Creating Policies to Monitor Storage Locations
When it comes to local drives, ThreatLocker, will not monitor any activity unless there are explicit policies set in place. Currently, there are policies in place by default to monitor the desktop and documents folders locally as well as UNC paths and external storage. This ensures the best use of system resources. If there is a need to add additional areas you wish to be included when Ringfencing file access, these additional areas can be included by creating explicit monitoring policies for them as outlined below.
From the ThreatLocker Portal:
- Navigate to Storage Control > Policies > New Storage Policy.
- Enter a name for the policy. For example: "Monitoring assets on the C Drive".
- Select 'Read & Write' under 'What should this policy do?'.
- Select whether to apply for the entire organization or to apply the policy to a specific group.
- Under 'What paths should this apply to (e.g. "\\server1\share\", ".jpg" or "regex:[0-9]abc")?', select 'Let me select file paths'.
- Select the desired path you would like monitored, then select Add.
- Select Save.
- Select Click to Deploy Policies.
This will include the specified path(s)/location(s) as a protected asset and will start monitoring within 60 seconds of deploying policies.