This article covers the steps required to permit all the files in a single directory that are signed by a particular vendor. This is useful for applications you use frequently, limiting the number of times an application must be requested. If you are familiar with the application and know that it is coming from a safe vendor, you can utilize the file’s certificate to make a custom rule.
Log into the ThreatLocker Portal.
Navigate to the Unified Audit using the menu on the left-hand side of the page.
Use the search bar to locate the desired directory name. For this example, we will be using the following directory:
- c:\program files\notepad++\notepad++.exe
Select the desired result from the Unified Audit.
Once the popout window has been opened, select the button labeled Add to Application, which is located in the top-right corner of the window. This will prompt you to enter the name of the application you would like to add this custom rule to. Enter the desired application name into the search bar, then select the name of the application.
From here, you will be brought to the Application Files tab of the application definition. On this page, you can view all of the hashes and custom rules that have been learned into this application definition. To create a new custom rule with the information received in the Unified Audit, select the dropdown labeled Condition 1, then select Full Path from the list. This will populate the file’s full path as the first condition.
Now, in the Full Path field, replace everything after the desired directory with a *. For the example above, the field becomes c:\program files\notepad++\*.
Note: Here, you can add a .dll or .exe after the * depending on your requirements.
Next, select the Condition 2 dropdown, then select Certificate from the list. This will populate the certificate as the second condition.
Note: If there are multiple certificates, you can select the different ones as individual conditions.
Select the Add Rule button.
Once this is selected, you will see your newly created custom rule within the list of Application Files.
This can be done with other files and file types as you see fit. Creating these custom rules will be essential in limiting files that will be requested throughout the day while also ensuring that the permitted files are related and safe for each user.
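
Before adding the rule, it helps to see which files in the directory carry the same signer as the file picked in the Unified Audit. The PowerShell below is an added example, not ThreatLocker's code; it uses the article's Notepad++ path, and both treating an identical signer subject as "same vendor" and including subfolders are assumptions about how the rule matches.

```powershell
# Added example: preview what a "Full Path = <dir>\* AND Certificate = <signer>"
# rule would and would not cover. Paths are the article's Notepad++ example.
$Directory = 'C:\Program Files\Notepad++'
$Reference = Join-Path $Directory 'notepad++.exe'
$Pattern   = '*'   # or '*.dll' / '*.exe', matching what you put after the * in Full Path

# Signer of the file that was selected in the Unified Audit.
$refSig = Get-AuthenticodeSignature -LiteralPath $Reference
if ($refSig.Status -ne 'Valid') {
    throw "Reference file signature status is '$($refSig.Status)'; do not build a certificate rule from it."
}
$refSubject = $refSig.SignerCertificate.Subject

# Assumption: the trailing * also spans subfolders; remove -Recurse if it does not.
$report = Get-ChildItem -LiteralPath $Directory -Filter $Pattern -File -Recurse |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Path       = $_.FullName
            Status     = $sig.Status
            Signer     = $subject
            # Assumption: "same vendor" is approximated by an identical signer subject.
            SameSigner = ($sig.Status -eq 'Valid' -and $subject -eq $refSubject)
        }
    }

# Files with SameSigner = False satisfy the path condition but not the certificate one.
$report | Sort-Object SameSigner, Path | Format-Table -AutoSize -Wrap
$report | Group-Object SameSigner | Select-Object Name, Count
```

Files listed with a different or missing signer (for example third-party plugins) will not be covered by the certificate condition and would need their own condition or rule.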