ActiveX Control Files (.ocx)
To increase security on devices using ThreatLocker, we have changed .ocx files to be processed as executable files rather than read-only files. This is similar to the approach we took with .ps1 and .bat files in order to prevent rogue scripts from executing on your endpoints. As a result of this change, you may see blocks for applications using .ocx files.
If after the ThreatLocker update you find that you have denied .ocx files in the Unified Audit and this change is impacting your organization, two options are presented below to solve this issue.
Option 1: Use this option if you need an immediate return to your organization’s previous settings. It is less secure, but it immediately returns .ocx files to running unrestricted. It involves creating a policy that permits all files of a single file extension type. This is a three-step process (building the policy, reviewing the policy matches, removing the policy), and directions can be found below.
Option 2: You can permit individual blocked .ocx files by using traditional steps within the Unified Audit. Using this option will allow you to select all files that have the .ocx file extension and easily permit them in their respective applications by hash. By default, .ocx files will remain denied until each policy is created. This is a more secure option but will also take more time to initiate. (For this option, begin following the directions below at step 2. When searching for denied items in the Audit, instead of searching by Policy name, search by Path *.ocx. All other steps will be the same.)
Option 1 Directions, STEP 1: Building a Permit All .ocx Policy
- Begin by creating a new application.
- Enter name as “Permit OCX Files”
- Under Path, add *.ocx
- Click Add
- Save the application
- Navigate to the Policies Tab and select the appropriate Computer Group for the policy. Entire Organization or Global are recommended for this policy.
- Then select the New Application Policy button
- Name the policy Permit OCX Files
- Under the “What application does this policy apply to?” section, select “Only the following applications.”
- Add the Permit OCX Files application you’ve just created
- Save your policy
- Deploy your policy
STEP 2: Reviewing the Policy Matches
After a specified amount of time, the Unified Audit should be reviewed for policy matches.
- Begin that process by navigating to the Unified Audit
- Enter Permit OCX Files as the Policy name to search by
- Set the Start date to the date you created the .OCX policy.
- Select Show Audit for Child Organizations, then Search
- Select the log you wish to incorporate into an application
- Select Add to Application and link the application to the associated software
- Use caution when selecting multiple deny logs to add to one application.
STEP 3: Removing the Policy
Remove the old allow-all OCX policy once you’ve created the appropriate new policies for .ocx files.
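When deciding which .ocx files to permit by hash and which application each belongs to, a local inventory of an endpoint helps with the review. The PowerShell below is an added example, not ThreatLocker tooling or part of the original article; it uses only built-in cmdlets, and the search roots and the output file name are assumptions to adjust for your environment.

```powershell
# Added example: inventory .ocx files with SHA-256 hash and Authenticode signer.
# $Roots and $OutCsv are assumed defaults, not values from the article.
param(
    [string[]]$Roots  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                          $env:ProgramFiles, ${env:ProgramFiles(x86)}),
    [string]  $OutCsv = ".\ocx-inventory.csv"
)

# Skip roots that are empty or missing (for example on 32-bit systems).
$existingRoots = $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$inventory = foreach ($root in $existingRoots) {
    Get-ChildItem -LiteralPath $root -Filter *.ocx -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.ocx' } |   # -Filter can also match longer extensions
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Directory       = $_.DirectoryName
                Name            = $_.Name
                SHA256          = $hash.Hash
                SignatureStatus = $sig.Status
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Product         = $_.VersionInfo.ProductName
                LastWriteTime   = $_.LastWriteTime
            }
        }
}

# Full inventory, to compare against the files you permit by hash.
$inventory | Sort-Object Directory, Name | Export-Csv -Path $OutCsv -NoTypeInformation

# Files without a valid signature deserve a closer look before they are permitted.
$inventory | Where-Object { $_.SignatureStatus -ne 'Valid' } |
    Format-Table Name, SignatureStatus, Directory -AutoSize

# One row per directory helps decide which files belong to the same application.
$inventory | Group-Object Directory | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so protected directories are readable; files that cannot be read are skipped silently.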