How to Use Ringfencing Internet Exclusions
Exclusions function like tags and are updated immediately after the Add button is pressed. If the endpoint is still able to access the Excluded website, clear the endpoint browser cache and history and restart the ThreatLocker service.
In ThreatLocker, under the 'Internet' tab on Ringfencing policies, there is an 'Exclusions' tab. This tab functions much like the ThreatLocker tags feature. Here you can create a whitelist of IPv4 addresses, IPv6 addresses, or domains that the Application whose Policy you are editing can interact with. And, like tags, you do not need to deploy Policies for the changes to take effect.
To reach the 'Exclusions' tab, you need to navigate to Application Control > Policies. Find the Policy you would like to edit and click the pencil icon (edit button).
Once the popup window opens, scroll down and you will see 4 tabs in a row. Select the 'Internet' tab.
Then you need to select the checkbox next to 'Restrict these Applications from accessing the internet, except for the below rules'. This will allow you to create a whitelist of IP addresses and domains that the chosen Application can communicate with.
After you select that, the 'Exclusions' and 'Custom Rules' tabs will appear. Click on the 'Exclusions' tab to view and edit your 'Exclusions'.
Learning Mode and Exclusions
While in automatic Learning Mode, ThreatLocker will automatically learn the IP addresses an Application with Ringfencing is communicating with and will place those addresses in this 'Exclusions' box.
You can easily add to this list or delete items if you find the Application is communicating with an undesired address. Once this list is edited, you will not need to deploy Policies. The changes will automatically be applied.
Manually Adding Values
To add a domain name to the 'Exclusions' list, choose 'text' from the 'Value' dropdown menu and then type in the text you wish to include in the tag. You can use wildcards in the text string. When you do, be sure to place the wildcard before the dot and domain name; this will protect you from a wider variety of impersonation sites. Then click the 'Add' button to add your value to the list below.
To add an IPv4 address, choose 'IPv4' from the 'Value' dropdown menu and then type the address you want to include in the tag. Then click the 'Add' button to add your value to the list below.
To add an entire subnet of addresses, choose 'IPv4' from the 'Value' dropdown menu and then type the address of the subnet you want to include in the tag using CIDR notation. Then click the 'Add' button to add your value to the list below.
To add an IPv6 address, choose 'IPv6' from the 'Value' dropdown menu and then type the address you want to include in the tag, being sure to click the 'Add' button when you are finished.
To remove an 'Exclusion' from the list, click the 'Delete' button beside the item you want to remove.
When you are finished manipulating your Exclusions list, you can click the 'Save' button in the top left corner of the Policy window, or you can simply exit out of the window. The changes will automatically be saved and applied to your endpoints as you are editing them.
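Because changes apply to endpoints as soon as they are added, it helps to review values before typing them in. The script below is an added example, not ThreatLocker code: it checks a constructed list of entries for a wildcard that is not placed before the dot, for subnets whose CIDR notation has host bits set, and for very wide subnets. It assumes a wildcard stands for any run of characters (the product's exact matching rules are not stated on this page), and the /24 threshold and the function names are hypothetical.

```python
import ipaddress
import re

def wildcard_matches(pattern, host):
    # Assumption: '*' stands for any run of characters, dots included.
    regex = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
    return re.fullmatch(regex, host.lower()) is not None

def review_exclusion(kind, value, min_prefix=24):
    """Return review findings for one Exclusions entry (empty list = none)."""
    findings = []
    if kind == "text":
        # Every '*' should sit directly before a dot, as in '*.example.com'.
        if re.search(r"\*(?!\.)", value):
            findings.append("wildcard not followed by a dot")
        return findings
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return ["not a valid address or CIDR block"]
    if net.version != (4 if kind == "IPv4" else 6):
        findings.append(f"value is IPv{net.version}, dropdown says {kind}")
    if "/" in value and ipaddress.ip_interface(value).ip != net.network_address:
        findings.append(f"host bits set; the subnet is {net}")
    # min_prefix is a hypothetical review threshold, not a product setting.
    if net.version == 4 and net.prefixlen < min_prefix:
        findings.append(f"{net.num_addresses} addresses allowed")
    return findings

# Constructed sample entries: (choice in the 'Value' dropdown, value typed).
SAMPLE = [
    ("text", "*.example.com"),
    ("text", "*example.com"),
    ("IPv4", "203.0.113.10"),
    ("IPv4", "198.51.100.77/24"),
    ("IPv4", "10.0.0.0/8"),
    ("IPv6", "2001:db8::1"),
]

if __name__ == "__main__":
    for kind, value in SAMPLE:
        print(kind, value, review_exclusion(kind, value) or "ok")
    # Which text patterns would let each constructed hostname through?
    for host in ("login.example.com", "notexample.com"):
        hits = [v for k, v in SAMPLE if k == "text" and wildcard_matches(v, host)]
        print(host, hits)
```

Under the stated assumption, '*example.com' also matches the lookalike host 'notexample.com', while '*.example.com' does not.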
A Note About Custom Rules
Custom Rules are a legacy feature. While they continue to work as expected, the Exclusions feature is the preferred method for Ringfencing.