mac)

    (So: if you have a file server that is running Linux, it won't be able to help spread Windows viruses.  The same goes vice versa: a Windows file server will block threats that target Linux machines.  SMS 7.2 on an Android phone doesn't have the memory, CPU, etc. to detect every threat for every platform; it just protects itself.)

    Here's a couple of articles that will help you to make the most of SAV for Linux:

    Do we really need a Antivirus for Linux
    https://www-secure.symantec.com/connect/articles/do-we-really-need-antivirus-linux

    How to Install SAV for Linux (SAVFL) and Update It Using LUA 2.x (2.3.0.71)
    https://www-secure.symantec.com/connect/articles/how-install-sav-linux-savfl-and-update-it-using-lua-2x-23071

    SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide
    https://www-secure.symantec.com/connect/articles/sav-linux-scanning-best-practices-somewhat-illustrated-guide

    Please do update this thread if you need any more info!  I know SAVFL pretty well.  &: )

     

     



  • 24.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 06:29 AM

    @ Mick2009

    Thanks for taking the time to write a rather detailed and informative reply.

    But your reply is at odds with Brian1's (see below).

    SEP 12.1 cannot do this.

    You need to use SAV for Linux (SAVFL). See this:

    So who's right?

    The person who I think knows a lot about SAVFL is Chetan Savade (he's the technical support engineer for "Endpoint Security") and he has not replied to me yet, despite the fact that I sent him a PM yesterday.



  • 25.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 06:30 AM

    Brian and I are both right.  &: ) 

    SEP must be installed on Windows and Macs.

    SEP comes with "SAV for Linux" which is installed on Linux machines.



  • 26.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 06:32 AM

    @ Mick2009

    • SAVFL will catch Linux threats, Windows threats, and Mac threats.
    • SEP on Windows will catch Linux threats, Windows threats, and Mac threats

    Could you be kind enough to quote the relevant "Knowledge Base" articles to support the above claims? Thanks in advance.



  • 27.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 06:36 AM

    No. Only one of you is right.

    Please re-read my original post right at the top of this page, which is reproduced below:

    Before I recommend my company to buy and install SEP (Symantec Endpoint Protection) version 12, I would appreciate it if someone who is an expert on this software provide me answers to the following question:

    Is SEP 12 able to remove viruses from Linux and/or Mac computers?

    My company has an assortment of Microsoft Windows 7 computers, Mac computers and Linux (Debian/Fedora/Ubuntu) computers. All of them are managed via Microsoft Windows 2008 server. SEP 12 will be installed on this server.

    Thank you in advance for your answer.

     



  • 28.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Trusted Advisor
    Posted Dec 18, 2012 06:46 AM

    Hi BCBI

    SEP is not installed on Linux machines; the accompanying product SAV is installed on Linux machines. It can detect and delete Linux-based viruses but cannot be controlled via the SEP manager deployed for SEP. SAV is included on the DVD for the SEP product.

    Management of Symantec AntiVirus (SAV) for Linux:

    http://www.symantec.com/docs/TECH102587

     

    Best practice to install Symantec Antivirus for Linux:

    http://www.symantec.com/docs/TECH150596

    SEP can only be installed on Windows or Mac based machines but can scan and detect viruses on shared drives from a Linux machine.



  • 29.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Trusted Advisor
    Posted Dec 18, 2012 06:47 AM

    Also these links may be useful

    How to obtain the latest release of Symantec AntiVirus for Linux

    http://www.symantec.com/docs/TECH93841

    About the Symantec AntiVirus client for Linux

    http://www.symantec.com/business/support/index?page=content&id=HOWTO17995&actp=search&viewlocale=en_US&searchid=1329988056873



  • 30.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 07:22 AM

    Does Symantec Endpoint Protection Provide Protection Against a Specific Threat?
    Article:TECH158071   |  Created: 2011-04-14   |  Updated: 2011-04-14   | 
    Article URL http://www.symantec.com/docs/TECH158071

    Here's the Threat List displaying some of the Linux-specific threats.

    Opening the Threat List on SEP for Mac or on SAVFL will display their threats, too (threats targeting all OSes).

     


     



  • 31.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 07:54 AM

    Hi GeoGeo

    The links that you provided do not answer my question at all.

    Does SAVFL remove Linux-specific threats or Microsoft Windows-specific threats? Please point out the relevant "Knowledge Base" articles to support your answer. Thanks.

    According to Wikipedia's article titled "Linux Malware", SAVFL can only scan, detect and remove MS Windows-specific threats.



  • 32.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 07:55 AM

    Hi GeoGeo

    The links that you provided do not answer my question at all.

    Does SAVFL remove Linux-specific threats or Microsoft Windows-specific threats? Please point out the relevant "Knowledge Base" articles to support your answer. Thanks.

    According to Wikipedia's article titled "Linux Malware", SAVFL can only scan, detect and remove MS Windows-specific threats.



  • 33.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 07:58 AM

    @ Mick2009

    In your earliest post, you made the following claims:

    • SAVFL will catch Linux threats, Windows threats, and Mac threats.
    • SEP on Windows will catch Linux threats, Windows threats, and Mac threats
    • SEP on Mac will catch Linux threats, Windows threats, and Mac threats


    I am still waiting for you to provide the links to the relevant "Knowledge Base" articles to support them.



  • 34.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 08:30 AM

    Hi again BCBIT,

    Does Symantec Endpoint Protection Provide Protection Against a Specific Threat?
    Article:TECH158071   |  Created: 2011-04-14   |  Updated: 2011-04-14   | 
    Article URL http://www.symantec.com/docs/TECH158071

     

    Here's a screenshot of the threat list from a SAV For Linux client.  (Just run sav info -t from the command line to generate the threat list on SAVFL.)  Linux threats, Mac threats, Windows threats.... it will detect them.
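
    Added example, not part of the original post: one way to check such a threat list for each platform family by grouping names on their prefix. It assumes the list has been saved as one threat name per line; the sample names below are constructed, and "OSX" and "Android" as prefixes are assumptions (the thread itself only shows "W32" and "Linux").

```shell
#!/bin/sh
# Added example (not from the thread): group a saved threat list by the
# prefix of each threat name, to confirm which platform families are covered.
# Assumption: one threat name per line, with the family prefix before the
# first dot (e.g. W32.*, Linux.*). Names without a dot are counted as "(none)".

# count_by_prefix: read names on stdin, print "<prefix> <count>" per family.
count_by_prefix() {
    awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # tolerate CRLF and padding
        $0 == "" { next }                                # skip blank lines
        index($0, ".") == 0 { n["(none)"]++; next }      # no prefix at all
        { split($0, part, "."); n[part[1]]++ }
        END { for (k in n) print k, n[k] }
    ' | LC_ALL=C sort
}

# missing_prefixes FILE PREFIX...: print every PREFIX that has no entry in FILE.
missing_prefixes() {
    list_file=$1; shift
    for prefix in "$@"; do
        count_by_prefix < "$list_file" | grep -q "^$prefix " \
            || printf '%s\n' "$prefix"
    done
}

# Constructed sample input; these are placeholder names, not real definitions.
sample_threat_list() {
    cat <<'EOF'
W32.Example.A
W32.Example.B!inf
Linux.Example.Worm
  Linux.Example.Backdoor
OSX.Example.A

Trojan.Example
EICAR Test String
EOF
}

# Demo on the constructed sample. On a real client the list would come from
# the command named in the post, e.g.:  sav info -t > threats.txt
demo_file=$(mktemp)
sample_threat_list > "$demo_file"
count_by_prefix < "$demo_file"
echo "missing: $(missing_prefixes "$demo_file" W32 Linux OSX Android | tr '\n' ' ')"
rm -f "$demo_file"
```

    Generic names such as Trojan.* carry no platform in their prefix, so a family count of zero is the signal to look at, not the totals.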

     



  • 35.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Trusted Advisor
    Posted Dec 18, 2012 10:29 AM

    What are you after: the complete attack database that Symantec has on Linux attacks that can be picked up?

    Or just confirmation that SAVFL picks up Linux malware and actions it? If so, it was actioned in Mick2009's link by another Symantec employee.

    https://www-secure.symantec.com/connect/articles/do-we-really-need-antivirus-linux



  • 36.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 10:43 AM

    The point is SAVFL scans for and removes Linux malware.

    The links provided above, especially by Mick are very helpful.

    I wouldn't put too much stake into what you read on Wikipedia since it can be edited by anyone. From the link you provided to the Wikipedia article, whoever wrote it obviously doesn't know what they're talking about and it needs to be re-written. Maybe I'll fix it today when I get a chance...



  • 37.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 12:12 PM

    Hi BCBIT,

    Making the collection complete.... With thanks to Mac guru SandraG, here's how to confirm the threat list on a Mac.  (I have confirmed here in my test lab that Linux threats are indeed listed.)

    Please update this thread if there is anything additional needed, or do take the time to mark it "solved" for the benefit of future admins with the same question (Solved threads are indexed / come up in certain searches.) 

    With thanks and best regards,

    Mick

     

     



  • 38.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 01:53 PM

    You're welcome! smiley

    sandra



  • 39.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 01:58 PM

    Hi GeoGeo,

    Granted that the link https://www-secure.symantec.com/connect/articles/do-we-really-need-antivirus-linux answers my question that SAVFL does indeed scan for, detect and remove Linux-specific malware/viruses.

    What about the claim by Mick2009 that SAVFL is able to scan for, detect and remove MS Windows- and Mac-specific malware/viruses as well?

    Mick2009 further claims that SEP is able to remove viruses/malware from three platforms: MS Windows, Mac and Linux.

    Up till now, he hasn't produced the URLs to "Knowledge Base" articles to back up his claims.



  • 40.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 02:08 PM

    @Brian81

    I wouldn't put too much stake into what you read on Wikipedia since it can be edited by anyone. From the link you provided to the Wikipedia article, whoever wrote it obviously doesn't know what they're talking about and it needs to be re-written. Maybe I'll fix it today when I get a chance...

    Please do amend the article titled "Linux Malware" at Wikipedia's site for the benefit of all its readers. Moreover your action will correct any misconception about what SAVFL can or cannot do. Your amendment will surely benefit Symantec Corporation and create a positive buzz for it.

    Now, if only Mick2009 could produce the URLs to the "Knowledge Base" articles that support his claims that (I quote his words)

    • SAVFL will catch Linux threats, Windows threats, and Mac threats.
    • SEP on Windows will catch Linux threats, Windows threats, and Mac threats
    • SEP on Mac will catch Linux threats, Windows threats, and Mac threats

    then you could include Mick2009's claims as well in that Wikipedia's article.



  • 41.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 02:14 PM

    To: Any Symantec employee

    In his earliest post, Mick2009 wrote the following (and I quote him):

    SAVFL will catch Linux threats, Windows threats, and Mac threats.
    SEP on Windows will catch Linux threats, Windows threats, and Mac threats
    SEP on Mac will catch Linux threats, Windows threats, and Mac threats

    According to him, SEP on Windows will catch Linux, Windows and Mac threats.

    My question is: since my company has an assortment of computers and laptops running MS Windows, Mac and Linux operating systems and all of them are managed by a server running MS Windows Server 2008, is it sufficient for my company to just install SEP on the server to scan for, detect and remove Linux, Mac and Windows threats? In other words, there is no need at all to install SAVFL on Linux-based computers and SAV for Mac on Mac-based machines. Am I correct?



  • 42.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 02:22 PM

    SEP is a host-based agent and will only scan the host that it is installed on. There is no way you could possibly install SEP on one machine and expect it to scan all machines on your network, unless you created shares and mapped a drive to those shares from your server that has SEP installed. This would be an impossible task. And not to mention Auto-Protect wouldn't come into play here.

    Bottom line, you need to have SEP installed on each host.

    Say you have a Linux box that is infected with Linux specific malware and trying to infect other OS based machines (ex. Windows or Mac machine), the SEP agent on the Windows or Mac machine will still detect and stop the attempt on the local host itself but it won't remove the threat from the source Linux host. You would also need to install SAVFL on this Linux host to remediate the infection completely.



  • 43.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 08:07 PM

    There is no way you could possibly install SEP on one machine and expect it to scan all machines on your network, unless you created shares and mapped a drive to those shares from your server that has SEP installed. This would be an impossible task. And not to mention Auto-Protect wouldn't come into play here.

    Bottom line, you need to have SEP installed on each host.

    I didn't know that. Thanks for the detailed explanation. If only someone had explained right at the beginning of this thread that SEP needed to be installed on each host.

    But how do you explain the existence of a centrally managed option in SEP? I vaguely remember having seen it during the installation process of SEP. One is asked to choose between "Unmanaged" and "Managed".

    I was under the impression that if I chose "Managed", SEP on my Windows 2008 server will scan, detect and remove all malware from machines connected to the server.

    Say you have a Linux box that is infected with Linux specific malware and trying to infect other OS based machines (ex. Windows or Mac machine), the SEP agent on the Windows or Mac machine will still detect and stop the attempt on the local host itself but it won't remove the threat from the source Linux host. You would also need to install SAVFL on this Linux host to remediate the infection completely.

    What about Mick2009's claims that (and I quote)

    • SAVFL will catch Linux threats, Windows threats, and Mac threats.
    • SEP on Windows will catch Linux threats, Windows threats, and Mac threats
    • SEP on Mac will catch Linux threats, Windows threats, and Mac threats

    His claims are so far-fetched. No wonder he has been keeping quiet since the time I asked him for the relevant "Knowledge Base" articles supporting his claims.



  • 44.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 18, 2012 08:29 PM

    Managed simply means the SEP client is managed by the SEPM, meaning you can assign policies, receive logs from the client, etc. It is the central management console for all SEP clients that are managed by the SEPM.

    Unmanaged means that the client is not managed by the SEPM. All configuration needs to be done on the client instead of thru the SEPM. You cannot manage policy or view logs from the client thru the SEPM. It will all need to be done on the client.

    That is all managed and unmanaged mean.

    Mick's claims are the truth. Although Windows malware will not run on Linux and Mac and vice versa for all three, it is still possible to physically have a Windows file on a Mac or Linux system. The Mac or Linux OS probably won't recognise it or it won't run but the file can still be there.

    As an example, I have people attach their phone via USB. The phone is running the Android OS (Linux based) and some phones will be infected. The SEP client on the Windows machine will detect and clean it even though it is Linux based.

    In the past, I've pulled hard drives from machines running the Linux OS and attached them to my Windows machine and scanned with the SEP client. Malware was found and cleaned. So regardless of the OS, SEP will catch and clean if there is a signature for it.

    I'm not sure about a KB article as I've never searched for one but I do know SEP can detect malware for Windows, Mac, and Linux.

    And just as an FYI, malware is mutating to the point where it will actually detect what OS you're running first, then infect accordingly.

    I'm not sure what time zone Mick is on but I'm sure he has a busy schedule. Usually it's harder for some of the Symantec employees to keep a regular presence. But I'm sure he will update when he gets a chance. Hopefully I've explained well enough though. I'm not sure if I can word it any other way. If you're looking for a KB for proof, hopefully it will be provided. I just know based on my experiences with SEP over the past 4 years of what it can do and it does work on all three of the OSs.



  • 45.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 19, 2012 05:14 AM

    Many thanks for all who have contributed to this thread.  "Thumbs up."  Experiences and advice like the peer-to-peer posts shared here are the best cure for confusion.  It is also possible to contact Technical Support if there are questions or issues which need immediate, professional assistance.


    Absolutely, positively, get an AV or security product on every endpoint in the organization.  The reason why threats like Downadup still plague some organizations is that there is an infected, undefended desktop or server somewhere in a corner which constantly attempts to re-infect every other machine.  Every machine needs an up-to-date AV client and the use of best practice (good password policy, locked down shares, patches, unnecessary products or services removed....)

    Here are two KB's which provide additional details:

    Does Symantec Endpoint Protection Provide Protection Against a Specific Threat?
    Article URL http://www.symantec.com/docs/TECH158071

    How to View the Threat List on Symantec Endpoint Products 
    Article URL http://www.symantec.com/docs/TECH200963

    Screenshots which illustrate how to generate those lists on every major platform can be found in this thread, above.

    Thanks again, all!

    With best regards,

    Mick



  • 46.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 19, 2012 12:55 PM

    Mick's claims are the truth. Although Windows malware will not run on Linux and Mac and vice versa for all three, it is still possible to physically have a Windows file on a Mac or Linux system. The Mac or Linux OS probably won't recognise it or it won't run but the file can still be there.

    Seconded. An examination of the virus definition list on an installed endpoint clearly displays cross-platform detections: the Mac endpoint, as shown in the screenshot from my own desktop, has a "W32" (Windows) detection at the top of the list. Typing in "Linux" into the "Display names containing" field yields a variety of Linux.*.* threats.

    sandra



  • 47.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 20, 2012 06:05 PM

    To: Mick2009, sandra.g and Brian81

    Could anyone of you be kind enough to send me 2 zip files? One of them will contain Mac-specific malware, viruses or trojans, while the other zip file will contain Linux-specific ones.

    Please do NOT send me Microsoft Windows-specific malware, viruses and trojans. I have enough of them.

    Please name the zip files 1.zip and 2.zip.

    Please do not tell me what each zip file contains. Let my SEP 12.2 do the scanning and detection.

    After I have posted the results of the scans here, then you can tell me the contents of the 2 zip files.

    What do you guys think?

    Action (read: testing) speaks louder than words (read: posting replies and clarifications here).



  • 48.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 21, 2012 04:50 AM

    Hi BCBIT,

    Apologies, there is no way that Symantec will distribute live viruses, even for testing purposes.  Eicar is what is used for testing even by our own Tech Support engineers: www.eicar.org

     



  • 49.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 28, 2012 03:02 AM

    Hi Mick2009,

    Thanks for your reply and for pointing out the Eicar file test to me.

    I have combed through the entire Eicar's website and couldn't find the answer to my question, which is:

    The Eicar test file is a Microsoft Windows-specific malware, Mac OS-specific malware or a Linux-specific malware ??



  • 50.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 28, 2012 04:28 AM

    Eicar is platform-neutral.  Linux, Mac, Windows, Netware, mobile security products for Android and Symbian OS, etc- every AV product on every platform should detect the eicar test file.



  • 51.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 28, 2012 04:43 AM

    Hi Mick2009

    I am looking for Linux-specific viruses/malware to test. Could you point out some websites or test files that contain Linux-specific viruses/malware?

    Thanks.



  • 52.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 28, 2012 04:47 AM

    Hi BCBIT,

    I am honestly not aware of any.  Eicar is what we recommend.

     



  • 53.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Dec 28, 2012 04:55 AM

    Thanks, Mick2009.



  • 54.  RE: Is Symantec Endpoint Protection version 12 able to scan for Linux viruses?

    Posted Jan 12, 2013 03:05 AM

    I confirm that SAV for Linux is able to detect Microsoft Windows-specific viruses/malware/trojans. I tested it today against a few files containing known Windows-specific malware/viruses/trojans.

    However I am unable to test whether SAV for Linux is able to scan for Linux-specific threats as up till now I am unable to get hold of Linux-specific malware/trojans/viruses.

    P.S.: I am using Ubuntu 12.10, kernel 3.5.0.21,64 bit, US English with SAV for Linux version 1.0.14.13. You will have to generate your own "Autoprotect" kernel modules.