Increased server backlog or large growth of the filenames tables was caused by large number of PowerShell temp files

• App Control Windows Agent: All Supported Versions
• App Control Console: All Supported Versions

PowerShell creates variety of temp files that never execute, tracking such activity can cause the filenames table to fill up and the server backlog to increase significantly.

1. If PowerShell blocks of temp files are observed, please check the Custom Rule for the psscriptpolicytest files solution
2. Navigate to https://ServerAddress/Shepherd_config.php
3. Select the Property > "ABExclusionRules". 
   • If a Value currently exists, copy & paste this to the end:

     |;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3

   • If a Value does not currently exist, copy & paste this:

     ;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3
     

4. Click Change to apply the new ABExclusion

• This ABExclusion rules instructs the agents to not send Files and Events related to specific PowerShell .ps1 temporary files to the server
• Agents still track all PowerShell activity and store it in the local database cache
• Trailing/Proceeding spaces are not supported in ABExclusion rule
• ABExclusions are separated by the pipe character: |
• A large number of the PowerShell temp files are related to the Windows validating if certain functionality has been enabled such as AppLocker
• More information can be found here: https://learn.microsoft.com/en-us/archive/msdn-technet-forums/c080aa5a-b6a0-4e57-b856-42bded59509e