Create a Performance Optimization Rule to Ignore File Modifications
Article ID: 286704
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Create a Custom Rule for Performance Optimization to ignore all Read, Rename, Write, Write Delayed, and Delete operations.
Environment
- App Control Console: All Supported Versions
- App Control Agent: All Supported Versions
Resolution
WARNING: Performance Optimization Rules should avoid:
These types of combinations could prevent the Agent from seeing the Create/Write of an Executable file, and prevent Local Approvals of such files. Additionally, when Interesting files are discovered on execution it will force the Agent to stall operations while analysis is completed in-line. This will cause a greater impact to performance in this situations. Instead: Use a Specific Path and specify the exact non-interesting File Patterns to exclude. |
- Log in to the Console and navigate to Rules > Software Rules > Custom.
- Click Add Custom Rule and enter initial details, example:
- Name: Accounting Software PO Rule
- Description: Ignore writes to non-interesting files that cause performance impacts during report building.
- Status: Enabled
- Define the new Custom Rule, example:
- Platform: Windows
- Rule Type: Performance Optimization
- Path or File: Specific Path
C:\Program Files (x86)\AccountingSoftware\tmp\accounting-tmp.gdb
- Process: Specific Process
C:\Program Files (x86)\AccountingSoftware\reportbuilder.exe
- Policies: Selected Policies > Desktops-Accounting
- Save the new Custom Rule.
Additional Information
- Executions will still be monitored but Performance Optimization Rules will specify folders or files to avoid tracking writes.
- For Windows endpoints, a Procmon capture may be beneficial in determining specific combinations for Performance Optimization.
Feedback
Yes
No
Powered by
