Endpoint Protection ccsvchst.exe process consume high cpu over time

book

Article ID: 171244

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

A very busy file server with SEP 14 installed has observed high CPU consumption over time from ccsvchst.exe process, usually in the span of 1 week from a restart of services or computer.

Cause

With file reputation submission enabled, SEP is required to enumerate and keep track of all short-lived processes the file serve generates.  Therefore over time (~ 1 week), ccsvchst.exe process will consume large amount of CPU, > 95%.

Resolution

Two viable solutions,

1. Rename file atpieim.dll on the affected endpoint.  This will be a per endpoint solution.  File atpieim.dll's function is to submit file reputation data to Symantec.

  • Disable tamper protection
  • Run 'smc -stop'
  • Rename 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\AtpiEim.dll' to something different. i.e. AtpiEim.old
  • Run 'smc -start'
  • Re-enable tamper protection

2. If there are multiple endpoints affected, disabling file reputation submission via policy.

With either of the two methods above, the end result will be to disable file reputation data submission to Symantec, thus removing the need for SEP to enumerate and keep of all processes generated from a busy file server.

Attachments