Windows Agent Version 8.x Release Notes

Last update: 02.20.2024

Version 8.5.4 - Beta

02/19/2024

Bugs and Fixes

  • Resolved an issue where ThreatLocker Ops policies were causing a delay in loading policies for other modules

 

Version 8.5.3 - Live

02/16/2024 - Updated

Improvements

  • Improved the way missing files are logged and recovered when services are updated or downgraded
  • Improvements to ThreatLocker Ops file path monitoring
  • Added visibility of Event Log IDs in the ThreatLocker Ops Alerts sidebar
  • Added visibility of Ringfenced Registry items in the Blocked Items tray
  • Minor improvements to ThreatLocker Ops policy action caching to support quicker addition of new actions to an existing policy
  • ThreatLocker Ops policies will be able to action based on the SHAs, Hashes, Certs, and Application IDs of a parent process
  • The option to Disable Remote Presence has been changed to Enable Remote Presence
  • The ThreatLocker Tray will now alert end-users of our research on their software requests, including software name and company name, countries of operation, and software categories. This will allow end-users insight into the software they are requesting and help guide their decision-making process before requesting the install

Bugs and Fixes

  • Resolved an issue with how the Registry is protected while Tamper Protection is Enabled
  • Resolved an issue in which the Network Challenge was incorrectly permitting traffic from more than source objects
  • Resolved an issue with Application Control and the caching of parent processes
  • Resolved an issue with the Configuration Manager reports "Event Logon Reporting" and "Enable User Logon Reporting"
  • Resolved an issue with the ThreatLocker Elevation popup not reverting to the Windows UAC when Elevation was disabled
  • Resolved an issue with ThreatLocker Ops where Destination or Source IP Addresses with CIDR Notation would not process as expected
  • Resolved an issue with the Disable SMB V1 policy in Configuration Manager, where SMB was not disabled as expected when the policy was enabled
  • Resolved an issue where the ThreatLocker UAC would not support certain file paths based on prefix characters
  • Resolved an issue with the ThreatLocker Tray and the close tray process not working as intended
  • Resolved an issue with the ThreatLocker Administrator Password System (TAPS) where generating a password would fail and cause a 400 error
  • Resolved an issue that caused Tray icon ghosting during ThreatLocker service restarts

 

Version 8.5.2 - Beta - Rolled Back

02/09/2024

 

Version 8.5.1 - Live - Rolled Back

02/05/2024

 

Version 8.5 - Live

2/5/2023 

Bugs and Fixes

  • Resolved an issue with the ThreatLocker Tray and the close tray process not working as intended
  • Resolved an issue with Storage Control and/or Storage Audit and the monitoring of drives
  • Resolved an issue with the Configuration Manager policy for Restrict Local Admin Tools and the Exempt Local Admin feature
  • Resolved an issue with ThreatLocker Ops Exclusions when logged from the Response Center
  • Resolved an issue with the UAC and cached Active Directory credentials if the machine is taken off the Active Directory network
  • Resolved an issue with ThreatLocker Ops Destination Domain option and wildcards not functioning as intended
  • Resolved an issue with the Exclusions section when the process is run as Administrator or System
  • Resolved an issue that caused Tray icon ghosting during ThreatLocker service restarts
  • Resolved an issue with the ThreatLocker Tray caching which caused caching to turn off unintentionally
  • Resolved an issue with excessive logging from multiple Password Manager Chromium extensions

 

Version 8.4.1 - Live

1/26/2024

New Features

  • Six new Configuration Manager Policies are now available!
    • Disable TLS 1.0 Protocol
    • Enable SMB Signing
    • Disable Link-Local Multicast Name Resolution
    • Disable Multicast DNS
    • Disable Anonymous enumeration of SAM accounts and shares
    • Require Network Level Authentication for Remote Connections
  • The ThreatLocker Tray will now alert end-users of our research on their software requests, including software name and company name, countries of operation, and software categories. This will allow end-users insight into the software they are requesting and help guide their decision-making process prior to requesting the install 

Improvement

  • ThreatLocker Ops policies will be able to action based on the SHAs, Hashes, Certs, and Application IDs of a parent process 
  • The option to Disable Remote Presence has been changed to Enable Remote Presence
  • Approval Requests will no longer allow invalid emails when emails are set as a required field
  • End-Users who utilize a terminal server setup will now only be able to see their own real-time Unified Audit logs in the tray. Administrators will need to use our portal to see a complete list of all user activity

