Overview
To promote a smoother experience and help prevent ThreatLocker from flagging the ScreenConnect Windows installer as being from an “unidentified developer,” ThreatLocker recommends signing your ScreenConnect installers with a certificate, running the ScreenConnect installer while the device is in Installation Mode (new installations only), and adding a few custom rules to the Application Files.
The article below will detail these instructions.
The expectation is that only the unique, newly signed installers and update files that do not match the Built-In definition are added to the application. The core components of ScreenConnect continue to be permitted by the ThreatLocker Built-In.
Add a Certificate in ConnectWise ScreenConnect
ConnectWise provides an extension that allows administrators to sign the Windows access agent installers with their own trusted code-signing certificate or with a generated self-signed certificate. Please see the ConnectWise University article titled “Certificate Signing” for detailed instructions on how to install this extension and a certificate.
Full link to article: https://docs.connectwise.com/ConnectWise_ScreenConnect_Documentation/Supported_extensions/Administration/Certificate_Signing
Once certificate signing is complete, the installation files will contain two certificates: the ConnectWise certificate and your own (self-signed or trusted) certificate.
Build a New Install
Note: This step is only needed for users who do not already have an installer. If you already have ScreenConnect installed in your environment, you can proceed to the section titled “Add Custom Rules”.
Navigate to the Access page and select Build+ to build a new installer.
Complete the following fields and select an option for sharing the installer. In this example, we will copy the URL.
Run the Install Setup
To install, the impacted device must first be placed in Installation Mode.
Depending on your environment, Elevation Mode may also need to be enabled for this install.
For more information on how to place a device in Installation Mode or Elevation Mode, please see the related KB articles:
· Maintenance Modes | ThreatLocker Help Center (kb.help)
· Permitting Software From the Computers Page | ThreatLocker Help Center (kb.help)
· ThreatLocker Elevation – Quick Start Guide | ThreatLocker Help Center (kb.help)
Note: Some devices may not immediately show the newly signed files. If the ScreenConnect agents are out of date when you add the certificate, the certificate may not immediately be attached to the update files. The newly signed files should show after their pending updates are allowed.
Notice that the certificate shown in ConnectWise now matches the SHA256 digital signature shown in the properties of your installer .exe. You will need this certificate information in the next step.
Add Custom Rules
Navigate to the Application Control module and search your applications for “screen” to locate your ScreenConnect application.
Select the application.
Locate the Path, Process, and Certificate. In the ThreatLocker Portal, these are listed on the Application Files tab, in the Notes section of the regex Full Path entry.
Custom Rule 1 – Account for Different Users
Under the File Rules section, select Full Path for Condition 1 and paste the process you copied from the Notes into Value 1. Replace the portion of the path between c:\ and \screenconnect with a wildcard (highlighted in the example below) so the rule covers multiple users and file locations.
Then, select Certificate for Condition 2 and paste the Certificate details (after cn=, blurred in the example) in Value 2.
Select Add.
Custom Rule 2 – Account for Multiple Install Files
Under the File Rules section, select Full Path for Condition 1 and paste your process into Value 1. Replace the portion of the path between c:\ and \screenconnect with a wildcard to account for multiple users and file locations, then insert a space, an opening parenthesis, a wildcard, and a closing parenthesis, i.e. " (*)", after clientsetup and before .exe (highlighted in the example) to account for multiple downloaded copies of the install file.
Then, select Certificate for Condition 2 and paste the Certificate details (after cn=) in Value 2.
Select Add.
Custom Rule 3 – Account for Future Updates (1 of 2)
Under the File Rules section, select Full Path for Condition 1 and paste your AppData Local Path in Value 1. Replace the user’s name with a wildcard (*).
Note: The GUID displayed after \screenconnect\ and before \setup.msi is a unique ID for each ScreenConnect Server. If your organization manages multiple ScreenConnect Servers, the most secure approach is to build a separate rule for each ScreenConnect Server rather than wildcarding the GUID.
Then, select Certificate for Condition 2 and paste the Certificate details (after cn=) in Value 2.
Select Add.
Custom Rule 4 – Account for Future Updates (2 of 2)
Under the File Rules section, select Full Path for Condition 1 and type c:\windows\installer\*.msi in Value 1.
Then, select Certificate for Condition 2 and paste the Certificate details (after cn=) in Value 2.
Select Add.
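The following is an added example (not part of this article or of ThreatLocker's product) that models the four custom rules above as wildcard path plus certificate CN checks and evaluates them against constructed sample file records, so you can see which files each rule permits and, just as importantly, which it does not (an unsigned or differently signed file in a matching path, or a setup.msi from another server's GUID). The process name clientsetup.exe, the certificate CN, the server GUID, and the wildcard semantics (case-insensitive, * matches any run of characters including backslashes) are assumptions for illustration, not ThreatLocker's documented matching engine.

```python
import re

# Constructed placeholders: replace with the values shown in the Notes
# of your own ScreenConnect application in the ThreatLocker Portal.
CERT_CN = "Example Org Code Signing"                  # text after cn= (placeholder)
SERVER_GUID = "00000000-0000-0000-0000-000000000000"  # per-server GUID (placeholder)

# The four custom rules from the article: (name, full-path pattern, required signer CN).
RULES = [
    ("Rule 1 - different users", r"c:\*\screenconnect\clientsetup.exe", CERT_CN),
    ("Rule 2 - multiple install files", r"c:\*\screenconnect\clientsetup (*).exe", CERT_CN),
    ("Rule 3 - future updates (1 of 2)",
     r"c:\users\*\appdata\local\screenconnect\%s\setup.msi" % SERVER_GUID, CERT_CN),
    ("Rule 4 - future updates (2 of 2)", r"c:\windows\installer\*.msi", CERT_CN),
]


def path_matches(pattern, path):
    """Case-insensitive full-path match; '*' matches any run of characters,
    including path separators (assumed model of the wildcard condition)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.lower().split("*")) + "$"
    return re.match(regex, path.lower()) is not None


def evaluate(path, signer_cn):
    """Return the name of the first rule permitting the file, or None if no rule applies.
    Both conditions must hold: the path pattern AND the certificate CN."""
    for name, pattern, required_cn in RULES:
        if path_matches(pattern, path) and signer_cn == required_cn:
            return name
    return None


# Constructed sample observations: (full path, CN of the signing certificate or None if unsigned).
SAMPLES = [
    (r"C:\Users\alice\Downloads\ScreenConnect\ClientSetup.exe", CERT_CN),            # Rule 1
    (r"C:\Users\bob\Downloads\ScreenConnect\ClientSetup (2).exe", CERT_CN),           # Rule 2
    (r"C:\Users\alice\AppData\Local\ScreenConnect\%s\setup.msi" % SERVER_GUID, CERT_CN),  # Rule 3
    (r"C:\Windows\Installer\4a1b2c.msi", CERT_CN),                                    # Rule 4
    (r"C:\Users\alice\Downloads\ScreenConnect\ClientSetup.exe", None),                # unsigned: denied
    (r"C:\Windows\Installer\4a1b2c.msi", "Some Other Publisher"),                     # wrong signer: denied
    (r"C:\Users\alice\AppData\Local\ScreenConnect\ffffffff-ffff-ffff-ffff-ffffffffffff\setup.msi",
     CERT_CN),                                                                        # other server: denied
]

if __name__ == "__main__":
    for path, cn in SAMPLES:
        print(f"{evaluate(path, cn) or 'DENIED':<34} {path}")
```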