Windows
After you deploy the ThreatLocker agent, it will perform its first learning baseline based on what it finds and will continue learning while your computers are in Application Control Learning Mode. By default, your computers will automatically be placed into Application Control Learning Mode as defined by their computer group. During this learning period, ThreatLocker is going to attempt to learn your environment and create sufficient policies so that everything that is permitted and running currently can continue to work once you lock down your endpoints.
The ability for ThreatLocker to create these policies during the learning period is known as Automatic Policy Creation. ThreatLocker uses unique hashing algorithms during Automatic Policy Creation. Additional options include MD5, SHA1, and SHA256.
Most applications are cataloged automatically during Application Control Learning Mode, but not every one will be. ThreatLocker uses advanced algorithms combined with past experiences to create Application Definitions and policies when your endpoints are in Application Control Learning Mode. These algorithms can change from application to application.
As a general rule, applications that are installed in correct locations, such as the Program Files folder, AppData, and the Windows directory, are going to be learned and have policies automatically created for them.
Applications that are installed in your Documents folder, Downloads folder, Desktop folder, Users folders, or files at the root of C:\ are not going to be profiled during the automatic learning period (baselining) unless ThreatLocker is able to match them to an application name.
ThreatLocker uses various algorithms and parameters to decide an application's name. When you are onboarding, ThreatLocker is trying to figure out what all your applications are. ThreatLocker uses the location of the application, what process is calling it, and many other rules in its algorithms to decide what an application is and what to name it.
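As an added example (not ThreatLocker code), the following Python script applies the general location rule above to a list of Windows file paths and returns the executables that sit in locations the baseline does not profile, so they can be checked before lockdown. The function names, the extension list, the inclusion of Program Files (x86), and the choice to treat AppData as learned even though it sits under Users are assumptions of this example.

```python
from pathlib import PureWindowsPath

# Folder names come from the general rule on this page. The matching logic
# and "Program Files (x86)" are assumptions of this example, not documented
# ThreatLocker behaviour.
LEARNED_TOP = {"program files", "program files (x86)", "windows"}
EXECUTABLE_EXT = {".exe", ".dll", ".msi", ".bat", ".cmd", ".ps1"}  # assumed list


def classify(path: str) -> str:
    """Return 'learned', 'review' or 'unknown' for one Windows file path."""
    p = PureWindowsPath(path)
    if not p.is_absolute():
        return "unknown"
    folders = [part.lower() for part in p.parts[1:-1]]  # between drive and file
    if not folders:
        # File sits directly at a drive root; the page only names C:\
        return "review" if p.drive.lower() == "c:" else "unknown"
    if folders[0] in LEARNED_TOP:
        return "learned"
    if folders[0] == "users":
        # Assumption: C:\Users\<name>\AppData counts as a learned location,
        # everything else under Users (Documents, Downloads, Desktop, ...)
        # is in the not-profiled set.
        if len(folders) >= 3 and folders[2] == "appdata":
            return "learned"
        return "review"
    return "unknown"


def review_queue(paths):
    """Executables in not-profiled locations, to check before lockdown."""
    return sorted(
        p for p in paths
        if PureWindowsPath(p).suffix.lower() in EXECUTABLE_EXT
        and classify(p) == "review"
    )


# Constructed sample inventory, not taken from a real endpoint.
SAMPLE = [
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Users\alice\AppData\Local\Tool\tool.exe",
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\portable.exe",
    r"D:\Tools\util.exe",
]

if __name__ == "__main__":
    for item in review_queue(SAMPLE):
        print("review before lockdown:", item)
```

A path in the review queue may still be profiled if ThreatLocker is able to match it to an application name, so treat the output as a list to verify rather than a list of blocked files.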
Mac
After you deploy the ThreatLocker agent, it will perform its initial baseline based on what it detects and will continue learning while your computers are in Application Control Learning Mode. By default, your computers will automatically be placed into Application Control Learning Mode as defined by their computer group. During this learning period, ThreatLocker is going to attempt to learn your environment and create sufficient policies so that everything that is permitted and running currently can continue to work once you lock down your endpoints.
The ability for ThreatLocker to create these policies during the learning period is known as Automatic Policy Creation. ThreatLocker uses unique hashing algorithms during Automatic Policy Creation. Additional options include MD5, SHA1, and SHA256.
Most applications are cataloged automatically during Application Control Learning Mode, but not every one will be. ThreatLocker uses advanced algorithms combined with past experiences to create Application Definitions and policies when your endpoints are in Application Control Learning Mode. These algorithms can change from application to application.
As a general rule, applications that are installed in typical locations, such as the Applications folder and Library folders, are going to be learned and have policies automatically created for them. Applications that are installed in cloud storage are not going to be profiled during the automatic learning period (baselining).
ThreatLocker uses various algorithms and parameters to decide an application's name. When you are onboarding, ThreatLocker is trying to figure out what all of your applications are. ThreatLocker uses the path of the application, its Developer ID, what process is calling it, and many other rules in its algorithms to decide what to name an application.