Bugs and Fixes

  • Resolved an issue with the ThreatLocker Tray caching, which caused caching to turn off unintentionally
  • Resolved an issue with the Windows Core Files on the Testing Environment Virtual Machines, which caused unintended blocks
  • Resolved an issue with ThreatLocker Ops where policies were being actioned multiple times due to an error with caching. Ops policies will only action once until the alert is cleared by a user
  • Resolved an issue with the ThreatLocker Tray and time not stored in UTC
  • Resolved an issue with the Tray where Chromium extension names were displayed incorrectly
  • Resolved an issue with the ThreatLocker Administrator Password System (TAPS) where generating a password would fail and cause a 400 error
  • Resolved an issue where Chromium extensions were not blocking as intended if Storage Control was not enabled
  • Resolved an issue that caused Tray icon ghosting during ThreatLocker service restarts
  • Resolved an issue with Ops condition Occurrences, and the option has been readded for use in policies
  • Resolved an issue with Default Deny working when not enabled based on Ringfencing settings

 

Version 8.4 - Live

01/22/2024

New Features

  • Added a new Configuration Manager policy to Enable/Disable PowerShell Constrained Language Mode 
  • Added a new Configuration Manager policy for CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability 

Bugs and Fixes

  • Resolved an issue related to zipped files with executables running on secured machines
  • Resolved an issue where the service would not start/restart or check-in due to a corrupt driver  
  • Resolved an issue where users were not getting the UAC prompt on version 8.2.3 when trying to run a program as an administrator 

 

Version 8.3.5 - Live

12/28/2023

Improvements

  • New option to disable installation file monitoring
  • New option to disable remote presence by default

Bugs and Fixes

  • Resolved an issue with serial numbers not logging based on abbreviations

 

Version 8.3.4 - Live

12/15/2023

Bugs and Fixes

  • Resolved an issue where the ThreatLocker Tray failed to start
  • Resolved an issue where parent processes were not matching the full path as expected

 

Version 8.3.3 - Live

12/15/2023

Bugs and Fixes

  • Resolved an issue where expired policies were causing core file blocks 
  • Resolved an issue where the ThreatLocker Service would fail to start 
  • Resolved an issue with Ukrainian/Cyrillic characters displaying in the Portal 
  • Resolved an issue with the display name of browser extensions 

 

Version 8.3.2 - Live

12/05/2023

Improvements

  • Built-in applications that include Windows Core files will no longer process prior to custom rules

Bugs and Fixes

  • Resolved an issue with the delete action not logging in the Unified Audit as expected

 

Version 8.3.1

11/29/2023

Known Issue: Syncplicity preventing ThreatLocker machines from checking in to the portal

 

New Features

  • The default value for \device\syncplicity will now be null, and clients will need to set their preferred value
  • When the EnableLUA registry key is changed, and a computer needs a reboot, a flag will now be visible on the Computers Page 
  • Override codes now also apply to Storage Control policies. If a ThreatLocker Override is run, all Storage Control denies will be permitted.
  • Configuration Manager now has the option to enable Crash Dump complete file collection

Improvements

  • Updates and improvements to the UAC prompt and the ThreatLocker Tray
  • Improvements to how the Monitor PowerShell option is applied to the endpoint
  • The error log folder located in the application folder will now clear logs older than 30 days 
  • Improvements to the handling of Global Configuration Manager Policies
  • Added the support of multiple wildcards within the registry path for Ringfencing exclusions 
  • Improved the way hostname is populated to show more than 15 characters 
  • Improved logging in the Check Errors section of the Computer's tab, including starting, stopping, and restarting of the service 
  • Increased several API timeouts 

Bugs and Fixes

  • Resolved an issue with the ThreatLocker driver getting stuck in a restart cycle related to the default value for disabled devices 
  • Resolved an issue causing excessive logging of the FileInfo and FileInstall in the System Audit 
  • Resolved an issue in which opening multiple instances of the real-time audit caused high memory usage 
  • Resolved an issue that caused an API to stall when changing the page size on the Applications page 
  • Resolved an issue where Network Control caused high CPU when monitoring outbound traffic 
  • Resolved an excessive logging issue in the Unified Audit related to the ThreatLocker Ops policy for Log All Logon Events 
  • Resolved an issue with conflicting serial number lengths based on differences in Windows 7 and Windows 10 
  • Added IPSec support to resolve an issue where a client was unable to RDP into his machine
  • Resolved an issue with Chrome extensions not being blocked as required 
  • Resolved an issue with the Disable UPnP policy in Configuration Manager 
  • Resolved an issue that would block a new USB request if there is already a pending, different, USB request in the system 
  • Resolved an issue with the UAC where the {Username}@{Domain} format would fail authentication 
  • Resolved an issue from 7.6 related to Windows programs that only work properly when run by an administrator, like the Windows Media Creation Tool 
  • Resolved an issue from 8.0 where the NetworkPendingQueueSize in the registry was not dropping as expected 
  • Resolved an issue for Legacy ThirdWall users which affected the excessive failed logon events policy
  • Resolved an issue with built-in SDHC card readers and collecting S/N from SD cards 
  • Resolved a rare issue where the Windows API would not read an entire file
  • Resolved an issue with the Configuration Manager policy to Disable NetBios related to network adapter settings 
  • Resolved an issue where default ThreatLocker branding did not apply when clients had not implemented custom branding 
  • Resolved an issue where ProxyURLs were using port 443 

