ThreatLocker Security and Privacy

Last update: 11.28.2023

ThreatLocker is committed to data security and privacy. When using ThreatLocker® products and services, ThreatLocker may collect information necessary to provide the services. ThreatLocker ensures that all information and configurations are protected using the best standards in the industry. ThreatLocker implements controls and procedures in line with the following standards: 

  1. CMMC Level 4/5
  2. NIST 800-171 (Required for DFARS 252.204-7012)
  3. CIS Controls V7
  4. ISO 27001/2
  5. HIPAA

Our security controls and practices are audited at least once per year by an independent auditor certified by AICPA, and a SOC 2 Type II report is issued. The results of the audit are available to customers upon request and under a non-disclosure agreement. 

ThreatLocker undergoes regular penetration tests both internally and externally. 

ThreatLocker Cyber Hero Support and Solutions Engineers are available to help customers with configuration and onboarding. Customers are able to granularly configure who has access to their data. Within their organization, they can choose between over 50 permissions for their team. Customers can also choose who on ThreatLocker’s staff can read or change their settings. 

All access and changes are logged and visible within the System Audit, which customers can access by logging into the portal.

All confidential information, as well as information transmitted to or from the agent, is encrypted both in transit and at rest. 

The data that is collected by ThreatLocker is never sold or transferred to third parties. The data collected varies based on the features that are being used. Outlined below is the data collected by each component.

Upon request, ThreatLocker may enter into a DPA (Data Protection Agreement) with your organization to satisfy GDPR or CCPA requirements. 

ThreatLocker Portal

If you are an administrator of your account and log into the ThreatLocker portal, ThreatLocker may collect the following data to identify you or grant you access to the ThreatLocker portal: 

  1. Full name
  2. Address 
  3. Telephone number 
  4. Business email address 
  5. IP address that you access the portal from
  6. Job title 

ThreatLocker may use this information to contact you about alerts or configurations on your account, as well as send you information about updates to our product, outages, or recommendations. 

ThreatLocker Agent

When an agent is installed on your computer, ThreatLocker collects basic information to authenticate your computer and provide services for features that may be enabled. The following information may be collected regardless of which feature sets are enabled: 

  1. Computer public IP address
  2. Computer hostname
  3. Logged-in users, including the domain name (e.g. ThreatLocker\JohnSmith)
  4. Operating system, including build and CPU type (e.g. Windows 10 Professional, AMD64)
  5. Make and Model (e.g. Dell Latitude 5200)
  6. A list of ThreatLocker products and services that are installed or on your computer 

When additional features are enabled, the following information is collected alongside logs of additional features: 

  1. Username, including domain name 
  2. The hostname of the computer 
  3. Date and time an action was taken 
  4. Interface type a hard drive is connected with (e.g. USB or SAS)
  5. The serial number of the disk and volume 

ThreatLocker Allowlisting

The following information is collected when performing an initial baseline scan of your computer: 

  1. A list of all executable files, including libraries, script files, and other supporting application extensions, including the following file information:
    1. File name and path
    2. MD5 and SHA256 hash of the file, and SHA1 (if enabled)
    3. Certificate information from the file, including the certificate subject and an irreversible SHA256 of the signer (we do not collect private keys)
    4. File size
  2. Depending on your policy configuration, ThreatLocker may audit instances of new program files being created or being executed. This includes all of the above information, as well as:
    1. The username of the person who opened the program, including the domain name 
    2. The date and time the program or library was opened 
    3. The name and the process ID of the process that called the program 

ThreatLocker Ringfencing™

ThreatLocker Ringfencing allows I.T. administrators to control what applications can do once they have been executed. Ringfencing™ controls access to other applications, as well as network traffic, file access, and registry changes. 

In order to provide these levels of controls, ThreatLocker logs the following information, which varies based on the configuration of policies: 

Where an application has restricted access to the network, ThreatLocker shall log the following network information for connections that the application attempts or successfully makes: 

  1. All IP addresses, including internal or public IP addresses 
  2. A hostname from the DNS cache matching the IP address 
  3. The TCP/IP port 

Where an application has restricted access to documents and files, ThreatLocker shall log the following file information that the application accesses: 

  1. Full file name, including the path 
  2. File size 

Where an application has restricted access to write to the registry, ThreatLocker shall log the following registry information that the application has attempted to change or has successfully changed:

  1. The full registry key 

ThreatLocker Elevation

ThreatLocker Elevation allows administrators to either temporarily or permanently grant an application administrative permissions. When enabled, ThreatLocker shall log the following additional information: 

  1. Any attempt to elevate, regardless of whether the elevation was completed or not 
  2. Any elevation that ThreatLocker assists with 
  3. The application information, including all information that is collected by the Application Whitelisting module 

ThreatLocker Storage Control

ThreatLocker Storage Control allows I.T. professionals to control access to storage, including USB drives, network shares, or local storage, when enabled and based on policy configuration. ThreatLocker shall log the following information:

  1. Full file name, including the path 
  2. Size of the file 
  3. The action that is taken (i.e. read, write, delete or move) 
  4. The process name, process ID and process path that accessed the file 

ThreatLocker Network Control

ThreatLocker Network Control allows I.T. professionals to control access to the internet and the network and prevent connections from remote hosts when enabled and based on policy configuration. ThreatLocker shall log the following information:

  1. IP address of remote hosts
  2. Source port and destination port of the connection
  3. Local IP address
  4. Hostname resolved from DNS
  5. The process name, process ID, and process path that accessed the file 

ThreatLocker Tray

The ThreatLocker tray is an application that allows users to request access to a program or storage device easily. The tray application displays a message to a user when something is blocked. If a user requests access to a file, the following information is recorded: 

  1. The user's login name and domain name 
  2. File information, as listed in the feature section (e.g. Application Whitelisting) 
  3. The user’s email address, if they explicitly enter it, in which case the user will be notified when the file is approved 
  4. The reason the user wishes to open the file, if the user entered a reason, which is optional 
  5. The file contents, but only if the box is checked to upload a copy of this program for review 

ThreatLocker shall not make use of the information collected for any reason other than processing the request. 
