From the ThreatLocker Portal Approval Center
Navigate to the Approval Center to view requests.
Selecting the View icon will bring up the Application Request dialogue box. There are four main sections as follows:
Information about the file being permitted
Here you will see the requested file, details about the file, and the user and host that requested it. There is also a hyperlink to virustotal.com where you can see if any of the top antivirus software has flagged the file as potentially malicous based on the SHA-256 hash of the file.
In the case of a browser extension, the bottom of this area will also have hyperlinks to view the extension on the Chrome Store and/or the Edge Store where you can view the user ratings of the extension and receive more information about it.
Matching Applications
- Use the matched application - Choose the matching application you wish to add to from the dropdown menu.
- Add to an existing application - Choose the existing application you want to add this file to from the dropdown menu.
- Create a new application - Type the name of your choice in the text box, and then the Rules area will appear.
Rules (will not appear if you choose to use an existing application)
- Create a rule for the application automatically based on this file
- Automatically catalog files that are installed using Intallation Mode - The endpoint will be put into Installation Mode for 1 hour. Please note that Installation Mode will only catalog install files.
- Automatically catalog files using Learning Mode - The endpoint will be put into Learning Mode for 1 hour. Unlike Installation Mode, Learning Mode will capture both install files and execute files.
- Manually choose options - You can choose to create the rule by a combination of hash, certificate, path, or process. The more stipulations you choose, the more secure your rule will be.
Actions
Here you can choose if you want to permit the file, deny the file, or permit the file with Ringfencing.
Policy Expiration
Elevation
If you have an Elevation license, here you can choose to apply Elevation to this file, and set an expiration for the Elevation.
Policy
Here you will choose where to apply this newly created policy.
Adminstrator Notes
The notes section is for your own internal use.
Don't forget to click 'Save'.
From the ThreatLocker Portal Unified Audit
Navigate to Unified Audit.
Change the Action dropdown list to Any Deny, and select Search.
This will display everything currently being denied by ThreatLocker. Utilize the Advanced Search to filter the results further - i.e. by Username, Hostname, Filename, etc.
Review the results, and expand any of the rows for more details.
- View File History - Shows you the history of that file on that computer. You will see if has ever been permitted, and when it first appeared.
- Permit Application - Takes you to the same Application Request dialogue box as explained above.
- Add to Application - Allows you to add this one file to an existing application.
Enter the name for you application in the name text box.
Next, we see several fields that show Path, Process Path, Hash and Certificate, this allows us to be very granular on what we are allowing. In the case of a file that is changing hash, the best practice is if a file has a Signed Certificate that we trust, we can allow this. To do so we remove the file from the path above and replace it with an asterisk e.g. c:\program files (86x)\notepad++\* - We also remove the Hash and Process Path. You will need to choose the certificate from the dropdown menu.
Click 'Add'. Click 'Save'. And then click 'Deply Policies'.
From the Desktop
Right-click the Threatlocker Icon in the system tray and choose Blocked Items.
That will populate a list of all the blocked items. Click 'View' next to one of the blocked items to receive a Request Permission popup.
- Send Request - Sends a request through the portal to the Approval Center and if set up, alert by email of the awaiting request.
- Login as Admin - Allows you to enter administrator credentials and bring you to the Application Request Dialogue box.
- Cancel - Closes the request popup.