Endpoint Performance

Generally speaking, Windows Agents have a small footprint on endpoint machines. Memory usage, CPU usage, and boot time should be negligibly impacted. If certain best practices are not followed, however, endpoint performance can be affected.

Items to Consider

Troubleshooting items to consider if endpoint performance issues are reported include the following.

Anti-Virus

Ensure anti-virus exclusions are in place for all anti-virus products in the environment. Refer to Antivirus Exclusions.

Secondary File Hash Exclusions

Ensure secondary file hash exclusions are in place. Refer to Exclude File Extensions during File Hashing.

These exclusions are usually helpful for developers running compilers or opening 1 TB database files. They may not affect boot-up, but they should be part of the resolution for some endpoint performance complaints.

Applies To All Processes

Ensure that no Application Control Policies have Applies To All Processes enabled in the Advanced Settings. Use this option very sparingly: it targets non-interactive processes (including system processes) and adds processing time. It is only required to target a file that appears in the Agent logs like this:

DoProcessWork Ignoring Process 42576 (C:\Windows\System32\sppsvc.exe) as it is a protected process

Checking Applies To All Processes allows the policy to target this file. Leave it unchecked by default and enable it only in the rare instances where it is absolutely necessary.

Policy Enforcement

Most policies should not have Continue Enforcing Policies or Continue Enforcing Policies for Child Processes enabled in the Advanced Settings. With these options disabled, a target application is caught by a policy, the policy's Actions run, and processing completes. With them enabled, a target application is caught by a policy and processing continues against the remaining policies, which is not how an efficient policy stack is built.

Consider enabling Skip Policy Analysis at Start-up in the Advanced Settings on some Policies. Refer to Increase Boot-up Performance.

If this is checked on a Policy, that Policy's analysis is paused during boot-up. Understand the risk associated with this and consider enabling it only on Policies that should not be targeting boot-up files.

Present in Signed Security Catalog

The Application filter for Present in Signed Security Catalog should be used as an Exclusion filter in some policies, especially Block policies. This filter dynamically targets the files that are deployed via the Operating System (OS), which includes many files that run at boot-up.

Make sure that Block policies have this filter as an Exclusion filter, so that OS files are not inadvertently blocked. You may also want to create a policy with a low policy priority number that allows files Present in Signed Security Catalog to run in standard context. This lets them pass quickly through the stack without being elevated or blocked. If an Allow policy for Present in Signed Security Catalog is used to elevate those files, the Elevation policy would need to occur before the Allow policy.

Audit Policy Events

Make sure that Audit Policy Events is not enabled on many of your policies. It creates more work for the endpoint and should definitely not be enabled on every policy. It should only be enabled on Discovery policies, and there should be some self-imposed limitations on its use. If this and Continue Enforcing Policies are enabled on multiple policies, the same file event can be caught by multiple policies (adding processing time) and feedback for the event can be gathered multiple times (very inefficient).

Policy Filters

Application Control policies should not have more than 100 total filters on the policy. The combined number of Application filters, Inclusion filters and Exclusion filters should not exceed 100. Processing time of the agent is more efficient with two policies of 100 filters vs. a single policy with 200 filters. Review the Application Control policies to determine the total number of filters per policy.
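The Advanced Settings and filter-count guidance above is easy to audit mechanically once the policies are in a machine-readable form. The following script is an added example, not part of the original page or the product: it lints a constructed policy export (the JSON layout, field names such as `advanced.applies_to_all_processes`, and all policy names are assumptions made for this example) against the rules on this page: more than 100 filters, Applies To All Processes enabled, Continue Enforcing enabled, Audit Policy Events on a non-Discovery policy, a Block policy without the Present in Signed Security Catalog exclusion, and several policies combining Audit Policy Events with Continue Enforcing.

```python
"""Lint a constructed Application Control policy export against the
endpoint-performance guidance on this page.

The export layout (a JSON list of policies with an "advanced" settings
block) is an assumption made for this example; it is not a product export.
"""
import json

MAX_FILTERS = 100
CATALOG_FILTER = "Present in Signed Security Catalog"


def _policy(name, ptype, priority, app_filters, exclusions=(), **advanced):
    """Build one constructed policy record with default Advanced Settings."""
    adv = {"applies_to_all_processes": False, "continue_enforcing": False,
           "continue_enforcing_child": False, "audit_policy_events": False,
           "skip_analysis_at_startup": False}
    adv.update(advanced)
    return {"name": name, "type": ptype, "priority": priority,
            "application_filters": list(app_filters), "inclusion_filters": [],
            "exclusion_filters": list(exclusions), "advanced": adv}


# Constructed sample export (hypothetical policy names and settings).
SAMPLE_EXPORT = json.dumps([
    _policy("Block Unknown Apps", "Block", 50, ["Unknown Reputation"],
            audit_policy_events=True),
    _policy("Elevate Dev Tools", "Elevate", 20,
            [f"tool-{i}.exe" for i in range(120)],   # one filter per file
            applies_to_all_processes=True, continue_enforcing=True,
            audit_policy_events=True),
    _policy("Discovery", "Discovery", 90, ["Any Application"],
            continue_enforcing=True, continue_enforcing_child=True,
            audit_policy_events=True, skip_analysis_at_startup=True),
    _policy("Allow OS Files", "Allow", 10, [CATALOG_FILTER]),
])


def filter_count(policy):
    """Total of Application, Inclusion and Exclusion filters on one policy."""
    return sum(len(policy.get(key, [])) for key in
               ("application_filters", "inclusion_filters", "exclusion_filters"))


def lint_policy(policy):
    """Return the performance findings for a single policy (empty if clean)."""
    findings = []
    adv = policy.get("advanced", {})
    total = filter_count(policy)
    if total > MAX_FILTERS:
        findings.append(f"{total} filters exceeds {MAX_FILTERS}; split into smaller policies")
    if adv.get("applies_to_all_processes"):
        findings.append("Applies To All Processes is enabled; it targets non-interactive "
                        "and system processes")
    if adv.get("continue_enforcing") or adv.get("continue_enforcing_child"):
        findings.append("Continue Enforcing Policies is enabled; processing continues "
                        "against other policies after a match")
    if adv.get("audit_policy_events") and policy.get("type") != "Discovery":
        findings.append("Audit Policy Events is enabled on a non-Discovery policy")
    if policy.get("type") == "Block" and CATALOG_FILTER not in policy.get("exclusion_filters", []):
        findings.append(f"Block policy has no '{CATALOG_FILTER}' exclusion; OS files may be blocked")
    return findings


def lint_export(json_text):
    """Lint every policy plus the stack-wide audit/continue-enforcing overlap."""
    policies = json.loads(json_text)
    per_policy = {p["name"]: f for p in policies if (f := lint_policy(p))}
    overlap = [p["name"] for p in policies
               if p["advanced"].get("audit_policy_events")
               and (p["advanced"].get("continue_enforcing")
                    or p["advanced"].get("continue_enforcing_child"))]
    stack = []
    if len(overlap) > 1:
        stack.append(f"{len(overlap)} policies ({', '.join(overlap)}) combine Audit Policy "
                     "Events with Continue Enforcing; one file event can be caught and "
                     "reported several times")
    return {"policies": per_policy, "stack": stack}


if __name__ == "__main__":
    report = lint_export(SAMPLE_EXPORT)
    for name, findings in report["policies"].items():
        print(name)
        for f in findings:
            print("  -", f)
    for f in report["stack"]:
        print("STACK -", f)
```

Running it against the constructed export reports four findings on the Elevate policy (filter count, Applies To All Processes, Continue Enforcing, Audit Policy Events), two on the Block policy (Audit Policy Events and the missing catalog exclusion), one on the Discovery policy (Continue Enforcing) and a stack-wide note that two policies combine auditing with Continue Enforcing; the Allow policy is clean.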

Summary

If endpoint performance issues are reported by a subset of users, determine whether the affected users share a common role. For example, if the affected users are developers, review the suggestions above and make sure that Secondary File Hash Exclusions are addressed.

Additionally, understand the types of Application Control policies that are used in the environment. Are Application Control policies mainly Elevation policies used to remove Admin rights? Or is a set of strict Allow / Block policies enabled to allow only the files that need to run? If strict Allow / Block policies are in place, investigate ways to simplify the filters used to target applications. For example, instead of creating individual Application filters for files in C:\Windows, target by file location, since standard users (without Admin rights) do not have write access to that directory. Using one filter to target a large repository of files is much more efficient than targeting each individual file separately.