Starting with Endpoint Protection (SEP) 14.3 and newer, there will be at least three ccSvcHst.exe processes.

The additional ccSvcHst.exe starting with SEP 14.3 is a result of separating the scan process.  The service associated with this additional process is SepScanService.   Separating the scan process brings more efficient memory usage and less dependency on the main SEP service.

Virus JDBs and IUs in 14.3

This also brought change to the AV/AS definitions.  Pre-14.3 a single JDB contained the files needed to update either a 32-bit or 64-bit client.  This is no longer the case in 14.3 going forward.  Now 32-bit and 64-bit have separate JDBs.  The Intelligent Updaters (IUs) naming has also changed in 14.3

A fourth ccSvcHst.exe process may exist if Web Traffic Redirection is being used.