On a very busy file server with SEP 14 installed, the ccsvchst.exe process shows high CPU consumption over time, usually within the span of 1 week from a restart of the services or the computer.
With file reputation submission enabled, SEP is required to enumerate and keep track of all short-lived processes the file server generates. Therefore, over time (~ 1 week), the ccsvchst.exe process will consume a large amount of CPU, > 95%.
There are two viable solutions:
1. Rename the file atpieim.dll on the affected endpoint. This is a per-endpoint solution. The function of atpieim.dll is to submit file reputation data to Symantec.
   a. Disable Tamper Protection.
   b. Run 'smc -stop'.
   c. Rename 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\AtpiEim.dll' to something different, e.g. AtpiEim.old.
   d. Run 'smc -start'.
   e. Re-enable Tamper Protection.
2. If there are multiple endpoints affected, disable file reputation submission via policy.
With either of the two methods above, the end result is that file reputation data submission to Symantec is disabled, which removes the need for SEP to enumerate and keep track of all processes generated on a busy file server.
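
The per-endpoint rename from solution 1, sketched in PowerShell as an added example (not Symantec's own script). It assumes Tamper Protection has already been disabled in the client and that smc.exe resolves via PATH (the $SmcExe parameter is an assumption; pass a full path otherwise), and it always restarts the client so a failed rename does not leave the endpoint with SEP stopped.

```powershell
#Requires -RunAsAdministrator
# Added example: stop SEP, rename AtpiEim.dll, restart SEP.
# Assumption: Tamper Protection was disabled in the client beforehand.
param(
    [string]$SepDir = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection',
    [string]$SmcExe = 'smc.exe'   # assumption: on PATH; otherwise pass the full path
)
$ErrorActionPreference = 'Stop'

$dll = Join-Path $SepDir 'AtpiEim.dll'
$old = Join-Path $SepDir 'AtpiEim.old'

# Make the script safe to re-run: do nothing if the workaround is already applied.
if (-not (Test-Path -LiteralPath $dll)) {
    if (Test-Path -LiteralPath $old) {
        Write-Output 'AtpiEim.dll is already renamed; nothing to do.'
        return
    }
    throw "AtpiEim.dll not found in $SepDir"
}
if (Test-Path -LiteralPath $old) {
    throw "$old already exists; remove or rename it before running this script."
}

$renamed = $false
try {
    & $SmcExe -stop
    # The DLL can stay locked for a moment after the client stops, so retry.
    foreach ($attempt in 1..5) {
        try {
            Rename-Item -LiteralPath $dll -NewName 'AtpiEim.old'
            $renamed = $true
            break
        } catch {
            Start-Sleep -Seconds 3
        }
    }
}
finally {
    # Restart the client whether or not the rename worked.
    & $SmcExe -start
}

if (-not $renamed) {
    throw 'Rename failed; check that Tamper Protection is disabled and the file is not in use.'
}
Write-Output 'AtpiEim.dll renamed to AtpiEim.old. Re-enable Tamper Protection now.'
```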