Help CenterThe approval center provides a single location from which admins can permit blocked and requested files, allow access to storage drives, and grant elevation for programs which need administrative privileges.
To access the Approval Center, manage either your parent organization or one of your client organizations and click it from the lefthand menu. Viewing this page from a particular client will allow you to see only that client's active requests. Access from the parent organization will allow you to see all requests from all clients simultaneously.
Clicking on a request to view it will expand a side panel, this will differ slightly depending on the request type. The request type is listed in the "Action Type" column.
Application Requests
Application Requests are created when a user requests to execute a blocked file. These most frequently occur when a file matches the default deny policy, which are configured by default to allow users to request access. The Application Request side panel has three tabs that include various detailst to give admins a more complete picture of what is being requested. : Request Details, Ticket Details, and File History. These tabs include various detailst to give admins a more complete picture of what is being requested, including:
- Request Details
- The full path and filename
- The process that called the file
- Any certificates or signatures attached to the file, if it is signed
- The username of the requestor
- A ThreatLocker hash for the file, generated by our proprietary hashing algorithm
- The process that created this file, if applicable
- The date/time the request was submitted
- The organization name (useful when managing approval requests from the parent organization)
- The hostname for the computer where the request originated
- The status of the approval, which will update after the request is processed to reflect what was done
- ThreatLocker's standard recommended instructions for processing approvals
- Customer Guidelines, instructions used if an organization has Cyber Hero Management
- A button linked to the file's results on VirusTotal
- A button to download the file, if it was attached to the approval request
- Ticket Details
- File History
- Details on the requested file
Below this you can find the ThreatLocker Testing Environment, a Virtualized Desktop which allows files to be tested in an isolated environment. For further details on the Threatlocker Testing Environment, see the following article: The ThreatLocker Testing Environment | ThreatLocker Help Center (kb.help)
Either open the file in the ThreatLocker Testing environment, or skip testing to proceed. If the application matches to a known application, a prompt will be generated where the matching application can be selected.
If you do not want to use an existing application, choose the red box indicated in the picture below. This will allow you to update another application or create a new application.
An existing application can be modified, or a new one can be created. Once you choose an application, you can either manually create rules based on various file parameters or temporarily place a machine in a maintenance mode of your choice. Based on characteristics of the requested file, advanced algorithms may be able to prepopulate certain custom rules, or the file may only be listed by hash
The file above meets several criteria defined by internal algorithms, so rules based on path, process, and signature have been generated. You can also write your own custom rules to expand on what was prepopulated. For furture instructions on writing custom rules, see the following article: Creating Custom Rules | ThreatLocker Help Center (kb.help)
If you choose to temporarily disable protection, there are three separate maintenance modes that can be selected.
- Installation mode will catalog new files installed during that window.
- Learning mode will capture installation, execution, and certain network activity.
- Monitor mode will permit all execution, just as learning and installation mode will, but without cataloging anything for future policies.
Detailed information on maintenance modes can be found in the following article: Maintenance Modes | ThreatLocker Help Center (kb.help)
The next section will deal with the policy created by this approval request. Policies can be set to apply to the requesting machine, to a specified computer group, or the entire organization. Additional protection can be applied to an application with ringfencing, and the application can be granted Local Admin privileges by assisting in elevation. If a policy should only last for a particular period of time, a policy expiration can be set below. Once you have configured the policy, choose 'Approve Request' to complete the approval
Elevation Requests
If a file was permitted, but it needs local admin privileges to execute properly, the user can request elevation. This allows only a specified application the ability to run as a local admin, without the use of admin credentials. This will have a similar structure to the Application Request above, the only difference being that 'Elevate' will be selected rather than 'Do Not Elevate', and that the expiration will be for the elevation policy. If you wish to set a default period for elevation policies, you can do so within your organization options.
File History
Application Requests and Elevation Requests will have a File History tab which will show the recent history of files by that name on the requesting machine. This can indicate a dynamically changing file or an expiring temporary policy
Ticket Details
Every request will have a Ticket Details section where end user contact information and the reason included in their request are listed, along with a spot to list support ticket numbers and any comments made by Administrators processing the request.
Storage Requests
If a user attempts to read or write to a particular storage location or device, denied by your current policy configuration, they can request read or write access to that location. In the demonstration below, the Standard User on this desktop attempted to access a protected documents folder.
If you choose to permit this access, you can either use an existing policy and add the device to the storage policy, or create a new storage policy. Using a permit policy and adding the device allows a list of permitted drives to be used and maintained in the same policy.
If you choose to create a new storage policy, options will generate allowing you to configure the policy exactly as you want to.
The first option will deal with the Policy Level, where the policy is applied and how many machines it covers.
By default, these policies will be set to the computer level, but you can set them to the group or organization level as well. The policy hierarchy for storage policies is
- Entire organization Policies
- Computer Policies
- Computer Group Policies
Below this, there are options to define the policy name (which will default to the name of the storage device, but can be configured to your preference) and the permission level. Below that, you can specify the interface type, any users and groups, file paths, storage devices, and whether this policy will apply to encrypted or non-encrypted drives. The policy configuration below, for example, will allow only this machine to read documents in the protected documents directory, and only until the policy expires.
