Monitoring blocked Powershell events

Hello Community,

Currently we are blocking all powershell interaction on all clients in our company via the Application Control feature in sophos central.

We are aware that a lot of applications are using powershell for updating their services and stuff like that.

Currently we are missing any option to monitor the activity which process are trying to execute powershell.

In the Logs & Reports section we just see that the user tried to execute the powershell.exe but not which process.

On the Logs of the client itselfe we just get an entry "Powershell got blocked by the administrator".

With Sophos Live Discover we just see successfully executed Powershell commands so that doesnt help us as well.

Does someone know how we can review the processes which tried to execute powershell but got blocked by sophos?

Thanks in forward!

Sincerely Yours.

Parents
  • Application control doesn't record that sort of action because the call to powershell is blocked at the PS launch based on it being powershell. AppC doesn't care what the parameters passed are.

    If you have XDR, that populates the datalake with the commands set so you could see them through that query system. 

    Is the idea that you want to allow some applications to call powershell? You aren't going to be able to have that granular control with AppC - it's an all or nothing sort of thing. The application is allowed to launch or not - there is no conditions.

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Reply
  • Application control doesn't record that sort of action because the call to powershell is blocked at the PS launch based on it being powershell. AppC doesn't care what the parameters passed are.

    If you have XDR, that populates the datalake with the commands set so you could see them through that query system. 

    Is the idea that you want to allow some applications to call powershell? You aren't going to be able to have that granular control with AppC - it's an all or nothing sort of thing. The application is allowed to launch or not - there is no conditions.

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Children