Help CenterNote: This Agent Setting requires ThreatLocker Windows Agent 10.3.4 or above.
When you load a .psm1 file, ThreatLocker records it as a 'read' action by default because of how Windows interprets these files. Although the system flags the activity as a 'read', the file is still being loaded. In the Unified Audit, this can appear misleading and may not fully represent what’s happening on the machine. To address this, ThreatLocker now provides an Agent Setting that lets you override these 'read' action types and display them as 'execute' instead, giving you more accurate visibility into .psm1 file executions within your environment.
To apply this setting, navigate to the '+ New Setting' button in the 'Agent Settings' page. From here, select the 'Setting Type' dropdown and choose 'Override Read as Execute’.
In the 'Parameters' section, provide the 'Process Name' of what you will be overriding, along with the 'File Extension'.
For .psm1 files, it is recommended that the 'Process Name' be powershell.exe and the 'File Extension' be listed as psm1.
Select the '+' button to the right of the 'File Extension' field to add additional overrides to the' Parameters' list.
When you have finished entering your information, select the 'Create' button at the bottom of the page. Then, ensure that you select the 'Update Agents' button.