<h2 aria-level="1" role="heading" lang="EN-US" class="Paragraph SCXW67014337 BCX8">Overview<span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335557856&quot;:16777215,&quot;335559738&quot;:360,&quot;335559739&quot;:480}" class="EOP SCXW67014337 BCX8">&nbsp;</h2>
<blockquote>
Note: Requires ThreatLocker Windows Agent Version 10.3 or greater.
</blockquote>
The first few bytes of a file are called "magic bytes" and they tell the operating system if a file is executable, disregarding the file's named extension (such as "jpg", "exe", etc.).&nbsp;
Attackers can manipulate executable files, renaming them with non-executable file extensions, such as taking a file named 'malware.exe' and changing it to 'invoice.pdf', which can trick systems and users.&nbsp;
The Option "EnableHexCode" can be enabled in ThreatLocker to allow the ThreatLocker Agent to use the hex code of a file to determine what type of file it is. See the associated article <a rel="noopener noreferrer" href="https://threatlocker.kb.help/options-tab-choices-and-descriptions-for-the-computers-page-the-computer-groups-page-and-the-entire-organization-page/" target="_blank">here</a> for more information on enabling Options.
<h2 aria-level="1" role="heading" lang="EN-US" class="Paragraph SCXW67014337 BCX8">Warnings</h2>
Enabling this Option may lead to additional denies. If you are going to enable this option, it is highly recommended to either be in Learning Mode or slowly roll out the deployment. You can enable this Option at a single computer or group level for initial testing before deploying across the organization.

OVERVIEW 

> Note: Requires ThreatLocker Windows Agent Version 10.3 or greater.

The first few bytes of a file are called "magic bytes" and they tell the operating system if a file is executable, disregarding the file's named extension (such as "jpg", "exe", etc.). 

Attackers can manipulate executable files, renaming them with non-executable file extensions, such as taking a file named 'malware.exe' and changing it to 'invoice.pdf', which can trick systems and users. 

The Option "EnableHexCode" can be enabled in ThreatLocker to allow the ThreatLocker Agent to use the hex code of a file to determine what type of file it is. See the associated article for more information on enabling Options.


WARNINGS

Enabling this Option may lead to additional denies. If you are going to enable this option, it is highly recommended to either be in Learning Mode or slowly roll out the deployment. You can enable this Option at a single computer or group level for initial testing before deploying across the organization.

Understanding Magic Bytes in ThreatLocker

Custom Notes

Web Control Module

The Remediator

Elevation Control Module

Windows and Mac Feature Comparison

Understanding and Changing the Module Options on the Organizations Page

Options Tab: Choices and Descriptions: for the Computers Page, the Computer Groups Page, and the Entire Organization Page 

How to Use Multiple Parameters in a Single Search Field in the Unified Audit 

Creating a New Organization

Creating Tags

Disable Tamper Protection

Guide to Using the Reports Page 

Help Desk

Login Settings

Navigating the Administrators Page

Passwordless Authentication 

System Audit Page

How to Enable O365 SSO 

Storage Policy Tray Notifications

Deleting Applications/Storage Devices applied to policies

Post Request URL

Realtime Action Log

ActiveX Control Files (.ocx)

How to Use a Template Organization

Isolate/Lockdown/Screen Lock Selected Computer(s)

Setting a Default Time Period for Elevation

ThreatLocker Detect

Configuring Logout Timer Settings for the Organization

Enabling a Proxy Server

Forwarding Information to Splunk using ThreatLocker Detect

Applications Page

ThreatLocker Configuration Manager 

Cloud Detect

Cyber Hero Managed Detection and Response

API Users

Mutual Action Plan

Allowing End User to Self-Approve Applications

ThreatLocker Administrator Password System (TLAPS) 

The ThreatLocker Detect Alert Center

Response Center

ThreatLocker Detect Alert Sidebar - Response Details

Enhanced Token Theft Protection

The Application Store

ThreatLocker Access App and  Devices Page

Creating Named Locations to Use in M365 Conditional Access

Triggered Installation Mode

Elevation UAC Customization

Detect Dashboard

Patch Management

Customizing the Request Window Appearance

Cloud Control

Configuration Manager Policies

How to Copy Policies

Using the Group By Function in the Unified Audit

Forwarding Information to your SIEM using ThreatLocker Detect

Optimizing Performance with Network Control Policy Placement

Utilizing the Not Learned Status

Password Recovery

Using the Approval Center

Definitions of ThreatLocker Detect Variables

Schemas and Queries to use with Microsoft Sentinel and ThreatLocker Detect

Application Control Monitor Only Appearing When Dotnet DLL Options are Enabled

Navigating the Defense Against Configuration Dashboard

Scheduling and Building Custom Reports

Creating a Policy for a Local User Group

How to Upgrade a Machine From Windows 10 to 11 Using DAC

Scheduling ThreatLocker Agent Updates

Incident Center

Portal Guides

Search our Knowledge Base