CB Protection: Microsoft Word Load Time Increases When Agent Is Placed In High Enforcement Mode

Article ID: 292047

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Microsoft Word normally takes 6 seconds to open a file, but it takes 20 seconds or more to open the same file when the machine is assigned to a High Enforcement policy.
  • The Procmon.log file shows 'winword.exe' performing an inordinate number of read/write operations against the Windows Registry.

Environment

  • CB Protection Agent: All Versions
  • Microsoft Word

Cause

The CB Protection agent is tracking, and creating events for, every registry read/write the 'winword.exe' process performs.

Resolution

Add the following 'kernelProcessRegExclusions' property/value:
  1. Open the following URL: https://<servername>/agent_config.php
  2. Select "Add Agent Config"
  3. Add the following values:
     a. Property Name: kernelProcessRegExclusions for winword.exe
     b. HostID: 0 (for all hosts)
     c. Value: kernelProcessRegExclusions=*\winword.exe:0x7f
     d. Select 'Enabled'
     e. Apply to the appropriate Policy, then 'Save'

Additional Information

  • Adding the suggested 'kernelProcessRegExclusions' property instructs the CB Protection Agent to ignore all registry operations performed by 'winword.exe'.
  • The following document provides steps for collecting the Procmon.log file: https://community.carbonblack.com/t5/Knowledge-Base/Cb-Protection-How-To-Collect-Agent-Performance-Logs-Windows/ta-p/64875
  • It is important to note that you can only have one active 'kernelProcessRegExclusions' property defined. Comma-separated values are allowed for some kernel exclusion properties, e.g. kernelProcessExclusions and kernelFileOpExclusions, but you should not define multiple 'kernelProcessRegExclusions' properties, since only one of them will actually be used.
  • To add a specific HostID value:
    1. Open the Console -> Assets -> Computers screen and select the machine reporting the issue
    2. The HostID is shown at the end of the URL string, reported as "host_id="
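The two caveats above (one active 'kernelProcessRegExclusions' only; comma-separated lists only for the properties that support them) are easy to violate when several admins add agent configs over time. The following lint script is an added example, not Carbon Black code or part of this article: it assumes agent-config rows have been exported as (name, value, enabled) tuples and that each value item follows the `<path pattern>:<hex flags>` shape of the one value shown above; the hex flags are parsed but not interpreted.

```python
import re

# Properties the article says accept comma-separated lists.
# kernelProcessRegExclusions is deliberately absent: it takes a single value.
LIST_VALUED = {"kernelProcessExclusions", "kernelFileOpExclusions"}

# Constructed sample rows in an assumed (property name, value, enabled) shape.
SAMPLE_ROWS = [
    ("kernelProcessRegExclusions for winword.exe",
     r"kernelProcessRegExclusions=*\winword.exe:0x7f", True),
    ("legacy reg exclusion",                       # second enabled entry: only one is used
     r"kernelProcessRegExclusions=*\excel.exe:0x7f", True),
    ("disabled reg exclusion",                     # comma list on a single-valued property
     r"kernelProcessRegExclusions=*\a.exe:0x7f,*\b.exe:0x7f", False),
    ("process exclusions",                         # list is fine for this property
     r"kernelProcessExclusions=*\a.exe,*\b.exe", True),
]

ENTRY_RE = re.compile(r"^(?P<prop>\w+)=(?P<value>.+)$")


def parse_entry(value):
    """Split 'prop=item[,item]' into (prop, [(pattern, flags)]).

    Each item is '<pattern>:<hex flags>'; items without ':' get flags None.
    """
    m = ENTRY_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a property=value entry: {value!r}")
    items = []
    for part in m.group("value").split(","):
        head, sep, tail = part.rpartition(":")
        items.append((head, int(tail, 16)) if sep else (part, None))
    return m.group("prop"), items


def lint(rows):
    """Return human-readable findings for the caveats the article describes."""
    findings, active_reg = [], []
    for name, value, enabled in rows:
        prop, items = parse_entry(value)
        if len(items) > 1 and prop not in LIST_VALUED:
            findings.append(f"{name!r}: {prop} does not accept comma-separated values")
        if prop == "kernelProcessRegExclusions" and enabled:
            active_reg.append(name)
    if len(active_reg) > 1:
        findings.append("more than one enabled kernelProcessRegExclusions "
                        f"(only one is used): {', '.join(active_reg)}")
    return findings
```

Running `lint(SAMPLE_ROWS)` reports the duplicate enabled entry and the comma-separated value; the first row alone is clean.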