-
Understanding and Changing the Module Options on the Organizations Page
On the Organizations Page, there are dropdown menus called “Module” (formerly Product) on the right side of the page, with check box options. When closed, they say "X items checked". These dropdown menus list all of the available ThreatLocker modules, which can be combined to customize your coverage. This article details what each of those modules entails, why some are occasionally grayed out, and how to change these options for your organization.
-
Options Tab: Choices and Descriptions: for the Computers Page, the Computer Groups Page, and the Entire Organization Page
There are options which offer granular control over your users and machines, and which can be located in the Options Tab within the Computer, Computer Groups or Entire Organization Pages. The options below are linked to the version of ThreatLocker software your system is running. Some options will not function on previous versions. For the highest functionality, please update to 7.10.6+. If you are having trouble with these options, we encourage you to reach out to a Cyber Hero.
-
Changes in the Approval Center - Removing the Option to Create a Rule by Hash
ThreatLocker removed the option to create a rule by hash in the Approval Center. Custom rules protect your flow of business by allowing for future updates. A hash, however, will be static. When adding a custom rule with process and path, AND hash, users may unknowingly nullify the dynamic ability for the rule to update. This change reduces a user’s ability to unknowingly nullify the custom rule, ultimately making it easier to permit without denying by mistake.
-
Help Desk Has a New Location
Portal Help Desk Location
To access Help Desk, click on the Help button towards the top-right of the screen within the ThreatLocker Portal to open the Help Menu. Within this menu, you will see 5 options:
  - Chat with a Cyber Hero: Starts a new chat or submits an offline Help Desk ticket.
  - ThreatLocker University: Opens ThreatLocker University in a new window.
  - Knowledge Base: Opens ThreatLocker's Knowledge Base in a new tab.
-
How to Use Multiple Parameters in a Single Search Field in the Unified Audit
To assist you in creating the most concise search results possible, ThreatLocker has added the ability to specify multiple parameters within a single search field in the Unified Audit. Utilizing the pipe symbol "|", you can combine the exact parameters you wish to include, exclude, or use a combination of both. All textboxes in the Unified Audit page will support the use of the "|" symbol.
-
Approval Center – Revamped
The release of ThreatLocker’s new Approval Center brings about a plethora of changes. Here we will cover the significant differences between the two builds. Previously the Approval Center allowed you to either permit a file or ignore it by the use of the following two buttons: The approval center has eliminated these buttons and now allows for optimum configuration.
-
Computers Page: ThreatLocker 6.0
The first improvement you will notice is that the ‘Monitor Only’ mode box has been removed. It has been replaced with a quick dropdown ‘Status’ box which represents the current security status of ThreatLocker and provides a quick way of changing this status.
Enabling Protection
The ‘Enable Protection’ box ends all maintenance periods and secures all the selected computers. To end all maintenance periods and re-enable protection at any time, select the box next to the computer in question and click the ‘Enable Protection’ box, which places the selected computer into a ‘Secured’ status.
-
Creating a New Organization
Navigate to the Organizations Page. Choose the 'New Organization' button at the top of the screen. It will populate a window where you can configure the settings for your new organization.
General Tab
Under the 'General' tab, you can enter the name of the organization. In the 'Identifier' blank, you will need to put the name of the organization as it is in your RMM if you use one.
-
Creating Tags
The use of Tags requires Agent version 6.0 or greater.
Tags are a collection of items that can be applied to Network policies with Ringfencing. They can contain strings, with or without wildcards, IPv4 addresses or IPv6 addresses. Tags are very efficient to manage and any changes made to the tag are automatically applied to the endpoints. The same tag can be easily applied to multiple policies.
Creating Tags
To create a tag, navigate to 'Application Control'.
-
Disable Tamper Protection
Overview
The following article covers the steps required to disable Tamper Protection. Tamper Protection can be disabled on a single device or be disabled on multiple devices at once. Please note that disabling Tamper Protection will place computers that are in Learning Mode into Secured Mode. To avoid this, computers should be placed into Monitor Only Mode before disabling Tamper Protection.
Disabling Tamper Protection For a Single Computer
Log into the ThreatLocker Portal.
-
Email on Policy Match
We do not suggest doing this to a default policy. Setting this up on a default policy may lead to a large amount of unwanted emails. If you would like to set up ThreatLocker to email you when a particular policy is matched, first navigate to the Organizations page and manage the organization you want to enable this on. Navigate to Application Control > Policies. Change the dropdown in the Applies To menu to reflect your desired policy location.
