Company logoHelp Center
Visit www.threatlocker.com

Linux Agent Release Notes

9 min. readlast update: 06.25.2025

Linux Agent 

Officially Supported Versions

Linux 

Supported Kernel Version 3.10 and up

RHEL 7.9 

3.10.0-1160.el7.x86_64; 
3.10.0-1062.el7.x86_64; 
3.10.0-1127.el7.x86_64; 
3.10.0-862.el7.x86_64 

RHEL 8.9 

4.18.0-553.16.1.el8_10.x86_64 

RHEL 8.10 

4.18.0-553.16.1.el8_10.x86_64 

RHEL 9.x 

5.14.0-503.19.1.el9_5.x86_64
5.14.0-362.8.1.el9_3
5.14.0-284.11.1.el9_2.x86_64
5.14.0-427.18.1.el9_4.x86_64
5.14.0-427.28.1.el9_4.x86_64
5.14.0-427.20.1.el9_4.x86_64

Oracle Server 7.9  

4.14.35-2047.515.3.el7uek.x86_64 

CentOS 8
(Several versions are temporarily unsupported. See known issues.)

4.18.0-408.el8.x86_64
4.18.0-448.el8.x86_64
4.18.0-526.el8.x86_64
4.18.0-536.el8.x86_64
4.18.0-536.el8.x86_64+debug
4.18.0-544.el8.x86_64
4.18.0-546.el8.x86_64
4.18.0-546.el8.x86_64+debug
4.18.0-552.el8.x86_64

CentOS 9

5.14.0-386.el9.x86_64
5.14.0-437.el9.x86_64
5.14.0-119.el9.x86_64
5.14.0-479.el9.x86_64
5.14.0-419.el9.x86_64
5.14.0-460.el9.x86_64
5.14.0-446.el9.x86_64
5.14.0-480.el9.x86_64
5.14.0-372.el9.x86_64
5.14.0-373.el9.x86_64

5.14.0-582.el9.x86_64
5.14.0-583.el9.x86_64
5.14.0-585.el9.x86_64
5.14.0-587.el9.x86_64
5.14.0-590.el9.x86_64

 

To use ThreatLocker Agent on Ubuntu systems you need to meet exact kernel version support. For example 6.8.0-51-generic, not 6.8.0 or 6.8.0-59

For correct error handling you need to install curl on your Ubuntu system. 

Ubuntu 16.04
Desktop/Server

4.15.0-1113-azure
4.15.0-112-generic
4.4.0-31-generic
4.4.0-210-generic
4.15.0-142-generic
4.13.0-1021-oem

Ubuntu 18.04
Desktop/Server

5.4.0-1109-azure
5.4.0-150-generic
4.15.0-213-generic
5.4.0-150-lowlatency
5.4.0-48-generic
5.3.0-28-generic
4.15.0-126-generic
4.15.0-194-generic

Ubuntu 20.04
Desktop/Server  

5.15.0-46-generic; 

Ubuntu 22.04
Desktop/Server 

5.15.0-105-generic; 
6.8.0-50-generic 

Ubuntu 24.04
Desktop/Server
 

6.8.0-51-generic 

Kernel Compatibility Guidance for ThreatLocker's Linux Agent 

ThreatLocker's Linux agent is designed to operate only on specific, supported Linux kernel versions, with compatibility defined down to the exact kernel build number.

Installing the ThreatLocker Agent on a supported kernel and subsequently updating the kernel to an unsupported version can lead to critical system instability, potentially rendering the machine inoperable.

If a kernel update to an unsupported kernel version is absolutely necessary, the ThreatLocker Agent should be uninstalled before proceeding with the update to prevent system failure.

