This isn't an uncommon problem with some development environments.
Capture some (or all if it doesn't take too long) of the compilation process using ProcMon, then use Tools Menu -> Process Tree to review the result. You will see the parent and child process relationship. What you'll probably note is many short-lived processes, such as cmd.exe, make.exe, gcc.exe and so on. There may be hundreds or thousands of these.
Every time a process is requested to launch, Application Control needs to hold it up, check the process against your rules and then either allow it to run or deny it. I don't think this is where the delay is though, as these operations only tend to take around 10-50ms with logging enabled. For every DLL that the process tries to load, Application Control also needs to hold up that request and then run it through your rules. Each process may be loading 20+ DLLs. So the number of operations increases significantly.
For a standard application, the overhead of running the rules against the process launch and the DLLs it loads tends not to be noticeable. When many short-lived processes are launched, the effect can become noticeable.
I would suggest initially reviewing the ProcMon Process Tree and identifying the processes affected.
- Within your Application Manager Console open your config
- Manage Tab -> Advanced Settings -> Custom Settings Tab
- Add ExProcessNames if it doesn't already exist.
- Add the processes identified above. Note the description of ExProcessNames for how it should be delimited (typically space); this is different to the other exceptions.
- Deploy to a few test endpoints
If you want to also test excluding the processes from the hook, add DriverHookEx and add the processes. As per above, note how the processes should be delimited (typically a semi-colon).
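The ProcMon review suggested above can be done from a CSV export instead of the Process Tree view. This is an added example, not part of the original post or the product's tooling: it assumes ProcMon's default CSV columns, uses constructed sample rows, and the function names and the two delimiters (taken from the post's "typically") are assumptions to check against the setting descriptions.

```python
import csv
import io
from collections import Counter

# Constructed sample in ProcMon's default CSV column layout (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.01","make.exe","4100","Process Start","","SUCCESS",""
"10:00:00.02","make.exe","4100","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
"10:00:00.03","cmd.exe","4200","Process Start","","SUCCESS",""
"10:00:00.04","cmd.exe","4200","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
"10:00:00.05","gcc.exe","4300","Process Start","","SUCCESS",""
"10:00:00.06","gcc.exe","4300","Load Image","C:\tools\bin\gcc.exe","SUCCESS",""
"10:00:00.07","gcc.exe","4300","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
"10:00:00.08","gcc.exe","4300","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:00:00.09","cmd.exe","4400","Process Start","","SUCCESS",""
"10:00:00.10","cmd.exe","4400","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
"10:00:00.11","gcc.exe","4500","Process Start","","SUCCESS",""
"10:00:00.12","gcc.exe","4500","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
"10:00:00.13","gcc.exe","4500","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
'''

def summarize(csv_text):
    """Return {process name: (launch count, DLL load count)}."""
    starts, dll_loads = Counter(), Counter()
    # A saved export may begin with a byte-order mark; drop it if present.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        name = row["Process Name"].lower()
        if row["Operation"] == "Process Start":
            starts[name] += 1
        elif row["Operation"] == "Load Image" and row["Path"].lower().endswith(".dll"):
            dll_loads[name] += 1
    return {name: (starts[name], dll_loads[name]) for name in starts}

def exclusion_candidates(csv_text, min_launches=2):
    """Processes launched repeatedly, ordered by launches + DLL loads (descending)."""
    rows = [(n, s, d) for n, (s, d) in summarize(csv_text).items() if s >= min_launches]
    # Each launch and each DLL load is one request held for a rule check.
    return sorted(rows, key=lambda r: (-(r[1] + r[2]), r[0]))

def format_lists(names):
    """Space- and semicolon-delimited forms (assumed from the post's 'typically')."""
    return " ".join(names), ";".join(names)

if __name__ == "__main__":
    found = exclusion_candidates(SAMPLE_CSV)
    for name, launches, dlls in found:
        print(f"{name}: {launches} launches, {dlls} DLL loads")
    print(format_lists([name for name, _, _ in found]))
```

Raising `min_launches` on a real capture keeps the list to the build tools that dominate the rule checks, so the exclusion stays as narrow as possible.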
Personally, I'd consider exempting the R&D guys and getting agreement from their management to sandbox/segregate their environment in some way - at the least, not develop/build on the same workstations they use for mail, browsing etc.
Implementing application whitelisting on developers is non-trivial and will probably result in them either a) finding a workaround or b) escalating and getting a blanket exemption anyway.
Hi Fordo and Timothyb,
You're both right. Had the same discussions. Hoped that I forgot something and there is a magic tool that fixes all things. Thanks anyway.