Use case 1: Prevent PowerShell from starting
Scenario: You want to prevent PowerShell from starting when a user launches a browser (here Internet Explorer), because a browser that can spawn PowerShell could be used to install malware on the agent computers.
- Start by entering a Description and, if required, a Comment on the General tab. As this is a rather general rule, give it a low Priority. Leave Enable rule checked (default).
On the Filter tab, specify the following:
- Enter the full path to iexplore.exe in the Accessing application text box. Alternatively, you could use an application collection that contains several browsers.
- Check Pass to child processes so that the rule also applies when the browser starts powershell.exe indirectly, e.g. from the command line (cmd.exe), which is a child process of the browser.
- Since you want to prevent PowerShell from starting from Internet Explorer, specify Execute as Access mode.
- Browse for a file or a folder in the Started applications or paths text box; in this example, enter powershell.exe as the file name.
We recommend specifying only the file name in blocking rules so that all instances are covered. If you specify the full path, note that several program instances may exist, e.g. powershell.exe may be located in two different directories, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe or C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
Specify the following on the Action tab:
- As the measure, select blocking the access.
- For all other options, keep the default settings.
Conclusion: Every time iexplore.exe is called and tries to start PowerShell, PowerShell will be blocked.
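To make the rule semantics above concrete, here is an added example (not the product's own code or API) that models the blocking rule as a small evaluator and runs it over constructed process chains. It shows why Pass to child processes is needed for the iexplore.exe -> cmd.exe -> powershell.exe case, and why matching on the file name catches both the System32 and SysWOW64 copies of powershell.exe while a full-path rule misses one of them. The class and sample paths are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
import ntpath  # handles Windows-style paths on any platform


@dataclass
class BlockRule:
    """Constructed model of the blocking rule described in the use case (hypothetical, not the product's API)."""
    accessing_app: str             # full path or file name of the accessing application
    started_app: str               # file name or full path of the application to block
    pass_to_children: bool = True  # also apply when a child of the accessing app starts the target
    access_mode: str = "Execute"

    @staticmethod
    def _match(pattern: str, path: str) -> bool:
        # A bare file name matches in any directory; a full path must match exactly (case-insensitive).
        if "\\" in pattern:
            return pattern.lower() == path.lower()
        return pattern.lower() == ntpath.basename(path).lower()

    def blocks(self, target: str, ancestors: list[str], mode: str = "Execute") -> bool:
        """ancestors[0] is the direct parent of the new process, later entries its grandparents."""
        if mode != self.access_mode or not self._match(self.started_app, target):
            return False
        # Without Pass to child processes, only the direct parent is compared with the accessing app.
        chain = ancestors if self.pass_to_children else ancestors[:1]
        return any(self._match(self.accessing_app, p) for p in chain)


# Constructed sample paths for the scenario.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def evaluate_samples() -> dict[str, bool]:
    """Evaluate the recommended (file-name) rule and a full-path variant against typical launch chains."""
    by_name = BlockRule(accessing_app=IE, started_app="powershell.exe")
    by_path = BlockRule(accessing_app=IE, started_app=PS64)
    no_pass = BlockRule(accessing_app=IE, started_app="powershell.exe", pass_to_children=False)
    return {
        "ie_direct_ps64": by_name.blocks(PS64, [IE]),            # blocked
        "ie_cmd_ps64": by_name.blocks(PS64, [CMD, IE]),          # blocked via Pass to child processes
        "ie_cmd_ps64_no_pass": no_pass.blocks(PS64, [CMD, IE]),  # not blocked: cmd.exe is the direct parent
        "ie_ps32_by_name": by_name.blocks(PS32, [IE]),           # blocked: file name matches both copies
        "ie_ps32_by_fullpath": by_path.blocks(PS32, [IE]),       # not blocked: the gap the text warns about
        "explorer_ps64": by_name.blocks(PS64, [EXPLORER]),       # not blocked: rule is scoped to iexplore.exe
    }
```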