Environment
- App Control Server: All Versions
- App Control Agent: All Versions
- Microsoft Monitoring Agent
Symptoms
- The Microsoft Monitoring Agent is generating an inordinate number of 'File approved (custom rule)' events similar to the following:
File c:\program files\microsoft monitoring agent\agent\health service state\monitoring host temporary files xxx\xxxx\main.cmd was approved due to custom rule
- 'monitoringhost.exe' is the process generating these events
Cause
A large number of OS-level file reads are being performed while the System or Application event logs are read.
Resolution
Add the following 'kernelFileOpExclusions' parameter to address the events related to the 'monitoringhost.exe' process:
- Open the following URL: https://<appcontrol_servername>/agent_config.php
- Select 'Add Agent Config'
- Fill in the following fields:
a. Property Name: MS monitoringhost.exe 'kernelFileOpExclusions'
b. Host ID: <host_id of agent machine> (0 applies the setting to ALL agents)
c. Value: kernelFileOpExclusions=*\program files\microsoft monitoring agent\agent\health service state\monitoring host temporary files*\*:2097151
d. Platform: Windows
e. Status: Enabled
f. Create For: (set as needed)
- Select the Save button
- Confirm that the path in the events seen under Symptoms falls under the pattern above; the wildcard after 'monitoring host temporary files' is what covers the variable suffix in that directory name.
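Before pushing the setting to every agent (Host ID 0), it is worth checking that the glob in the Value field actually covers the paths appearing in your events and nothing more. The script below is an added example written for this article, not a Carbon Black App Control tool or an extract of the agent's own matching code. It parses a 'kernelFileOpExclusions=<pattern>:<mask>' value, pulls the file path out of 'File ... was approved due to custom rule' event lines, and reports which paths the exclusion would cover. The sample events are constructed in the form shown under Symptoms. Two assumptions are made and flagged in comments: path matching is case-insensitive, and '*' spans any characters including backslashes (the article's own pattern relies on the second, since 'temporary files*\*' has to absorb the variable directory suffix). The numeric mask is only validated as an integer; its bit layout is not documented here.

```python
import fnmatch
import re

# Constructed sample of the agent-config value from the Resolution above.
EXCLUSION_VALUE = (
    r"kernelFileOpExclusions="
    r"*\program files\microsoft monitoring agent\agent\health service state"
    r"\monitoring host temporary files*\*:2097151"
)

# Constructed sample events in the form shown under Symptoms; the 'xxx'
# placeholders are kept as the article shows them.
SAMPLE_EVENTS = [
    r"File c:\program files\microsoft monitoring agent\agent\health service state\monitoring host temporary files xxx\xxxx\main.cmd was approved due to custom rule",
    r"File c:\program files\microsoft monitoring agent\agent\health service state\monitoring host temporary files 12\9a\main.cmd was approved due to custom rule",
    r"File c:\program files\microsoft monitoring agent\agent\tools\momcertimport.exe was approved due to custom rule",
    r"File c:\windows\temp\setup.cmd was approved due to custom rule",
]

# Matches the event text shown under Symptoms and captures the file path.
EVENT_RE = re.compile(r"^File (?P<path>.+?) was approved due to custom rule$", re.IGNORECASE)


def parse_exclusion(value):
    """Split 'kernelFileOpExclusions=<pattern>:<mask>' into (pattern, mask).

    The last ':' separates pattern from mask, so a drive letter in the pattern
    (e.g. 'c:\\...') does not confuse the split. The mask is only checked to be
    a non-negative integer; its meaning is left to the product documentation.
    """
    key, _, rest = value.partition("=")
    if key != "kernelFileOpExclusions":
        raise ValueError("not a kernelFileOpExclusions value: %r" % value)
    pattern, sep, mask = rest.rpartition(":")
    if not sep or not pattern or not mask.isdigit():
        raise ValueError("expected '<pattern>:<numeric mask>', got %r" % rest)
    return pattern, int(mask)


def path_matches(pattern, path):
    """Glob match of an event path against the exclusion pattern.

    Assumptions (not stated by the article): matching is case-insensitive, and
    '*' matches any run of characters, backslashes included. fnmatchcase is
    used so the lowercasing here is the only case handling in play.
    """
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def extract_path(event_line):
    """Return the file path from a 'File ... was approved due to custom rule' line, or None."""
    m = EVENT_RE.match(event_line.strip())
    return m.group("path") if m else None


def classify_events(value, events):
    """Sort event lines into paths the exclusion covers, paths it does not, and lines it cannot parse."""
    pattern, _mask = parse_exclusion(value)
    result = {"excluded": [], "still_reported": [], "unparsed": []}
    for line in events:
        path = extract_path(line)
        if path is None:
            result["unparsed"].append(line)
        elif path_matches(pattern, path):
            result["excluded"].append(path)
        else:
            result["still_reported"].append(path)
    return result


if __name__ == "__main__":
    outcome = classify_events(EXCLUSION_VALUE, SAMPLE_EVENTS)
    for bucket, items in outcome.items():
        print(bucket)
        for item in items:
            print("  " + item)
```

Run it against paths copied from your own server's events; any path that lands in 'still_reported' but should be covered means the pattern needs adjusting before it is saved, and a path that lands in 'excluded' unexpectedly means the glob is broader than intended.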
Additional Notes
- The 'monitoringhost.exe' process is what each MS server role uses to perform monitoring activities, such as executing a monitor or running a task; for example, when an MS agent subscribes to the event log to read events, it is 'monitoringhost.exe' that carries out that work.
- Adding this parameter limits the number of events the App Control Agent generates by excluding specific file operations under the listed path from processing by the driver, in this case all operations except executions. Executions under that path are still processed as before.