Note: This Advanced Setting requires ThreatLocker Windows Agent 10.3.4 or later.
When a .psm1 file is loaded, Windows reports the action as a Read operation. As a result, ThreatLocker records the event as a Read action by default, even though the file is being executed. This can make Unified Audit events appear misleading and may not accurately reflect activity on the endpoint.
To provide more accurate auditing, ThreatLocker includes the Override Read as Execute Advanced Setting. When enabled, Read actions for .psm1 files are recorded as Execute actions in the Unified Audit, providing clearer visibility into PowerShell module execution within your environment.
To configure this setting, navigate to Advanced Settings, select + New Setting, and then choose Override Read as Execute from the Setting Type dropdown.

In the 'Parameters' section, provide the 'Process Name' of what you will be overriding, along with the 'File Extension'.
For .psm1 files, it is recommended that the 'Process Name' be powershell.exe and the 'File Extension' be listed as psm1.
Select the '+' button to the right of the 'File Extension' field to add additional overrides to the' Parameters' list.
When you have finished entering your information, select the 'Create' button at the bottom of the page. 
Then, ensure that you select the 'Update Agents' button.

Help Center