High CPU Utilization found on Endpoint Security client after deploying Endpoint Detection and Response in the Cloud
search cancel

High CPU Utilization found on Endpoint Security client after deploying Endpoint Detection and Response in the Cloud


Article ID: 270590


Updated On:


Endpoint Security Endpoint Security Complete


We keep seeing High CPU for Symantec (ccSvcHst.exe) and we just deployed Endpoint Detection and Response (EDR) with all the default options selected.   Is there a reason why this keeps happening? Can we change some scanning attributes to minimize this utilization?


Endpoint Detection and Response (EDR) policy was applied to SEP causing higher than normal CPU utilization


To isolate whether or not EDR is involved with the High CPU, edit the EDR policy and turn off Endpoint Activity Recorder (EAR), and save the changes.  Next check the SES clients to see if that helps or not.  If not, then withdraw the EDR Policy to further isolate it.  

If turning off EAR or withdrawing EDR Policy, resolves the High CPU, and you intend to keep EDR on, then you'll need to add EAR specific exclusions to minimize your observed CPU utilization.  

To determine the noisiest events please do the following: 

1. Log into ICDm Cloud Portal
2. Click on the Investigate option 
3. Under Filter by, type in Device Name <machine name> and click Run Query 
4. Once results are present, navigate to Group By and then Other Fields and then search / select the Event Type Id

NOTE: This will give you the highest number of events present based on the maximum of 10k events displayed

5. Click on the Event count hyperlink and then you'll see a list of events for the Event Type ID (ex: 8015 - Monitored Source)

a. From here, you'll need to review the description to determine what files or exe's are involved in the events. 
b. If you'd prefer that these events aren't gathered, you'll need to notate the Actor File SHA256 to exclude in a later step. 

6. To exclude events based on their SHA256, open your Endpoint Detection and Response policy and scroll down to your Endpoint Activity Recorder Rules section.   
From here, click Add, next choose from the available options (Do not record, or Disable monitoring) and then specify the SHA256 hash you want to exclude. 
(NOTE: Do Not Record, will "stop" recording specific events associated with the supplied SHA256 value only. Also this config will likely still impact CPU utilization, as the items will still be monitored, but not recorded. Disable monitoring will "stop" monitoring ALL Event types and NOT only specific events.)

Additionally, if you would like to test or add exclusions specific to a single SEP/SES client system you'll need to duplicate your production EDR policy and assign the duplicate copy to the client so that the exclusions only impact the single systen, rather than ALL of production machines. 

7. Once EAR exclusions are applied, then monitor the SEP clients for improved performance.  

If EAR exclusions have been applied but the issue continues, then gather a "Full Dump" from the SES Cloud / ICDm console per kb: 
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Endpoint-Detection-and-Response/EDR-Actions/Initiating-a-full-dump.html during the time range of the issue and analyze the file for any other possible exclusions you want to add.

NOTE: The "Full Dump includes all events during your specified time range, and often exceeds the 10k events limit displayed in SES Cloud / ICDm.

8.  If you've added EAR exclusions and you still see the same issue please gather the data outlined in kb: https://knowledge.broadcom.com/external/article/169923/high-cpu-usage-due-to-ccsvchstexe-on-a-b.html and contact Support for assistance.