ccSvcHst causes high CPU and high file I/O with the Teredo interface enabled

Article ID: 184871

Products

Endpoint Protection

Issue/Introduction

High CPU usage and file I/O are observed on systems with the Symantec Endpoint Protection 14.2 MP1 or newer client installed when the Teredo interface is in use.

CVE.log from a client shows repeated entries of a network change occurring at a rapid pace:

[2020-Jan-08 12:56:01.764452] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 12:57:11.275133] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 12:57:21.328422] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 12:58:28.396178] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 12:58:33.415459] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 12:59:41.450304] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:00:01.466105] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:01:10.504168] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:01:33.516631] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:02:42.552256] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:03:00.561161] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:04:09.591246] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:04:36.615945] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:05:45.653570] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:06:04.660043] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:07:13.695614] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:07:23.716654] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:08:29.746329] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
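
To check a collected CVE.log for this pattern, the following added example (not Symantec code) parses the entry format shown above and reports the densest burst of network-change heartbeats. The 10-minute window and the threshold of 10 entries are assumed values chosen for illustration, not vendor guidance.

```python
import re
from datetime import datetime, timedelta

# Line format as shown in the CVE.log excerpt in this article.
HEARTBEAT_RE = re.compile(
    r"^\[(\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6})\] \[DEBUG\] "
    r"Network change to trigger heartbeat! \[thread:[0-9a-f]+\]")

def heartbeat_times(lines):
    """Timestamps of every network-change heartbeat entry, in file order."""
    hits = (HEARTBEAT_RE.match(line.strip()) for line in lines)
    return [datetime.strptime(m.group(1), "%Y-%b-%d %H:%M:%S.%f") for m in hits if m]

def find_storm(times, window=timedelta(minutes=10), threshold=10):
    """Return (start, end, count) for the densest sliding window that holds at
    least `threshold` entries, or None. Both defaults are assumed values."""
    times, best, left = sorted(times), None, 0
    for right, t in enumerate(times):
        while t - times[left] > window:   # shrink until the window fits
            left += 1
        count = right - left + 1
        if count >= threshold and (best is None or count > best[2]):
            best = (times[left], t, count)
    return best

# First 11 entries of the excerpt above plus one constructed, unrelated line.
SAMPLE_LOG = """\
[2020-Jan-08 12:56:01.764452] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 12:57:11.275133] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 12:57:21.328422] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 12:58:00.000000] [DEBUG] Constructed unrelated entry [thread:1f94]
[2020-Jan-08 12:58:28.396178] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 12:58:33.415459] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 12:59:41.450304] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:00:01.466105] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:01:10.504168] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:01:33.516631] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:02:42.552256] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
[2020-Jan-08 13:03:00.561161] [DEBUG] Network change to trigger heartbeat! [thread:1f94]
"""

if __name__ == "__main__":
    storm = find_storm(heartbeat_times(SAMPLE_LOG.splitlines()))
    if storm:
        print(f"{storm[2]} network-change heartbeats between {storm[0]} and {storm[1]}")
    else:
        print("no heartbeat storm found")
```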

Cause

When the Teredo interface is enabled, SEP treats each encapsulation of network traffic as a network change and triggers a new heartbeat. The issue compounds on itself because each heartbeat then triggers another encapsulation process.

Resolution

The Teredo interface must be disabled to resolve the high CPU and file I/O behavior. Use the following command to disable it:

netsh interface teredo set state=disabled