3 Replies Latest reply on Jun 19, 2018 12:54 AM by Martin.Retzbach

    Exception rules for developers

    Martin.Retzbach Rookie

      Hi community,

      I have some serious difficulties implementing AC in our RnD department. They use Eclipse, cmake and some other GNU tools. When the service is running it almost doubles the time for compiling. Has anyone experience with this?

        • 1. Re: Exception rules for developers
          timothyb SupportEmployee

          This isn't an uncommon problem with some Development environments.

           

          Capture some (or all if it doesn't take too long) of the compilation process using ProcMon, then use Tools Menu -> Process Tree to review the result. You will see the parent and child process relationship. What you'll probably note is many short-lived processes, such as cmd.exe, make.exe, gcc.exe and so on. There may be hundreds or thousands of these.

           

          Every time a process is requested to launch, Application Control needs to hold it up, check the process against your rules and then either allow it to run or deny it. I don't think this is where the delay is though, as these operations only tend to take around 10-50ms with logging enabled. For every DLL that the process tries to load, Application Control also needs to hold up that request and then run it through your rules. Each process may be loading 20+ DLLs. So the number of operations increases significantly.

           

          For a standard application, the overhead of running the rules against the process launch and the DLLs it loads tends not to be noticeable. When many short-lived processes are launched, the effect can become noticeable.

           

          I would suggest initially reviewing the ProcMon Process Tree and identifying the processes affected.

           

          • Within your Application Manager Console open your config
          • Manage Tab -> Advanced Settings -> Custom Settings Tab
          • Add ExProcessNames if it doesn't already exist.
          • Add the processes identified above. Note the description of ExProcessNames for how it should be delimited (typically space); this is different to the other exceptions.
          • Deploy to a few test endpoints

           

          If you want to also test excluding the processes from the hook, add DriverHookEx and add the processes. As per above, note how the processes should be delimited (typically a semi-colon).
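
Added example (not part of the reply above and not the product's own tooling): a way to turn the ProcMon capture into a ranked list of the short-lived processes, counting one intercepted operation per process launch and per image load as the reply describes. It assumes the capture was saved from ProcMon as CSV with the default columns; the function names, the `min_starts` threshold and the sample rows are made up for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in the ProcMon CSV column layout (not a real capture).
# A real export can be read with open(path, newline="", encoding="utf-8-sig").read();
# utf-8-sig tolerates a byte-order mark if one is present.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.0010000 AM","make.exe","4100","Process Start","","SUCCESS",""
"10:00:00.0020000 AM","make.exe","4100","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
"10:00:00.0100000 AM","gcc.exe","4200","Process Start","","SUCCESS",""
"10:00:00.0110000 AM","gcc.exe","4200","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
"10:00:00.0120000 AM","gcc.exe","4200","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:00:00.0900000 AM","gcc.exe","4200","Process Exit","","SUCCESS",""
"10:00:00.1000000 AM","gcc.exe","4201","Process Start","","SUCCESS",""
"10:00:00.1010000 AM","gcc.exe","4201","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
"10:00:00.1020000 AM","gcc.exe","4201","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:00:00.1800000 AM","gcc.exe","4201","Process Exit","","SUCCESS",""
"10:00:00.2000000 AM","cmd.exe","4300","Process Start","","SUCCESS",""
"10:00:00.2010000 AM","cmd.exe","4300","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
"10:00:00.3000000 AM","cmd.exe","4301","Process Start","","SUCCESS",""
"10:00:00.3010000 AM","cmd.exe","4301","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
'''

def rank(csv_text, min_starts=2):
    """Return (name, starts, image_loads, total_ops) per process, busiest first."""
    starts, loads = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Process Name"].lower()      # group case-insensitively
        if row["Operation"] == "Process Start":  # one rule check per launch
            starts[name] += 1
        elif row["Operation"] == "Load Image":   # one rule check per EXE/DLL load
            loads[name] += 1
    rows = [(n, s, loads[n], s + loads[n]) for n, s in starts.items() if s >= min_starts]
    return sorted(rows, key=lambda r: (-r[3], r[0]))

def candidate_list(csv_text, min_starts=2, sep=" "):
    """Join the ranked names; the reply says ExProcessNames is typically
    space-delimited, so confirm against the setting's description."""
    return sep.join(name for name, *_ in rank(csv_text, min_starts))

if __name__ == "__main__":
    for name, s, l, total in rank(SAMPLE_CSV):
        print(f"{name:12} starts={s:<4} image_loads={l:<4} intercepted_ops={total}")
    print("candidates:", candidate_list(SAMPLE_CSV))
```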

          • 2. Re: Exception rules for developers
            Fordo Apprentice

            Personally, I'd consider exempting the R&D guys and getting agreement from their management to sandbox/segregate their environment in some way - at the least, not develop/build on the same workstations they use for mail, browsing etc.

             

            Implementing application whitelisting on developers is non-trivial and will probably result in them either a) finding a workaround or b) escalating and getting a blanket exemption anyway.

            • 3. Re: Exception rules for developers
              Martin.Retzbach Rookie

              Hi Fordo and Timothyb,

               

              You're both right. Had the same discussions. Hoped that I forgot something and there is a magic tool that fixes all things. Thanks anyway.