Endpoint Protection

SAV for Linux: A (Somewhat) Illustrated Guide Part 2 

12-28-2012 05:06 AM

SEP 12.1 RU5 introduced a managed SEP for Linux client in September 2014.  Details can be found in New fixes and features in Symantec Endpoint Protection and Network Access Control 12.1.5 and Symantec Endpoint Protection 12.1.5 for Linux Client Guide. The use of this new, managed SEPFL client is highly recommended over the legacy SAVFL client.

Linux is Growing Ever More Popular

Over the past twenty years, the Linux OS has secured a foothold in the market.  Now its popularity is growing faster than ever before.  Estimates indicate that five percent of all computers are running some disto of Linux, including more than 90% of today's most powerful supercomputers. 

The number of questions about Symantec AntiVirus for Linux (the current protection client for Linux which ships with Symantec Endpoint Protection) keeps growing, too.  So, following on SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide, here is a second article in the series which describes the various ways to configure your SAVFL client.


Choices, choices, choices....

SAV for Linux uses a local configuration database to store configuration data for the product.  This is a binary file rather than text-based, so changing settings is not as easy as editing an .ini or .cfg file, and there's really no setting that can be changed through the savtray GUI.  Other tools are necessary.

SAVFL can be configured from the command line, by dropping on a GRC.DAT file, or by changing settings using an unsupported tool called xsymcfg.

Be extremely careful when performing any manual configuration: invalid entries or typos may cause SAVFL to stop functioning correctly, potentially resulting in the infection of a key Linux server!


Command Line

The Symantec AntiVirus for Linux Implementation Guide has an extensive section on "Using the sav CLI to interact with Symantec AntiVirus"

You can use the sav CLI to perform the following tasks:

  • enable and disable Auto-Protect
  • start and schedule LiveUpdates and view the current LiveUpdate schedule
  • start and stop manual scans
  • create, delete, enable, and disable scheduled scans
  • view a list of scheduled scans and detailed information about each scan
  • display items and act on items in the local Quarantine
  • roll back to a previous version of virus and security risk definitions
  • use the latest version of local virus and security risk definitions
  • display general product information

There is a symcfg command line tool which can change the settings of SAVFL: symcfg can be used to display, create, remove, and change the value of data that is stored in the product's settings database.

For example: suppose it is desired to check what settings are present regarding the scheduled LiveUpdate task.  Using sudo, from the /opt/Symantec/symantec_antivirus directory, use the command ./symcfg -r list -k 'Symantec Endpoint Protection\AV\PatternManager'

The results are displayed on screen.  These can also be piped out to a text file if needed.


To disable LiveUpdate, change the Enabled value from 1 to 0:

./symcfg add -k '\Symantec Endpoint Protection\AV\PatternManager\Schedule' -v Enabled -t REG_DWORD -d 0

Re-enable it:
./symcfg add -k '\Symantec Endpoint Protection\AV\PatternManager\Schedule' -v Enabled -t REG_DWORD -d 1


Be very careful when adding or deleting anything via symcfg!  Values will be overwritten or removed without any "Are you sure?" prompt.



Back in the SAV 10.1 days, there way a file called GRC.DAT which served roughly as the equivalent of the sylink.xml file in today's SEP 11 and SEP 12.1.  This file could be copied from the correct Windows or NetWare SAV server and dropped onto Windows SAV clients, and the various settings would be set or restored.  This same technology was built into SAV for Linux: instead of being copied from the SAV server, though, the GRC.DAT files are built using a ConfigEd.exe tool on a Windows machine.

Here is an overview of how the process works: 

How to configure Symantec AntiVirus for Linux using a GRC.DAT file
Article URL http://www.symantec.com/docs/TECH93386 

... and here is a proposed enhancement request for an updated ConfigEd tool.  The existing tool offers only partial functionality unless it is installed on a Windows-based SAV machine.

Update Configuration Editor (ConfigEd) Tool for SAVFL

Once a GRC.DAT file is ready, it is copied into the /var/symantec directory.  Be sure that ownership and permissions on the file are not restrictive!  A valid GRC.DAT will be processed automatically after a few minutes, or it can be processed immediately if a command is run:

sudo /opt/Symantec/symantec_antivirus/symcfg add -k 'Symantec Endpoint Protection\AV\ProductControl' -v ProcessGRCNow -d 1 -t REG_DWORD

The GRC.DAT file disappears when it has been successfully read and inserted into the SAVFL client's configuration database.



