When looking at resource utilization of Symantec Endpoint Protection (SEP) Linux Agent, you notice that sisamddaemon is using a large amount of CPU resources.  The issue goes away when Auto-Protect scanning is disabled.  (/opt/Symantec/sdcssagent/AMD/tools/sav autoprotect -d) 

Symantec Linux Agent (14.3 RU1 or later)

By default, Auto-Protect will scan any file that is accessed or modified.  On busy servers, this activity can cause high CPU usage when installed applications have heavy disk utilization. 

To resolve the issue, you can make exclusions for known good software and files that are frequently accessed.  You can determine which files Auto-Protect is scanning by monitoring scan activity for 10 minutes. To do this:

1. Login as root account or equivalent (who allow to become root or to run sudo)
2. Run following command (root can run a command as sisips uid without password)

su - sisips -c "./sisipsconfig.sh -approfile 10"  

=> this will start profiling the Auto-Protect scan activity for 10 minutes.

3. If high CPU usage is seen, note the time.
4. Collect and check the following log for what AP scanned at that time and make appropriate exclusions.
/var/log/sdcsslog/amdlog/profile.log

Note: Only files marked as 'Completed' in the profile log were actually scanned.  Excluded files will show in the profile log, but should not show as 'Completed'. If they do, exclusions should be verified.