ThreatLocker Application Control Agent Data Collection

Last update: 03.04.2024

ThreatLocker collects certain metadata from devices to provide the services we offer. ThreatLocker does not share information collected by the ThreatLocker agent with third parties.

The following information is collected by the ThreatLocker agent to register the device.

  1. Computer Hostname
  2. Operating System
  3. IP Address of the Computer
  4. The date and time the agent first connected to the ThreatLocker data centers, and the time it most recently connected

The following information is collected by each module in the "Application Control" category:

  • Default Deny
    • Logged in Username, including the domain name (e.g. DOMAIN\JohnDoe)
    • Action Type (Execute\Install)
    • Timestamp
    • Full Path, including file name and extension
    • File size
    • An irreversible hash of the file
    • Information about the signer and attached certificate of the file
    • The serial number of the storage location where the file executed from
    • The processes responsible for creating and calling the file
  • Elevation
    • Logged in Username of the Computer, including the domain name (e.g. DOMAIN\JohnDoe) and whether that user has administrator privileges
    • Action Type (Elevation)
    • Timestamp of Elevation
    • Full Path, including file name and extension
    • File size
    • An irreversible hash of the file
    • Information about the signer and attached certificate of the file
    • The serial number of the storage location where the file executed from
    • The process that interacted with the file
  • Ringfencing
    • Applications, file paths, registry locations, and IP addresses that a program attempts to interact with
    • The process that triggered this interaction
    • Timestamp
    • File size
    • An irreversible hash of the file
    • Information about the signer and attached certificate of the file
    • The serial number of the storage location where a file is stored

The ThreatLocker Agent also collects the same information for programs and executables found on the computer during the initial baseline. This information is only collected for the initial policy creation and is only stored temporarily. 

ThreatLocker stores information for the retention period defined in the Customer Agreement. The default retention for Application Control is 30 days, but it can be extended for an additional charge or reduced without charge. 
