Script blocking settings
Accessing the settings
- From the top menu, select Settings. From the side menu, select Script blocking.
- Click Add. The Add settings page opens.
You can assign script blocking settings only to Windows workstations and servers.
Required permissions
| Permission | Access type |
|---|---|
| Configure script blocking | Create, edit, delete, copy, or assign script blocking settings profiles. |
| View script blocking settings | View script blocking settings profiles. |
Script blocking module operation
Create a script blocking settings profile that you assign to the computers on your network. The settings profile contains a list of rules, and each rule includes a series of attributes that describe a script and an action (block or allow).
Each time a user tries to run a script on the endpoint, Advanced EDR goes through the rules in the specified order and compares the script with the attributes defined in each rule. When it finds a rule that matches the script, it applies the corresponding action and ends the process. No other rules are considered.
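The following Python sketch is an added illustration of the first-match behavior described above; it is not Advanced EDR code. It assumes that the conditions in a rule are combined with AND, that the only operator is equality, that inactive rules are skipped, and that a script matching no rule has no defined action. The rule names, the script type value, and the hash values are constructed samples.

```python
# Added illustration: a simplified model of first-match rule evaluation.
# Assumptions (not from the product): conditions in a rule are ANDed, the only
# operator is equality, inactive rules are skipped, and an unmatched script
# yields None because the page does not state a default action.
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str            # "Block" or "Allow"
    conditions: dict       # property name -> required value
    active: bool = True

    def matches(self, script: dict) -> bool:
        return all(script.get(p) == v for p, v in self.conditions.items())


def evaluate(rules, script):
    """Return (rule name, action) of the first active rule that matches."""
    for rule in rules:
        if rule.active and rule.matches(script):
            return rule.name, rule.action   # evaluation stops here
    return None


def shadowed(rules):
    """Find active rules that can never fire: an earlier active rule whose
    conditions are a subset of theirs matches every script they match."""
    found = []
    active = [r for r in rules if r.active]
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if earlier.conditions.items() <= later.conditions.items():
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample profile and script event (all values are made up).
ALLOW_KNOWN = Rule("Allow inventory script", "Allow",
                   {"Script type": "PowerShell", "Script SHA-256": "aa11"})
BLOCK_PS = Rule("Block PowerShell", "Block", {"Script type": "PowerShell"})
EVENT = {"Script type": "PowerShell", "Script SHA-256": "aa11",
         "Execution": "Local", "Loader file name": "powershell.exe"}

GOOD_ORDER = [ALLOW_KNOWN, BLOCK_PS]   # exception first, broad rule second
BAD_ORDER = [BLOCK_PS, ALLOW_KNOWN]    # exception is never reached
```

With `GOOD_ORDER` the sample script is allowed by the specific rule; with `BAD_ORDER` the broad block rule matches first and `shadowed()` reports the allow rule as unreachable.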
Creating a script blocking settings profile
- From the top menu, select Settings.
- From the side menu, select Script blocking. The list of existing script blocking profiles opens.
- Click Add. The Add settings page opens.
- In the Name text box, type a name for the settings profile. In the Description text box, type a description of the profile.
- Click No recipient selected to select the computers you want to receive the settings profile.
- To add a new rule, click Add rule. The Add rule page opens.
  - In the Name text box, type a name for the rule.
  - Select the action that Advanced EDR must take on the script: Block or Allow.
  - To make the rule active, enable the Active toggle.
  - Configure the conditions for the rule. See Configuring a script blocking rule.
  - Click Add. The rule is added to the settings profile, and shows its name (1), status (2), and action (3).
- To change the order of a rule, click the icon for the rule and drag it to a new position in the list. The script blocking action applies to the first rule in the list that matches the attributes of the script.
- To edit a rule:
  - Select the rule. The Edit rule page opens.
  - Edit the rule.
  - Click Save. The rule updates.
- To delete a rule, click the icon for the rule.
- To notify computer users about scripts blocked by any of the rules:
  - Enable the Notify computer users about blocked scripts toggle.
  - To add a custom message to the alerts that show on the endpoint, type a message in the Add the following custom message to alerts text box.
- Click Save. Advanced EDR applies the settings to the specified computers.
Configuring a script blocking rule
- From the drop-down menu, select a property.
- From the drop-down menu, select an operator.
- From the drop-down menu, select a value.
- To add more rules, click .
- To remove a rule, click .
This table shows the operator and possible values for each property:
| Property | Description |
|---|---|
| Execution | Script execution type (local or remote). |
| Interactive execution | Script requires an interactive shell. |
| Command line | Command line used to run the script. |
| Loader MD5 | MD5 of the file that interprets the script. |
| Script MD5 | MD5 of the file that contains the script. |
| Loader file name | Name of the file that interprets the script. |
| Script file name | Name of the file that contains the script. |
| Owner | |
| Loader path | Path of the file that interprets the script. |
| Script path | Path of the file that contains the script. |
| Loader SHA-256 | SHA-256 of the file that interprets the script. |
| Script SHA-256 | SHA-256 of the file that contains the script. |
| Script type | Programming language used to write the script, according to the file extension: |
| Execution user | User account that ran the script. |

Configurable properties of a script blocking rule