Script control

Script control protects Windows devices by blocking scripts from executing. If you want to allow scripts to execute, you can add exclusions in several ways using wildcards. For example, you can set the policy to block scripts from executing and only allow scripts that are added to the exclusion list to run.
Action
For each type of script, you can select one of the following actions:
  • Disabled: This action allows all scripts to run but does not report them to the console. This setting is not recommended.
  • Alert: This action allows all scripts to run and reports them to the console. Use this setting when you want to monitor and observe all scripts that are running in your environment. This setting is recommended for initial deployment while you determine which scripts you want to allow or block.
  • Block: This action blocks all scripts from running and reports them to the console. Only files that are added to the exclusion list are allowed to run. Use this setting after testing and monitoring for threats in alert mode.
The following settings are available for the Active Script and PowerShell Script settings:
  • Block UNSAFE scripts: If the script is not already in the exclusion list, CylancePROTECT obtains a threat score for the script from the Cylance cloud services, and if it receives an unsafe threat score, the script is blocked from executing. Unsafe files greatly resemble malware. Unscored and abnormal scripts are alerted to the console but are not blocked.
  • Block ABNORMAL and UNSAFE scripts: If the script is not in the exclusion list, CylancePROTECT obtains a threat score for the script from the Cylance cloud services, and if it receives an abnormal or unsafe threat score, the script is blocked from executing. Unsafe files greatly resemble malware. Abnormal files have some malware-like attributes but are less likely to be malware than an unsafe file. Unscored scripts are alerted to the console but are not blocked.
You can find script control alert and block events in the Protection > Script Control screen.
Active Script
This setting controls whether you want to allow Active Scripts to run, or block them from running. Active Scripts include VBScript and JScript.
For enhanced script control, use one of the Block UNSAFE scripts or Block ABNORMAL and UNSAFE scripts settings. These settings require CylancePROTECT Desktop agent version 3.2 or later. If a device is running an earlier agent, the script will be blocked by default.
PowerShell Script
This setting controls whether you want to allow PowerShell scripts to run, or block them from running.
For enhanced script control, use one of the Block UNSAFE scripts or Block ABNORMAL and UNSAFE scripts settings. These settings require CylancePROTECT Desktop agent version 3.2 or later. If a device is running an earlier agent, the script will be blocked by default.
PowerShell Console
This setting controls whether you want to allow the PowerShell console to run or block it from launching. Blocking the PowerShell console provides additional security by protecting against the use of PowerShell console in interactive mode.
Alert mode for PowerShell Console requires CylancePROTECT Desktop agent version 3.2 or later. It allows scripts to run and reports the detected event to the management console. For agents that don't support Alert mode, use of the PowerShell console is allowed by default and no alert is generated.
If you use a script that launches the PowerShell console, and PowerShell Console is blocked, the script fails. If possible, change such scripts to invoke the PowerShell script file directly rather than the PowerShell console, using the -file switch. A basic command to run a PowerShell script without invoking the console is:
Powershell.exe -file [script name]
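As an added example (not CylancePROTECT code or documentation), the following PowerShell function wraps the -file form above so that a launcher never starts the interactive console. The function name, the script path and the parameters passed to it are placeholders; -NoProfile and -NonInteractive are this example's additions, not part of the command shown on the page.

```powershell
# Added example, not CylancePROTECT code: run a script through powershell.exe -File
# instead of starting the interactive console. The script path and parameters below
# are placeholders.
function Invoke-ScriptFile {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [string[]] $ScriptArgs = @()
    )
    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        throw "Script not found: $ScriptPath"
    }
    # -File runs the script directly; everything after it is passed to the script as
    # its parameters. -NoProfile skips profile scripts and -NonInteractive makes any
    # prompt for console input fail immediately instead of hanging a scheduled job.
    # Arguments that contain spaces must carry their own quotes.
    $argList = @('-NoProfile', '-NonInteractive', '-File', ('"{0}"' -f $ScriptPath)) + $ScriptArgs
    $proc = Start-Process -FilePath 'powershell.exe' -ArgumentList $argList `
                          -Wait -PassThru -NoNewWindow
    # powershell.exe returns the script's exit code (non-zero when the script ends in
    # an unhandled terminating error or calls exit with a non-zero value).
    return $proc.ExitCode
}

# Before: a launcher that started the console and typed commands into it, which fails
# when the PowerShell Console setting is Block:
#   powershell.exe
# After: invoke the script file directly.
$rc = Invoke-ScriptFile -ScriptPath 'C:\Scripts\Inventory.ps1' -ScriptArgs @('-OutputPath', 'C:\Reports')
if ($rc -ne 0) { Write-Warning "Inventory.ps1 exited with code $rc" }
```

Scheduled tasks are a common place to find launchers that open the console; the same argument string can be given to New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -NonInteractive -File "C:\Scripts\Inventory.ps1"' so the task runs the file rather than the console.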
Macros (2.1.1578 and earlier)
This setting controls whether to alert on or block Microsoft Office macros. Macros use Visual Basic for Applications (VBA), which allows code to be embedded inside a Microsoft Office document (typically Word, Excel, and PowerPoint). The main purpose of macros is to simplify routine actions, like manipulating data in a spreadsheet or formatting text in a document. However, malware creators can use macros to run commands and attack the system. A macro is assumed to be performing a malicious action when it tries to manipulate the system. The agent looks for malicious actions originating from a macro that affect anything outside the Microsoft Office products.
Consider the following:
  • The script control macros feature works with agent version 2.1.1578 and earlier. For newer agents, use the Dangerous VBA Macros violation type in the memory protection policy.
  • Any macro exclusions created for script control must be added to the memory protection exclusions for the Dangerous VBA Macros violation type.
  • Starting with Microsoft Office 2013, macros are disabled by default. Most of the time, you do not need to enable macros to view the content of a Microsoft Office document. Only enable macros for documents you receive from users you trust, and only when you have a good reason to do so. Otherwise, macros should always be disabled.
Python
This setting controls whether to allow Python scripts (version 2.7 and 3.0 to 3.8), or block them from running. This setting is valid for agent 2.1.1580 or later.
.NET DLR
This setting controls whether to allow .NET DLR scripts to run, or block them from running. This setting is valid for agent 2.1.1580 or later.
XLM Macros (Preview)
The XLM Macros feature is currently available in Preview mode where it might behave unexpectedly.
This setting controls whether CylancePROTECT Desktop allows Excel 4.0 (XLM) macros to run, or blocks them from running. When macros are enabled and executed, the Microsoft Antimalware Scan Interface (AMSI) communicates with the agent to determine whether to allow the macro to run or to block it according to the device policy.
This feature requires the following:
  • Microsoft Windows 10 or later
  • CylancePROTECT Desktop agent version 3.1
  • VBA macros must be disabled in the Excel File > Trust Center > Excel Trust Center > Macro Settings menu.
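The last requirement above, and the note in the Macros section that macros are disabled by default from Office 2013 onward, can be checked from the registry before the XLM Macros setting is enabled. This is an added example, not CylancePROTECT code: Excel stores the Trust Center Macro Settings choice in the VBAWarnings value under its Security key, and a Group Policy value in the Policies hive takes precedence over it. The 16.0 version folder is an assumption (it covers Office 2016 and later, including Microsoft 365 Apps); use 15.0 for Office 2013. The page does not say which of the three "disable" options it requires, so the function reports the setting rather than deciding for you.

```powershell
# Added example, not CylancePROTECT code: report the Excel VBA macro setting chosen in
# File > Trust Center > Macro Settings. Excel stores it as the VBAWarnings DWORD:
#   1 = Enable all macros, 2 = Disable all macros with notification (the default),
#   3 = Disable all macros except digitally signed, 4 = Disable all macros without notification.
# The Office version folder defaults to 16.0 (assumption: Office 2016 or later).
function Get-ExcelMacroSetting {
    param([string] $OfficeVersion = '16.0')

    $names = @{
        1 = 'Enable all macros (not recommended)'
        2 = 'Disable all macros with notification'
        3 = 'Disable all macros except digitally signed macros'
        4 = 'Disable all macros without notification'
    }
    # A Group Policy value (Policies hive) overrides whatever the user picked in the UI,
    # so it is checked first.
    $sources = @(
        @{ Scope = 'GroupPolicy'; Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Excel\Security" },
        @{ Scope = 'User';        Key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Security" }
    )
    foreach ($s in $sources) {
        # Missing key or missing value both yield $null here.
        $item = Get-ItemProperty -Path $s.Key -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $code = [int]$item.VBAWarnings
            return [pscustomobject]@{
                Source          = $s.Scope
                VBAWarnings     = $code
                Setting         = $names[$code]
                EnableAllMacros = ($code -eq 1)
            }
        }
    }
    # No value written yet: Office 2013 and later default to "disable with notification".
    return [pscustomobject]@{
        Source          = 'Default'
        VBAWarnings     = 2
        Setting         = $names[2]
        EnableAllMacros = $false
    }
}

Get-ExcelMacroSetting | Format-List
```

Run it in the context of the user whose Excel will open the workbooks; the values live under HKCU, so an elevated prompt for a different account reports that account's setting, not theirs.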
Advanced Settings
The following advanced settings control script scoring and reporting:
  • Score All Scripts: This setting ensures that all scripts are scored, regardless of the script control setting. By default, if the script control setting is set to Alert or Block, scripts remain unscored.
  • Upload Script to Cloud: This setting specifies whether a copy of the script is uploaded to the CylancePROTECT cloud services for threat analysis and scoring. If this option is not selected, CylancePROTECT attempts to obtain a score for the script using its hash details.
  • Alert On Suspicious Scripts Execution Only: When a script is scored and no threat is detected, this setting suppresses reporting of that execution to the management console. If this option is not selected, the execution of every script is reported to the management console, even when no threat is detected.
Exclude Files, Scripts or Processes
You can specify folders to allow any script in that folder (and its sub-folders) to execute without generating an alert, even when script control is set to block. You can also add process exclusions to allow scripts run by certain applications that would otherwise be blocked. For example, if the IT department routinely uses a specific tool to run scripts, you can add that tool's process as an exclusion so that scripts can be run through it.
You specify the relative path of the folder or sub-folder. The folder path can be on a local drive, a mapped network drive, or a universal naming convention (UNC) path.
Excluding folders and scripts
  • Folder exclusions cannot contain the script or macro file name. Such entries are not valid and the agent ignores them.
  • To exclude a specific script, you must use a wildcard. For more information about how to use wildcards to exclude specific scripts, see Wildcards in script control exclusions.
  • If the “Everyone” group has write permission to a folder, anyone inside or outside of the organization can drop a script into that folder, so CylancePROTECT Desktop does not honor the exclusion: it continues to alert on and block scripts in that folder. This applies not only to the excluded folder itself but to every parent folder, all the way to the root.
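The last point can be audited before an exclusion is added. The following is an added example, not CylancePROTECT code: it walks from the candidate folder up to the drive or share root and lists every Allow entry that gives a broad principal write access. "Everyone" is the group the page names; the other principals in the default list, and the function name, are this example's assumptions.

```powershell
# Added example, not CylancePROTECT code: find broad write access on a script control
# exclusion folder or any of its parent folders, up to the root.
function Test-ExclusionFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals whose write access makes the folder effectively world-writable.
        # "Everyone" is the group the page names; the rest are this example's choice.
        [string[]] $BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    # Rights that let a caller create or change files in a folder. ACEs written with
    # generic rights show up as negative FileSystemRights values, so GENERIC_WRITE
    # (0x40000000) and GENERIC_ALL (0x10000000) are included in the mask too.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000

    $findings = @()
    $current  = (Get-Item -LiteralPath $Path).FullName
    while ($current) {
        $acl = Get-Acl -LiteralPath $current
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
                $findings += [pscustomobject]@{
                    Folder    = $current
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
        # Split-Path returns an empty string at the drive or share root, which ends the walk.
        $current = Split-Path -Path $current -Parent
    }
    return $findings
}

# No output means none of the listed principals can write anywhere on the path.
Test-ExclusionFolderAcl -Path 'C:\Scripts\Approved' | Format-Table -AutoSize
```

The check reads the DACL for the named principals only and does not expand group membership, so a custom group that happens to contain every user would be missed; pass such groups in -BroadPrincipals. Deny entries are ignored, which errs on the side of reporting.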
Excluding processes
  • Process exclusions require agent version 2.1.1580 or later.
  • The executable in a process exclusion may be quarantined by execution control and therefore blocked from running. If the executable is quarantined, you must add it to the Policy Safe List in the File Actions tab.
  • A process exclusion allows the excluded process to run scripts from any location; it does not restrict those scripts to a specified folder.