ThreatLocker has provided default Policies to permit some common business Applications for you right out of the box. These default policies exist to help make your onboarding process quicker and easier.
Workstations Group Default Policies
Permit:
- Adobe Acrobat (Ringfenced)
- Blue Jeans (Ringfenced)
- Chrome Updater (Built-In)
- Cisco WebEx LLC (Ringfenced)
- CScript (Ringfenced)
- Curl (Ringfenced)
- Google Chrome (Ringfenced)
- GoToMeeting (Ringfenced)
- Internet Explorer (Ringfenced)
- Lifesize Video Conferencing Software (Ringfenced)
- Microsoft Edge Chromium (Ringfenced)
- Microsoft Office (Ringfenced)
- Microsoft Office Installer (Ringfenced)
- Microsoft Onedrive (Built-In)
- Microsoft Teams (Ringfenced)
- Microsoft Windows HCL Publisher (Built-In)
- msdt.exe (Ringfenced)
- Powershell (Ringfenced)
- RingCentral Meetings (Ringfenced)
- RunDLL - Block Internet (Ringfenced)
- SpoolSv.exe (Ringfenced)
- vssadmin.exe (Built-In)
- Windows Command Prompt (Ringfenced)
- Windows Communication App (Built-In)
- Windows Core Files (Built-In)
- Windows Defender (Ringfenced)
- Windows Phone (Built-in)
- Windows RegSVR32 (Ringfenced)
- Windows Scheduled Tasks (Ringfenced)
- Windows Update (Built-In)
- Windows WScript.exe (RingFenced)
- WMI (Ringfenced)
- Zoom Video Communications, Inc. (Ringfenced)
Deny:
- Block Hyper-V (Built-In): Hyper-V is a built-in Windows tool that allows you to create virtual computers within your computer. ThreatLocker blocks this by default to prevent a bad actor from spinning up a virtual machine in your environment to bypass your security software, including ThreatLocker.
- BCDedit Deny: BCDEdit is a command-line tool for managing BCD stores. We recommend implementing this policy to harden system security by disabling the ability to change boot settings locally.
- Deny Certutil.exe Policy: CertUtil has been exploited in the wild to perform living-off-the-land attacks. Using CertUtil an attacker could download files, potentially evading detection because it is using a legitimate Windows tool.
- Deny Disney+: Disney+ is a Windows Startup process and we recommend keeping this policy in place for businesses who wish to deny access to streaming services.
- Deny SignTool.exe Policy: SignTool is used to create digital certificates. These certificates serve as a way to ensure file integrity. In the wrong hands, it could be used to sign malware, making the files seem legitimate and trustworthy.
- Deny Spotify Policy: Spotify is a Windows Startup process and we recommend keeping this policy in place for businesses who wish to deny access.
- Deny PSScriptPolicy Tester Policy: PSScriptPolicy Tester is used by Windows to check to see if App Locker (Windows own built-in rudimentary Application Whitelisting program) is running. We set this policy to deny so that Windows knows Application Whitelisting is running. This Policy is also set not to show in the Unified Audit to reduce the amount of white noise included in the audit. The denies will, however, be visible in the blocked items tray on the endpoint.
- Default Deny Policy: At the bottom of the list, there is a default-deny Policy. Much like a firewall, any Application that hasn't matched any of the other Policies will be caught by the default-deny and be blocked.
Servers Group Default Policies
Permit:
- CScript (Ringfenced)
- Curl (Ringfenced)
- Internet Explorer (Ringfenced)
- Microsoft Edge Chromium (Ringfenced)
- Microsoft Onedrive (Built-In)
- Microsoft Windows HCL Publisher (Built-In)
- Powershell (Ringfenced)
- RunDLL - Block Internet (Ringfenced)
- SpoolSv.exe (Ringfenced)
- vssadmin.exe (Built-In)
- Windows Command Prompt (Ringfenced)
- Windows Communication App (Built-In)
- Windows Core Files (Built-In)
- Windows Defender (Ringfenced)
- Windows Phone (Built-in)
- Windows RegSVR32 (Ringfenced)
- Windows Scheduled Tasks (Ringfenced)
- Windows Update (Built-In)
- Windows WScript.exe (RingFenced)
- WMI (Ringfenced)
Deny:
- BCDedit Deny: BCDEdit is a command-line tool for managing BCD stores. We recommend implementing this policy to harden system security by disabling the ability to change boot settings locally.
