Note: This feature is currently only available on Windows machines and requires ThreatLocker Windows Agent Version 10.6.2 or greater.
Whenever an application is opened on a machine, there is always a parent process that is used to open it. In logs found in ThreatLocker, this parent process is displayed as the 'Process Path'. This parent process is typically an application located in our Windows Core Files (Built-In) or a process directly associated with the executed application itself. ThreatLocker now allows users to restrict an application so that it can only be opened by specified applications, matched against the Process Path. This article explains how to create a policy that restricts an application from being opened by any process other than a specified parent process.
Applying Parent Process Restrictions
To access this feature, navigate to the 'Modules' dropdown on the left-hand side of the portal and select 'Application Control' from the list.
Now in 'Application Control', select the 'Policies' tab found in the top right corner of the page, or choose the '+ New Policy' button. For questions about creating a new policy, please navigate to the following article:
ThreatLocker Application Control Quick Start Guide | ThreatLocker Help Center
Create your policy as usual if you are creating a new policy. If you are editing an already-existing one, navigate to the 'Conditions' section of the 'Edit Application Policy' page. Please note that this feature is only available for Windows machines, meaning that opening or creating a policy for anything other than Windows will not display this feature. In the 'Conditions' section, locate the switch labeled 'Restrict to the following parent processes?'
Switching this 'on' will display a new field for application names, with a list of Built-In applications and applications from your organization to choose from.
Note: Keeping this switch turned off will allow the application you have selected to execute via any Process Path.
Insert the names of the known applications that you would like to permit to execute this application. Many applications are executed from explorer.exe, which is File Explorer and is part of the 'Windows Core Files (Built-In)' application. Other applications, such as an installation file downloaded through a browser, might have Microsoft Edge or Google Chrome as their process path. Using the Unified Audit, you can monitor which applications are known to execute the application.
Note: You must enter at least one application in this field if you opt to use this feature.
Once you have entered the expected applications, select 'Save' or 'Create' at the bottom of the page and ensure that you deploy policies.
When a user executes an application that matches this policy, ThreatLocker will check that the Process Path matches at least one of the applications you entered. If it matches, the application will execute as expected. Otherwise, the application will be denied. The respective actions will be displayed in the Unified Audit as long as the policy is set to log them there.
When the application is denied and the user has the option to request access to the application, the following message will display on the user's screen:
You can monitor the Unified Audit after applying this policy to ensure that expected process paths for an application are included in the list of permitted parent processes.
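The two steps above, reviewing the audit to learn which parent processes launch an application and then permitting only those, can be modelled as an added example. This is illustrative code, not ThreatLocker's own logic or its audit schema: the record field names, the constructed audit records, and the use of paths (rather than application names) for the permitted parents are all assumptions.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Constructed Unified-Audit-style records (field names assumed, not ThreatLocker's schema).
# 'full_path' is the executed application, 'process_path' is its parent process.
AUDIT_RECORDS = [
    {"full_path": r"C:\Program Files\Vendor\tool.exe", "process_path": r"C:\Windows\explorer.exe"},
    {"full_path": r"c:\program files\vendor\tool.exe", "process_path": r"C:\WINDOWS\Explorer.EXE"},
    {"full_path": r"C:\Program Files\Vendor\tool.exe",
     "process_path": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"full_path": r"C:\Windows\System32\whoami.exe", "process_path": r"C:\Windows\System32\cmd.exe"},
]


def parent_processes(records, target):
    """Count which parent Process Paths launched 'target', to decide which parents to permit.

    Windows paths are case-insensitive, so matching uses PureWindowsPath equality and the
    counter keys are lower-cased to fold 'Explorer.EXE' and 'explorer.exe' together.
    """
    target = PureWindowsPath(target)
    counts = Counter()
    for record in records:
        if PureWindowsPath(record["full_path"]) == target:
            counts[str(PureWindowsPath(record["process_path"])).lower()] += 1
    return counts


def evaluate(record, permitted_parents, restrict=True):
    """Mimic the policy switch: off permits any Process Path; on permits only a listed parent.

    Mirrors the article's rule that at least one parent must be listed when the switch is on.
    """
    if not restrict:
        return "Permit"
    if not permitted_parents:
        raise ValueError("at least one parent process must be listed when the restriction is on")
    parent = PureWindowsPath(record["process_path"])
    if any(parent == PureWindowsPath(p) for p in permitted_parents):
        return "Permit"
    return "Deny"


if __name__ == "__main__":
    target = r"C:\Program Files\Vendor\tool.exe"
    for parent, n in parent_processes(AUDIT_RECORDS, target).most_common():
        print(f"{n:>3}  {parent}")
    for record in AUDIT_RECORDS:
        print(record["process_path"], "->", evaluate(record, [r"C:\Windows\explorer.exe"]))
```

Reviewing the per-parent counts before turning the switch on is the equivalent of the audit check the article recommends: a parent that legitimately launches the application but is missing from the list will show up as a Deny.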