Linux Agent Version 2.0.2: Beta 6/25/25

Please note: This build is only available for distro versions 8.0 and greater

Bug Fixes

  • Resolved an issue with caching that would cause performance issues

Linux Agent Version 2.0.1: Live 6/24/25

New Features

  • Updated Stub Installer with error message handling on Secure Boot 
  • Added support for CentOS 9 Kernels: 
    5.14.0-582.el9.x86_64,
    5.14.0-583.el9.x86_64,
    5.14.0-585.el9.x86_64,
    5.14.0-587.el9.x86_64,
    5.14.0-590.el9.x86_64

Bug Fixes

  • Resolved an issue with High CPU Usage
  • Resolved an issue with forceful swap of instances 
  • Resolved an issue with Tamper Protection reapplying
  • Resolved an issue with RHEL 7.9 not matching built-ins
  • Resolved an issue with ability to change API with Tamper Protection Enabled

Linux Agent Version 2.0: Live 5/27/25

New Features

  • Network Control
  • Added support Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04
  • Added support Centos 7.9, 9
  • Added support RHEL 7.9
  • Added support RHEL 9.x
  • Added support RHEL 8.4, 8.5, 8.6, 8.8, 8.9, 8.10
  • Added support Oracle Server 7.9
  • Implemeted a Stub Installer
  • Added Override Codes
  • Increased stability

Bug Fixes

  • Resolved an issue with downgrading the agent not properly working
  • Resolved an issue in the Unified Audit with the Computer Mode for Linux showing the wrong values
  • Resolved an issue where the Override Code was not bypassing Tamper Protection
  • Resoved an issue where finishing a Baseline scan does not remove the "Waiting for Baseline" message on the Computers Page
  • Resolved an issue in which Linux applications were being learned with the incorrect order by number

New list of supported systems:

Oracle Server 7.9: 2.0.0-692_ol_7_9.x86_64.rpm 
Red Hat Enterprise Linux Server 7.9: 2.0.0-692_rhel_7.x86_64.rpm 
RHEL [8.4, 8.5, 8.6, 8.8, 8.9, 8.10]: 2.0.0-692_rhel_8.x86_64.rpm 
RHEL 9: 2.0.0-692_rhel_9.x86_64.rpm 
CentOS 8: 2.0.0-692_rhel_8.x86_64.rpm 
CentOS 7.9: 2.0.0-692_rhel_7.x86_64.rpm 
CentOS 9: 2.0.0-692_rhel_9.x86_64.rpm [5.14.0-565.el9.x86_64] 

You need to install this package for all RPM-based systems:
threatlocker_2.0.0-692_modules.rpm 

Ubuntu Server 16.04: 2.0.0-692_ubuntu_16_4.x86_64.deb 
Ubuntu Server 18.04: 2.0.0-692_ubuntu_18_4.x86_64.deb 
Ubuntu Server 20.04: 2.0.0-692_ubuntu_20_4.x86_64.deb 
Ubuntu Server 22.04: 2.0.0-692_ubuntu_22_4.x86_64.deb 
Ubuntu Server 24.04: 2.0.0-692_ubuntu_24_4.x86_64.deb 

You need to install this package for all DEB-based systems:
threatlocker_2.0.0-692_modules.deb 

We still removed support for the following kernels due to inaccessible CentOS 8 repositories (temporary):
4.18.0-536.el8.x86_64
4.18.0-544.el8.x86_64
4.18.0-546.el8.x86_64

Known issues:
- it is possible to delete /etc/sudoers.d/threatlocker/ folder if it is empty (it will be re-created on Policy Update automatically, does not affect operations)
- it is possible to delete /var/cache/threatlocker/updates and /var/cache/threatlocker/downloads folders if they are empty (breaks auto-update)
- Some events can delay their appearance on the portal under heavy load

Installation/uninstallation instructions for ThreatLocker Linux Agent v2.0+:
Linux Agent v2.0+ Installing and Uninstalling process

Linux Agent Version 1.4: Beta 3/4/25

New Features

  • Added support Ubuntu 18.04
  • Added support Ubuntu 16.04
  • Added support Centos 7.9
  • Added support Centos 8
  • Updated heartbeat check in to call a new endpoint
  • Implemeted a Stub Installer

Bug Fixes

  • Downgrading not properly working
  • Unified Audit - Computer Mode for Linux shows wrong values
  • Add override capability to antitamper module
  • Finishing a Baseline does not remove "Waiting for Baseline" message on Computers Page
  • Build the ability to block specified TCP/UDP Traffic OUTBOUND
  • Log Network Traffic Inbound and Outbound
  • Logging Serial Number/Service Tag for Computers
  • Resolved an issue in which Linux applications were being learned with the incorrect order by number

