Endpoint Protection

Hi,

What does ccsvchst.exe*32 do for Symantec, recently we have seeing that  ccsvchst.exe*32 high CPU utilization , recently we didn't change any SEP policies.

We have SEPM server with SEP 12.1 RU1 MP1 and same as for clients also.

Please someone guide me how to overcome this issue.

I have read like this below regarding ccsvchst.exe*32 file, but we are not using the norton software suite.. we are uisng only Symantec Endpoint Protection Manager .

The ccsvchst.exe file is automatically added to your computer upon installing the Norton software, and it is referred to as the Symantec Service Framework. The ccsvchst.exe file works to display the GUI (Graphical User Interface) of Norton products, which usually include the Norton security Suites.

Thats the rtvscan. in 12.1. All the real time scan is taken care by this process

The RTVScan.exe functionality is now provided by the SepMasterService service. The image name for this service is now ccSvcHst.exe. Note that there are multiple ccSvcHst.exe instances running on your computer. The SepMasterService service requires one instance, and an additional instance is required for each user session.

You may see high CPU utilisation by this process when scans are run or even during updates.

Can you tell what is going on when the high CPU utilisation takes place?

Thanks Rafeeq .. is there any article for this ??

Hi Brian81..Some hard drive impact on the clients for periods of time and this .exe.

But do you know if it happens during scan or during updates, or??

Do you have a lot of exceptions in place? This could have an effect as well.

As  confirmed by Paul its now ccsvchst.exe

https://www-secure.symantec.com/connect/forums/sep-121-scan-bar#comment-5937741

https://www-secure.symantec.com/connect/forums/processes-taskmager-sep-121-scanning

are u seeing issues with Citrix servers?

Hi Brian81,

Recently we have not  add any exceptions , we have 15 to 20 exceptions .

Can you check if the AV policy , if its set to Scan when file is accessed or modified?

http://www.symantec.com/business/support/index?page=content&id=TECH197809

That is not enough to cause a problem. Is this constant or does it happen only at certain times?

It is correct that CCSvcHst.exe replaced RTVScan as the 'workhorse' application for 12.1.

My first thought is the scanning of compressed files. When they are scanned they are unpacked to X number of levels (3 is the default, I think) by the decomposer engine, which will take some processing power, as you might imagine. If you recently created a lot of archive files and they are in a directory that is being scanned--or a lot archive files are being copied to the computer and being scanned by Auto-Protect--then this could explain what's happening.

You're also using an older build. SEP 12.1 RU2, for example, has the following fix:

High CPU usage of ccSvcHst.exe process

Fix ID: 2707848

Symptom: The Symantec Endpoint Protection service (ccSvcHst.exe) consumes 100% of one CPU during a scan.

Solution: Modified the Decomposer component to prevent a condition where the scanner could become stuck on a malformed archive file.

Most current release is 12.1 RU3 (12.1.3). You can check the fix notes for that release and for 12.1 RU2 MP1 (12.1.2.1) here.

Edit to add:

I have read like this below regarding ccsvchst.exe*32 file, but we are not using the norton software suite.. we are uisng only Symantec Endpoint Protection Manager.

(Bolding mine.) If you don't have the SEP client installed, that machine is not protected against threats. Or is this a mistype?

sandra

Hi

Please upgrade to SEP 12.1.3 as there are many fixes

Regards

Like what SameerU? Could you please provide a little more description to your statement? This will be helpful for all reading this thread.

Thanks,
Brian

This is notn always the fault of the a/v.  Especially if your realtime scan is set to run when files are accessed, any new application on your system that touches large number of files can cause this to seem like the realtime scan is constantly running.  For example, we had a "discovery agent" running for some other software to see what files/appl,ications were out there and that would cause the realtime a/v scan to be running a lot. Also, try to make sure LARGE files are excluded from the realtime scan.  You can also eliminate some realtime scanning using Insight and the Insight cache utility.

Howie

By the way, I would strongly suggest going to 12.1 RU3.  Make sure you don't have 12.1 RU2 MP1 as there are reported performance issues with TEEFER in that particulr release, fixed in the RU3 version.