Endpoint Protection


SEP 11, Network Access Protection, SMC.exe


  • 1.  SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 05:27 AM
    Hi,
     I have Windows 7 x64 (SP1 beta) with SEP 11.0.6100.645

     I'd like to run the firewall component only of SEP, so I uninstalled the 2 firewall related components. At the moment I also want to run SEP unmanaged, so just for basic AV with scheduled liveupdate. (I had some strange issues with the firewall, possibly relating to a large number of miniport adapters I have for virtualization & vpn)

     However I noticed "SMC.exe" was still running and taking a small amount of CPU (a few %). I therefore disabled
     - Symantec Network Access Control
     - Symantec Management Client

    Having done this I observe
     - The tray icon is no longer present
     - If I manually start the gui I get a warning NAP is not running
     - The test virus EICAR is still correctly picked up.

    Am I right in thinking this configuration is
     - giving full virus protection
     - running unmanaged
     - offering no firewall/network protection

    Thanks
    Nigel.


  • 2.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 05:40 AM
    The main job of SMC.exe (Symantec Management Client) is the communication between SEPM and the client (it has some other roles also).


  • 3.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 05:45 AM
    Can you tell me what exactly you require? Do you want to use firewall and AV? If yes, smc is a must, because in the firewall smc has an important role.
    As far as I know rtvscan.exe and smc.exe are the most important processes of SEP....


  • 4.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 06:10 AM
    For now it's just to run AV. The firewall issue would be a separate discussion.

    What I noticed with SMC.EXE is something I try and place close attention to -- processes that "leak" CPU (ie whilst not appearing to do anything useful). In this case smc.exe was a constant 2% cpu draw. There was nothing I could see in the log

    If smc's role is to periodically check for policies I'd not expect a constant draw?


  • 5.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 06:39 AM
    The smc is for establishing communication with the management server for new policies and virus definitions; there are a lot of other processes which run under smc.exe.
    Open the SEP console
    Help and support
    Troubleshooting
    Do you see the client as self managed?
    Try to remove the package and install it from CD, select advance
    Remove NTP
    Install as unmanaged.


  • 6.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 07:20 AM

    Check the following article, which tells us about the processes and services used by SEP

    Title: 'Processes and Services used by Symantec Endpoint Protection'
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2007102906283148?Open&seg=ent

    Symantec Management Client provides communication with the Symantec Endpoint Protection Manager. Controls the SMC.exe & SMCGui.exe processes.




  • 7.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 08:38 AM
    If you want to install SEP unmanaged, without the firewall component, then do the following:

    1. Go to Programs and Features in Control Panel.
    2. Select Symantec Endpoint Protection, and select Change.
    3. Modify the installation to uncheck Network Threat Protection, and Application and Device Control.
    See below:



  • 8.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 09:07 AM
    Thanks for the info.

    I had already adopted that approach of changing the install -- I then removed SEP entirely and installed unmanaged from the SEP CD. Whilst I don't have the firewall enabled (as required, in both cases), I am still seeing smc.exe take a fairly constant 2% CPU. Whilst 2% is small if I had a number of processes doing this it would soon become significant (and waste power, generate heat, shorten battery life)

    What would this process be doing on an ongoing basis on an unmanaged client? 
    The process appears to be doing a burst of activity every 5 seconds 

    A quick attempt to look at the stack trace with "process explorer" gives some hint it's to do with network detection/vpn -- maybe, but that shouldn't be in play in this non-firewall configuration?
    Looking with "procmon" (process monitor) shows it is trawling the registry for network connection/tcp configuration data every few seconds

    Wondering what exactly it's doing, why & how to stop it..


  • 9.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 09:21 AM
    In the registry, disable NTP:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant

    Change the value of Start to 4. 1 means enabled.


  • 10.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 10:12 AM
    I don't have a SysPlant service in the registry -- I did deselect NTP & firewall/intrusion during install (and similar to the screenshots posted above).

    Even with those components selected, smc.exe is doing something related to networking & this is causing a momentary spike. I see 2% in windows task manager continually, presumably averaged over 5 or 10s (slow). In process explorer it can peak at 8%+ (probably over a second)

    Am trying therefore to determine if this is
     * doing something useful (for my configuration)
     * A defect that should be reported
     * A consequence of having something enabled I don't need

    As mentioned above I see a variety of sw from time to time take cpu unnecessarily. Multiplied out this can become a lot of wasted resource -- and in addition to cpu load there's always the risk of other forms of resource use & contention.


  • 11.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 10:25 AM
    In the client go to Change settings (left side) ---> Client Management ---> Configure Settings --> General and uncheck the "show notification area icon" option. Then observe...


  • 12.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 08, 2010 11:27 AM
    Thanks for the quick responses BTW - appreciated & impressed.

    I tried that (actually had tried before). Whilst the icon disappears as expected, I see the same from smc.exe & in particular still see those registry enquiries going on (around 20,000 in 10s)
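The measurement described in posts 8 and 12 (registry reads by smc.exe arriving in bursts, counted over a capture window) can be made repeatable from a Process Monitor CSV export. The following is an added example, not part of the thread and not Symantec or Sysinternals code; it assumes Procmon's default export columns, and the function names and sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

HEADER = ["Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"]
KEY = r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters"  # constructed sample path

def build_sample():
    """Constructed capture: Smc.exe does 4 registry reads every 5 s, plus unrelated rows."""
    out = io.StringIO()
    w = csv.writer(out, quoting=csv.QUOTE_ALL)
    w.writerow(HEADER)
    for sec in (0, 5, 10):
        for i in range(4):
            w.writerow([f"9:07:{sec:02d}.{i}000000 AM", "Smc.exe", "1234",
                        "RegQueryValue", KEY, "SUCCESS", ""])
        w.writerow([f"9:07:{sec + 1:02d}.0000000 AM", "Rtvscan.exe", "888",
                    "RegOpenKey", KEY, "SUCCESS", ""])
    w.writerow(["9:07:02.0000000 AM", "Smc.exe", "1234", "ReadFile",
                r"C:\constructed.log", "SUCCESS", ""])
    return out.getvalue()

def second_of_day(time_of_day):
    """Convert Procmon's 'h:mm:ss.fffffff AM' (or 24-hour) time to whole seconds."""
    clock, _, ampm = time_of_day.strip().partition(" ")
    h, m, s = clock.split(".")[0].split(":")
    hour = int(h)
    if ampm:
        hour = hour % 12 + (12 if ampm.upper() == "PM" else 0)
    return hour * 3600 + int(m) * 60 + int(s)

def registry_ops_per_second(csv_text, process="smc.exe"):
    """Return {second_of_day: count} of Reg* operations issued by `process`."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"].startswith("Reg"):  # RegOpenKey, RegQueryValue, ...
            counts[second_of_day(row["Time of Day"])] += 1
    return dict(counts)

def burst_interval(counts, threshold):
    """Gap in seconds between bursts (seconds with >= threshold ops); None if not regular."""
    bursts = sorted(sec for sec, n in counts.items() if n >= threshold)
    gaps = {b - a for a, b in zip(bursts, bursts[1:])}
    return gaps.pop() if len(gaps) == 1 else None

if __name__ == "__main__":
    per_sec = registry_ops_per_second(build_sample())
    print(per_sec, "burst interval:", burst_interval(per_sec, threshold=4))
```

Running the same functions on captures taken before and after a configuration change or client upgrade gives comparable per-second counts to attach to a support case.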


  • 13.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 10, 2010 05:12 AM
    Any further ideas? It does look as if SMC is doing stuff it doesn't need to (though obviously I don't know the code)

    For now running with that service disabled, "eicar" is still detected by autoprotect which is a good sign.


  • 14.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 14, 2010 03:03 AM

    ?



  • 15.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 14, 2010 03:31 AM

    SMC.exe--This is the client. Controls the client-manager communication, location detection, and is the non-driver portion of Network Threat Protection.

    So I think you cannot stop that process. In my opinion, if it is not using a considerable amount of resources you can ignore it.



  • 16.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Sep 20, 2010 02:45 AM

    Thanks. I guess my point was that it does seem to be consuming resources - 1000s of registry calls per second & contributing to a constant cpu load of a few %. That by itself isn't that high, but the problem comes when all of these kinds of process workloads are added together.

     

    In this case the firewall (off) /management (unmanaged) components are already disabled so there doesn't appear to be a reason for smc to consume this resource.

     

    IMO the impact on a system from tools such as AV, firewalls etc is really important as they're running "everywhere" all the time -- that adds up to a lot.

    Whilst there may indeed not be a big enough problem here to warrant an urgent fix, I do think there's a potential optimization for future product releases to improve the overall load imposed by SEP. Indeed even though this scenario isn't typical in that smc may technically not be required, the work the process is doing may turn out to be unnecessary across the board.



  • 17.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Dec 21, 2010 02:50 AM

    Since originally posting this I have installed a new version of a managed client

     

    11.0.6100.645

     

    I have both antivirus and ntp installed & it appears to be functioning fine apart from one significant annoyance -- the smc.exe cpu "leak" reported in this thread.

     

    smc.exe is constantly drawing nearly 5% cpu -- with an effect on battery life

     

    smc is constantly re-reading the registry (network configuration) in a loop - this definitely looks like a defect.



  • 18.  RE: SEP 11, Network Access Protection, SMC.exe

    Posted Dec 21, 2010 03:28 AM

    There is a new version, RU6 MP2 11.0.6200.754, released about 2 weeks ago - you may want to check it and, if you still experience a problem, open a case with TechSupport.