Table of Contents
Application Requests | Elevation Requests | Web Control Requests | Storage Requests | Approval Request Window Tabs
The Approval Center allows you to view requests sent in from your end users for Application Control, Elevation, Web Control, and Storage Control access. The Approval Center is located in the Response Center > Approval tab.
The hostname and storage device where each request originated are listed, along with the requested action type (Read or Write for Storage Control, Execute for Application Control, Network for Web Control, or Elevate for Elevation). Following this are details on the requested file path, the request's status, when it was last updated, the request date, request info, who the request was assigned to, and actions you can take on the request.
To navigate to the Approval Center, select the ‘Response Center’ tab from the left-hand menu.
Application Requests
Application Requests provide the user with the necessary information to identify a request. Users will be able to see the following information from a request if it is available:
- Full Path – The path where the requested file is located.
- Process – The process that the file was called from.
- Certificates – Who the file is signed by.
- Username – Username of the user who requested the application.
- Reason – Reasoning from the user; they can put anything into this text field.
- Hash – The hash of the file generated from the unique ThreatLocker hashing algorithm.
- Sha256 – The Sha256 hash belonging to the file; this is also a unique identifier.
- Created By – The process that created the requested file.
- Request Date – Date and time that the request was created.
- Organization Name – The organization that the requesting user is from.
- Hostname – The hostname of the machine; this can also include its make and model.
- Approval Status – Status of the application request.
Below the file details will be buttons for ‘Virus Total’, ‘Download File’, and ‘Insights’.
Selecting the VirusTotal button will open a VirusTotal page on the requested file.
You can use this feature to review if any security vendors have previously reported this file’s hash as malicious.
You can select the ‘Download File’ button to download the file directly to your machine. This is useful when the VirusTotal button does not yield a result as the downloaded file can also be run through VirusTotal.
Lastly, selecting the ‘Insights’ button will open a popup window displaying anonymized data about the file which ThreatLocker has collected across its customer base including file insights, connections, permit history, popularity, and risk score. For more information on insights, see:
If the request made had a downloadable file, it will also allow you to run the file in a virtual testing environment.
Select the ‘Open Testing Environment’ button to open a VDI.
If the file being requested matches a known application, the option to open a testing environment will appear like this:
If you have any questions regarding the ThreatLocker testing environment, please consult the following article:
The next section allows you to choose which application you will use to make a policy. For this example, the file already matches an existing application. Select the dropdown arrow to see which application(s) match.
If you do not want to use a known application, you can also select the ‘Do not use known application’ button, which appears under the ‘Matching Applications’ dropdown menu.
Selecting this button instead provides you with two new options for permitting your application: New Install or Update Existing.
- New Install – Allows you to create a new application by providing all information necessary to create a new policy.
- Update Existing – Allows you to choose from a list of existing applications within your organization. If a policy already exists for the user requesting access, you can use it or create a new one.
After the application has been chosen, you should also select ‘Add Dependencies’ if necessary. This prompt will appear if there are other associated files the application is known to have that it may be dependent on. This can be resolved by approving the request using a Built-In application, or by running it through the ThreatLocker Testing Environment. You can also set the machine into Application Control Installation Mode through this approval request window to ensure that all related files are also learned into the newly created policy.
Now, you can move on to the section titled ‘How do you want to allow this software?’. Here, you will be given four options to approve this software:
- File Hash or Custom Rules – Approving software by hash is the most secure method. Approving software using custom rules is a good way to permit software that has similar file paths and comes from the same directories as other software. Custom rules can be set within this window. If you have any questions regarding custom rule creation, please consult the following article:
- Temporarily Disable Protection for one hour and learn installed files with Application Control Installation Mode – Installation mode is a feature that allows users to create a new application consisting of all files that are ‘Installed’ during the application’s installation. This can be enabled within this window, and an additional switch labeled ‘Start Installation Mode Upon File Execution’ can also be selected. If turned on, this will give you an option for how long Installation Mode will be on the machine. By default, ThreatLocker will select 7 days. The minimum time will be 1 hour; the maximum will be 30 days.
- Temporarily Disable Protection for one hour and learn all installed files and executed files with Application Control Learning Mode – Selecting this mode will automatically enable Application Control Learning Mode for one hour. This will learn all files that are installed or executed on the machine within that hour-long period.
- Temporarily Disable Protection for one hour and do not learn any files but log monitored activity with Application Control Monitor Only Mode – This option will set Application Control Monitor Only Mode on the machine for one hour. This will not learn any files, but it will log all files that are run during the time that this option is enabled. During this period, there will be no restrictions on what applications can be run on the machine.
Note: Application Control Installation Mode can only be set up on this screen. It is no longer available on the ‘Devices’ page.
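To illustrate the trade-off in the ‘File Hash or Custom Rules’ option, the following added example (not ThreatLocker code) evaluates a hash rule and a path rule against the same constructed files. The glob pattern is an assumed stand-in for a custom rule, SHA-256 stands in for the ThreatLocker hash, and the application name and paths are hypothetical.

```python
import fnmatch
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One execution attempt: where the file lives and what its bytes are."""
    label: str
    path: str
    content: bytes  # constructed stand-in for the file's bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def permitted_by_hash(event: FileEvent, approved_hashes: set[str]) -> bool:
    """Hash rule: only byte-identical copies of the approved file match."""
    return sha256_hex(event.content) in approved_hashes


def permitted_by_path(event: FileEvent, patterns: list[str]) -> bool:
    """Path rule: any file whose path matches a pattern is permitted.
    Windows paths are case-insensitive, so compare lowercased strings."""
    path = event.path.lower()
    return any(fnmatch.fnmatchcase(path, p.lower()) for p in patterns)


# Constructed sample data (hypothetical application and paths).
APP_DIR = "C:\\Program Files\\ExampleApp\\"
REQUESTED = FileEvent("requested file", APP_DIR + "app.exe", b"ExampleApp build 1.0")
EVENTS = [
    REQUESTED,
    FileEvent("vendor update", APP_DIR + "app.exe", b"ExampleApp build 1.1"),
    FileEvent("unrelated file, same folder", APP_DIR + "other.exe", b"not ExampleApp"),
    FileEvent("unrelated file, other folder", "C:\\Users\\Public\\other.exe", b"not ExampleApp"),
]
HASH_RULE = {sha256_hex(REQUESTED.content)}
PATH_RULE = [APP_DIR + "*.exe"]  # assumed glob syntax, not ThreatLocker's own


def compare_rules() -> dict[str, tuple[bool, bool]]:
    """Return {label: (permitted_by_hash, permitted_by_path)} for each event."""
    return {
        e.label: (permitted_by_hash(e, HASH_RULE), permitted_by_path(e, PATH_RULE))
        for e in EVENTS
    }


if __name__ == "__main__":
    for label, (by_hash, by_path) in compare_rules().items():
        print(f"{label:30} hash={by_hash!s:5} path={by_path}")
```

The hash rule stops matching as soon as the file's bytes change, including a legitimate vendor update, while the path rule keeps matching any file placed under the permitted folder.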
In the ‘Applies To’ section, select which device or devices this policy will apply to. You can select between:
- This Computer – Applies the policy only to the machine that requested the application.
- Computer Group – Applies the policy to the computer group that is selected. A dropdown listing all of the available computer groups will populate if this is chosen.
- Entire Organization – Applies the policy to every device within the organization.
In the ‘Conditions’ section, you can set your policy expiration. By default, the policy will be permanent, but you can use the slider bar provided to set it for a shorter amount of time if the user does not require permanent access to this application.
Finally, in the ‘Actions’ section, you can select to permit the application with or without Ringfencing. For questions regarding ringfencing and setting it up on a policy, please consult the following article:
You can also apply elevation in this section.
By default, ThreatLocker will not apply elevation to your application. Selecting ‘Elevate’ will grant the user admin access for that application while the elevation policy is in place. If ‘Elevate’ is selected, ThreatLocker will automatically select permanent elevation. You can utilize the slider bar provided to select a different amount of time that elevation is active. The same will apply to silent elevation. For further questions regarding elevation, please consult the following article:
Once all parameters have been filled out to your liking, within the ‘Request Details’ tab, navigate to the bottom of the page.
Here, you will be able to Approve or Reject the request based on your findings. Selecting the ‘Approve’ button will create a new policy based on the parameters you input in the approval request window.
Selecting ‘Reject’ will open a popup window titled ‘Reject Approval Request’. Here, you will need to input a title and reason regarding why the request was rejected. You can also select the checkbox provided at the bottom labeled ‘Notify Requester’ to send this rejection message to the user that requested the application.
Select the ‘Submit Rejection’ button when you have filled out all necessary fields.
The rejection button can be used for cases in which a user requests malicious software that should not be permitted. It can also be used whenever a user requests software that is not malicious but doesn’t belong in your environment (e.g. gaming software).
Once you have approved or rejected the approval request, it will disappear from the ‘Pending’ status page of the Approval Center.
Elevation Requests
Elevation requests will follow a similar format to Application Control requests, with Elevation (and an Elevation expiration, if you have specified a default Elevation time frame for your organization) enabled automatically.
Elevation requests are received when files that are already permitted to execute are attempting to run with elevated permissions. The process of approving or rejecting is similar to Application Control requests. All information included in the request remains the same, including file information, the ability to run through a testing environment, and the ability to create a new policy.
The main difference here is that while application control requests select ‘Do not Elevate’ by default, elevation requests automatically select ‘Elevate’ for you.
You can evaluate this elevation request as you would a normal application control request. Then, you can choose how long you would like to permit elevation for. By default, permanent elevation will be selected, but you can use the slider bar provided to change this.
Note: The Elevation Time Period cannot be set to last longer than the Policy Expiration.
Once all parameters have been properly selected, you can approve the request. You can also select to reject the request.
Approving or rejecting the request will remove the elevation request from the ‘Pending’ status page of the Approval Center.
Web Control Requests
Web Control is used to limit websites that users with ThreatLocker can access. If a user is denied access to a website and ‘Allow User to Request’ is switched on, the user will be able to request access to websites they are restricted from using.
Selecting the Web Control request will show you details regarding the request that was made. This includes the following if the information is available:
- Domain – Site being requested.
- IP Address – The IP address belonging to the requested domain.
- Process Path – Where the request originated from. This will be the browser used to navigate to the restricted website.
- Policy Matched – Name of the policy that denied access to this website.
- Username – Hostname and username of the user that requested access to this website.
- Reason – Optional reasoning provided by the user.
- Request Date – When the request was made.
- Organization Name – Which organization this user belongs to.
- Hostname – Hostname of the machine that the user requested access from.
- Approval Status – Status of the approval.
Approval Status – Status of the approval.
Under the details section, a VirusTotal link will be provided. This link will search the domain name on VirusTotal and retrieve information on whether or not this domain has been reported as malicious. This function operates similarly to the VirusTotal button provided along with Application Requests and Elevation Requests.
Under the VirusTotal button, you will be able to create a new Web Control Policy or use an existing policy. By default, the field when ‘Create New Policy’ is selected will populate the domain or network address if no other name for the policy is chosen.
In the ‘Applies To’ section, you can select who this policy applies to. By default, ThreatLocker will select to apply the policy to the computer it was requested from, and to all Users & Groups on that machine. You can change this to apply to a specific computer group or the entire organization. You can also apply the policy to only specifically selected users or groups.
Lastly, the ‘Conditions’ section will allow you to add additional domains, IPv4, and IPv6 addresses to this policy. You can also choose specific categories instead of domains to add here. ThreatLocker will populate the requested domain by default.
At the bottom of the ‘Conditions’ section, users will also be provided with a ‘Policy Expiration’ slider. By default, the policy will be set to ‘Permanent’, but you can use this slider to change how long a policy will be active.
Once all policy parameters have been set to your liking, select the ‘Approve’ button provided at the bottom of the page. If you do not want to approve this request, you can alternatively select ‘Reject’.
Storage Requests
Storage requests will differ in appearance from application and elevation requests. A storage request will provide you with information on the device and user that requested access, the file path of the storage device, and the serial number of the storage device.
In the first section, you can either create a new policy or use an existing one to permit the request. In the field provided when creating a new policy, you can add a new name to it. If you do not fill in this area, the policy will be named the path or device name that access was requested to.
In the ‘Applies To’ section, you can select who this policy applies to. By default, ThreatLocker will select to apply the policy to the computer it was requested from, and to all Users & Groups on that machine. You can change this to apply to a specific computer group or the entire organization. You can also apply the policy to only specific selected users or groups on that device.
In the ‘Conditions’ section, you can make changes to the policy that will be created:
- Choose between Read or Read/Write to determine if the user can only view the requested path or device, or if they will also be allowed to make changes to it.
- Choose between All Interfaces or Selected Interface to determine if this user will have access to all interfaces or only certain ones (e.g. USB, DVD, SATA).
- Choose between All File Paths or Selected File Path. The file path being requested will populate here. For security purposes, ThreatLocker recommends only permitting selected file paths, as permitting all file paths will allow the user full access.
- This is the field in which the file path can be changed if necessary. ThreatLocker will automatically populate the requested file path.
- Choose between All Devices, Encrypted Only, or Non-Encrypted Only.
- Use the slider bar to determine the amount of time the policy will be in effect prior to expiration. By default, ThreatLocker will set the policy time to be ‘Permanent’.
Finally, in the actions section, you will see that the action is set to ‘Permit’. This can’t be changed.
Once all fields have been filled out, you can select the ‘Approve’ button at the bottom of the page. If this Storage Request is not something you would like permitted for this user or within your environment, you can alternatively select the ‘Reject’ button.
Approval Request Window Tabs
The Approval Request window also provides you with different tabs to view more information regarding the request. The possible tabs that can be viewed are Additional Files, Ticket Details, and File History.
Note: Only Application Control and Elevation requests will be able to contain all four of these tabs at once as they deal with executable files. These requests require the information that can be provided from the ‘Additional Files’ and ‘File History’ tabs. Storage and Web Control Requests do not deal with requests of that nature and therefore do not have the ‘Additional Files’ or ‘File History’ tabs. Additionally, while Storage Requests will provide you with the ‘Ticket Details’ tab, Web Control Requests will only give you the Request Details.
Additional Files
The ‘Additional Files’ tab provides you with a list of files that matched the same policy as the requested file during the same 10-minute timeframe. This gives you a bit of information regarding what other files might have been run around that time, and what other files may need to be permitted. The ‘Additional Files’ tab can also help when the file being requested is a .dll file. You will have the opportunity to see if the setup file related to the .dll was blocked and not requested. In this scenario, you would then be able to examine and approve the entire application instead of only the .dll file, minimizing the number of blocked files experienced by the user.
Ticket Details
The ‘Ticket Details’ tab provides you with an area to add information regarding the request that was made. The sections provided are Ticket, Requestor Email Address, Approving Manager, and Comments. When information is added to this section and the request is approved or rejected, that information will be saved and remain viewable.
Note: The ‘Ticket Details’ tab will appear differently for Storage Requests. This will instead have the fields for Ticket, Requestor, Requestor Reason, and Comments. If a requestor reason is provided by the user, their reason will populate in the ‘Requestor Reason’ field.
File History
The ‘File History’ tab will show you instances of related files and what was used to permit or deny them in the past. This is useful when trying to view related files to see if this software has been permitted in the environment already.