Processes and services used by Endpoint Protection 14

Products

Endpoint Protection

Issue/Introduction

You want to know which processes and services are used by Symantec Endpoint Protection (SEP) 14.

Resolution

Services

This table lists the services used by SEP.

	Service Name	Executable	Description
SEP	Symantec Endpoint Protection	sms.dll	Provides malware and threat protection for Symantec Endpoint Protection
SEP	Symantec Network Access Control	snac64.exe	Checks that the computer complies with the defined security policy and communicates with the Symantec Enforcers to allow your computer to access the corporate network.
	Symantec Migration Service (SEPMasterServiceMig)		"It's a service used during upgrade with reboot, After new SEP is installed side by side with the old one and until you reboot ,new partially installed SEP is hosted in SepMasterServiceMig, while the old one runs in SepMasterService. During reboot the old one is deleted and SepMasterServiceMig is renamed to SepMasterService."
SEPM	Symantec Embedded Database	dbsrv16.exe	Embedded database used by Symantec Endpoint Protection Manager
	Symantec Endpoint Protection Launcher	SemLaunchSvc.exe	Launch service which can invoke special processes for Symantec Endpoint Protection Manager.
	Symantec Endpoint Protection Manager	SemSvc.exe	Application server which communicates with Symantec Endpoint Protection Manager, Symantec Protection clients, and a database.
	Symantec Endpoint Protection Manager API Service	SemSvc.exe	Application server provides web services.
	Symantec Endpoint Protection Manager Webserver	httpd.exe	Web server which communicates with Symantec Endpoint Protection Manager, Symantec Endpoint Protection clients, and a database.
	Symantec MSS DB Connector	prunsrv.exe	This service allows a MSS Collector to remotely access DB services. This is service is only installed when the Synapse Log Collector for SEPM Embedded DB is installed for ATP. The log collector enables ATP to collect incident logs from a Symantec Endpoint Protection Manager database.
SEPM 14.1	Symantec Endpoint Protection Bridge Service	prunsrv.exe	Bridge service.
SEPM 14.1	Symantec Endpoint Protection Bridge Uploader Service	BridgeUploaderSrv.exe	Data uploader service.

Processes

This table lists the processes used by SEP.

Executable	Description
SEPM
ClientRemote.exe	Remote install SEP client
SemSvc.exe	Tomcat service
SemLaunchSvc.exe	Runs under Local System account. SEPM uses this service component to run services that requires elevated privilege
sesmcontinst.exe	Downloads SEPM updates from LiveUpdate servers. Used also for importing .VDB/.JDB files (VirusDefs) into SEPM. Also used to cleanup AV and IPS temporary content files during uninstallation.
LuCatalog.exe	Utility to register/unregister SEPM's with LiveUpdate. Update/sync LU Inventory
LuCallbackProxy.exe	Part of Live Update. The Call Back Proxy Module monitors how many updates are required to be downloaded, and schedules downloads to be performed at various times through various mirror sites to increase download efficiency.
LuComServer_3_3.exe	LiveUpdate Core Engine
httpd.exe	Apache process
dbisqlc.exe	Embedded DB process
dbsrv16.exe	Embedded DB process
semapisrv.exe	Tomcat instance service running for REST web-services.

SEP
snac64.exe	Symantec Network Access Control executable. Checks that the computer complies with the defined security policy and communicates with the Symantec Enforcers to allow your computer to access the corporate network .
AutoExcl.exe	Helps to configure exclusion list on the SEP Client.
DoScan.exe	Responsible for scanning.
nlnhook.exe	hook lotus notes
SavUI.exe	Responsible for UI related to Scan dialog
SepLiveUpdate.exe	Runs LiveUpdate on clients -- ccSvcHst is the process that actually connects to LiveUpdate server
Smc.exe	Communication with the SEPM
SmcGui.exe	Controls the SEP system tray icon and its functions
SymCorpUI.exe	Controls user interface of SEP
symerr.exe	Error reporting component
ccSvcHst.exe	This is Symantec Service Framework. For SepMasterService service run using the framework provided by ccSvcHst. Among other functions: Downloads SEP client updates from LiveUpdate servers.
DevViewer.exe	It helps you find hardware device ID's for device blocking in Symantec Endpoint Protection (SEP).
DWHWizrd.exe	Mainly used when a new set of definitions comes in. It is also used to re-scan files in quarantine when new virus definitions are updated and installed.
RtvStart.exe	Application to restart RTVScan service
roru.exe	The installer in Symantec Endpoint Protection 12.1 uses the Replace On Reboot Uninstaller (RORU), whereby an older version of SEP will not actually be removed and replaced by the newer version until after a reboot.
WSCSAvNotifier	Used to update AntiVirus status to Windows Security Center.
SymCloseUI	Used in install scenarios such as uninstall, or add/remove feature to ensure SEP UI is closed during install operation. Open UI blocks SEP services from stopping, causing install failures. In order to effectively close UI in all user sessions it installs temporary
MigrateUserScans.exe	It is responsible for migrating user scans from SAV and SEP11. (This EXE has been removed from SEP version 14.3 RU5 and later)

Additional Information

Exclusions for Symantec Endpoint Protection (SEP) if Agent is having a conflict when 3rd party security protection software is installed.

Resolution : Configure the 3rd party security protection software to exclude SEP folders and processes, which will prevent them from monitoring data that is written to or read from the folders.

It is recommended to whitelist all of the processes and folders that are listed below:

Endpoint Agent Installation Location *	C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\
Endpoint Agent Data Folder Location *	C:\ProgramData\Symantec\Symantec Endpoint Protection\
Endpoint Service name (SepMasterService)	Sms.dll
Processes	AutoExcl.exe DoScan.exe SavUI.exe SepLiveUpdate.exe Smc.exe SmcGui.exe SymCorpUI.exe symerr.exe ccSvcHst.exe DevViewer.exe DWHWizrd.exe WSCSAvNotifier.exe

* Need to exclude all subfolders