CylancePROTECT Desktop script control
CylancePROTECT Desktop
script controlSelecting this option will log any newly found scripts, convicted by
CylancePROTECT Desktop
, to the syslog server.Syslog script control events contain the following properties:
- Alert: The script is allowed to run. A script control event is sent to the management console.
- Block: The script is not allowed to run. A script control event is sent to the management console.
Reporting frequency
The first time a script control event is detected, a message is sent via syslog with full event information. Each subsequent event that is deemed a duplicate will not be sent via syslog for the remainder of the day. At the end of the day, if the counter for a specific script control event is greater than one, an event will be sent via syslog with the count of all duplicate events that have transpired that day. If the counter equals one at the end of the day, no additional message will be sent by the syslog serve or SIEM solution.
Determining if a script control event is a duplicate uses the following logic:
- Look at key information: Device, Hash, Username, and Block/Alert.
- For the first event received in a day, set a counter value to 1. There are separate counters for Block and Alert.
- All subsequent events with the same key increment the counter.
- The counter resets each calendar day.
Example:
If script A runs on Device 1 at 11:59PM on 9/20/18 and then again at 12:05AM, 12:10AM, and 12:15AM on 9/21/18, the following will occur:- One syslog message will be sent on 9/20/18 for the one script control event for that day.
- One syslog message will be sent on 9/21/18 for the two duplicate script control events for that day.
Only one syslog message is sent on 9/21/18 because the events are duplicates of the event that occurred on 9/20/18.
Field | Value | Description |
|---|---|---|
Device ID | [varies] | This is the unique ID for the device. |
Device Name | [varies] | This is the name of the device. |
Event Type | ScriptControl | This is a script control event. |
Event Name | Alert | This is an alert only. No actions were taken on the script control event. |
Blocked | The script control event was blocked. | |
None | No action was taken on the script control event. | |
Unknown | It could not be determined if any action was taken on the script control event. | |
File Path | [varies] | This is the path to the file. |
Interpreter | ActiveScript | This is the interpreter that detects VBScript and Jscript that run from the Windows Script Host (WSH). |
MacroScript | This is the interpreter that detects macros in Microsoft
Office documents. | |
Powershell | This is the interpreter that detects PowerShell scripts. | |
Interpreter Version | [varies] | This is the version number of the interpreter. |
Policy Name | [varies] | This is the name of the policy assigned to the device. |
SHA256 | [varies] | This is the SHA256 hash for the file. |
Zone Names | [varies] | These are the names of the zones to which the device belongs. |
Example message for script control events
BlackBerry Protect Desktop - - - Event Type: ScriptControl, Event Name: Blocked, Device Name: Fake_Device, File Path: d:\windows\system32\windowspowershell\v2.1\newlyMade.vbs, SHA256: FE9B64DEFD8BF214C7490BB7F35B495A79A95E81F8943EE279DC99998D3D3440, Interpreter: active, Interpreter Version: 6.1.7600.16385 (win7_rtm.090713-1255), Zone Names: (Script Test,Server Test), Device ID: e378dacb-9324-453a-b8c6-5a8406952195, Policy Name: Default