Endpoint Protection

 View Only
Expand all | Collapse all

Process ccSvtHst.exe slowing system performance

Chetan Savade

Chetan SavadeJan 23, 2014 10:35 AM

ℬrίαη

ℬrίαηJan 23, 2014 12:24 PM

Migration User

Migration UserJan 24, 2014 02:14 AM

  • 1.  Process ccSvtHst.exe slowing system performance

    Posted Jan 22, 2014 11:03 PM
      |   view attached

    I have SEP 12.1.2015.2015 installed. Recently my computer slowed to a standstill, which seemed to be due to a process ccSvtHst.exe, which was using upwards of 500M of my processor. I ran a program called Process Monitor to record what it was doing and saved this to a file (attached), but I need someone to look at it and figure out what that was and how I can prevent it from happening again. Could you please help?

    Attachment(s)

    XML
    Logfile [2014.1.22].XML   3.50 MB 1 version


  • 2.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 22, 2014 11:32 PM

    I suggest you can upgrade your sep client 12.1.2 to sep 12.1.4.

    see this thread

    http://www.symantec.com/connect/forums/cpu-utilization-100-used-after-installing-sepm-121

    http://www.symantec.com/connect/forums/what-does-ccsvchstexe32-do-symantec

     

     

    Upgrading or migrating to Symantec Endpoint Protection 12.1.4 (RU4)

     

    Article:TECH211821  |  Created: 2013-10-23  |  Updated: 2013-11-05  |  Article URL http://www.symantec.com/docs/TECH211821

     



  • 3.  RE: Process ccSvtHst.exe slowing system performance

    Broadcom Employee
    Posted Jan 22, 2014 11:41 PM

    is it happening during the def update ?

    i suggest to open a support ticket

    is it happening on all the clients?

     can you upgrade one of the client to see if the issue doe not exist with Ru4.



  • 4.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 23, 2014 04:14 AM

    Hi

    Is it happening after definitions update ?

    Regards

     



  • 5.  RE: Process ccSvtHst.exe slowing system performance

    Broadcom Employee
    Posted Jan 23, 2014 10:35 AM

    How many clients are affected?

     



  • 6.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 23, 2014 10:43 AM

    It looks to be related to virus definitions updating. Can you confirm from the System Log on the SEP client?



  • 7.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 23, 2014 12:19 PM

    I checked the logs and a new definition file was loaded at 9:59p and a Defwatch Quickscan started at 10:00p and ended at 10:21p. There's also an event "Reputation check timed out" recorded at 10:21p.

    Of note, the period of activity which I captured using Process Monitor runs from 10:22-10:26p. My computer had been running very slowly for at least 10 or so minutes prior to this (I can't recall the exact period of time).

    In response to some of the other questions asked, I have SEP installed on my computer which is the only one it runs on, so I suppose my computer is the only "client" (I think). I've upgraded to SEP 12.1.4013.4013 and will continue to monitor the CPU and memory usage.

    Several months ago I had been having problems with the Defwatch Quickscan seeming to run and slow my computer every time new definitions were updated. I changed a setting in the registry to disable this, which seemed to fix the issue, at least until now. I would prefer if there's a way for me to have the scans run only when I schedule them rather than at whatever time new definitions happen to be loaded. Is there a way I can do this?

     



  • 8.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 23, 2014 12:24 PM

    Is this an unmanaged SEP client?



  • 9.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 24, 2014 02:14 AM

    Yes, I believe so.



  • 10.  RE: Process ccSvtHst.exe slowing system performance

    Broadcom Employee
    Posted Jan 24, 2014 03:55 AM

    Hi,

    Change registry value for EnableDefwatchQuickscan and monitor the result. 

    I am guessing this might be the location.on unmanaged client.

    Screenshot is attached to the reference.

     

    Quickscan.jpg



  • 11.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 24, 2014 08:57 PM

    I tried to set this value to 0 but got an "Error Editing Value" saying that it couldn't change the value. I'm the administrator and have full permissions so I'm not sure why this is happening.

    Also, the DefWatch QuickScan ran again tonight immediately following when new definitions were downloaded, again bringing my system to a slow crawl.



  • 12.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 24, 2014 09:00 PM

    You need to disable tamper protection first in order to edit reg keys for SEP



  • 13.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 24, 2014 09:05 PM

    I had disabled SEP before trying to edit it, thinking that would be sufficient, but apparently it isn't. When I specifically disabled tamper protection it worked, so thanks. Hoping this'll do the trick...



  • 14.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 24, 2014 09:08 PM

    Yes, tamper protection needs to be disabled, disabling SEP won't do it.



  • 15.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 28, 2014 01:56 AM

    As I mentioned in my post the other day, I changed this setting in the registry to disable the automatic DefWatch scans. Last night I noticed my computer again slowing down, and process ccSvcHst.exe seemed to be to blame.

    Somehow SEP seems to have changed the registry value back to "1" and was running another DefWatch scan...

    Why/how was SEP able to do this and how can I regain control of my computer? I'm tempted to disable automatic definitions downloads; of course, this would somewhat defeat the purpose of having SEP in the first place...



  • 16.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 28, 2014 02:23 AM

    I was looking through my registry and found several other references to Defwatch and Quickscan. E.g.,

    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\Defwatch QuickScan Options
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\Default QuickScan Options

    Are there any other settings in the registry, either in these locations or others, that may be useful in disabling these automatic scans?



  • 17.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 28, 2014 02:34 AM

    If you want to disable scanning after virus defination update.

    Try this and change the registry entry

    You must set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\DefWatchMode=3 (REG_DWORD).

    DefWatchMode
    value  action
    0          Automatically repair and restore files in Quarantine silently
    1          Repair the files in Quarantine silently without restoring
    2          Prompt user
    3          Do nothing

    If you wont be able to modify the registry if the tamper protection is enabled. disable it for a min make the changes

     

    Enabling, disabling, and configuring Tamper Protection in Endpoint Protection on unmanaged Clients

    http://www.symantec.com/business/support/index?page=content&id=TECH102688

     



  • 18.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 28, 2014 02:35 AM


  • 19.  RE: Process ccSvtHst.exe slowing system performance

    Posted Jan 28, 2014 02:56 AM

    James, I've changed that registry value--thanks.

    Rafeeq, I already had most of the modifications suggested in that thread (the ones that pertain to SEP 12.x). I also unchecked the auto-protect option to "Rescan the cache when new definitions are loaded". Thank you as well.

    Any additional suggestions?



  • 20.  RE: Process ccSvtHst.exe slowing system performance

    Posted Feb 03, 2014 12:59 AM

    Despite all the changes I've made, Defwatch has automatically run on three more days after new definitions were loaded....



  • 21.  RE: Process ccSvtHst.exe slowing system performance

    Posted Feb 08, 2014 09:38 PM

    Would someone from Symantec please assist me with this issue? In the meantime I've decided to disable automatic updates. However, this defeats the purpose of having an antivirus program...



  • 22.  RE: Process ccSvtHst.exe slowing system performance

    Posted Feb 08, 2014 09:50 PM

    You're best off opening a case with support. Symantec employees check this forum and lend assistance when they can but if you need immediate help, support is the way to go.