After updating antivirus definitions to July 5th, 2017 revision 8 or later, CPU utilization by ccsvchst.exe increases considerably on clients running Symantec Endpoint Protection (SEP) 14.0. Specifically, the following conditions may be experienced:

1. A momentary increase in CPU usage by ccsvchst.exe while accessing PDFs, Office files, or other non-executable files. This can include accesses during backing up these file types.
2. An overall increase in CPU usage over time by ccsvchst.exe on busy file or application servers.  This CPU usage can occur any time, and does not coincide with active/scheduled scans.

On July 5th, a new SDS engine update was released that includes changes to Auto-Protect. This allows for additional scanning of non-executable file types. This includes reputation lookups on files types such as PDF, and Microsoft Office files. On systems with a large amount of files or where such files are accessed frequently, higher CPU usage can be experienced.

This issue has been fixed in SEP 14.0.1.