Hello everyone,

I would like to ask what is the best approach to prevent and/or monitor the execution of PowerShell scripts or even the use of the PowerShell application on the computers in my IT environment, using Check Point Endpoint Security.

My objectives are:

• Preventing PowerShell execution (in cases where it's not required by end users);

• Detecting/alerting when PowerShell is executed — especially in suspicious contexts (e.g., powershell.exe -Encoded Command, etc.);

• Monitoring or blocking the creation/execution of Scheduled Tasks (schtasks.exe), which are often used for malicious persistence.

Specific questions:

• Is it possible to create block rules to prevent PowerShell usage, while allowing exceptions if needed?

• Are there ways to generate alerts or detailed logs when PowerShell is executed (even if it's legitimate)?

• Does Harmony Endpoint allow for visibility over suspicious scheduled task creation?

• Are there any best practices or recommended profiles to mitigate this type of behavior?

I appreciate any guidance or sharing of experiences with these configurations.

Best regards,
K