Endpoint Protection

SAV for Linux: A (Somewhat) Illustrated Guide Part 3 

01-23-2013 08:23 AM

SEP 12.1 RU5 introduced a managed SEP for Linux client in September 2014.  Details can be found in New fixes and features in Symantec Endpoint Protection and Network Access Control 12.1.5 and Symantec Endpoint Protection 12.1.5 for Linux Client Guide. The use of this new, managed SEPFL client is highly recommended over the legacy SAVFL client.

The Story So Far....

This is the third in an informal series of articles intended to help admins make the best use of Symantec AntiVirus for Linux, keeping those boxes protected from today's many emerging threats without killing the CPU or the network bandwidth.

This article will focus on the area with which many admins encounter the most trouble- how to keep SAV for Linux up-to-date.


How Often Are New Definitions Released?

New certified definitions are posted for SAVFL once per day.  These definitions contains all the AntiVirus signatures against all known threats, regardless of what OS they are designed to exploit.  Do not put off updating SAVFL on your Linux file server, thinking that there cannot be that many new Linux worms since last week.  SAVFL needs the latest definitions to stop the latest Windows/Mac/Android threats affecting clients that access that file server.  Make sure that SAVFL is updated every day.


OK, How Does SAVFL Get Updated?

There are three ways:

  1. Internet LiveUpdate servers (The default.  Recommended if you have only a few SAVFL clients)
  2. Internal LiveUpdate Administrator 2.x server (Recommended if you have many SAVFL clients.)
  3. Intelligent Updater (Useful in certain circumstances, such as completely isolated computers.)


What Happens When I Push This Button?

SAVFL comes with Java LiveUpdate (JLU) built into it.  Clicking "LiveUpdate" from the SAVFL GUI will, by default, start a session that retrieves updates from the Internet.  A session can also be manually started from the command line: sav liveupdate -u

As long as the SAVFL client is updating every day, the files downloaded will be of manageable size.

If the SAVFL client goes out-of-date by weeks, then a full set of definitions will need to be downloaded.  That can be a couple hundred MB.


"We Have A Lot of Linux Machines- that Many Updates Would Kill Our Network Bandwidth!"

If you establish an internal LiveUpdate Administrator 2.x server (LUA 2.x), it will download the update files from the Internet source servers once, and then make them available to all of your SAVFL clients on the corporate LAN.  Here is an official Symantec article on configuring the LUA 2.x server for SAVFL contents:

Configuring LiveUpdate Administrator 2.x to Download and Distribute Symantec Antivirus for Linux Contents
Article URL http://www.symantec.com/docs/TECH152311


The initial download is large, but then each subsequent day's download is small. Here is what LUA 2.x looks like making that first download of SAVFL materials, in case you have never seen the product:


The SAVFL clients then need to have their  setting updated so they know to look to that internal source, rather than keep looking on the Internet  Here is an article on how to configure the SAVFL clients to use that internal LUA 2.x server's Distribution Center (DC):

Configuring Symantec Antivirus for Linux (SAVFL) to download definitions from the Distribution Center of an internal LiveUpdate Administrator (LUA) 2.x Server
Article URL http://www.symantec.com/docs/TECH93505

And here is an excellent article by another member of the Connect Forum (give it a "thumbs up" vote!)  

How to Install SAV for Linux (SAVFL) and Update It Using LUA 2.x (


There's Always A Third Option

It is also possible to bring SAVFL clients up-to-date using an Intelligent Updater (IU).  Here's the article on that option:

How to update a Linux-based computer with Intelligent Updater definitions
Article URL http://www.symantec.com/docs/TECH96754 

Using IU's every day would consume a lot of bandwidth.  The size of the current Linux IU file (20130122-004-unix.sh) is 421.54 MB.  This will only grow as more and more threats are discovered.

Intelligent Updaters are a great solution in certain circumstances (completely isolated computers that still require defenses, bringing a computer up-to-date if JLU is failing for some reason) but for day-to-day use, Internet or internal LiveUpdate servers are usually the best option.


OK, You Convinced Me.   I'll Configure my SAVFL Clients' Java LiveUpdate.  So, How Do I Do That? 

If you need to change the LiveUpdate schedule, source server, or other parameters, three ways are possible:

  1. By the command line
  2. By dropping on a GRC.DAT
  3. By changing the /etc/liveupdate.conf file

Details on the first two options can be found in SAV for Linux: A (Somewhat) Illustrated Guide Part 2. Here's a good article on how to manually configure liveupdate.conf:

Configuring Java LiveUpdate
Article URL http://www.symantec.com/docs/TECH101689 

Several admins have found it easy to create a valid liveupdate.conf file containing the proxy, LUA, etc details for their environment and place that in each SAVFL machine's /etc directory.  If there are many SAVFL clients to configure, and there is no SAV 10 Windows client on hand to generate the GRC.DAT, dropping the liveupdate.conf file is what I recommend.


