Symantec Endpoint Protection client shows very High CPU Utilization and take long time to start service
Article ID: 223807
Updated On:
Products
Issue/Introduction
CCSVCHST.exe of Symantec Endpoint Protection client shows very High CPU Utilization and take long time to start service
This is observed when SEPM is added to SEDR 4.5 or greater which is configured with large number of SHA256 values in ALLOW/DENY list.
Whenever, there is an update to ALLOW/DENY list in SEDR or SEP Service is restarted the issue is observed.
The CPU utilization settles down after some time depending on System resources. This time may vary from 30 minutes to more than an hour.
Cause
In SEDR 4.5 and later a new feature was introduced to send the SHA256 Hash values of ALLOW/DENY list to SEPM exceptions policy.
Refer : What's new in Symantec Endpoint Detection and Response 4.5
It affects SEP 14.3 RU1 or later.
SEPM Exception policy xml cannot handle more than recommended 500 to 600 values thus taking longer time to process the list.
Environment
Release :
SEP : 14.3 RU1, 14.3 RU2, 14.3 RU3, 14.3 RU4
SEDR : 4.5, 4.6
Component : Symantec Service framework in SEP
Resolution
Both the products are working as designed.
Additional Information
This article can be useful in case of high CPU issue:
https://knowledge.broadcom.com/external/article/224815/high-cpu-on-all-enrolled-sep-clients-wit.html
Attachments
Feedback
