Overview ThreatLocker is cloud-based but requires a local agent to be installed on your endpoints. The ThreatLocker agent runs at the kernel level, allowing it to stop threats such as WannaCry, malware, or malicious software pushed out through your RMM. For minimum system requirements, please see ThreatLocker Supported OS Builds | ThreatLocker Help Center (kb.help)  The 'Install Computer' Button After you have verified that your organization and computer group settings are configured as desired, select the 'Install Computer' Button to begin the deployment process.

View in Browser To make the onboarding process easier, ThreatLocker has developed a Deployment Center page. The Deployment Center lays out the steps that are needed to be taken to successfully deploy and secure the ThreatLocker Agent. Progress along these steps will be tracked and displayed to provide a quick look at what has been done so far and what still needs to be completed. Links to help documents and online courses are included for each step in case you would like some extra guidance.

View in browser Overview If you utilize any form of internet filtering or proxy, you may need to allow the ThreatLocker Agent access to the ThreatLocker Datacenters. Ports We require port 443 for all traffic to ThreatLocker and basic api communication.  We require port 8443 for ThreatLocker Testing Environment/VDI outbound traffic. Network Control requires port 8810 for Keywords and port 8811 for local objects. By Hostname You will need to allow access to:

ThreatLocker plays nicely with existing antivirus software. We will neither conflict nor interfere with your AV software from running. However, you may need to create exceptions to prevent your antivirus software from blocking ThreatLocker. We recommend you exclude the following files from scanning: Windows Antivirus software exclusions C:\Program Files\ThreatLocker\threatlockerservice.exe C:\Program Files\ThreatLocker\threatlockertray.exe C:\Program Files\ThreatLocker\ThreatLockerConsent.exe C:\Windows\System32\drivers\ThreatLockerDriver.sys C:\ProgramData\HealthTService\Healthservice.exe C:\Program Files\ThreatLocker\ThreatLockerMinHook.x64.dll C:\Program Files\ThreatLocker\ThreatLockerMinHook.x86.dll C:\Program Files\ThreatLocker\6.0AMD64.db C:\Program Files\ThreatLocker\6.0x86.db  C:\Program Files\ThreatLocker\6.1AMD64.db  C:\Program Files\ThreatLocker\6.1x86.db C:\Program Files\ThreatLocker\6.

Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article.  Changing the App Name within the ThreatLocker Portal Along with changing the logos that appear in the ThreatLocker popup windows and the Tray icon, you can also change the App Name that appears at the top of the request popup.

Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article.  Before getting started, there are a couple of pre-requisites. Logo must be a 100x100 pixel image (JPG format). Logo must be in a URL format ( e.g. https://www.mysite.com/logo.jpg). How to Change the Organization Logo in the Threatlocker Portal Navigate to your Organizations page and select the name of the organization you want to change the default branding on.

Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article. Contents of Article: Pre-requisites for the Tray Branding How to Implement Tray Branding on the ThreatLocker Portal How to Implement Tray Branding on the ThreatLocker Legacy Portal How to Confirm Your Tray Icon Image Has Been Saved How to Force End the ThreatLocker Tray and Restart It You can freely change your Tray branding icon in addition to the banner now.

View in Browser After you deploy the ThreatLocker agent, it will do its first learning based on what it finds and it will continue learning as your computers are in Learning Mode. By default, your computers will automatically be placed into Learning Mode as defined by their computer group. During this learning period, ThreatLocker is going to attempt to learn your environment and create sufficient Policies so that everything that is permitted and running today can continue to work once you lock down your endpoints.

Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article.  When it comes to local drives, ThreatLocker, will not monitor any activity unless there are explicit policies set in place. Currently, there are policies in place by default to monitor the desktop and documents folders locally as well as UNC paths and external storage.

