CPU usage for lsass.exe increases after migrating Symantec Endpoint Protection (SEP) Release Update 5 (RU5) or newer. This is seen on systems with limited resources connecting to encrypted network shares.
This is an unintended side-effect of changes made to the AutoProtect component of SEP RU5. The change was made to resolve issues with files that are affected by Opportunistic Locking. After RU5, AutoProtect will cause lsass.exe to query files that are locked by Opportunistic Locking multiple times. In environments with very little free resources, this will cause the system's performance to slow, and the CPU usage of lsass.exe to increase significantly.
This issue is resolved in Symantec Endpoint Protection 11 Release Update 6 Maintenance Patch 3 (RU6 MP3). For download instructions see Obtaining the latest version of Endpoint Protection or Network Access Control 11.
Program is designed to access a database on an encrypted network share, copying data from this share down as temp data.