High CPU utilization is seen on a server where the Symantec Endpoint Protection (SEP) client is installed.
As a result, the system hangs and users are unable to perform any activity on that server.
Symantec Endpoint Detection and Response (SEDR) is also present in the environment.
SEP 14.3x, SEDR
The high CPU usage is caused by the IPS feature. You can try disabling Netstat events in IDSVia64.sys to confirm.
IPS submissions must be disabled in SEPM and, if applicable, Netstat events need to be disabled in EDR.
To resolve the issue, disable the following:
1. Disable IPS submissions in SEPM
2. Disable Netstat in SEDR
IPS submissions can be disabled in SEPM as follows:
a. Navigate to SEPM > Clients > Policies and click the External Communications link.
b. In the Submissions tab, click the "More options..." button.
c. Uncheck "Network data that helps Symantec recommend reductions to your organization's network attack surface"
How to disable Netstat in SEDR:
a. Log in to the SEDR web UI, go to Settings > Global, and select the SEPM Connector you need to modify.
b. Choose 'Endpoint Activity Recorder Configuration' from the menu.
c. Uncheck the 'Enable Netstat Event Recording' checkbox, then save the change.
d. The new FDR policy will be propagated to SEPM, and SEP will then pick it up.