ThreatLocker Override Codes

Last update: 01.22.2024

Overview

ThreatLocker Override Codes allow you to disable different aspects of ThreatLocker on a computer that does not have access to the internet or the ThreatLocker Data Centers. What you can disable is dependent on the version of ThreatLocker you are running.

  • Below ThreatLocker Version 7.6, you are able to disable Application Control.
  • On ThreatLocker Version 7.6 and above, you are able to disable Application Control and Tamper Protection blocking.
  • On ThreatLocker Version 8.2 and above, you are able to disable Application Control, Tamper Protection blocking, and Network Control.
  • On ThreatLocker Version 8.3 and above, you are able to disable Application Control, Tamper Protection blocking, Network Control, and Storage Control.

 

On ThreatLocker Versions 7.6 and Above

Machines on ThreatLocker Versions 7.6 and newer have Override Codes by default. Admins can run the report "Override Codes (Agent 7.6 or above)" to see the unique override code linked to each hostname. These unique codes are automatically regenerated every day for each computer you have installed in the portal. The most recent code registered for a machine is based on its most recent check-in. Your code is active for 24 hours. If the machine is restarted or the override code is stopped, you will be issued a new code the next time you check in. If a machine is offline for more than 24 hours, the code will regenerate upon the next check-in.

To end the override state, navigate to the ThreatLocker Tray and right click, select "Override", then select "Stop Override" from the popup.

NOTE: There may be a delay of up to 10 seconds for the ThreatLockerService to fully remove the Override functionality.

On Legacy ThreatLocker Versions below 7.6

Under your account, you will see an Application called ThreatLocker Override Codes. This application gives you a list of automatically generated override codes for your account. If you edit the application, you will see a list of SHA256 representations of the codes. The codes are stored in an irreversible hash format to stop attackers from reading the code on the computer and entering it manually.

To access the ThreatLocker Override Codes: 

  • Select Application Control > Applications from the navigation menu. 
  • Search for the Application named ThreatLocker Override Codes 
  • Edit the Application.

  • For your convenience, ThreatLocker has stored the unhashed password in the notes field. We recommend you take note of these passwords and store them in a secure location.   
  • You can add additional override codes by adding a SHA256 of the code in the Path AND the Hash. Make sure you store the unencrypted password in a secure location. You can generate a SHA256 by visiting https://codebeautify.org/sha256-hash-generator
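
To compute the SHA256 on your own machine, so the plaintext code is never typed into a website, the PowerShell below generates a random code and hashes it. This is an added example, not ThreatLocker's code: the function names are hypothetical, and UTF-8 input with lowercase hex output is an assumption about the hash format the portal expects.

```powershell
# Added example: generate an override code and its SHA-256 locally.
# Assumptions (not from the ThreatLocker article): the code is hashed as
# UTF-8 text and the digest is written as lowercase hex.

function New-OverrideCode {
    param([int]$Length = 24)
    # Alphabet without look-alike characters (0/O, 1/l/I) so the code can be
    # typed by hand on an offline machine.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object char[] $Length
        $buf   = New-Object byte[] 1
        # Largest multiple of the alphabet size that fits in a byte; values at
        # or above it are rejected to avoid modulo bias.
        $limit = 256 - (256 % $alphabet.Length)
        $i = 0
        while ($i -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
                $i++
            }
        }
        return -join $chars
    } finally { $rng.Dispose() }
}

function Get-OverrideCodeHash {
    param([Parameter(Mandatory)][string]$Code)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes  = [System.Text.Encoding]::UTF8.GetBytes($Code)
        $digest = $sha.ComputeHash($bytes)
        return -join ($digest | ForEach-Object { $_.ToString('x2') })
    } finally { $sha.Dispose() }
}

# Store Code in a secure location; Sha256 is the value for Path and Hash.
$code = New-OverrideCode
[pscustomobject]@{ Code = $code; Sha256 = Get-OverrideCodeHash -Code $code }
```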

 

 

On versions below 7.6, the Override Codes Policy is disabled by default. You can either enable the standard override code policy or create your own override policy. 

Please note that override policies must be named "ThreatLockerOverride".

 

You can also create override policies at the individual computer, group, or MSP global level.

Creating a new Override Policy

Navigate to Application Control > Policies.

Select the New Application Policy button.

Name the Policy ThreatLockerOverride.

Under 'What applications does this policy apply to?', select ThreatLocker Override codes and then click 'Add'.

Under 'Do you want this policy to apply to the entire organization or a selected computer group?', select the group you would like to place this policy on.

All other settings can be left at their defaults. Remember to click 'Save'.

To access your override codes, click on the smaller font name under the policy name. This will open the Application definition where you can access the codes as needed.

To enable the default override policy:

  • Select Application Control > Policies from the Navigation Menu
  • Select Entire Organization in the top right corner. 
  • Toggle the On/Off switch to the On position in the portal. 

Once you use an override code, you should delete the code from the Application. The code will then be disabled, and once the computer comes online, it will become ineffective.

 

 

How to activate an override code on ThreatLocker Agent 5.29 and above

From the ThreatLocker Portal, navigate to Application Control > Policies. Find your Override Policy. Click the smaller font below the Policy name to open the Application Definition.

Expand one of the entries and copy the unhashed key from the 'Notes' section.

From the ThreatLocker Tray Icon, select the option "Override" -- this will populate a text box where you will enter the key. Enter that key in this textbox and click "Save".

Once an override code has been used, you should immediately delete it from your application list.

Override codes expire when the hash value is removed from the application and the ThreatLocker service has been restarted on the endpoint. In addition, the device has to check in again to register that the key is no longer relevant.

In the Unified Audit, files that were permitted while in Override will appear as a green deny. When you expand the audit entry, you will see a green tag at the bottom of the entry that says 'Override'.

IMPORTANT NOTE: Before an override code will be removed from your endpoint, the computer will need to successfully check in AND the ThreatLocker Service needs to be restarted.

 

How to activate a temporary override code on older ThreatLocker Agent versions

Note: The following instructions are applicable to agents between 5.25.10.1050 and 5.29

  • To use the temporary override code, create a new text file: c:\programdata\threatlocker\override.txt
  • Enter the password in the file in its original format (not SHA). Once you save the file, ThreatLocker will stop blocking within 10 seconds.