Approval Center – Revamped
The release of ThreatLocker’s new Approval Center brings about a plethora of changes. Here we will cover the significant differences between the two builds.
Previously, the Approval Center allowed you to either permit a file or ignore it, using the following two buttons:
The Approval Center has eliminated these buttons and now allows for optimum configuration. In the following example, we see the file c:\users\bob\desktop\putty.exe in the Approval Center.
Selecting the view button will open the View Request Window as shown in Figure 1.
A Deeper Look into the View Request Window
The first section of the View Request (VR) window will display the file details:
This section includes the full path, hash, and certificate(s) of the requested file.
Additionally, the process will be shown, along with the hostname, username, and the date and time at which the request arrived.
Use matching application – This option will allow you to select any application that matches the file.
Important note: This dropdown box will display all applications in your environment that match.
Add the file(s) to an existing application definition – This option will allow you to add the file to an already existing application.
Create a new application definition – This option will allow you to create an entirely new application for you to place the file in.
When creating custom applications or adding our own definitions, we have the option to determine how we would like to create the rule.
Create a rule for the application automatically based on this file – This option analyzes the file and creates a rule based on its findings.
For example, for this putty.exe it will presumably permit the single hash. However, if the file is in the Program Files folder and signed by a certain vendor, it would presumably create a rule that allows anything in the Program Files folder with the same vendor.
Automatically catalog files using Learning Mode – This is an automatic rule that is based on about 8,000 different combinations. In essence, this will allow and track files that are trying to open and that would ordinarily have been denied.
Automatically catalog files that are installed using Installation Mode – This option is best suited for new installations, or new software that your ThreatLocker account has not seen before. This will track newly installed files.
Note: When in doubt about which option to select, please consult with a Cyber Hero as they will be happy to assist.
Manually choose options – This option allows you to create a custom rule. For example, you may wish to permit by hash and by certificate, or by path and process. ThreatLocker recommends always using at least 2 options to create a more secure rule.
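To illustrate the recommendation to use at least 2 options, the following is an added example, not ThreatLocker code and not a description of how its rule engine works. It assumes that every criterion set on a rule must match; the Request and Rule classes, the signer name, the parent process and the hashes are constructed for illustration.

```python
import hashlib
from dataclasses import astuple, dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class Request:  # file details of the kind the View Request window lists
    path: str
    sha256: str
    cert: Optional[str]  # signer subject, None if unsigned
    process: str         # process that launched the file

@dataclass(frozen=True)
class Rule:  # hypothetical model: every criterion that is set must match (AND)
    path: Optional[str] = None     # wildcard pattern, compared case-insensitively
    sha256: Optional[str] = None
    cert: Optional[str] = None
    process: Optional[str] = None  # wildcard pattern

    def criteria(self) -> int:
        return sum(v is not None for v in astuple(self))

    def matches(self, r: Request) -> bool:
        def wild(pattern, value):
            return pattern is None or fnmatchcase(value.lower(), pattern.lower())
        return (self.criteria() > 0 and wild(self.path, r.path)
                and self.sha256 in (None, r.sha256) and self.cert in (None, r.cert)
                and wild(self.process, r.process))

def meets_recommendation(rule: Rule) -> bool:
    return rule.criteria() >= 2  # the page recommends at least 2 options

# Constructed sample data: the hashes and the signer name are not real values.
PATH = r"c:\users\bob\desktop\putty.exe"
approved = Request(PATH, hashlib.sha256(b"constructed-approved").hexdigest(),
                   "Constructed Publisher", r"c:\windows\explorer.exe")
# A different, unsigned file that later appears at the same path.
lookalike = Request(PATH, hashlib.sha256(b"constructed-other").hexdigest(),
                    None, r"c:\windows\explorer.exe")
RULES = {"path only": Rule(path=PATH),
         "path + cert": Rule(path=PATH, cert="Constructed Publisher"),
         "hash + cert": Rule(sha256=approved.sha256, cert="Constructed Publisher")}

def verdicts(rule: Rule):
    # (meets the 2-option recommendation, matches approved, matches lookalike)
    return meets_recommendation(rule), rule.matches(approved), rule.matches(lookalike)

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(name, verdicts(rule))
```

In this model the path-only rule accepts both files, while each two-criterion rule accepts only the file that was originally approved.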
Deny the application explicitly. (Future denies will be silent) – This will deny the application for an indefinite amount of time. As stated, future denies will be silent.
Permit the application and add Ringfencing restrictions – This option allows you to add Ringfencing to your application.
You will have the following options:
Permit the application without restriction – This will permit the application without Ringfencing enabled.
Don’t create any new policies, update the application definition – This option will update the definition, but will not create a policy for the application.
The entire organization – This creates a policy for the entire organization.
A computer group – This option creates a policy for a specific computer group.
This computer only – This option creates a policy for a specific computer.
If you are approving the file in question within a ticket, this section will allow you to add in notes. You may enter the ticket number, requestor, and additional comments. This will keep a record of when an individual permits an instance.