New list of supported systems:

Oracle Server 7.9 - 1.4.0-569_ol_7_9.x86_64.rpm
Red Hat Enterprise Linux Server 7.9 - 1.4.0-569_rhel_7.x86_64.rpm
RHEL 8.9 - 1.4.0-569_rhel_8.x86_64.rp
RHEL 8.10 - 1.4.0-569_rhel_8.x86_64.rpm
RHEL 9 - 1.4.0-569_rhel_9.x86_64.rpm
Centos 8 - 1.4.0-569_rhel_8.x86_64.rpm
Centos 7.9 - 1.4.0-569_rhel_7.x86_64.rpm

You need to install this package for all RPM based systems:
threatlocker_1.4.0-569_modules.rpm

You need to install both the threatlocker rpm and the module at the same time.

Example: sudo dnf install ./1.4.0-583_rhel_8.x86_64.rpm ./threatlocker_1.4.0-583_modules.rpm

 

 

Ubuntu Server 16.04 - 1.4.0-569_ubuntu_16_4.x86_64.deb
Ubuntu Server 18.04 - 1.4.0-569_ubuntu_18_4.x86_64.deb
Ubuntu Server 20.04 - 1.4.0-569_ubuntu_20_4.x86_64.deb
Ubuntu Server 22.04 - 1.4.0-569_ubuntu_22_4.x86_64.deb
Ubuntu Server 24.04 - 1.4.0-569_ubuntu_24_4.x86_64.deb

 

You need to install this package for all DEB based systems:
threatlocker_1.4.0-569_modules.deb

Example: sudo apt install ./1.4.0-583_ubuntu_24_4.x86_64.deb ./threatlocker_1.4.0-583_modules.deb

You need to install both the threatlocker deb and the module at the same time.


Linux Agent Version 1.3: Beta 3/4/25

New Features

  • Added an Ubuntu Server 20.04 Agent
  • Added an RHEL 8.9, 8.10 Agent
  • Added support for Built-In Applications
  • Added logging of inbound and outbound network traffic
  • Made improvements to the baselining process
  • We build and install our kernel modules on all systems including 5.0+ kernels. So now you need to install both packages on any supported system. 
    (For example, Ubuntu 24.04 require to install both [1.3.0-495_ubuntu_24_4.x86_64.deb, threatlocker_1.3.0-495_modules.deb])
  • Added Override Codes

Bug Fixes

  • Resolved an issue in which Applications were not learned until after the baseline was scanned
  • Resolved an issue in which ThreatLocker modules were not installed on kernel update
  • Resolved an issue in which snap applications for Linux do not fully capture in Learning Mode unless a baseline scan is run
  • Resolved an issue with override capability to antitamper module
  • Resolved an issue in which downgrading was not properly working

New list of supported systems:

Oracle Server 7.9 - 1.3.0-495_ol_7_9.x86_64.rpm
Red Hat Enterprise Linux Server 7.9 - 1.3.0-495_rhel_7.x86_64.rpm
RHEL 8.9 - 1.3.0-495_rhel_8.x86_64.rp
RHEL 8.10 - 1.3.0-495_rhel_8.x86_64.rpm
RHEL 9 - 1.3.0-495_rhel_9.x86_64.rpm

You need to install this package for all RPM based systems:
threatlocker_1.3.0-495_modules.rpm

Ubuntu Server 20.04 - 1.3.0-495_ubuntu_20_4.x86_64.deb
Ubuntu Server 22.04 - 1.3.0-495_ubuntu_22_4.x86_64.deb
Ubuntu Server 24.04 - 1.3.0-495_ubuntu_24_4.x86_64.deb

You need to install this package for all DEB based systems:
threatlocker_1.3.0-495_modules.deb

 

Linux Agent Version 1.2.1:  Beta 3/4/25

Bug Fixes

  • Resolved an issue in which downgrading was not properly working

 

