Default Computer Group Policies

ThreatLocker provides default Policies out of the box that permit some common business Applications. These default Policies exist to make your onboarding quicker and easier.

Workstations Group Default Policies

Permit:

  • WScript.exe (Ringfenced)
  • SpoolSv.exe (Ringfenced)
  • RingCentral Meetings (Ringfenced)
  • Zoom Video Communications, Inc. (Ringfenced)
  • Lifesize Video Conferencing Software (Ringfenced)
  • Cisco WebEx LLC (Ringfenced)
  • Blue Jeans (Ringfenced)
  • GoToMeeting (Ringfenced)
  • Microsoft Edge Chromium (Ringfenced)
  • Microsoft Office Installer (Ringfenced)
  • Microsoft Office (Ringfenced)
  • Chrome Updater (Built-In)
  • Google Chrome (Ringfenced)
  • Windows Communication App (Built-In)
  • Windows Phone (Built-In)
  • Windows Defender (Ringfenced)
  • Internet Explorer (Ringfenced)
  • Windows Command Prompt (Ringfenced)
  • Curl (Ringfenced)
  • Powershell (Ringfenced)
  • RunDLL - Block Internet (Ringfenced)
  • CScript (Ringfenced)
  • Windows RegSVR32 (Ringfenced)
  • Windows Scheduled Tasks (Ringfenced)
  • WMI (Ringfenced)
  • Windows Core Files (Built-In)
  • Windows Update (Built-In)
  • Microsoft Windows HCL Publisher (Built-In)

Deny:

  • Block Hyper-V (Built-In): Hyper-V is a built-in Windows tool that allows you to create virtual machines within your computer. ThreatLocker blocks this by default to prevent a bad actor from spinning up a virtual machine in your environment to bypass your security software, including ThreatLocker.
  • Deny Certutil.exe Policy: CertUtil has been exploited in the wild to perform living-off-the-land attacks. Using CertUtil, an attacker could download files, potentially evading detection because a legitimate Windows tool is doing the work.
  • Deny SignTool.exe Policy: SignTool is used to create digital certificates. These certificates serve as a way to ensure file integrity. In the wrong hands, it could be used to sign malware, making the files seem legitimate and trustworthy.
  • Deny PSScriptPolicy Tester Policy: PSScriptPolicy Tester is used by Windows to check whether AppLocker (Windows' own built-in, rudimentary Application Whitelisting program) is running. We set this Policy to deny so that Windows knows Application Whitelisting is running (PowerShell then runs in Constrained Language Mode, as it would under AppLocker). This Policy is also set not to show in the Unified Audit, to reduce the amount of white noise included in the audit. The denies will, however, be visible in the blocked items tray on the endpoint.
  • Default Deny Policy: At the bottom of the list, there is a default-deny Policy. Much like a firewall, any Application that hasn't matched any of the other Policies will be caught by the default-deny and be blocked.

Servers Group Default Policies

Permit:

  • WScript.exe (Ringfenced)
  • SpoolSv.exe (Ringfenced)
  • Windows Communication App (Built-In)
  • Windows Defender (Ringfenced)
  • Internet Explorer (Ringfenced)
  • Windows Command Prompt (Ringfenced)
  • Curl (Ringfenced)
  • Powershell (Ringfenced)
  • RunDLL - Block Internet (Ringfenced)
  • CScript (Ringfenced)
  • Windows RegSVR32 (Ringfenced)
  • Windows Scheduled Tasks (Ringfenced)
  • Windows Core Files (Built-In)
  • Microsoft Windows HCL Publisher (Built-In)

Deny:

  • Deny Certutil.exe Policy: CertUtil has been exploited in the wild to perform living-off-the-land attacks. Using CertUtil, an attacker could download files, potentially evading detection because a legitimate Windows tool is doing the work.
  • Deny SignTool.exe Policy: SignTool is used to create digital certificates. These certificates serve as a way to ensure file integrity. In the wrong hands, it could be used to sign malware, making the files seem legitimate and trustworthy.
  • Deny PSScriptPolicy Tester Policy: PSScriptPolicy Tester is used by Windows to check whether AppLocker (Windows' own built-in, rudimentary Application Whitelisting program) is running. We set this Policy to deny so that Windows knows Application Whitelisting is running (PowerShell then runs in Constrained Language Mode, as it would under AppLocker). This Policy is also set not to show in the Unified Audit, to reduce the amount of white noise included in the audit. The denies will, however, be visible in the blocked items tray on the endpoint.
  • Default Deny Policy: At the bottom of the list, there is a default-deny Policy. Much like a firewall, any Application that hasn't matched any of the other Policies will be caught by the default-deny and be blocked.