We have "Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders" rule enabled to BLOCK in our domain and works great. Maybe too great. There seems to be one script that runs from the temp folders that is part of GDRIVE desktop app and when blocks, its throwing one of those ominous critical windows errors pop ups to the user.
Would there be a way to avoid this without disabling the block altogether? It looks to me that the exclusions screen is for executables rather than destination file executed... so not sure what options do i have here. We are n ENS 10.5.2
the invisible.vbs is upgrade script.. so only will run when google drive is updating or checking for new version.. we had same issue and just ignored it since not allot of people is using google.drive..
this rule is McAfee defined and you cannot exclude target paths/files. But you can recreate this rule: just create a new rule, add the cscript, wscript, ... executables under "Ausführbare Dateien" and add the TEMP folders under "Untergeordnete Regeln"/"Ziele" but add a "Ziel" with **\Windows\Temp\*.vbs and "Einschlussstatus" is "Ausschließen".
I know it's an old post but I have a similar problem witch this rule
I duplicated the existing policy to make a test one disabled the original rule and make a new one named
"Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement"
wscript.exe and cscript.exe with inclusion status "include"
In subrules i've added only temp foldes for this test
Subrule type: Files
File, folder name, or file path
File, folder name, or file path
Saved it, assigned to a test subgroup in system tree, moved a test pc into this group and enforced the new policy but it still trigers
HEADQUARTER\testuser ran WSCRIPT.EXE, which tried to access C:\USERS\testuser\APPDATA\LOCAL\TEMP\$LDTMP$\, violating the rule "Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement", and was blocked. For information on how to respond to this event, see KB85494.
@PawelEm Access Protection is a process/executable monitoring/blocking feature. As such, you can only exclude processes/executables from an AP rule, not file paths or non-executable files.
What gets excluded from rules are executable files/processes that are acting against the end file/what is being protected by a particular rule---which is what is blocked. For your rule, in the way it is configured, the only thing you can exclude is wscript.exe or cscript.exe---which obviously negates the purpose of the rule.
Side note: Exclusions can contain wildcards when applicable/needed, but must end in a defined executable-type extension. i.e. **\Temp\**\*.exe. An undefined file path-type exclusion will not be honored on any rule.
For the rule in question, to achieve what you desire, the rule needs to be completely reconfigured. This would require either duplicating the rule (which currently, unfortunately, isn't possible--and I would recommend submitting a PER to allow for this to be done) or disabling the rule and creating a new user-defined one from scratch which allows for modification of sub-rules.
Since achieving replication is difficult at best, I've done so for you based on what it seems you're attempting to achieve and have attached it. You can import this .xml and then copy the config you see there. It is easier for me to give it to you in this form than map out in text what would need to go where.
I've made two versions, one that includes just the closest recreation possible via a user-defined rule of the "Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders" rule. This will allow modification of the sub-rule to allow paths to be excluded from the core of the rule. It is named "2.0: Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders". This can be imported and used for reference by anyone, if desired.
The second, is one specifically for PawelEM that has both the recreation of the original + your desired exclusion, AND replication of what I assume your attempted replication was based on your previous post.
Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?