
Because OS versions before Windows 10 / Windows Server 2016 do not support AMSI events, Trend Micro Vision One Endpoint uses Windows event ID 4104 (PowerShell script block logging) as a substitute. PowerShell Script Block Logging is turned on during initial installation or upgrade on the following platforms:

  • Windows 8.1 (32/64-bit)
  • Windows 7 (32/64-bit)
  • Windows Server 2012 / 2012 R2 (64-bit)
  • Windows Server 2008 R2 (64-bit)

This feature will be turned on in CloudEndpoint version 1.2.0.3292.


Note that the following registry value, which enables Windows event 4104, will be set on the endpoint:

  • Registry Key: HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
  • EnableScriptBlockLogging = 1


If a Group Policy for this setting exists in your organization, make sure it is set to Enabled or Not Configured, so that the registry value set by the agent is not overridden:

  • Path: Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
  • Turn on PowerShell Script Block Logging: Enabled / Not configured
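To confirm that the registry value above is in place and that 4104 events are actually being written, the following check can be run in an elevated PowerShell session on the endpoint. This is an added example, not part of the Trend Micro article; it assumes the default Microsoft-Windows-PowerShell/Operational log and a freshly created marker script block.

```powershell
# Added example (not from the Trend Micro article): verify PowerShell Script Block
# Logging on an endpoint. Run in an elevated PowerShell session.

$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$valueName = 'EnableScriptBlockLogging'

# 1. Registry check: the value the agent sets during install / upgrade.
#    A Group Policy set to Disabled writes 0 to this same policy key.
$value = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $value) {
    Write-Warning "Key or value missing: $keyPath\$valueName"
} elseif ($value.$valueName -eq 1) {
    Write-Host "Script Block Logging is enabled in the registry ($valueName = 1)."
} else {
    Write-Warning "$valueName is $($value.$valueName); check Group Policy (gpresult /h report.html)."
}

# 2. Functional check: run a script block containing a unique marker (constructed
#    here) and look for a matching event ID 4104 in the PowerShell Operational log.
$marker = "ScriptBlockLoggingCheck-$(Get-Random)"
& ([scriptblock]::Create("Write-Output '$marker'")) | Out-Null
Start-Sleep -Seconds 2

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 50 -ErrorAction SilentlyContinue

if ($events | Where-Object { $_.Message -like "*$marker*" }) {
    Write-Host "Event 4104 was recorded for the test script block."
} else {
    Write-Warning "No 4104 event found for the test block; check the log and the policy setting."
}
```

Script block logging (event 4104) requires Windows PowerShell 5.0 or later, so on Windows 7 / Windows Server 2008 R2 the Windows Management Framework 5.x update must be present for the check to succeed.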
