Script control protects Windows devices by blocking malicious scripts from running. The agent can detect the script and script path before the script is executed. You can set the policy to block scripts from running and allow only scripts that are added to the exclusion list to run.
For each type of script, you can select one of the following actions:
You can find script control alert and block events in the Protection > Script Control screen.
This setting controls whether you want to allow Active Scripts to run, or block them from running. Active Scripts include VBScript and JScript.
For agent version 1.2.1370 and earlier, there is one action setting for both Active Script and PowerShell. For agent 1.2.1380 and later, you need to set them individually.
This setting controls whether you want to allow PowerShell scripts to run, or block them from running.
For agent version 1.2.1370 and earlier, there is one action setting for both Active Script and PowerShell. For agent version 1.2.1380 and later, you need to set them individually.
Block PowerShell console usage
This setting controls whether you want to block the PowerShell console from launching for devices running agent version 1.2.1380 or later. Blocking the PowerShell console provides additional security by protecting against the use of PowerShell one-liners.
This setting is available when the action for PowerShell scripts is set to
When the PowerShell control is set to alert mode, the agent does not send alerts for PowerShell console usage.
If you use a script that launches the PowerShell console, and Block PowerShell console usage is enabled, the script fails. If possible, it is recommended that users change their scripts to invoke PowerShell scripts directly, not the PowerShell console. You can do this using the -file switch. A basic command to run a PowerShell script without invoking the console would be:
Powershell.exe -file [script name]
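As an added example (not part of this documentation or of the agent's own logic), the following Python audit classifies powershell.exe command lines gathered from scheduled tasks or logon scripts into those that already run a script via -file and those that depend on the console and would fail once Block PowerShell console usage is enabled. The parameter table only approximates PowerShell's own abbreviation rules, and the sample command lines are constructed.

```python
import shlex

# powershell.exe parameters with the short forms PowerShell accepts (it matches
# unambiguous prefixes such as -NoP, plus explicit short forms such as -ep and -ec).
PARAMS = {
    "file": ("f",), "command": ("c",), "encodedcommand": ("ec", "e"),
    "executionpolicy": ("ex", "ep"), "noprofile": ("nop",), "nologo": ("nol",),
    "noninteractive": ("noni",), "noexit": ("noe",), "windowstyle": ("w",),
    "version": ("v",), "sta": (), "mta": (),
}
POWERSHELL_EXES = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}

def canonical_param(token):
    """Map a switch token such as '-ep', '-NoP' or '/File' to its full name, else None."""
    if not token.startswith(("-", "/")):
        return None
    name = token.lstrip("-/").lower()
    for full, aliases in PARAMS.items():
        if name == full or name in aliases:
            return full
    hits = [full for full in PARAMS if full.startswith(name)]
    return hits[0] if len(hits) == 1 else None

def classify_invocation(cmdline):
    """'script-file' if a .ps1 is run via -File; 'console' if the interactive shell
    or a -Command/-EncodedCommand one-liner is used; 'not-powershell' otherwise."""
    tokens = shlex.split(cmdline, posix=False)  # keep Windows quoting and backslashes
    if not tokens:
        return "not-powershell"
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in POWERSHELL_EXES:
        return "not-powershell"
    for token in tokens[1:]:
        param = canonical_param(token)
        if param == "file":
            return "script-file"
        if param in ("command", "encodedcommand"):
            return "console"  # the rest of the line is the one-liner itself
    return "console"  # no -File at all: the interactive console would start

# Constructed sample command lines, as they might appear in scheduled tasks or logon scripts.
SAMPLE_CMDLINES = [
    r'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c "Get-Service | Out-File C:\Logs\svc.txt"',
    r'powershell -NoLogo',
    r'powershell.exe -ep RemoteSigned -f .\inventory.ps1',
    r'cmd.exe /c dir C:\Scripts',
]
```

Lines classified as console are the ones to move into a .ps1 file invoked with -file before the policy is enabled.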
Macros (2.1.1578 and earlier)
This setting controls whether to alert on or block Microsoft Office macros. Macros use Visual Basic for Applications (VBA), which allows embedding code inside a Microsoft Office document (typically PowerPoint). The main purpose of macros is to simplify routine actions, like manipulating data in a spreadsheet or formatting text in a document. However, malware creators can use macros to run commands and attack the system. A macro is assumed to be performing a malicious action when it tries to manipulate the system. The agent looks for malicious actions originating from a macro that affect anything outside the
This setting controls whether to allow Python scripts (versions 2.7 and 3.0 to 3.8) to run, or block them from running. This setting is valid for agent 1580 or later.
This setting controls whether to allow .NET DLR scripts to run, or block them from running. This setting is valid for agent 1580 or later.
XLM Macros (Preview)
The XLM Macros feature is currently available in Preview mode where it might behave unexpectedly.
This setting controls whether to allow Excel 4.0 (XLM) macros to run, or block them from running. When macros are enabled and executed, the Microsoft AMSI interface communicates with the agent to determine whether to allow the macro to run or to block it according to the device policy.
This feature requires the following:
Disable Script Control
You can specify whether to disable script control for certain script types. When you disable script control, scripts are allowed to run and you do not receive alerts.
Exclude Files, Scripts or Processes
You can specify folders to allow any script in that folder (and sub-folders) to execute without generating an alert, even when script controls are set to block. You can also add exclusions for processes to allow scripts from certain applications to run properly that would otherwise be blocked. For example, if the IT department uses specific tools to run scripts all the time, you can add the process for that tool as an exclusion so that scripts can be run through that tool.
You specify the relative path of the folder or sub-folder. The folder paths can be to a local drive, a mapped network drive, or a universal naming convention (UNC) path.
Excluding folders and scripts