The ThreatLocker Testing Environment

6 min. read | last update: 05.02.2025

Note: The option to open a testing environment is not available for macOS application requests.

When processing Approval Requests, administrators can leverage the ThreatLocker Testing Environment, a virtual desktop infrastructure (VDI). The Testing Environment will be in Installation mode, enabling the administrator to install the new application in a clean sandbox environment without threat to their own environment. The newly installed application will be evaluated by the ThreatLocker Risk Center, and all findings will be displayed to the admin in real time. 

The Risk Center performs the following evaluations on the application being installed: 

  • Checks the application in VirusTotal to see if any antivirus vendors have flagged it as malicious or suspicious.

  • Checks to see if the application attempts to access data storage locations using canary files. 

  • Checks to see if the application made changes at the System level (e.g. inserting itself into the startup folder). 

  • Checks to see if the application accesses the internet. 

  • Checks to see if the application makes changes to the registry. 

  • Checks the signatures of the application and its dependencies. 

  • Shows all new files that have been installed. 

  • Shows an audit of the activity in real time. 

This enables the administrator to evaluate an application and its behavior on a transient VDI, keeping the administrator's own environment safe from any potential misbehavior, and provides the information needed to make an informed decision on whether to permit the application in their own environment.

From the Approval Request, select the option Open Testing Environment. 

If the application matches an existing application, a different option will be displayed. Selecting the text that states Run in Testing Environment anyway will open the testing environment as well.

Note: The option to open a testing environment will only appear if there is a VDI available and if the user chose to provide a downloadable file when placing their request. Only applications that will fully execute are recommended for the testing environment. Executables and .msi files will usually run, whereas .dll files are better evaluated by running them through VirusTotal.

Once the button is selected, the VDI will open separately from the approval request window. While the VDI is open, your approval window will show this: 

The file from the approval will automatically be downloaded onto the VDI. Select Run Now to begin the installation. 

During the installation, the green Risk Center tabs across the top of the screen will change to red if any suspicious activity is observed in that area.

To expand the Risk Center and view each tab's information, select the expand symbol. 

Here, you can select each individual tab to view the activity associated with that area. In the screenshot below you can see which files were flagged as potentially malicious, by which AV vendors, and whether they classified the file as a specific type of threat.

A tab with no results indicates that no activity was observed in that area. In the screenshot below, the empty Canary tab shows that the application did not attempt to access the canary files located on the VDI.

Select the Network tab to see whether the application made any connection to the Internet. An entry in the Warning column will be shown if the observed activity is suspicious.

Select the Audit tab to view the file activity occurring on the VDI in real time. You can see the path and process path of every file executing and installing on the VDI. New files will be highlighted in orange.

To view only the newly created files, select the New Files tab. 
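As an added illustration (not ThreatLocker's code, and not how the Risk Center is implemented), the script below sorts a constructed set of Audit-tab style events into the tab categories described above, so that any tab with findings is one that would turn red. The canary file, startup folder and Run key locations are assumptions made for the example.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed reference data: a real sandbox plants its own canary files and watches the
# real startup and Run locations. The paths and names here are illustrative only.
CANARY_FILES = {PureWindowsPath(r"C:\Users\admin\Documents\passwords.xlsx")}
STARTUP_DIRS = [r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"]
RUN_KEYS = [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"]

# Constructed audit events in the shape of the Audit tab: (process path, operation, target).
EVENTS = [
    (r"C:\Users\admin\Downloads\setup.exe", "create", r"C:\Program Files\Acme\acme.exe"),
    (r"C:\Program Files\Acme\acme.exe", "create",
     r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acme.lnk"),
    (r"C:\Program Files\Acme\acme.exe", "read", r"C:\Users\admin\Documents\passwords.xlsx"),
    (r"C:\Program Files\Acme\acme.exe", "registry_set",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Acme"),
    (r"C:\Program Files\Acme\acme.exe", "connect", "203.0.113.10:443"),
]

def _under(path: str, parents: list[str]) -> bool:
    """True if path (file path or registry key) lies beneath any of the parent locations."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(d)) for d in parents)

def evaluate(events) -> dict[str, list[str]]:
    """Sort audit events into Risk Center-style tabs; a non-empty tab is one that would turn red."""
    tabs: dict[str, list[str]] = defaultdict(list)
    for proc, op, target in events:
        if op == "create":
            tabs["New Files"].append(target)                 # every new file is listed
            if _under(target, STARTUP_DIRS):                 # persistence via the startup folder
                tabs["System"].append(f"{proc} wrote startup item {target}")
        elif op == "read" and PureWindowsPath(target) in CANARY_FILES:
            tabs["Canary"].append(f"{proc} read canary {target}")
        elif op == "registry_set":
            tabs["Registry"].append(target)
            if _under(target, RUN_KEYS):                     # persistence via a Run key
                tabs["System"].append(f"{proc} added Run entry {target}")
        elif op == "connect":
            tabs["Network"].append(f"{proc} -> {target}")
    return dict(tabs)

def red_tabs(events) -> list[str]:
    """Names of the tabs that observed activity, i.e. the ones an admin should open first."""
    return sorted(evaluate(events))

if __name__ == "__main__":
    for tab, findings in evaluate(EVENTS).items():
        print(f"[{tab}]", *findings, sep="\n  ")
```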

Once the installation is complete, if you deem that this application is safe to permit in your environment, you can choose to add this application to an existing one or create a new application within the organization. 

Selecting the option labeled Add to an existing application will provide you with a dropdown menu of all applications in your organization. Select the one you wish to use to permit this application. 

Note: Built-In applications will not appear here as changes to Built-In applications can only be made by the ThreatLocker Applications team. 


Additionally, if you do not have an existing application in your organization related to the file being requested, you can choose the Install application for the first time option instead. Selecting this option will prompt you to enter the name of the new application you would like to create in the field provided.

Once you have chosen either option, you can select the End and Capture button. Depending on which option you chose, all New Files will be inserted into either the existing application you selected or the new application you are creating.

If this application is not something you wish to permit in your environment, select Discard. No policy will be created, and these files will NOT be saved within your environment. The VDI will be recycled, and you can close the window. 

Note: When exiting your VDI, be sure to close it using either the End and Capture button or Discard. Exiting using the X at the top of the window will not properly recycle the VDI, leaving one less VDI available until the VDI's timer expires (1 hour after opening).

Once your VDI has been closed, if you did not discard the files, the approval request window will appear again and show that your application matches a known application. 

Now, you can go through the regular process to permit your approval request. This includes creating custom rules, creating a new policy if a policy does not already exist, or adding elevation. You can also choose to put the machine in learning mode, installation mode, or monitor mode depending on the user’s needs. 

Note: When using the ThreatLocker Testing Environment to process an approval request for an RMM installer, the Testing Environment will appear as a device in your RMM. This is expected behavior; if it occurs, you can safely remove the device from your RMM without uninstalling it from the VDI, as the VDI is reverted after you finish your request.

Note: Some web browser extensions can affect how the ThreatLocker Testing Environment operates. For more information, please see our article Browser Extensions Affecting the ThreatLocker Testing Environment in the ThreatLocker Help Center.
