Process scripts
This feature is available only on Windows 10 endpoint machines.
ESET Inspect uses AMSI to get the content of scripts executed on ESET Inspect Connector machines through Endpoint Security.
ESET Inspect Connector machine needs EES 7.2 or later with AMSI option enabled in Advanced Settings > Detection Engine > Advanced Options section. It should be enabled by default.
On Windows 10, AMSI provides us information about:
•PowerShell (scripts, interactive use, and dynamic code evaluation)
•Windows Script Host (wscript.exe and cscript.exe)
•JavaScript and VBScript
•Office VBA macros
|
To detect suspicious VBA scripts on monitored machines, ESET Inspect needs Office 365 version 1808 and enabled macro scanning. To enable the macro scanning, the user should set the HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Common\Security\MacroRuntimeScanScope register value to 1 or run the following script in the command line: powershell.exe -command "if (Test-Path -Path HKCU:\Software\Microsoft\Office) { foreach ($reg_path in Get-ChildItem -Path HKCU:\Software\Microsoft\Office | Where-Object {($_.Name.Contains(\".\"))}) { $reg_sub_path = (Join-Path -Path $reg_path.Name -ChildPath '').Replace(\"HKEY_CURRENT_USER\", \"HKCU:\"); $reg_sub_path_common = (Join-Path -Path $reg_path.Name -ChildPath 'Common').Replace(\"HKEY_CURRENT_USER\", \"HKCU:\"); $reg_sub_path_common_security = (Join-Path -Path $reg_path.Name -ChildPath 'Common\Security').Replace(\"HKEY_CURRENT_USER\", \"HKCU:\"); if (!(Test-Path -Path $reg_sub_path_common)) { New-Item –Path $reg_sub_path –Name \"Common\"; } if (!(Test-Path -Path $reg_sub_path_common_security)) { New-Item –Path $reg_sub_path_common –Name \"Security\"; } Set-ItemProperty -Path $reg_sub_path_common_security -Name \"MacroRuntimeScanScope\" -Value 1; }}" |
That means the script mentioned above that was run on the ESET Inspect Connector machine displays content in the ESET Inspect Web Console.