-
Guide to Using the Reports Page
ThreatLocker has incorporated some very useful reports to help our clients consolidate needed information into an easy and usable form. To access these reports, navigate to the Reports page. Here you will see 2 dropdown menus: Category and Report.
Category
  - All – this will show you all the report options
  - 3CX – this will show you applications or files that contain 3CX files or hashes
  - API Reports – this will allow you to pull active licenses by organizations
  - Applications – this is the location of your application reports
  - Approval – this will show you your approval request report options
  - Audit – this is where you access your blocked file reports and process count
  - Computers – this populates a list of computer reports you can run
  - Cyber Hero Management – this will provide the approvals processed by Cyber Heroes
  - Log4j – this will show you applications containing old Log4j files
  - Network Access Control – this will show active Network Access Control (now known as Network Control) policies
  - Organizations – this will provide a list of your organizations
  - Policies – this provides your policy reports
  - Spring Framework – this will show you applications containing old Spring Framework files
  - Storage Control – this shows deleted file reports and processes accessing a UNC report
  - Storage Devices – this will give you a report of your USB Serial Numbers
  - Support – this will provide a report of applications with custom rules containing two unnecessary “*” asterisk wildcards next to each other
  - Users – this will populate a list of users
Report
The Report dropdown menu allows you to select the specific report you would like to generate.
-
Help Desk
When you click 'Get help from a Cyber Hero', a ticket will be automatically opened for you. To view, edit, or close any ticket, navigate to the Help Desk Page by clicking 'Help Desk' under the 'Help and Support' drop-down in the menu on the left-hand side. New tickets can also be opened from the Help Desk Page.
To Open A New Support Ticket
Click the 'Open New Ticket' button located at the top left of the screen.
-
How to Use the New Policies Page on ThreatLocker Version 6.0
Log into the ThreatLocker Portal and navigate to ‘Application Control’ and then to ‘Policies’. You can select who the policy applies to in the upper right-hand corner of the portal.
Policy Group Hierarchy
  - Global
  - Global Workstations or Global Servers
  - Entire Organization
  - Computers
  - Computer Groups
Global policies run first, then the global workstations or servers, then the entire organization, followed by computers, with computer groups last.
-
Login Settings
The Login Settings Page provides a central location to manage the Geo Restrictions and MFA settings on your ThreatLocker account. Here, you can set organization-wide Geo Restrictions by countries and/or IP addresses, restrict MFA options, and override the MFA restrictions for specific users. Navigate to Security Center > Login Settings.
Geo Restrictions
In the Geo Restrictions tab, you can specify countries and/or IP addresses from which logins to your ThreatLocker account are permitted or prohibited.
-
Navigating the Administrators Page
The "Administrators" tab is located in the menu under the ThreatLocker logo on the left-hand side of the portal. After you've chosen your organization and managed it, the Administrators tab will populate any and all relevant admins for your organization. This guide will talk about the different buttons found on this part of the portal.
New Administrator
This button is used for creating a new administrator for your organization.
-
OTC Authentication
OTC (one-time-code) authentication enables you to use the authentication application of your choice for 2-Factor Authentication. Navigate to the Administrators page. Select the 'Edit' button next to the user you would like to enable OTC for. In the popup window, scroll to the 2-Factor Authentication section. From the dropdown menu, select OTC. A QR Code will appear below the dropdown menu. Scan this QR Code with the authentication application of your choice.
-
Passwordless Authentication
This feature has currently been released for public Beta testing. Passwordless Authentication allows you to enable 2-factor authentication without using an authentication application. Once configured, an automated phone call will be made to the phone number you have set up. You will be required to answer the phone and input your preconfigured 4-8 digit PIN number into the telephone's keypad before being logged into the ThreatLocker Portal.
-
System Audit Page
The System Audit Page is where the activity in your ThreatLocker organization is logged. Navigate to Security Center > System Audit. You can view this System Audit per organization, or you can view all your organizations' activity by selecting 'Show audit for all child organizations' in the parent organization's System Audit.
Search Filters
Much like the Unified Audit page, there are multiple filters you can apply when searching this audit to refine your search results.
