Domain Name Parsing

Last update: 09.05.2024

Beginning in ThreatLocker Version 9.0, Domain Name Parsing can be added for specific processes. When a specified process makes or attempts to make an outbound connection, the domain name is included in the Unified Audit entry, and the ThreatLocker service can enforce any network traffic policies that use domains. Originally, this feature was handled as all-or-nothing processing, using an option applied for the organization, computer group, or individual machine. Starting with agent version 9.0, the service parses domain names only for the processes that need it rather than for every process running on an endpoint, which improves the overall performance of the agent.

Before configuring this feature, the administrator must first enable the option "EnableDriverDomainNameParsing". For more information about options, please see our KB article https://threatlocker.kb.help/options-tab-choices-and-descriptions-for-the-computers-page-the-computer-groups-page-and-the-entire-organization-page/.

Adding Domain Name Parsing for a Process

Outbound Network Control and Ringfencing Unified Audit entries that do not already display a domain name now include, when expanded, a button titled 'Add Domain Name Parsing'.

Once selected, the Edit Domain Name Parsing Settings sidebar will open.

  1. Select the level at which to apply this process inclusion.
  2. Select Enabled to ensure this setting will be active once the 'Save' button is pressed.
  3. The process path from the Unified Audit entry will be prepopulated. Select the blue 'Add' button to add the process to the list of processes to enable Domain Name Parsing on. If desired, other full process paths can be input into the textbox and added to the list by pressing the 'Add' button. Please note: This needs to be a full path, with no wildcards.
  4. Press Save to commit these processes to the list of processes to be included in Domain Name Parsing.

 

The Edit Domain Name Parsing Settings sidebar is also available from the Network Control page in the hamburger menu.

 

The processes that ThreatLocker provides default Ringfencing policies for will automatically have their process paths added to the Domain Name Parsing Settings at the Entire Organization level.

This default list will include the following:

c:\Windows\System32\msdt.exe

c:\Windows\SysWOW64\msdt.exe

c:\Program Files (x86)\microsoft\edge\application\msedge.exe

c:\program files\google\chrome\application\chrome.exe

c:\windows\system32\rundll32.exe

c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\windowspowershell\v1.0\powershell.exe

c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe

c:\windows\system32\curl.exe

c:\windows\SysWOW64\curl.exe

c:\windows\system32\cmd.exe

c:\windows\SysWOW64\cmd.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files (x86)\Internet Explorer\iexplore.exe

c:\program files\Windows Defender\mpcmdrun.exe

c:\windows\system32\spoolsv.exe

c:\windows\sysWOW64\spoolsv.exe

c:\windows\system32\wscript.exe

c:\windows\SysWOW64\wscript.exe
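A pre-check for candidate process paths before entering them in the sidebar, applying the "full path, with no wildcards" rule from step 3 and skipping paths already on the default list above. This is an added example, not ThreatLocker code; the function names, reading "full path" as a drive-letter absolute path, rejecting environment variables, and matching duplicates case-insensitively are assumptions.

```python
from pathlib import PureWindowsPath

# Two entries from the default list on this page; re-adding them is redundant.
ALREADY_LISTED = [
    r"c:\windows\system32\curl.exe",
    r"c:\windows\system32\cmd.exe",
]

# Constructed sample input, not taken from a real audit.
SAMPLE = [
    r"C:\Program Files\Example\agent.exe",
    r"C:\Windows\System32\CURL.EXE",
    r"c:\program files\example\*.exe",
    r"%ProgramFiles%\Example\agent.exe",
    r"tools\sync.exe",
]

def check_process_path(raw):
    """Return (path, None) when usable as an entry, else (None, reason)."""
    text = raw.strip().strip('"')
    if any(ch in text for ch in "*?"):
        return None, "wildcard"
    if "%" in text:  # assumption: variables are not expanded by the portal
        return None, "environment variable"
    p = PureWindowsPath(text)
    # Assumption: "full path" means drive letter plus root, e.g. c:\dir\app.exe
    if len(p.drive) != 2 or not p.root:
        return None, "not a full path"
    if ".." in p.parts or not p.name:
        return None, "not a direct file path"
    return str(p), None

def plan_entries(candidates, already_listed=ALREADY_LISTED):
    """Split candidates into paths to add, duplicates, and rejects."""
    seen = {str(PureWindowsPath(x)).lower() for x in already_listed}
    to_add, duplicates, rejected = [], [], {}
    for raw in candidates:
        path, reason = check_process_path(raw)
        if reason:
            rejected[raw] = reason
        elif path.lower() in seen:
            duplicates.append(path)
        else:
            seen.add(path.lower())
            to_add.append(path)
    return to_add, duplicates, rejected

if __name__ == "__main__":
    print(plan_entries(SAMPLE))
```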

 
