Symantec Service Framework generates high CPU when SEDR recording and splunkd.exe are both present

Article ID: 176491


Products

  • Endpoint Detection and Response
  • Cloud Endpoint Detection and Response
  • Advanced Threat Protection Platform

Issue/Introduction

The Symantec Service Framework (ccSvcHst.exe) generates high CPU on Symantec Endpoint Protection (SEP) clients when Symantec Endpoint Detection and Response (SEDR) Data Recording is enabled and the Splunk Add-On for Windows (splunkd.exe) is present on the same machine.

Environment

  • The SEP client is registered with an SEDR appliance
  • In the SEDR appliance UI, the Data Recording feature is enabled on the Symantec Endpoint Protection Manager (SEPM) Controller connection to the SEPM that manages the SEP client
  • Splunk Add-On for Windows 7.0.0 is installed on the same machine as the SEP client

Resolution

Symantec is investigating at this time.

Possible configuration workarounds, listed in descending order of CPU savings:

  1. Identify which features of Splunk Universal Forwarder are unnecessary or overused in your environment, then change the Interval for one or more of those features to disable them or reduce how often they run.

    NOTE: For these changes to take effect, a scheduled restart may be required on the Splunk server that holds the settings for the target instances of splunkd.exe.

  2. Within SEDR, on the SEPM Controller connection, create process exclusions for the features of Splunk Universal Forwarder that you seek to retain.

  3. Use divide-and-conquer troubleshooting to isolate which Recording features generate the most CPU usage. Create a SEP client group, add it to Recording Exceptions, and disable all event recording; then work through the recording features to evaluate which ones add the most CPU usage, and decide how to balance CPU usage against security needs.

To disable one or more features of Splunk Universal Forwarder

To create process exclusions for the Splunk Universal Forwarder features you seek to retain

SEDR 4.4 and prior:

  1. In the SEDR UI, navigate to Settings > Global
  2. Scroll down to the list of SEPM Controller connections
  3. On the line for the SEPM Controller connection you seek to modify, click the ellipsis on the right side of the line, then click Recorder Exceptions
  4. Add exceptions for the following process names:
     splunkd.exe
     splunk-powershell.exe
  5. Add exceptions for the SHA256 hashes of these two executable files

SEDR 4.5 and later:

  1. In the SEDR UI, navigate to Policies > Recorder
  2. Click the + sign to add a Recorder Rule
  3. Choose 'Disable Monitoring'
  4. Add the fully qualified actor path for the following process names:
     splunkd.exe
     splunk-powershell.exe
  5. Add exceptions for the SHA256 hashes of these two executable files
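Both procedures above ask for the fully qualified path (step 4, SEDR 4.5 and later) and the SHA256 hash (step 5) of the two Splunk executables. The following PowerShell script, added here as an example and not part of the Symantec article or the Splunk product, collects those values on the SEP client; the default install location `%ProgramFiles%\SplunkUniversalForwarder` and the function name Get-SplunkActorInfo are assumptions.

```powershell
# Added example, not from the Symantec article: gather the fully qualified actor path and
# SHA256 hash of the two Splunk Universal Forwarder executables named in the steps above,
# so the values can be copied into the Recorder Exceptions (SEDR 4.4) or the Recorder Rule
# (SEDR 4.5+). Run in an elevated PowerShell session on the SEP client.
param(
    # Assumed default install location; pass -SplunkHome to override it.
    [string]$SplunkHome = "$env:ProgramFiles\SplunkUniversalForwarder"
)

function Get-SplunkActorInfo {
    param([string]$Name)

    # Prefer the path of the process that is actually running, since that is the actor
    # the Recorder observes. Get-Process takes the image name without ".exe".
    $baseName = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $proc = Get-Process -Name $baseName -ErrorAction SilentlyContinue |
            Where-Object { $_.Path } | Select-Object -First 1
    $path = if ($proc) { $proc.Path }

    # Fall back to searching the install tree when the process is not running.
    if (-not $path) {
        $file = Get-ChildItem -Path $SplunkHome -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
                Select-Object -First 1
        if ($file) { $path = $file.FullName }
    }
    if (-not $path) {
        Write-Warning "$Name is not running and was not found under $SplunkHome"
        return $null
    }

    [pscustomobject]@{
        Process   = $Name
        ActorPath = $path                                              # value for step 4 (SEDR 4.5+)
        SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash  # value for step 5
    }
}

# The two process names listed in the procedures above.
@('splunkd.exe', 'splunk-powershell.exe') |
    ForEach-Object { Get-SplunkActorInfo -Name $_ } |
    Format-List
```

Re-run the script after any Splunk upgrade, since a new binary changes the SHA256 hash and the existing hash exception no longer matches.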