This content is viewable by Everyone

SEP for Linux: Install Guide

System requirements

Broadcom maintains this webpage to list supported Linux distributions and kernels for each of the Symantec Endpoint Protection versions.

You can validate your Linux Distribution and Kernel Version in an elevated terminal command:

uname -r

Verify your Linux Distribution and Kernel in Terminal


Note: Some potential boot-time vulnerabilities may be present when using an older or unsupported kernel. To increase the security of this process, consider password protecting the GRUB bootloader.


Download the UCSF SEP client installer

  1. Verify you are on a UCSF connection (ethernet, UCSFwpa or vpn@UCSF).
  2. Go to
  3. Under Linux Downloads, click on the appropriate link


Uninstall old and other client security applications

  • Note: You will need to uninstall any other anti-virus or endpoint protection programs you may have.
  • As of this writing (6/27/2023), Symantec Endpoint Protection for Linux does not include Firewall and Intrusion Protection (IPS) components. Broadcom maintains a list of supported components for the Symantec Endpoint Protection application in their Frequently Asked Questions article for Linux Agents


Run the UCSF SEP client installer

  1. Open terminal and navigate to the .elf file acquired from UCSF
  2. Grant the file execute permissions for your user or all users

    chmod u+x YourFile.elf


    chmod a+x YourFile.elf

  3. Execute the installation file as a super user

    sudo ./YourFile.elf
    Use the .ELF File to Install your SEP for Linux Agent

  4. Once the installation completes successfully, the installer will confirm the installed Daemons are running and the Modules are loaded. 


Verify Symantec Agent Status

You can validate the agent Daemon and Module status by executing


Additional scrips are present in this directory to start and stop the agent, and validate the installed product versions.

Validate the SEP for Linux agent status using terminal



  • The "sisevt" module is symevent, a kernel event monitor
  • The "sisap" module is autoprotect, a real-time file scanner


Managing your Linux client using the command line tool (sav)

Broadcom maintains documentation here on how to use the command line tool (sav) to manage the Auto-Protect settings, check the product and definition versions, configure manual and scheduled scan settings, and work with quarantined files. Note: this tool requires root privileges to run. 

By default, this tool is installed to /opt/Symantec/sdcssagent/AMD/tools

Manage your SEP for Linux Agent with the command line tool SAV


SEP for Linux with Secure Boot enabled

Secure Boot is generally recommended as an additional measure of protection for systems, preventing malicious code from being inserted into the kernel. Secure Boot is the protocol that enables a safe and trusted path during the Linux boot process, using digital key pairs to check that SystemTap and other startup code hasn't been altered by a rootkit or similar mechanism. 


When Secure Boot is enabled on a Linux system where SEP for Linux is deployed, some of SEP's functions may fail to start. Follow the procedure outlined in this Broadcom article to import the public key signing certificate (added to your agent when SEP is installed) with the MOK (Machine Owner Key) Manager.