Permitting Software from the Legacy Portal Approval Center
You can quickly permit files directly from the Approval Center.
Navigate to the Approval Center page.
Click the blue 'View' button next to the request you want to expand.
The Application Request window will open. At the top, you will see the file details including the certificate, if it has one, the hostname, and the username of the requestor.
Permitting Software with Matching Applications
ThreatLocker will let you know if the file matches an existing application, either a built-in or one learned in your organization. You can select the matching application from the dropdown menu.
Actions
This is where you will decide what type of policy you want to create for this application.
- 'Deny the application explicitly' - This option will deny this application and the end user will no longer receive a popup to request access to this application.
- 'Use suggested Ringfencing policy' - If the application you have selected above has a ThreatLocker suggested Ringfencing policy, this option will be available and selecting it will automatically apply the ThreatLocker suggested Ringfencing policy to the application.
- 'Permit the application and add Ringfencing restrictions' - This option permits the application and allows you to add in Ringfencing restrictions.
- 'Permit the application without restriction' - This will permit the application without adding Ringfencing restrictions.
Policy Expiration
Here you can select an expiration date for this policy if you wish.
Elevation
The 'Elevation' section follows. If you have an Elevation license, here you can decide if you would like to assist in elevating this application or not. If you choose 'Do not assist with elevation', and the end user needs to use elevation, they will receive a ThreatLocker popup window so they can request elevation.
Policy
This is where you choose where to apply the new policy to:
- The entire organization - applies the policy to the entire organization
- A computer group - applies the policy just to a specified computer group
- This computer only - applies the policy just to this computer
Administrator Notes
This is where you can put ticket or requestor information, or comments if your internal policies require this.
The blue 'Save' button in the bottom right corner needs to be pressed to save your policy. Back on the main page, click the 'Deploy Policies' button in the top left to push the policy change out to your endpoints.
Permitting Software Without Matching Applications
If the software does not have a matching application, ThreatLocker will give you the following message: 'This file does not appear to match any known applications. Do you want to update the definition of an existing application or create a new application definition?'
If you know this file is part of an existing application definition and you wish to add this to it, you can select 'Add the file(s) to an existing application definition'.
If you do not wish to add this to an existing definition, you can create a new application definition for it. Choose 'Create a new application definition' and type a name for your application in the textbox.
Rules
Note: You will not get this section if using a matching application. You will if you choose to add to an existing application.
Next, you will need to create the rule for your new application. Your choices are:
- 'Create a rule for the application automatically based on this file' - This will allow ThreatLocker to permit this one file. For a single executable, this will be fine. However, in the cases of an installer, only a single file will be permitted and all the other files required for installation will be blocked.
- 'Automatically catalog files using Learning Mode' - This will put the requesting computer into learning mode, file blocking will be temporarily disabled, and the files that are installing and executing that would have been caught by the default-deny policy will be cataloged. Learning Mode is helpful for updating software that is currently installed on the computer.
- 'Automatically catalog files that are installed using Installation Mode' - This will put the requesting computer into installation mode. File blocking will be temporarily disabled and all the files that are installing that would have been caught by the default-deny policy will be cataloged. Installation Mode is helpful for installing software that doesn't currently exist on the computer.
- 'Manually choose options'- This will allow you to create a custom rule using path, process, created by, and certificate. In the case of a file that is frequently changing hash, ThreatLocker will recommend this manual option and will also select the options it recommends you use.
For more information on the difference between Learning Mode and Installation Mode, please see our related article here.
Actions
This is where you will decide what type of policy you want to create for this application.
- 'Deny the application explicitly' - This option will deny this application and the end user will no longer receive a popup to request access to this application.
- 'Permit the application and add Ringfencing restrictions' - This option permits the application and allows you to add in Ringfencing restrictions.
- 'Permit the application without restriction' - This will permit the application without adding Ringfencing restrictions.
- 'Don't create any new policies, just update the application definition' - This will not create a policy for this application, only an application definition. This is useful if it is an update to an existing application you have a policy for. If you don't have a policy for it, this application will not be able to run until you create a policy for it.
Policy Expiration
Here you can select an expiration date for this policy if you wish.
Elevation
If you have an Elevation license, here you can decide if you would like to assist in elevating this application or not. If you choose 'Do not assist with elevation', and the end user needs to use elevation, they will receive a ThreatLocker popup window so they can request elevation.
Policy
This is where you choose where to apply the new policy to:
- The entire organization - applies the policy to the entire organization
- A computer group - applies the policy just to a specified computer group
- This computer only - applies the policy just to this computer
Administrator Notes
This is where you can put ticket or requestor information, or comments if your internal policies require this.
The blue 'Save' button in the bottom right corner needs to be clicked to save your policy. You will not need to click 'Deploy Policies' because the change will automatically be applied with no further input. Within a minute, the end user will be able to run the requested software.