- Preventing the Exploitation of 3CX
  This is a developing situation, and we will continue to update this article as more information is made available. What is the 3CX exploitation? A compromised build of the 3CXDesktopApp (the Electron Windows client) is known to beacon out to malicious FQDNs. From 3CX: 3CX Security Alert for Electron Windows App | Desktop App. ThreatLocker recommendations: ThreatLocker has created two suggested policies for this compromise. Customers who use 3CX should add these suggested policies for their 3CX application definitions.
- Preventing the Exploitation of CVE-2023-23397
  Link to Microsoft Update Guide: CVE-2023-23397 - Security Update Guide - Microsoft - Microsoft Outlook Elevation of Privilege Vulnerability. What is CVE-2023-23397? CVE-2023-23397 is a vulnerability in Microsoft Outlook for Windows. It is triggered when Outlook retrieves and processes a specially crafted email whose reminder (for an overdue task or calendar event) points at an attacker-controlled UNC path; the connection is made before the user opens or previews the message, so no user interaction is required. The victim's machine authenticates to the attacker's SMB server and leaks its Net-NTLMv2 response (the challenge-response form of the NTLM password hash that Windows uses to authenticate users). The attacker can relay that response to other services (an NTLM relay attack) or crack it offline to recover the password.
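The leak described above only works if the victim can reach the attacker's SMB server, so the host-level mitigation Microsoft published alongside the patch is to stop outbound SMB to the internet. The following is an added example, not code from the ThreatLocker article: it creates a Windows Defender Firewall rule that blocks outbound TCP 445 to every range outside RFC 1918 space and then reads the rule back. It assumes your file servers live in private address space; the rule name and the range list are choices made for this example.

```powershell
# Added example (not from the ThreatLocker article). Blocks outbound SMB to
# non-private address ranges with Windows Defender Firewall, then verifies it.
# Assumption: internal SMB endpoints are in RFC 1918 space (10/8, 172.16/12,
# 192.168/16). Run from an elevated PowerShell session.
$RuleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'

# The complement of the RFC 1918 ranges, as start-end ranges. 224/4 and above
# (multicast/reserved) are left out because SMB cannot be used there anyway.
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 `
        -RemoteAddress $PublicRanges -Profile Any -Enabled True | Out-Null
}

# Read the rule back so the change can be confirmed in a change ticket.
$rule  = Get-NetFirewallRule -DisplayName $RuleName
$ports = $rule | Get-NetFirewallPortFilter
$addrs = $rule | Get-NetFirewallAddressFilter
'{0}: {1} {2}/{3} -> {4}' -f $rule.DisplayName, $rule.Action, $ports.Protocol,
    $ports.RemotePort, ($addrs.RemoteAddress -join ', ')

# Optional probe: a public host on 445 should now fail to connect.
# Test-NetConnection -ComputerName <public-ip> -Port 445 -WarningAction SilentlyContinue
```

Two caveats when using this. A firewall block rule cannot be overridden by an allow rule, so any public SMB endpoint you legitimately use (for example a cloud file share) has to be carved out of the ranges rather than added as an exception. The rule also does nothing against an attacker-controlled SMB server that is already inside the private ranges; Microsoft's advisory additionally recommends adding privileged accounts to the Protected Users group, which disables NTLM authentication for them.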
- Known Issue: Applications May Not be Able to Run as Admin when Updating from Agent Version 7.8.x
  3/16/2023: It has been reported that during the update from Agent Version 7.8.x to 7.9 or greater, applications may not be able to run as admin. The update installs a new ThreatLockerConsent file (the component used to elevate programs when using ThreatLocker elevation) and renames the old one. When an application is elevated, the service tries to access the mismatched version, which causes a validation error and prevents elevation of any kind, even regular Windows elevation.
- Microsoft Peer-to-Peer Updates
  For organizations which utilize Microsoft products: Microsoft has a default peer-to-peer update feature (Delivery Optimization) that allows an endpoint to download the needed update files from a different endpoint on the same network. By default, this peer traffic uses TCP port 7680. From the Microsoft Learn website: "No deployment package: Starting in version 1806, deploy software updates to devices without first downloading and distributing content to distribution points. This setting is beneficial when dealing with extremely large update content."
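Before writing a policy that permits or blocks port 7680, it helps to know how the endpoint is actually configured and whether anything is listening on that port. The block below is an added example, not part of the ThreatLocker article: it reads the Delivery Optimization download-mode policy value, checks the Delivery Optimization service, and reports the process that owns TCP 7680 if one is listening. The registry key and the DODownloadMode meanings are Microsoft's documented values; the function name is this example's own.

```powershell
# Added example (not from the ThreatLocker article). Reports how Delivery
# Optimization is configured and whether TCP 7680 is currently in use.
function Get-DeliveryOptimizationState {
    # Documented policy location and DODownloadMode values.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $modeNames = @{
        0   = 'HTTP only, no peering'
        1   = 'LAN peering (peers behind the same NAT)'
        2   = 'Group peering (same AD site, domain or group ID)'
        3   = 'Internet peering'
        99  = 'Simple (HTTP only, no Delivery Optimization cloud service)'
        100 = 'Bypass (BITS is used instead)'
    }

    $mode = (Get-ItemProperty -Path $policyKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
    $modeText = if ($null -eq $mode) { 'not set by policy (Windows default applies)' }
                else { '{0} ({1})' -f $mode, $modeNames[[int]$mode] }

    # DoSvc is the Delivery Optimization service.
    $svc = Get-Service -Name DoSvc -ErrorAction SilentlyContinue

    # Peer-to-peer transfers are only possible if something is listening on 7680.
    $listener = Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue
    $owner = if ($listener) {
        $p = Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue
        '{0} (PID {1})' -f $p.ProcessName, $listener[0].OwningProcess
    } else { 'nothing listening' }

    [pscustomobject]@{
        DownloadMode   = $modeText
        ServiceStatus  = if ($svc) { $svc.Status } else { 'DoSvc not present' }
        Port7680Owner  = $owner
    }
}

Get-DeliveryOptimizationState | Format-List
```

If the mode is 0, 99 or 100 the endpoint never serves peers and a 7680 policy is irrelevant; if it is 1 or 2 you should expect inbound and outbound 7680 traffic from other endpoints on the same network and permit it deliberately rather than as an exception discovered from audit noise.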
- Upcoming Scheduled Maintenance: February 11-12, 2023
  ThreatLocker has scheduled SQL maintenance to improve performance of the ThreatLocker Portal. Planned start: Saturday, February 11, 2023, 8:00 PM EST. Planned end: Sunday, February 12, 2023, 8:00 AM EST. Customer impact: customers may experience portal slowness and delayed approvals during the maintenance window, and changes to policies and applications will be slow or delayed. Computers will check in and take maintenance mode changes as usual.
- ThreatLocker Endpoint Security Quality Guarantee
  ThreatLocker guarantees that all its products go through stringent quality testing for both security and reliability. This document outlines the quality assurance (QA) process for the ThreatLocker Endpoint Security product. Its aim is to ensure that the product is developed and delivered to high quality standards and meets customer requirements. The QA process applies to all stages of development and delivery, including but not limited to product design, development, testing, deployment, and maintenance.
- Known Backup Issues with Tamper Protection on Agent Version 7.7.*
  1/17/2023: ThreatLocker has resolved this issue in Agent Version 7.8. 1/13/2023: The ThreatLocker Development team is working on a change within Tamper Protection to avoid needing the exclusions in the future. 1/9/2023: There has been a reported issue of backups failing because Tamper Protection restricts the backup software's access to ThreatLocker files. The backup software accesses the ThreatLocker files in a manner that Tamper Protection blocks.
- Eaglesoft and ThreatLocker Computers Not Checking In
  There have been reports of machines running the ThreatLocker agent not successfully checking in to the portal, with consecutive error logs (found in "log.txt") reading "StartupWorker The type initializer for 'System.Net.ServicePointManager' threw an exception." while Eaglesoft was running on the machine. This appears to be caused by known conflicts between Microsoft .NET and Eaglesoft that leave the "machine.config" file in the Microsoft.NET directory missing or corrupted; the ThreatLocker service needs that file to run successfully.
- Preventing the Exploitation of CVE-2022-30190 (Follina)
  CVE-2022-30190, otherwise known as Follina, is a vulnerability in Microsoft Office that, when exploited, allows arbitrary code to be executed on the target machine through the Microsoft Support Diagnostic Tool (MSDT). ThreatLocker can help protect your environment from this exploitation. First, we recommend you work with your Solutions Engineer to get your endpoints locked down and secured as quickly as possible. By default, every computer group includes Ringfenced Policies for powerful and commonly abused Windows tools such as CMD and PowerShell; these prevent the tools from communicating with the internet unless you have added exceptions or removed the internet Ringfencing.
- Applying Policies to Users or Active Directory Groups
  When creating policies, you can apply them to a limited set of users or Active Directory groups. When applying a policy to a specific user, consider the service accounts that might also be required. For example, if you want to permit iTunes for your CEO only, you can add their domain\CEOName to the Policy. However, iTunes also requires additional services that run under the SYSTEM account, so in this case you would also add the SYSTEM account to the Policy.
- Blocking and Permitting USB Drives
  Deciding what you want to lock down in your environment, and how, is a vital part of achieving good security, and the use of USB drives falls within that scope. Managing USB drives is an essential part of security because they are a potential channel for corporate data to leave (and for malware to enter). There are, of course, cases in which you need to authorize the use of specific USB drives.
- Changes to Adobe 6/8/2021
  Earlier today, Adobe released an update for Adobe Reader which included a brand new, unsigned file. This file, c:\program files (x86)\adobe\acrobat dc\acrobat\libeay32.dll, has never been part of Adobe before. Unfortunately, this delayed the incorporation of the file into our Built-In Application Definition, and we apologize for that. At 8 a.m. EDT ThreatLocker received an alert that there was an Adobe Reader update. It is unusual for Adobe to release a new file that does not carry their signature.
- Computer failing to update
  ThreatLocker uses the C:\Windows\Temp directory to stage files during an agent upgrade. This directory is shared by many applications and can fill up with other temporary files. Deleting the temp files from this directory and restarting the service should remedy any agents that are failing to upgrade. Note: this affects Agent versions 6.3 and earlier. Follow the steps below: Open Command Prompt and navigate to the C:\Windows\Temp directory
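The procedure above (clear C:\Windows\Temp, then restart the service) is easy to script for the machines that are stuck. The function below is an added example and not the article's own steps. It assumes the service name ThreatLockerService, which this knowledge base uses elsewhere, and it supports -WhatIf so you can preview which files would be deleted. Note that, as the uninstall article on this page states, the service cannot be stopped while Tamper Protection is enabled, so the restart step is expected to fail on such machines and the function says so instead of hiding the error.

```powershell
# Added example (not from the ThreatLocker article). Clears the temp directory
# the agent upgrade stages into and restarts the agent service. Run elevated.
function Repair-ThreatLockerUpgrade {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$TempPath    = "$env:SystemRoot\Temp",
        [string]$ServiceName = 'ThreatLockerService'   # assumed service name
    )

    # Fail early if the agent is not installed here at all.
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop

    # Remove whatever can be removed; files held open by other processes are
    # skipped and reported rather than aborting the whole run.
    $skipped = New-Object System.Collections.Generic.List[string]
    Get-ChildItem -LiteralPath $TempPath -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Remove')) {
            try   { Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop }
            catch { $skipped.Add($item.FullName) }
        }
    }

    # Tamper Protection prevents stopping the service; surface that clearly.
    $restarted = $false
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Restart service')) {
        try {
            Restart-Service -Name $ServiceName -Force -ErrorAction Stop
            $restarted = $true
        }
        catch {
            Write-Warning ("Could not restart {0}: {1}. If Tamper Protection is enabled, " +
                "use Restart Service from the Computers page in the portal instead.") -f $ServiceName, $_.Exception.Message
        }
    }

    [pscustomobject]@{
        Service        = $ServiceName
        StatusBefore   = $svc.Status
        StatusAfter    = (Get-Service -Name $ServiceName).Status
        Restarted      = $restarted
        SkippedInUse   = $skipped.Count
        SkippedPaths   = $skipped
    }
}

# Preview first, then run for real.
Repair-ThreatLockerUpgrade -WhatIf
Repair-ThreatLockerUpgrade | Format-List
```

Running it with -WhatIf first is worth the extra minute: C:\Windows\Temp is shared with every other product on the machine, and the list of what would be removed is a useful record if something else breaks afterwards.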
- Configuring with DUO Authentication
  Two-factor authentication with DUO: ThreatLocker can be integrated with two-factor authentication from DUO. When you first configure this DUO integration, ThreatLocker recommends keeping a separate browser open and logged into your ThreatLocker Portal, so that if the integration is configured incorrectly you can still edit the Integration settings or the Administrators page MFA settings.
- Create a Computer Group that does not learn
  Computer Groups that do not learn are useful for computers that you do not want to learn or profile automatically when in Learning Mode (e.g. restricted computers, or computers that will be left in Monitor Mode, whose activity you do not want to affect your environment). To create a computer group that does not learn: Select Computer Groups from the left navigation menu. Click New Computer Group.
- Creating a New Administrator
  Navigate to the Administrators page from the ThreatLocker menu. You have two options: Invite, or New Administrator. Invite (recommended): Select the Invite button at the top of the page. Input the email address of the administrator you wish to invite. Select 'Send Invitation' at the top of the page. The administrator will receive an email with a link to create their portal account. New Administrator: Select the 'New Administrator' button at the top of the page.
- Default Computer Group Policies
  ThreatLocker has provided default Policies to permit some common business Applications right out of the box. These default policies exist to make your onboarding process quicker and easier. Workstations Group Default Policies, Permit:
  - msdt.exe (Ringfenced)
  - WScript.exe (Ringfenced)
  - SpoolSv.exe (Ringfenced)
  - RingCentral Meetings (Ringfenced)
  - Zoom Video Communications, Inc. (Ringfenced)
  - Lifesize Video Conferencing Software (Ringfenced)
  - Cisco WebEx LLC (Ringfenced)
  - Blue Jeans (Ringfenced)
  - GoToMeeting (Ringfenced)
  - Microsoft Edge Chromium (Ringfenced)
  - Microsoft Office Installer (Ringfenced)
  - Microsoft Office (Ringfenced)
  - Chrome Updater (Built-In)
  - Google Chrome (Ringfenced)
  - Microsoft Onedrive (Built-In)
  - Windows Communication App (Built-In)
  - Windows Phone (Built-In)
  - Windows Defender (Ringfenced)
  - Internet Explorer (Ringfenced)
  - Windows Command Prompt (Ringfenced)
  - Curl (Ringfenced)
  - Powershell (Ringfenced)
  - RunDLL - Block Internet (Ringfenced)
  - CScript (Ringfenced)
  - Windows RegSVR32 (Ringfenced)
  - Windows Scheduled Tasks (Ringfenced)
  - WMI (Ringfenced)
  - Windows Core Files (Built-In)
  - Windows Update (Built-In)
  - Microsoft Windows HCL Publisher (Built-In)
  Deny:
- Deploying Policies
  ThreatLocker notifies you of Policy changes that have yet to take effect with a red "Click to Deploy Policies" button in the upper left-hand corner of the portal. This button must be selected for any Policy changes to apply. Global Policies are the exception and are covered below. Note: If you are in your initial Learning Mode, policies are automatically deployed to the endpoints according to the Learning settings (e.
- Diagnosing an Application with an issue
  Log into the ThreatLocker Portal. Navigate to the Unified Audit page. Change the Action dropdown to Any Deny and select Search; this displays everything currently being denied by ThreatLocker. Filter the results further by Username, Hostname, Filename, etc., to reduce the noise. Review the results and expand any row for more details. If you identify denied files that you want to permit, you can do so directly from here with either the Permit Application or Add to Application buttons.
- Email Parsing Rules in ConnectWise Manage
  Overview: This article covers the setup that allows ThreatLocker requests to be translated into tickets in your ConnectWise Manage instance. Setup:
  - Log into your ConnectWise Manage instance.
  - Navigate to System > Setup Tables.
  - Search for the table "Email Connector" and select it.
  - Select the email connector you wish to use.
  - Select the Add + icon at the bottom of the page for Parsing Rules.
  - Use "Custom" for "
- Event Log Error Key
  Note: Unless these errors are repeating, they raise no concern. Connections between the Agent and the API can be disrupted temporarily for a number of reasons; the Agent contacts the API every 60 seconds. This article covers the general Event Log errors seen during a network disconnect while ThreatLocker is installed. "Unable to update computersettings:https://api.threatlocker.com//The operation has timed out" indicates a network disconnect (failure to communicate with the API).
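Because the article's rule is "a single occurrence is noise, a run of them is a problem", the useful check is not whether the error appears but whether it clusters. The function below is an added example, not from the ThreatLocker article: it buckets API-timeout messages into fixed time windows and reports only windows that exceed a threshold. It works on Get-WinEvent output, or on any objects that carry TimeCreated and Message. The sample events are constructed for illustration and are not real agent or Event Log output; only the error text is the one quoted above.

```powershell
# Added example (not from the ThreatLocker article). Reports time windows in
# which the API-timeout error repeats, and ignores isolated occurrences.
function Get-RepeatingApiErrors {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with TimeCreated and Message
        [int]$WindowMinutes = 10,
        [int]$Threshold     = 3,
        [string]$Pattern    = 'api.threatlocker.com'
    )
    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks
    $buckets = @{}

    foreach ($e in ($Events | Where-Object { $_.Message -like "*$Pattern*" })) {
        # Bucket key = floor(timestamp / window length)
        $key = [long][math]::Floor($e.TimeCreated.Ticks / $windowTicks)
        if (-not $buckets.ContainsKey($key)) {
            $buckets[$key] = New-Object System.Collections.Generic.List[object]
        }
        $buckets[$key].Add($e)
    }

    foreach ($key in ($buckets.Keys | Sort-Object)) {
        $bucket = $buckets[$key]
        if ($bucket.Count -ge $Threshold) {
            [pscustomobject]@{
                WindowStart = [datetime]::new($key * $windowTicks)
                Count       = $bucket.Count
                Message     = $bucket[0].Message
            }
        }
    }
}

# Constructed sample events (not real log output). One isolated error at 09:00,
# then three within the 09:30-09:40 window, plus an unrelated event.
$base = Get-Date '2023-03-01 09:00:00'
$msg  = 'Unable to update computersettings:https://api.threatlocker.com//The operation has timed out'
$sample = @(
    [pscustomobject]@{ TimeCreated = $base;                Message = $msg }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(31); Message = $msg }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(32); Message = $msg }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(33); Message = $msg }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(34); Message = 'Unrelated application event' }
)
Get-RepeatingApiErrors -Events $sample | Format-Table -AutoSize   # one row: 09:30, Count 3

# Against the live Application log (provider names vary, so filter on message text):
# Get-RepeatingApiErrors -Events (Get-WinEvent -LogName Application -MaxEvents 5000)
```

With the defaults, the 09:00 event is dropped and only the 09:30 window is reported. Tune WindowMinutes and Threshold to the agent's 60-second check-in interval: three timeouts in ten minutes means the endpoint missed at least a quarter of its check-ins, which is the point at which a disconnect starts to delay policy and approval changes.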
- Excluded Processes
  ThreatLocker lets you specify processes that are excluded from monitoring. This should only be used in very specific circumstances. Nothing run by an excluded process is blocked or logged in the Unified Audit, and no ThreatLocker policies take effect on it. It is important to note that processes are excluded by the path you specify, not by hash: anything placed at that path inherits the exclusion, so the path (and its parent directory) must be writable only by administrators.
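Since the exclusion is keyed on the path and not the file's hash, the question to answer before excluding a process is who can write to that location. The function below is an added example, not from the ThreatLocker article: it lists Allow ACEs on the file and its directory that grant write, modify, delete or generic-write rights to any principal other than SYSTEM, Administrators and TrustedInstaller. Inherit-only ACEs (which apply to future children, not the object itself) are skipped. The two paths used at the end are illustration only.

```powershell
# Added example (not from the ThreatLocker article). Finds principals other
# than the built-in privileged ones that can alter an excluded process path.
function Test-ExcludedPathWritable {
    param([Parameter(Mandatory)] [string]$ProcessPath)

    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    # Specific rights that allow replacing or altering the object.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'
    # Generic rights as they appear in some ACEs: GENERIC_WRITE and GENERIC_ALL.
    $genericWrite = 0x40000000; $genericAll = 0x10000000

    $targets = @($ProcessPath, (Split-Path -Path $ProcessPath -Parent)) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    foreach ($target in $targets) {
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            # Inherit-only ACEs do not apply to this object itself.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

            $raw = [int]$ace.FileSystemRights
            $canWrite = (($raw -band $writeMask) -ne 0) -or
                        (($raw -band $genericWrite) -ne 0) -or
                        (($raw -band $genericAll) -ne 0)
            if (-not $canWrite) { continue }

            [pscustomobject]@{
                Target    = $target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Illustrative targets: a protected system binary should produce no rows,
# a path under the user profile should show the user as a writer.
Test-ExcludedPathWritable -ProcessPath "$env:SystemRoot\System32\notepad.exe"
Test-ExcludedPathWritable -ProcessPath "$env:TEMP\tool.exe" | Format-Table -AutoSize
```

Any row this returns is a principal who could swap in their own binary and run it completely unmonitored. If the location cannot be tightened, do not exclude the process; use a normal permit policy with a hash or certificate match instead.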
- Getting your Unique Identifier from ThreatLocker
  The Unique Identifier for your organization can be found on two pages in the ThreatLocker Portal: the Computers page and the Deployment Center. Retrieving your Unique Identifier from the Deployment Center page: Log into the ThreatLocker Portal. Navigate to the Deployment Center in the left menu. Select the expand arrow next to Deploy Agents. Your Unique Identifier is found under the RMM and Script Deployment section.
- Hermetic Wiper: ThreatLocker Recommended Policy
  In light of recent events, a new malware strain, Hermetic Wiper, has been identified. It is important to recognize that this malware does not encrypt; it is destructive malware that corrupts hard drives. ThreatLocker has identified the file hashes for this malware and made them into a Built-In application. Devices in a secure state will automatically block this file from executing, as they would any other file that is not covered by an application and a permit policy.
- Hiding the ThreatLocker tray icon
  Overview: This article covers how to hide the tray icon in ThreatLocker version 5.30 and newer. Hiding the tray: Log into the ThreatLocker Portal. Navigate to Organizations from the left menu. Select the organization you would like to hide the tray for. Go to the Branding tab. Add (hide) to the Tray Icon section. Save the change. The tray icon will be hidden once the user logs out and back in.
- Issue with RMM Deployment
  NOTE: If you believe you have been affected by this, please contact a Cyber Hero. We received reports that computers were installed into the wrong child account when pushed using an RMM. An issue was identified that affected the deployment of some customers using certain RMM scripts: the affected scripts incorrectly placed the computers into the wrong child account under the MSP. The cause was an incorrect cache on the API used by the RMM script, and it has now been fully resolved.
- Log4J Vulnerability
  Updated: Friday, December 17, 2021. ThreatLocker has created a custom report that you can run to check whether your Applications contain any of the vulnerable Log4j files. Please note: having any of these Log4j files does not automatically mean they are exploitable; to be exploited, an attacker would need to be able to reach the vulnerable Application. Running the ThreatLocker report that scans for Applications containing the vulnerable Log4j files: From the ThreatLocker Portal, navigate to the Reports page.
- Managing Application Definitions
  Application Definitions are sets of file hashes, certificates or other rules that define which files are required for an Application to run. There are two types of Application Definitions. Built-In Application Definitions are created by ThreatLocker and contain all of the files required to run an Application; for example, Slack (Built-In) contains all of the hashes required to run the Slack Desktop Application. When you use Built-In Definitions, ThreatLocker automatically updates them as vendors release new builds.
- Managing Application Policies
  ThreatLocker Application Control Policies give you the power to control what software can execute, and what that software can do, on your endpoints. When you first deploy ThreatLocker, Policies may be created automatically under a specific computer group or individual computers; you can configure how Policies are automatically created on the Computer Group settings page. You can create, edit, or modify Policies to suit your needs. Policies are evaluated like firewall rules, in order from top to bottom.
- Merging Application Definitions
  Merging application definitions transfers the definition of one application into another. To demonstrate this process, we have two different custom applications for Notepad++. Although not always the case, such definitions should usually be combined into one application for both simplicity and efficiency. This article demonstrates how to merge two applications together. How to merge: First, select the checkbox next to the applications you want to merge into one.
- Notifications for Requests
  When an application is blocked in ThreatLocker, the user has the option to request permission from an administrator. Once the user clicks the 'Request Access' button, the request window appears. Here the user can enter a message to accompany the request and their email address so they can be notified when the request is processed. By default, a copy of the file they are requesting is attached unless they deselect the checkbox next to 'Attach a copy of the file with the request'.
- Permitting All Signed Files in a Directory
  This article covers the steps required to permit all the files in a single directory that are signed by a particular vendor. Log into the ThreatLocker Portal. Navigate to the Unified Audit. Use the search criteria to locate the directory. Expand the row and select Add to Application. Use the top dropdown to select the Application. Clear the Hash and Process Path fields. Replace everything after the desired directory with a * in the Path field. Keep the certificate as a match condition: a wildcard path on its own permits anything a user can drop into that directory.
- Permitting Blocked Files
  From the ThreatLocker Portal Approval Center: Navigate to the Approval Center to view requests. Selecting the View icon opens the Application Request dialog box, which has four main sections. Information about the file being permitted: here you see the requested file, details about the file, and the user and host that requested it. There is also a hyperlink to virustotal.com, where you can see whether any of the major antivirus engines have flagged the file as potentially malicious, based on the SHA-256 hash of the file.
- Permitting Software from the Approval Center
  The Approval Center provides a single location from which admins can permit blocked and requested files, allow access to storage drives, and grant elevation for programs that need administrative privileges. To access the Approval Center, manage either your parent organization or one of your client organizations and select it from the left-hand menu. Viewing this page from a particular client shows only that client's active requests.
- Permitting Software From the Computers Page
  Installation Mode is used for installing new software that has no pre-defined definition, or for which you have not yet created a definition. It temporarily disables file blocking and allows you to install the software, while ThreatLocker catalogs all installed files that would otherwise have hit the default-deny policy. You can enable Installation Mode from the Computers page: select 'Installation' in the quick dropdown menu next to the computer whose status you are changing.
- Preventing BCDEdit From Being Weaponized
  May 6, 2022. ThreatLocker strives to keep our partners informed about potential weaknesses in their environments and to create Built-In Policies that help mitigate them. The above email was sent in response to ThreatLocker observing increased use of the BCDEdit tool across our customer base. The tool was called from various management and remote access tools and, in some cases, was used to reboot computers into safe mode. ThreatLocker does not believe a zero-day vulnerability in any tool has led to this increase in attacks.
- Preventing Bitlocker from being Weaponized
  Bitlocker can be used to encrypt your drives from PowerShell, leaving you unable to access them after a reboot. Stop PowerShell from interacting with the Bitlocker Application: through our Suggested Policies, you can prevent PowerShell from calling the Bitlocker Application. Navigate to Application Control > Policies. Select the desired level from the Applies To dropdown menu at the top right. Select the 'Add Suggested Policies' button.
- Remote Presence
  Using Storage Control policies, you can prevent access to your shares by any computer not running ThreatLocker. You need to create two basic policies on your server: one that denies remote access to your file shares from all remote computers, and one that permits remote access only from remote computers running ThreatLocker. ThreatLocker uses a Microsoft call to verify that the ThreatLockerService is running on the connecting computer. These policies protect your files from the server side, allowing only computers running ThreatLocker to access the shares you specify.
- Response to Reports of Webroot Compromised File
  We have received a number of concerns from clients about potentially malicious software being distributed inside the wrsa.exe (Webroot) service. The concern appears to have originated from an email from another security vendor, who claimed that Webroot was pushing out malicious software in a manner similar to SolarWinds, based on JoeSandbox.com reporting the wrsa.exe file as malicious. The recommendation from that vendor was to permit the service only by hash and not by certificate.
- Restarting the ThreatLocker Agent
  Overview: This article covers the steps required to restart the ThreatLocker Agent on a computer. This is most commonly used to force the Agent to update to the latest version. Restarting the ThreatLocker Agent: Log into the ThreatLocker Portal. Navigate to the Computers page using the left menu. Check the checkbox next to the desired computer, then select Restart Service > Restart Selected to restart the service on only the selected computers.
- Setting the ThreatLocker Agent Update Channel
  The ThreatLocker Update Channel can be set per computer group. It determines how quickly the group's ThreatLocker version is updated automatically. To alter your settings, navigate to the Computer Groups page. Select the group or groups you want to change and select "Change Update Channel" at the top of the page. Then select the desired channel from the dropdown and select the Update button.
- Setting Up SMS Alerts for ThreatLocker Requests
  Overview: You can configure any Deny Policy with the request option to notify you via SMS when a user requests permission for an item blocked by that Policy. Add your mobile number to the notifications for the Policy you wish to be alerted on; many people set this on their Default Policy. Configuration: Log into the ThreatLocker Portal and navigate to Application Control > Policies under the Organization you want to receive alerts for.
- Setting up the Active Directory Sync Service
  Note: This requires .NET 4.7.2 or newer. Overview: This article covers the steps required to set up the ThreatLocker Active Directory Sync tool, which syncs your Active Directory groups so you can select them when creating or editing policies in ThreatLocker. Permitting the service: Before installing the service, create a policy that permits the "ThreatLocker AD Sync Service (Built-In)" application for the computer you are installing it on.
- ThreatLocker Agent Tray Revamped
  We are very excited to announce the release of ThreatLocker 5.29. The new build brings a lot of exciting new features, and we are inviting our partners to test it in non-critical environments. The more people we onboard for testing, the better we can prepare for compatibility with your other products. New and improved ThreatLocker tray: you can now see all blocked items in the tray, whether they are hidden or not, by right-clicking the ThreatLocker tray icon and clicking Blocked Items.
- ThreatLocker Application Control Agent Data Collection
  When using the ThreatLocker Application Control agent, certain information is collected to provide the services. ThreatLocker does not share information collected by the agent with third parties. This document outlines the information collected by the ThreatLocker Application Control agent:
  - Computer hostname
  - Public IP address of the computer
  - The date and time the agent connected to the ThreatLocker data centers
  - Logged-in username of the computer, including the domain name (e.
- ThreatLocker Override Codes
  On ThreatLocker versions 7.6 and above, override codes allow you to disable Application Control and Tamper Protection blocking on a computer that has no access to the internet or the ThreatLocker Data Centers. Machines on version 7.6 and newer have override codes by default. Admins can run the report "Override Codes (Agent 7.6 or above)" to see the unique override code linked to each hostname. These codes are regenerated automatically every day, per computer installed in the portal.
- ThreatLocker Popup is not happening when something is blocked
  If the ThreatLocker popup does not display when an item is blocked, there could be a number of reasons; this document goes through them. The ThreatLocker tray is not started: ThreatLocker uses a tray application to notify the user when something is blocked. The tray application starts automatically when the user logs in. If you have just installed ThreatLocker using an RMM or the MSI installer, the tray will not start until the user has logged out and back in.
- ThreatLocker Portal Performance
  Over the last two weeks, we have received a number of complaints about performance issues. The issues do not appear to affect every customer but are significant for those affected. ThreatLocker has grown substantially over the past three months, which contributes to some of the slowdown but should not by itself cause significant performance issues. The reported cases do not share a single cause.
- ThreatLocker Stub Installer
  ThreatLocker recommends using the Stub Installer over the MSI Installer whenever possible. It installs the most up-to-date version of ThreatLocker assigned to your account, and it includes a Health Service that can repair potential problems and keep the ThreatLocker Service running. Locating the Stub Installer: navigate to the Computers page and click 'Install New Computer', accept the EULA, and the RMM and Script Deployment window will open containing the Stub Installers for your organization's computer groups.
- Trusting an Application by a Certificate
  You can permit applications by their certificate, in combination with path, hash or process. To permit using a certificate from the Audit: Search for the file in the Unified Audit. Expand the item you wish to permit. Click Add to Application. Select the Application Name from the dropdown list. Clear the boxes you do not want to match. Select the certificate from the certificate dropdown list and click the Add button.
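Both the directory-wildcard procedure and the certificate procedure above end with choosing a signer, so it pays to inventory what is actually signed under the target directory before writing either rule. The block below is an added example and not the ThreatLocker article's own steps: it walks a directory, records each executable's signer subject, thumbprint and Authenticode status, and summarises them so that a second signer or an unsigned file stands out before you commit to a path-plus-certificate match. The Notepad++ path is an assumption for illustration (it is the application the merging article on this page uses as its example).

```powershell
# Added example (not from the ThreatLocker article). Inventories Authenticode
# signers under a directory so a path+certificate rule can be written against
# the signer that is really present, and unsigned or tampered files are visible.
function Get-DirectorySigners {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string[]]$Extensions = @('.exe', '.dll', '.sys', '.msi', '.ps1')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
                # Valid, NotSigned, HashMismatch (file altered after signing), NotTrusted, ...
                Status     = $sig.Status
                File       = $_.FullName
            }
        }
}

$report = Get-DirectorySigners -Path "$env:ProgramFiles\Notepad++"   # example path only

# One line per (signer, status) pair: the rule should name exactly one Valid signer.
$report | Group-Object Signer, Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Anything that is not Valid is a reason not to rely on the path alone.
$report | Where-Object Status -ne 'Valid' | Select-Object Status, File | Format-Table -AutoSize
```

A HashMismatch result is the one to stop on: the file carries a signature but its contents no longer match it, which is exactly the case a hash-only or path-only rule would let through and a certificate match would deny.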
- Uninstalling the ThreatLocker Agent
  **Uninstalling ThreatLocker is not a solution to issues, and it can make them harder to diagnose. If you are experiencing issues, please contact the Cyber Heroes.** Temporarily disable ThreatLocker: if you are removing ThreatLocker only to verify that it is not responsible for an application not functioning, you can instead stop the ThreatLocker Service temporarily. ThreatLocker cannot be uninstalled or stopped while Tamper Protection is enabled.
- Updating the ThreatLocker Version on a Single Computer
  You can update the ThreatLocker version running on a single computer. This lets you test a newer version of ThreatLocker before updating your entire organization. Navigate to the Computers page, where you will see a column entitled 'Client Version'. By default, the setting is 'Inherit From Group', which means the version is controlled by the settings of the computer group.
- Updating ThreatLocker to the Latest Version
  The ThreatLocker agent can be upgraded per group of computers from the Computer Groups page. Select the group or groups you want to update and click the Update ThreatLocker Version button at the top of the page. Then select the desired version from the dropdown and click the Update button. Updating your clients' ThreatLocker versions: this can be done with the same method while managing each customer.
- User Permissions
  After an administrator has been invited and their account created, you can set specific permissions for them. By default, the new administrator has no permissions assigned. To edit these privileges, navigate to the Administrators page. Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, the appropriate directions are further down in the article.
- Using Learning Mode to Track Installed Files from an RMM or Software Deployment Tool
  If you want to deploy a custom application that has multiple DLLs, executables, or dependencies, and that application has not already been permitted in ThreatLocker (through a Built-In policy or a previous custom policy), you can use Learning Mode to track all of the files required to run the new application. Learning Mode can be started in a few different ways; if you are pushing software out through a remote management or software deployment tool, it is easiest to start Learning Mode from the Computers page.
- Using the Console App to Verify the ThreatLocker Mac Agent is Running
  Click the Console App icon at the bottom of the screen to open the Console App. Click 'Start streaming' inside the Console window. Enter 'threatlocker' into the search bar to verify that the ThreatLocker app is running. You can also navigate to the Computers page in the ThreatLocker Portal and verify that the Mac is visible there.
- Using the ThreatLocker Unified Audit
  The ThreatLocker Unified Audit is the central location where all audited information is displayed. When using ThreatLocker Application Control, information about executables, scripts, and libraries is recorded in near real time. This information is searchable in the Unified Audit, including: all executables, libraries, and script files cataloged on your devices during the initial baseline (excluding Windows Core Files); and all executables, libraries, and script files executed in your environment, plus files installed since the ThreatLocker agent was installed.
- Using ThreatLocker to Mitigate CVE-2021-40444
  ThreatLocker is currently testing exploitation of the CVE-2021-40444 vulnerability. It allows an attacker to launch the Internet Explorer (MSHTML) rendering engine from Microsoft Office and run a malicious ActiveX control (.ocx file). The malicious documents taking advantage of this exploit attempt to download and run an executable. As long as your device is secured with a default-deny policy, ThreatLocker will not allow the malicious executable to run.
-
Why is an application that matches a Built-In Application being blocked?
ThreatLocker creates pre-defined definitions of Applications that include a list of files that are required to run those Applications. When those Applications update, ThreatLocker monitors them and adds the new files into the definition. When your computer is initially profiled, we will try to match existing installed Applications to known Built-In Definitions. If we can add them, we will automatically create a Policy for that Application.
-
Windows 11 Upgrade and ThreatLocker
During the upgrade process to Windows 11, Windows can remove some security programs, and we have seen instances where this has included ThreatLocker. This process results in the computer being left without the ThreatLockerService. It deletes the ThreatLockerService, but the ThreatLockerDriver, all files, and settings remain intact. The Health Service will also remain intact and will automatically resolve this within 30 seconds. The Health Service will be called HealthTLService in your Services list.
-
ThreatLocker Security and Privacy
ThreatLocker is committed to data security and privacy. When using ThreatLocker's products and services, ThreatLocker may collect information necessary to provide the services. ThreatLocker ensures that all information and configurations are protected using the best standards in the industry. ThreatLocker implements controls and procedures in line with the following standards: CMMC Level 4/5; NIST 800-171 (required for DFARS 252.204-7012); CIS Controls V7; ISO 27001/2; HIPAA. Our security controls and practices are audited at least once per year by an independent auditor certified by AICPA, and a SOC 2 Type II report is issued.
-
Trial Expiry
ThreatLocker trials by default are 14 days long. While you are on trial, at the top of every page in the ThreatLocker Portal, there will be a banner containing a trial countdown that informs you of the date that your trial will be ending. Click this banner to be taken directly to your quote. Once the quote is signed, you will no longer be on trial, and the countdown will be removed from the ThreatLocker Portal.
-
The ThreatLocker Testing Environment
When processing Approval Requests, administrators can leverage ThreatLocker's VDI environment when using Installation Mode. This enables the admin to install the new application in a clean sandbox environment; the file is then evaluated by the ThreatLocker Risk Center, and the findings are visible to the administrator. The Risk Center performs the following evaluations on the application being installed: checks the application in VirusTotal to see if any AV vendors have flagged it as malicious or suspicious.
-
Allowing ThreatLockerService to Retrieve your AD Groups
In order for the ThreatLockerService to be able to retrieve your Active Directory groups, the Domain Computers must be a member of the Windows Authorization Access Group. Steps for allowing ThreatLockerService to retrieve your AD groups: Navigate to Active Directory Users and Computers. Under your domain controller, click on the Builtin folder. Toward the bottom of the folder, right-click the "Windows Authorization Access Group" security group and click Properties.
-
Known Issue: DNS Caching on Versions 7.0-7.6.2
Summary: When ThreatLocker introduced Network Access Control (NAC) as a product for ThreatLocker versions 7.0 and newer, processing was added to the driver and service to monitor network traffic passively to allow the new product to be enabled and used at the partner's discretion. In some situations, we have isolated reports of machines (typically servers) with large amounts of DNS entries that would potentially flood the caching tables and interrupt network traffic.
-
Customer Deal Registration
A Customer Deal Registration is when a ThreatLocker Partner provides identification information (the domain) of a client/prospect in order to remain the selling entity, barring the client/prospect from going around the partner to buy directly from ThreatLocker. How does it protect ThreatLocker Partners? If the provided client/prospect domain attempts to purchase directly from ThreatLocker, the client/prospect will be directed back to the registered partner for up to six months.
-
ThreatLocker Mitigation and GoAnywhere MFT Zero-Day Exploit
Note: This article is based on documentation from Bleeping Computer. Source: https://www.bleepingcomputer.com/news/security/goanywhere-mft-zero-day-vulnerability-lets-hackers-breach-servers/ What is the GoAnywhere MFT Zero-Day Exploit? GoAnywhere MFT is a secure web file transfer solution that allows companies to transfer encrypted files with their partners while keeping detailed audit logs of who accessed the files. A zero-day remote code injection exploit was identified in GoAnywhere MFT, according to Bleeping Computer. ThreatLocker Mitigation: Firstly, DO NOT permit the application through our Allowlisting solution.
-
Known Issue: Some ActiveX .ocx Files Not Recognized as Executing Pre 7.9
Pre 7.9, an issue was identified with the detection and execution of .ocx files. Some .ocx files were not being detected by Microsoft Windows as executing, and thus ThreatLocker was unable to secure those files or log the activity within the Unified Audit. The ThreatLocker Solution: As a solution, ThreatLocker will now log all .ocx files as executables rather than read-only. This prevents .ocx files from running without being tracked or secured within the ThreatLocker platform.
-
Known Issue: Driver Not Restarting on Versions 7.0-7.4
A trending issue is known for ThreatLocker versions 7.0 to 7.4 where a service restart that is sent from the ThreatLocker Portal via the Computers page does not successfully stop the driver, leaving it in a pending or suspended state. This will also cause the service to not check in to the portal, making the computer appear offline despite the service running. The current workaround for this issue is a system restart, and it is recommended to be done as soon as possible to correct functionality in our service.
-
Preventing the Exploitation of CVE-2023-2033
For more information regarding CVE-2023-2033, please see: A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution (cisecurity.org) What is CVE-2023-2033? CVE-2023-2033 is a remote code execution vulnerability in Google Chrome that impacts versions prior to 112.0.5615.121. This can be triggered by visiting a malicious website. ThreatLocker Recommendations: Google has released an emergency, out-of-band update to address this actively exploited zero-day vulnerability. The most up-to-date patch should be applied as soon as possible.
-
Rubber Ducky Data Exfiltration | Google Bucket
1. Log in to your Google Cloud console to create a Google Cloud bucket. Select Cloud Storage > Buckets. 2. Once in the Buckets section: select Create, name your bucket (the name must be unique), accept the default settings, and select Create. Make sure to uncheck "Enforce public access prevention on this bucket", as this bucket needs to be public facing for the ingress of data to work.
-
Preventing the Exploitation of MOVEit Vulnerability (CVE-2023-34362)
What is the MOVEit Vulnerability (CVE-2023-34362)? The MOVEit Vulnerability (CVE-2023-34362) is a SQL injection vulnerability that has been found in the MOVEit Transfer web application. It could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Common Mitigations: Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications. Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices such as firewalls and routers.
-
Proxy Benefits and Dangers
Overview: ThreatLocker recommends that clients use our Knowledge Base article, Allowing ThreatLocker through your Firewall | ThreatLocker Help Center (kb.help), to open up the firewall to our IP addresses. In the event that a client would prefer an alternative, ThreatLocker has an available proxy. The ThreatLocker Proxy allows organizations to dedicate a single computer to proxy all endpoint connections to the ThreatLocker Cloud. Benefits and Dangers: A proxy has its benefits over a completely isolated system.
-
Changes to Elevation in ThreatLocker Version 8.1
Before ThreatLocker Agent 8.1, when elevating a user to be able to edit the IP address in Network Settings, the user would be allowed to change the IP address, but also allowed to change other information such as the hostname. Improvements to ThreatLocker Agent 8.1 allow administrators to customize and limit permissions to specific settings. The new options added include: ArgumentsForExecution - if set, will build out command line arguments for executions.
-
Changes to the User Account Control (UAC) Prompt in ThreatLocker Version 8.1
ThreatLocker Version 8.1 introduces a new prompt to replace the Windows UAC prompt, allowing the user to request elevation.
-
Browser Extensions Affecting the ThreatLocker Testing Environment
Some web browser extensions can affect how the ThreatLocker Testing Environment operates. In scenarios where a browser extension is impacting the performance of the ThreatLocker Testing Environment, the recommendation is to add an exclusion for ThreatLocker or to disable/turn off the extension. This article will address known issues with identified extensions and include the steps to take to resolve the issue. Dark Reader: The ThreatLocker Testing Environment will appear as a black screen when using the Chromium extension Dark Reader.
-
Known Issue: Simulated Denies Not Showing When Network Control is Enabled Without Policies
There has been a reported issue regarding Network Control on ThreatLocker Version 8.1. If an organization has enabled Network Control but has not created any Network Control policies, then administrators will not see any simulated denies.
-
Known Issue: PowerShell Will Not Open When the Option MonitorPowerShell is Enabled
There has been a reported issue regarding the option MonitorPowerShell on ThreatLocker Version 8.2. If you have the MonitorPowerShell option enabled, it will cause an issue where PowerShell will not open.