Script control
Script control protects Windows devices by blocking scripts from executing. If you want to allow scripts to execute, you can add exclusions in several ways using wildcards. For example, you can set the policy to block scripts from executing and only allow scripts that are added to the exclusion list to run.

Item | Description |
---|---|
Action | For each type of script, you can select one of the following actions:
The following settings are available for Active Script and PowerShell Script settings:
You can find script control alert and block events in the Protection > Script Control screen. |
Active Script | This setting controls whether you want to allow Active Scripts to run, or block them from running. Active Scripts include VBScript and JScript. For enhanced script control, use one of the Block UNSAFE scripts or Block ABNORMAL and UNSAFE scripts settings. These settings require CylancePROTECT Desktop agent version 3.2 or later. If a device is running an earlier agent, the script will be blocked by default. |
PowerShell Script | This setting controls whether you want to allow PowerShell scripts to run, or block them from running. For enhanced script control, use one of the Block UNSAFE scripts or Block ABNORMAL and UNSAFE scripts settings. These settings require CylancePROTECT Desktop agent version 3.2 or later. If a device is running an earlier agent, the script will be blocked by default. |
PowerShell Console | This setting controls whether you want to allow the PowerShell console to run or block it from launching. Blocking the PowerShell console provides additional security by protecting against the use of PowerShell console in interactive mode. Alert mode for PowerShell Console requires CylancePROTECT Desktop agent version 3.2 or later. It allows scripts to run and reports the detected event to the management console. For agents that don't support Alert mode, the use of PowerShell console will be allowed by default and an alert won't be generated. If you use a script that launches the PowerShell console, and PowerShell Console is blocked, the script fails. If possible, it is recommended that users change their scripts to invoke the PowerShell scripts, not the PowerShell console. You can do this using the -file switch. A basic command to run a PowerShell script without invoking the console would be: Powershell.exe -file [script name] |
Macros (2.1.1578 and earlier) | This setting controls whether to alert or block Microsoft Office macros. Macros use Visual Basic for Applications (VBA) which allows embedding code inside a Microsoft Office document (typically Microsoft Office, Excel, and PowerPoint). The main purpose for macros is to simplify routine actions, like manipulating data in a spreadsheet or formatting text in a document. However, malware creators can use macros to run commands and attack the system. It is assumed that a macro is performing a malicious action when it tries to manipulate the system. The agent looks for malicious actions originating from a macro that affects anything outside the Microsoft Office products. Consider the following:
|
Python | This setting controls whether to allow Python scripts (version 2.7 and 3.0 to 3.8), or block them from running. This setting is valid for agent 2.1.1580 or later. |
.NET DLR | This setting controls whether to allow .NET DLR scripts to run, or block them from running. This setting is valid for agent 2.1.1580 or later. |
XLM Macros (Preview) | The XLM Macros feature is currently available in Preview mode where it might behave unexpectedly. This setting controls whether CylancePROTECT Desktop allows Excel 4.0 (XLM) macros to run, or blocks them from running. When macros are enabled and executed, the Microsoft AMSI interface communicates with the agent to determine whether to allow the macro to run or to block it according to the device policy. This feature requires the following:
|
Advanced Settings | The following advanced settings encourage script scoring and benefit script control:
|
Exclude Files, Script or Processes | You can specify folders to allow any script in that folder (and sub-folders) to execute without generating an alert, even when script controls are set to block. You can also add exclusions for processes to allow scripts from certain applications to run properly that would otherwise be blocked. For example, if the IT department uses specific tools to run scripts all the time, you can add the process for that tool as an exclusion so that scripts can be run through that tool. You specify the relative path of the folder or sub-folder. The folder paths can be to a local drive, a mapped network drive, or a universal naming convention (UNC) path.
Excluding folders and scripts
Excluding processes
|
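
The PowerShell Console row recommends moving launches to the -file switch before the console is blocked. The following added example (not vendor code, and not part of the original page) classifies PowerShell launch command lines so that those without -File can be reviewed first. The helper names, task names and paths are constructed, and treating every launch without -File as needing review is an assumption drawn from that recommendation.

```powershell
# Added example, not vendor code. Flags PowerShell launches that do not use -File
# so they can be reviewed before the PowerShell Console setting is changed to Block.

function Test-UsesFileSwitch {
    param([string]$Arguments)
    # powershell.exe accepts parameter prefixes, so -f, -fi, -fil and -file all select -File.
    return [bool]($Arguments -match '(?i)(^|\s)-f(i(le?)?)?(\s|$)')
}

function Get-LaunchReview {
    param([Parameter(ValueFromPipeline)]$Launch)
    process {
        # Keep only launches whose executable is powershell or powershell.exe, quoted or not.
        if ($Launch.Execute -notmatch '(?i)(^|\\|")powershell(\.exe)?"?\s*$') { return }
        $usesFile = Test-UsesFileSwitch -Arguments $Launch.Arguments
        [pscustomobject]@{
            Source    = $Launch.Source
            Arguments = $Launch.Arguments
            UsesFile  = $usesFile
            # Assumption: anything not started with -File is a candidate for rewriting.
            Action    = if ($usesFile) { 'none' } else { 'review: change to -File' }
        }
    }
}

# Constructed sample launches (hypothetical task names and script paths).
$sample = @(
    [pscustomobject]@{ Source = '\IT\Inventory'; Execute = 'powershell.exe'
                       Arguments = '-NoProfile -File C:\Scripts\inventory.ps1' }
    [pscustomobject]@{ Source = '\IT\Cleanup'
                       Execute = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
                       Arguments = '-Command "& C:\Scripts\cleanup.ps1"' }
    [pscustomobject]@{ Source = '\IT\Shell'; Execute = 'powershell'; Arguments = '' }
    [pscustomobject]@{ Source = '\IT\Backup'; Execute = 'C:\Tools\backup.exe'; Arguments = '-full' }
)

# The backup.exe entry is skipped; the -Command and bare launches are marked for review.
$sample | Get-LaunchReview | Format-Table -AutoSize

# On a real device, feed scheduled-task actions instead of the sample:
# Get-ScheduledTask | ForEach-Object { $t = $_; $t.Actions | ForEach-Object {
#     [pscustomobject]@{ Source = $t.TaskPath + $t.TaskName
#                        Execute = $_.Execute; Arguments = $_.Arguments } } } | Get-LaunchReview
```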