search cancel

Protection Engine services spike to 100% CPU utilization when Tanium is used in the environment


Article ID: 225562


Updated On:


Protection Engine for Cloud Services Protection Engine for NAS Protection for SharePoint Servers


You notice the Symantec Protection Engine (symcscan on Linux) process take 100% CPU utilization until the service is manually terminated. If the scanner is enrolled in the Centralized Cloud Console, you instead see the Symantec Protection Engine process taking 50% CPU utilization with the Symantec CAF Service (cafservicemain on Linux) service taking 50% CPU utilization until the services are manually terminated.


  • SPE 8.0 through SPE 8.2.1
  • Tanium


There is an unexpected interaction between Tanium and Protection Engine (SPE) that causes the services mentioned above to enter a state that utilizes all CPU resources.


This issue will be fixed in SPE 8.2.2. Please update to SPE 8.2.2 as soon as it is available. A workaround is available if upgrading is not feasible.


You can exclude ports 9001 and 9002 from Tanium scanning on any SPE scanner. This will prevent the interaction that causes the issue.