Endpoint Protection

 View Only

  • 1.  ccSvcHst.exe with high CPU time and above average memory usage.

    Posted Sep 10, 2012 03:16 PM

    We have many servers that I am monitoring with an average Memory Usage of ~ 16MB for ccSvcHst.exe and up to 8% CPU time.

     

    We always have 3 to 6 servers with higher Memory Useage, some over 200MB and occupying as much as 50% of the processor time and I am talking about 50% of the processor's time from the time it was rebooted.

     

    I don't want to open a ticket for each and every server so how can I troubleshoot this?

     

    Dave



  • 2.  RE: ccSvcHst.exe with high CPU time and above average memory usage.

    Posted Sep 11, 2012 09:32 PM

    hi,

    what sep version are you using ?



  • 3.  RE: ccSvcHst.exe with high CPU time and above average memory usage.

    Posted Sep 11, 2012 10:35 PM

    ccSvcHst.exe this process is implemented in SEP 12.1 hope they runnin on SEP 12.1 

     

    Symantec Endpoint Protection client shows high CPU usage immediately after virus definition updates.

    http://www.symantec.com/docs/TECH170756

    check this article hope this helps......


  • 4.  RE: ccSvcHst.exe with high CPU time and above average memory usage.



  • 5.  RE: ccSvcHst.exe with high CPU time and above average memory usage.

    Posted Sep 12, 2012 10:03 AM

    You are correct Mohan, it is SEP 12.1 and it is running on a Windows 2008 Server.



  • 6.  RE: ccSvcHst.exe with high CPU time and above average memory usage.

    Posted Sep 12, 2012 10:26 AM

    Symantec support determined that the problem was a corrupt virus definition and refered me to this post:

    http://www.symantec.com/business/support/index?page=content&id=HOWTO59193

     

    This solved the problem for this server but I have one other with the same problem. I found the problems using two batch files.

    BATCH FILE 1

    del \\tsclient\c\users\[myusername]\desktop\results\*.* /q
    Start GetTaskList server1
    Start GetTaskList server2
    Start GetTaskList server3
     

     

    BATCH FILE 2

    echo %1 >> \\tsclient\c\users\[myusername]\desktop\results\%1.txt
    tasklist /v /S %1 /U lfob\[myusername] /P [mypassword] /fi "cputime gt 00:40:00" >> \\tsclient\c\users\[myusername]\desktop\results\%1.txt
    exit

     

    This will create one file for each server and only show processes that used at least 40 minutes of the CPU time. Here are the results I got with Server02 being the one I fixed.

     

        9/6/12 16:56 9/7/12 12:08 9/10/2012 16:39
    SERVER SERVICE MEMORY
    USAGE    		 CPU IN TIME MEMORY
    USAGE    		 CPU IN TIME MEMORY
    USAGE    		 CPU IN TIME
    Server02 ccSvcHst.exe 17,236 K 15.47% 16,572 K 15.15% 291,148 K 34.16%
    Server21 ccSvcHst.exe 17,188 K 8.84% 17,016 K 8.36% 217,272 K 24.16%
    Server09 ccSvcHst.exe 4,356 K 0.04% 16,384 K 4.21% 16,388 K 14.59%
    Server15 ccSvcHst.exe 16,464 K 2.11% 16,384 K 2.09% 16,880 K 11.00%
    Server22 ccSvcHst.exe 17,368 K 6.13% 16,552 K 5.83% 17,796 K 8.53%
    Server05 ccSvcHst.exe 16,804 K 6.76% 17,056 K 6.56% 16,616 K 7.74%
    Server14 ccSvcHst.exe 3,916 K 0.03% 17,020 K 0.69% 16,388 K 3.36%
    Server03 ccSvcHst.exe         16,456 K 3.27%
    Server23 ccSvcHst.exe 16,404 K 2.42% 16,416 K 2.30% 16,656 K 3.05%
    Server13 ccSvcHst.exe     16,552 K 1.08% 16,524 K 2.99%
    Server16 ccSvcHst.exe 17,060 K 0.66% 16,728 K 0.65% 16,404 K 2.66%
    Server28 ccSvcHst.exe 17,032 K 1.84% 17,108 K 1.83% 16,892 K 1.94%
    Server26 ccSvcHst.exe 16,440 K 1.59% 16,528 K 1.57% 16,428 K 1.64%
    Server12 ccSvcHst.exe 16,420 K 0.62% 16,488 K 0.61% 16,488 K 1.56%
    Server11 ccSvcHst.exe 16,552 K 0.14% 3,804 K 0.01% 16,356 K 0.71%
    Server06 ccSvcHst.exe         17,184 K 0.49%
    Server01 ccSvcHst.exe         17,328 K 0.33%
    Server24 ccSvcHst.exe 16,444 K 0.22% 16,136 K 0.22% 16,572 K 0.23%
    Server07 ccSvcHst.exe 16,404 K 0.16% 16,508 K 0.16% 16,712 K 0.17%
    Server25 ccSvcHst.exe 16,624 K 0.04% 17,516 K 0.04% 16,388 K 0.07%
    Server04 ccSvcHst.exe 4,072 K 0.02% 16,388 K 0.43% 3,300 K 0.02%
    Server10 ccSvcHst.exe 3,868 K 0.04% 16,396 K 2.70%    
    Server18 ccSvcHst.exe 16,416 K 1.62% 16,572 K 1.55%    
    Server08 ccSvcHst.exe 16,388 K 0.31% 16,468 K 0.31%    
    Server27 ccSvcHst.exe 16,388 K 0.21% 16,420 K 0.20%    
    Server26 Smc.exe            
    Server01 SemSvc.exe            
    Server28 Smc.exe            
    Server04 Smc.exe            
    Server17 ccSvcHst.exe 16,720 K 0.31% 16,408 K 0.31%    
    Server19 ccSvcHst.exe 16,528 K 23.51% 16,392 K 21.68%    
    Server20 ccSvcHst.exe 16,668 K 19.69% 16,416 K 18.22%    

