Version
7.x
Issue
When using Custom Script Rules to block execution of PowerShell scripts (ps1 and psm1 files), execution of those files in PowerShell is not blocked.
Symptoms
Execution of a PowerShell script is not being blocked.
Cause
By default, the bundled Custom Script Rule for PowerShell uses "File Association" as the means of identifying the script to block. The default application in Windows for PowerShell scripts is Notepad, not powershell.exe, so the rule does not apply when a script is run from PowerShell.
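To confirm this cause on an endpoint, or to verify Solution 1 after applying it, the following added example (not vendor code) reports which program Windows will launch for ps1 and psm1 files. The function name `Get-ScriptOpenHandler` is hypothetical; the registry locations are the standard Windows file-association keys.

```powershell
# Added example: report the effective "open" handler for PowerShell script extensions.
# Get-ScriptOpenHandler is a hypothetical helper name, not part of any product.
function Get-ScriptOpenHandler {
    param([string[]]$Extension = @('.ps1', '.psm1'))

    foreach ($ext in $Extension) {
        # A per-user "Open with" choice takes precedence over the machine-wide default.
        $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
        $progId = (Get-ItemProperty -LiteralPath $userChoice -ErrorAction SilentlyContinue).ProgId
        $source = 'UserChoice'
        if (-not $progId) {
            # Fall back to the ProgID registered for the extension under HKEY_CLASSES_ROOT.
            $progId = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
            $source = 'HKCR'
        }

        $command = $null
        if ($progId) {
            $shellKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell"
            # The shell key's default value names the default verb; use "open" if it is unset.
            $verb = (Get-ItemProperty -LiteralPath $shellKey -ErrorAction SilentlyContinue).'(default)'
            $verb = if ($verb) { ($verb -split '[ ,]')[0] } else { 'open' }
            $command = (Get-ItemProperty -LiteralPath "$shellKey\$verb\command" -ErrorAction SilentlyContinue).'(default)'
        }

        [pscustomobject]@{
            Extension         = $ext
            ProgId            = $progId
            Source            = $source
            OpenCommand       = $command
            # False means a "File Association" rule will not see powershell.exe as the handler.
            OpensInPowerShell = [bool]($command -match '(?i)\\powershell\.exe')
        }
    }
}

Get-ScriptOpenHandler | Format-List
```

If `OpensInPowerShell` is False for either extension, the association still points elsewhere (Notepad by default) and the default rule will not block scripts run from PowerShell.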
Solution
Solution 1
Change the Windows settings so that PowerShell is the default application to launch when opening ps1 or psm1 files.
Solution 2
Change the rule to block "powershell.exe" instead of "File Association" by following these steps:
- Log in to the Bit9 Console
- Open Rules -> Software Rules -> Scripts
- Click the Edit icon for the PowerShell rule
- Open the dropdown for Script Definition and select "Script Type and Process"
- In the new Script Process section, enter "powershell.exe" (without the quotes), then click the Add button
- Save the Custom Script Rule