Stop and start Symantec Endpoint Protection on OS X

README.md

This script enables you stop and start Symantec Endpoint Protection on OS X

Installation

sudo curl https://gist.githubusercontent.com/steve-jansen/61a189b6ab961a517f68/raw/sep -o /usr/local/bin/sep
sudo chmod 755 /usr/local/bin/sep
sudo chown root:staff /usr/local/bin/sep

/etc/sudoers

If your user account is not a member of the admin group (i.e., not an OS X Administrator), you need to add the following line to /etc/sudoers using sudo visudo tool:

myusername ALL= NOPASSWD: /usr/local/bin/sep

Example

me:~$ sep stop
/usr/local/bin/sep: relaunching as sudo /usr/local/bin/sep
/usr/local/bin/sep: unloading Symantec Endpoint Protection daemon
/usr/local/bin/sep: unloading Symantec Endpoint Protection shared settings daemon
/usr/local/bin/sep: closing Symantec Endpoint Protection UI widget

me:~$ sudo /usr/local/bin/sep start
/usr/local/bin/sep: relaunching as sudo /usr/local/bin/sep
/usr/local/bin/sep: loading Symantec Endpoint Protection daemon
/usr/local/bin/sep: unloading Symantec Endpoint Protection shared settings daemon
/usr/local/bin/sep: launching Symantec Endpoint Protection UI widget

sep

#!/bin/bash

# relaunch with sudo if we aren't root
if [[ $EUID -ne 0 ]]; then
   echo "$0: relaunching as sudo $0 $1 $USER"
   sudo "$0" $1 $USER
   exit $?
fi

real_user=$USER
if [ -n "$2" ]; then
  real_user=$2
fi

stop() {
  echo $0: unloading Symantec Endpoint Protection daemon
  launchctl unload /Library/LaunchDaemons/com.symantec.symdaemon.*plist

  echo $0: unloading Symantec Endpoint Protection shared settings daemon
  launchctl unload /Library/LaunchDaemons/com.symantec.sharedsettings.*plist

  echo $0: closing Symantec Endpoint Protection UI widget as $real_user
  sudo -u $real_user launchctl unload /Library/LaunchAgents/com.symantec.uiagent.application.*plist
}

start() {
  echo $0: loading Symantec Endpoint Protection daemon
  launchctl load /Library/LaunchDaemons/com.symantec.symdaemon.*plist

  echo $0: loading Symantec Endpoint Protection shared settings daemon
  launchctl load /Library/LaunchDaemons/com.symantec.sharedsettings.*plist

  echo $0: launching Symantec Endpoint Protection UI widget as $real_user
  sudo -u $real_user launchctl load /Library/LaunchAgents/com.symantec.uiagent.application.*plist
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  *)
    echo "Usage: $0 [start|stop]"
    ;;
esac

You saved me! Thanks for this script !

So awesome. The daemon had been running for 4 hours at 100+%. Stopping and restarting totally worked. THANKS!!

thank you

Thanks Steve! That helps a lot 👍

Not working on Yosemite:

$ sep stop
/usr/local/bin/sep: relaunching as sudo /usr/local/bin/sep stop XXX
/usr/local/bin/sep: unloading Symantec Endpoint Protection daemon
/Library/LaunchDaemons/com.symantec.symdaemon.plist: No such file or directory
/usr/local/bin/sep: unloading Symantec Endpoint Protection shared settings daemon
/Library/LaunchDaemons/com.symantec.sharedsettings.plist: No such file or directory
/usr/local/bin/sep: closing Symantec Endpoint Protection UI widget as XXX
/Library/LaunchAgents/com.symantec.uiagent.application.plist: No such file or directory

You made my day. Thanks!

P.S. If the process "nwjs helper" is eating up to 150% CPU usage on your macOS, try turning SEP off.

@JESii Figured out the solution here

Per https://support.symantec.com/en_US/article.TECH134203.html, we need to use com.symantec.symdaemon.*plist to match on com.symantec.symdaemon.plist for SEP 12.x and com.symantec.symdaemon.NFW.plist for SEP 14.x

the asterisk in daemon pathnames will accommodate suffix variations - SEP 12.1.x uses .plist and SEP 14.0 uses .NFM.plist

I've updated this gist and confirmed it's working on Sierra with SEP 14.x.

