Help CenterNote: This Agent Setting requires the ThreatLocker Windows Agent Version 10.5.3 or above. This Agent Setting is not currently available on MAC or Linux devices.
Please note that if an application updates and you have opted to ONLY learn by hashes and NOT custom rules, new hashes will be learned through Application Control Learning Mode but new custom rules will need to be made manually. ThreatLocker can create custom rules for applications to permit expected files and file paths outside of hashes. Depending on your choice of Agent Settings, you might experience more application file blocks as custom rules are not being created by ThreatLocker.
By default, when a machine is placed into Application Control Learning Mode, if a file is executed or installed and ThreatLocker does not already have a Built-In application for it, a custom application will be created. This custom application will contain a list of all necessary hashes for running the application, as well as custom rules created by the ThreatLocker algorithm. For questions regarding custom rules, please refer to the following article:
Creating Custom Rules | ThreatLocker Help Center
ThreatLocker will create these custom rules by default; however, there is now an Agent Setting that allows you to learn only hashes for new custom applications when in Application Control Learning Mode.
To apply this Agent Setting, navigate to the 'Agent Settings' page using the left-hand side of the portal, then select the '+ New Setting' button to open the 'Create Settings' sidebar. Once here, select the 'Setting Type' dropdown and choose 'Automatic Learning - Application File Creation' from the list.
Ensure that you select where you would like to apply this setting. By default, 'Entire Organization' will be selected, but you can also choose to apply it to a specified computer group or individual machine.
Once you have selected the 'Setting Type', the 'Parameters' section will now populate. This section will include a dropdown titled 'Application File Creation Settings'.
ThreatLocker offers two options within this dropdown:
- Learn recommended custom rules and hashes
- This is the default setting for Application Control Learning Mode. This means that when a custom application is created or updated using the ThreatLocker algorithm, it will learn hashes using the ThreatLocker hashing algorithm AND create custom rules that apply to this application.
- Learn hashes only
- This setting ensures that ThreatLocker does not create custom rules and only creates hash-only application files in your custom applications.
Once you have selected all of the parameters, select the 'Create' button at the bottom of the page, then select the 'Update Agents' button at the top of the page.
These settings will now apply whenever a machine to which this setting is applied is placed into Application Control Learning Mode.