ccSvcHst.exe idle memory usage is higher on 14.2 RU1 client than previous versions

Article ID: 174769

Products

Endpoint Protection

Issue/Introduction

After upgrading to Symantec Endpoint Protection (SEP) 14.2 RU1, an increase is observed in the amount of memory being used by the SYSTEM instance of ccSvcHst.exe at idle on the client.

Environment

SEP 14.2 RU1

Resolution

This is expected. In 14.2 RU1, changes were made to ccSvcHst to reduce CPU utilization, lower disk I/O and increase battery life while a system is idle. The result is a higher working set of memory for the SYSTEM instance of ccSvcHst.exe. There is no performance impact and there are no system requirement changes related to this change in behavior. The increase in memory usage only occurs at idle. If memory usage on the machine increases, then the working set for ccSvcHst will be reduced.

A registry key can be set to return ccSvcHst to pre-14.2 RU1 behavior.

  1. Temporarily set Tamper Protection to Log Only
  2. Add the following entry into the registry
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\WorkingSetGarbageCollector\ccSvcHst-SYSTEM
    • DWORD (32-bit) Value: WorkingSetThreshold
    • Value Data (Decimal): 8388608
  3. Return Tamper Protection to its previous setting
  4. Restart

NOTE: This is not recommended in most cases. Additional work past 14.2 RU1 has increased efficiency.
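
The following PowerShell script is an added example, not part of the original article. It reports whether the override from step 2 is present on a client and, with `-Mode Apply`, writes it. It assumes an elevated session and that Tamper Protection has already been set to Log Only (step 1); the `$Mode` parameter and the `Get-Override` helper are names chosen for this example.

```powershell
# Added example: audit or apply the WorkingSetThreshold override from this article.
# Run elevated. Tamper Protection (steps 1 and 3) is changed through SEP itself
# and is not handled by this script.
param(
    [ValidateSet('Audit', 'Apply')]
    [string]$Mode = 'Audit'
)

# Key path, value name and data exactly as given in the article.
$KeyPath   = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\WorkingSetGarbageCollector\ccSvcHst-SYSTEM'
$ValueName = 'WorkingSetThreshold'
$ValueData = 8388608   # decimal

function Get-Override {
    # Returns the current DWORD, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$ValueName }
    return $null
}

if ($Mode -eq 'Apply') {
    # Create the key only when it is missing: New-Item -Force on an existing
    # registry key would replace it and drop any values already stored there.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null   # also creates missing parent keys
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $ValueData -Force | Out-Null
}

# Read the value back so the report reflects what is actually in the registry,
# including the case where the write was blocked.
$current = Get-Override
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Mode       = $Mode
    Configured = ($null -ne $current)
    Value      = $current
    Matches    = ($current -eq $ValueData)
}

if ($Mode -eq 'Apply') {
    Write-Warning 'Return Tamper Protection to its previous setting, then restart (steps 3 and 4).'
}
```

Run in the default `Audit` mode, the script makes no changes, so it can be used to find clients where the override has been left in place.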