Linux Agent Version 1.2:  Live 10/18/24

New Features

  • Added support for Policy statuses
  • Added the ability to use Installation mode
  • Added visibility of the Created By Process on Execute logs, and support to use the Created By Process in custom rules
  • Added the ability to trigger a baseline scan from the portal
  • Added logic to pull down Policies and Application definitions before the baseline scan begins

Bug Fixes

  • Resolved an issue in which Applications were not learned until after the baseline was scanned

Linux Agent Version 1.2:  Beta 09/25/24

New Features

  • Added support for Policy statuses
  • Added the ability to use Installation mode
  • Added visibility of the Created By Process on Execute logs, and support to use the Created By Process in custom rules
  • Added the ability to trigger a baseline scan from the portal
  • Added logic to pull down Policies and Application definitions before the baseline scan begins

Bug Fixes

  • Resolved an issue in which Applications were not learned until after the baseline was scanned

Linux Agent Version 1.1: Live 09/11/24

New Features

  • Added Linux support for Heatbeat Check in and Full Check in

Bug Fixes

  • Resolved an issue in which storage device serial numbers were not displaying correctly in the Unified Audit from a Linux machine
  • Resolved an issue in which the Process Path in the Unified Audit was not reflecting the exact path of a file executed on Linux

 

Linux Agent Version 1.1: Beta 09/09/24

New Features

  • Added Linux support for Heatbeat Check in and Full Check in

Bug Fixes

  • Resolved an issue in which storage device serial numbers were not displaying correctly in the Unified Audit from a Linux machine
  • Resolved an issue in which the Process Path in the Unified Audit was not reflecting the exact path of a file executed on Linux

Linux Agent Version 1.0.5.272: Live 9/9/24 

New Features

  • Install and uninstall instructions found here: https://threatlocker.kb.help/installing-and-uninstalling-the-threatlocker-linux-agent/
  • Added the ability to specify an API URL into the installer file
  • Added the ability to block and unblock files
  • Added Tamper Protection 
  • Added support for Ubuntu Server 22.04.4 LTS (Jammy Jellyfish) and Red Hat Enterprise Linux 9.4 (Plow)
  • Added the ability to request an application/file
  • Added support for enabling/disabling products

Bugs and Fixes

  • Resolved an issue in which user permission was denied on newly created Permit policies
  • Resolved an issue in which the agent was ignoring Application Definition updates
  • Resolved an issue in which installation failed due to lack of synchronization
  • Resolved an issue in which the Linux agent was terminated on reboot if the machine lost internet access
  • Resolved an issue in which actions that were performed with the same file by different users were only logging for the first user
  • Resolved an issue in which multiple policies referring to the same binary were leading to a permanent binary lock
  • Resolved an issue in which unexpected policies were generated for some applications
  • Resolved an issue in which Sudo was not being impacted by Default - Deny
  • Resolved an issue in which the Policy Name and Policy ID were not being displayed in the Unified Audit

Linux Agent Version 1.0.5.272: Beta (8/29/2024)

New Features

  • Install and uninstall instructions found here: https://threatlocker.kb.help/installing-and-uninstalling-the-threatlocker-linux-agent/
  • Added the ability to specify an API URL into the installer file
  • Added the ability to block and unblock files
  • Added Tamper Protection 
  • Added support for Ubuntu Server 22.04.4 LTS (Jammy Jellyfish) and Red Hat Enterprise Linux 9.4 (Plow)
  • Added the ability to request an application/file
  • Added support for enabling/disabling products

Bugs and Fixes

  • Resolved an issue in which user permission was denied on newly created Permit policies
  • Resolved an issue in which the agent was ignoring Application Definition updates
  • Resolved an issue in which installation failed due to lack of synchronization
  • Resolved an issue in which the Linux agent was terminated on reboot if the machine lost internet access
  • Resolved an issue in which actions that were performed with the same file by different users were only logging for the first user
  • Resolved an issue in which multiple policies referring to the same binary were leading to a permanent binary lock
  • Resolved an issue in which unexpected policies were generated for some applications
  • Resolved an issue in which Sudo was not being impacted by Default - Deny
  • Resolved an issue in which the Policy Name and Policy ID were not being displayed in the Unified Audit
Was this article helpful?