Environment
- App Control Agent: All supported versions
Symptoms
- User is able to download and execute unapproved file using powershell.exe
- File downloaded using powershell.exe process was locally approved by the agent without any intervention
Cause
This can happen if powershell.exe is marked as an Installer using Trusted Directory approval mechanism or have been setup to be treated as an installer using Execution Control custom rule to allow and promote "powershell.exe"
Resolution
Re-evaluate approval configuration for powershell.exe as per business requirement to prevent any further files from being automatically approved that should not be.
Related Content