- Deny Certutil.exe Policy: CertUtil has been exploited in the wild to perform living-off-the-land attacks. Using CertUtil an attacker could download files, potentially evading detection because it is using a legitimate Windows tool.
- Deny SignTool.exe Policy: SignTool is used to create digital certificates. These certificates serve as a way to ensure file integrity. In the wrong hands, it could be used to sign malware, making the files seem legitimate and trustworthy.
- Deny PSScriptPolicy Tester Policy: PSScriptPolicy Tester is used by Windows to check to see if App Locker (Windows own built-in rudimentary Application Whitelisting program) is running. We set this policy to deny so that Windows knows Application Whitelisting is running. This Policy is also set not to show in the Unified Audit to reduce the amount of white noise included in the audit. The denies will, however, be visible in the blocked items tray on the endpoint.
- Default Deny Policy: At the bottom of the list, there is a default-deny Policy. Much like a firewall, any Application that hasn't matched any of the other Policies will be caught by the default-deny and be blocked.
MAC Group Template Policies
Permit:
- GarageBand (Built-In)
- Google Chrome - MAC (Built-In)
- iMovie (Built-In)
- Keynote (Built-In)
- macOS Core Files (Built-In)
- Microsoft Office - MAC (Built-In)
- Numbers (Built-In)
- Pages (Built-In)
Additional Computer Groups Policies
Permit:
- CScript (Ringfenced)
- Curl (Ringfenced)
- Google Chrome (Ringfenced)
- Google Updater (Built-In)
- Internet Explorer (Ringfenced)
- Microsoft Edge Chromium (Ringfenced)
- Microsoft Office (Ringfenced)
- Microsoft Office Installer (Ringfenced)
- Microsoft Onedrive (Built-In)
- Microsoft Windows HCL Publisher (Built-In)
- msdt.exe (Ringfenced)
- Powershell (Ringfenced)
- RunDLL - Block Internet (Ringfenced)
- SpoolSv.exe (RingFenced)
- vssadmin.exe (Built-In)
- Windows Command Prompt (Ringfenced)
- Windows Communication App (Built-In)
- Windows Core Files (Built-In)
- Windows Defender (Ringfenced)
- Windows Phone (Built-in)
- Windows RegSVR32 (Ringfenced)
- Windows Scheduled Tasks (Ringfenced)
- Windows Update (Built-In)
- Windows WScript.exe (RingFenced)
- WMI (Ringfenced)
Deny:
- BCDedit Deny: BCDEdit is a command-line tool for managing BCD stores. We recommend implementing this policy to harden system security by disabling the ability to change boot settings locally.
- Deny Certutil.exe Policy: CertUtil has been exploited in the wild to perform living-off-the-land attacks. Using CertUtil an attacker could download files, potentially evading detection because it is using a legitimate Windows tool.
- Deny SignTool.exe Policy: SignTool is used to create digital certificates. These certificates serve as a way to ensure file integrity. In the wrong hands, it could be used to sign malware, making the files seem legitimate and trustworthy.
- Deny PSScriptPolicy Tester Policy: PSScriptPolicy Tester is used by Windows to check to see if App Locker (Windows own built-in rudimentary Application Whitelisting program) is running. We set this policy to deny so that Windows knows Application Whitelisting is running. This Policy is also set not to show in the Unified Audit to reduce the amount of white noise included in the audit. The denies will, however, be visible in the blocked items tray on the endpoint.
- Default Deny Policy: At the bottom of the list, there is a default-deny Policy. Much like a firewall, any Application that hasn't matched any of the other Policies will be caught by the default-deny and be blocked.