Troubleshooting
Exclusions function like tags and are updated immediately after the Add button is pressed. If the endpoint can still access the Excluded website, clear the endpoint browser cache and history and restart the ThreatLocker service.
Setup
In ThreatLocker, there is an 'Exclusions' tab under the 'Internet' tab on Ringfencing policies. This tab functions much like the ThreatLocker tags feature. Here, you can create an allowlist of IPv4 addresses, IPv6 addresses, or domains with which the application whose policy you are editing can interact. If this is the first exclusion being added, you MUST deploy policies to apply the change on your endpoints. Otherwise, like tags, exclusions will be updated automatically.
To add exclusions to a policy, navigate to the Application Control > Policies page. Select the ‘Modules’ dropdown from the left-hand side of the page, then select ‘Application Control’. Next, select the Policies tab on the top right corner of the page.
Select the policy to which you wish to add Ringfencing exclusions. This will open the ‘Edit Application Policy’ side panel. Within the side panel, navigate to the ‘Actions’ section and make sure that ‘Permit with Ringfence’ is selected.
Selecting this will show you the different options for Ringfencing. At the bottom of this section is a switch titled ‘Restrict this application from accessing the internet?’
You must enable this switch. This will allow you to create a list of IP addresses and domains with which the chosen application can communicate.
After you enable the switch, the 'Exclusions' and 'Tags' tabs will appear. Select the 'Exclusions' tab to view and edit your 'Exclusions'. By default, there will not be any present.
Note: Any changes made to Internet Exclusions will automatically save and be applied to the policy when the ‘Add’ button is pressed.
Learning Mode and Exclusions
While in automatic Learning Mode, ThreatLocker will automatically learn the IP addresses an Application with Ringfencing is communicating with and will place those addresses in this 'Exclusions' box.
You can easily add to this list or delete items if you find the Application communicating with an undesired address. Once you edit this list, you will not need to deploy policies; the changes will automatically be applied.
Manually Adding Values
To add a domain name to the 'Exclusions' list, make sure that ‘Domain’ is selected from the dropdown menu and then type the text you wish to include in the field provided. You can use wildcards in the text string. Then, select the 'Add' button to add your value to the list below. Be sure to place the wildcard before the period and domain name, as this will protect you from a wider variety of impersonation sites.
To add an IPv4 address, choose 'IPv4' from the dropdown menu and type the address you want to include in the tag. Then, select the 'Add' button to add your value to the list below.
To add an entire subnet of addresses, choose 'IPv4' from the dropdown menu and then type the address of the subnet you want to include in the tag using CIDR notation. Select the 'Add' button to add your value to the list below.
To add an IPv6 address, choose 'IPv6' from the dropdown menu and then type the address you want to include in the tag, being sure to select the 'Add' button when you are finished.
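The entry types described above can be checked before they are typed into the 'Exclusions' tab. The following Python sketch is an added example, not ThreatLocker code: it sorts candidate entries into the dropdown types and shows why a wildcard placed before the period is narrower than one that is not. It assumes shell-style glob matching for domain wildcards, which this page does not specify, and all names and addresses in it are constructed samples.

```python
import fnmatch
import ipaddress

# Constructed impersonation-style names (reserved .test/.example domains).
LOOKALIKES = ["fakevendor.test", "vendor.test.attacker.example"]


def classify(entry):
    """Return the dropdown type ('IPv4', 'IPv6' or 'Domain') for an entry."""
    try:
        # strict=False also accepts a host address written with a prefix.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "Domain"
    return "IPv4" if net.version == 4 else "IPv6"


def review(entry, lookalikes):
    """Return (type, warnings) for one candidate exclusion entry."""
    kind = classify(entry)
    warnings = []
    if kind == "Domain":
        pattern = entry.lower()
        # A wildcard that is not a leading '*.' can absorb part of a label.
        if "*" in pattern and not pattern.startswith("*."):
            warnings.append("wildcard is not in the leading '*.' position")
        # Assumption: glob-style matching, where '*' matches any characters.
        hits = [h for h in lookalikes if fnmatch.fnmatchcase(h.lower(), pattern)]
        if hits:
            warnings.append("also matches: " + ", ".join(hits))
    else:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > 1:
            warnings.append(f"subnet covers {net.num_addresses} addresses")
    return kind, warnings


if __name__ == "__main__":
    # Constructed candidate entries covering each type the page describes.
    for candidate in ["*.vendor.test", "*vendor.test", "192.0.2.10",
                      "198.51.100.0/24", "2001:db8::1"]:
        kind, warnings = review(candidate, LOOKALIKES)
        print(f"{candidate:18} {kind:7} {'; '.join(warnings) or 'ok'}")
```

Entries that come back with warnings are worth a second look before selecting 'Add', since changes to the list are applied as soon as they are added.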
Deleting Exclusions
To remove an 'Exclusion' from the list, select the 'Delete' button beside the item you want to remove. The ‘Delete’ button appears as a trash can icon on the right side of each added IP address or domain name.
When you are finished editing your Exclusions list, you can select the 'Save' button found at the bottom of the ‘Edit Application Policy’ page or simply exit the window. The changes will automatically be saved and applied to your endpoints as you edit them.
A Note About Custom Rules
Custom Rules are a legacy feature. While they continue to work as expected, the Exclusions feature is the preferred method for Ringfencing.