Processes and services used by Endpoint Protection 14
search cancel

Processes and services used by Endpoint Protection 14


Article ID: 170706


Updated On:


Endpoint Protection


You want to know which processes and services are used by Symantec Endpoint Protection (SEP) 14.



This table lists the services used by SEP.

  Service Name Executable Description
SEP Symantec Endpoint Protection sms.dll Provides malware and threat protection for Symantec Endpoint Protection
Symantec Network Access Control

snac64.exe Checks that the computer complies with the defined security policy and communicates with the Symantec Enforcers to allow your computer to access the corporate network.
  Symantec Migration Service (SEPMasterServiceMig)   "It's a service used during upgrade with reboot, After new SEP is installed side by side with the old one and until you reboot ,new partially installed SEP is hosted in SepMasterServiceMig, while the old one runs in SepMasterService. During reboot the old one is deleted and SepMasterServiceMig is renamed to SepMasterService."
SEPM Symantec Embedded Database dbsrv16.exe Embedded database used by Symantec Endpoint Protection Manager
Symantec Endpoint Protection Launcher SemLaunchSvc.exe Launch service which can invoke special processes for Symantec Endpoint Protection Manager.
Symantec Endpoint Protection Manager SemSvc.exe Application server which communicates with Symantec Endpoint Protection Manager, Symantec Protection clients, and a database.
Symantec Endpoint Protection Manager API Service SemSvc.exe Application server provides web services.
Symantec Endpoint Protection Manager Webserver httpd.exe Web server which communicates with Symantec Endpoint Protection Manager, Symantec Endpoint Protection clients, and a database.
Symantec MSS DB Connector prunsrv.exe This service allows a MSS Collector to remotely access DB services. This is service is only installed when the Synapse Log Collector for SEPM Embedded DB is installed for ATP. The log collector enables ATP to collect incident logs from a Symantec Endpoint Protection Manager database.
SEPM 14.1 Symantec Endpoint Protection Bridge Service prunsrv.exe Bridge service.
Symantec Endpoint Protection Bridge Uploader Service BridgeUploaderSrv.exe Data uploader service.


This table lists the processes used by SEP.

Executable Description
ClientRemote.exe Remote install SEP client
SemSvc.exe Tomcat service
SemLaunchSvc.exe Runs under Local System account. SEPM uses this service component to run services that requires elevated privilege
sesmcontinst.exe Downloads SEPM updates from LiveUpdate servers. Used also for importing .VDB/.JDB files (VirusDefs) into SEPM. Also used to cleanup AV and IPS temporary content files during uninstallation.
LuCatalog.exe Utility to register/unregister SEPM's with LiveUpdate. Update/sync LU Inventory
LuCallbackProxy.exe Part of Live Update. The Call Back Proxy Module monitors how many updates are required to be downloaded, and schedules downloads to be performed at various times through various mirror sites to increase download efficiency.
LuComServer_3_3.exe LiveUpdate Core Engine
httpd.exe Apache process
dbisqlc.exe Embedded DB process
dbsrv16.exe Embedded DB process
semapisrv.exe Tomcat instance service running for REST web-services.
snac64.exe Symantec Network Access Control executable. Checks that the computer complies with the defined security policy and communicates with the Symantec Enforcers to allow your computer to access the corporate network .
AutoExcl.exe Helps to configure exclusion list on the SEP Client.
DoScan.exe Responsible for scanning.
nlnhook.exe hook lotus notes
SavUI.exe Responsible for UI related to Scan dialog
SepLiveUpdate.exe Runs LiveUpdate on clients -- ccSvcHst is the process that actually connects to LiveUpdate server
Smc.exe Communication with the SEPM
SmcGui.exe Controls the SEP system tray icon and its functions
SymCorpUI.exe Controls user interface of SEP
symerr.exe Error reporting component

This is Symantec Service Framework. For SepMasterService service run using the framework provided by ccSvcHst. Among other functions:

  • Downloads SEP client updates from LiveUpdate servers.
DevViewer.exe It helps you find hardware device ID's for device blocking in Symantec Endpoint Protection (SEP).
DWHWizrd.exe Mainly used when a new set of definitions comes in. It is also used to re-scan files in quarantine when new virus definitions are updated and installed.
RtvStart.exe  Application to restart RTVScan service
roru.exe The installer in Symantec Endpoint Protection 12.1 uses the Replace On Reboot Uninstaller (RORU), whereby an older version of SEP will not actually be removed and replaced by the newer version until after a reboot. 
WSCSAvNotifier Used to update AntiVirus status to Windows Security Center.


Used in install scenarios such as uninstall, or add/remove feature to ensure SEP UI is closed during install operation. Open UI blocks SEP services from stopping, causing install failures. In order to effectively close UI in all user sessions it installs temporary


It is responsible for migrating user scans from SAV and SEP11. (This EXE has been removed from SEP version 14.3 RU5 and later)

Additional Information

Exclusions for Symantec Endpoint Protection (SEP) if Agent is having a conflict when 3rd party security protection software is installed.

Resolution : Configure the 3rd party security protection software to exclude SEP folders and processes, which will prevent them from monitoring data that is written to or read from the folders.


It is recommended to whitelist all of the processes and folders that are listed below:

Endpoint Agent Installation Location *

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\

Endpoint Agent Data Folder Location *

C:\ProgramData\Symantec\Symantec Endpoint Protection\

Endpoint Service name (SepMasterService)




* Need to exclude all subfolders