-
Understanding and Changing the Module Options on the Organizations Page
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article. From the Organizations Page, there are dropdown menus called 'Modules' (formerly Product) on the right side of the page, with check box options. When closed they say 'X items checked'. These dropdown menus list all of the available ThreatLocker modules, which can be combined to customize your coverage.
-
Options Tab: Choices and Descriptions: for the Computers Page, the Computer Groups Page, and the Entire Organization Page
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article. There are options which offer granular control over your users and machines, and which can be located in the Options Tab within the Computer, Computer Groups or Entire Organization Pages. The options below are linked to the version of ThreatLocker software your system is running.
-
Changes in the Approval Center - Removing the Option to Create a Rule by Hash
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article. The ThreatLocker Portal: ThreatLocker has removed the option to create a rule by hash in the Approval Center. Custom rules protect your flow of business by allowing for future updates. A hash, however, will be static.
-
Help Desk Has a New Location
Portal Help Desk Location: To access Help Desk, click on the Help button towards the top-right of the screen within the ThreatLocker Portal to open the Help Menu. Within this menu, you will see 5 options: Chat with a Cyber Hero: Starts a new chat or submits an offline Help Desk ticket. ThreatLocker University: Opens ThreatLocker University in a new window. Knowledge Base: Opens ThreatLocker's Knowledge Base in a new tab.
-
How to Use Multiple Parameters in a Single Search Field in the Unified Audit
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find directions for using multiple parameters in a single search field in the Unified Audit by scrolling down in the article. Ways to Search the Unified Audit within the ThreatLocker Portal: There are many ways to search the Unified Audit. Combining two or more fields in the search request will reduce the number of query returns.
-
Approval Center – Revamped
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article. The Approval Center allows you to view requests sent in from your end users for Application Control access, Elevation, and Storage Control access. The hostname and storage device where each request originated are listed, along with the requested action type (Read/Write for Storage Control, Execute for Application Control, or Elevate for Elevation).
-
Creating a New Organization
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article. To create a new organization, navigate to the Organizations Page and select the '+ New Organization' button towards the top left of the screen. The 'Create New Organization' panel will populate. Here, you can configure the details and settings for your new organization to meet your needs.
-
Creating Tags
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article. Tags are collections of items that can be applied to Network Control policies and Application Control policies with Network Ringfencing. They can contain strings, with or without wildcards, IPv4 addresses or IPv6 addresses. Tags allow for efficient, centralized management of allowed network domains and IP addresses.
-
Disable Tamper Protection
Overview: Tamper Protection is a system which prevents malicious actors, end users, and other security software from attempting to modify, stop, or delete ThreatLocker files and services. Offboarding or troubleshooting may require Tamper Protection to be disabled temporarily. Disabling Tamper Protection for a Single Computer: Navigate to the Computers page in the ThreatLocker Portal. Click on a computer name to open the 'View/Edit Computer' side panel. Navigate to the Maintenance tab. Select 'Disable Tamper Protection' from the 'Maintenance Type' dropdown. Start the maintenance mode with the 'Schedule Maintenance' button at the bottom of the side panel.
-
Email on Policy Match
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article. Be aware of the scope of policies you apply this to. Setting this up on a Workstations Default Deny policy or a directory-wide storage policy may lead to a large amount of unwanted emails. Storage and Application Control policies can be configured to notify administrators via email whenever a policy is matched.
-
Guide to Using the Reports Page
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article. ThreatLocker provides reports to help clients view relevant data in an easy and usable form. If a report does not currently exist which presents the desired data, or if you would like to schedule daily/weekly automated delivery of a report, please contact the Cyber Heroes.
-
Help Desk
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find directions for creating a new support ticket by scrolling down in the article. For more information about the Help Desk, visit our ThreatLocker University course, Help Desk. Creating a New Ticket in the ThreatLocker Portal: Click on the 'Help' button located towards the top-right of the page and select 'Help Desk' from the drop-down menu.
