Carbon Black will block any executables it pulls down though. And I think it may also block scripts as well. Executables have to be whitelisted before they can run.
Its an extremely strict approach, but it does address the situation you're talking about.
If you write a batch file on a Windows PC with Carbon Black on it, you will not be able to run it. Of course there is customisation available to tweak what is/isn't allowed.
Yes, but that's like 1% of the actual surface area for "running a script". I am not a Windows expert but on, say, Linux you can overwrite a script that someone has already run, or modify a script that is already running, or use an interpreter that your antivirus doesn't know about, or sit around and wait for a script to get run and then try to swap yourself into the authorization that gets granted for that, or…there's a whole lot of things. I assume Windows has most of the same problems. My confidence in Carbon Black stopping this is quite low.
Its an extremely strict approach, but it does address the situation you're talking about.