ThreatLocker has provided default Policies to permit some common business Applications for you right out of the box. These default policies exist to help make your onboarding process quicker and easier.
Workstations Group Default Policies
Default Permit:
- RoboCopy.exe (Ringfenced)
- Adobe Acrobat (Ringfenced)
- vssadmin.exe (Built-In)
- Microsoft Teams (Ringfenced)
- Windows WScript.exe (Ringfenced)
- SpoolSv.exe (Ringfenced)
- RingCentral Meetings (Ringfenced)
- Zoom Video Communications, Inc. (Ringfenced)
- Lifesize Video Conferencing Software (Ringfenced)
- Cisco WebEx LLC (Ringfenced)
- Blue Jeans (Ringfenced)
- GoToMeeting (Ringfenced)
- msdt.exe (Ringfenced)
- Microsoft Edge Chromium (Ringfenced)
- Microsoft Office Installer (Ringfenced)
- Microsoft Office (Ringfenced)
- Chrome Updater (Built-In)
- Google Chrome (Ringfenced)
- Microsoft OneDrive (Built-In)
- PowerShell ISE (Ringfenced)
- Xcopy.exe (Ringfenced)
- Windows Communication App (Built-In)
- Windows Phone (Built-In)
- Windows Defender (Ringfenced)
- Internet Explorer (Ringfenced)
- Windows Command Prompt (Ringfenced)
- Curl (Ringfenced)
- PowerShell (Ringfenced)
- RunDLL - Block Internet (Ringfenced)
- CScript (Ringfenced)
- Windows RegSVR32 (Ringfenced)
- Windows Scheduled Tasks (Ringfenced)
- WMI (Ringfenced)
- Windows Core Files (Built-In)
- Windows Update (Built-In)
- Microsoft Windows HCL Publisher (Built-In)
- PowerShell Add-Type .NET Custom Rules (Built-In)
- Windows Assembly .NET Custom Rules (Built-In)
Default Deny:
- Block Hyper-V (Built-In): Hyper-V is a built-in Windows feature that lets you create virtual machines on your computer. ThreatLocker blocks it by default to prevent a bad actor from spinning up a virtual machine in your environment to bypass your security software, including ThreatLocker.
- Deny bcdedit.exe (Built-In): BCDEdit is a command-line tool for managing BCD stores. We recommend keeping this policy in place to harden system security by removing the ability to change boot settings locally.
- Deny CERTUTIL.EXE (Built-In): CertUtil has been exploited in the wild to perform living-off-the-land attacks. Using CertUtil, an attacker could download files while potentially evading detection, because it is a legitimate Windows tool.
- Deny Disney+ (Built-In): Disney+ is a Windows Startup process, and we recommend keeping this policy in place for businesses that wish to deny access to streaming services.
- Deny SIGNTOOL.EXE (Built-In): SignTool is used to create digital certificates. These certificates serve as a way to ensure file integrity. In the wrong hands, it could be used to sign malware, making the files seem legitimate and trustworthy.
- Deny Spotify (Built-In): Spotify is a Windows Startup process, and we recommend keeping this policy in place for businesses that wish to deny access.
- PSScriptPolicy Tester – Deny This App (Built-In): PSScriptPolicy Tester is used by Windows to check whether AppLocker (Windows' own built-in, rudimentary application whitelisting feature) is running. We set this policy to deny so that Windows knows application whitelisting is running. This policy is also set not to show in the Unified Audit, to reduce the amount of white noise included in the audit. The denies will, however, be visible in the blocked items tray on the endpoint.
- Default – Workstations: At the bottom of the list there is a default-deny policy. Much like a firewall, any application that has not matched any of the other policies will be caught by the default-deny and be blocked.
Servers Group Default Policies
Default Permit:
- RoboCopy.exe (Ringfenced)
- vssadmin.exe (Built-In)
- Windows WScript.exe (Ringfenced)
- SpoolSv.exe (Ringfenced)
- PowerShell ISE (Ringfenced)
- Xcopy.exe (Ringfenced)
- Microsoft OneDrive (Built-In)
- Windows Communication App (Built-In)
- Windows Phone (Built-In)
- Windows Defender (Ringfenced)
- Internet Explorer (Ringfenced)
- Microsoft Edge Chromium (Ringfenced)
- Windows Command Prompt (Ringfenced)
- Curl (Ringfenced)
- PowerShell (Ringfenced)
- RunDLL - Block Internet (Ringfenced)
- CScript (Ringfenced)
- Windows RegSVR32 (Ringfenced)
- Windows Scheduled Tasks (Ringfenced)
- WMI (Ringfenced)
- Windows Core Files (Built-In)
- Windows Update (Built-In)
- Microsoft Windows HCL Publisher (Built-In)
- PowerShell Add-Type .NET Custom Rules (Built-In)
- Windows Assembly .NET Custom Rules (Built-In)
Default Deny:
- Deny bcdedit.exe (Built-In): BCDEdit is a command-line tool for managing BCD stores. We recommend keeping this policy in place to harden system security by removing the ability to change boot settings locally.