Sorry, I Don't Speak Klingon

Opening /etc/liveupdate.conf with a standard text editor presents a page full of odd text and characters:

This is actually by design.  The contents of this configuration file are encrypted to prevent tampering.  Editing the liveupdate.conf file on SAVFL must be done using a special tool.  The following article contains all the details:

Configuring Java LiveUpdate using the built-in Graphical User Interface (GUI)
Article URL http://www.symantec.com/docs/TECH123038 

Here is what the tool looks like:



What Just Happened?

To see the details on a Java LiveUpdate session, read liveupdt.log.  This log file takes practice to read, but can tell you what product components were checked for updates, what server the SAVFL client tried to connect to, if that connection was successful, what files were downloaded and if they were then processed.

By default this log is located in the /opt/Symantec/LiveUpdate directory, but that is configurable in liveupdate.conf.

Note that this log only covers Java LiveUpdate activity, not Intelligent Updater.  That tool generates it own logs.

In case JLU sessions are not completing correctly, the following article may help:

Troubleshooting Java LiveUpdate 3.x
Article URL http://www.symantec.com/docs/TECH123310 



Is There Any Sneaky Way to See What Set of AV Definitions All My SAVFL Clients Have?

Yes. &: )

SAVFL (SEP for Linux) status check


Many Connect Forum members have expressed and interest in a managed "Symantec Endpoint Protection for Linux" client.  (You may show your interest for such at the link below.)  Until that becomes available, SAVFL Reporter can collect some information from all of the legacy SAV for Linux clients in the organization, and display details in a report within Symantec Endpoint Protection Manager (SEPM).  This report can make it easy to spot clients with definitions that are out of date. 


Managed SEP client for Linux



Final Notes

Many thanks for reading!  Please do add comments and feedback below.



0 Favorited
0 Files

Tags and Keywords


10-17-2014 11:28 AM


The enterprise version of Symantec Endpoint Protection now includes the Symantec Endpoint Protection client for Linux. The Symantec Endpoint Protection client for Linux replaces the Symantec AntiVirus client for Linux and supports a greater range of distributions and kernels. Added distributions include Red Hat Enterprise Linux Server (RHEL) 6.5 and CentOS 6.5

SEP for Linux clients can now be managed by an RU5 SEPM, or later. Configuration enhancements have been made to the SEPM to allow policy creation for managed Linux clients. This includes AV policy settings, centralized exceptions, and LiveUpdate settings. The SEPM also features enhanced reporting for Linux clients, including the SEP client version, host OS details, and hardware details.

Can refer this article: https://www-secure.symantec.com/connect/articles/how-install-symantec-endpoint-protection-1215-ru5-linux-operating-system

09-12-2013 02:05 PM

Love the article.

06-19-2013 06:03 AM

Great + 10

06-19-2013 06:03 AM

Great + 10

03-08-2013 02:09 AM

Part 4 is  now available...

SAV for Linux: A (Somewhat) Illustrated Guide Part 4: SAVFL Reporter

03-01-2013 12:21 PM

The Symantec Mobile Security 7.2 articles that I mentioned above are now live: check them out, Android fans!

Illustrated Guide to Installing Symantec Mobile Security 7.2,


Getting to Know the Symantec Mobile Security 7.2 Client

02-05-2013 06:47 PM

yes +1 !

02-03-2013 05:39 PM

Thumbs Up !!

01-25-2013 04:45 AM

Many thanks, MeloSep!

Android is based on Linux, you are correct there.  I have not seen any vulnerabilities or threats, myself, that have moved back and forth between those platforms though.  (It might be possible, but I have not seen it.)

The thing I am concerned about, as the IT world moves in a BYOD (Bring Your Own Device) direction where personal and corporate equipment and networks become merged, is Android threats circulating through the file servers, mail servers, etc.  Android, unlike iPhone, offers the ability to get your Apps from many markets/methods.  .apk's can be mailed around, copied from shared network fodlers, etc. 

I am beginning to see a lot of Windows and Linux threat logs that include Android detections.  For example:


Event IP Address Computer Name Source Risk Name Occurrences File Path
Security risk found 10.x.x.x COMPUTERNAME Scheduled scan Android.Lotoor 1 c:\Users\NAME\Downloads\Roots\z4root 1.3.0.zip>>z4root 1.3.0.apk


I believe my next few articles will highlight the Symantec Mobile Security 7.2 product which defends Android and Windows Mobile devices.  

If there is sufficient demand, I may write another SAVFL article about the cool things that can be done with SAVFL Reporter first.

Thanks again for the comments and feedback, all!  &: )         


01-25-2013 04:08 AM

Great stuff bro, really appreciate your work!

You mentioned Android in the beginning, vulnerabilities for this OS are in some way "compatible" and moved to a normal Linux system?

As far I know, android take most of the code in use from the Linux kernel, is this the reason why?




01-25-2013 03:46 AM

Excellent stuff.

01-24-2013 05:19 AM

Great article, thanks!

01-23-2013 12:29 PM

Very nice!

Related Entries and Links

No Related Resource entered.