Automatic Policy Creation
After you deploy the ThreatLocker agent, it will do its first learning based on what it finds and it will continue learning as your computers are in Learning Mode. By default, your computers will automatically be placed into Learning Mode as defined by their computer group. During this learning period, ThreatLocker is going to attempt to learn your environment and create sufficient Policies so that everything that is permitted and running today can continue to work once you lock down your endpoints.
During this initial learning period, ThreatLocker will continue to profile all the Applications that are running and installed in your environment and automatically create Policies for them.
Although most things are, not every Application will be automatically cataloged during Learning Mode. ThreatLocker uses advanced algorithms combined with past experiences to create Application Definitions and Policies when your endpoints are in Learning Mode. These algorithms can change from Application to Application.
As a general rule, Applications that are installed in correct locations such as the Program Files folder, AppData, and in the Windows directory are going to be learned and have Policies automatically created for them. Applications running in the WinSXS folder and temporary folders will also be profiled and have Policies created for them.
Applications that are installed in your Documents folder, Downloads folder, Desktop folder, Users folders, or a folder at the root of C:\ are not going to be profiled during the automatic Learning period unless ThreatLocker is able to match them to an Application name. ThreatLocker uses various algorithms and parameters to decide an Application's name. When you are onboarding, ThreatLocker is trying to figure out what all your Applications are. ThreatLocker uses the location of the Application, what process is calling it, and many other rules in its algorithms to decide what an Application is and what to name it.