Environment
- App Control Agent: All Supported Versions
- App Control Console: All Supported Versions
- Microsoft Windows: All Supported Versions
Symptoms
- Blocks are seen on powershell files with a __psscriptpolicytest suffix.
- Block events each time powershell.exe is launched.
Cause
These files are related to
routine checks Microsoft implemented to determine which Language Mode to use for PowerShell. Blocking their execution reduces the attack surface of PowerShell by enabling Constrained Language Mode.
Resolution
Create a Custom Rule that enforces the Block event, but does not display a Notifier to the user.
- Log in to the Console and navigate to Rules > Software Rules > Custom > Add Custom Rule.
- Use the following details:
- Rule Name: Block PS Script Policy Test (or something memorable)
- Platform: Windows
- Rule Type: Execution Control
- Execute Action: Block
- Notifier: Uncheck and select <none>
- Path or File:
- *\__psscriptpolicytest*.ps1
- *\????????.???.ps1
- Process: Any process
- User: Any user
- Save
- Create the AB Exclusion referenced here to further suppress Event & File Information from being sent to Server for processing.
Additional Notes
- In many customer environments that use PowerShell heavily, the amount of new files created by this change cause significant overhead to the server - processing these new files, cataloging the new files, etc.
- Some customers are seeing as much as 50-60% of all file events in their environment generated due to these scripts.
- These files are generated with a new hash each time PowerShell is launched (the file contains a timestamp that makes each creation unique).
Related Content
