ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

High SEP CPU and growing ccSubSDK folder when using EDR for Insight lookups

book

Article ID: 240660

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

After setting an Endpoint Detection and Response (EDR) server to accommodate Insight lookups, the Symantec Endpoint Protection (SEP) client begins exhibiting high CPU utilization.  Also, the ccSubSDK (\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\CmnClnt\ccSubSDK) folder is filling up with thousands of files.

The following repetitive errors can be seen in the SEP System log:

Cannot assign a client authentication token. This client is not scheduled to obtain a client authentication token.

Cause

The client will attempt to retrieve an authentication token even if submissions are disabled when connected to EDR.

Environment

Release :SEP 14.3

Resolution

A fix was provided in SEP 14.3 RU4.  To resolve the issue, upgrade the client to that version or later. 

Workarounds:

  • If upgrading in not an immediate option, consider either disabling Insight lookups or direct lookups to the public Insight servers instead of EDR. 
  • Restarting the smc service (smc -stop, smc -start) will offer a temporary reprieve, but the issue will recur. 

Additional Information

ESCRT-7730