Execution Blocks on psscriptpolicytest Powershell Scripts



Article ID: 286540


Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Execution Blocks on files similar to: c:\windows\temp\__psscriptpolicytest_w3zfet4t.u53.ps1
  • Block events each time powershell.exe is launched.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

These files are related to routine checks Microsoft implemented to determine which Language Mode to use for PowerShell.

Resolution

Custom Rule Creation:

Create a Custom Rule that still blocks the file (recording the Block event) but does not display a Notifier to the user:

  1. Log in to the Console and navigate to Rules > Software Rules > Custom > Add Custom Rule.
  2. Use the following details:
    • Rule Name: Block PS Script Policy Test (or something memorable)
    • Platform: Windows
    • Rule Type: Execution Control
    • Execute Action: Block
    • Notifier: Uncheck and select <none>
    • Path or File:
      • *\__psscriptpolicytest*.ps1
      • *\????????.???.ps1
    • Process: Any process
    • User: Any user
  3. Save

Custom ABExclusion:

Create an ABExclusion to further suppress the Event and File Information from being sent to the Server for processing:

  1. Navigate to https://ServerAddress/shepherd_config.php
  2. Select the Property "ABExclusionRules" and adjust the Value accordingly:
    • If a Value exists, copy & paste this to the end:
      |;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3
    • If a Value doesn't exist, copy & paste this:
      ;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3
  3. Click Change to apply the new ABExclusion.
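Before deploying the Custom Rule paths and the ABExclusion patterns above, it is worth checking exactly which file names they cover, since `????????.???.ps1` also matches any script with an eight-character name and a three-character middle extension. The script below is an added example, not Carbon Black code; it assumes the rule wildcards mean `*` (any run of characters) and `?` (exactly one character), which is what Python's `fnmatch` implements, and that the second `;`-separated field of the ABExclusion value carries the comma-separated file-name patterns (the other fields are left untouched, as the article does not describe them).

```python
"""Check which file names the Custom Rule / ABExclusion patterns match."""
import fnmatch

# Path or File patterns from the Custom Rule in the article.
CUSTOM_RULE_PATHS = [
    r"*\__psscriptpolicytest*.ps1",
    r"*\????????.???.ps1",
]

# ABExclusionRules value from the article (no existing value case).
AB_EXCLUSION = ";????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3"


def exclusion_patterns(value):
    """File-name patterns carried in an ABExclusion value.

    Assumption: patterns live in the second ';' field; a leading '|' (the
    'append to an existing value' form) is ignored.
    """
    fields = value.lstrip("|").split(";")
    return [p for p in fields[1].split(",") if p]


def matches(text, patterns):
    """Patterns that match `text`, compared case-insensitively."""
    lowered = text.lower()
    return [p for p in patterns if fnmatch.fnmatchcase(lowered, p.lower())]


def classify(paths, rule_paths=CUSTOM_RULE_PATHS, exclusion=AB_EXCLUSION):
    """Per path: Custom Rule patterns hitting the full path and ABExclusion
    patterns hitting the file name (ABExclusion patterns have no directory)."""
    excl = exclusion_patterns(exclusion)
    result = {}
    for full in paths:
        name = full.rsplit("\\", 1)[-1]
        result[full] = {"rule": matches(full, rule_paths),
                        "exclusion": matches(name, excl)}
    return result


if __name__ == "__main__":
    SAMPLES = [  # constructed file names; the first is the one from the article
        r"c:\windows\temp\__psscriptpolicytest_w3zfet4t.u53.ps1",
        r"c:\windows\temp\w3zfet4t.u53.ps1",
        r"c:\scripts\deploy01.old.ps1",   # ordinary script caught by ????????.???.ps1
        r"c:\scripts\Invoke-Backup.ps1",  # matched by nothing
    ]
    for path, hits in classify(SAMPLES).items():
        print(path, hits)
```

Run it against file names taken from your own Block events to confirm the patterns cover the noisy files and nothing you rely on.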

Additional Information

  • In many customer environments that use PowerShell heavily, the number of new files created by this causes significant overhead on the Server (processing and cataloging these files, events, etc.).
  • Some customers could see a reduction of as much as 50-60% of all File Events in their environment with the Custom Rule & ABExclusion above.
  • These files are generated with a new hash each time PowerShell is launched (the file contains a timestamp that makes each creation unique).