In a mixed managed and unmanaged Symantec Endpoint Protection (SEP) environment, ccSvcHst.exe causes excessive CPU use only on clients that are managed. A large serdef.dat file is found on the clients.

This issue occurs from SEP Manager upgrades to environments using replication. Each upgrade has the potential to add new entries into the LiveUpdate Content policy resulting in duplicates. With each upgrade the number of duplicates increases, thus resulting in a larger policy file.

As a result, the SEP client gets caught in an endless loop trying to process the policy file.

The typical serdef.dat and server.dat files are kilobytes (KB) in size. When this issue is present, these files are typically over megabytes (MB) in size.

This issue is fixed in Symantec Endpoint Protection 14.2.0.1 (14.2 MP1)  For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.

As a work around, you can create a new LiveUpdate Content policy and assign it to the affected client groups.