 

Version 8.2.4

11/16/2023

Improvements

  • Moving forward, ThreatLocker will not include C:\ProgramData\Docker* in the baseline learning process to avoid causing unintended issues. For more information about Baselining, please see our ThreatLocker University course Learning Mode

 

Version 8.2.3

11/01/2023

Bugs and Fixes

  • Resolved an issue that caused excessive logging in Tamper Protection Mode

 

Version 8.2.2

10/25/2023

Improvements

  • Improvements to outbound network processing
  • Added support for exclusions for Outbound Network Control  

Bugs and Fixes

  • Fixed a bug with Exclusions where, in certain circumstances, they would not apply as intended

 

Version 8.2.1

10/19/2023

Improvements

  • Improvements to inbound network processing

 

Version 8.2

10/17/2023

New Features

Improvements

  • Improved logging for the Network Challenge feature 
  • Improved the real-time audit logs to show in the time zone of the machine 
  • Requester email is now included in the UAC prompt for Elevation and Approval Requests
  • In order to avoid unintended blocks, if a policy with a .dll only is above a policy for the same application with a .exe and the same .dll, when the first policy runs, the 2nd policy with the .exe and .dll will match and permit. This change could cause policies to process in an unexpected order 
  • Improvements to the Approve Applications process, including identification of a matching application to happen inside the virtual testing environment 
  • Improved the processing of UDP traffic 
  • Improvements to Isolation Mode in Configuration Manager, including blocking TCP & UDP traffic 
  • Improved internal logging of events related to temp files, delete actions, sleep/hibernation behaviors, and more  
  • The Stub Installer is now integrated into the MSI Installer 
  • Improvements made to new applications and the amount of logging in the Unified Audit 
  • Improved the Windows Service and Driver features to harden the process of service downgrading, stopping/starting of the service and driver, and Tamper Protection 
  • Reinstated Green Denies on Network Control in the Unified Audit when no policies exist but the Module is enabled 
  • Improved error messaging around Chromium Extensions which return an empty string 
  • SHA256 captures will now be enabled by default and users will have the ability to disable this feature under the Organization Options 
  • Added a Kill Running Process option to ThreatLocker Ops 
  • Improved ThreatLocker Ops by adding canary files
  • Elevation buttons have been changed to look more prominent 
  • Configuration Manager now has a policy to block Developer Mode in MS Edge Chromium and Google Chrome 
  • Improved the handling of temporary files to reduce data set kept in memory cache 
  • Windows machines will now display the major and minor version in the Portal 
  • Improved the cache of items in the Unified Audit to reduce noise. This will not affect Denies. All denies will log
  • Updates and improvements to the UAC prompt 
  • Updates to Configuration Manager, including the Set Screen Saver policy and how it logs in the Unified Audit
  • Added Tray notification messaging for the Isolate/Un-isolate feature 
  • Added functionality to disable the notification that users see when programs install or update 
  • Improved the cert.db download speed
  • Improved the way hostname is populated to show more than 15 characters 
  • Reduced minimum monitored file size from 16 bytes to 4 bytes 

