COH32.exe utilizes 90-100% CPU usage for extended periods

Article:TECH91913  |  Created: 2009-01-20  |  Updated: 2012-07-30  |  Article URL http://www.symantec.com/docs/TECH91913
Article Type
Technical Solution

Product(s)

Issue



COH32.exe uses high percentage of CPU

Symptoms
Workstation slows down

Tasks freeze or delay
Process usage shows coh32.exe utilizing 90-100% cpu usage for extended periods

 


Cause



Unknown processes are repeatedly scanned.

This can also occur if the Proactive Threat Protection Scan Frequency is set to scan new processes immediately even though the option was set to "At the default scanning frequency" at a later time.  If the check mark is left for "Scan new processes immediately" it can cause processes to be scanned continuously.


Solution



Add custom scripts and applications (especially those developed by the customer in-house) to the force detection list and then add a TruScan Centralized Exception exception to ignore/log only these processes.

To force a process to be detected by TruScan so an exception can be made requires two steps:
1.) Force TruScan to detect the process.
2.) Add the appropriate exception to the detected process.

Follow the steps below by first selecting Process to force process detection, and then again, selecting Detected Processes to add the exception.
 

      1. Log into the SEPM and click Policies.
      2. Under View Policies click Centralized Exceptions.
      3. Under Tasks click Add a Centralized Exception policy... This will create and open a new Centralized Exceptions Policy.
      4. In the left pane, click Centralized Exceptions.
      5. Click the Add button to open a drop-down menu. Move the cursor over TruScan Proactive Threat Scan Exceptions to open a second drop-down menu.
      6. Select one of the two options: Detected Processes, Process.
      7. Note: if you are unsure about what type of exception to make please see the chapter entitled "Configuring Centralized Exceptions Policies" in the "Administration Guide for Symantec™ Endpoint Protection and
      Symantec Network Access Control".
      8. Enter the appropriate information for the detected processes, or process you would like to exclude.
      9. (Optional) Repeat steps 5 through 7 to add any other TruScan Proactive Threat Scan Exceptions you would like to the policy.
      10. (Optional) Follow the appropriate steps under "Creating exceptions for Antivirus and antispyware scans" or "Creating exceptions for Tamper Protection scans" to add those types of exceptions to this policy.
      11. Click OK.




References
Document ID: 2008030423280248

Title: 'Making exceptions using centralized exception policies in Symantec Endpoint Protection Manager.'
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008030423280248?Open&seg=ent


Technical Information
By default, TruScan does not automatically document unknown processes. If it cannot find a reason to white list the process or alert on the process, it merely keeps rescanning it. Forcing custom application processes to be detected will add them to the detected application list and known good/internal applications can then be excluded/white-listed.


 



Legacy ID



2009012008215548


Article URL http://www.symantec.com/docs/TECH91913


Terms of use for this information are found in Legal Notices