Approval Center – Revamped
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article.
The Approval Center allows you to view requests sent in from your end users for Application Control access, Elevation, and Storage Control access.
The hostname and storage device where each request originated are listed, along with the requested action type (Read/Write for Storage Control, Execute for Application Control, or Elevate for Elevation). Following these are the requested file path, the request's status, the requestor, and the time the request was issued.
Opening an Application Request shows details of the requested file, the process that called it, the circumstances under which it was run, and the current status of the approval request, along with any customer guidelines you have laid out for Cyber Hero Management.
Clicking the 'Virus Total' button opens a link to the file's VirusTotal results and the potential actions to take with the file. If the file was attached to the approval request, it can be loaded into the ThreatLocker Testing Environment for review in an isolated, virtualized Windows environment. From this panel, files can be added to either a new or an existing application, either by hash or by custom rules built from parameters you define, or a machine can be placed into Learning Mode or Installation Mode.
Policies created from these approval requests can be set at the desired hierarchy level (from computer to Global), permitted, ringfenced, or denied. If the approval request is for a file that matches a built-in application with a suggested Ringfencing™ template established by ThreatLocker, that template can be applied by selecting 'Suggested Ringfencing' from the available options. Additionally, Elevation can be applied to assist in running an application as an administrator. A policy can be configured to expire within this panel as well.
Elevation requests will follow a similar format to Application Control requests, with Elevation (and an Elevation expiration, if you have specified a default Elevation time frame for your organization) enabled automatically.
Similar to an Application Request, you can configure the 'Request Details' section to set a desired policy level and whether to apply Ringfencing™. Elevation will be selected by default, as well as an Elevation expiration if one is set, but any of these details can be changed individually.
Opening a Storage request shows the requesting user, the requested file path, and the serial number of the device holding that path.
From the options available, you can either create a policy that permits the requested action or add the serial number of that storage device to an existing storage policy.
The above configuration would permit only this machine to access the protected directory until the 'Policy Expiration'. Each option can be configured to control the level of access this policy grants at a granular level.
Each approval request, regardless of action type, will have a 'Ticket Details' tab listing information provided by the end-user or added by the technician processing the request, including Ticket, Requestor Email, Requestor Reason, and Comments.
The release of ThreatLocker’s new Approval Center brings about a plethora of changes. Here we will cover the significant differences between the two builds.
Previously, the Approval Center allowed you either to permit a file or to ignore it, using the following two buttons:
The new Approval Center has eliminated these buttons and now allows much finer configuration. In the following example, the file c:\users\bob\desktop\putty.exe appears in the Approval Center.
Selecting the view button will open the View Request Window as shown in Figure 1.
A Deeper Look into the View Request Window
The first section of the View Request window displays the file details:
This section includes the full path, hash, and certificate(s) of the requested file.
Additionally, the calling process is shown, along with the hostname, username, and the date and time at which the request arrived.
Use matching application – This option will allow you to select any application that matches the file.
Important note: This dropdown box will display all applications in your environment that match.
Add the file(s) to an existing application definition – This option will allow you to add the file to an already existing application.
Create a new application definition – This option will allow you to create an entirely new application for you to place the file in.
When creating a custom application or adding files to one of our own definitions, we can choose how the rule is created.
Create a rule for the application automatically based on this file – This option analyzes the file and creates a rule based on its findings.
For example, for this putty.exe it will presumably permit the single hash. If, however, the file were in the Program Files folder and signed by a certain vendor, it would presumably create a rule allowing anything in the Program Files folder signed by that same vendor.
Automatically catalog files using Learning Mode – This is an automatic rule based on about 8,000 different combinations. In essence, it permits and tracks files that attempt to run and would ordinarily have been denied.
Automatically catalog files that are installed using Installation Mode – This option is best suited to new installations, or to new software that your ThreatLocker account has not seen before. It tracks newly installed files.
Note: When in doubt about which option to select, please consult with a Cyber Hero as they will be happy to assist.
Manually choose options – This option allows you to create a custom rule. For example, you may wish to permit by hash and by certificate, or by path and process. ThreatLocker recommends always using at least 2 options to create a more secure rule.
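To make the reasoning behind the automatic rule (the putty.exe example above) and the "at least 2 options" recommendation concrete, here is an added example in Python. It is not ThreatLocker's code or data model; the `FileEvent` and `Rule` types, the `auto_rule` heuristic and every sample path, hash and certificate subject are constructed assumptions for illustration. Each rule criterion that is set must match (AND), so a path-only rule matches any file that appears under that path, whereas a path-plus-certificate rule does not match an unsigned file at the same location.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    """Constructed model of the file details shown in a request (hypothetical)."""
    path: str              # full path of the file that was blocked
    sha256: str            # hash of the file
    signer: Optional[str]  # certificate subject, or None if unsigned
    process: str           # parent process that called the file


@dataclass(frozen=True)
class Rule:
    """A permit rule; every criterion that is set must match (logical AND)."""
    path_prefix: Optional[str] = None
    sha256: Optional[str] = None
    signer: Optional[str] = None
    process: Optional[str] = None

    def criteria(self):
        """Names of the criteria this rule actually uses."""
        return [name for name, value in vars(self).items() if value is not None]

    def matches(self, ev: FileEvent) -> bool:
        # Windows paths and hashes are compared case-insensitively.
        if self.path_prefix is not None and not ev.path.lower().startswith(self.path_prefix.lower()):
            return False
        if self.sha256 is not None and ev.sha256.lower() != self.sha256.lower():
            return False
        if self.signer is not None and ev.signer != self.signer:
            return False
        if self.process is not None and ev.process.lower() != self.process.lower():
            return False
        return True


def meets_two_criteria(rule: Rule) -> bool:
    """The recommendation from the article: combine at least two criteria."""
    return len(rule.criteria()) >= 2


PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def auto_rule(ev: FileEvent) -> Rule:
    """Hypothetical approximation of 'create a rule automatically based on this file':
    a signed file under Program Files yields a path+signer rule covering that folder and
    vendor; anything else is pinned to its single hash."""
    lowered = ev.path.lower()
    for prefix in PROGRAM_FILES:
        if ev.signer and lowered.startswith(prefix):
            return Rule(path_prefix=prefix, signer=ev.signer)
    return Rule(sha256=ev.sha256)


def evaluate(rules, ev: FileEvent) -> Optional[Rule]:
    """Return the first rule that permits the event, or None if it stays denied."""
    return next((r for r in rules if r.matches(ev)), None)


# Constructed sample requests (hashes and signer are placeholders, not real values).
EXPLORER = r"c:\windows\explorer.exe"
PUTTY = FileEvent(r"c:\users\bob\desktop\putty.exe", "aa" * 32, None, EXPLORER)
VENDOR_APP = FileEvent(r"C:\Program Files\ExampleVendor\app.exe", "bb" * 32,
                       "CN=Example Vendor Ltd", EXPLORER)
# Same vendor, new build: different hash, same path and certificate.
VENDOR_UPDATE = FileEvent(VENDOR_APP.path, "dd" * 32, "CN=Example Vendor Ltd", EXPLORER)
# Unsigned file at the same path: the case a path-only rule cannot tell apart.
UNSIGNED_SAME_PATH = FileEvent(VENDOR_APP.path, "cc" * 32, None, EXPLORER)


if __name__ == "__main__":
    for ev in (PUTTY, VENDOR_APP):
        rule = auto_rule(ev)
        print(ev.path, "->", rule.criteria(), "two criteria:", meets_two_criteria(rule))
    vendor_rule = auto_rule(VENDOR_APP)
    print("vendor rule permits update:", vendor_rule.matches(VENDOR_UPDATE))
    print("vendor rule permits unsigned file at same path:", vendor_rule.matches(UNSIGNED_SAME_PATH))
    print("path-only rule permits unsigned file:", Rule(path_prefix=PROGRAM_FILES[0]).matches(UNSIGNED_SAME_PATH))
```

Running the block shows the trade-off the article describes: the desktop putty.exe gets a single-hash rule that breaks on every update, the signed Program Files binary gets a path+certificate rule that survives updates from the same vendor, and a path-only rule would also permit an unsigned file dropped into that folder, which is exactly why a second criterion is recommended.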
Deny the application explicitly. (Future denies will be silent) – This denies the application indefinitely. As stated, future denies of it will be silent and will not generate new approval requests.
Permit the application and add Ringfencing restrictions – This option allows you to add Ringfencing to your application.
You will have the following options:
Permit the application without restriction – This will permit the application without Ringfencing enabled.
Don’t create any new policies, update the application definition – This option will update the definition, but will not create a policy for the application.
The entire organization – This creates a policy for the entire organization.
A computer group – This option creates a policy for a specific computer group.
This computer only – This option creates a policy for a specific computer.
If you are approving the file in question as part of a ticket, this section allows you to add notes. You may enter the ticket number, requestor, and additional comments. This keeps a record of when, and by whom, a request was permitted.