SEP11 and CPU usage on Virtual Machines

Since deploying Symantec Endpoint Protection (SEP) 11 MR2 MP1, I’ve been fielding complaints from the System Administrator that the virtual machines are running 20-30% higher in total CPU usage than before the upgrade. He says that SMC.exe, a SEP11 process, is the culprit. SMC.exe is the process for administrative communication, so it seems odd that it would be constantly using so much CPU.
I first checked the Symantec Forums (forums.symantec.com) and found some people with the same problem but no solutions.
First I found an old problem. It seems that in the initial release, when no user is logged in, SMC.exe would average 50% of the CPU. It’s my guess that this is only partially fixed. It looks to me like with MR2, when a user is logged in, CPU usage for SMC.exe is 0-10%, and with no user logged in it is 10-20%. The SA doesn’t agree with my assessment due to some spikes in SMC, but I think those spikes are explainable by definition downloads or spikes right after logging in.
People in the forums also suggested turning things off. The problem is most of those things are already off in my environment. I don’t believe in tamper protection. Proactive Threat Protection shouldn’t be installed on servers either. I did turn off location awareness which I wasn’t using anyway, and the application monitoring. I also changed the communications from push to pull and from every 5 minutes to every 60 minutes.
Nothing I changed helped. I even tried upgrading a server to MR3 to see if that would help.
Having done all I could, I opened a case with Symantec. At this point, the case has been open over a week. I’ve gathered logs for them, but there hasn’t been a resolution yet.

3 Comments

  1. Roger,
    I manage my company’s Symantec AV solution and I just upgraded to SEP11 from SAV10 thinking it would solve all of my high CPU utilization problems and it just hasn’t. I do have most options disabled like you do with the exception of Proactive Threat Protection.
    I don’t know why, but it is more of a problem that affects my laptop users than any other kind of user. Sometimes the logins take several minutes and this is on pretty quick Dell Latitude series laptops! I would love a solution for this problem, but I think an entirely different AV solution may be the real answer.

  2. I wish I’d pushed harder for Sophos instead of being afraid of change. Now I’m into Symantec for 3 more years.
    I went from having no AV on my Vista laptop to having SEP11. It was amazing how much slower the boot and shut down is.

  3. Hey Ray, I was wondering if Symantec ever resolved your issue, or did you go with a different AV? I am having similar issues with my Windows Server 2008 VM.
