Version 8.7.5, 9.0.1, 9.1.4, 9.3.4, 9.4.4 - Live
11/15/2024
Improvements
- Fixed a datatype on SQLite-related limitation
Version 9.4.3 - Live
11/7/2024
Improvements
- Improved Insights data collection by removing hashes for network and command line parameters on execution
Version 9.4.2 - Beta
11/5/2024
Improvements
- Improved collected Insight information by clearing out the cache when the API request has failed
Version 9.4.1 - Beta
10/29/2024
New Features
- Added an Option called 'CoreThrottle1000' that will throttle the downloading of core files to improve performance on machines affected by excessive downloading of core files on Patch Tuesday
Version 9.4 - Live
10/29/2024
New Features
- Added a new Configuration Manager policy "Reset Print Spooler ImagePath" that will reset the Print Spooler ImagePath
- Major improvements to the baseline process! Baselining will now scan for a list of Key Files to build built-in policies first, then scan a second time to create additional custom applications and policies as needed. This will help prevent duplication of policies and application files that are shared with existing built-ins, making the baseline process more efficient.
- New File History capturing in which the agent builds a Hash History database detailing how files interact with each other for better tracking of process chains and interactions in preparation for additional features
- Improved security on ThreatLocker files while Tamper Protection is enabled
- Added the capability to bypass the set Proxy on client machines so that the agent can go directly to TL APIs
- Improved the logic to get longer file paths for processes
- Added support for two new options, "AllFilesAsExecutableExSys:WScript.exe" and "AllFilesAsExecutable:Wscript.exe"
- Improved the tray used in the VDI testing environment to have a wider box, helping prevent application names from being cut off in the dropdown
- Added the ability for Detect to monitor and alert on ThreatLocker DB file size
- Added further data validation to the Request Window to help ensure a Reason is inserted when it is required
- Updated the ThreatLocker logo on all tray popups
- The option for DriverDomainNameParsing will now support wildcards (*) and/or process names
- Added logic to close the Tray QR code popup once a Maintenance Mode is started
- Resolved an issue with excessive logging from multiple Password Manager Chromium extensions
Bugs and Fixes
- Resolved an issue in which the service was incorrectly discarding leading wildcards in monitored storage paths
- Resolved an issue where the tray popup for Elevation maintenance mode was not closing properly when ending from the tray or reaching the end of the schedule
- Resolved an issue with Elevation control where administrators included in the exception list were being removed when using 'Remove All Except'
- Resolved an issue in which CMD line arguments were not being displayed in the full path in the Unified Audit
- Resolved an issue in which changing a computer's date/time via PowerShell resulted in a temporary pause in the ThreatLocker Service
- Resolved an issue in which Deploying Policies was not clearing the deny cache for Ringfencing
- Resolved an issue in which unknown Chromium extension names were being incorrectly displayed
- Resolved an issue in which unwanted file blocks were occurring due to a recent change in Defender ATP
- Resolved an issue in which creating or editing a Tag was not forcing a full check-in, resulting in a delay in endpoints receiving the changes
- Resolved an issue where administrators were being removed through Elevation control but not verified to have login privileges, causing the account to not be accessible
- Resolved an issue in which Isolate mode was not disconnecting active network connections
- Resolved an issue in which .py scripts were being logged as executes when being moved using Robocopy
- Resolved an issue in which Network Shares were still accessible when a machine was Isolated
- Resolved an issue in which the Full Path was not showing command line args
- Resolved an issue in which Organization and Group level Exclusions were not working as expected
- Resolved an issue in which the Configuration Manager policy "Delivery Optimization Service" was causing Windows updates to fail
- Resolved an issue where hashes containing only zeros were being reported in installation and elevation logs
- Resolved an issue in which Network Control was interfering with applications being run from a dev drive
- Resolved an issue in which Detect was not alerting when a registry key was changed when a condition to monitor registry keys was set
- Resolved an issue in which Network Control policies set to block access to specified locations were not working as expected until the Browser cache was cleared
- Resolved an issue in which inserting variables into the body of a Call Webhook or Call RestAPI was causing the JSON to be invalid
- Resolved an issue in which Detect policies would not alert on apps that didn't exist in the apps.db, even when a condition explicitly called out the application
- Resolved an issue in which end users were receiving both the ThreatLocker UAC and the Windows UAC when attempting to run an application as Administrator
- Resolved an issue with removing domain users from the Local Administrators group when using Elevation control. They will be placed in the local users group, if not already, on removal.
