Script control Skip Navigation

Script control

Script control protects
devices by blocking malicious scripts from running. The agent can detect the script and script path before the script is executed. You can set the policy to block scripts from running and only allow scripts that are added to the exclusion list to run.
For each type of script, you can select one of the following actions:
  • Alert
    : This action allows all scripts to run. Use this setting when you want to monitor and observe all scripts that are running in your environment. This setting is recommended for initial deployment while you determine which scripts you want to allow or block.
  • Block
    : This action blocks all scripts from running. Only files that are added to the exclusion list are allowed to run. Use this setting after testing and monitoring for threats in alert mode.
You can find script control alert and block events in the
Protection > Script Control
Active Script
This setting controls whether you want to allow Active Scripts to run, or block them from running. Active Scripts include VBScript and JScript.
For agent version 1.2.1370 and earlier, there is one action setting for both Active Script and PowerShell. For agent 1.2.1380 and later, you need to set them individually.
This setting controls whether you want to allow  scripts to run, or block them from running.
For agent version 1.2.1370 and earlier, there is one action setting for both Active Script and PowerShell. For agent version 1.2.1380 and later, you need to set them individually.
Block PowerShell console usage
This setting controls whether you want to block the PowerShell console from launching for devices running agent version 1.2.1380 or later. Blocking the PowerShell console provides additional security by protecting against the use of PowerShell one-liners.
This setting is available when the action for PowerShell scripts are set to
When the PowerShell control is set to alert mode, the agent does not send alerts for PowerShell console usage.
If you use a script that launches the PowerShell console, and Block PowerShell console usage is enabled, the script fails. If possible, it is recommended that users change their scripts to invoke the PowerShell scripts, not the PowerShell console. You can do this using the
switch. A basic command to run a PowerShell script without invoking the console would be:
Powershell.exe -file [script name]
Macros (2.1.1578 and earlier)
This setting controls whether to alert or block
Microsoft Office
macros. Macros use Visual Basic for Applications (VBA) which allows embedding code inside a
Microsoft Office
document (typically
Microsoft Word
, and
). The main purpose for macros is to simplify routine actions, like manipulating data in a spreadsheet or formatting text in a document. However, malware creators can use macros to run commands and attack the system. It is assumed that a macro is performing a malicious action when it tries to manipulate the system. The agent looks for malicious actions originating from a macro that affects anything outside the
Microsoft Office
  • The script control macros feature works with agent version 1578 and earlier. For newer agents, use the
    Dangerous VBA Macros
    violation type in the memory protection policy.
  • Any macro exclusions created for script control must be added to the memory protection exclusions for the
    Dangerous VBA Macros
    violation type.
  • Starting with
    Microsoft Office
    2013, macros are disabled by default. Most of the time, you do not need to enable macros to view the content of an
    Microsoft Office
    document. You should only enable macros for documents you receive from users you trust, and you have a good reason to enable it. Otherwise, macros should always be disabled.
This setting controls whether to allow Python scripts (version 2.7 and 3.0 to 3.8), or block them from running. This setting is valid for agent 1580 or later.
This setting controls whether to allow .NET DLR scripts to run, or block them from running. This setting is valid for agent 1580 or later.
XLM Macros (Preview)
The XLM Macros feature is currently available in Preview mode where it might behave unexpectedly.
This setting controls whether
CylancePROTECT Desktop
4.0 (XLM) macros to run, or blocks them from running. When macros are enabled and executed, the
AMSI interface communicates with the agent to determine whether to allow the macro to run or to block it according to the device policy.
This feature requires the following:
  • Microsoft Windows
    10 or later
  • CylancePROTECT Desktop
    agent version 3.1
  • VBA macros must be disabled in the
    File > Trust Center > Excel Trust Center > Macro Settings
Disable Script Control
You can specify whether to disable script control for certain script types. When you disable script control, scripts are allowed to run and you do not receive alerts.
Exclude Files, Script or Processes
You can specify folders to allow any script in that folder (and sub-folders) to execute without generating an alert, even when script controls are set to block. You can also add exclusions for processes to allow scripts from certain applications to run properly that would otherwise be blocked.  For example, if the IT department uses specific tools to run scripts all the time, you can add the process for that tool as an exclusion so that scripts can be run through that tool.
You specify the relative path of the folder or sub-folder. The folder paths can be to a local drive, a mapped network drive, or a universal naming convention (UNC) path.
Excluding folders and scripts
  • Folder exclusions cannot contain the script or macro file name. These entries are not valid and the agent ignores them.
  • If you want to exclude a specific script, you must use a wildcard. For more information about how to use wildcards to exclude specific scripts, see Wildcards in script control exclusions.
  • If the “Everyone” group in your organization has write permissions to a folder, anyone inside or outside of the organization can drop a script in the folder and write to it.
    CylancePROTECT Desktop
    will continue to send alerts on scripts and block them. The write permissions apply not only to the direct parent folder, but also to all parent folders, all the way to the root.
Excluding processes
  • Process exclusions require agent version 2.1.1580 or later.
  • The executable in the process exclusion may be quarantined by execution control and therefore blocked from running. If the executable is quarantined, you need to add it to the
    Policy Safe List
    in the
    File Actions
  • Process exclusions continue to allow scripts to run and does not restrict them from running from the specified folder.