Environment
- App Control Windows Agent: All Supported Versions
- App Control Console: All Supported Versions
Symptoms
The server backlog has increased, and much of the activity is coming from PowerShell .ps1 files.
Cause
These files appear to be related to the OS attempting to check whether or not AppLocker is enabled.
Resolution
- Log in to the Console and verify that the Custom Rule for the psscriptpolicytest files has been created.
- Navigate to https://ServerAddress/shepherd_config.php
- Select the Property, "ABExclusionRules".
- If a Value currently exists, copy and paste this at the end of it:
|;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3
- If a Value does not currently exist, copy and paste this:
;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3
- Click Change to apply the new ABExclusion.
Additional Notes
- This ABExclusion instructs the Agents not to send Events related to the specific PowerShell .ps1 files to the server, while still scanning the files and tracking their operations in the Agent's own local cache.
- Leading/trailing spaces are not supported in ABExclusion rules.
- ABExclusions are separated by the pipe character |.
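The following is an added example, not part of the original article or the product: a Python check of which file names the three patterns in the rule above would cover, plus a helper that builds the new ABExclusionRules value according to the notes above. It assumes `?` matches exactly one character and `*` any run of characters, compared case-insensitively against the file name only; the function names and sample file names are constructed for illustration.

```python
import fnmatch

# Rule string exactly as given in the Resolution steps above.
RULE = ";????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3"

def name_patterns(rule):
    """File-name patterns: the comma-separated list in the rule's second ';' field."""
    return rule.split(";")[1].split(",")

def matching_pattern(filename, rule=RULE):
    """Return the first pattern that covers filename, or None.
    Assumption: '?' is one character, '*' any run, case-insensitive."""
    name = filename.lower()
    for pat in name_patterns(rule):
        if fnmatch.fnmatchcase(name, pat.lower()):
            return pat
    return None

def append_exclusion(existing, rule=RULE):
    """Build the new ABExclusionRules value: rules are joined with '|',
    and no rule may carry leading or trailing spaces."""
    entries = existing.split("|") if existing else []
    for entry in entries + [rule]:
        if entry != entry.strip():
            raise ValueError(f"leading/trailing space in rule: {entry!r}")
    if rule in entries:
        return existing  # already present, do not add it twice
    return "|".join(entries + [rule])

# Constructed sample names, standing in for file names seen in backlog events.
SAMPLES = [
    "__PSScriptPolicyTest_abcd1234.xyz.ps1",
    "abcd1234.xyz.ps1",
    "3f2b8c1e-1a2b-3c4d-5e6f-0123456789ab.ps1",
    "Deploy-App.ps1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:45} -> {matching_pattern(sample)}")
    print(append_exclusion(""))
```

Names that print `None` are not covered by the exclusion, so their Events would still be sent to the server.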