-
Login Settings
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article. The Login Settings Page provides a central location to manage where and how your administrators are able to access the ThreatLocker Portal. Here, you can set organization-wide restrictions on which countries or IP addresses your users can log in from, restrict MFA options, allow SSO, and override the MFA restrictions for specific users.
-
Navigating the Administrators Page
The "Administrators" tab is located in the menu under the ThreatLocker logo on the left-hand side of the portal. After you've chosen your organization and managed it, the Administrators tab will populate any and all relevant admins for your organization. This guide will talk about the different buttons found on this part of the portal. New Administrator: This button is used for creating a new administrator for your organization.
-
OTC Authentication
OTC (one-time-code) authentication enables you to use the authentication application of your choice for 2-Factor Authentication. Navigate to the Administrators page. Select the 'Edit' button next to the user you would like to enable OTC for. In the popup window, scroll to the 2-Factor Authentication section. From the dropdown menu, select OTC. A QR Code will appear below the dropdown menu. Scan this QR Code with the authentication application of your choice.
-
Passwordless Authentication
This feature has currently been released for public Beta testing. Passwordless Authentication allows you to enable 2-factor authentication without using an authentication application. Once configured, an automated phone call will be made to the phone number you have set up. You will be required to answer the phone and input your preconfigured 4-8 digit PIN number into the telephone's keypad before being logged into the ThreatLocker Portal.
-
System Audit Page
The System Audit Page is where the activity in your ThreatLocker organization is logged. Navigate to Security Center > System Audit. You can view this System Audit per organization, or you can view all your organizations' activity by selecting 'Show audit for all child organizations' in the parent organization's System Audit. Search Filters: Much like the Unified Audit page, there are multiple filters you can apply when searching this audit to refine your search results.
-
How to Enable O365 SSO
O365 SSO can only be enabled and set up by a ThreatLocker super-admin. To enable SSO on existing administrator accounts, you will need to have a password reset email sent by the Cyber Heroes. ThreatLocker does not recommend using SSO for your ThreatLocker Account because SSO relies on the security of a 3rd party and that security is out of ThreatLocker's control. Currently, O365 SSO requires the settings in Azure to be configured to 'Allow user consent for apps'.
-
Advanced Maintenance Schedules
By utilizing advanced maintenance modes, you will have the opportunity to schedule maintenance modes as well as customize the modes to fit your needs. From the Computers page, select 'Advanced' from the quick dropdown menu OR select the 'Maintenance Mode' button next to the computer you wish to enable an advanced maintenance period on. Both options will open the 'Maintenance Schedule' window. In the top left, select the desired maintenance type from the 'Maintenance Type' dropdown menu.
-
Tray Redirect URL
The Tray Redirect URL for a policy can be added and/or modified from the policy popup.
-
Storage Policy & Elevation Tray Notifications
The Storage Policy Tray Notification and Window appearances can be modified and saved to a Deny Request Storage Policy. The Elevation Tray content can be edited and successfully saved to a Computer Group. By adding a * into the Optional Reason or Optional Email (e.g. Please include your work email.*), the user will be required to add a message and/or an email address.
-
Modify Storage Request Options & Policy Names
Storage Request policy names and options can be modified directly from a request/approval. Available options include: What paths should this apply to? (Apply to all file paths; Apply to selected file path.) What type of interface should this apply to? (All Interfaces; Select an interface.) Should this policy apply only to encrypted devices? (Apply to both encrypted and not encrypted devices; Only encrypted devices; Only not encrypted devices.)
-
Deleting Applications/Storage Devices applied to policies
When deleting an Application or Storage Device with applied policies, the user will be prompted with a list of affected applications on the Applications page and storage devices on the Storage Devices page. A confirmation dialogue is displayed alerting the user that applied policies will be deleted as well.
-
Post Request URL
You can customize the text which appears on requests to access a storage device or run a new program. This can be done by clicking the pencil edit icon next to any policy with the actions deny and request. Additionally, you may specify a Redirect URL and replace any valid parameters preceded and followed by "%%" with the corresponding value. Valid parameters include: %%hostname%% %%filename%% %%approvalrequestid%% %%requestoremailaddress%% %%username%% - (requires ThreatLocker Agent Version 8.