View in browser Download the Stub Installers Stub Installers can be located in 3 separate locations: The Computers Page The Computer Groups Page The Deployment Center For more information about downloading stub installers, please see ThreatLocker Stub Installer | ThreatLocker Help Center (kb.help)  Using the Stub Installers The Stub Installer requires internet access to complete. It is the preferred method of deployment as it will always grab the latest stable version of ThreatLocker to install.

ThreatLocker Elevation allows you to elevate a local user's privileges to that of a local administrator for a selected application. If you are using the ThreatLocker Elevation module, it is important to know that it will not be affected by 'Learning Mode'.   When you first deploy ThreatLocker, your computers will default into 'Learning Mode' whereby applications are not blocked by ThreatLocker and ThreatLocker learns the files used by that application.

ThreatLocker is an Application Whitelisting tool that is used to protect you from ransomware attacks and stop malicious files from running in your environment.   Requesting a New Application When you try to run a program that is not permitted (not Whitelisted), you will receive a popup informing you that the program is blocked. If this is a program that you don't need for business, and not having this program is not interfering with your work, choose 'Don't show again'.

Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article.  Cyber Hero Management allows the ThreatLocker Cyber Heroes to handle requests from your end users and make decisions on your behalf using ThreatLocker judgment and any additional instructions you provide. However, there may be times when a request requires your attention.

View in Browser You should strive to keep your computers in a Secured status as much as possible and only change the status as needed for specific uses, such as installing new software.  Navigate to the Computers Page. You can select the checkbox next to 'Show Computers for Child Organizations' if you want to list all the computers for all of your organizations. At the bottom of the page, you can increase the number of computers displayed per page by changing the page size.

View in browser Overview This article covers the order of policies as they apply to your computers. The first policy that a file matches is the one that is processed and no further policies will be applied to that file.   Application Control Global - (Designed for MSPs) policies under the Global computer group will apply first to the parent organizations and all child organizations. Policies placed at this level will apply FIRST.

View in browser Log into ThreatLocker and navigate to Administrators. Select New Administrator. Input the desired email address and a random password (you will not need to log in with this so we advise a secure password). Check the "Notify on request" checkbox. Once completed, select Save.

Storage control gives you very granular control over who and what can access your important shares. It can allow you to block any or all external storage devices from being able to reach your shares, helping to prevent data loss. Storage control policies are processed from the top down, so any permit policy needs to be located above the deny policy. These policies can easily be reordered by dragging and dropping.

View In Browser ThreatLocker Access gives you control of which ThreatLocker staff can access your account and whether they can view it only or make changes on your behalf. By default, Solutions Engineers will have Full Control access to your account. During your trial, we recommend you keep this set at Full Control so your Solutions Engineers can make changes on your behalf and assist you with the onboarding process.

View in browser Our service is delivered from the Cloud and requires a small agent to run on each computer. After signing up for a free trial of ThreatLocker, you will receive an email with login details for the ThreatLocker Portal.  Accessing the ThreatLocker Portal To access the ThreatLocker portal: Navigate to https://portal.threatlocker.com Log in using your email address and the newly created password. Downloading and Installing ThreatLocker  Navigate to the Computers page using the menu on the left-hand side of the portal.

Important: The ThreatLocker service requires to be run as System. Changing it to a user can cause major problems, including (but not limited to) the ability to turn off Tamper Protection. Deploy the ThreatLocker Agent to your endpoints. Computers will automatically be in Learning Mode so nothing will be blocked while ThreatLocker learns what Applications are running on your computers.    Add suggested Ringfencing policies for Applications you use. In addition to the default Ringfencing policies that are automatically applied at deployment, there are some additional recommended templates available to be added if and where applicable.

Enabling Elevation on Your ThreatLocker Account Before you can leverage the Elevation Control product, you will need to enable it on your ThreatLocker account.  Navigate to the Organizations page.  Find the Organization you want to enable Elevation on and click the dropdown menu under the 'Product' column.  Click the checkbox next to Elevation to enable it.  Elevation Control will be enabled the next time the endpoints check in to the portal.