COH32.exe uses high percentage of CPU
Workstation slows down
Tasks freeze or delay
Process usage shows coh32.exe utilizing 90-100% CPU for extended periods
Unknown processes are repeatedly scanned.
This can also occur if the Proactive Threat Protection Scan Frequency was set to scan new processes immediately, even if the option was later set to "At the default scanning frequency". If the check mark is left for "Scan new processes immediately", it can cause processes to be scanned continuously.
Add custom scripts and applications (especially those developed by the customer in-house) to the force detection list and then add a TruScan Centralized Exception to ignore/log only these processes.
Forcing a process to be detected by TruScan so that an exception can be made requires two steps:
1.) Force TruScan to detect the process.
2.) Add the appropriate exception to the detected process.
Follow the steps below by first selecting Process to force process detection, and then again, selecting Detected Processes to add the exception.
1. Log into the SEPM and click Policies.
2. Under View Policies click Centralized Exceptions.
3. Under Tasks click Add a Centralized Exception policy... This will create and open a new Centralized Exceptions Policy.
4. In the left pane, click Centralized Exceptions.
5. Click the Add button to open a drop-down menu. Move the cursor over TruScan Proactive Threat Scan Exceptions to open a second drop-down menu.
6. Select one of the two options: Detected Processes, Process.
7. Note: If you are unsure about what type of exception to make, please see the chapter entitled "Configuring Centralized Exceptions Policies" in the "Administration Guide for Symantec™ Endpoint Protection and Symantec Network Access Control".
8. Enter the appropriate information for the detected processes, or process you would like to exclude.
9. (Optional) Repeat steps 5 through 7 to add any other TruScan Proactive Threat Scan Exceptions you would like to the policy.
10. (Optional) Follow the appropriate steps under "Creating exceptions for Antivirus and antispyware scans" or "Creating exceptions for Tamper Protection scans" to add those types of exceptions to this policy.
11. Click OK.
Document ID: 2008030423280248
Title: 'Making exceptions using centralized exception policies in Symantec Endpoint Protection Manager.'
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008030423280248?Open&seg=ent
By default, TruScan does not automatically document unknown processes. If it cannot find a reason to white list the process or alert on the process, it merely keeps rescanning it. Forcing custom application processes to be detected will add them to the detected application list and known good/internal applications can then be excluded/white-listed.