Mac Endpoint Protection client displays "Virus and Spyware Protection is disabled" and invalid kernel extension signatures
search cancel

Mac Endpoint Protection client displays "Virus and Spyware Protection is disabled" and invalid kernel extension signatures

book

Article ID: 162631

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Status page of SEP (Symantec Endpoint Protection) Mac client interface displays "Virus and Spyware Protection is Disabled" and OS is logging "invalid signature" errors to system.log for various Symantec kext (kernel extension) files. The issue persists, even after a successful download of new virus definitions via LiveUpdate or clicking "Fix" in SEP client interface.

  • The SEP client interface displays "Virus and Spyware Protection is disabled"
     
  • Mac OS system log (Applications->Utilities->Console->system.log) displays errors similar to the following (other Symantec kexts may also be involved):
    Untrusted kexts are not allowed
    ERROR: invalid signature for com.symantec.kext.SymAPComm, will not load

     
  • Upon running the kext diagnostic command:
    sudo kextutil -tn "/Library/Application Support/Symantec/AntiVirus/Signed/SymAPComm.kext"

    NORMAL kextutil output is a single line as below:

    /Library/Application Support/Symantec/AntiVirus/Signed/SymAPComm.kext appears to be loadable (including linkage for on-disk libraries).

    An example of output indicating a PROBLEM:

    Warnings: 
        The booter does not recognize symbolic links; confirm these files/directories aren't needed for startup: 
            CodeDirectory
            CodeRequirements
            CodeResources
            CodeSignature
     Code Signing Failure: code signature is invalid
    Warnings: 
        The booter does not recognize symbolic links; confirm these files/directories aren't needed for startup: 
            CodeDirectory
            CodeRequirements
            CodeResources
            CodeSignature
    /Library/Application Support/Symantec/AntiVirus/Signed/SymAPComm.kext appears to be loadable (including linkage for on-disk libraries).

Cause

The kext files may be corrupt, from various causes.

Code signature errors may be exposed by beta versions of the Mac OS.

Erroneous symbolic links (if present) in the kext folder will prevent auto-protect from loading. These links are likely to have been introduced by a customized installation procedure, e.g. a script that modifies the SEP client after installation.

Resolution

Code signature errors in beta versions of Mac OS may be worked around by disabling the "rootless" feature (AKA System Integrity Protection or SIP). Symantec does not recommend this for any extended period of time, and SEP code signing will be addressed in future versions to address this issue. To toggle "rootless": reboot and hold down command-R to enter recovery console, run Utilities->Terminal, run "csrutil disable" (or "csrutil enable"), and reboot

Other file/folder corruption causes may be resolved by uninstalling and reinstalling the SEP product, directly from a proper souce. For example, it is not advisable to unzip an installation package on a Windows (or other OS) and then copy the files to a Mac; it is best to copy any zipped installation package directly to the Mac before unzipping, otherwise subtle file permission errors may be introduced to the installation.

Other workarounds may include manually replacing the contents of the affected kext folder(s) from a working system.