App Control: Microsoft Monitoring Agent Creating Many 'File approved' Events

Article ID: 290123


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Microsoft Monitoring Agent is creating an inordinate number of 'File approved (custom rule)' events similar to the following:
File c:\program files\microsoft monitoring agent\agent\health service state\monitoring host temporary files xxx\xxxx\main.cmd was approved due to custom rule
  • 'monitoringhost.exe' is the process creating the events


Environment

  • App Control Server: All Versions
  • App Control Agent: All Versions
  • Microsoft Monitoring Agent

Cause

A large number of OS-level reads are being performed against the System or Application event logs.

Resolution

Add the following 'kernelFileOpExclusions' parameter to address events related to the 'monitoringhost.exe' process:
  1. Open the following URL: https://<appcontrol_servername>/agent_config.php
  2. Select 'Add Agent Config'
  3. Add the following fields:
     a. Property Name: MS monitoringhost.exe 'kernelFileOpExclusions'
     b. Host ID: <host_id of agent machine> (0 for ALL)
     c. Value: kernelFileOpExclusions=*\program files\microsoft monitoring agent\agent\health service state\monitoring host temporary files*\*:2097151
     d. Platform: Windows
     e. Status: Enabled
     f. Create For: (Set as needed)
  4. Select the Save button

Additional Information

  • The 'monitoringhost.exe' process is what each MS server role uses to perform monitoring activities, such as executing a monitor or running a task. For example, when an MS agent subscribes to the event log to read events, it is the 'monitoringhost.exe' process that runs those activities.
  • Adding this parameter limits the number of events the App Control Agent generates by excluding specific operations processed by the driver, in this case all operations except executions, for the matching paths.
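A quick scoping check for the exclusion value in the Resolution, added here as an example and not part of the article or the App Control product: it splits the 'kernelFileOpExclusions' value into its path glob and operation mask, then runs the glob over constructed 'File approved' event lines to confirm that only the Monitoring Host temporary-files paths are excluded before the config is saved with Host ID 0 (all agents). It assumes the agent's `*` wildcard behaves like a shell glob (spanning backslashes); the meaning of the mask's individual bits is not documented here beyond "all operations except executions".

```python
import fnmatch
import re

# The agent-config value exactly as the article gives it: <path glob>:<operation mask>.
KERNEL_FILE_OP_EXCLUSION = (
    r"kernelFileOpExclusions=*\program files\microsoft monitoring agent\agent"
    r"\health service state\monitoring host temporary files*\*:2097151"
)

# Matches the 'File approved (custom rule)' event text quoted in the article.
EVENT_RE = re.compile(r"^File (?P<path>.+?) was approved due to custom rule", re.IGNORECASE)

# Constructed sample events: two from the MMA temporary-files folder, one unrelated path.
SAMPLE_EVENTS = [
    r"File c:\program files\microsoft monitoring agent\agent\health service state"
    r"\monitoring host temporary files xxx\xxxx\main.cmd was approved due to custom rule",
    r"File C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State"
    r"\Monitoring Host Temporary Files 12\345\Main.cmd was approved due to custom rule",
    r"File c:\windows\temp\update.cmd was approved due to custom rule",
]


def parse_exclusion(value: str) -> tuple[str, int]:
    """Split 'kernelFileOpExclusions=<glob>:<mask>' into the glob and its numeric mask."""
    _, _, rhs = value.partition("=")
    glob, _, mask = rhs.rpartition(":")  # rpartition keeps a drive-letter colon inside the glob
    return glob, int(mask)


def path_matches(glob: str, path: str) -> bool:
    """Case-insensitive glob test (assumption: '*' spans any characters, backslashes included)."""
    return fnmatch.fnmatchcase(path.lower(), glob.lower())


def split_events(event_lines: list[str], glob: str) -> tuple[list[str], list[str]]:
    """Return (covered, uncovered) event paths so the exclusion's scope can be confirmed
    before it is pushed to every agent; anything in 'uncovered' is not silenced by it."""
    covered, uncovered = [], []
    for line in event_lines:
        m = EVENT_RE.match(line)
        if m:
            (covered if path_matches(glob, m["path"]) else uncovered).append(m["path"])
    return covered, uncovered


if __name__ == "__main__":
    glob, mask = parse_exclusion(KERNEL_FILE_OP_EXCLUSION)
    covered, uncovered = split_events(SAMPLE_EVENTS, glob)
    print(f"mask=0x{mask:X}  covered={len(covered)}  uncovered={uncovered}")
```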