Thanks! Really neat script! Works on High Sierra with Symantec 12.1.6 (12.1 RU6 MP6) build 7061 (12.1.7061.6600).

Symantec is installed on my work PC and its such a CPU hog that it impedes my work, so time and again I would like to be able to disable it (but the network admin prohibits that through the normal means). Thank you so much for this workaround and for saving my sanity!

Thanks, It's work!
On Mojave with Symantec 14.

lifesaver. this old imac has always ran like a turd after leaving it on overnight and i usually come back seeing symantec just CHUGGIN resources. after running this, the machine is like a new baby boi... i'lll just have to remember to turn it back on when IT comes patrolling through.

thanks for this!

Thanks for the script. I works perfect!

Hi Steve, nice handy script thanks a lot.
Worked fine till yesterday but with the new Catalina Version (19A602) it does not work anymore.
Could not find specified service
The Services still exist in /Library/LaunchDaemons/ but they are not unloaded. I also cannot unload or disable the services manually.

Does anyone have similar Problems?

I'm running SEP 14.2.2 (14.2 RU2) build 5323 (14.2.5323.2000). I have an issue with MacOS Catalina [10.15.1 (19B88)]. Whenever I run the stop script, the network functionality fails. In the Activity Monitor, com.symantec.mes.systemextension continues to run. Network functionality is resumed after restarting SEP.

I'm running SEP 14.2.2 (14.2 RU2) build 5323 (14.2.5323.2000). I have an issue with MacOS Catalina [10.15.1 (19B88)]. Whenever I run the stop script, the network functionality fails. In the Activity Monitor, com.symantec.mes.systemextension continues to run. Network functionality is resumed after restarting SEP.

Same behavior noted as well, albeit recently.

Do anyone have a script for the new version that has this process?:
com.symantec.wssad.plist
because every time I unload this process all internet connection and browsing goes haywire. Sometimes connects sometimes doesn't. Most of the time it just doesn't load anything.

Stopping SEP on OS 10.15 (Catalina)

OS 10.15 has started using systemextensionsctl to manage extensions, and Symantec is one of the first companies to use this.

Steps:

1. Install the sep tool as described above under Installation.
2. To use systemextensionsctl on OS 10.15, you need to disable System Integrity Protection. This requirement may be removed in future OS X releases, and it only needs to be done once.
   1. First, boot into recovery mode by restarting your Mac and hold Command+R as it boots.
   2. Launch terminal from the Utilities menu.
   3. Type csrutil disable.
   4. Reboot.
3. To kill all Symantec processes:
   1. Run sep stop as an admin user.
   2. Run systemextensionsctl list:

   enabled	active	teamID	bundleID (version)	name	[state]
   	9PTGMPNXZ2	com.symantec.mes.systemextension (10.0.0/10.0.0)	Symantec System Extension	[terminated waiting to uninstall on reboot]
   

   1. Run systemextensionsctl uninstall 9PTGMPNXZ2 com.symantec.mes.systemextension. (The team ID may be different for you. Please send feedback whether or not your installation of SEP has the same teamID.) Note that this command must be run by an admin user while logged into the OS X GUI. This is necessary because the systemextensionsctl command requests a password via dialog box.

After that the issue of network functionality still hasn't been resolved.

Thanks, it works!

Thank you very much! Very helpful

@crkrenn, I can confirm that I can see the same team ID '9PTGMPNXZ2' for 'com.symantec.mes.systemextension' but I also see another service with following ID:

enabled	active	teamID	bundleID (version)	name	[state]
*	*	Y2CCP3S9W7	com.broadcom.mes.systemextension (9.0.4/9.0.4)	Symantec System Extension	[activated enabled]

I uninstalled both.

UPDATED:

Like previous commenters have noted, once I run sep stop then the machine cannot not access internet at all. (Even with com.broadcom.mes.systemextension already deactivated and uninstalled.

Thanks, Very helpful 👍

Thank you so much !