ccSvcHst.exe service queries files on network drives or shares every 10 or 30 minutes

book

Article ID: 156405

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Procmon reveals that the Symantec Endpoint Protection (SEP) service, ccSvcHst.exe, is querying files on network drives or shares every 10 or 30 minutes.

Cause

The Symantec IRON driver is reaching out to these files to gather information such as SHA256. If the driver is unable to retrieve the required information, it will retry every 10 minutes if the computer or user is idle, or every 30 minutes if the computer or user is busy. In some cases this behavior may lead to problems on your network.

 

Resolution

This issue was fixed in SEP 12.1 RU2.

You can remove the ATPI.DB file to stop SEP from reaching out to these files:

  1. From the command line, navigate to the SEP directory.
  2. Run the command smc –stop.
  3. Remove the following file:

    C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\DB\atpi.db

    Windows XP/2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\DB\atpi.db
     
  4. Run the command smc –start.