SEP for Mac: Troubleshooting
- Owner Team: IT Security
- Service: Symantec Endpoint Protection (SEP)
Overview
SEP for Mac provides anti-virus/anti-malware (AV) protection and network intrusion prevention (IPS), along with central management and reporting. Its protection technologies can reduce performance while they run and can appear to interfere with access to files, folders or network connections.
Most such issues subside once the SEP component in question has finished searching for potential risks and remediating them where it can.
The SEP for Mac FAQ page tries to cover common and known issues and is a good place to start if you suspect SEP may be misbehaving.
This document will walk you through (1) SEP for Mac's typical misbehaviors and (2) basic troubleshooting guidelines, as well as (3) how to temporarily disable SEP protection technologies and (4) how to get log information that may be needed when calling the Service Desk for further assistance.
Common behavior from the SEP for Mac client
Generally, the UCSF SEP client policies are set to allow end users to temporarily disable the SEP protection technologies as a way to help them troubleshoot issues. Before we discuss that option as well as other workarounds, here are some common behaviors that can help you recognize if SEP is just doing its job or instead may be the cause of anomalous issues.
SEP for Mac contains anti-virus/anti-malware protection technologies. Typically, the most resource-intensive task that SEP for Mac performs is a full scan of a volume. Side effects you may notice while SEP's protection technologies are active include:
- Increased CPU usage
- Slow disk access
- Being locked out of a file that SEP has quarantined
- Network traffic being blocked because IPS judged it to be an attack on, or a risk to, the network
To determine if SEP for Mac is in the middle of a scanning operation, you can check the status:
- Go to Applications -> Symantec Solutions -> Symantec Endpoint Protection. The status screen should note any active tasks SEP is performing.
Other things to note about scheduled scans:
- The first scan of any volume may take a long time to complete.
- After a successfully completed scan, subsequent scheduled scans will take less time, since the client should skip files that have not been modified since the last scan.
- Scheduled scan(s), defined in policy, are typically set for times that will cause the least amount of impact to the workday (e.g., in the middle of the night or very early in the morning).
- If a machine was powered down during a scheduled scan, the scan will resume once the computer is powered on again.
Regarding Time Machine volumes:
A Time Machine volume containing a long history will take a very long time to scan, because each backup snapshot on the volume is scanned as though it were an entire system. To mitigate this, we recommend one of the following:
- Only mounting Time Machine volumes when needed
- Starting a new Time Machine volume after installing the SEP for Mac client
- Maintaining Time Machine on a smaller volume
Temporarily disabling the SEP client
Although disabling SEP is not recommended, the quickest way to determine if an issue is being caused by SEP's protection technologies is to "disable" the client temporarily to see if the issue goes away.
In the next section, we will discuss how to examine logs to determine what SEP is doing, which is the preferred method to rule out SEP as the cause of unwanted behavior. However, the feature of allowing end users to "disable SEP" provides an easy way to set the SEP client into a pass-through mode, allowing you to determine whether one of SEP's protection technologies is interfering with a task you need to accomplish and know to be benign.
To temporarily disable the SEP protection technologies:
- In the top menu bar, to the far right, click the Symantec QuickMenu icon.
- From the drop-down list, select Open Symantec Endpoint Protection.
- From the left column menu list, select Intrusion Protection, then slide the green bar left for Vulnerability Protection and Firewall.
- From the left column menu list, select Device Control, then slide the green bar left for Device Control.
- Remember to re-enable these functions after your test so the computer keeps its full protection.
To re-enable the SEP protection technologies:
Wait a few minutes (the central policy should force the client to re-enable itself shortly). You can also follow the same steps used to disable them, sliding each bar back to the right.
To stop an active scanning process:
- Go to Applications -> Symantec Solutions -> Symantec Endpoint Protection.
- If a scan is in progress, you should be presented with an option to postpone or cancel it.
Communications issues for updates to definitions and policies
To ensure the client is communicating and is managed properly by the endpoint servers:
- In the top menu bar, to the far right, click the Symantec QuickMenu icon.
- Select Open Symantec Endpoint Protection, then select Management from the left-hand column.
- Verify that the Connection Status says Connected and names the SEP management server the client is connected to.
Checking logs on a Mac
- Go to Applications -> Symantec Solutions -> Symantec Endpoint Protection.
- Click on Activity in the left-hand column.
- Click on Security History.
- Click on Virus Scans, then choose the day whose scan logs you want to review.
Installation logs
SEP for Mac installation logs are stored in the system's install logs:
- Review the file /private/var/log/install.log.
- The phrase "Symantec Endpoint Protection Installation Log" appears at the beginning of each installation cycle. The same log can be viewed in the Console application.
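Added example (not part of the original page and not a Symantec tool): a small shell script that pulls the most recent SEP installation cycle out of install.log from the command line, which is quicker than scrolling through Console when the file is large. It assumes that a cycle runs from one occurrence of the marker phrase to the next (or to the end of the file); the sample log lines it creates are constructed for the demonstration, and only the marker phrase itself comes from the page.

```shell
#!/bin/sh
# Added example, not from the UCSF page or Symantec: extract the SEP for Mac
# installation cycle from /private/var/log/install.log on the command line.

# Marker text that the page says opens each SEP installation cycle.
SEP_MARKER='Symantec Endpoint Protection Installation Log'

# Print everything from the LAST occurrence of the marker to the end of the
# file, i.e. the most recent installation attempt (assumption: a cycle ends
# where the next marker begins). Usage: sep_install_cycle [logfile]
sep_install_cycle() {
    logfile="${1:-/private/var/log/install.log}"
    awk -v marker="$SEP_MARKER" '
        index($0, marker) { buf = ""; found = 1 }   # new cycle: discard the older one
        found { buf = buf $0 "\n" }                 # collect lines of the current cycle
        END { printf "%s", buf }
    ' "$logfile"
}

# Count how many installation cycles the log records (reinstall attempts).
sep_install_count() {
    logfile="${1:-/private/var/log/install.log}"
    grep -cF "$SEP_MARKER" "$logfile"
}

# Constructed sample log for this example; the line contents are made up,
# only the marker phrase is real.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-10 09:00:01 installd[123]: PackageKit: Installed "SomeOtherApp"
2024-01-10 09:05:12 installd[123]: Symantec Endpoint Protection Installation Log
2024-01-10 09:05:13 installd[123]: first attempt, step 1
2024-01-10 09:05:20 installd[123]: first attempt failed
2024-01-11 10:00:00 installd[124]: Symantec Endpoint Protection Installation Log
2024-01-11 10:00:01 installd[124]: second attempt, step 1
2024-01-11 10:00:30 installd[124]: second attempt completed
EOF

# Stand-alone run: show the most recent cycle and how many cycles exist.
sep_install_cycle "$SAMPLE_LOG"
echo "cycles recorded: $(sep_install_count "$SAMPLE_LOG")"
```

On a real machine, call `sep_install_cycle` with no argument to read /private/var/log/install.log (reading it may require sudo). If `sep_install_count` reports more than one cycle, the earlier ones are usually failed or superseded installs, which is worth mentioning to the Service Desk along with the support bundle.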
Additional logs
Information on exporting the logs mentioned above can be found in the Symantec Knowledge Base Article TECH214527.
Advanced (tech-savvy) users can review more logs by following the instructions found in the Symantec Knowledge Base Article TECH134761, which covers using the GatherSymantecInfo tool from Symantec.
Uninstalling a SEP client
A common troubleshooting step is to uninstall and reinstall the SEP client:
- Instructions for uninstalling the SEP client can be found on the SEP for Mac FAQ documentation page.
- After uninstalling SEP client, re-download a new client installer from https://software.ucsf.edu/content/endpoint-protection and reinstall the client.
Reporting issues and getting additional help
Gather the troubleshooting information from the client. It includes details the Service Desk will ask for (e.g., versions, communication settings, actions, updates).
- Go to Applications -> Symantec Solutions -> Symantec Endpoint Protection.
- Click on Help menu option found at the top of the computer screen.
- Select Gather Support Information from the menu.
- Type in the account password for the computer when prompted to install the new helper tool.
- Wait for the system to gather the system information.
- Click OK on the dialog box reading "Symantec Endpoint Protection would like to access files in your Desktop folder".
- A dialog box will appear stating "Done Gathering Data". Look on the desktop for the file Symantec Support Data.zip.
- Contact the Service Desk by visiting https://ucsf.service-now.com/ess/ or calling 415-514-4100.
Advanced troubleshooting for the tech-savvy
The majority of Symantec's documentation (e.g., how-to articles, Knowledge Base articles, forum discussions) is fully open and accessible to anyone. Most articles are technical, but they can be very informative.
A good place to start for advanced troubleshooting of SEP for Mac issues is Symantec's official "SEP for Mac FAQ" Knowledge Base article at: