Terminal Server resources are consumed by multiple instances of Symantec Endpoint Protection processes
Last Updated August 07, 2015
When SEP (Symantec Endpoint Protection) is installed, Citrix and other Terminal Servers slow down or become unresponsive. There may be multiple SEP system tray icons, and/or the Task Manager process list may show multiple instances of SEP processes.
Symptoms
Symptoms include one or more of the following, usually increasing as additional clients log on to a Terminal Server:
High CPU utilization
Multiple instances of the following processes: SmcGui.exe, ccApp.exe, ProtectionUtilSurrogate.exe (64-bit only)
Duplicate SEP system tray icons (on the server; see Note in Solution below for duplicate icons on a Terminal Server client)
Hourglass that won't go away on logged-in clients (this was specifically because they don't show the icon as part of their policies)
This problem was fixed in Symantec Endpoint Protection 11.0 Maintenance Release 3.
Upgrade to Symantec Endpoint Protection 11.0 Maintenance Release 3 or newer.
In addition to upgrading, SmcGui must be disabled (to avoid multiple instances of that process and the SEP tray icon) by adding the following DWORD registry value on the Terminal Server:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\LaunchSmcGui = 0
To further optimise memory, you can prevent ccApp from loading: browse to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (on 64-bit servers this is HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run), find the ccApp entry, and delete it.
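The two registry changes above can be applied in one idempotent pass. The script below is an added example, not Symantec's own tooling; the registry paths and value names come from this article, while the -RemoveCcApp switch and the backup file location are hypothetical names chosen for the example.

```powershell
# Added example: applies the two registry changes described in this article.
# Run from an elevated PowerShell session on the Terminal Server.
param(
    [switch]$RemoveCcApp   # hypothetical switch: also delete the ccApp Run entry
)
$ErrorActionPreference = 'Stop'

# Key and value name as given in the article.
$smcKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
# Both Run locations from the article: native, and Wow6432Node on 64-bit servers.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Hypothetical location for a record of what was deleted, so it can be restored.
$backup = Join-Path $env:TEMP 'sep-ccApp-run-backup.txt'

# Step 1: LaunchSmcGui = 0 (DWORD). Refuse to create the SEP key if it is absent,
# since that means SEP is not installed where the article expects it.
if (-not (Test-Path $smcKey)) { throw "SEP SMC key not found: $smcKey" }
New-ItemProperty -Path $smcKey -Name 'LaunchSmcGui' -PropertyType DWord -Value 0 -Force | Out-Null
$current = (Get-ItemProperty -Path $smcKey -Name 'LaunchSmcGui').LaunchSmcGui
Write-Output "LaunchSmcGui = $current"

# Step 2 (optional): remove the ccApp autostart value wherever it exists.
if ($RemoveCcApp) {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $entry = Get-ItemProperty -Path $key -Name 'ccApp' -ErrorAction SilentlyContinue
        if ($null -eq $entry) { continue }      # no ccApp value under this key
        # Record key and original command line before deleting the value.
        Add-Content -Path $backup -Value ("{0}`tccApp`t{1}" -f $key, $entry.ccApp)
        Remove-ItemProperty -Path $key -Name 'ccApp'
        Write-Output "Removed ccApp from $key (original saved to $backup)"
    }
}
```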
When disabling SmcGui, the following functionality is also disabled:
No SEP icon on the system tray
No ability to open the system logs from the client GUI
No ability to see the firewall or SNAC status from the GUI (most customers will not install a firewall on their Terminal Server)
No startup scans
No delayed threat detection notifications
No missing or out of date definition notifications
Clients do not display all information in the Help & Support > Troubleshooting > General Information view (Server, Group, Location, Policy serial number, etc.)
Clients locally show as Offline on the Help & Support > Troubleshooting > General Information view. In reality the client is still forwarding stateful information and log data to the Symantec Endpoint Protection Manager (SEPM).
Clients do not show the Logon Client status on the SEPM client status view.
The following is a list of the features that are lost after disabling ccApp: