
What does ccsvchst.exe*32 do for Symantec

Created: 01 Aug 2013 | 13 comments

Hi,

What does ccsvchst.exe*32 do for Symantec? Recently we have been seeing high CPU utilization from ccsvchst.exe*32, and we didn't change any SEP policies recently.

We have SEPM server with SEP 12.1 RU1 MP1 and same as for clients also.

Please someone guide me how to overcome this issue.

I have read the text below regarding the ccsvchst.exe*32 file, but we are not using the Norton software suite; we are using only Symantec Endpoint Protection Manager.

The ccsvchst.exe file is automatically added to your computer upon installing the Norton software, and it is referred to as the Symantec Service Framework. The ccsvchst.exe file works to display the GUI (Graphical User Interface) of Norton products, which usually include the Norton security Suites.

 


Rafeeq's picture

That's the rtvscan in 12.1. All the real-time scanning is taken care of by this process.

The RTVScan.exe functionality is now provided by the SepMasterService service. The image name for this service is now ccSvcHst.exe. Note that there are multiple ccSvcHst.exe instances running on your computer. The SepMasterService service requires one instance, and an additional instance is required for each user session.

 

.Brian's picture

You may see high CPU utilisation by this process when scans are run or even during updates.

Can you tell what is going on when the high CPU utilisation takes place?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
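To answer the "what is going on when it happens" question with data, the following added example (not part of the thread and not Symantec code) samples each ccSvcHst.exe instance, marks which one hosts SepMasterService, and logs per-interval CPU so spikes can be lined up against scan and update schedules. The interval, sample count and log path are assumed values.

```powershell
# Added diagnostic sketch: per-instance CPU sampling for ccSvcHst.exe.
# Interval, sample count and log path are assumptions; adjust as needed.
param(
    [int]$IntervalSeconds = 5,
    [int]$Samples = 12,
    [string]$LogPath = "$env:TEMP\ccsvchst-cpu.csv"   # hypothetical output file
)

$cores = [Environment]::ProcessorCount

# PID of the instance that hosts the SepMasterService service (name from the thread).
$svc = Get-CimInstance Win32_Service -Filter "Name='SepMasterService'" -ErrorAction SilentlyContinue
$servicePid = if ($svc) { $svc.ProcessId } else { $null }

function Get-CcSvcHstSnapshot {
    # Map PID -> cumulative CPU seconds and session ID for every running instance.
    # Win32_Process reports kernel and user time in 100-nanosecond units.
    $snap = @{}
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name='ccSvcHst.exe'") {
        $snap[$p.ProcessId] = [pscustomobject]@{
            CpuSeconds = ($p.KernelModeTime + $p.UserModeTime) / 1e7
            SessionId  = $p.SessionId
        }
    }
    return $snap
}

$previous = Get-CcSvcHstSnapshot
for ($i = 0; $i -lt $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-CcSvcHstSnapshot
    foreach ($id in $current.Keys) {
        if (-not $previous.ContainsKey($id)) { continue }   # instance started mid-window
        $delta = $current[$id].CpuSeconds - $previous[$id].CpuSeconds
        [pscustomobject]@{
            Time       = (Get-Date).ToString('s')
            ProcessId  = $id
            SessionId  = $current[$id].SessionId
            Role       = if ($id -eq $servicePid) { 'SepMasterService' } else { 'user session' }
            CpuPercent = [math]::Round(100 * $delta / ($IntervalSeconds * $cores), 1)
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    $previous = $current
}
```

CpuPercent is normalised across all logical processors, so one fully busy core on a four-core machine shows as 25.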

San1985's picture

Thanks Rafeeq. Is there any article for this?

Hi Brian81, some hard drive impact on the clients for periods of time and this .exe.

.Brian's picture

But do you know if it happens during scan or during updates, or??

Do you have a lot of exceptions in place? This could have an effect as well.

 


San1985's picture

Hi Brian81,

Recently we have not added any exceptions; we have 15 to 20 exceptions.

.Brian's picture

That is not enough to cause a problem. Is this constant or does it happen only at certain times?


sandra.g's picture

It is correct that CCSvcHst.exe replaced RTVScan as the 'workhorse' application for 12.1.

My first thought is the scanning of compressed files. When they are scanned they are unpacked to X number of levels (3 is the default, I think) by the decomposer engine, which will take some processing power, as you might imagine. If you recently created a lot of archive files and they are in a directory that is being scanned--or a lot of archive files are being copied to the computer and being scanned by Auto-Protect--then this could explain what's happening.

You're also using an older build. SEP 12.1 RU2, for example, has the following fix:

High CPU usage of ccSvcHst.exe process
Fix ID: 2707848
Symptom: The Symantec Endpoint Protection service (ccSvcHst.exe) consumes 100% of one CPU during a scan.
Solution: Modified the Decomposer component to prevent a condition where the scanner could become stuck on a malformed archive file.

Most current release is 12.1 RU3 (12.1.3). You can check the fix notes for that release and for 12.1 RU2 MP1 (12.1.2.1) here.

Edit to add:

I have read like this below regarding ccsvchst.exe*32 file, but we are not using the norton software suite.. we are using only Symantec Endpoint Protection Manager.

(Bolding mine.) If you don't have the SEP client installed, that machine is not protected against threats. Or is this a mistype?

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

SameerU's picture

Hi

Please upgrade to SEP 12.1.3 as there are many fixes

Regards

 

.Brian's picture

Like what SameerU? Could you please provide a little more description to your statement? This will be helpful for all reading this thread.

Thanks,
Brian


hforman's picture

This is not always the fault of the a/v. Especially if your realtime scan is set to run when files are accessed, any new application on your system that touches a large number of files can cause this to seem like the realtime scan is constantly running. For example, we had a "discovery agent" running for some other software to see what files/applications were out there and that would cause the realtime a/v scan to be running a lot. Also, try to make sure LARGE files are excluded from the realtime scan. You can also eliminate some realtime scanning using Insight and the Insight cache utility.

 

Howie

 

hforman's picture

By the way, I would strongly suggest going to 12.1 RU3. Make sure you don't have 12.1 RU2 MP1 as there are reported performance issues with TEEFER in that particular release, fixed in the RU3 version.