com.broadcom.mes.systemextension CPU usage is high

Article ID: 248014

Products

Endpoint Security Complete

Issue/Introduction

The com.broadcom.mes.systemextension process used by Symantec Endpoint Protection (SEP) / Symantec Endpoint Security (SES) for Mac is showing high CPU utilization.

Environment

Release: 14.3.x for Mac

Cause

The most common reasons for CPU spikes on the com.broadcom.mes.systemextension process are:

  • Compressed file scanning is enabled
  • Lack of vendor-recommended exclusions
  • Problematic build

Resolution

Compressed File Scanning:

Compressed file scanning is typically not recommended, especially for Auto-Protect, because extra CPU resources are required to decompress and examine such files. A risk inside a compressed file does not present a threat unless it is decompressed, and if the file is decompressed during normal file operations, SEP Auto-Protect scanning would catch the risk at that point.

See How to Disable Scanning of Compressed Archives in SEP for Mac

Lack of vendor-recommended exclusions:

Intensive applications that generate a lot of file activity will in turn trigger SEP to scan the files that are being accessed or modified. In many circumstances, application vendors provide documentation or recommendations for files and directories to exclude from antivirus scans. Make sure to add the recommended exclusions.

SEPM:  Creating Exceptions Policies in the Endpoint Protection Manager

SES ICDm: Adding Allow List policy scan exceptions

Problematic build:

High CPU usage will occur when running SEP 14.2 RU2 on macOS 10.15 or newer. SEP should be upgraded to a newer build (14.3 RU3 or higher is recommended).

macOS 10.15.x machines experience high CPU use when Endpoint Protection 14.2 RU2 is installed

Additional troubleshooting:

Component Isolation:

If additional troubleshooting is necessary and a case needs to be created with support, it is important to know which feature is causing the CPU spike. If that is not known, component isolation is recommended. Component isolation is accomplished by disabling each feature set (Auto-Protect, Firewall, Device Control, etc.) one by one until the CPU issue no longer occurs. If disabling Auto-Protect mitigates the issue, determine whether SONAR is the responsible feature by re-enabling Auto-Protect and unchecking the option 'Enable Suspicious Behavior Detection'.

Common Requested Data:

GatherSymantecInfo report - A log collection tool has been created for SEP/SES for Mac clients. The output from this tool will be requested by a technician.

A process sample report of com.broadcom.mes.systemextension - Run Activity Monitor, choose View->All Processes, select the com.broadcom.mes.systemextension process, then choose View->Sample Process and save the report.

Screenshot of Activity Monitor - A screenshot of Activity Monitor showing the processes with the highest CPU utilization can be helpful when correlating SEP CPU usage to another application that is likely triggering the scanning and the subsequent SEP CPU spike.
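
A command-line counterpart to the process sample and Activity Monitor screenshot described above, as an added example that is not part of the original article or a Broadcom tool. It assumes the standard macOS `ps`, `pgrep` and `sample` utilities; the function names, output file names and the embedded snapshot are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Assumes macOS ps, pgrep and sample.
EXT="com.broadcom.mes.systemextension"   # process name from the article

# Constructed snapshot in `ps -A -o pid= -o pcpu= -o comm=` layout (made-up values).
SAMPLE_PS=' 412  87.5 com.broadcom.mes.systemextension
 901  64.2 /Applications/Example Build Tool.app/Contents/MacOS/builder
 133   3.1 /usr/sbin/cfprefsd
  88  12.0 /usr/libexec/example-indexer'

# rank_cpu [N]: read a snapshot on stdin; print the extension's total %CPU,
# then the N busiest other processes (candidates for what triggers scanning).
rank_cpu() {
    n="${1:-3}"
    snap=$(cat)
    printf '%s\n' "$snap" |
        awk -v ext="$EXT" 'index($0, ext) { t += $2 }
                           END { printf "extension\t%.1f\n", t }'
    printf '%s\n' "$snap" | grep -vF "$EXT" | LC_ALL=C sort -k2,2nr | head -n "$n" |
        awk '{ cmd = $3
               for (i = 4; i <= NF; i++) cmd = cmd " " $i   # paths with spaces
               printf "other\t%.1f\t%s\n", $2, cmd }'
}

# collect [DIR]: save a snapshot, the ranking, and a 10-second process sample.
collect() {
    out="${1:-.}"
    stamp=$(date +%Y%m%d-%H%M%S)
    ps -A -o pid= -o pcpu= -o comm= > "$out/ps-$stamp.txt"
    rank_cpu 5 < "$out/ps-$stamp.txt" | tee "$out/cpu-rank-$stamp.txt"
    pid=$(pgrep -f "$EXT" | head -n 1)
    if [ -n "$pid" ]; then
        # Assumption: the extension runs as root, so sample needs sudo.
        sudo sample "$pid" 10 -file "$out/sysext-sample-$stamp.txt"
    else
        echo "$EXT is not running" >&2
    fi
}

case "${1:-}" in
    collect) collect "${2:-.}" ;;
    demo)    printf '%s\n' "$SAMPLE_PS" | rank_cpu 2 ;;
esac
```

Run it with `collect` while the CPU spike is occurring so the ranking and the sample cover the same moment; `demo` prints the ranking for the constructed snapshot.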