     

    Hope this helps.

     



  • 7.  RE: ccSvcHst.exe with high CPU time and above average memory usage.

    Posted Sep 20, 2012 12:40 PM

    Symantec wants a Full memory dump when the problem is symptomatic. As the client is a server this will not be possible.

     

    Still no solution.



  • 8.  RE: ccSvcHst.exe with high CPU time and above average memory usage.

    Posted Sep 20, 2012 10:13 PM

    I agree with you. thanks for the updates it will be helpful. Let me try with your idea..



  • 9.  RE: ccSvcHst.exe with high CPU time and above average memory usage.

    Posted Sep 24, 2012 05:38 PM

    The Scan Times are what are killing us. I tell our support person about the problem and they didn't even know that it was related to the Scan Times or were just affraid to tell us.

    We have scans that run nearly 2 days 17 hours on average so even if we started this at 6pm on Friday it still would not be done until 11 AM Monday morning and we cannot start the scans Friday night. One scan ran for 4 days and 10 hours, almost an entire work week!

    Here is our top 10 most affected servers that are running AV only. Everything is turned off except for Auto-Protect that is running fine except when a full scan is running.

     

    Computer Name Event
    Duration    		 Average
    Duration    		 Start Datetime End Datetime Status
    Server1 105:37:31 64:56:25 8/26/2012 6:00 8/30/2012 15:37 Completed
    Server1 106:05:45 64:56:25 9/2/2012 6:00 9/6/2012 16:05 Completed
    Server1 57:38:49 64:56:25 9/9/2012 6:00 9/11/2012 15:38 Completed
    Server1 26:26:83 64:56:25 9/16/2012 6:00 9/17/2012 8:26 Completed
    Server1 28:53:16 64:56:25 9/23/2012 6:00 In Progress Started
    Server2 85:17:56 54:55:33 8/26/2012 6:00 8/29/2012 19:17 Completed
    Server2 102:36:89 54:55:33 9/2/2012 6:00 9/6/2012 12:36 Completed
    Server2 48:11:96 54:55:33 9/9/2012 6:00 9/11/2012 6:11 Completed
    Server2 38:30:23 54:55:33 9/16/2012 6:00 9/17/2012 20:30 Completed
    Server2 00:00:00 54:55:33 9/23/2012 6:00 In Progress Started
    Server3 88:18:96 51:45:00 8/26/2012 6:00 8/29/2012 22:19 Completed
    Server3 81:25:41 51:45:00 9/2/2012 6:00 9/5/2012 15:25 Completed
    Server3 50:26:73 51:45:00 9/9/2012 6:00 9/11/2012 8:26 Completed
    Server3 38:33:90 51:45:00 9/16/2012 6:00 9/17/2012 20:33 Completed
    Server3 00:00:00 51:45:00 9/23/2012 6:00 In Progress Started
    Server4 80:34:26 49:42:87 8/26/2012 6:00 8/29/2012 14:34 Completed
    Server4 79:47:76 49:42:87 9/2/2012 6:00 9/5/2012 13:47 Completed
