Script control protects devices by blocking malicious scripts from running.
Script control monitors and protects against scripts running in your environment. The agent is able to detect the script and script path before the script is executed. Depending on the policy set for script control (alert or block), the agent will allow or block the execution of the script.
Script control is for Windows agents only.
For agent 1370 and earlier, setting the action affects active script and PowerShell.
For agent 1380 and later, the action can be set separately for active script, PowerShell, and macros.
For agent 1580 and later, actions can be set for .NET Dynamic Language Runtime (DLR) and Python.
This control allows all scripts to run and alerts you when scripts are run. It is recommended that you initially enable Script Control in Alert mode to monitor and observe all scripts running in your environment.
Enabling Alert mode for Script Control does not send alerts about PowerShell console usage. The ability to block PowerShell console usage requires that PowerShell be set to
Block PowerShell console usage must also be enabled.
This control blocks all scripts from running. You can allow scripts to run using the Approve scripts in these folders (and subfolders) option.
When you have a good understanding of all scripts running in your environment, you can change their settings to Block mode and only allow scripts to run out of specified folders.
This control alerts or blocks Active Scripts from running.
This control alerts or blocks PowerShell scripts.
Block PowerShell console usage
For agent version 1380 or later, prevents the PowerShell console from launching. Blocking the PowerShell console provides additional security by protecting against the use of PowerShell one-liners. You can disable this feature and allow the PowerShell console to run, at the policy level.
If you use a script that launches the PowerShell console, and Block PowerShell console usage is enabled, the script fails. If possible, it is recommended that users change their scripts to invoke the PowerShell scripts, not the PowerShell console. You can do this using the -file switch. A basic command to run a PowerShell script without invoking the console would be:
Powershell.exe -file [script name]
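An added example (not from the vendor's documentation or product): before enabling Block PowerShell console usage, the PowerShell function below sorts launch command lines into -file launches and launches to review. The function name, the sample command lines and the rule that every launch without -file needs review are assumptions; this page does not describe how the agent itself classifies a launch.

```powershell
# Added example, not vendor code. Heuristic classifier for how a command line
# starts Windows PowerShell. Assumption: anything not launched with -File is
# worth reviewing before "Block PowerShell console usage" is enabled.
function Get-PsLaunchStyle {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine
    )
    process {
        $style = 'NotPowerShell'
        # powershell or powershell.exe, optionally quoted or with a space-free path.
        if ($CommandLine -match '^\s*"?([^"\s]*\\)?powershell(\.exe)?"?(\s+|$)(?<args>.*)$') {
            $style = 'NoModeSwitch'   # console launch or positional command
            foreach ($token in ($Matches['args'] -split '\s+')) {
                if ($token -notmatch '^[-/](?<name>[A-Za-z]+)$') { continue }
                $name = $Matches['name'].ToLowerInvariant()
                # powershell.exe accepts prefixes of its parameter names.
                # The first mode switch wins; later tokens belong to the script
                # or command text (for example the -f format operator).
                if ('file'.StartsWith($name)) { $style = 'File'; break }
                if ('command'.StartsWith($name) -or
                    'encodedcommand'.StartsWith($name) -or $name -eq 'ec') {
                    $style = 'InlineCommand'; break
                }
            }
        }
        [pscustomobject]@{
            Style       = $style
            NeedsReview = ($style -in 'NoModeSwitch', 'InlineCommand')
            CommandLine = $CommandLine
        }
    }
}

# Constructed sample command lines, such as might be collected from scheduled
# tasks or logon scripts. Paths and file names are placeholders.
$samples = @(
    'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Ops\backup.ps1',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -f C:\Ops\rotate.ps1',
    'powershell.exe -NoProfile -Command "Get-Service | Out-File C:\Ops\svc.txt"',
    'powershell.exe -Command "''{0}'' -f (Get-Date)"',
    'powershell.exe',
    'cscript.exe C:\Ops\legacy.vbs'
)
$samples | Get-PsLaunchStyle | Format-Table Style, NeedsReview, CommandLine -AutoSize
```

Running this while Script Control is still in Alert mode gives a list of launchers to convert to the -file form before the console block is switched on.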
This control alerts or blocks Microsoft Office macros. Macros use Visual Basic for Applications (VBA) that allows embedding code inside a Microsoft Office document (typically Word,
PowerPoint). The main purpose for macros is to simplify routine actions, like manipulating data in a spreadsheet or formatting text in a document. However, malware creators can use macros to run commands and attack the system. It is assumed that a Microsoft Office macro trying to manipulate the system is a malicious action. The agent looks for malicious actions originating from a macro that affects things outside the
This control alerts or blocks Python version 2.7 and 3.0 - 3.8 scripts.
This control alerts or blocks .NET DLR scripts.
Disable Script Control
For agents 1430 and later, clicking Disable Script Control means the script type will not be blocked or alerted on. For agents 1420 and lower, the only settings are alert or block, meaning some action is always taken on the script type.
You can specify folders to allow any script in that folder (and sub-folders) to execute without generating an alert or being blocked with Script Control enabled. You can also add a process exclusion to allow scripts to run if the process is excluded.
When you approve scripts in a folder:
Use a process exclusion when you want to block scripts from executing except ones being run by a specific application. For example, you don't want end-users running scripts, but you want to allow your IT department to run scripts as part of their work. If the IT department uses the same tools all the time, you can add the process as an exclusion. This would identify the process running the interpreter, and if the process is excluded, it will be allowed to run.