ul


Vaniria Setser

Jun 28, 2024, 4:46:27 PM
to dapusinca

I want to update Symantec Endpoint Protection and NIS with offline updates using command lines. Is there any option to do this? If it is available, I will be migrating from Symantec Endpoint Manager to unmanaged clients as well as NIS. I can save licensing cost by this.

Sorry. I am already using the offline Intelligent Updater and running it manually on all PCs. Instead, I am looking for an option like installing the Intelligent Updater .exe files through the command line. Ex: run the cmd to update SEP or NIS

Note: This is an example. I was looking for an option like this. This way I can reduce the necessity of going to every PC and running the update file manually. Instead, I can schedule the same at a specified time.

Symantec has an anti-virus program called Symantec Endpoint Protection. From the Manager, you can build custom packages that will deploy the policies you choose to specific groups of computers. When the package build is complete, you have a single file named setup.exe that you can install manually on computers in a specific group, and when setup completes, the computers will then appear in the SEP manager server as being a part of the specified group.

I gave this a try. I created a simple package pointing to the setup.exe file with my usual prerequisite rules, applicability rules, and installed rules, but the manager insists that there are no computers with the program installed.

So, assuming the command line installer can work, how to construct an installed rule for version 12.1.5, say, so that when version 12.1.6 is released, Patch Manager will understand that version 12.1.6 is already installed, and won't attempt to install version 12.1.5, but will install on any computers with no installed version?

So in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTVERSION) it will give you the current version that is installed. You should be able to create a rule where "If equal to or < 12.1.5 then allow" or something like that.

Thanks for your reply. I think that does help. However, since I can update any existing SEP client to the latest version of SEP using my SEP Manager, I would like to install SEP only to those clients without SEP at all. So I entered an installed rule that looks for the key HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion . If that key exists, I won't install 12.1.4. That will prevent me from overwriting 12.1.5 with 12.1.4, but will install 12.1.4 if the reg key above does not exist, I think. Testing now.

Trouble in paradise. The reg key is not being recognized for the installed rules, and the install is failing on the computers I am attempting to deploy to. I was hoping that there was someone out there who has successfully deployed a SEP setup.exe package, and I could leverage their experience in terms of the command line switches that will work to install it silently, and the installed rules that will verify that the package is successfully deployed. Has anyone done this successfully? Thanks so much!

I currently deploy and update SEP through patch manager. It works well but I did have to increase the max allowed package size. I do not recall exactly where the setting was but it prevented me from publishing the update package until it was increased.

The only downside is that it will pull that data from your SEPM server as opposed to your WSUS server. But chances are you won't keep this package current anyway, so regardless it will be pulling/checking in with the SEPM server.

I 100% subscribe to what @mavraham wrote you. And I would also like to inform you that we cannot recommend or guide on how to uninstall/install the products of other vendors. I would recommend that you contact Symantec's engineers on this to help with the uninstall of Symantec.

Thanks a million, the article link you gave from the Broadcom website is very useful and it looks like I can use one of the commands given there to uninstall Symantec Endpoint Protection via SCCM. Thanks a lot again, and I appreciate your time in framing the above response to my question.

Thanks for the reply. You didn't understand the question: in NetBackup 7.7 there is an option, when you add or update a client in a policy, to detect the operating system. I need a command-line equivalent for updating the client OS via the detect option in the GUI.

I haven't yet found any specific command run in the background to detect the operating system. I had little time today to research. I am planning to reproduce this issue; maybe nbsl and nbproxy will give us some hint. I'll keep you updated...

@Tousif, that's not true, it works for Unix operating systems as well, at least 7.7.3 does. There must be a command in the background which checks the OS, maybe by bpgetconfig, and then updates using bpplclients. I can use a script to do it; however, I am checking what NetBackup does in the background.

Thanks Riaan for the reply. As per my testing, bpgetconfig works fine for Unix clients; for Windows they are detected as PC. However, when you autodetect them from the policy GUI they are detected as Windows 2008 x64. So I would say no, autodetect doesn't use bpgetconfig in the background. If I use bpgetconfig, somehow I will have to use bpplclients -hardware -os to update it through the command line.

Actually my issue is that I see many clients updated with the wrong OS, which works fine in terms of backup as long as their actual OS matches the policy type. But I need to update all clients by autodetecting their hardware/OS.

@RiaanBadenhorst, I agree it doesn't affect anything. However, my primary query is: when you auto-detect the operating system in a policy for a client, what commands does it run in the background? Because it seems nobody knows.

I had a look at this, and I couldn't find any command that does the same thing. Not always, but in some cases the GUI does 'run a command' and this can be seen in user_ops/nbjlogs. In this case it doesn't log any command when you do the OS discovery. The man page / command ref guide didn't show anything either.

@mph999 @GeForce123 Thanks for the reply. Actually, for Unix systems I can automate it by getting details from "NetBackup Client Platform"; however, for Windows I will have to combine "Client OS/Release" as well. If it's a Java option only, then could you tell me a way I can detect the operating system for all the clients under a master server? As in my environment people have selected the wrong OS, which doesn't affect the back as long as the policy type matches the actual OS type. However, I would want to have the clients with the correct operating system. As I could see in the GUI, I have to select each client and do a detect; it doesn't support selecting multiple and then doing a detect.

Thanks @mph999, I am working on it. My environment doesn't have all types of OS; could you or anyone provide all test cases for bpgetconfig output so I can create a global script which could be helpful for Veritas also.

For me, "Allowed Team Identifiers" provides the best balance between security and admin overhead. But (at least in 10.16.1) it doesn't appear to work. If I download the profile and remove the signing, there is no mention of the Team ID I entered in the GUI. "Allowed System Extensions" does appear to work, but is more restrictive. The settings you need are:
Team Identifier: 9PTGMPNXZ2
Allowed System Extensions: com.symantec.mes.systemextension

@mikedowler Just to check that I'm following your workflow properly, I've created the config profile in Jamf, put together the System Extensions payload with "Allowed System Extensions" for the type, populated the team identifier, and explicitly added com.symantec.mes.systemextension as an allowed System Extension.

However, despite scoping that out to a test Mac on 10.15.1 and confirmed it's installed, running sudo systemextensionctl list returns 0 extensions, and when I launch SEP, it still indicates that "System extensions need authorization". Any idea what might be broken in my setup? I've also tried setting Allowed Team Identifier and specifying that identifier, but no luck there either.

Also, (PPPC) grant it access to EVERYTHING; your PPPC profile looks a little light unless I'm missing something. Remember, when the systemextension is fully utilized (I don't believe Symantec is fully utilizing it yet) it's doing a full system scan. I wanted mine to include all possible avenues of data, external & internal. (This is COMPLETE overkill, you only need SystemPolicyAllFiles)

Hello @NoahRJ , @Hugonaut , @MatG
After following your workflow correctly, I always have the message in SEP that system extensions need authorization :( Have you been able to find a solution to this?

@leobrt Are you doing this upgrading from Mojave to Catalina? Or on a fresh Catalina build? I've found that the configuration profile needs to be applied only after the machine is on Catalina - it's hit or miss whether the system will respect it if it's applied on 10.14 and then upgraded to 10.15. Once the PPPC/kext/sysext pieces are in place on a Catalina machine, then you install SEP, launch it, and it should get whitelisted properly.

@NoahRJ
Hi,
Indeed, the Macs were under Mojave and migrated to Catalina. I test with a new Catalina installation and I say again. If this is the cause it is a real problem because all our Macs are in this case...

Just to add a quick comment to this, about something that caused me to pull my hair out. With SEP 14.2.2 it was complaining about the System Extension not working, when in fact it was just missing the virus definitions; it never once said this. Once I ran a LiveUpdate the System Extension was approved and the extensions changed from waiting "user approval" to "activated enabled". So make sure to run LiveUpdate before re-creating the profiles. :P

@mapurcel Yes. On my own machine it was causing the fans to spin up at idle. I actually deleted the systemextension file from within the Endpoint Protection.app bundle just to see what would happen, and SEP still seems to work fine on 10.15.2 without it eating up 1/8th of my CPU 24/7.

(12/20/19) Update: if your SEPM is 14.2 RU2, there are indeed two options for building the package. In our case, we are unable to update the server, so we had to use an unconfigured package, followed by a 2nd package, the communications package, to connect the unmanaged install to our server. I've noticed the Catalina flavor of the build isn't as bad on the CPU, but the extension still runs higher than I would like to see.
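
The installed-rule logic discussed earlier in this thread (read PRODUCTVERSION, skip any machine that already has the same or a newer client, install only where none is found), as an added PowerShell example that is not part of the original posts or any vendor tooling. The function names are hypothetical; it assumes PRODUCTVERSION holds a dotted version string, and it checks both the 64-bit and 32-bit registry views because a 32-bit agent on 64-bit Windows is redirected to a different view of HKLM\SOFTWARE.

```powershell
# Added example: function names are hypothetical, not from any product.
# Assumes PRODUCTVERSION is a dotted version string that [version] can parse.

function Get-SepInstalledVersion {
    # Returns the highest SEP version found in either registry view, or nothing.
    $subKey = 'SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion'
    $found = foreach ($view in 'Registry64', 'Registry32') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine,
            [Microsoft.Win32.RegistryView]$view)
        try {
            $key = $base.OpenSubKey($subKey)
            if ($key) {
                $raw = [string]$key.GetValue('PRODUCTVERSION')
                $key.Dispose()
                $parsed = $null
                # A key that exists but has no usable value is treated as "not found"
                if ([version]::TryParse($raw, [ref]$parsed)) { $parsed }
            }
        }
        finally { $base.Dispose() }
    }
    $found | Sort-Object -Descending | Select-Object -First 1
}

function Test-SepInstallNeeded {
    param(
        [Parameter(Mandatory)][version]$PackageVersion,
        [switch]$OnlyIfAbsent   # install only where no client exists at all
    )
    $installed = Get-SepInstalledVersion
    if (-not $installed) { return $true }     # no client present: install
    if ($OnlyIfAbsent)   { return $false }    # a client exists: leave upgrades to SEPM
    return ($installed -lt $PackageVersion)   # never overwrite a newer client
}

# Constructed package version; write it in the same form the registry value uses.
if (Test-SepInstallNeeded -PackageVersion '12.1.5' -OnlyIfAbsent) {
    'SEP not detected: package is applicable'
} else {
    'SEP already present: skip'
}
```

Compare the package version against what the registry actually contains on a reference machine first, since a marketing version and a full build string do not order the way the release names suggest.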
