We have a need to monitor users who are copying files off their laptops when they are off the corporate network. So we've made an Endpoint Monitoring Policy.
The problem is we get a big performance hit when users are opening or closing Outlook, or adding PST files to Outlook, when on the corporate network. When you check out the configuration below you can see I'm attempting to drop the network packets of anything that is not in the 192.168… address range. (I've tried many different syntax variations so far, but it makes no difference; happy to try anything people suggest.)
I have clearly proven to myself that when I'm part of this policy, my Outlook takes 8-10 mins to open (with heavy network utilisation) and the same amount of time to add large PST files. When I remove my laptop from it, Outlook's speed returns to normal.
The solution/design is working as we want it to. I get an incident each time a user copies a file off the laptop when they are not on our corporate network, and no incident when files are copied to network shares whilst on the corporate network.
Anyone got some tips, or can anyone work out if I've done anything wrong?
The solution I have designed is this:
Agent Configuration:
Enable Monitoring: (I’ve ticked)
Removable Storage
CD/DVD
Copy to Share
Filter by File Properties: (default with added exclusions for .ost and .pst)
1 Ignore Local Drive
$Cookies$\*,
$InternetCache$\*,
$LocalAppData$\*,
$LocalAppData$\..\Temp\*,
$LocalAppDataLow$\*,
$RoamingAppData$\*,
$Windows$\Prefetch\*,
$Windows$\SoftwareDistribution\*,
*\System Volume Information\*
2 Monitor CD/DVD, Removable Storage
*.doc, *.docx, *.jar, *.mpp, *.pdf, *.ppt, *.pptx, *.rar, *.rtf, *.txt, *.wcm, *.xls, *.xlsx, *.zip
3 Ignore Local Drive, Removable Storage
*.ost, *.pst, *.tmp, *.url, *.v2i, *.vmdk, *.vmem
4 Ignore Application File Access, Local Drive
*
Specify Default File Filter Action
The following action will be applied to any file that does not match any of the file filters configured above:
Monitor
Filter by Network Properties
IP Filters:
+,192.168.0.0/16,*;-,*,*
For the test:
Agent Group
Group Condition
User Attributes
Logged in User, and Always include these Agents.
Policy
Detection
Protocol or Endpoint monitoring > Endpoint Destination > CD/DVD and Removable Storage and Copy to Network Share
Endpoint Location > Off the Corporate Network
Groups
Test group of few users
Response
Send email on incident
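As an added illustration (not part of the original post, and not Symantec's own code), here is a small Python evaluator for the `+,192.168.0.0/16,*;-,*,*` IP filter expression above. It assumes the semantics that are implied by the syntax: each `;`-separated rule is `sign,source,destination`, `*` matches any address, rules are tried in order and the first match decides, and an address that matches no rule is monitored. Those assumptions are marked in the code; check them against the product documentation before relying on them.

```python
"""Evaluate a DLP-style IP filter expression against sample connections.

Assumed rule semantics (not taken from the product documentation):
  - rules are separated by ';' and tried left to right, first match wins
  - each rule is  sign,source,destination  where sign is '+' (monitor) or '-' (ignore)
  - '*' matches any address; anything else is parsed as an IP or CIDR network
  - a connection matching no rule is monitored
"""
import ipaddress

# The expression from the posted configuration.
FILTER_EXPRESSION = "+,192.168.0.0/16,*;-,*,*"


def _to_net(token):
    """'*' becomes None (match anything); otherwise an IPv4/IPv6 network."""
    token = token.strip()
    if token == "*":
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_ip_filters(expression):
    """Parse 'sign,src,dst;sign,src,dst;...' into (include, src_net, dst_net) tuples."""
    rules = []
    for part in expression.split(";"):
        part = part.strip()
        if not part:
            continue
        fields = [f.strip() for f in part.split(",")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed IP filter rule: {part!r}")
        sign, src, dst = fields
        rules.append((sign == "+", _to_net(src), _to_net(dst)))
    return rules


def _matches(net, addr):
    """A None network matches everything; mixed IPv4/IPv6 simply does not match."""
    if net is None:
        return True
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net


def ip_filter_monitors(rules, src_ip, dst_ip):
    """Return True if the connection would be monitored, False if ignored (assumed semantics)."""
    for include, src_net, dst_net in rules:
        if _matches(src_net, src_ip) and _matches(dst_net, dst_ip):
            return include
    return True  # assumption: no matching rule -> monitored


def evaluate_samples(expression=FILTER_EXPRESSION):
    """Run a few constructed source/destination pairs through the expression."""
    rules = parse_ip_filters(expression)
    samples = [
        ("192.168.1.10", "192.168.50.5"),   # laptop on the corporate range to a file server
        ("192.168.1.10", "203.0.113.7"),    # corporate source, non-corporate destination
        ("10.1.2.3", "192.168.50.5"),       # non-corporate source, corporate destination
        ("172.16.5.5", "203.0.113.7"),      # neither side in the corporate range
    ]
    return {pair: ip_filter_monitors(rules, *pair) for pair in samples}


if __name__ == "__main__":
    for (src, dst), monitored in evaluate_samples().items():
        print(f"{src:>14} -> {dst:<14} {'monitor' if monitored else 'ignore'}")
```

Under these assumed semantics the expression monitors any connection whose source is in 192.168.0.0/16, regardless of destination, and ignores everything else; a connection from a 10.x source to a 192.168.x destination is dropped because only the first field is tested against the corporate range. If the agent actually orders the fields differently, or evaluates rules in a different order, the results change, which is why the order of the two fields is worth confirming before tuning the expression further.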