High SEP CPU and growing ccSubSDK folder when using EDR for Insight lookups
search cancel

High SEP CPU and growing ccSubSDK folder when using EDR for Insight lookups


Article ID: 240660


Updated On:


Endpoint Protection


After setting an Endpoint Detection and Response (EDR) server to accommodate Insight lookups, the Symantec Endpoint Protection (SEP) client begins exhibiting high CPU utilization.  Also, the ccSubSDK (\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\CmnClnt\ccSubSDK) folder is filling up with thousands of files.

The following repetitive errors can be seen in the SEP System log:

Cannot assign a client authentication token. This client is not scheduled to obtain a client authentication token.


Release :SEP 14.3


The client will attempt to retrieve an authentication token even if submissions are disabled when connected to EDR.


A fix was provided in SEP 14.3 RU4.  To resolve the issue, upgrade the client to that version or later. 

Note: This fix does not apply if "Client submissions" are still enabled. Only Insight (reputation) lookup queries are permitted without a client authentication token. Client Submissions (broadcom.com)


  • If upgrading in not an immediate option, consider either disabling Insight lookups or direct lookups to the public Insight servers instead of EDR. 
  • Restarting the smc service (smc -stop, smc -start) will offer a temporary reprieve, but the issue will recur. 
  • Enabling SEP clients to access the CAT URL: https://tus1gwynwapex01.symantec.com

Additional Information