https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/btp-exception-not-working-for-ps1-script/m-p/1229979#M8334 <P>Hi Team -&nbsp;<BR /><BR /></P> <P>I've created a Legacy Agent Exception Rule to prevent the Behavioral Threat Protection component from blocking a specific (and legitimate) .ps1 file on my network (within a specific user profile), but Cortex keeps blocking the script.</P> <P>The command line in the alert is:</P> <P data-start="396" data-end="429">"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" " C:\Temp\ScriptName.ps1 "<BR /><BR />The exclusion rule was created as follows:<BR data-start="574" data-end="577" />Platform: Windows<BR data-start="598" data-end="601" />Module: Behavioral Threat Protection</P> <P data-start="645" data-end="741">Here are the options I've tried under Target Properties → Files / Folders in allow list:</P> <UL data-start="742" data-end="856"> <LI data-start="742" data-end="761">*ScriptName.ps1</LI> <LI data-start="762" data-end="788">C:\Temp\ScriptName.ps1</LI> <LI data-start="789" data-end="830">powershell.exe-fileScriptName.ps1</LI> <LI data-start="831" data-end="856">-file *ScriptName.ps1</LI> </UL> <P data-start="858" data-end="887">Prevention information:</P> <UL data-start="888" data-end="1124"> <LI data-start="888" data-end="918">OS version: 10.0.26100</LI> <LI data-start="919" data-end="966">Component: Behavioral Threat Protection</LI> <LI data-start="967" data-end="996">Status code: c0400067</LI> <LI data-start="997" data-end="1055">Prevention description: Behavioral threat detected</LI> <LI data-start="1056" data-end="1124">Additional information 1: Rule amsi_malicious.b.464633143106</LI> </UL> Sun, 25 May 2025 12:57:53 GMT L.Shmarya 2025-05-25T12:57:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/btp-exception-not-working-for-ps1-script/m-p/1229979#M8334 <P>Hi Team -&nbsp;<BR /><BR /></P> <P>I've created a Legacy Agent Exception Rule to prevent the Behavioral Threat Protection component from blocking a specific (and legitimate) .ps1 file on my network (within a specific user profile), but Cortex keeps blocking the script.</P> <P>The command line in the alert is:</P> <P data-start="396" data-end="429">"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" " C:\Temp\ScriptName.ps1 "<BR /><BR />The exclusion rule was created as follows:<BR data-start="574" data-end="577" />Platform: Windows<BR data-start="598" data-end="601" />Module: Behavioral Threat Protection</P> <P data-start="645" data-end="741">Here are the options I've tried under Target Properties → Files / Folders in allow list:</P> <UL data-start="742" data-end="856"> <LI data-start="742" data-end="761">*ScriptName.ps1</LI> <LI data-start="762" data-end="788">C:\Temp\ScriptName.ps1</LI> <LI data-start="789" data-end="830">powershell.exe-fileScriptName.ps1</LI> <LI data-start="831" data-end="856">-file *ScriptName.ps1</LI> </UL> <P data-start="858" data-end="887">Prevention information:</P> <UL data-start="888" data-end="1124"> <LI data-start="888" data-end="918">OS version: 10.0.26100</LI> <LI data-start="919" data-end="966">Component: Behavioral Threat Protection</LI> <LI data-start="967" data-end="996">Status code: c0400067</LI> <LI data-start="997" data-end="1055">Prevention description: Behavioral threat detected</LI> <LI data-start="1056" data-end="1124">Additional information 1: Rule amsi_malicious.b.464633143106</LI> </UL> Sun, 25 May 2025 12:57:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/btp-exception-not-working-for-ps1-script/m-p/1229979#M8334 L.Shmarya 2025-05-25T12:57:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/btp-exception-not-working-for-ps1-script/m-p/1230157#M8344 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/950972187">@L.Shmarya</a>&nbsp;,</P> <P>&nbsp;</P> <P>For BTP alerts related to powershell you need to reach out to Tech Support and get SUEX from them.</P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking like and&nbsp; on "mark this as a Solution". Thank you.</SPAN></P> Tue, 27 May 2025 09:28:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/btp-exception-not-working-for-ps1-script/m-p/1230157#M8344 aspatil 2025-05-27T09:28:14Z