Symantec Live Update will not run when no user is logged in on OS X: a workaround

OS X does not allow GUI apps to run when there is no console session (no one is logged in). This is a security measure put in place for good reason. However, applications like Symantec’s Live Update are affected in that they do not have a way to run when there is no active user session (ssh doesn’t count). According to the Symantec support staff I spoke with, this has apparently been a known issue since at least last year! It is described in detail in this article: http://www.symantec.com/business/support/index?page=content&id=TECH155154.

To complicate matters further, if one tries to run Live Update from the command line when no one is logged in it will confuse the Live Update process into thinking that it’s already running, causing Live Update to never run (even if it’s on a set schedule) until the process is killed. Additionally, schedules set by symsched, even as root, will not run Live Update when no user is logged in.

To work around this issue, Symantec has described a way of “slip-streaming” current definition updates into the main Symantec Endpoint Protection installer package. This is great if you aren’t into making sure every client gets the latest virus definitions immediately. However, if you are like me and like when things work, you can follow a modification I made to this slip-stream process that automates these updates and ensures that “Live Update” is run every time SEP 12.1 is installed regardless of whether a user is logged in.

To do this we write a short script to download the latest update file and slip-stream its contents into the main .mpkg installer. This script should be run before the main installer package. An example using a JAMF policy would be to:

  1. Place the .mpkg installer on the root of the boot drive (/).
  2. Run the below script to slip-stream the latest update.
  3. After slipstreaming the update, this script will install the main .mpkg which includes the latest virus updates.

#!/bin/bash
###################################### START HEADER #################################
## Use this code freely as long as you keep this header intact
## SEP121-Slipstream.sh written by Andrew Caldwell, 1/2012
## Although this code is tested and functional on 10.5 and 10.6, your mileage may vary
## and I accept NO responsibility for you using this code on your own Mac(s)
###################################### END HEADER ###################################
## Directory on the Symantec FTP server that holds the Mac definition archives.
## Note: this is plain FTP, so nothing in this script authenticates the archive
## before its contents are merged into an installer that runs as root
DefsURL="ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus_mac/"
## Get the current date. This will be used as a starting point to download the latest definitions
CurrDate=$(date +%Y%m%d)
## A flag to signal the script when the update has been found and downloaded
UpdateFound=0
## Give up after this many days so the loop cannot run forever if the FTP server
## is unreachable (30 is an arbitrary limit, adjust as needed)
DaysLeft=30
while [ "$UpdateFound" -eq 0 ] && [ "$DaysLeft" -gt 0 ]
do
    ## The filename is static except for the date it is released, so store this name in a variable
    ## to change if necessary
    DesiredUpdate="NavM_Intel_Installer_${CurrDate}_US.zip"

    ## Use curl to generate a listing of the files on the Symantec website. Grep out the line that
    ## exactly matches the desired update (fixed string, whole line)
    FileListing=$(curl -l "$DefsURL" | grep -Fx "$DesiredUpdate")

    ## Compare the file curl found to the desired update filename. If they match, we've found the latest
    ## update, download it. If not, try again with the previous day's date

    if [ "$FileListing" == "$DesiredUpdate" ]; then
       UpdateFound=1
       curl "${DefsURL}${DesiredUpdate}" > /Users/Shared/definitions.zip
       cd /Users/Shared/ || exit 1
       unzip definitions.zip
       rsync -avE SymantecAVDefs_Intel.pkg/Contents/ /Symantec\ Endpoint\ Protection.mpkg/Contents/Resources/NAVDefs.pkg/Contents/
       rm /Symantec\ Endpoint\ Protection.mpkg/Contents/Resources/NAVDefs.pkg/Contents/Resources/verschk
       installer -verbose -pkg /Symantec\ Endpoint\ Protection.mpkg -target /
    else
       ## Step back one calendar day using the BSD date shipped with OS X. Plain integer
       ## subtraction would produce invalid dates such as 20120300 at a month boundary
       CurrDate=$(date -j -v-1d -f %Y%m%d "$CurrDate" +%Y%m%d)
       DaysLeft=$(( DaysLeft - 1 ))
    fi
done
## If no update was found, stop here and leave the installer untouched
[ "$UpdateFound" -eq 1 ] || exit 1
## Clean up after the updates are finished
rm -rf definitions.zip SymantecAVDefs_Intel.pkg /Symantec\ Endpoint\ Protection.mpkg

Symantec, from my experience over the past several months, releases virus definition updates for Macs every day or every other day. Since we can’t know for sure when the latest updates were released relative to the date the .mpkg is slipstreamed, the script contains logic within the while loop that:

  1. Checks for the update file with the current date, on the chance that Symantec released an update the same day.
  2. If it does not find one, it retries with the date one day prior.
  3. It continues trying one day prior to that until it finds a matching update file.

Starting with the current date and working backwards ensures that only a few iterations of this check are run before a valid latest update file is found. Since we are checking in sequential date order, the most recent date will always be found first.
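The same "newest file first" result can be had from a single listing, without walking back day by day. The function below is an added example, not part of the original script: it goes a step beyond the loop described above by reading the name listing once, keeping only names of the exact expected form, and returning the newest one dated on or before a given day. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/bash
# Added example (not the original author's script). Picks the newest
# definitions archive from an FTP name listing in one pass.

# pick_latest_defs TODAY   (TODAY is YYYYMMDD; the listing is read on stdin)
# Prints the newest NavM_Intel_Installer_<date>_US.zip dated on or before
# TODAY. Returns 1 when no line of the listing is acceptable.
pick_latest_defs() (
    today=$1
    cr=$(printf '\r')
    best=
    best_stamp=0
    while IFS= read -r name || [ -n "$name" ]; do
        name=${name%"$cr"}        # FTP listings can end lines with CR
        # Accept only the exact expected name. The listing arrives over
        # unauthenticated FTP and the chosen name is later used in a URL and
        # a path by a script running as root, so every other line is ignored.
        case $name in
            NavM_Intel_Installer_[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_US.zip) ;;
            *) continue ;;
        esac
        stamp=${name#NavM_Intel_Installer_}
        stamp=${stamp%_US.zip}
        [ "$stamp" -le "$today" ] || continue    # skip future-dated entries
        if [ "$stamp" -gt "$best_stamp" ]; then
            best=$name
            best_stamp=$stamp
        fi
    done
    [ -n "$best" ] || exit 1
    printf '%s\n' "$best"
)

# Constructed sample listing (not real server output).
sample_listing() {
    printf '%s\r\n' \
        'NavM_Intel_Installer_20120226_US.zip' \
        'NavM_Intel_Installer_20120228_US.zip' \
        'NavM_Intel_Installer_20120305_US.zip' \
        'NavM_Intel_Installer_20120228_US.zip.md5' \
        '../NavM_Intel_Installer_20120229_US.zip' \
        'readme.txt'
}

# Usage with the script's own listing command, where LISTING_URL (a
# hypothetical variable) holds the FTP directory used in the script:
#   DesiredUpdate=$(curl -l "$LISTING_URL" | pick_latest_defs "$(date +%Y%m%d)") || exit 1
```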

UPDATE: 6/29/12

Apparently leaving the Mac logged in is not enough if you have a screen locking policy in place as we do in my company. Live Update will also fail to run if the screen is locked, since the OS does not allow GUI apps to run on the Mac while its screen is locked. Read my post on using bash and AppleScript to unlock a Mac’s desktop to help automate a solution to this problem.
