Last time I tried installing the Symantec Endpoint Protection 12.1.6 MP7 client for Linux, but it did not support the latest kernel (3.10.0-514.6.2.el7.x86_64).
Because of that, AutoProtect does not work.
However, it seems that starting with Symantec Endpoint Protection 12.1.6 a feature was added that, when the kernel is unsupported, runs an automatic compile at install time to support it.
Linux kernels supported by Symantec Endpoint Protection 12.1.x
https://support.symantec.com/ja_JP/article.TECH223240.html
Kernel support for Symantec Endpoint Protection 12.1.6 through 12.1.6 MP7
In Symantec Endpoint Protection 12.1.6 for Linux, there is a change to kernel module support. If the precompiled Auto-Protect kernel module cannot be enabled at the end of installation, an automatic process starts compiling the Auto-Protect kernel module. For details on how auto-compile behaves, including its requirements, see "Auto-compile for Symantec Endpoint Protection client for Linux".
Auto-compile for Symantec Endpoint Protection client for Linux
https://support.symantec.com/en_US/article.INFO2514.html
- Installing the development environment
- Reinstalling SEP for Linux
- Verification
- Live Update
- Log
- Virus test
Installing the development environment

```
# yum groupinstall "Development Tools"
# yum install kernel-devel kernel-headers
```
Reinstalling SEP for Linux

```
# ./install.sh -i
Starting to install Symantec Endpoint Protection for Linux
Downgrade is not supported. Please make sure the target version is newer than the original one.
```
I thought I might be able to update in place, but that did not work. So I uninstall and then install again.
```
# ./install.sh -u
Starting to uninstall Symantec Endpoint Protection for Linux.
Begin removing LiveUpdate component
warning: file /opt/Symantec/LiveUpdate/jlu.jar: remove failed: No such file or directory
LiveUpdate component removed successfully
Begin removing GUI component
GUI component removed successfully
Begin removing legacy Auto-Protect component
Legacy Auto-Protect component removed successfully
Begin removing Auto-Protect component
Auto-Protect component removed successfully
Begin removing virus protection component
Virus protection component removed successfully
Uninstall completed
=============================================================
The log files for uninstallation of Symantec Endpoint Protection for Linux are under ~/:
sepfl-install.log
sep-install.log
sepap-install.log
sepap-legacy-install.log
sepui-install.log
sepjlu-install.log
```
```
# ./install.sh -i
Starting to install Symantec Endpoint Protection for Linux
Performing pre-check...
Pre-check succeeded
Begin installing virus protection component
Preparing...                          ################################# [100%]
Performing pre-check...
Pre-check is successful
Updating / installing...
   1:sav-12.1.7166-6700               ################################# [100%]
Virus protection component installed successfully
Begin installing Auto-Protect component
Preparing...                          ################################# [100%]
Performing pre-check...
Pre-check is successful
Updating / installing...
   1:savap-x64-12.1.7166-6700         ################################# [100%]
Auto-Protect component installed successfully
Begin installing GUI component
Preparing...                          ################################# [100%]
Performing pre-check...
Pre-check is successful
Updating / installing...
   1:savui-12.1.7166-6700             ################################# [100%]
GUI component installed successfully
Begin installing LiveUpdate component
Preparing...                          ################################# [100%]
Performing pre-check...
Pre-check is successful
Updating / installing...
   1:savjlu-12.1.7166-6700            ################################# [100%]
LiveUpdate component installed successfully
Begin installing legacy Auto-Protect component
Preparing...                          ################################# [100%]
Performing pre-check...
Pre-check is successful
Updating / installing...
   1:savap-x64-legacy-12.1.7166-6700  ################################# [100%]
Legacy Auto-Protect component installed successfully
Pre-compiled Auto-Protect kernel modules are not loaded yet, need compile them from source code
Build Auto-Protect kernel modules from source code successfully
Installation completed
=============================================================
Daemon status:
symcfgd                   [running]
rtvscand                  [running]
smcd                      [running]
=============================================================
Drivers loaded:
symap_custom_3_10_0_514_6_2_el7_x86_64
symev_custom_3_10_0_514_6_2_el7_x86_64
=============================================================
Auto-Protect starting
Protection status:
Definition:   Waiting for update.
AP:           Malfunctioning
=============================================================
The log files for installation of Symantec Endpoint Protection for Linux are under ~/:
sepfl-install.log
sep-install.log
sepap-install.log
sepap-legacy-install.log
sepui-install.log
sepjlu-install.log
sepfl-kbuild.log
```
Verification

```
# /etc/init.d/autoprotect status
OK
# systemctl status autoprotect.service
* autoprotect.service - LSB: Symantec AutoProtect Modules
   Loaded: loaded (/etc/rc.d/init.d/autoprotect; bad; vendor preset: disabled)
   Active: active (exited) since Fri 2017-02-24 22:21:18 JST; 5min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 26503 ExecStart=/etc/rc.d/init.d/autoprotect start (code=exited, status=0/SUCCESS)

Feb 24 22:21:17 centos7.rootlinks.net systemd[1]: Starting LSB: Symantec AutoProtect Modules...
Feb 24 22:21:18 centos7.rootlinks.net autoprotect[26503]: Starting AP: symev: loaded (symev-custom-3.10.0-514.6.2.el7-x86_64.ko)
Feb 24 22:21:18 centos7.rootlinks.net autoprotect[26503]: symap: loaded (symap-custom-3.10.0-514.6.2.el7-x86_64.ko)
Feb 24 22:21:18 centos7.rootlinks.net autoprotect[26503]: Setting major=246 from /proc/symap
Feb 24 22:21:18 centos7.rootlinks.net systemd[1]: Started LSB: Symantec AutoProtect Modules.
```
Looks fine.
```
# /opt/Symantec/symantec_antivirus/sav info -a
Malfunctioning
# /opt/Symantec/symantec_antivirus/sav info -a
Enabled
```
The sav command reports Malfunctioning for a while, but after a short time it changed to Enabled.
Live Update

```
# /opt/Symantec/symantec_antivirus/sav liveupdate -u
```
Log

```
# /opt/Symantec/symantec_antivirus/sav log -e sep.log
# cat sep.log
1 02/24/17 22:21:27 Information 12070202 Symantec Management Client has been started.
2 02/24/17 22:21:28 Information 12109999 Symantec AntiVirus has determined that the virus definitions are missing on this computer. This computer will remain unprotected from viruses until virus definitions are downloaded to this computer.
3 02/24/17 22:21:28 Information 12109999 Symantec AntiVirus has determined that the virus definitions are missing on this computer. This computer will remain unprotected from viruses until virus definitions are downloaded to this computer.
4 02/24/17 22:30:26 Information 12070800 A LiveUpdate session ran successfully.
5 02/24/17 23:01:52 Information 12070800 A LiveUpdate session ran successfully.
```
Virus test

```
# curl -O http://files.trendmicro.com/products/eicar-file/eicar.com
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    68  100    68    0     0    122      0 --:--:-- --:--:-- --:--:--   122
# /opt/Symantec/symantec_antivirus/sav quarantine -l
1B400000 /root/sep/eicar.com
# /opt/Symantec/symantec_antivirus/sav quarantine -i 1B400000
Item: 1B400000
Description: /root/sep/eicar.com
Full Path: /root/sep/eicar.com
Log Line: 2F01180E062C,5,1,2,centos7.rootlinks.net,root,EICAR Test String,/root/sep/eicar.com,5,1,1,256,33574980,"",0,,0,,457179136,11101,0,0,0,,,,20170223.001,183784,0,,0,,,,,,,,,,,,,,,,,,,,,,,,0,,,0,,502 68 2 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f,,,,1
Flags: INFECTED
Quarantined: Fri Feb 24 24:06:44 2017
Created: Fri Feb 24 24:06:44 2017
Last Accessed: Fri Feb 24 24:06:44 2017
Last Modified: Fri Feb 24 24:06:44 2017
```
The test virus was detected as infected and cleaned (deleted).
As for what happens on infection and sending alert emails, I suspect that is not possible on an unmanaged client without centralized management through SEPM.
Also, keep in mind that AutoProtect may stop working after a kernel update.
Anyway, I was able to verify the basics, so that's good.
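The kernel-update caveat above is easy to check for. The following script is an added example, not part of the original post or of SEP itself: it combines the three facts the post inspects by hand (the running kernel from uname -r, the loaded modules, and the result of `sav info -a`) into one pass/fail check. It assumes the module list prints the names in the form shown under "Drivers loaded:" in the install output (symap_custom_<kernel with "." and "-" replaced by "_">); the lsmod sample and the later kernel version string are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: a post-kernel-update health
# check for SEP Auto-Protect on Linux, built from the facts the post
# inspects by hand (uname -r, lsmod, `sav info -a`).
# Assumption: lsmod shows the modules as symap_custom_<kernel>, with "."
# and "-" in the kernel version replaced by "_", as in "Drivers loaded:".

# kernel_suffix KERNEL: 3.10.0-514.6.2.el7.x86_64 -> 3_10_0_514_6_2_el7_x86_64
kernel_suffix() {
    printf '%s\n' "$1" | sed 's/[.-]/_/g'
}

# ap_check KERNEL LSMOD_TEXT SAV_STATUS
# Returns 0 only when the symap and symev modules built for KERNEL are both
# loaded and sav reports Enabled; prints one line per finding.
ap_check() {
    suffix=$(kernel_suffix "$1")
    rc=0
    for mod in symap symev; do
        if printf '%s\n' "$2" | grep -q "^${mod}_custom_${suffix}[[:space:]]"; then
            echo "OK   ${mod}_custom_${suffix} is loaded"
        else
            echo "FAIL no ${mod} module for kernel $1 (auto-compile never ran for it?)"
            rc=1
        fi
    done
    if [ "$3" = "Enabled" ]; then
        echo "OK   sav info -a: Enabled"
    else
        echo "FAIL sav info -a: $3"
        rc=1
    fi
    return $rc
}

# Constructed sample of lsmod output right after the install in the post.
SAMPLE_LSMOD='Module                                    Size  Used by
symap_custom_3_10_0_514_6_2_el7_x86_64   90112  0
symev_custom_3_10_0_514_6_2_el7_x86_64  102400  1 symap_custom_3_10_0_514_6_2_el7_x86_64
xfs                                     985000  2'

# Same kernel as the post: every check passes.
ap_check "3.10.0-514.6.2.el7.x86_64" "$SAMPLE_LSMOD" "Enabled"
# Hypothetical later kernel (constructed version string) with only the old
# modules present: the check fails, which is the situation to watch for.
ap_check "3.10.0-514.10.2.el7.x86_64" "$SAMPLE_LSMOD" "Malfunctioning" \
    || echo "WARN Auto-Protect does not match the running kernel; reinstall as in the post"
```

On a real host the same function would be called as `ap_check "$(uname -r)" "$(lsmod)" "$(/opt/Symantec/symantec_antivirus/sav info -a)"`, for example from a cron job that runs after boot.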