- Deny CERTUTIL.EXE (Built-In): CertUtil has been exploited in the wild to perform living-off-the-land attacks. Using CertUtil, an attacker could download files while potentially evading detection, because it is a legitimate Windows tool.
- Deny SIGNTOOL.EXE (Built-In): SignTool is used to create digital certificates. These certificates serve as a way to ensure file integrity. In the wrong hands, it could be used to sign malware, making the files seem legitimate and trustworthy.
- PSScriptPolicy Tester – Deny This App (Built-In): PSScriptPolicy Tester is used by Windows to check whether AppLocker (Windows' own built-in, rudimentary application whitelisting feature) is running. We set this policy to deny so that Windows knows application whitelisting is running. This policy is also set not to show in the Unified Audit, to reduce the amount of white noise included in the audit. The denies will, however, be visible in the blocked items tray on the endpoint.
- Default – Servers: At the bottom of the list there is a default-deny policy. Much like a firewall, any application that has not matched any of the other policies will be caught by the default-deny and be blocked.
MAC Group Template Policies
Default Permit:
- Adobe Acrobat – MAC (Built-In)
- Cisco WebEx LLC – MAC (Built-In)
- Zoom Video Communications, Inc – MAC (Built-In)
- Microsoft Office – MAC (Built-In)
- Google Chrome – MAC (Built-In)
- GarageBand (Built-In)
- iMovie (Built-In)
- Pages (Built-In)
- Numbers (Built-In)
- Keynote (Built-In)
- MacOS Core Files (Built-In)
Default Deny:
- Default – MAC: At the bottom of the list there is a default-deny policy. Much like a firewall, any application that has not matched any of the other policies will be caught by the default-deny and be blocked.
Additional Computer Groups Policies
Default Permit:
- vssadmin.exe (Built-In)
- msdt.exe (Ringfenced)
- Microsoft Edge Chromium (Ringfenced)
- Microsoft Office Installer (Ringfenced)
- Microsoft Office (Ringfenced)
- Chrome Updater (Built-In)
- RoboCopy.exe (Ringfenced)
- Xcopy.exe (Ringfenced)
- Google Chrome (Ringfenced)
- Windows WScript.exe (Ringfenced)
- SpoolSv.exe (Ringfenced)
- PowerShell ISE (Ringfenced)
- Microsoft OneDrive (Built-In)
- Windows Communication App (Built-In)
- Windows Phone (Built-In)
- Windows Defender (Ringfenced)
- Internet Explorer (Ringfenced)
- Windows Command Prompt (Ringfenced)
- Curl (Ringfenced)
- PowerShell (Ringfenced)
- RunDLL - Block Internet (Ringfenced)
- CScript (Ringfenced)
- Windows RegSVR32 (Ringfenced)
- Windows Scheduled Tasks (Ringfenced)
- WMI (Ringfenced)
- Windows Core Files (Built-In)
- Windows Update (Built-In)
- Microsoft Windows HCL Publisher (Built-In)
- PowerShell Add-Type .NET Custom Rules (Built-In)
- Windows Assembly .NET Custom Rules (Built-In)
Default Deny:
- Deny bcdedit.exe (Built-In): BCDEdit is a command-line tool for managing BCD stores. We recommend keeping this policy in place to harden system security by removing the ability to change boot settings locally.
- Deny CERTUTIL.EXE (Built-In): CertUtil has been exploited in the wild to perform living-off-the-land attacks. Using CertUtil, an attacker could download files while potentially evading detection, because it is a legitimate Windows tool.
- Deny SIGNTOOL.EXE (Built-In): SignTool is used to create digital certificates. These certificates serve as a way to ensure file integrity. In the wrong hands, it could be used to sign malware, making the files seem legitimate and trustworthy.
- PSScriptPolicy Tester – Deny This App (Built-In): PSScriptPolicy Tester is used by Windows to check whether AppLocker (Windows' own built-in, rudimentary application whitelisting feature) is running. We set this policy to deny so that Windows knows application whitelisting is running. This policy is also set not to show in the Unified Audit, to reduce the amount of white noise included in the audit. The denies will, however, be visible in the blocked items tray on the endpoint.
- Default – (Name of Computer Group): At the bottom of the list there is a default-deny policy. Much like a firewall, any application that has not matched any of the other policies will be caught by the default-deny and be blocked.