This article describes best practices for configuring Symantec Endpoint Protection (SEP) with Terminal Server and Citrix solutions.
The attached white paper
provides information on the best configuration of Symantec Endpoint Protection in Terminal Server and Citrix environments.
These recommendations apply to Symantec Endpoint Protection 12.1 and 14.
In Symantec Endpoint Protection 12.1 & 14 some processes have changed on the client:
- ccApp.exe and Rtvscan.exe are no longer present. Their functionality has been moved into ccSvcHost.exe.
- SmcGui.exe will only be running if the user launches the Symantec Endpoint Protection GUI and it should only be launched for that user session.
- ccSvcHst.exe handles the system tray icon which is supposed to run in every session.
The start of these multiple instances can be prevented by modifying the registry value for LaunchSmcGui as described in the document.
Prevent the process from starting by changing the registry value:
- Click Start, Run and type "regedit" then click OK
- Browse to the SMC key. In version of SEP older than 12.1 RU5, this is the same location on 32- or 64-bit systems:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
In SEP 12.1.5 (12.1 RU5) and newer on 64-bit systems, LaunchSmcGui and most other SMC keys and values have moved to Wow6432Node:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC
- Find the entry LaunchSmcGui and change it from DWORD 1 to DWORD 0 (add it if it is not already present)
If you are unable to modify the listed registry keys, you can temporarily disable Tamper Protection.
Note: The above registry change will need to be reapplied after a successful upgrade of the client.
SEP 14.0 RTM / 14.0 MP1 have a defect that prevents SEP 14 clients from honoring the LaunchSmcGui 0 registry key value, when correctly set. Multiple instances of ccSvcHst.exe will launch per each user logged onto a Citrix, or Remote Desktop servers. This is fixed in 14 MP2, see KB TECH240297
Imported Document Id