You experience intermittent 100% CPU usage by ccSvcHst.exe in a virtual machine with a single CPU core and Symantec Endpoint Protection (SEP) 12.1 or 14.0 (MP1, MP2). This lasts for about 5 to 7 minutes.
SEP 12.1 (any version)
SEP 14.0 (MP1, MP2)
While internal testing did not reveal any performance issue on single core virtual servers, it was determined empirically that unknown environmental conditions on such a system may cause the RegSetValueExA Windows API function to finish 10000 times more slowly than normal. Because SEP waits for the completion of this API call in an endless loop, it results in high CPU usage (for single core systems only). The delay amounts to 6 minutes.
You may be able to pinpoint the exact root cause for the Windows API function delay in your environment by using Microsoft's clean boot procedure to your advantage:
Disable all non-Microsoft services and startup items but the bare essentials, i.e. Symantec services and VMware Tools.
Enable non-Microsoft services and start-up items one by one, rebooting every time and determining whether or not the issue can still be reproduced.
When the issue can be reproduced again, it can be assumed the last service or startup item you re-enabled is the culprit. If feasible, this can then be disabled on all other single CPU (core) servers as well.
This issue has been resolved in Symantec Endpoint Protection 14 RU1, by preventing the endless loop that lead to the high CPU usage. Alternatively, adding another core to the virtual machine will avoid the issue.
Subscribing will provide email updates when this Article is updated. Login is required.