@steve-jansen
Last active October 28, 2024 16:59
Stop and start Symantec Endpoint Protection on OS X

This script enables you to stop and start Symantec Endpoint Protection on OS X.

Installation

sudo curl https://gist.githubusercontent.com/steve-jansen/61a189b6ab961a517f68/raw/sep -o /usr/local/bin/sep
sudo chmod 755 /usr/local/bin/sep
sudo chown root:staff /usr/local/bin/sep

/etc/sudoers

If your user account is not a member of the admin group (i.e., not an OS X Administrator), you need to add the following line to /etc/sudoers using sudo visudo:

myusername ALL= NOPASSWD: /usr/local/bin/sep
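
The sudoers line above lets myusername run whatever sits at /usr/local/bin/sep as root without a password, so neither the script nor its directory may be writable by anyone but root. The check below is an added example, not part of the original gist; the function names check_entry and audit_sudo_target are hypothetical, and it inspects only the script and its containing directory.

```shell
#!/bin/sh
# Added example (not from the gist): audit the file a sudoers NOPASSWD rule
# points at. Paths are expected to be absolute. Symbolic links are reported
# as writable, so resolve them before auditing.

# check_entry PATH TRUSTED_UID
# Succeeds only if PATH exists, is owned by TRUSTED_UID, and is not writable
# by group or others.
check_entry() {
    entry=$1
    trusted_uid=$2
    listing=$(ls -ldn "$entry" 2>/dev/null) || { echo "missing: $entry"; return 1; }
    # ls -ldn prints: mode, link count, numeric uid, numeric gid, ...
    mode=$(printf '%s\n' "$listing" | awk '{print $1}')
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$owner" != "$trusted_uid" ]; then
        echo "bad owner (uid $owner): $entry"
        return 1
    fi
    case "$mode" in
        # character 6 is the group write bit, character 9 the other write bit
        ?????w*|????????w*)
            echo "group/other writable ($mode): $entry"
            return 1
            ;;
    esac
    return 0
}

# audit_sudo_target SCRIPT [TRUSTED_UID]
# Checks the script and the directory that holds it. TRUSTED_UID defaults to
# 0 (root); the override exists so the check can be exercised without root.
audit_sudo_target() {
    target=$1
    uid=${2:-0}
    check_entry "$target" "$uid" || return 1
    check_entry "$(dirname "$target")" "$uid" || return 1
    echo "ok: $target"
}

# When invoked with arguments, audit the given path, for example:
#   sh audit.sh /usr/local/bin/sep
if [ "$#" -gt 0 ]; then
    audit_sudo_target "$@"
fi
```
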

Example

me:~$ sep stop
/usr/local/bin/sep: relaunching as sudo /usr/local/bin/sep
/usr/local/bin/sep: unloading Symantec Endpoint Protection daemon
/usr/local/bin/sep: unloading Symantec Endpoint Protection shared settings daemon
/usr/local/bin/sep: closing Symantec Endpoint Protection UI widget
me:~$ sudo /usr/local/bin/sep start
/usr/local/bin/sep: relaunching as sudo /usr/local/bin/sep
/usr/local/bin/sep: loading Symantec Endpoint Protection daemon
/usr/local/bin/sep: unloading Symantec Endpoint Protection shared settings daemon
/usr/local/bin/sep: launching Symantec Endpoint Protection UI widget

#!/bin/bash

# relaunch with sudo if we aren't root, passing the invoking user along
if [[ $EUID -ne 0 ]]; then
    echo "$0: relaunching as sudo $0 $1 $USER"
    # quote every argument so it reaches sudo as a single word
    sudo "$0" "$1" "$USER"
    exit $?
fi

# the user whose session owns the UI agent; defaults to the current user
real_user=$USER
if [ -n "$2" ]; then
    real_user=$2
fi

stop() {
    echo "$0: unloading Symantec Endpoint Protection daemon"
    launchctl unload /Library/LaunchDaemons/com.symantec.symdaemon.*plist

    echo "$0: unloading Symantec Endpoint Protection shared settings daemon"
    launchctl unload /Library/LaunchDaemons/com.symantec.sharedsettings.*plist

    echo "$0: closing Symantec Endpoint Protection UI widget as $real_user"
    # the UI agent is a per-user LaunchAgent, so unload it as that user
    sudo -u "$real_user" launchctl unload /Library/LaunchAgents/com.symantec.uiagent.application.*plist
}

start() {
    echo "$0: loading Symantec Endpoint Protection daemon"
    launchctl load /Library/LaunchDaemons/com.symantec.symdaemon.*plist

    echo "$0: loading Symantec Endpoint Protection shared settings daemon"
    launchctl load /Library/LaunchDaemons/com.symantec.sharedsettings.*plist

    echo "$0: launching Symantec Endpoint Protection UI widget as $real_user"
    # the UI agent is a per-user LaunchAgent, so load it as that user
    sudo -u "$real_user" launchctl load /Library/LaunchAgents/com.symantec.uiagent.application.*plist
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    *)
        echo "Usage: $0 [start|stop]"
        ;;
esac

@crkrenn

crkrenn commented Jul 10, 2020

Stopping SEP on OS 10.15 (Catalina)

OS 10.15 has started using systemextensionsctl to manage extensions, and Symantec is one of the first companies to use this.

Steps:

  1. Install the sep tool as described above under Installation.
  2. To use systemextensionsctl on OS 10.15, you need to disable System Integrity Protection. This requirement may be removed in future OS X releases, and it only needs to be done once.
    1. First, boot into recovery mode by restarting your Mac and holding Command+R as it boots.
    2. Launch terminal from the Utilities menu.
    3. Type csrutil disable.
    4. Reboot.
  3. To kill all Symantec processes:
    1. Run sep stop as an admin user.
    2. Run systemextensionsctl list:
    enabled	active	teamID	bundleID (version)	name	[state]
    	9PTGMPNXZ2	com.symantec.mes.systemextension (10.0.0/10.0.0)	Symantec System Extension	[terminated waiting to uninstall on reboot]
    
    3. Run systemextensionsctl uninstall 9PTGMPNXZ2 com.symantec.mes.systemextension. (The team ID may be different for you. Please send feedback whether or not your installation of SEP has the same teamID.) Note that this command must be run by an admin user while logged into the OS X GUI. This is necessary because the systemextensionsctl command requests a password via dialog box.

@vvchistyakov

After that the issue of network functionality still hasn't been resolved.

@WonkiJo

WonkiJo commented Nov 18, 2020

Thanks, it works!

@yvoronenko-reflexion

Thank you very much! Very helpful

@trongthanh

trongthanh commented Dec 7, 2020

@crkrenn, I can confirm that I can see the same team ID '9PTGMPNXZ2' for 'com.symantec.mes.systemextension', but I also see another service with the following ID:

enabled	active	teamID	bundleID (version)	name	[state]
*	*	Y2CCP3S9W7	com.broadcom.mes.systemextension (9.0.4/9.0.4)	Symantec System Extension	[activated enabled]

I uninstalled both.

UPDATED:

Like previous commenters have noted, once I run sep stop, the machine cannot access the internet at all. (Even with com.broadcom.mes.systemextension already deactivated and uninstalled.)

@liuhaoXD

Thanks, Very helpful 👍

@arnabghoshTW

Thank you so much !

@andreasarf

andreasarf commented Jun 30, 2024

It did not kill com.broadcom.mes.systemextension? How to include some process to kill mentioned process?