The unsupported xsymcfg tool is located in /opt/Symantec/symantec_antivirus/unsupported directory.  Just in case this article has not been clear, this tool is handy but it is unsupported.  Use it at your own risk, because Technical Support will not be able to help reverse any damage done if xsymcfg is used incorrectly.  The only option will be to uninstall SAVFL and re-install it using the default settings.

Here is what xsymcfg looks like:


In brief, it operates just like the Registry on a windows computer.  Using this graphical tool to change key values will alter the way that SAVFL behaves.

For example, from the Symantec AntiVirus for Linux Implementation Guide:

By default, the maximum number of items that can be added to a manual scan that is generated from the command line interface is 100. You can use symcfg to change the DWORD value VirusProtect6\MaxInput to increase this limit. To remove the limit entirely, you must set it to 0.

To change that value, just open up HKEY_CURRENT_USER, Symantec Endpoint Protection, AV in xsymcfg.  Right-click on MaxInput and chose to Modify.  Change the value to 0 and click OK.


Final Notes

Many thanks for reading!  Please do add comments and feedback below.

Linux admins may wish to cast their support for these proposed enhancement requests:

Managed SEP client for Linux

Create a tool to verify the minimum requirements for SAVFL - Sav For Linux

Remote Deployment Tool for SAVFL


0 Favorited
0 Files

Tags and Keywords


10-17-2014 11:28 AM


The enterprise version of Symantec Endpoint Protection now includes the Symantec Endpoint Protection client for Linux. The Symantec Endpoint Protection client for Linux replaces the Symantec AntiVirus client for Linux and supports a greater range of distributions and kernels. Added distributions include Red Hat Enterprise Linux Server (RHEL) 6.5 and CentOS 6.5

SEP for Linux clients can now be managed by an RU5 SEPM, or later. Configuration enhancements have been made to the SEPM to allow policy creation for managed Linux clients. This includes AV policy settings, centralized exceptions, and LiveUpdate settings. The SEPM also features enhanced reporting for Linux clients, including the SEP client version, host OS details, and hardware details.

Can refer this article: https://www-secure.symantec.com/connect/articles/how-install-symantec-endpoint-protection-1215-ru5-linux-operating-system

06-13-2014 11:23 AM

Unfortunately, that configed tool only runs 100% when installed on a computer that also has SAV.

06-13-2014 10:16 AM

Well this autumn unfortunately is too far 

I'll need to configure Linux clients on the next week and i just want to know if SEP license is enough to run ConfigEd or if i absolutely need SAV Windows-base licence to edit my GRC.DAT.

06-13-2014 10:06 AM

Hi Skas,

Thanks for the kind words.  One bit of good news: this autumn, there is expected to be a managed SEP for Linux client released with SEP 12.1 RU5.  This will make it far easier to arrange for Linux machine sto receive the correct policies uniformly, report their events back to the SEPM, etc.

Looking forward to that!  &: )


06-13-2014 09:54 AM

HI Mick, 

your guide is useful like water in a desert. 

As is written, ConfigEd can run with all its functionality only on Windows-based SAV machine: i want to know if ConfigEd can also run on Windows-based SEPM machine.

I have 1 Windows server with SEPM  and the other machines are Linux clients: i really would like to use ConfigEd to edit GRC.DAT instead of using the command line interface.


03-27-2014 03:40 AM

Hi Mick ,

Thanks for your article.

09-12-2013 02:05 PM

Love the article.

06-05-2013 05:23 AM

Nice Article. Well Done.

03-08-2013 02:09 AM

Part 4 is  now available...

SAV for Linux: A (Somewhat) Illustrated Guide Part 4: SAVFL Reporter

02-05-2013 06:46 PM

Thanks Mick !

01-24-2013 04:42 AM

Readers of this artiocle may also be interested in....

SAV for Linux: A (Somewhat) Illustrated Guide Part 3

01-03-2013 10:32 AM

Nice one Mick, well done :D


01-03-2013 10:30 AM

Quality stuff, as always! Keep them coming Mick!


01-02-2013 05:33 AM

Amazing Artical.....It would not be Bad if everyone say you SAVFL Guru...........


01-01-2013 05:53 AM


Awesome Article.. This is an Article which gives great insight into the SAV FL.

Keep such Articles coming..Great one MICK...!!!

12-31-2012 12:25 PM

Nice article on SAVFL (in addition to the first one), Mick. Keep 'em coming!

I've seen some good things on the horizon in regards to managed SAVFL clients. Can't wait!



Related Entries and Links

No Related Resource entered.