• Execution Blocks on files similar to: c:\windows\temp\__psscriptpolicytest_w3zfet4t.u53.ps1
• Block events each time powershell.exe is launched.

• App Control Agent: All Supported Versions
• App Control Console: All Supported Versions
• Microsoft Windows: All Supported Versions

• These files are related to routine checks Microsoft implemented to determine which Language Mode to use for PowerShell.
• Blocking the file creation will switch PowerShell to Constrained Language Mode to help reduce the attack surface.

Custom Rule Creation:

Determine whether to block the creation of the files to enforce Constrained Language Mode, or to Approve the creation and allow Full Language Mode.

1. Log in to the Console and navigate to Rules > Software Rules > Custom > Add Custom Rule.
2. Use the following details:
   • Rule Name: Block PS Script Policy Test (or something memorable)
   • Platform: Windows
   • Rule Type: File Creation Control
   • Write Action:
     
     • Choose Block to enforce Constrained Language Mode
     • Choose Approve to allow Full Language Mode
   • Notifier or Approval Event: 
     • If Blocking: Uncheck Notifier and select <none>
     • If Approving: Uncheck Send Approval Event
   • Path or File:
     • *\__psscriptpolicytest*.ps1
     • *\????????.???.ps1
   • Process: Any process
   • User: Any user
3. Save

Custom ABExclusion:

Create an ABExclusion to suppress Event & File Information from being sent to Server for processing:

1. Navigate to https://ServerAddress/shepherd_config.php
2. Select the Property, "ABExclusionRules" and adjust the Value accordingly:
   • If a Value exists, copy & paste this to the end:

     |;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3

   • If a Value doesn't exist, copy & paste this:

     ;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3

3. Click Change to apply the new ABExclusion.