Permitting Software from the Approval Center

Updated September 6, 2023

The approval center provides a single location from which admins can permit blocked and requested files, allow access to storage drives, and grant elevation for programs which need administrative privileges.

To access the Approval Center, manage either your parent organization or one of your client organizations and click it from the lefthand menu. Viewing this page from a particular client will allow you to see only that client's active requests. Access from the parent organization will allow you to see all requests from all clients simultaneously.

Clicking on a request to view it will expand a side panel, this will differ slightly depending on the request type. The request type is listed in the "Action Type" column.

Application Requests

Application Requests are created when a user requests to execute a blocked file. These most frequently occur when a file matches the default deny policy, which are configured by default to allow users to request access. The Application Request side panel has three tabs that include various detailst to give admins a more complete picture of what is being requested. : Request Details, Ticket Details, and File History. These tabs include various detailst to give admins a more complete picture of what is being requested, including:

Request Details

The full path and filename
The process that called the file
Any certificates or signatures attached to the file, if it is signed
The username of the requestor
A ThreatLocker hash for the file, generated by our proprietary hashing algorithm
The process that created this file, if applicable
The date/time the request was submitted
The organization name (useful when managing approval requests from the parent organization)
The hostname for the computer where the request originated
The status of the approval, which will update after the request is processed to reflect what was done
ThreatLocker's standard recommended instructions for processing approvals
Customer Guidelines, instructions used if an organization has Cyber Hero Management
A button linked to the file's results on VirusTotal
A button to download the file, if it was attached to the approval request

Ticket Details
File History
Details on the requested file

Below this you can find the ThreatLocker Testing Environment, a Virtualized Desktop which allows files to be tested in an isolated environment. For further details on the Threatlocker Testing Environment, see the following article: The ThreatLocker Testing Environment | ThreatLocker Help Center (kb.help)

Either open the file in the ThreatLocker Testing environment, or skip testing to proceed. If the application matches to a known application, a prompt will be generated where the matching application can be selected.

If you do not want to use an existing application, choose the red box indicated in the picture below. This will allow you to update another application or create a new application.

An existing application can be modified, or a new one can be created. Once you choose an application, you can either manually create rules based on various file parameters or temporarily place a machine in a maintenance mode of your choice. Based on characteristics of the requested file, advanced algorithms may be able to prepopulate certain custom rules, or the file may only be listed by hash

The file above meets several criteria defined by internal algorithms, so rules based on path, process, and signature have been generated. You can also write your own custom rules to expand on what was prepopulated. For furture instructions on writing custom rules, see the following article: Creating Custom Rules | ThreatLocker Help Center (kb.help)

If you choose to temporarily disable protection, there are three separate maintenance modes that can be selected.

Installation mode will catalog new files installed during that window.
Learning mode will capture installation, execution, and certain network activity.
Monitor mode will permit all execution, just as learning and installation mode will, but without cataloging anything for future policies.

Detailed information on maintenance modes can be found in the following article: Maintenance Modes | ThreatLocker Help Center (kb.help)

The next section will deal with the policy created by this approval request. Policies can be set to apply to the requesting machine, to a specified computer group, or the entire organization. Additional protection can be applied to an application with ringfencing, and the application can be granted Local Admin privileges by assisting in elevation. If a policy should only last for a particular period of time, a policy expiration can be set below. Once you have configured the policy, choose 'Approve Request' to complete the approval

Elevation Requests

If a file was permitted, but it needs local admin privileges to execute properly, the user can request elevation. This allows only a specified application the ability to run as a local admin, without the use of admin credentials. This will have a similar structure to the Application Request above, the only difference being that 'Elevate' will be selected rather than 'Do Not Elevate', and that the expiration will be for the elevation policy. If you wish to set a default period for elevation policies, you can do so within your organization options.

File History

Application Requests and Elevation Requests will have a File History tab which will show the recent history of files by that name on the requesting machine. This can indicate a dynamically changing file or an expiring temporary policy

Ticket Details

Every request will have a Ticket Details section where end user contact information and the reason included in their request are listed, along with a spot to list support ticket numbers and any comments made by Administrators processing the request.

Storage Requests

If a user attempts to read or write to a particular storage location or device, denied by your current policy configuration, they can request read or write access to that location. In the demonstration below, the Standard User on this desktop attempted to access a protected documents folder.

If you choose to permit this access, you can either use an existing policy and add the device to the storage policy, or create a new storage policy. Using a permit policy and adding the device allows a list of permitted drives to be used and maintained in the same policy.

If you choose to create a new storage policy, options will generate allowing you to configure the policy exactly as you want to.

The first option will deal with the Policy Level, where the policy is applied and how many machines it covers.

By default, these policies will be set to the computer level, but you can set them to the group or organization level as well. The policy hierarchy for storage policies is

Entire organization Policies
Computer Policies
Computer Group Policies

Below this, there are options to define the policy name (which will default to the name of the storage device, but can be configured to your preference) and the permission level. Below that, you can specify the interface type, any users and groups, file paths, storage devices, and whether this policy will apply to encrypted or non-encrypted drives. The policy configuration below, for example, will allow only this machine to read documents in the protected documents directory, and only until the policy expires.

Permitting Software from the Legacy Portal Approval Center

You can quickly permit files directly from the Approval Center.

Navigate to the Approval Center page.

Click the blue 'View' button next to the request you want to expand.

The Application Request window will open. At the top, you will see the file details including the certificate, if it has one, the hostname, and the username of the requestor.

Permitting Software with Matching Applications

ThreatLocker will let you know if the file matches an existing application, either a built-in or one learned in your organization. You can select the matching application from the dropdown menu.

Actions

This is where you will decide what type of policy you want to create for this application.

'Deny the application explicitly' - This option will deny this application and the end user will no longer receive a popup to request access to this application.
'Use suggested Ringfencing policy' - If the application you have selected above has a ThreatLocker suggested Ringfencing policy, this option will be available and selecting it will automatically apply the ThreatLocker suggested Ringfencing policy to the application.
'Permit the application and add Ringfencing restrictions' - This option permits the application and allows you to add in Ringfencing restrictions.
'Permit the application without restriction' - This will permit the application without adding Ringfencing restrictions.

Policy Expiration

Here you can select an expiration date for this policy if you wish.

Elevation

The 'Elevation' section follows. If you have an Elevation license, here you can decide if you would like to assist in elevating this application or not. If you choose 'Do not assist with elevation', and the end user needs to use elevation, they will receive a ThreatLocker popup window so they can request elevation.

Policy

This is where you choose where to apply the new policy to:

The entire organization - applies the policy to the entire organization
A computer group - applies the policy just to a specified computer group
This computer only - applies the policy just to this computer

Administrator Notes

This is where you can put ticket or requestor information, or comments if your internal policies require this.

The blue 'Save' button in the bottom right corner needs to be pressed to save your policy. Back on the main page, click the 'Deploy Policies' button in the top left to push the policy change out to your endpoints.

Permitting Software Without Matching Applications

If the software does not have a matching application, ThreatLocker will give you the following message: 'This file does not appear to match any known applications. Do you want to update the definition of an existing application or create a new application definition?'

If you know this file is part of an existing application definition and you wish to add this to it, you can select 'Add the file(s) to an existing application definition'.

If you do not wish to add this to an existing definition, you can create a new application definition for it. Choose 'Create a new application definition' and type a name for your application in the textbox.