Symantec Endpoint Protection client shows very high CPU utilization and takes a long time to start the service


Article ID: 223807


Products

Endpoint Protection

Issue/Introduction

The CCSVCHST.exe process of the Symantec Endpoint Protection client shows very high CPU utilization and the service takes a long time to start.

This is observed when SEPM is added to SEDR 4.5 or greater that is configured with a large number of SHA256 values in the ALLOW/DENY list.

The issue is observed whenever the ALLOW/DENY list in SEDR is updated or the SEP service is restarted.

The CPU utilization settles down after some time, depending on system resources. This time may vary from 30 minutes to more than an hour.


Cause

In SEDR 4.5 and later, a new feature was introduced to send the SHA256 hash values of the ALLOW/DENY list to the SEPM Exceptions policy.

Refer to: What's new in Symantec Endpoint Detection and Response 4.5

It affects SEP 14.3 RU1 or later.

The SEPM Exceptions policy XML cannot handle more than the recommended 500 to 600 values, so the list takes longer to process.
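To see where a given list stands against that range, the following added example (not Broadcom's code) counts the distinct SHA256 values in any text copy of the ALLOW/DENY list or Exceptions policy. It assumes no policy schema: it only looks for 64-character hex strings, and the XML element names in the built-in sample are constructed.

```python
import hashlib
import re
import sys

# Exactly 64 hex characters, not part of a longer hex run (for example a SHA-512 value).
SHA256_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")

# The "recommended 500 to 600 values" range quoted in the article.
RECOMMENDED_LOW, RECOMMENDED_HIGH = 500, 600


def assess(text):
    """Count distinct SHA256 values in text and compare with the recommended range."""
    found = [m.lower() for m in SHA256_RE.findall(text)]  # case-insensitive dedupe
    distinct = len(set(found))
    if distinct > RECOMMENDED_HIGH:
        status = "over"   # above the range: slow policy processing is expected
    elif distinct >= RECOMMENDED_LOW:
        status = "near"   # inside the 500 to 600 range
    else:
        status = "ok"
    return {"distinct": distinct,
            "duplicates": len(found) - distinct,
            "status": status}


def constructed_sample(count):
    """Constructed stand-in for policy XML; element and attribute names are hypothetical."""
    rows = []
    for i in range(count):
        digest = hashlib.sha256(f"constructed-{i}".encode()).hexdigest()
        rows.append(f'<Entry sha256="{digest.upper() if i % 2 else digest}"/>')
    rows.append(rows[0])                                # one duplicate entry
    rows.append('<Other sha512="' + "ab" * 64 + '"/>')  # 128 hex chars, must not count
    return "<Policy>\n" + "\n".join(rows) + "\n</Policy>"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to a text or XML copy of the list, supplied by the operator.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = constructed_sample(650)
    print(assess(text))
```

Duplicate entries are reported separately because they add to the size of the list without adding coverage.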

Environment

Release:

SEP: 14.3 RU1, 14.3 RU2, 14.3 RU3

SEDR: 4.5, 4.6

Component: Symantec Service framework in SEP

Resolution

We are aware of the issue and working on it. Please contact technical support for assistance.
