Endpoint Detection and Response (EDR)


Can EAR rules be created to prevent recording of entire folder activities?

  • 1.  Can EAR rules be created to prevent recording of entire folder activities?

    Posted Jan 16, 2023 04:31 PM
    Good afternoon,

    I am wondering if it is possible to create EAR rules to avoid recording the content activity of an entire folder and its subfolders. For example: prevent recording the activity of an Exchange server that is installed in C:\Program Files\Microsoft\Exchange Server; the databases are stored in E:\Program Files\Microsoft\Exchange Server and the logs in F:\Logs MSE\Mailbox. With the EDR policy turned on, the server remains at 80% or 90% CPU load, and turning the policy off reduces consumption to less than 50%.

    Thank you for your comments and help in resolving this issue.


  • 2.  RE: Can EAR rules be created to prevent recording of entire folder activities?

    Broadcom Employee
    Posted Jan 18, 2023 08:55 AM
    Edited by Gavin Fulton Jan 18, 2023 08:59 AM
    Hi,
    EAR policies are primarily designed to reduce the event volume associated with "known good" activity rather than to reduce the client CPU impact.
    To reduce the system load of monitoring excessively active applications (such as, potentially, the MS Exchange executable file) you would need to apply a "disable monitoring" EAR rule associated with the SHA256 or full path of the MS Exchange executable.
    I would therefore recommend that you instead open a support ticket to confirm this is definitely the reason for high CPU load when the EDR policy is enabled on this system.

    However, to answer the question as originally asked: yes, an EAR rule can be defined with a "wildcard" actor value targeting specific file paths, with an appropriate wildcard or regex definition, to avoid recording the file activity of the entire folder and its subfolders (event type = File Activity). A similar rule can be created to avoid recording the directory activity of the entire folder and its subfolders (event type = Directory Activity).
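Before committing a folder-based "do not record" rule, it is worth checking that the path pattern covers exactly the intended tree and nothing beside it, because an exclusion that over-matches is a permanent blind spot in the recorder. The following is an added example written for this thread, not Broadcom's code and not the product's EAR rule syntax: it takes the three Exchange folders from the question, builds anchored patterns that match each folder and everything beneath it, and runs constructed file-activity events (actor, target path) through them to show what would still be recorded. It also contrasts this with a naive trailing-`*` wildcard, which would silently swallow a sibling folder such as `Exchange Server Backup` (a constructed name used only to illustrate the over-match).

```python
"""Scope check for folder-based activity-recording exclusions (added example).

The exclusion syntax here is a generic stand-in, not the EDR product's own.
Folder paths come from the forum question; the events are constructed.
"""
import re

# Folders named in the question; everything below each of them is to be excluded.
EXCLUDED_FOLDERS = [
    r"C:\Program Files\Microsoft\Exchange Server",
    r"E:\Program Files\Microsoft\Exchange Server",
    r"F:\Logs MSE\Mailbox",
]

# Constructed sample of file-activity events as (actor, target path).
SAMPLE_EVENTS = [
    ("MSExchangeIS.exe", r"E:\Program Files\Microsoft\Exchange Server\Mailbox\DB01.edb"),
    ("MSExchangeIS.exe", r"F:\Logs MSE\Mailbox\E0000000123.log"),
    ("w3wp.exe", r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\web.config"),
    ("powershell.exe", r"C:\Program Files\Microsoft\Exchange Server Backup\dump.ps1"),  # sibling folder, hypothetical
    ("cmd.exe", r"C:\Users\Public\notes.txt"),
    ("explorer.exe", r"f:/logs mse/mailbox/old.log"),  # mixed case and forward slashes
]


def _normalize(path):
    """Canonical form for comparison: backslash separators, no trailing
    separator, case-folded (Windows paths are case-insensitive)."""
    return path.replace("/", "\\").rstrip("\\").lower()


def folder_to_regex(folder):
    """Anchored pattern matching the folder itself or any path below it.
    The separator after the folder name is what keeps siblings out."""
    return re.compile(r"^" + re.escape(_normalize(folder)) + r"(?:\\.*)?$")


def wildcard_to_regex(pattern):
    """Naive glob translation (* -> .*, ? -> .), i.e. how a hand-written
    'Exchange Server*' pattern is interpreted. Used here to show the over-match."""
    parts = []
    for ch in pattern.replace("/", "\\").lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def is_excluded(path, regexes):
    """True if any exclusion pattern covers the normalized event path."""
    norm = _normalize(path)
    return any(rx.match(norm) for rx in regexes)


def recorded_events(events, regexes):
    """Events that would still be recorded once the exclusions are applied."""
    return [(actor, path) for actor, path in events if not is_excluded(path, regexes)]


def main():
    anchored = [folder_to_regex(f) for f in EXCLUDED_FOLDERS]
    print("Still recorded with anchored folder patterns:")
    for actor, path in recorded_events(SAMPLE_EVENTS, anchored):
        print(f"  {actor:16} {path}")

    sibling = SAMPLE_EVENTS[3][1]
    loose = [wildcard_to_regex(r"C:\Program Files\Microsoft\Exchange Server*")]
    print("Sibling folder excluded by anchored pattern:", is_excluded(sibling, anchored))
    print("Sibling folder excluded by trailing '*' wildcard:", is_excluded(sibling, loose))


if __name__ == "__main__":
    main()
```

Run it as-is; the anchored patterns leave only the two events outside the Exchange trees (the sibling-folder write and the Users\Public write) in the recording, while the trailing-`*` form would also drop the sibling folder. The same check applies to a Directory Activity rule, since it keys on the same path prefix.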