-
Realtime Action Log
The Realtime Action Log will show you everything that is happening on your computer in realtime. This display can be viewed by right clicking on the ThreatLocker tray icon and then selecting "Realtime Action Log".
-
ActiveX Control Files (.ocx)
To increase security on devices using ThreatLocker, we have changed .ocx files to be processed as executable files rather than read-only files. This is similar to the approach we took with .ps1 and .bat files in order to prevent rogue scripts from executing on your endpoints. As a result of this change, you may see blocks for applications using .ocx files. If after the ThreatLocker update you find that you have denied .
-
Permitted Applications
The Permitted Applications page allows users to view all permitted applications in the environment along with the policies associated with those applications. Navigating to the Permitted Applications Page: To navigate to the Permitted Applications Page, expand the Application Control menu on the left-hand side and click on 'Permitted Applications'. Understanding the Permitted Applications Page: This page will show you a list of permitted applications for the environment under the Application Name column.
-
Configuration Manager
Configuration Manager is a place to quickly design policies that help mitigate the most common threat vectors. This article includes information on how to: Create Config Manager Policies from scratch or from the Suggested Policies button. To open Configuration Manager (aka Config Manager), navigate to the left side main menu, under the Modules drop-down menu. Add a Suggested Policy: To add a suggested policy, click the 'Add Suggested Policy' button.
-
Newly Created Computer Groups Learn Computer Level Policies
The Portal Release on 5/1/2023 included a change to how newly created computer groups learn applications and policies from previously installed endpoints. Newly created computer groups will learn Computer Level policies, rather than Group Level policies. This change was implemented to reduce the chances of copying unneeded or unused policies into a new computer group. While the "Learn at Group Level" option is still available, this setting will not carry over to child organizations, even if selected on the template group within the parent organization.
-
How to Use a Template Organization
You can create a template organization under your parent organization to easily duplicate modules, policies, and options when creating a new child organization. Begin by navigating to the Organizations page. Select the ‘+ Organization’ button at the top of the page. Name your new Template Organization ‘Template’ and enter 'Template' in the Identifier area as well. Then, select your Time Zone and navigate to the Options tab.
-
Isolate/Lockout Selected Computer(s)
Administrators are able to use Isolate, Lockout, and Screen Lock options from the Computers page within the ThreatLocker Portal. This feature requires ThreatLocker Agent Version 8.1 or greater. How to Isolate or Lock a Selected Computer: Navigate to the Computers page and select the desired computer(s). Click the 'Isolate/Lockout' button. Select the desired effect: Isolate Computer: The selected computer or computers will be isolated from all network traffic outside of the ThreatLocker API.
-
Setting a Default Time Period for Elevation
Users can set a default time period for Elevation requests that come through the Approval Center. To set the default time period, navigate to the Organizations page. Then, select the organization you would like to edit to open the 'Update Organization' panel. Under the 'Settings' section, expand the 'Elevation Time Frame' dropdown menu to select the desired default time period. Once you have chosen your desired time frame, click 'Update Organization' to save your changes.
-
Excluding Specific Processes from Logging in the Unified Audit
Overview: ThreatLocker provides the ability to specify certain processes that will be excluded from monitoring by ThreatLocker. Nothing will be blocked or logged in the Unified Audit if it is being run by the process set to be excluded. No ThreatLocker policies will take effect on processes that have been set to be excluded. This should only be used in very specific circumstances. How to Exclude Specific Processes from Logging in the Unified Audit: Navigate to the Computer Groups page within the ThreatLocker Portal and select the Computer Group that you would like to configure the excluded process for.
-
ThreatLocker Ops
The ThreatLocker Ops module validates your zero trust policies by allowing you to create rules that notify or respond to specified events. ThreatLocker Ops uses telemetry data, your threat levels, and your policies to define and communicate the current level of attack on your system. Navigating to ThreatLocker Ops: To navigate to the ThreatLocker Ops module, expand the 'Modules' dropdown menu within the ThreatLocker Portal and select 'ThreatLocker Ops'.