    Server4 50:17:84 49:42:87 9/9/2012 6:00 9/11/2012 8:17 Completed
    Server4 37:54:51 49:42:87 9/16/2012 6:00 9/17/2012 19:54 Completed
    Server4 00:00:00 49:42:87 9/23/2012 6:00 In Progress Started
    Server5 78:11:98 47:36:46 8/26/2012 6:00 8/29/2012 12:12 Canceled
    Server5 91:14:13 47:36:46 9/2/2012 6:00 9/6/2012 1:14 Completed
    Server5 32:57:58 47:36:46 9/9/2012 6:00 9/10/2012 14:57 Canceled
    Server5 35:38:61 47:36:46 9/16/2012 6:00 9/17/2012 17:38 Completed
    Server5 00:00:00 47:36:46 9/23/2012 6:00 In Progress Started
    Server6 68:38:63 46:00:51 8/26/2012 6:00 8/29/2012 2:38 Completed
    Server6 76:56:08 46:00:51 9/2/2012 6:00 9/5/2012 10:56 Completed
    Server6 33:48:03 46:00:51 9/9/2012 6:00 9/10/2012 15:48 Canceled
    Server6 23:28:33 46:00:51 9/16/2012 6:00 9/17/2012 5:28 Completed
    Server6 27:11:49 46:00:51 9/23/2012 6:00 9/24/2012 9:11 Completed
    Server7 57:13:84 40:35:85 8/26/2012 6:00 8/28/2012 15:13 Completed
    Server7 71:38:06 40:35:85 9/2/2012 6:00 9/5/2012 5:38 Completed
    Server7 39:30:71 40:35:85 9/9/2012 6:00 9/10/2012 21:30 Completed
    Server7 34:36:63 40:35:85 9/16/2012 6:00 9/17/2012 16:36 Completed
    Server7 00:00:00 40:35:85 9/23/2012 6:00 In Progress Started
    Server8 34:54:46 28:44:17 8/26/2012 6:00 8/27/2012 16:54 Completed
    Server8 34:51:86 28:44:17 9/2/2012 6:00 9/3/2012 16:51 Completed
    Server8 29:53:46 28:44:17 9/9/2012 6:00 9/10/2012 11:53 Completed
    Server8 21:41:63 28:44:17 9/16/2012 6:00 9/17/2012 3:41 Completed
    Server8 22:19:45 28:44:17 9/23/2012 6:00 9/24/2012 4:19 Completed
    Server9 01:26:29 28:30:22 8/26/2012 6:00 8/26/2012 7:26 Canceled
    Server9 47:56:50 28:30:22 9/2/2012 6:00 9/4/2012 5:56 Completed
    Server9 40:39:88 28:30:22 9/9/2012 6:00 9/10/2012 22:39 Completed
    Server9 24:31:88 28:30:22 9/16/2012 6:00 9/17/2012 6:31 Completed
    Server9 27:56:58 28:30:22 9/23/2012 6:00 9/24/2012 9:56 Completed
    Server10 35:50:51 28:29:54 8/26/2012 6:00 8/27/2012 17:50 Completed
    Server10 36:27:43 28:29:54 9/2/2012 6:00 9/3/2012 18:27 Completed
    Server10 24:02:34 28:29:54 9/9/2012 6:00 9/10/2012 6:02 Completed
    Server10 22:31:28 28:29:54 9/16/2012 6:00 9/17/2012 4:31 Completed
    Server10 23:36:15 28:29:54 9/23/2012 6:00 9/24/2012 5:36 Completed

    The full scans

    • Scan All Files
    • Have Insight Lookup Enabled with Quarantine Risk then Leave Alone selected.
    • Action tab has Clean risk, Quarantine risk, Backup before Repair, Terminate and Stop Automaticly.
    • Notifications is turned off.

    Prity basic but still we wait!