- An Expert Rule with both the Execute operation and the Approve action causes a significant performance impact
  - Execute operations are stalled until the agent confirms the file is approved or allowed
  - The Approve action forces the agent to analyze the file, which is time consuming and CPU intensive
  - Combining Execute with Approve will significantly slow down any running application that matches the rule
- Using the Execute action "Allow and Promote" can unnecessarily elevate nested processes, which causes unintended local approvals of files
  - Allow and Promote should not be used unless a very specific situation is encountered, such as a multi-layered software install where a parent process creates and executes a child process, which then creates and executes another child process
- A File Creation rule, or an Expert Rule with Write/Modify operations, combined with a custom Yara Tag will cause poor performance and high CPU
  - A custom Yara Tag combined with a Write/Modify operation forces the agent to analyze a file before it has been written to disk
  - File Creation rules should only use the provided pre-built Yara Tags listed in the following doc
  - Custom Yara Tags should only be used within Execution Control rules
- A File Creation rule, or an Expert Rule with Write/Modify operations, combined with a file properties Macro will cause poor performance and high CPU
  - A file properties Macro combined with a Write/Modify operation forces the agent to analyze the file before it has been written to disk
  - Macros on the list below should only be used in Execution Control rules or Expert Rules with Execute operations:
    '<Sha256:', '<CertIssuer:', '<CertSerial:', '<CertSHA1:', '<CertMD5:', '<OnlyIf:BuildAttributes:',
    '<OnlyIf:BuildTime:', '<OnlyIf:PrivateBuild:', '<OnlyIf:SpecialBuild:', '<OnlyIf:Comments:', '<OnlyIf:Company:',
    '<OnlyIf:Copyright:', '<OnlyIf:Description:', '<OnlyIf:FileType:', '<OnlyIf:FileVersion:', '<OnlyIf:Language:',
    '<OnlyIf:Manufacturer:', '<OnlyIf:OriginalName:', '<OnlyIf:PackageCode:', '<OnlyIf:ProductName:', '<OnlyIf:ProductCode:',
    '<OnlyIf:ProductVersion:', '<OnlyIf:TargetOS:', '<OnlyIf:UpgradeCode:', '<OnlyIf:AboutURL:', '<OnlyIf:HelpURL:', '<OnlyIf:UpdateURL:'
- An Expert Rule using the Open/Read operations can hurt performance and should be avoided
  - Open/Read operations are generally not considered interesting by the agent
  - Open/Read operations can still be used in an Expert Rule with the Ignore action
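The following linter, added here as an example and not part of the original page or of the product, checks a set of rule definitions against every performance anti-pattern listed above (Execute+Approve, Allow and Promote, Write/Modify with a custom Yara Tag or a file properties Macro, and Open/Read without Ignore). The dict shape of each rule, the sample rule names, patterns and actions are assumptions constructed for the example, not an export format of the console.

```python
# Macros listed on this page: only for Execution Control rules or Execute-operation Expert Rules.
FILE_PROPERTY_MACROS = (
    "<Sha256:", "<CertIssuer:", "<CertSerial:", "<CertSHA1:", "<CertMD5:",
    "<OnlyIf:BuildAttributes:", "<OnlyIf:BuildTime:", "<OnlyIf:PrivateBuild:",
    "<OnlyIf:SpecialBuild:", "<OnlyIf:Comments:", "<OnlyIf:Company:", "<OnlyIf:Copyright:",
    "<OnlyIf:Description:", "<OnlyIf:FileType:", "<OnlyIf:FileVersion:", "<OnlyIf:Language:",
    "<OnlyIf:Manufacturer:", "<OnlyIf:OriginalName:", "<OnlyIf:PackageCode:", "<OnlyIf:ProductName:",
    "<OnlyIf:ProductCode:", "<OnlyIf:ProductVersion:", "<OnlyIf:TargetOS:", "<OnlyIf:UpgradeCode:",
    "<OnlyIf:AboutURL:", "<OnlyIf:HelpURL:", "<OnlyIf:UpdateURL:",
)

def uses_file_property_macro(pattern):
    """True if a path/process pattern contains any macro from the list above."""
    return any(macro in pattern for macro in FILE_PROPERTY_MACROS)

def lint_rule(rule):
    """Return the performance findings for one rule as short strings.
    `rule` is a plain dict (assumed shape for this example): operations (list of str),
    action (str), pattern (str), custom_yara (bool)."""
    ops = set(rule.get("operations", []))
    action = rule.get("action", "")
    pattern = rule.get("pattern", "")
    findings = []
    if "Execute" in ops and action == "Approve":
        findings.append("Execute+Approve: executions stall until file analysis completes")
    if action == "Allow and Promote":
        findings.append("Allow and Promote: elevates nested processes; reserve for layered installers")
    if ops & {"Write", "Modify"} and rule.get("custom_yara", False):
        findings.append("Write/Modify+custom Yara Tag: file analyzed before it is written to disk")
    if ops & {"Write", "Modify"} and uses_file_property_macro(pattern):
        findings.append("Write/Modify+file property Macro: file analyzed before it is written to disk")
    if ops & {"Open", "Read"} and action != "Ignore":
        findings.append("Open/Read without Ignore: agent does not consider Open/Read interesting")
    return findings

def lint_rules(rules):
    """Map rule name -> findings, omitting rules that have none."""
    return {r["name"]: f for r in rules if (f := lint_rule(r))}

# Constructed sample rules: one per anti-pattern plus one acceptable Open/Read+Ignore rule.
SAMPLE_RULES = [
    {"name": "approve-tools", "operations": ["Execute"], "action": "Approve", "pattern": r"C:\Tools\*"},
    {"name": "installer", "operations": ["Execute"], "action": "Allow and Promote", "pattern": r"*\setup.exe"},
    {"name": "drop-yara", "operations": ["Write"], "action": "Report", "pattern": r"*\Downloads\*", "custom_yara": True},
    {"name": "drop-cert", "operations": ["Modify"], "action": "Report", "pattern": "<CertIssuer:Example Corp>*"},
    {"name": "noisy-read", "operations": ["Read"], "action": "Report", "pattern": r"*\*.docx"},
    {"name": "quiet-read", "operations": ["Open", "Read"], "action": "Ignore", "pattern": r"*\*.tmp"},
]

if __name__ == "__main__":
    for name, findings in lint_rules(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```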