When processing Approval Requests, administrators can leverage ThreatLocker's VDI environment when using Installation Mode. This enables the admin to install the new application in a clean sandbox environment, where the file is evaluated by the ThreatLocker Risk Center and the findings are made visible to the administrator.
The Risk Center performs the following evaluations on the application being installed:
- Checks the application in VirusTotal to see if any AV vendors have flagged it as malicious or suspicious.
- Checks to see if the application attempts to access data storage locations using canary files.
- Checks to see if the application made changes at the System level (e.g. inserting itself into the startup folder).
- Checks to see if the application accesses the internet.
- Checks to see if the application makes changes to the registry.
- Checks the signatures of the application and its dependencies.
- Shows all new files that have been installed.
- Shows an audit of the activity in real time.
This enables the administrator to evaluate an application and its behavior on a transient VDI, keeping the administrator's own environment secure and safe from any potential misbehavior, and provides the information the administrator needs to make an educated decision on whether or not to permit this application in their own environment.
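To make the behaviour categories above concrete, here is an added example (not ThreatLocker's code) that models how events from an installer would map onto the Risk Center tabs. The canary file names, startup folder and Run key are assumptions, and the activity log is constructed.

```python
# Added example, not ThreatLocker's code: a minimal model of the behaviour checks behind
# the Risk Center tabs, run over a constructed activity log from an imaginary installer.
from collections import defaultdict

# Assumed locations; the VDI's real canary files and watched folders are not documented here.
STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
CANARY_FILES = {r"C:\Users\user\Documents\Passwords.xlsx", r"C:\Users\user\Desktop\Clients.docx"}

def classify(event):
    """Return the Risk Center tabs one event would appear under ([] if it is benign)."""
    kind, path = event["type"], event["path"]
    tabs = []
    if kind == "file_read" and path in CANARY_FILES:
        tabs.append("Canary")          # probing data storage locations
    if kind == "file_create":
        tabs.append("New Files")       # every new file is listed, flagged or not
        if path.lower().startswith(STARTUP_DIR.lower()):
            tabs.append("System")      # persistence via the startup folder
    if kind == "registry_set":
        tabs.append("Registry")
        if path.lower().startswith(RUN_KEY.lower()):
            tabs.append("System")      # persistence via a Run key
    if kind == "network_connect":
        tabs.append("Network")         # any internet access is surfaced
    return tabs

def evaluate(events):
    """Group events by tab: {tab: [events]} for every tab that would show results."""
    findings = defaultdict(list)
    for ev in events:
        for tab in classify(ev):
            findings[tab].append(ev)
    return dict(findings)

def red_tabs(findings):
    """Tabs that flip from green to red: any activity in a behaviour category."""
    return sorted(tab for tab in findings if tab != "New Files")

# Constructed audit trail (not real telemetry) for a made-up installer, setup.exe.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Program Files\Demo\demo.exe", "process": "setup.exe"},
    {"type": "file_create", "path": STARTUP_DIR + r"\demo.lnk", "process": "setup.exe"},
    {"type": "registry_set", "path": RUN_KEY + r"\Demo", "process": "setup.exe"},
    {"type": "network_connect", "path": "203.0.113.10:443", "process": "demo.exe"},
    {"type": "file_read", "path": r"C:\Users\user\Documents\Passwords.xlsx", "process": "demo.exe"},
]

if __name__ == "__main__":
    print("Red tabs:", red_tabs(evaluate(SAMPLE_EVENTS)))
```

The VirusTotal and signature checks are omitted because they depend on external services rather than observed behaviour.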
From an Approval Request, in the 'Rules' section, select 'Automatically catalog files using a VDI'.
Please note: The 'ThreatLocker VDI' option will only show if there is a VDI available. If all the VDIs are in use, the option will be hidden.
Complete the Approval Request as you normally would and then click the blue 'Save' button in the bottom right-hand corner.
Once you click 'Save', you will receive a URL for the VDI. Click 'Go To VDI' to be taken to the VDI.
The file from the approval will automatically be downloaded onto the VDI. Click 'Run Now' to begin the installation.
During the installation, the green Risk Center tabs across the top of the screen will change to red if any suspicious activity is observed in that area.
To expand the Risk Center and view each tab's information, click on the white expand symbol.
Here, you can click each individual tab to view the activity associated with each area. In the screenshot below you can see which files were flagged as potentially malicious, by which AV vendors, and whether they classified the file as a specific type of threat.
A tab with no results shows that no activity was observed in that area. In the screenshot below, no results in the Canary tab show that the application did not attempt to access the canary files located on the VDI.
Select the Network tab to show any connectivity with the internet; a flag in the 'Warning' column indicates that the observed activity is suspicious.
Select the Audit tab to view the file activity occurring on the VDI in real time. You can see the path and process path of every file executing and installing on the VDI. New files will be highlighted in orange.
To view only the newly created files, select the New Files tab.
Once the installation is complete, you can click 'End and Capture' if this application is something you wish to permit in your environment. This will save the application according to the settings you selected in the approval request. The VDI will be recycled and you can close the window.
If this application is not something you wish to permit in your environment, click 'Discard'. No policy will be created. The VDI will be recycled and you can close the window.
Note: When using the ThreatLocker Testing Environment to process an approval request for an RMM installer, the Testing Environment will appear as a device in your RMM. This is expected behavior; if it occurs, you can safely remove the device from your RMM without uninstalling it from the VDI, as the VDI is reverted after you finish your request.
Note: Some web browser extensions can affect how the ThreatLocker Testing Environment operates. For more information, please see our article 'Browser Extensions Affecting the ThreatLocker Testing Environment' in the ThreatLocker Help Center.