-
How to Enable O365 SSO
O365 SSO can only be enabled and set up by a ThreatLocker super-admin. To enable SSO on existing administrator accounts, you will need to have a password reset email sent by the Cyber Heroes. ThreatLocker does not recommend using SSO for your ThreatLocker Account because SSO relies on the security of a 3rd party and that security is out of ThreatLocker's control. Currently, O365 SSO requires the settings in Azure to be configured to 'Allow user consent for apps'.
-
Advanced Maintenance Schedules
By utilizing advanced maintenance modes, you will have the opportunity to schedule maintenance modes as well as customize the modes to fit your needs. From the Computers page, select 'Advanced' from the quick dropdown menu OR select the 'Maintenance Mode' button next to the computer you wish to enable an advanced maintenance period on. Both options will open the 'Maintenance Schedule' window. In the top left, select the desired maintenance type from the 'Maintenance Type' dropdown menu.
-
Tray Redirect URL
The Tray Redirect URL for a policy can be added and/or modified from the policy popup.
-
Storage Policy & Elevation Tray Notifications
The Storage Policy Tray Notification and Window appearances can be modified and saved to a Deny Request Storage Policy. The Elevation Tray content can be edited and successfully saved to a Computer Group.
-
Modify Storage Request Options & Policy Names
Storage Request policy names and options can be modified directly from a request/approval. Available options include:
  - What paths should this apply to?
    - Apply to all file paths
    - Apply to selected file path
  - What type of interface should this apply to?
    - All Interfaces
    - Select an interface
  - Should this policy apply only to encrypted devices?
    - Apply to both encrypted and not encrypted devices
    - Only encrypted Devices
    - Only not encrypted devices
-
Deleting Applications/Storage Devices applied to policies
When deleting an Application or Storage Device with applied policies, the user will be prompted with a list of affected applications on the Applications page and storage devices on the Storage Devices page. A confirmation dialogue is displayed alerting the user that applied policies will be deleted as well.
-
Post Request URL
You can customize the text which appears on requests to access a storage device or run a new program. This can be done by clicking the pencil edit icon next to any policy with the actions deny and request. Additionally, you may specify a Redirect URL and replace any valid parameters preceded and followed by "%%" with the corresponding value. Valid parameters include:
  - %%Hostname%%
  - %%Filename%%
  - %%Approvalrequestid%%
  - %%Requestoremailaddress%%
For example, a client is able to pass their API 2 values, hostname and filename, and use their API parameter names.
-
Realtime Action Log
The Realtime Action Log will show you everything that is happening on your computer in realtime. This display can be viewed by right clicking on the ThreatLocker tray icon and then selecting "Realtime Action Log".
-
ActiveX Control Files (.ocx)
To increase security on devices using ThreatLocker, we have changed .ocx files to be processed as executable files rather than read-only files. This is similar to the approach we took with .ps1 and .bat files in order to prevent rogue scripts from executing on your endpoints. As a result of this change, you may see blocks for applications using .ocx files. If after the ThreatLocker update you find that you have denied .
-
Permitted Applications
The Permitted Applications page allows users to view all permitted applications in the environment along with the policies associated with those applications.
Navigating to the Permitted Applications Page
To navigate to the Permitted Applications Page, expand the Application Control menu on the left-hand side and click on 'Permitted Applications'.
Understanding the Permitted Applications Page
This page will show you a list of permitted applications for the environment under the Application Name column.
-
Configuration Manager
Configuration Manager is a place to quickly design policies that help mitigate the most common threat vectors. This article includes information on how to:
  - Create Config Manager Policies from scratch or from the Suggested Policies button
To open Configuration Manager (aka Config Manager), navigate to the left side main menu, under the Modules drop-down menu.
Add a Suggested Policy
To add a suggested policy, click the 'Add Suggested Policy' button.
-
Newly Created Computer Groups Learn Computer Level Policies
The Portal Release on 5/1/2023 included a change to how newly created computer groups learn applications and policies from previously installed endpoints. Newly created computer groups will learn Computer Level policies, rather than Group Level policies. This change was implemented to reduce the chances of copying unneeded or unused policies into a new computer group. While the "Learn at Group Level" option is still available, this setting will not carry over to child organizations, even if selected on the template group within the parent organization.
-
How to Use a Template Organization
You can create a template organization under your parent organization to easily duplicate modules, policies, and options when creating a new child organization.
  - Begin by navigating to the Organizations page.
  - Select the ‘+ Organization’ button at the top of the page.
  - Name your new Template Organization ‘Template’ and enter 'Template' in the Identifier area as well.
  - Then, select your Time Zone and navigate to the Options tab.