Note: This is a guide for the Windows agent. For instructions on installations for other operating systems, please navigate to the following articles:
MAC Agent Installation | ThreatLocker Help Center
Linux Agent v2.0+ Installing and Uninstalling process | ThreatLocker Help Center
Deploying ThreatLocker to Windows XP | ThreatLocker Help Center
Our service is delivered from the Cloud and requires an agent to run on each computer. After signing up for a free trial of ThreatLocker, you will receive an email with login details for the ThreatLocker Portal.
Accessing the ThreatLocker Portal
To access the ThreatLocker Portal:
- Navigate to https://portal.threatlocker.com
- Log in using your email address and the newly created password.
Downloading and Installing ThreatLocker
ThreatLocker can be installed onto your machine through two different methods. The first is done through the 'Devices' tab.
The 'Devices' tab can be located on the left-hand side of the portal.
By selecting the 'Devices' tab, a new page will open that displays all devices in the organization.
There is now a button at the top-left corner of the page labeled 'Install Computer'. Selecting this button will open a popup window to download the ThreatLocker Installer.
Alternatively, each page of the ThreatLocker Portal has an 'Install Computer' button at the top right side of the page, located between the 'Help Desk' and 'Deploy Policies' buttons.
Selecting either of these buttons will open a popup window to download the ThreatLocker Installer.
The popup window will provide two dropdown menus pertaining to your deployment method. Here, you can select 'Manual Deployment' or deployment from a variety of RMM options.
The following link will provide you with a list of Knowledge Base articles associated with other ThreatLocker deployment methods:
Additionally, selecting the RMM method of deployment also provides you with the installation script (1) and a link to a set of step-by-step instructions on how to deploy the installation script via the chosen RMM (2).
If you are deploying with the 'Manual Deployment' method, select the dropdown menu labeled 'Select your deployment method', then select the option 'Manual Deployment'.
Next, use the dropdown menu labeled 'Computer Group' to select the computer group that this machine will belong to. In this example, the machine we are installing will belong to the 'Workstations' Computer Group.
Note: It is important that you select the correct Computer Group for the device as this will determine what group the machine will be installed into. This will be useful when creating group policies for specific computer groups later on.
Once the Computer Group is selected for the machine, options for the installation method will appear. ThreatLocker offers 3 different types of Manual Deployment installation methods:
- Stub Installer
  - (x64) Stub Installer
  - (x86) Stub Installer
- MSI Installer
  - (x64) MSI Installer
  - (x86) MSI Installer
  - (ARM) MSI Installer
- PowerShell Script
Note: Do not rename the installer. The installer code in the file name is required and if changed will cause the installation to fail.
Choose the installer that you want for your machine by selecting the corresponding button on the page. Once selected, your installation should start automatically.
After installing the ThreatLocker client, your computer will automatically be scanned for existing software.
Within a few hours, new policies will automatically be created for the files we found on your computer. These policies act as a baseline of what is already installed.
Working with your existing antivirus
ThreatLocker is able to work alongside existing antivirus software. We will neither conflict nor interfere with your current AV.
However, you may need to create exceptions to prevent your antivirus from blocking ThreatLocker. Please review the following article for the up-to-date exclusions required:
Working with Your Existing Antivirus | ThreatLocker Help Center
Reviewing and Managing your Policies
After a few days of running ThreatLocker in Learning Mode, we recommend that you review the policies that were automatically created to see if there are any applications you do not want to be permitted. To review automatically created policies:
- Select the 'Modules' tab dropdown, then 'Application Control' from the left-hand navigation menu.
- Change the tab from Applications to Policies utilizing the buttons on the top right portion of the screen.
- Change the Applies To dropdown menu to the group you would like to check. This dropdown contains all levels of policies that exist in your organization, including ones for the Entire Organization, Global, Computer Group, and individual machine. In this example, we will be reviewing policies that were permitted for the TESTTL machine.
You can now review all of the policies that have been created in your organization. This list also shows the Policy Action, which is a quick way to see whether a policy is permitted, denied, ringfenced, or elevated for that group or computer.
By selecting the individual policy, a popout window will appear labeled 'Edit Application Policy'. This window will allow you to change the parameters of the policy.
You can change the policy to 'Deny' by changing the 'Actions' from 'Permit' to 'Deny', then selecting 'Save'.
Alternatively, you can delete the policy by selecting the trashcan icon on the right-hand side of the screen.
Note: Exercise caution when removing applications that may interact with the kernel. We recommend you uninstall these applications before blocking them.
Learning Mode will bypass all Application Allowlisting Deny Policies but does not stop our Advanced Ringfencing or Storage Control Policies from protecting your systems.
Reviewing the Audit
After you have reviewed your automatic policies that have been created, you can utilize the Unified Audit to review what files are executing and which Policies apply.
Select 'Unified Audit' from the left-hand menu.
The Unified Audit displays a list of all Applications and libraries that are executed on your computers.
From here, you can set filters to simplify use of the Unified Audit. In this example, the 'Action Type' dropdown menu has been set to 'Execute'. After this, select the 'Advanced Filter' button located to the right of the 'Search' button.
Once the 'Advanced Search' popup appears, you can then change the 'Field' dropdown to 'Policy Name' and insert your desired application name into the 'Keyword' space. Select search after this is done.
You will now be shown a list of audit logs that meet the inserted parameters.
Permitting Software that was not Automatically Profiled
ThreatLocker does not automatically profile software in certain folders, such as the Desktop and Downloads folders, or other software whose behaviour resembles that of suspicious software. You may permit this software manually from the Unified Audit.
Selecting one of the logs in the Unified Audit will open a popout window.
From this window, the user is given the option to permit the application. Select the button labeled Permit Application shown at the top of the screen.
Selecting this button will open the Permit Application window. Instructions on how to permit applications from this window can be found in the following article:
Q: What about software that keeps hitting the deny policy after I have permitted it?
If you find that software keeps hitting the default Policy after you have permitted it, the software may be self-updating, unsigned, and/or not a known Application. We recommend you contact ThreatLocker for assistance in creating a restrictive policy that will allow this software to run.
Securing your Computers
Once you are satisfied that you have the policies you require, you may take your computers out of Learning Mode and Secure them. This ensures that anything that has not already been permitted is denied.
To Secure your machine, navigate to the Devices page utilizing the left-hand menu.
From here, all machines in the organization will be listed. Select the machines you want to put in Secure Mode and then select the Secure Mode button.
Additionally, you can choose the Select All Checkbox to select all machines at once, then select the Secure Mode Button.
Confirm if you want to continue with the computers you have selected.
After selecting 'Yes', your selected machines will now be put into 'Secured Mode'.
Select the 'Deploy Policies' button after this is done.