Windows Agent Version 8.x Release Notes

Last update: 11.27.2023

Version 8.3 - Beta

11/08/2023

Known Issue: Syncplicity preventing ThreatLocker machines from checking in to the portal

New Features

  • The default value for \device\syncplicity will now be null, and clients will need to set their preferred value
  • When the EnableLUA registry key is changed and a computer needs a reboot, a flag will now be visible on the Computers Page 
  • Override codes are now available for individual Storage Control policies. If a ThreatLocker Override is run, ALL storage policies will be ignored

Improvements

  • Updates and improvements to the UAC prompt and the ThreatLocker Tray
  • Improvements to how the Monitor PowerShell option is applied to the endpoint
  • The error log folder located in the application folder will now clear logs older than 30 days 
  • Improvements to the handling of Global Configuration Manager Policies
  • Added the support of multiple wildcards within the registry path for Ringfencing exclusions 
  • Improved the way hostname is populated to show more than 15 characters 

Bugs and Fixes

  • Resolved an issue with the ThreatLocker driver getting stuck in a restart cycle related to the default value for disabled devices 
  • Resolved an issue causing excessive logging of the FileInfo and FileInstall in the System Audit 
  • Resolved an issue in which opening multiple instances of the real-time audit caused high memory usage 
  • Resolved an issue that caused an API to stall when changing the page size on the Applications page 
  • Resolved an issue where Network Control caused high CPU when monitoring outbound traffic 
  • Resolved an excessive logging issue in the Unified Audit related to the ThreatLocker Ops policy for Log All Logon Events 
  • Resolved an issue with conflicting serial number lengths based on differences in Windows 7 and Windows 10 
  • Resolved an issue where a client was unable to RDP into their machine; resolved by adding IPSec support 
  • Resolved an issue with Chrome extensions not being blocked as required 
  • Resolved an issue with the Disable UPnP policy in Configuration Manager 
  • Resolved an issue that would block a new USB request if there is already a pending, different, USB request in the system 
  • Resolved an issue with the UAC where the {Username}@{Domain} format would fail authentication 
  • Resolved an issue from 7.6 related to Windows programs that only work properly when run by an administrator, like the Windows Media Creation Tool 
  • Resolved an issue from 8.0 where the NetworkPendingQueueSize in the registry was not dropping as expected 
  • Resolved an issue for Legacy ThirdWall users which affected the excessive failed logon events policy 
  • Resolved an issue with built-in SDHC card readers and collecting S/N from SD cards 
  • Resolved a rare issue where the Windows API would not read an entire file

Version 8.2.4 - Beta

11/16/2023

Improvements

  • Moving forward, ThreatLocker will not include C:\ProgramData\Docker* in the baseline learning process to avoid causing unintended issues. For more information about Baselining, please see our ThreatLocker University course Learning Mode

Version 8.2.3 - Live

11/01/2023

Bugs and Fixes

  • Resolved an issue that caused excessive logging in Tamper Protection Mode

Version 8.2.2 - Live

10/25/2023

Improvements

  • Improvements to outbound network processing
  • Added support for exclusions for Outbound Network Control  

Bugs and Fixes

  • Fixed a bug with Exclusions where, in certain circumstances, they would not apply as intended

Version 8.2.1 - Live

10/19/2023

Improvements

  • Improvements to inbound network processing

Version 8.2 - Live

10/17/2023

New Features

Improvements

  • Improved logging for the Network Challenge feature 
  • Improved the real-time audit logs to show in the time zone of the machine 
  • Requester email is now included in the UAC prompt for Elevation and Approval Requests
  • To avoid unintended blocks: if a policy containing only a .dll sits above a policy for the same application that contains a .exe and the same .dll, then when the first policy runs, the second policy (with the .exe and .dll) will match and permit. This change could cause policies to process in an unexpected order 
  • Improvements to the Approve Applications process, including identification of a matching application to happen inside the virtual testing environment 
  • Improved the processing of UDP traffic 
  • Improvements to Isolation Mode in Configuration Manager, including blocking TCP & UDP traffic 
  • Improved internal logging of events related to temp files, delete actions, sleep/hibernation behaviors, and more  
  • The Stub Installer is now integrated into the MSI Installer 
  • Improvements made to new applications and the amount of logging in the Unified Audit 
  • Improved the Windows Service and Driver features to harden the process of service downgrading, stopping/starting of the service and driver, and Tamper Protection 
  • Reinstated Green Denies on Network Control in the Unified Audit when no policies exist but the Module is enabled 
  • Improved error messaging around Chromium Extensions which return an empty string 
  • SHA256 captures will now be enabled by default and users will have the ability to disable this feature under the Organization Options 
  • Added a Kill Running Process option to ThreatLocker Ops 
  • Improved ThreatLocker Ops by adding canary files 
  • Elevation buttons have been changed to look more prominent 
  • Configuration Manager now has a policy to block Developer Mode in MS Edge Chromium and Google Chrome 
  • Improved the handling of temporary files to reduce data set kept in memory cache 
  • Windows machines will now display the major and minor version in the Portal 
  • Improved the cache of items in the Unified Audit to reduce noise. This will not affect Denies. All denies will log
  • Updates and improvements to the UAC prompt 
  • Updates to Configuration Manager, including the Set Screen Saver policy and how it logs in the Unified Audit 
  • Added Tray notification messaging for the Isolate/Un-isolate feature 
  • Added functionality to disable the notification that users see when programs install or update 
  • Improved the cert.db download speed 
  • Improved the way hostname is populated to show more than 15 characters 
  • Reduced minimum monitored file size from 16 bytes to 4 bytes 

