Installation mode is used for installing new software that doesn't have a predefined application definition and that you haven't created a definition for before. It temporarily disables file blocking and allows you to install the software. ThreatLocker catalogs all the installed files that would ordinarily have hit the default-deny policy.
You can enable installation mode from the Computers page. Select 'Installation' in the quick dropdown menu next to the computer you are changing the status of.
Next, select the name of the application being installed from the dropdown menu below the status. Applications that you currently have a definition for will be available from this dropdown menu. By default, installation mode will be enabled for one hour, but you can change that by using the '+ 1 Hour' or '+ 1 Day' buttons to add additional time. This time is synchronized with the time zone of the end user's computer. If you are installing something brand new, you will need to go to the 'Maintenance Mode' menu to select options for new software.
The end user will receive a popup notifying them that installation mode has been enabled, and they can end it when they are finished.
Once you have used installation mode on one computer, you shouldn't have to use it on any other machines because you have created the application and it can now be used for any computer in your organization. On rare occasions, certain software uses different files depending on the operating system. In this instance, it is possible that installation mode may need to be repeated on machines with different operating systems to update the application with the additional files needed for different operating systems.
When learning mode is enabled, file blocking is temporarily disabled. ThreatLocker will capture what is being installed on the computer and anything executing on that computer that would have been denied by the default policy. It will not capture executing files that are already permitted or denied by another policy, just files that would normally be caught by the default-deny policy.
The application definition that is created can be used on other computers, eliminating the need to put all the machines into learning mode. While it is uncommon, some applications use different files on different operating systems, so it is possible you will need to repeat the learning mode on machines with different operating systems to update the application definition with the additional files that are needed for the different operating systems.
First, select 'Learning Mode' from the quick status dropdown beside the computer you are changing the status of.
Next, select the name of the application being installed from the dropdown menu below the status. The applications listed here are applications you have existing application definitions for. Along with your list of application definitions, you will have 'Automatic Computer', 'Automatic Group', and 'Automatic System' options. By default, 'Automatic Group' learning will be enabled for one hour, but you can change that by adding time using the '+ 1 Hour' or '+ 1 Day' buttons. Please note that this time is synchronized with the end user's time zone.
When you select the application name from the dropdown menu, ThreatLocker will automatically update the chosen existing application definition. Choosing the application name from the dropdown puts ThreatLocker into an explicit learning mode which enables it to learn files in the Downloads folder, Documents folder, and other areas that are not automatically profiled by ThreatLocker while in implied learning mode. Any policy that uses the application definition will automatically receive the updated application definition.
Selecting an 'Automatic' mode is choosing implied learning, the same type of learning as the initial learning period. It will enable ThreatLocker to automatically create policies for you. ThreatLocker will use various algorithms and parameters to decide an application's name. ThreatLocker uses thousands of rules, the location of the application, and the process calling it to help decide what that application is.
For most applications, 'Automatic' learning works well, although if you are installing a single application there is no benefit to using 'Automatic'. 'Automatic' is most useful when installing multiple items at once.
- 'Automatic Computer' will learn the applications and create policies for the selected computer.
- 'Automatic Group' will learn the applications and create policies for that entire computer group, meaning that other computers in the same group will also be able to run the same applications.
- 'Automatic System' only learns drivers and miscellaneous Windows files, so it would not be an appropriate choice for installing new software. This option is normally used when onboarding new computers to learn the drivers and system files that are unique to that machine.
To enable explicit learning for an application you don't currently have an application definition for, you can access more advanced options in the 'Maintenance Mode' window. From there, you can name the application, and choose where the policy that ThreatLocker creates is applied.