https://community.checkpoint.com/t5/Endpoint/Detect-Precent-powershell-execution/m-p/252689#M10638 <P>Hello everyone,</P><P>I would like to ask what is the best approach to prevent and/or monitor the execution of PowerShell scripts or even the use of the PowerShell application on the computers in my IT environment, using Check Point Endpoint Security.</P><P>My objectives are:</P><UL><LI><P>Preventing PowerShell execution (in cases where it's not required by end users);</P></LI><LI><P>Detecting/alerting when PowerShell is executed — especially in suspicious contexts (e.g., powershell.exe -Encoded Command, etc.);</P></LI><LI><P>Monitoring or blocking the creation/execution of <STRONG>Scheduled Tasks</STRONG> (schtasks.exe), which are often used for malicious persistence.</P></LI></UL><H3>Specific questions:</H3><UL><LI><P>Is it possible to create <STRONG>block rules</STRONG> to prevent PowerShell usage, while allowing exceptions if needed?</P></LI><LI><P>Are there ways to <STRONG>generate alerts or detailed logs</STRONG> when PowerShell is executed (even if it's legitimate)?</P></LI><LI><P>Does Harmony Endpoint allow for visibility over <STRONG>suspicious scheduled task creation</STRONG>?</P></LI><LI><P>Are there any <STRONG>best practices or recommended profiles</STRONG> to mitigate this type of behavior?</P></LI></UL><P>I appreciate any guidance or sharing of experiences with these configurations.</P><P>Best regards,<BR />K</P> Mon, 07 Jul 2025 15:41:47 GMT kiikoo15 2025-07-07T15:41:47Z https://community.checkpoint.com/t5/Endpoint/Detect-Precent-powershell-execution/m-p/252689#M10638 <P>Hello everyone,</P><P>I would like to ask what is the best approach to prevent and/or monitor the execution of PowerShell scripts or even the use of the PowerShell application on the computers in my IT environment, using Check Point Endpoint Security.</P><P>My objectives are:</P><UL><LI><P>Preventing PowerShell execution (in cases where it's not required by end users);</P></LI><LI><P>Detecting/alerting when PowerShell is executed — especially in suspicious contexts (e.g., powershell.exe -Encoded Command, etc.);</P></LI><LI><P>Monitoring or blocking the creation/execution of <STRONG>Scheduled Tasks</STRONG> (schtasks.exe), which are often used for malicious persistence.</P></LI></UL><H3>Specific questions:</H3><UL><LI><P>Is it possible to create <STRONG>block rules</STRONG> to prevent PowerShell usage, while allowing exceptions if needed?</P></LI><LI><P>Are there ways to <STRONG>generate alerts or detailed logs</STRONG> when PowerShell is executed (even if it's legitimate)?</P></LI><LI><P>Does Harmony Endpoint allow for visibility over <STRONG>suspicious scheduled task creation</STRONG>?</P></LI><LI><P>Are there any <STRONG>best practices or recommended profiles</STRONG> to mitigate this type of behavior?</P></LI></UL><P>I appreciate any guidance or sharing of experiences with these configurations.</P><P>Best regards,<BR />K</P> Mon, 07 Jul 2025 15:41:47 GMT https://community.checkpoint.com/t5/Endpoint/Detect-Precent-powershell-execution/m-p/252689#M10638 kiikoo15 2025-07-07T15:41:47Z https://community.checkpoint.com/t5/Endpoint/Detect-Precent-powershell-execution/m-p/252714#M10639 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/121487">@kiikoo15</a>&nbsp;</P> <P>I believe that first you could use this functionality below:</P> <P><A href="https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Topics-HEP/Application-Control-configuring-the-policy.html" target="_blank">Configuring Application Permissions in the Application Control Policy</A></P> Mon, 07 Jul 2025 19:28:03 GMT https://community.checkpoint.com/t5/Endpoint/Detect-Precent-powershell-execution/m-p/252714#M10639 lluner 2025-07-07T19:28:03Z