Exclusion Path
The Agent Configuration policy can be customized to exclude specified folder paths from all application control policy processing. Applications launched from the specified paths are not processed by the Verify Privilege Manager agent, which allows for minimal interruption and maximum performance. Any log entries are written asynchronously, without any impact on processing.
For developers with an agent installed on a computer running the {PRODUCTNAME}# application, adding an Exclusion Path to the application control agent is the best approach to safeguard against increased compilation times that affect system performance.
Exclusion paths are paths to software development tools (for example, program files, folders, etc.). When an application launches, the agent checks the exclusions first, before filters, so it executes faster and saves the time otherwise spent on agent and filter assessment.
If performance issues persist with the use of exclusion paths, IBM Security recommends an evaluation with support services to assess the environment.
To add exclusion paths to the Agent Configuration policy in the General Settings:
- Navigate to your Computer Group and select Agent Configuration.
- Select the Application Control Agent Configuration Policy (Windows) policy.
- To access advanced settings, click Show Advanced.
- In the Exclusion Path field, specify the path exclusions for the application control agent. Separate each path by a new line.
Verification
At the endpoint, use the Agent Utility to make sure the policies are updated. Launch the application you specified in the exclusion (in our example, notepad.exe) and verify that the Agent Utility logs contain a message like this:
Ignoring process 11452 (C:\Windows\System32\notepad.exe) exclusion: c:\windows\system32\notepad.exe
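
The verification step above can be repeated for every configured exclusion at once by parsing saved Agent Utility log text. The following is an added example, not code shipped with the product. The function names, the sample log beyond its first line, and the assumption that folder-level exclusions are logged in the same message format are all illustrative.

```python
import re
from pathlib import PureWindowsPath

# Message format taken from the sample log line in the Verification section.
IGNORE_RE = re.compile(
    r"Ignoring process (?P<pid>\d+) \((?P<image>.+?)\) exclusion: (?P<rule>.+?)\s*$"
)

# Constructed sample log. Only the first line appears on the page; the rest
# (including folder-level exclusions being logged this way) are assumptions.
SAMPLE_LOG = r"""
Ignoring process 11452 (C:\Windows\System32\notepad.exe) exclusion: c:\windows\system32\notepad.exe
Ignoring process 2210 (C:\DevTools\bin\cl.exe) exclusion: c:\devtools
Ignoring process 2214 (C:\DevTools\bin\link.exe) exclusion: c:\devtools
Ignoring process 4100 (C:\Program Files (x86)\Old\tool.exe) exclusion: c:\program files (x86)\old
Policy update complete
"""

def parse_ignored(log_text):
    """Yield (pid, image, rule) for every 'Ignoring process' entry."""
    for line in log_text.splitlines():
        m = IGNORE_RE.search(line)
        if m:
            yield int(m["pid"]), PureWindowsPath(m["image"]), PureWindowsPath(m["rule"])

def verify_exclusions(log_text, configured):
    """Compare logged exclusions with the paths entered in the policy.

    Returns (hits, never_seen, unexpected):
      hits       - configured path -> set of images the agent skipped for it
      never_seen - configured paths with no log evidence yet
      unexpected - entries citing an exclusion that is not in `configured`
    """
    rules = {PureWindowsPath(p): p for p in configured}  # case-insensitive keys
    hits = {p: set() for p in configured}
    unexpected = []
    for pid, image, rule in parse_ignored(log_text):
        key = rules.get(rule)
        if key is not None and (image == rule or rule in image.parents):
            hits[key].add(str(image))
        else:
            unexpected.append((pid, str(image), str(rule)))
    never_seen = [p for p, images in hits.items() if not images]
    return hits, never_seen, unexpected

if __name__ == "__main__":
    policy = [r"c:\windows\system32\notepad.exe", r"c:\devtools", r"c:\buildcache"]
    print(verify_exclusions(SAMPLE_LOG, policy))
```

Because excluded paths skip all application control policy processing, the `hits` map also serves as a record of which executables ran unevaluated under each exclusion, and `unexpected` points to an endpoint whose policy has not yet been updated.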