Cursor Enterprise: Endpoint Security
Cursor loads JavaScript modules and reads files at startup. When endpoint security software scans every file operation, the added latency can push startup past Cursor's internal timeout and make features like Agent fail. The fix is to exclude Cursor's processes and install directory from real-time scanning, then restart and confirm Agent works.
Why does endpoint security software break Cursor startup?
Cursor's extension host reads JavaScript files from its own install directory at startup. When security software adds per-file scanning latency, the cumulative delay can exceed Cursor's startup timeout, and features like Agent fail. Software that injects into processes can cause the same problem.
This mainly affects startup. Once modules are loaded into memory, ongoing file operations are infrequent and unlikely to cause issues.
Cursor's own files are code-signed binaries and bundled JavaScript, not user-generated content. Excluding them from real-time scanning does not reduce protection for your user files or network traffic.
What processes and paths should we exclude?
Add the following to your security product's exclusion list. On Windows you cover three processes and two install paths; on macOS you exclude the app bundle.
| Windows process | User install path | System install path |
|---|---|---|
| Cursor.exe | %LOCALAPPDATA%\Programs\cursor\Cursor.exe | %ProgramFiles%\cursor\Cursor.exe |
| rg.exe | %LOCALAPPDATA%\Programs\cursor\resources\app\node_modules\@vscode\ripgrep\bin\rg.exe | %ProgramFiles%\cursor\resources\app\node_modules\@vscode\ripgrep\bin\rg.exe |
| inno_updater.exe | %LOCALAPPDATA%\Programs\cursor\resources\app\node_modules\cursor-inno-updater\inno_updater.exe | %ProgramFiles%\cursor\resources\app\node_modules\cursor-inno-updater\inno_updater.exe |
Windows process exclusions, by user install vs system install.
| Platform | Path to exclude | What it is |
|---|---|---|
| Windows (user install) | %LOCALAPPDATA%\Programs\cursor\ | Application binaries and bundled modules |
| Windows (system install) | %ProgramFiles%\cursor\ | Application binaries and bundled modules |
| macOS | /Applications/Cursor.app/ | Application bundle (exclude the Cursor.app process) |
Path exclusions per platform.
Some products use kernel-level minifilter drivers that scan all file I/O regardless of which process is reading. Add both process exclusions and path exclusions for the Cursor install directory, not just one.
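A pre-check for the exclusions listed above, as an added example that is not Cursor's own tooling: it confirms that each executable found on the machine carries a valid Authenticode signature and reports whether Microsoft Defender already excludes it by path or by process. It assumes Microsoft Defender is the product in use; the function name `Test-CursorExclusionReadiness` is hypothetical.

```powershell
# Added example, not Cursor's own tooling. Run in an Administrator PowerShell
# window: Get-MpPreference hides exclusions from non-admin users.
# The function name is hypothetical; relative paths come from the tables above.
function Test-CursorExclusionReadiness {
    $roots = @(
        (Join-Path $env:LOCALAPPDATA 'Programs\cursor'),  # user install
        (Join-Path $env:ProgramFiles 'cursor')            # system install
    )
    $relative = @(
        'Cursor.exe',
        'resources\app\node_modules\@vscode\ripgrep\bin\rg.exe',
        'resources\app\node_modules\cursor-inno-updater\inno_updater.exe'
    )
    # Assumption: Microsoft Defender is the product being checked.
    $pref    = Get-MpPreference
    $exPaths = @(@($pref.ExclusionPath) | Where-Object { $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') + '\' })
    $exProcs = @(@($pref.ExclusionProcess) | Where-Object { $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) })

    foreach ($root in $roots) {
        foreach ($rel in $relative) {
            $exe = Join-Path $root $rel
            if (-not (Test-Path -LiteralPath $exe)) { continue }  # not this install type
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            [pscustomobject]@{
                File            = $exe
                SignatureStatus = $sig.Status                     # 'Valid' is expected
                Signer          = $sig.SignerCertificate.Subject
                # Folder-prefix match only; wildcard exclusions are not evaluated.
                PathExcluded    = [bool]($exPaths | Where-Object {
                    $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
                ProcessExcluded = [bool]($exProcs | Where-Object {
                    $_ -ieq $exe -or $_ -ieq (Split-Path $exe -Leaf) })
            }
        }
    }
}

Test-CursorExclusionReadiness | Format-List
```

A file whose `SignatureStatus` is anything other than `Valid` should be investigated before it is excluded. Exclusions held by other security products live in their own consoles and are not visible to this check.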
How do we find which security software is running?
If you don't know which products are active, these commands help you locate where exclusions need to go. On Windows, run them in an Administrator PowerShell window.
```powershell
# Registered AV products
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    Select-Object displayName, pathToSignedProductExe

# Kernel-level filesystem filter drivers
fltmc

# Check for EDR process injection via environment variables
# (enumerate the hashtable so only the matching variables are returned)
[System.Environment]::GetEnvironmentVariables().GetEnumerator() |
    Where-Object { $_.Key -match "BPP|COR_PROFILER|COMPLUS|__COMPAT" }

# Windows Defender status
Get-MpComputerStatus |
    Select-Object IsTamperProtected, RealTimeProtectionEnabled, AMRunningMode
```

- Reading fltmc: standard Windows drivers you can ignore include WdFilter, storqosflt, wcifs, CldFlt, bfs, FileCrypt, luafv, Wof, FileInfo, npsvctrig, bindflt and UnionFS. Other drivers are likely third-party security software.
- Reading the environment-variable check: if it returns any results, an EDR product is injecting code into every new process on the machine, and an exclusion may be necessary.
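To apply the fltmc reading rule without comparing names by eye, the following added example (not part of Cursor's documentation or tooling) filters `fltmc` output against the standard-driver list given above. The function name `Get-NonStandardFilter` is hypothetical, and the sample output, including the driver name `ExampleEdrFlt`, is constructed for illustration.

```powershell
# Added example: list minifilter drivers that are NOT on the page's
# "standard Windows drivers" list. Function name is hypothetical.
$StandardFilters = 'WdFilter','storqosflt','wcifs','CldFlt','bfs','FileCrypt',
                   'luafv','Wof','FileInfo','npsvctrig','bindflt','UnionFS'

function Get-NonStandardFilter {
    param([Parameter(Mandatory)][string[]]$FltmcOutput)
    foreach ($line in $FltmcOutput) {
        $text = $line.Trim()
        # Skip blank lines, the column header and the dashed separator.
        if (-not $text -or $text -like 'Filter Name*' -or $text -like '---*') { continue }
        # The first column is the driver name. Remaining columns are kept raw
        # so rows with an unusual layout are still reported, not dropped.
        $name = ($text -split '\s+')[0]
        if ($StandardFilters -notcontains $name) {   # case-insensitive comparison
            [pscustomobject]@{ Name = $name; RawLine = $text }
        }
    }
}

# Constructed sample output; ExampleEdrFlt is a made-up third-party driver.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
ExampleEdrFlt                           5       385000         0
WdFilter                                5       328010         0
wcifs                                   0       189900         0
FileInfo                                5        40500         0
'@ -split "`r?`n"

Get-NonStandardFilter -FltmcOutput $sample

# Live use, from an Administrator PowerShell window:
#   Get-NonStandardFilter -FltmcOutput (fltmc)
```

Any driver the function returns is a candidate for the product whose console needs the Cursor exclusions.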
How do we verify the exclusions are working?
1. Run the identification commands to determine which security products are running.
2. Add both process and path exclusions for those products in their management consoles.
3. Restart Cursor and test Agent. This is the definitive test of whether the exclusions worked.
4. If it still fails, export logs and contact Cursor support with the diagnostic output.
After applying exclusions, restart Cursor and confirm Agent features work without timing out. If you previously saw empty Extension Host logs (Cmd/Ctrl+Shift+P, then Output, then Extension Host), they should now show normal startup output.
Frequently asked questions
Why does Cursor Agent time out on locked-down machines?
Endpoint security software that scans every file operation or injects into processes adds startup latency. When that delay exceeds Cursor's internal startup timeout, the extension host doesn't finish loading and Agent fails. Excluding Cursor's processes and install directory removes the delay.
Is it safe to exclude Cursor from antivirus scanning?
Yes. Cursor's own files are code-signed binaries and bundled JavaScript, not user-generated content. Excluding them from real-time scanning is low-risk and does not reduce protection for your user files or network traffic.
Do we need both process and path exclusions?
Often, yes. Some security products use kernel-level minifilter drivers that scan all file I/O regardless of which process reads the file, so a process-only exclusion may not be enough. Add path exclusions for the Cursor install directory as well.
Sources & last verified
Cursor ships frequently. Facts verified against primary sources on June 25, 2026.