Lookback Period

Last update: 10.21.2021

The initial 5 days after deploying the ThreatLocker agent is when the majority of learning is completed. The Unified Audit will be filled with a lot of green denies as ThreatLocker is profiling all the Applications that are running in your environment and creating Policies to permit them. For this reason, the first 5 days are excluded from the lookback period to give you a more accurate view of what would have been potentially blocked had the computers been in Secured Mode.

A lookback period is the period of time between the computer's initial 5 days of Learning Mode and the present. For example, if your clients have been deployed for 7 days, subtract the first 5 days of Learning, which gives you a 2-day lookback period. These 2 days create a simulation of what that environment would have looked like had your client been in Secured Mode at that point in time. 

The longer your client is in Learning Mode, the longer your lookback period will be. If you have a client that is sensitive to something being blocked, a longer lookback period can help you prevent these types of frustrations.  

You can extend your lookback period to 2 weeks, 3 weeks, 4 weeks, or for as long as you are comfortable with. This allows you to look back at a much longer period of time. If you waited a month to lock down, the first 5 days are the main learning period, and that gives you a 25-day lookback period. The longer lookback period helps to ensure that if you have software that self-updates once a month, the update will be captured during Learning Mode and a Policy will be automatically created to allow this self-updating to continue. It also allows you the opportunity to review what would have been blocked and create custom rules to prevent future blocks (e.g. an Application that creates .dll files on the fly).

To review potentially denied items in your lookback period, navigate to the Unified Audit Page. From there, set the beginning date of your search to the first day of your lookback period (5 days after your initial deployment). Then you can select 'Any Deny' from the Action dropdown menu to see only items that would have been denied.  
