CCSVCHST.exe of Symantec Endpoint Protection client shows very High CPU Utilization and take long time to start service
This is observed when SEPM is added to SEDR 4.5 or greater which is configured with large number of SHA256 values in ALLOW/DENY list.
Whenever, there is an update to ALLOW/DENY list in SEDR or SEP Service is restarted the issue is observed.
The CPU utilization settles down after some time depending on System resources. This time may vary from 30 minutes to more than an hour.
In SEDR 4.5 and later a new feature was introduced to send the SHA256 Hash values of ALLOW/DENY list to SEPM exceptions policy.
It affects SEP 14.3 RU1 or later.
SEPM Exception policy xml cannot handle more than recommended 500 to 600 values thus taking longer time to process the list.
SEP : 14.3 RU1, 14.3 RU2, 14.3 RU3, 14.3 RU4
SEDR : 4.5, 4.6
Component : Symantec Service framework in SEP
Both the products are working as designed.
This article can be useful in case of high CPU issue: