Long Arrow Right External Link angle-right Search Times Spinner angle-left

ThreatLocker Override Codes

ThreatLocker override codes allow you to disable Application Control blocking on a computer that does not have access to the internet or the ThreatLocker Data Centers. 

ThreatLocker Override Codes require version 5.25 or above. 

Under your account, you will see an Application Called ThreatLocker Override Codes. This application gives you a list of automatically generated override codes for your account. If you edit the application you will see a list of SHA256 representations of the codes. The codes are stored in an irreversible hash format to stop attackers from reading the code on the computer and entering it manually. 

To access the ThreatLocker Override Codes: 

  • Select Application Control > Applications from the navigation menu. 
  • Search for the Application named ThreatLocker Override Codes 
  • Edit the Application.
undefined
  • For your convenience, ThreatLocker has stored the unhashed password in the notes field. We recommend you take note of these passwords and store them in a secure location.   
  • You can add additional override codes by adding a SHA256 of the code in the Path AND the Hash. Make sure you store the unencrypted password in a secure location. You can generate a SHA256 by visiting https://codebeautify.org/sha256-hash-generator

By default the Override codes policy is disabled. You can either enable the standard override code policy or create your own override policy. 

Please note that override policies must be named "ThreatLockerOverride".

You can also create override policies at individual computers, groups, or MSP global level. 

Creating a new Override Policy

Navigate to Application Control > Policies.

Select the New Application Policy button.

Name the Policy ThreatLockerOverride.

undefined

Under 'What applications does this policy apply to?', select ThreatLocker Override codes and then click 'Add'.

undefined

Under 'Do you want this policy to apply to the entire organization or a selected computer group?', select the group you would like to place this policy on.

undefined

All other settings can be left at their defaults. Remember to click 'Save'.

To access your override codes, click on the smaller font name under the policy name. This will open the Application definition where you can access the codes as needed.

undefined

undefined

To enable the default override policy:

  • Select Application Control > Policies from the Navigation Menu
  • Select Entire Organization in the top right corner. 
  • Toggle the On/Off switch to the On position in the portal. 
undefined

Once you use an override code, you should delete the code from the Application. The code will then be disabled and the computer comes online, it will become ineffective. 

How to activate an override code on ThreatLocker Agent 5.29 and above

From the ThreatLocker Portal, navigate to Application Control > Policies. Find your Override Policy. Click the smaller font below the Policy name to open the Application Definition.

undefined

Expand one of the entries and copy the unhashed key from the 'Notes' section as shown below.

undefined

From the ThreatLocker Tray Icon, select the option "Override" -- this will populate a text box where you will enter the key. Enter that key in this textbox and click "Save".

undefined

Once an override code has been used, you should immediately delete it from your application list.

Override codes expire when the hash value is removed from the application, and the ThreatLocker service has been restarted on the endpoint. Supplemental conditions include: the device has to check-in again to register that the key is no longer relevant.

In the Unified Audit, files that were permitted while in Override will appear as a green deny. When you expand the audit entry, you will see a green tag at the bottom of the entry that says 'Override'.

undefined

IMPORTANT NOTE: Before an override code will be removed from your endpoint, the computer will need to successfully check-in AND the ThreatLocker Service needs to be restarted.

How to activate a temporary override code on older ThreatLocker Agent versions

Note: The following instructions are applicable to agents between 5.25.10.1050 and 5.29
  • To use the temporary override code, create a new text file:-
  • c:\programdata\threatlocker\ override.txt 
  • Enter the password in the file in its original format (not SHA). Once you save the file, ThreatLocker will stop blocking within 10 seconds.