PHPKB Knowledge Base Software Logo  
Guru Corner
Online Knowledgebase System  
Knowledge Base Home Knowledge Base Home
Home > All Categories > Symantec > Endpoint Protection (AntiVirus) > Terminal Server resources are consumed by multiple instances of Symantec Endpoint Protection processes
Question Title Terminal Server resources are consumed by multiple instances of Symantec Endpoint Protection processes


When SEP (Symantec Endpoint Protection) is installed, Citrix and other Terminal Servers slow down or become unresponsive. There may be multiple SEP system tray icons and/or the Task Manager Process List indicates multiple instances of SEP processes.

Symptoms include one or more of the following, usually increasing as additional clients log onto a Terminal Server

  • High CPU utilization
  • Multiple instances of the following processes: SmcGui.exe, ccApp.exe, ProtectionUtilSurrogate.exe (64 bit only)
  • Duplicate SEP system tray icons (on the server; see Note in Solution below for duplicate icons on a Terminal Server client)
  • Hourglass that won't go away on logged in clients (this was specifically because they don't show the icon as part of their policies)



This problem was fixed in Symantec Endpoint Protection 11.0 Maintenance Release 3.


Upgrade to Symantec Endpoint Protection 11.0 Maintenance Release 3 or newer.

In addition to upgrading, SmcGui must be disabled (to avoid multiple instances of that process and the SEP tray icon) by adding the following DWORD registry value on the Terminal Server:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\LaunchSmcGui = 0

To further optimise memory, you can prevent ccApp from loading: Browse to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (for 64bit servers this is HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run), find the ccApp entry and delete it

When disabling SmcGui, the following functionality is also disabled:

  • No SEP icon on the system tray
  • No ability to open the system logs from the client GUI
  • No ability to see the firewall or SNAC status from the GUI (most customers will not install a firewall on their Terminal Server)
  • No startup scans
  • No delayed threat detection notifications
  • No missing or out of date definition notifications
  • Clients do not display all information in the Help & Support > Troubleshooting > General Information (Server, Group, Location, Policy serial number, etc)
  • Clients locally show as Offline on the Help & Support > Troubleshooting > General Information view. In reality the client is still forwarding stateful information and log data to the Symantec Endpoint Protection Manager (SEPM).
  • Clients do not show the Logon Client status on the SEPM client status view.

The following is a list of the features that are lost after disabling ccApp:

  • Internet Email Scanning

Note: Duplicate SEP system tray icons in the local system tray of a Terminal Server client may be the result of a Citrix feature called Seamless Desktop Integration, where server resources are made to appear as if they are running on the client. See Symantec Endpoint Protection: Duplicate system tray icons appear on Terminal Server Client for each connection to a Citrix Server.
Authored by: Guru Corner
Click Here to View all the questions in Endpoint Protection (AntiVirus) category.
File Attachments File Attachments
There are no attachment file(s) related to this question.
Article Information Additional Information
Article Number: 139
Created: 2011-02-20 12:06 PM
Rating: No Rating
Article Options Article Options
Print Question Print this Question
Export to Adobe PDF Export to PDF File
Export to MS Word Export to MS Word
Search Knowledge Base Search Knowledge Base

Powered by Guru Corner