Block or Prevent PowerShell With App Control



Article ID: 378310


Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

What steps are required to block PowerShell with Custom Rules in App Control?

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

Because PowerShell is deeply integrated with the operating system, blocking it outright is not recommended: Windows components, management tooling, and many installers depend on it. Instead, restrict specific aspects of PowerShell while monitoring the rest.

The supported way to restrict PowerShell in App Control is the Powershell Protection Rapid Config rather than hand-written Custom Rules:

  1. Log in to the Console and navigate to Rules > Software Rules > Rapid Configs.
  2. Click View Details (pencil icon) next to Powershell Protection.
  3. Change the Status to Enabled.
    • Start the Rapid Config conservatively:
      • In Report mode, so matching PowerShell activity is logged but not blocked
      • Limited to a specific (pilot) Policy rather than every endpoint
  4. Monitor Reports > Events for the resulting events.
    • Use them to tune the Rapid Config and eliminate false positives (legitimate scripts, scheduled tasks, management agents) before changing it to Block.
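The tuning in step 4 is easier when the Report-mode events are summarized instead of read one at a time. The following PowerShell script is an added example, not part of this article or of the App Control product: it takes an Events export, groups the Powershell Protection events by user and command line, and flags the command lines that look like abuse so they stay blocked while repeated, benign scripts are queued for review and approval. The column names (Timestamp, Policy, RuleName, Process, User, CommandLine, Description) and the sample rows are constructed for the example and are assumptions; map them to the columns of your own Reports > Events export.

```powershell
# Added example (not from the KB article or the App Control product).
# Summarize Report-mode Powershell Protection events to decide what to approve
# before switching the Rapid Config to Block.
#
# ASSUMPTION: the column names below are illustrative. Check them against the
# header row of your own Reports > Events export and rename as needed.

# Constructed sample export, embedded as a here-string so the script runs offline.
$sampleCsv = @'
Timestamp,Policy,RuleName,Process,User,CommandLine,Description
2024-01-15 09:01:12,Pilot Policy,Powershell Protection,c:\windows\system32\windowspowershell\v1.0\powershell.exe,CORP\jdoe,"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Inventory.ps1","Report only: execution would have been blocked"
2024-01-15 09:03:44,Pilot Policy,Powershell Protection,c:\windows\system32\windowspowershell\v1.0\powershell.exe,CORP\svc_sccm,"powershell.exe -NoProfile -File C:\ProgramData\SCCM\health.ps1","Report only: execution would have been blocked"
2024-01-15 09:10:05,Pilot Policy,Powershell Protection,c:\windows\system32\windowspowershell\v1.0\powershell.exe,CORP\jdoe,"powershell.exe -nop -w hidden -enc SQBFAFgA...","Report only: execution would have been blocked"
2024-01-15 09:12:30,Pilot Policy,Powershell Protection,c:\windows\system32\windowspowershell\v1.0\powershell.exe,CORP\svc_sccm,"powershell.exe -NoProfile -File C:\ProgramData\SCCM\health.ps1","Report only: execution would have been blocked"
'@

$events = $sampleCsv | ConvertFrom-Csv
# For a real export, replace the line above with:
# $events = Import-Csv -Path .\events.csv

function Get-PowerShellTuningSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events
    )

    # Heuristic patterns that usually mean abuse rather than an admin script:
    # encoded commands, hidden windows, execution-policy bypass, download cradles.
    # This is an example heuristic, not a product rule; adjust it for your estate.
    $suspicious = '(?i)(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass|downloadstring|\biex\b)'

    $Events |
        Where-Object { $_.RuleName -eq 'Powershell Protection' } |
        Group-Object -Property User, CommandLine |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count       = $_.Count
                User        = $first.User
                CommandLine = $first.CommandLine
                # Repeated, non-suspicious command lines are the false-positive
                # candidates to approve (for example via a Custom Rule on the
                # script path); suspicious ones should remain blocked.
                Verdict     = if ($first.CommandLine -match $suspicious) { 'Keep blocked' } else { 'Review for approval' }
            }
        } |
        Sort-Object -Property Count -Descending
}

Get-PowerShellTuningSummary -Events $events | Format-Table -AutoSize -Wrap
```

Run it against each day's export while the Rapid Config is in Report mode on the pilot Policy; when the "Review for approval" rows are down to known scripts that have been approved, the Rapid Config can be switched to Block with far fewer surprises.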

Additional Information