Overview
ThreatLocker provides the ability to specify certain processes that will be excluded from monitoring by ThreatLocker. This should only be used in very specific circumstances. Nothing will be blocked, or logged in the Unified Audit if it is being run by the process set to be excluded. No ThreatLocker policies will take effect on processes that have been set to be excluded. This should only be used in very specific circumstances.
It is important to note that the processes are excluded based on the path you specified, not the hash. Care must be taken when deciding to exclude a process from monitoring by ThreatLocker.
Setting Up an Excluded Process
Navigate to the Computer Groups page within the ThreatLocker Portal and select the Computer Group that you would like to configure the excluded process for.
In the 'Update Computer Group' panel, find 'Excluded Process' under the 'Computer Group Settings' section.
In the 'Process' text field, enter the specific process you'd like to exclude. Select the 'Exclusion Type' from the dropdown menu. Click the + icon to add the exclusion.
Note: Only a full process name, regardless of the directory (i.e., python.exe, code.exe, etc.), will apply to Excluded Processes. Wildcards are not usable in this text field.
If you'd like to remove an exclusion, click the - icon.
Select 'Update Computer Group' to save your changes.
Please reach out to a Cyber Hero if you are considering setting up an Excluded Process so they can be sure you are keeping your environment as secure as possible.