Computers Page: ThreatLocker 6.0
The first improvement you will notice is that the ‘Monitor Only’ mode box has been removed. It has been replaced with a ‘Status’ box which represents the security status of ThreatLocker.
The Status box will show you the current status of ThreatLocker on the selected computer.
Enabling ProtectionThe ‘Enable Protection’ box ends all maintenance periods and secures all the selected computers. At any time, to end all maintenance periods and re-enable protection, select the box next to the computer you wish to end maintenance on and enable protection on and click the ‘Enable Protection’ box placing the selected computer into a ‘Secured’ status.
Disabling ProtectionThe ‘Disable Protection’ box allows you to place computers into Monitor Only Mode or Learning Mode.
Enabling Monitor Only ModeTo place a computer in Monitor Only Mode, select the ‘Disable Protection’ box. From the dropdown menu, select the date and time you wish to re-enable protection, and do not select the box next to ‘Allow Learning based on Group Settings’.
You will see the status read ‘Monitor Only’ in red. This status means that no execution or Ringfencing policies that don’t have explicit denies will be blocked. Nothing will be learned in ‘Monitor Only’ Mode.
Enabling Learning Mode
To enter ‘Learning Mode’ you need to click the check box next to ‘Allow Learning Based on Group Settings’.
After clicking ‘Start’ the status will change to ‘Learning Mode’.
When computers are first installed, they will stay in ‘Learning Mode’ based on the computer group settings. Navigate to ‘Computer Groups’, then the specific group to enter the group management window where you can view or change the default monitor mode duration setting via the ‘Default Monitor Mode Duration’ dropdown menu.
The ‘Client Version’ box allows you to easily select which version of ThreatLocker you want to run on the selected computer. You can choose to ‘Inherit from Group’, or choose any version of ThreatLocker you have installed.
The ‘Maintenance Mode’ button replaces the ‘Start Learning Mode’ button from earlier versions. It opens up the ‘Maintenance Schedule’ menu. There are five different types of maintenance you can schedule. Multiple maintenance schedules can run at the same time.
To select the ‘Elevation Mode’, you must have the ThreatLocker Elevation product. It allows you to automatically elevate any programs that require elevation for all users or selected users.
To add an elevation period, select a start date and an end date. The default time period is one hour. Then select ‘Add Maintenance Schedule’. If you select the ‘All the user to End the schedule from the Computer’, a popup box will appear on the end user’s computer showing that Elevation Mode is enabled and the user can click to end the elevation period when they are done. There is also a countdown timer on the popup showing how much time is remaining.
If the ‘Allow the user to End the schedule from the Computer’ box is not checked, the popup will not appear, and Elevation Mode will run silently on the computer.
Installation Mode turns off blocking for execution and Ringfencing policies and learns any changes or new installed files on the system.
Learning Mode is similar to Installation Mode. It learns what files are being installed on the computer and it learns what files would be denied using the default deny policy. If you have an application already installed and you want to learn what files are required to run it, you can put the computer into ‘Learning Mode’, select the application from the ‘Application’ dropdown menu and click ‘Add Maintenance Schedule’ to place the computer in Learning Mode.
There is also an ‘Automatic’ option in the ‘Application’ list. This is the default mode when installing new computers. This automatically learns the application name and creates policies. When you first install, the time period is set to one week. When setting on ‘Automatic’ it is not recommended to select ‘Allow the user to End the schedule from the Computer’.
‘Monitor Only’ mode is similar to the others. You select ‘Monitor Only’ and choose the start and end times. You choose which users to apply it to and then select ‘Add Maintenance Schedule’. This will turn off blocking temporarily but it will not learn. If you select the ‘Allow the user to End the schedule from the Computer’ box then the user will receive a popup stating that Monitor Only mode is temporarily enabled.
Tamper Protection Disabled
‘Tamper Protection Disabled’ allows you to disable tamper protection for a period of time. For example, if you need to disable ThreatLocker to diagnose an issue, you can do that. It is recommended to only disable Tamper Protection when working with ThreatLocker Support.
Select ‘Tamper Protection Disabled’ and choose the start and end times. ‘Tamper Protection Disabled’ must be applied to all users. If you want the end user to receive a popup, select the box next to ‘Allow the user to End the schedule from the Computer’. Click ‘Add Maintenance Schedule’ to start the ‘Tamper Protection Disabled’ period. The status will be flagged in red.
‘Move Computer’ allows you to move multiple computers at once. Choose the computers you wish to move and then click the ‘Move Computer’ button.
Then you will choose the ‘Target Organization’ and the ‘Target Computer Group’ from the dropdown menus to move computers easily from one organization to another.
It is important to note that the policies applied to those computers do not get carried over to the new organization. For this reason, you may want to click the box next to ‘Enable Learning and Rescan Baseline’ before you click ‘Move’. This is not a required step, but if you do not choose this, it may block existing software on the computer.
When you click on ‘Rescan Baseline’ you can choose whether or not to ‘Enable learning based on group settings’. If you choose not to ‘Enable learning based on group settings’, no policies will be created automatically. You will get a list of all the files on that computer in the ‘Unified Audit’.