Endpoint Protection

  • 1.  Heavy network traffic

    Posted Jan 28, 2025 03:48 AM

    Hello All,

    Please help,

    We noticed heavy network traffic every hour in our network.

    There is a small communication between every single PC and domain controller (about 30MB) which totals several tens of GB.

    It utilizes the DC servers' CPU to 100% and network interface.

    It seems that SEP client starts some Group policy task.

    We found in GPO debug the action invoked by SEP process

    GPSVC(d0c.2db0) 10:24:30:044 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 0, dwTimeout = 0, currentProcessId = 3340, processImageName = C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.10158.8000.105\Bin64\ccSvcHst.exe

    GPSVC(d0c.25c8) 09:24:52:672 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 0, dwTimeout = 0, currentProcessId = 3340, processImageName = C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.10158.8000.105\Bin64\ccSvcHst.exe

    GPSVC(d0c.1500) 08:25:03:052 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 0, dwTimeout = 0, currentProcessId = 3340, processImageName = C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.10158.8000.105\Bin64\ccSvcHst.exe

    Thank you,
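
An added example, not part of the original post and not Broadcom code: a short Python script that groups the `RefreshPolicyForPrincipal` entries of a GPSVC debug log by calling process and measures the interval between refreshes, which makes the hourly cadence from `ccSvcHst.exe` visible. The function names and the `gpupdate.exe` line are constructed for illustration, and all timestamps are assumed to fall on the same day.

```python
import re
from collections import defaultdict
from datetime import timedelta

# The three entries quoted in the post above (time of day only, no date).
POST_LINES = r"""
GPSVC(d0c.2db0) 10:24:30:044 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 0, dwTimeout = 0, currentProcessId = 3340, processImageName = C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.10158.8000.105\Bin64\ccSvcHst.exe
GPSVC(d0c.25c8) 09:24:52:672 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 0, dwTimeout = 0, currentProcessId = 3340, processImageName = C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.10158.8000.105\Bin64\ccSvcHst.exe
GPSVC(d0c.1500) 08:25:03:052 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 0, dwTimeout = 0, currentProcessId = 3340, processImageName = C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.10158.8000.105\Bin64\ccSvcHst.exe
"""
# Constructed line (not from the post): a one-off manual refresh for contrast.
CONSTRUCTED_LINE = r"GPSVC(d0c.1a2c) 09:40:11:301 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 0, dwTimeout = 0, currentProcessId = 5120, processImageName = C:\Windows\System32\gpupdate.exe"
SAMPLE = POST_LINES.splitlines() + [CONSTRUCTED_LINE]

# Matches RefreshPolicyForPrincipal entries in the format quoted in the post.
LINE_RE = re.compile(
    r"GPSVC\([0-9a-f]+\.[0-9a-f]+\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+"
    r"RefreshPolicyForPrincipal: Entering with .*?"
    r"currentProcessId = \d+, processImageName = (?P<image>.+?)\s*$"
)

def refresh_callers(lines):
    """Map each calling image path to the sorted times it requested a refresh."""
    calls = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # every other GPSVC debug line is ignored
            calls[m["image"]].append(timedelta(
                hours=int(m["h"]), minutes=int(m["m"]),
                seconds=int(m["s"]), milliseconds=int(m["ms"])))
    return {image: sorted(times) for image, times in calls.items()}

def refresh_gaps_minutes(lines):
    """Per caller, the rounded gaps in minutes between consecutive refreshes."""
    return {
        image: [round((b - a).total_seconds() / 60)
                for a, b in zip(times, times[1:])]
        for image, times in refresh_callers(lines).items()
    }

if __name__ == "__main__":
    for image, gaps in refresh_gaps_minutes(SAMPLE).items():
        # A caller with several near-identical gaps is refreshing on a timer.
        print(f"{image}: gaps in minutes = {gaps}")
```

Run against a full debug log from one client, a caller whose gaps are all close to the same value is the one driving the periodic policy refresh.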



  • 2.  RE: Heavy network traffic

    Broadcom Employee
    Posted Jan 29, 2025 02:28 AM
    Edited by Russ_V Jan 29, 2025 02:36 AM

    Hi Tomasz, 

    Thanks for reaching out.  

    We saw a similar issue in On Prem SEP client version 14.3 RU7 per kb: 
    https://knowledge.broadcom.com/external/article/269665/gpo-events-1502-generated-every-5-minute.html

    However, that issue was resolved in 14.3 RU8 Build 10101, as mentioned in the above kb. 

    From what I can tell, you're running 14.3 RU8 Patch 1, which would have the earlier fix provided, so this may either be a repeat issue or a completely new issue altogether. 

    To better assist you kindly open a case up with Support and gather the following data simultaneously during the issue for review: 

    #1. Enable verbose WPP logging per kb:
    https://knowledge.broadcom.com/external/article/176312/how-to-collect-verbose-wpp-logs-for-endp.html 
    NOTE: In step 7, increase the log size from 500 mb to 2048 mb to ensure we get enough data logged

    #2. Run ProcMon (standard log) per kb: https://knowledge.broadcom.com/external/article/177543/process-monitor-for-standard-log-and-for.html

    Run both tools together simultaneously while the issue is reproducing for only 3-5 minutes and then zip up the data and upload it to the case. 

    NOTE: A Windows Performance Recorder trace could also be useful per kb: 
    https://knowledge.broadcom.com/external/article/169923/data-to-gather-for-support-for-high-cpu.html

    Lastly, as a temporary workaround you could try the steps mentioned in the 1st kb shared above, or open Run and type in smc -stop and then enter to disable SEP to see if that helps.

    Best,

    Russ_V