Company logoHelp Center
Visit www.threatlocker.com

The Remediator

4 min. readlast update: 04.02.2024

The Remediator is an enhancement to the ThreatLocker Detect module. It provides secure shell access to managed endpoints from within the ThreatLocker portal. For added security, the Remediator is a separate service, and must be intentionally installed. Without the Remediator's presence on the target computer, there is no shell access from the ThreatLocker portal.

Requirements:

  • Windows OS
  • ThreatLocker Detect
  • ThreatLocker Service > 8.6
  • Create an Application Control Policy to permit the ThreatLocker Remediator (Built-In)
  • Separate Installation of the Remediator Service via MSI 
  • Remediator tab can only be accessed by ThreatLocker admins that have MFA enabled
  • Admins will need the 'Allow Remediation' permission to gain access to the Remediator tab (even Super Admins will need this permission applied separately) 

Downloading the Remediator Service

The Remediator installation files are located in the Install Computer window and in the Remediator tab of the ThreatLocker Detect sidebar for any computer that doesn't already have the Remediator installed.

From the Install Computer Button

From any page in the portal, select the 'Install Computer' button located at the top of the page.

Next select 'Manual Deployment' and the target 'Computer Group'. The Remediator Service installers are located below the ThreatLocker Service installer files.

Select the correct version (x64 or x86) for the target computer.

From the Computers Page/Response Center

From the Computers page or the Response Center > Threats tab, select a computer. On the slideout, ensure that the ThreatLocker Detect tab is selected down the left-hand side of the slideout and then navigate to the Remediator tab.

Select the correct version (x64 or x86) for the target computer.

You will then be presented with the EULA. You will be required to read and accept the EULA before the download will begin.

Installing the Remediator

Before the Remediator can be installed, a policy to permit it must be created. ThreatLocker has a built-in application called ThreatLocker Remediator (Built-In). Create a policy to permit this application at the level needed. For more information on creating Application Control Policies, see: Managing Application Policies | ThreatLocker Help Center (kb.help)

Once a policy has been created to permit the Remediator, be sure to 'Deploy Policies'.

Next, Tamper Protection will need to be disabled on the target computers. (In a future release the need to disable Tamper Protection will be removed.) For more information on disabling Tamper Protection, see: Disable Tamper Protection | ThreatLocker Help Center (kb.help) 

Now the Remediator installer can be run on the target computers.

How to Use the Remediator Tab

Please Note: Only Administrators that have logged into the ThreatLocker Portal using MFA will have access to the Remediator Tab.

Navigate to either the Computers Page or the Response Center > Threats page. Click on a computer or active alert. In the slideout, select the 'ThreatLocker Detect' tab on the left-hand side, and then select 'Remediator' at the top of the screen.

Press 'Connect' to begin a connection.

Once a connection is established, a PowerShell session will be initiated.

At the top of the PowerShell interface is a dropdown where you can select to view only your own commands, or all user account commands.

There is also a dropdown to select a period of time, up to 24 hours, to display commands run within that time frame.

At the bottom of the PowerShell interface is a text box and a blue 'Enter' button.

The textbox can accomodate scripts or single commands. Type or copy/paste commands or scripts into the input box and press the blue 'Enter' button.

The command or script will be run on the target computer and a response will be returned.

The Remediator can only process one command at a time. When a response is pending, the 'Enter' button will be disabled and display a pending animation. 

If the Remediator has not received a command and is not waiting on a response, the session will auto-terminate after 10 minutes. 

To kill a running query, press the 'Disconnect' button.

 

Multi-user Support

The Remediator has been built to support multiple users managing the same computer. In the event another user has already connected to the computer using the Remediator, when the tab is first opened, instead of a 'Connect' button, there will be a 'Disconnect' button. 

Each user will be denotated in the PowerShell interface with their initials at the beginning of the input prompt. When selecting to show 'All User Accounts' in the Commands dropdown, use these intials to differentiate between user commands.

If there is a pending response from another user, you will be unable to press 'Enter'  until the response is received.

 

Was this article helpful?