CB Protection:Is it possible to block wscript from running .vbs scripts?
search cancel

CB Protection:Is it possible to block wscript from running .vbs scripts?

book

Article ID: 285891

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Is it possible to block wscript from running .vbs scripts?

Environment

  • CB Protection Server: All versions
  • CB Protection Agents: All versions

Resolution

Yes, if the environment is configured to find .vbs files interesting.

Additional Information

  • .vbs files themselves are only interesting because one can enable a Visual Basic script rule to enable tracking of those. However a tool like wscript.exe doesn't care when the filename is called when you run it. If wscript.exe is approved on an endpoint, it can run any file, with any extension (or no extension). It's just a script processor. 
  • Choose to create a reporting rule to track any wscript.exe executions in order to review for malicious behavior, or simply block wscript.exe in the environment, and then create allow rules where needed for the tool to run in specific instances. Otherwise, wscript has no restrictions on what is run as long as wscript.exe is approved.
Powered by Wolken Software