Beginning in Windows Agent 10.3, Domain Name Parsing can be enabled via the Agent Setting, 'Domain Name Parsing'.
Prior to Windows Agent 10.3, Driver Domain Name Parsing was enabled via the Option, 'EnableDriverDomainNameParsing', and this would enable parsing from all network traffic, which could be resource heavy.
The new Domain Name Parsing Agent Setting improves this process by parsing only network traffic on ports 80 and 443. It can also be narrowed to a specific list of processes, or set to parse traffic from all processes.
If the legacy Option is enabled, configuring an Agent Setting will take precedence over the legacy Option.
Domain Name Parsing Agent Setting
Navigate to Agent Settings.
Select the New Setting button at the top left.
In the Create Settings sidebar, select Domain Name Parsing from the Setting Type dropdown.
Next, select the desired 'Applies To'.
Then, select the required parameter.
- Disable
  - Driver registry key 'Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ThreatLockerDriver\Parameters\network.enableDomainNameParsing' will be set to false
  - Agent registry key 'Computer\HKEY_LOCAL_MACHINE\SOFTWARE\ThreatLocker\DomainParsingSetting' will be present with Setting Mode 0 and paths []
  - The driver will not parse domain names from network packets
- All Processes
  - Driver registry key 'Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ThreatLockerDriver\Parameters\network.enableDomainNameParsing' will be set to true
  - Agent registry key 'Computer\HKEY_LOCAL_MACHINE\SOFTWARE\ThreatLocker\DomainParsingSetting' will be present with Setting Mode 1 and paths []
  - The driver will parse domain names from network packets for all processes
- Specified Paths
  - Driver registry key 'Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ThreatLockerDriver\Parameters\network.enableDomainNameParsing' will be set to true
  - Agent registry key 'Computer\HKEY_LOCAL_MACHINE\SOFTWARE\ThreatLocker\DomainParsingSetting' will be present with Setting Mode 2, and paths will be a list of paths, separated by commas
  - The driver will parse domain names from network packets for a set list of processes which are maintained by the driver.
  - If Web Control product is enabled, web browser paths, although not stored in the registry key, will be included in the list of processes for which domain names are parsed, and be visible in the Unified Audit.
Select the 'Create' button.
To send this new setting to the Agents without waiting for a full check-in, press the 'Update Agents' button.
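To confirm on an endpoint that the setting arrived, the driver flag and the agent's Setting Mode can be checked against the three parameter states listed above. The following PowerShell is an added example, not ThreatLocker's own tooling: the registry locations are the ones listed in this article, while `Test-DomainParsingState` is a hypothetical helper, and reading the last path segment as a value name and the driver flag as 1/true are assumptions.

```powershell
# Added example. Registry locations are the ones this article lists; treating the last
# path segment as a value name, and the driver flag as 1/true, are assumptions.
$DriverKey  = 'HKLM:\SYSTEM\ControlSet001\Services\ThreatLockerDriver\Parameters'
$DriverName = 'network.enableDomainNameParsing'
$AgentKey   = 'HKLM:\SOFTWARE\ThreatLocker'
$AgentName  = 'DomainParsingSetting'

# Hypothetical helper: compares one endpoint's state with the article's three modes.
function Test-DomainParsingState {
    param(
        [Parameter(Mandatory)] [bool] $DriverEnabled,
        [Parameter(Mandatory)] [int]  $SettingMode,
        [string[]] $Paths = @()
    )
    $modes = @{ 0 = 'Disable'; 1 = 'All Processes'; 2 = 'Specified Paths' }
    $problems = @()
    if (-not $modes.ContainsKey($SettingMode)) {
        $problems += "Setting Mode $SettingMode is not one of 0, 1, 2"
    } else {
        # Mode 0 pairs with driver flag false; modes 1 and 2 pair with true.
        $expected = $SettingMode -ne 0
        if ($DriverEnabled -ne $expected) {
            $problems += "Driver flag is $DriverEnabled, expected $expected for mode $SettingMode"
        }
        # Only Specified Paths carries a path list; the other modes store [].
        if ($SettingMode -ne 2 -and $Paths.Count -gt 0) {
            $problems += "Mode $SettingMode should have empty paths, found $($Paths.Count)"
        }
        if ($SettingMode -eq 2 -and $Paths.Count -eq 0) {
            $problems += 'Mode 2 but no paths are listed'
        }
    }
    [pscustomobject]@{
        Mode       = $modes[$SettingMode]
        Consistent = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Read the live values (both are $null when the keys are absent).
$driverRaw = (Get-ItemProperty -Path $DriverKey -Name $DriverName -ErrorAction SilentlyContinue).$DriverName
$agentRaw  = (Get-ItemProperty -Path $AgentKey -Name $AgentName -ErrorAction SilentlyContinue).$AgentName
$driverOn  = "$driverRaw" -match '^(1|true)$'
"Driver flag: $driverRaw (enabled = $driverOn); agent setting: $agentRaw"

# Constructed inputs: a consistent 'Specified Paths' state, then a stale driver flag.
Test-DomainParsingState -DriverEnabled $true -SettingMode 2 -Paths 'C:\Tools\sample.exe'
Test-DomainParsingState -DriverEnabled $true -SettingMode 0
```

Take the Setting Mode and paths from the agent value that the script prints and pass them to the helper together with `$driverOn`; a result with `Consistent` set to false means the driver and agent entries do not match any of the three states described above.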
For assistance with enabling Agent Settings, please see Agent Settings | ThreatLocker Help Center.