ThreatLocker Application Control Quick Start Guide
Our service is delivered from the cloud and requires a small agent to run on each computer. After signing up for a free trial of ThreatLocker, you will receive an email with login details for the ThreatLocker Portal.
Accessing the ThreatLocker Portal
To access the ThreatLocker portal:
- Navigate to https://portal.threatlocker.com
- Log in using your email address and the newly created password.
Downloading and Installing ThreatLocker
- Navigate to the Computers page using the menu on the left-hand side of the portal.
- Select the "Install New Computer" button at the top.
In the popup window that follows, all groups within the currently managed organization will be displayed along with installers for each group.
- Select the download button under the group that you wish to deploy to.
Note: Do not rename the installer, as the installer code in the file name is required.
ThreatLocker policies are assigned to computer groups. During the installation, ThreatLocker will automatically add the computer to the corresponding group based on the downloaded installer.
We also have a number of scripts for deploying the agent through your Remote Monitoring and Management (RMM) tool.
After installing the ThreatLocker client, your computer will automatically be scanned for existing software.
Within a few hours, new policies will automatically be created for the files we found on your computer. These policies act as a baseline of what is already installed.
Working with your existing antivirus
ThreatLocker runs alongside existing antivirus products; it will neither conflict with nor interfere with your AV.
However, you may need to create exclusions to prevent your antivirus from blocking or quarantining the ThreatLocker agent. See our Working with your existing antivirus article for the current list of required exclusions.
Reviewing and Managing your Policies
After a few days of running ThreatLocker in Learning Mode, we recommend you review the automatically created policies and see if there are any applications that you do not want to permit. To review automatically created policies:
- Select Application Control > Policies from the left navigation menu.
- Select the Computer Group from the top right dropdown list.
- Review the list of the policies created automatically.
- If you do not wish to permit one of these applications, delete its policy, or select the policy and select the Deny button.
Note: Exercise caution when denying applications that interact with the kernel, such as drivers. Blocking their files while they are still installed can leave the system unstable, so we recommend you uninstall these applications before blocking them.
In Learning Mode, Application Control deny policies are not enforced (the execution is still recorded in the audit so you can review it), but Ringfencing and Storage Control policies continue to protect your systems.
Reviewing the Audit
After you are happy with the automatic Policies that have been created, you may use the Unified Audit to review what files are executing and which Policies apply.
- Select Unified Audit from the ThreatLocker Portal menu.
The audit page displays a list of all Applications and libraries that are executed on your computers.
- Select Execute from the Action Type dropdown box.
- Enter the name of the default policy in the Policy Name search box and select Search. While a computer is in Learning Mode, this shows the executions that would have been blocked by the default deny policy once protection is enabled.
If you wish to deduplicate the results, use the Group By dropdown list to group by hash or by path. Grouping by hash collapses the same binary wherever it ran; grouping by path collapses every version seen at one location, which is useful for spotting software that changes its hash on every update.
Permitting Software that was not Automatically Profiled
ThreatLocker does not automatically profile software in certain folders, such as the Desktop and Downloads folders, or software whose behaviour resembles known suspicious patterns. You may permit this software manually from the audit: expand the item in the audit and select the Permit button. Before doing so, confirm that the file is what you expect, since anything in these folders is there because a user downloaded or copied it rather than because an installer placed it.
Q: What about software that keeps hitting the deny policy after I have permitted it?
If software keeps hitting the default policy after you have permitted it, the software is probably self-updating, unsigned, and/or not a known application, so each update produces a new hash that the existing permit does not cover. We recommend you contact ThreatLocker for assistance in creating a restrictive policy that will allow this software to run without permitting it by individual hash.
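The following is an added example, not ThreatLocker's own code or tooling, showing the two audit checks described above (filtering Execute events, grouping by hash versus path) and how the "keeps hitting the default policy" symptom looks in the data: the same path denied under several different hashes. The row layout, the policy names and the sample rows are constructed for illustration; a real Unified Audit export has different columns and would need to be mapped into the AuditRow shape first. The Desktop/Downloads substring match is likewise an assumption.

```python
"""Triage a ThreatLocker-style Unified Audit export by hash or by path.

Added example, not ThreatLocker's own code or tooling. The row layout and
the sample rows below are constructed for illustration; a real export's
columns will differ, so map them into AuditRow before using this.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Folders the guide says are not auto-profiled in Learning Mode. Matching
# by path substring is an assumption; adjust for non-default profile roots.
UNPROFILED_FOLDERS = ("\\desktop\\", "\\downloads\\")


@dataclass(frozen=True)
class AuditRow:
    host: str
    action: str    # Action Type column, e.g. "Execute"
    path: str
    sha256: str    # shortened fake hashes in the sample data
    policy: str    # name of the policy that matched
    outcome: str   # "Permit" or "Deny" as recorded by that policy


TOOL = "C:\\Users\\alice\\AppData\\Local\\Tool\\tool.exe"
NOTEPAD = "C:\\Windows\\System32\\notepad.exe"

# Constructed sample rows: one permitted vendor app, a self-updating tool
# that keeps hitting the default deny policy with a different hash each
# time, an unprofiled download, a known Windows binary seen on two hosts,
# and one non-execute event that the Execute filter must drop.
SAMPLE_AUDIT: List[AuditRow] = [
    AuditRow("WS01", "Execute", "C:\\Program Files\\Vendor\\app.exe", "a1a1", "Vendor App", "Permit"),
    AuditRow("WS01", "Execute", TOOL, "b1b1", "Default - Deny", "Deny"),
    AuditRow("WS01", "Execute", TOOL, "b2b2", "Default - Deny", "Deny"),
    AuditRow("WS02", "Execute", TOOL, "b3b3", "Default - Deny", "Deny"),
    AuditRow("WS02", "Execute", "C:\\Users\\bob\\Downloads\\setup.exe", "c1c1", "Default - Deny", "Deny"),
    AuditRow("WS01", "Execute", NOTEPAD, "d1d1", "Windows", "Permit"),
    AuditRow("WS02", "Execute", NOTEPAD, "d1d1", "Windows", "Permit"),
    AuditRow("WS01", "Read", "D:\\share\\report.docx", "e1e1", "Storage - Share", "Permit"),
]


def filter_action(rows: List[AuditRow], action: str = "Execute") -> List[AuditRow]:
    """Equivalent of picking an Action Type in the audit's dropdown."""
    return [r for r in rows if r.action == action]


def hits_for_policy(rows: List[AuditRow], policy: str) -> List[AuditRow]:
    """Equivalent of searching the Policy Name box."""
    return [r for r in rows if r.policy == policy]


def group_by(rows: List[AuditRow], key: str) -> Dict[str, List[AuditRow]]:
    """Deduplicate like the audit's Group By control; key is "hash" or "path".

    Grouping by hash collapses the same binary wherever it ran; grouping
    by path collapses every version ever seen at that location.
    """
    if key not in ("hash", "path"):
        raise ValueError("key must be 'hash' or 'path'")
    groups: Dict[str, List[AuditRow]] = defaultdict(list)
    for r in rows:
        groups[r.sha256 if key == "hash" else r.path.lower()].append(r)
    return dict(groups)


def self_updating_candidates(rows: List[AuditRow]) -> Dict[str, List[str]]:
    """Paths denied under more than one hash.

    A hash-based permit will not stick for these, because every update is
    a new file; this is the case the guide says to raise with ThreatLocker
    so a restrictive policy can cover the application rather than one hash.
    """
    hashes: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if r.outcome == "Deny":
            hashes[r.path].add(r.sha256)
    return {p: sorted(h) for p, h in hashes.items() if len(h) > 1}


def unprofiled_hits(rows: List[AuditRow]) -> List[AuditRow]:
    """Executions from folders Learning Mode does not profile automatically."""
    return [r for r in rows if any(f in r.path.lower() for f in UNPROFILED_FOLDERS)]


if __name__ == "__main__":
    execs = filter_action(SAMPLE_AUDIT)
    print(f"{len(execs)} execute events, {len(group_by(execs, 'hash'))} unique hashes, "
          f"{len(group_by(execs, 'path'))} unique paths")
    for r in hits_for_policy(execs, "Default - Deny"):
        print(f"denied: {r.host} {r.path} {r.sha256}")
    for path, hashes in self_updating_candidates(execs).items():
        print(f"self-updating? {path} seen as {', '.join(hashes)}")
    for r in unprofiled_hits(execs):
        print(f"not auto-profiled, review before permitting: {r.path}")
```

On the constructed data, grouping by hash yields six entries while grouping by path yields four: notepad.exe collapses to one row either way because it has one hash, but tool.exe only collapses under the path view, and that is exactly the signature of software that will keep hitting the default policy after a hash-based permit.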
Locking Down your Computers
Once you are satisfied that you have the policies you require, you may take the computers out of Learning Mode to lock them down. Once protection is enabled, only applications that match a permit policy can run; anything else is blocked by the default deny policy.
To Lock Down:
- Navigate to the Computers page.
- Select the computers you want to lock down, or use the select all checkbox, and select the Enable Protection button - the 'select all' checkbox only selects the computers on the page you are viewing.
For a single machine, you may select 'Secured' from the quick dropdown menu in line with the computer you want to lock down.
- Select Deploy Policies so that the change is pushed to the selected computers.