You can utilize HIPS in lieu of this specific VSE Access Protection rule by enabling IPS rule 3893 (Access Protection - Prevent execution of scripts from the Temp folder). This will enable you to create a more specific (IPS) exception while maintaining a higher level of security than VSE would offer by excluding cscript in its entirety.
I would also like to see the exclusion filters apply to the Threat Target File Path field. This seems like the most obvious way to combat the problem.
The suggestions to use high/low risk processes rules unfortunately have no bearing on the Access Control policies.
While HIPS policies may give you finer control here, HIPS is a complicated beast to deploy. This should be a simple thing. If you have a rule that is described as "controlling scripts" in the temp folder, and you have a provision for exclusions, then the exclusion should at least apply to the script name and not the interpreter. This is a good idea but unfortunately the implementation renders it useless.
Message was edited by: newbernd on 4/16/13 9:09:22 AM CDT