Process scripts
Available only on Windows 10 endpoint machines.
ESET Inspect On-Prem uses the Antimalware Scan Interface (AMSI) to obtain script content from ESET Inspect Connector machines through ESET Endpoint Security. AMSI does not execute anything itself: the script engine hands the content it is about to run to AMSI at execution time (after any string building or decoding done by the script), Endpoint Security's AMSI provider scans that buffer, and the captured content is forwarded to ESET Inspect.
ESET Inspect Connector machines need ESET Endpoint Security (EES) 7.2 or later with the AMSI option enabled in Advanced Settings > Detection Engine > Advanced Options (enabled by default). If the option is disabled, no script content is collected even though the rest of the Connector works.
On Windows 10, AMSI provides information about:
• PowerShell (scripts, interactive use, and dynamic code evaluation)
• Windows Script Host (wscript.exe and cscript.exe)
• JavaScript and VBScript
• Office VBA macros
To detect suspicious VBA macros on monitored machines, ESET Inspect needs Office 365 version 1808 or later with macro runtime scanning enabled. Office only passes macro content to AMSI when the HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Common\Security\MacroRuntimeScanScope registry value (DWORD) is set to 1 (scan macros in low-trust documents) or 2 (scan macros in all documents); %VERSION% is the Office major version key, for example 16.0. The value is per user and must be set for every user profile that runs Office. To set it to 1 for every Office version key under the current user, either edit the registry directly or run the following command line (it creates the Common\Security subkeys if they are missing):
powershell.exe -command "if (Test-Path -Path HKCU:\Software\Microsoft\Office) { foreach ($reg_path in Get-ChildItem -Path HKCU:\Software\Microsoft\Office | Where-Object {($_.Name.Contains(\".\"))}) { $reg_sub_path = (Join-Path -Path $reg_path.Name -ChildPath '').Replace(\"HKEY_CURRENT_USER\", \"HKCU:\"); $reg_sub_path_common = (Join-Path -Path $reg_path.Name -ChildPath 'Common').Replace(\"HKEY_CURRENT_USER\", \"HKCU:\"); $reg_sub_path_common_security = (Join-Path -Path $reg_path.Name -ChildPath 'Common\Security').Replace(\"HKEY_CURRENT_USER\", \"HKCU:\"); if (!(Test-Path -Path $reg_sub_path_common)) { New-Item -Path $reg_sub_path -Name \"Common\"; } if (!(Test-Path -Path $reg_sub_path_common_security)) { New-Item -Path $reg_sub_path_common -Name \"Security\"; } Set-ItemProperty -Path $reg_sub_path_common_security -Name \"MacroRuntimeScanScope\" -Value 1; }}"
Once the command above has been run on the ESET Inspect Connector machine, the VBA macro content that Office passes to AMSI is shown in the ESET Inspect Web Console together with the other captured script content.
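As an added verification step (this is an example written for this page, not ESET's documentation or tooling), the following PowerShell script shows the two prerequisites a practitioner would want to confirm before expecting macro content in the Web Console: that an AMSI provider (such as the one installed by ESET Endpoint Security) is actually registered on the machine, and what MacroRuntimeScanScope is set to for each Office version key under HKCU. With the -Remediate switch it sets the value to 1, which is what the command above does. The registry locations are the standard Windows AMSI provider registration and Office security keys; the function names and the -Remediate switch are this example's own. It assumes Windows PowerShell 5.1 or later and reads registry keys only, so it can be run as the Office user without elevation.

```powershell
# Added example: check AMSI provider registration and Office macro scanning state.
# Not part of ESET documentation. Assumes Windows 10, PowerShell 5.1+, Office 2016+
# (per-version keys under HKCU:\Software\Microsoft\Office\<major>.0).
[CmdletBinding()]
param(
    # Set MacroRuntimeScanScope = 1 on every Office version key where it is missing or 0.
    [switch]$Remediate
)

function Get-AmsiProvider {
    # Each AMSI provider registers its COM CLSID under this key; the DLL path comes
    # from the CLSID's InprocServer32 default value. No providers means AMSI has nothing to scan with.
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $root)) { return @() }
    Get-ChildItem -Path $root | ForEach-Object {
        $clsid = $_.PSChildName
        $srv   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        [pscustomobject]@{
            Clsid = $clsid
            Name  = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            Dll   = if (Test-Path -Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { '<no InprocServer32>' }
        }
    }
}

function Get-OfficeMacroScanScope {
    # Office keeps per-version settings under HKCU:\Software\Microsoft\Office\<major>.<minor>.
    # A Group Policy value under HKCU:\Software\Policies\... overrides the user value when present.
    $office = 'HKCU:\Software\Microsoft\Office'
    $policy = 'HKCU:\Software\Policies\Microsoft\Office'
    if (-not (Test-Path -Path $office)) { return @() }
    Get-ChildItem -Path $office | Where-Object { $_.PSChildName -match '^\d+\.\d+$' } | ForEach-Object {
        $ver     = $_.PSChildName
        $secPath = Join-Path -Path $office -ChildPath "$ver\Common\Security"
        $polPath = Join-Path -Path $policy -ChildPath "$ver\Common\Security"
        $user = $null; $pol = $null
        if (Test-Path -Path $secPath) {
            $user = (Get-ItemProperty -Path $secPath -Name MacroRuntimeScanScope -ErrorAction SilentlyContinue).MacroRuntimeScanScope
        }
        if (Test-Path -Path $polPath) {
            $pol = (Get-ItemProperty -Path $polPath -Name MacroRuntimeScanScope -ErrorAction SilentlyContinue).MacroRuntimeScanScope
        }
        # Effective value: policy wins, then user value, else the setting is absent (scanning off).
        $eff = if ($null -ne $pol) { $pol } else { $user }
        $status = if ($null -eq $eff)  { 'not set (macro scanning off)' }
                  elseif ($eff -eq 0)  { 'disabled' }
                  elseif ($eff -eq 1)  { 'enabled for low-trust documents' }
                  elseif ($eff -eq 2)  { 'enabled for all documents' }
                  else                 { "unknown value $eff" }
        [pscustomobject]@{
            Version   = $ver
            UserPath  = $secPath
            UserValue = $user
            PolicyVal = $pol
            Effective = $status
        }
    }
}

function Set-OfficeMacroScanScope {
    # Writes the user value (same effect as the one-liner in the documentation). -Force on the
    # registry provider creates the missing Common\Security subkeys in one step.
    param([int]$Scope = 1)
    foreach ($entry in Get-OfficeMacroScanScope) {
        if (-not (Test-Path -Path $entry.UserPath)) { New-Item -Path $entry.UserPath -Force | Out-Null }
        Set-ItemProperty -Path $entry.UserPath -Name MacroRuntimeScanScope -Value $Scope -Type DWord
        Write-Host "Set MacroRuntimeScanScope=$Scope for Office $($entry.Version)"
    }
}

Write-Host '== Registered AMSI providers (HKLM) =='
$providers = @(Get-AmsiProvider)
if ($providers.Count -eq 0) { Write-Warning 'No AMSI provider registered; script content will not be scanned.' }
$providers | Format-Table -AutoSize

Write-Host '== Office MacroRuntimeScanScope (HKCU, current user) =='
$scopes = @(Get-OfficeMacroScanScope)
if ($scopes.Count -eq 0) { Write-Warning 'No Office version keys under HKCU; is Office installed for this user?' }
$scopes | Format-Table -AutoSize

if ($Remediate) {
    Set-OfficeMacroScanScope -Scope 1
    Get-OfficeMacroScanScope | Format-Table Version, Effective -AutoSize
}
```

Run the script once per user profile that opens Office documents; a value written under one user's HKCU does nothing for another user, and a Group Policy value in the Policies hive (if your organization sets one) takes precedence over whatever the one-liner wrote. If the provider table is empty, check the AMSI option in the Endpoint Security policy before looking anywhere else.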