I’ve spent a lot of time working with this, and based on what I’ve found so far, I would suggest not using Symantec AV on Linux if at all possible!
1. Out of the box, a fresh install of Symantec AV installs the default kernel modules, which make your server very unstable. From what I observed, these cause the server to randomly hang, or panic and crash.
To get around this issue, you need to compile custom kernel modules and place them in /opt/Symantec/autoprotect before you install the Symantec RPMs. I’m also still working on putting something together to automatically rebuild the kernel modules when a new kernel is installed.
2. Unless you plan to update your Java Cryptography Extensions (JCE) every time you run an update that involves Java, you are probably better off not installing liveupdate or savui. (http://www.symantec.com/docs/TECH123310)
Without this you are not able to use any of the liveupdate management tools effectively. If you try to create a liveupdate config file, it will become corrupt or be wiped out when you try to manage liveupdate.
3. By default liveupdate runs its updates out of /tmp, and when it cleans up it removes other random files from /tmp. This is an issue because, if the server is using /tmp for anything other than liveupdate, liveupdate tends to interfere with it by removing those files. One good example is Novell OES, where it tends to remove /tmp/.ncp2nss and the other files used by the NSS file system. This typically causes the volumes to stop allowing files to be removed or modified, and you get hundreds or thousands of 0-byte tmp files on the volume.
What I ended up doing was creating my own scripts to manually pull the updates from a central server and install the definitions on the server. I had also realized that, at least on SLES 10, the definition file that you pull from Symantec’s FTP site will not run, and throws out a few memory errors before failing. For Linux/Unix this file is just a short script that includes a uuencoded file. I wrote a script to download these updates, uudecode the file out of the update, and then manually install the definitions.
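The extraction step described above, as an added example that is not the post author’s script: it locates the uuencoded `begin ... end` block inside a definition-update wrapper, decodes it with Python’s `binascii` (the same encoding `uudecode` handles), rejects a truncated download or a file name with path components, and writes the result with the mode from the header. The wrapper layout (an `sh` script with a heredoc around the uuencoded file) is a constructed assumption, not Symantec’s real format.

```python
import binascii
import os
import re

# Matches the uuencode header line: "begin <octal mode> <file name>"
BEGIN_RE = re.compile(r"^begin (?P<mode>[0-7]{3,4}) (?P<name>\S+)$")


def extract_uuencoded(update_script: str):
    """Return (file_name, mode, payload) for the uuencoded file in an update script.

    Raises ValueError when no complete 'begin ... end' block is present, so a
    truncated download is rejected rather than installed half-decoded."""
    name = mode = None
    payload = bytearray()
    in_block = False
    for line in update_script.splitlines():
        if not in_block:
            m = BEGIN_RE.match(line)
            if m:
                in_block, mode, name = True, int(m.group("mode"), 8), m.group("name")
            continue
        if line == "end":
            return name, mode, bytes(payload)
        if line.strip() in ("", "`"):
            continue  # zero-length line before 'end'; a2b_uu misreads an empty string
        payload += binascii.a2b_uu(line)
    raise ValueError("no complete uuencoded block (begin ... end) found")


def save_payload(dest_dir: str, name: str, mode: int, payload: bytes) -> str:
    """Write the decoded file into dest_dir, refusing names that carry a path."""
    if os.path.basename(name) != name or name in ("", ".", ".."):
        raise ValueError("refusing suspicious file name in uuencode header: %r" % name)
    path = os.path.join(dest_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode & 0o777)
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return path


def build_sample_update(name: str, payload: bytes) -> str:
    """Constructed stand-in for a downloaded update: an sh wrapper around a uuencoded file."""
    lines = ["#!/bin/sh", "# constructed sample wrapper, not a real Symantec update",
             "uudecode <<'EOF'", "begin 644 %s" % name]
    for i in range(0, len(payload), 45):  # uuencode packs at most 45 bytes per line
        lines.append(binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end", "EOF", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    import tempfile
    script = build_sample_update("defs.bin", bytes(range(256)) * 3)
    fname, fmode, data = extract_uuencoded(script)
    with tempfile.TemporaryDirectory() as d:
        print("wrote", save_payload(d, fname, fmode, data), len(data), "bytes, mode %o" % fmode)
```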
At this point I’ve had to script out an installer for Symantec so that others who install it do the install in the correct order. I’ve had to script out most of the liveupdate functionality, and had to work out how to get their definitions to actually work.
In my opinion I’ve spent a lot more time than anyone should spend trying to make a commercial product work, and still am running into issues with it.
I’m still fighting with an issue where rtvscand jumps to 100% cpu utilization on some servers, but not all.
With all I’ve been through with this, I’m of the opinion that just about any AV product is going to be more stable and functional than Symantec’s AV for Linux. There are even free products like ClamAV that work much better and require much less effort to get them running as they should.