Options Tab: Choices and Descriptions: for the Computers Page, the Computer Groups Page, and the Entire Organization Page

7 min. readlast update: 10.29.2024

There are options which offer granular control over your users and machines, and which can be located in the Options Tab within the Computer, Computer Groups or Entire Organization Pages.

The options below are linked to the version of ThreatLocker software your system is running. Some options will not function on previous versions. For the highest functionality, please update to 8.0+. If you are having trouble with these options, we encourage you to reach out to a Cyber Hero.

 

These options should be used with extreme care as changing these options may greatly impact ThreatLocker’s ability to monitor and secure your environment. We encourage you to apply these options at the group level or lower, to review the funtionality prior to expanding their reach within your enviornment.

 

To begin:

  • Navigate to either the Computers Page, Computer Groups Page, or the Organizations Page
  • Select the machine, group, or organization
  • Select Options on the right-hand panel
  • Select the dropdown arrow to populate the list

undefined

 

undefined

 

Options Include 

  • EnableSHA256: (System Restart Required) This will use the SHA256 hash and apply it into a policy. Traditionally, ThreatLocker uses its own hashes. Now, SHA256 hashes can be used and added to policies. With this option enabled, when malicious SHA256 hashes are identified, they can be blocked. This behavior is the default behavior in ThreatLocker Version 8.2 and above.
  • DotnetDll Explanation: Traditionally .net dll extensions are flagged as executing and are automatically blocked. If your machines were onboarded on versions 6.7 or below, this option is designed to help with .dll unintended blocks. With these options, your computer/group/system will be able to learn or monitor .dll extensions and log the behaviors in the Unified Audit.  
    • DotnetDllLearnComputer – This will apply to a specific computer, see explanation of option above.
    • DotnetDllLearnGroup – This will apply to a specific computer group, see explanation of option above.
    • DotnetDllLearnSystem – This will apply to the entire global organization, see explanation of option above.
    • DotnetDllMonitorOnly – This will monitor the computer/group/org based on where the options tab was opened, see explanation of option above. 
    • It is important to make sure that these options are applied to the computer/group/org appropriately. See the 4 choices for this option below:
  • EnforceCPL: (System Restart Required) Traditionally, ThreatLocker does not block access to the control panel because the action is not logged as an executable. When activated, this option will allow the block as needed.  
  • PermitPsScript: Quite often when starting up PowerShell, Microsoft will run a PowerShell command to know if you are running AppLocker. This action is permitted in Monitor only or Learning mode, but denied if you are secured. When activated, this option permits this action, even when secured. 
  • MonitorPowerShell: When activated, this option allows you to monitor PowerShell in the Unified Audit. We suggest using this option sparingly, or only as needed because it does create a lot of unified audit logs.
  • SCDisableDirectoryListing: When activated, this option applies to all storage control policies. Traditionally, users would be able to view, but not interact with a blocked location. This option hides the contents of the blocked location.  
  • InterceptLocalhostOutbound: (System Restart Required) Certain antivirus software will affect how outbound traffic is logged in the Unified Audit, causing outbound traffic to appear as local and thus be ignored by ThreatLocker. This option will allow your system to monitor and log this traffic, whether it is Application Control, Ringfencing or Network Access Control policies that are affected.  
  • LogRegistryPermit: Traditionally, Ringfencing will restrict applications from interacting with the registry. When activated, this will allow the interaction and log the permits.
  • AllFilesAsExecutableExsys:Explorer.exe: When activated, this option will treat any file that explorer.exe touches as an execute, no matter the extension. (SYSTEM)
  • AllFilesAsExecutable:Explorer.exe: When activated, this option will treat any file that explorer.exe touches as an execute, no matter the extension. (Non-SYSTEM Users)
  • AllFilesAsExecutableExsys:rundll32.exe: When activated, this options will treat any file that rundll32.exe touches as an execute, no matter the extension. (SYSTEM)
  • AllFilesAsExecutable:rundll32.exe: When activated, this option will treat any file that rundll32.exe touches as an execute, no matter the extension. (Non-SYSTEM Users)
  • IgnoreExternalPOnObject: When activated, this allows environments with multiple subnets to still use objects in their NC policies. It is designed for sub-netted networks that use multiple external IPs. This option must be applied at the Organization level and the object within the policy needs to target the Organization, rather than groups or hostnames. 
  • OCXLearn Explanation: Previous to version 7.9, .ocx file extensions were not flagged as executing in the ThreatLocker environment and therefore not learned during onboarding. If you would like .ocx files to be automatically learned, please upgrade to version 7.10.6+ and make sure this option is enabled for the needed group hierarchy levels.
    • OCXLearnComputer – This will apply learned files to a specific endpoint, see explanation of option above.
    • OCXLearnGroup – This will apply to a specific computer group, see explanation of option above.
    • OCXLearnSystem – This will apply to the system level policies for a specific endpoint , see explanation of option above.
    • OCXMonitorOnly – This will enable monitoring of .ocx files for the computer/group/org based on where the options were enabled, see explanation of option above.
    • These options allow you to enable/disable automatic learning of .ocx files, or set your environment to Monitor Only for .ocx files. 
    • Users who are on Manual Updates, or who cannot install a 7.10.6+ version, are encouraged to review our KB on keeping your system safe from OCX files
    • It is important to make sure that these options are applied to the computer/group/org appropriately. See the 4 choices for this option below: 
  • DisablePyFileMonitoring - Traditionally, ThreatLocker treats .py files as executables. When activated, ThreatLocker Application Control ignores .py files and does not treat them as executables.
  • HonorDriverCallsAsExecuteFlag - When activated, this option will enforce that files called by a driver that the Operating System flags as executes (regardless of whether they are executable files) will be treated by ThreatLocker as executed files. 
  • DisableSHA256: (System Restart Required) Beginning in ThreatLocker Version 8.2, SHA256 captures will be enabled by default. When activated, users will have the ability to disable this feature.
  • ArgumentsForExecution -When activated, this option will build out command line arguments for executions.
  • ArgumentsForNewProcess - When activated, this option will build out command line arguments for new processes.
  • ArgumentsForElevation - When activated, this option will build out command line arguments for elevation.
  • UseDNSCacheToGetHostnames - When activated, this option will attempt a DNS lookup if the driver does not return back a domain using domain name parsing. If not set, the domain will be empty if the driver returns nothing. 
  • EnableDriverDomainNameParsing - When activated, this option will utilize the driver to return back a domain using domain name parsing.
  • EnableRemotePresence - This option enables the monitoring of Remote Presence for Storage Control policies.
  • CoreThrottle1000 - This option will throttle the download of core files to a limit of 1000 files, waits a minute, then continues this process until all files have been downloaded. Only recommended to be used if machine performance is impacted during Patch Tuesday.

undefined

 

How to Select Options on the ThreatLocker Portal

  • To add an option, select it from the drop-down list. 
  • To remove an option, click the X to the right of the option's name. 
  • Make sure to click "Update Computer/Group/Organization" from the bottom of the page before you select it

undefined

 

  • Once your choices are saved, the changes will reflect immediately (unless they are flagged for a service restart above). 

Note: New child organizations will inherit options enabled by the parent organization.

 

If you need more assistance, please reach out to a Cyber Hero.  

Was this article helpful?