Bugs and Fixes

  • Resolved an issue with Excluded Processes and they will now exclude Install action types 
  • Resolved an issue using wildcards (*) in Storage Control Policies in the "What program does this apply to?" field 
  • Resolved an issue with Network Control that was causing intermittent incorrect denies 
  • Resolved an issue with RAID drives and ringfencing
  • Resolved an issue with baselining that caused high CPU usage 
  • Resolved an issue with MSI files trying to elevate 
  • Resolved an issue with thumb drives and logging of encryption status 
  • Improved file logging in the Unified Audit to only record Reads and Writes, either in Permit or Deny policies, for .exe and .dll files, reducing white noise and unintentional blocks 
  • Resolved an issue with Network Control and deleted Authorization Hosts 
  • Resolved an issue identified in 7.10 where some Chromium extensions would not read as executable 
  • Resolved an issue where some extensions were not being blocked in Chrome 
  • Resolved an issue from 7.10.2 and 8.0 with svchost.exe and hash showing incorrectly on installs 
  • Resolved an issue for Legacy ThirdWall users which affected the excessive failed logon events policy
  • Resolved an issue with \\localhost\c$\*\ related to storage devices and excessive logging 
  • Resolved an issue from 7.6.1 where the tray notification would not populate at the correct time 
  • Resolved an issue where a user was getting BSOD when connecting to a home network 
  • Resolved an issue with Chrome extensions not being blocked as required 
  • Resolved an issue with Network Control not caching as expected and then sometimes failing the Challenge
  • Resolved an issue with Chromium Extensions that were being denied via storage policies 
  • Resolved an issue where FortiNet VPN allowed RDP connections with Network Control RDP deny policies in place 
  • Resolved an issue with Elevation that gave incorrect permissions based on the ThreatLocker Consent setting
  • Resolved an issue with storage policies when multiple policies use different drives
  • Resolved an issue related to capturing core files from all drives, which caused some core files to be blocked 
  • Resolved an issue that would block a new USB request if there is already a pending, different, USB request in the system 
  • Resolved an issue that was allowing non-permitted files to execute from the C:\Windows\Assembly folder 
  • Resolved an issue that allowed files to be renamed even though they were protected by Tamper Protection 
  • Resolved an issue with Ringfencing failing to block Reads/Writes as expected 
  • Resolved an issue which caused the Tray to crash for users on .NET 4.8+ 
  • Resolved an issue with Tamper Protection Deny logs which caused excessive logging 
  • Resolved an issue with proxy and service loss 
  • Resolved an issue that allowed Ringfencing to process when only Default Deny was selected 
  • Resolved an intermittent issue found on Windows 10 where certain files were being logged as execute even though they were not .exe files 
  • Resolved an issue with system stress caused by installations 
  • Resolved an issue where the SHA256 was captured but not showing in the Unified Audit 
  • Resolved an issue with Network Control and error messages populating incorrectly 
  • Resolved an issue with Configuration Manager and the Set Password Protected Screen Saver enable/disable feature 
  • Resolved an issue with UDP Multicast IPs; they are no longer blocked and/or logged
  • Resolved an issue with the capture of UDP traffic if a registry value was set 
  • Resolved an issue where any binaries run by rundll32 will be blocked by ThreatLocker as a normal user 
  • Resolved an issue with the Created By Process and custom rules 
  • Resolved an issue with Network Control and unnecessary logging of ThreatLocker domains 

 

Version 8.0.2

7/15/2023

Bugs and Fixes

  • Resolved a minor issue with RoboCopy which was causing high CPU usage

 

Version 8.0.1

07/07/2023

Improvements

  • Improved the way hostname is populated to show more than 15 characters  

 

Version 8.0

6/16/2023

Bugs and Fixes

  • Resolved an issue with Tamper Protection not disabling when an Override would be applied
  • Resolved several issues with the tray, including crashing and missing attachments 
  • Resolved an issue with devices being blocked due to language settings 
  • Resolved an issue with corrupt pk.dat files  
  • Resolved several issues with Network Control, including authorization host timeouts, objects not applying to IPv6, and issues with keywords 
  • Resolved an issue where Tamper Protection would set prior to a successful check-in
  • Resolved an issue with the ThreatLocker service not honoring DNS changes  
  • Resolved an issue in 7.10 where Created by Custom rules would not apply 
  • Resolved an issue where the Run Now button would not close when running a .dll file 
  • Resolved an issue where users got a BSOD from a single IP address 
  • Resolved an issue where Bypass I/O was not supported by the ThreatLocker Driver. This will now work for new installs of 8.0 but not updates to 8.0
  • Resolved an issue where corrupted tags.json would not recover 
  • Resolved an issue where Administrators would not get correctly redirected to their approvals after logging into the portal 
  • Resolved an issue where system32 paths would be stopped when killing all running processes 
  • Resolved an issue where VirtualBox virtual machines would get stuck on service restarts 
  • Resolved an issue where deployment could have caused duplicate machines 
  • Resolved an issue when a workstation freshly boots up and wants to authenticate but the server does not know this workstation yet 
  • Resolved an issue where storage approvals would not generate a popup after an approval had been actioned 

New Features

Improvements

  • Improvements to security by only allowing one instance of ThreatLocker service to run at a time 
  • When the user is System, files run by powershell.exe or rundll32.exe will not be processed as executing
  • Improved how deny actions are recorded

 

 

 Find older release notes here: Windows Agent Version 7.x Release Notes