Bugs and Fixes

  • Resolved an issue with Excluded Processes; they will now exclude Install action types 
  • Resolved an issue using wildcards (*) in Storage Control Policies in the "What program does this apply to?" field 
  • Resolved an issue with Network Control that was causing intermittent incorrect denies 
  • Resolved an issue with RAID drives and ringfencing
  • Resolved an issue with baselining that caused high CPU usage 
  • Resolved an issue with MSI files trying to elevate 
  • Resolved an issue with thumb drives and logging of encryption status 
  • Improved file logging in the Unified Audit to only record Reads and Writes, either in Permit or Deny policies, for .exe and .dll files, reducing white noise and unintentional blocks 
  • Resolved an issue with Network Control and deleted Authorization Hosts 
  • Resolved an issue identified in 7.10 where some Chromium extensions would not read as executable 
  • Resolved an issue where some extensions were not being blocked in Chrome 
  • Resolved an issue from 7.10.2 and 8.0 with svchost.exe and hash showing incorrectly on installs 
  • Resolved an issue for Legacy ThirdWall users which affected the excessive failed logon events policy 
  • Resolved an issue with \\localhost\c$\*\ related to storage devices and excessive logging 
  • Resolved an issue from 7.6.1 where the tray notification would not populate at the correct time 
  • Resolved an issue where a user was getting BSOD when connecting to a home network 
  • Resolved an issue with Chrome extensions not being blocked as required 
  • Resolved an issue with Network Control not caching as expected and then sometimes failing the Challenge
  • Resolved an issue with Chromium Extensions that were being denied via storage policies 
  • Resolved an issue where FortiNet VPN allowed RDP connections with Network Control RDP deny policies in place 
  • Resolved an issue with Elevation that gave incorrect permissions based on the ThreatLocker Consent setting
  • Resolved an issue with storage policies when multiple policies use different drives 
  • Resolved an issue related to capturing core files from all drives, which caused some core files to be blocked 
  • Resolved an issue that would block a new USB request if there is already a pending, different, USB request in the system 
  • Resolved an issue that was allowing non-permitted files to execute from the C:\Windows\Assembly folder 
  • Resolved an issue that allowed files to be renamed even though they were protected by Tamper Protection 
  • Resolved an issue with Ringfencing failing to block Reads/Writes as expected 
  • Resolved an issue which caused the Tray to crash for users on .NET 4.8+ 
  • Resolved an issue with Tamper Protection Deny logs which caused excessive logging 
  • Resolved an issue with proxy and service loss 
  • Resolved an issue that allowed Ringfencing to process when only Default Deny was selected 
  • Resolved an intermittent issue found on Windows 10 where certain files were being logged as execute even though they were not .exe files 
  • Resolved an issue with system stress caused by installations 
  • Resolved an issue where the SHA256 was captured but not showing in the Unified Audit 
  • Resolved an issue with Network Control and error messages populating incorrectly 
  • Resolved an issue with Configuration Manager and the Set Password Protected Screen Saver enable/disable feature 
  • Resolved an issue with UDP Multicast IPs; they are no longer blocked and/or logged 
  • Resolved an issue with the capture of UDP traffic if a registry value was set 
  • Resolved an issue where any binaries run by rundll32 would be blocked by ThreatLocker as a normal user 
  • Resolved an issue with the Created By Process and custom rules 
  • Resolved an issue with Network Control and unnecessary logging of ThreatLocker domains 

Version 8.0.2

7/15/2023

Bugs and Fixes

  • Resolved a minor issue with RoboCopy which was causing high CPU usage

Version 8.0.1

07/07/2023

Improvements

  • Improved the way hostname is populated to show more than 15 characters  

Version 8.0

6/16/2023

Bugs and Fixes

  • Resolved an issue with Tamper Protection not disabling when an Override would be applied
  • Resolved several issues with the tray, including crashing and missing attachments 
  • Resolved an issue with devices being blocked due to language settings 
  • Resolved an issue with corrupt pk.dat files  
  • Resolved several issues with Network Control, including authorization host timeouts, objects not applying to IPv6, and issues with keywords 
  • Resolved an issue where Tamper Protection would set prior to a successful check-in 
  • Resolved an issue with the ThreatLocker service not honoring DNS changes  
  • Resolved an issue in 7.10 where Created by Custom rules would not apply 
  • Resolved an issue where the Run Now button would not close when running a .dll file 
  • Resolved an issue where users got a BSOD from a single IP address 
  • Resolved an issue where Bypass I/O was not supported by the ThreatLocker Driver. This will now work for new installs of 8.0 but not updates to 8.0
  • Resolved an issue where corrupted tags.json would not recover 
  • Resolved an issue where Administrators would not get correctly redirected to their approvals after logging into the portal 
  • Resolved an issue where system32 paths would be stopped when killing all running processes 
  • Resolved an issue where VirtualBox virtual machines would get stuck on service restarts 
  • Resolved an issue where deployment could have caused duplicate machines 
  • Resolved an issue when a workstation freshly boots up and wants to authenticate but the server does not know this workstation yet 
  • Resolved an issue where storage approvals would not generate a popup after an approval had been actioned 

New Features

Improvements

  • Improvements to security by only allowing one instance of ThreatLocker service to run at a time 
  • When the user is System, files run by powershell.exe or rundll32.exe will not be processed as executing 
  • Improved how deny actions are recorded

 Find older release notes here: Windows Agent Version 7.x Release Notes