- Resolved an issue in which file paths were incorrectly being monitored, causing unexpected Ringfencing denies
- Resolved an issue in which Elevation Control > Remove Selected was unable to remove Domain Users from the local Administrator group if the Domain User was already in the local Users group
Version 9.3.3 - Live
9/30/2024
Improvements
- Updated configuration changes when using the DisableLSAProtection option for improved stability across Windows devices running builds 2200 and below
- Built a new MSI installer for 9.3.3
Version 9.3.2 - Live
09/19/2024
Bugs and Fixes
- Implemented security enhancements and fixes
Version 9.3.1 - Live
09/10/2024
Improvements
- Improved the tray used in the VDI testing environment to have a wider box, helping prevent application names from being cut off in the dropdown
- Added a new variable to the body section of a Detect Policy to allow the insert of the Detect Policy name
- The option for EnableDriverDomainNameParsing will now support wildcards (*) and/or process names
- Improved the driver to prevent a renamed PowerShell executable from being able to run scripts that should have been blocked
- Resolved an issue from 8.7.2 and 8.8 where a malformed apps.db would not automatically rebuild
- For ThreatLocker Detect Alerts, the Action Log will show both Policy Action and Effective Action
- The Configuration Manager policy for User Logon Reporting has been deprecated indefinitely. Please speak to a Cyber Hero for an alternative solution using ThreatLocker Detect
- Improved the check-in process: if the full check-in fails on service startup, it will keep retrying every 5 seconds until it is successful before sending a heartbeat check-in
- Improved the check for Disable Tamper Protection Mode, where now, if the scheduled time expires or is ended from the portal, the endpoint will be updated within 5 seconds
- When enabling the ThreatLocker Detect module, required settings will now be included for the impacted organizations. We have added 2 new options to disable these default settings: 'DisableArgumentsForElevation' and 'DisableArgumentsForExecution'
- Added the Schedule Free Space Delete policy into new Configuration Manager
- Made minor UI improvements to the QR code popup in the tray
- Added the ability to intercept network traffic from virtual adapters
Bugs and Fixes
- Resolved an issue in which Detect Conditions were not working as expected when using the Contains and Does Not Contain operators
- Resolved an issue in which having an OS in a language other than English was preventing Local Admins from being removed via the Elevation Control page
- Resolved an issue in which Configuration Manager policies set at the Global level were not being assigned as expected
- Resolved an issue in which Lockdown and Isolate modes were not being displayed in the Notes section of the Unified Audit
- Resolved an issue in which multiple Trays were being opened per user on a terminal server
- Resolved an issue in which Detect conditions that used a full path with starts with or ends with were not operating as expected
- Resolved an issue in which the "Configure downloaded Office macros" Configuration Manager policy was not setting the registry setting correctly
- Resolved an issue in which Tamper Protection was disabled while an apps.db was being rebuilt
- Resolved an issue in which disabling the Config Manager 'Allow local system to use computer identity for NTLM (NetBios)' policy was not disabling the registry key
- Resolved an issue in which users were unable to re-add admins to the local admin group when using the Removing Selected Local Admins and removing them from the list until the machine was rebooted
- Resolved an issue in which inserting variables into the body of a Call Webhook or Call RestAPI was causing the JSON to be invalid
- Resolved an issue in which Detect policies would not alert on apps that didn't exist in the apps.db, even when a condition explicitly called out the application
- Resolved an issue in which the ThreatLocker Elevation Request Popup was not launching, preventing the user from requesting Elevation
- Resolved an issue in which Domain Name Parsing settings were not taking effect when set at the Global level
- Resolved an issue in which other services that start before ThreatLocker could potentially lock the ThreatLocker files, preventing it from running
- Resolved an issue with wording on a button on the tray
- Resolved an issue where the ThreatLocker Tray was causing a timeout for machines in Kiosk Mode
- Resolved an issue where Control Panel would launch via a shortcut once the user had done a full restart on the endpoint
- Resolved an issue with ThreatLocker Detect Exclusions where Exclusions would fail unless they had an expiration date set
- Resolved an issue from the Windows Agent version 9.1.2 where baselining would loop and cause high RAM usage
- Resolved an issue with IPv4 Ringfencing exclusions where exclusions were not allowed as expected
- Resolved an issue with Self-Approvals where using this option would cause unintended blocks in Monitor Only mode
- Resolved an issue with Monitor File Paths where including Detect policy monitored paths would cause issues when processing Storage Control policies
- Resolved an issue with the Detect Exclusions when moving a computer to a new group or organization. Detect exclusions will now be removed when computers are moved
- Resolved an issue where using a custom MSI would redownload the core
- Resolved an issue where Approval Request\Requestor Reason with Spaces or Digits would cause a 500 error
- Resolved an issue with ThreatLocker Detect, where the policy to monitor Registry Key Changes was not alerting when changed
- Resolved an issue with the ThreatLocker Relay Service on Service build 9.1 with downloading built-in applications. For clients utilizing the ThreatLocker Relay Service, please upgrade to agent version 9.1.1
- Resolved an issue in which the HealthService wasn't being started after the Windows Service was installed using an MSI
- Resolved an issue where hashes that contain only zeros are being seen on Baseline, Install, and Elevation Logs
- Resolved an issue in which IPv4 Conditions in Detect policies were not being honored
- Resolved an issue in which .exe was being added to the end of CMD line parameters and causing Detect policies using CMD line parameter conditions to not be honored
- Resolved an issue in which Master Detect policies weren't being added to the database for new installs and DB rebuilds on version 9.1
- Resolved an issue in Configuration Manager where the Configure TLS (transport layer security) Protocols policy was setting the TLS setting incorrectly
- Resolved an issue where the policy in Configuration Manager for PowerShell Constrained Language was not on when PowerShell was started
- Resolved an issue in which Network Control Objects used in Inbound policies were working intermittently
- Resolved an issue in which the Log in as Admin button in the tray was not directing to the specified Storage Control Policy
- Resolved an issue with the Configuration Manager policy for Configure Defender Virus & Protection Settings not updating configurations properly on endpoints
- Resolved an issue in which CMD line Arguments were being logged inconsistently on Windows 10
- Resolved an issue in which NVME drives were incorrectly displaying as SCSI drives in ThreatLocker
- Resolved an issue in which .msix files were not being flagged as executables
- Resolved an issue in which Network Control Objects were not being applied correctly for devices on the same subnet
- Resolved an issue in which users logging in with valid admin credentials using the TL UAC were incorrectly receiving an invalid credentials error
- Resolved an issue in which disabling Network Control from the portal was not disabling on the endpoint without restarting the ThreatLocker Service
- Resolved an issue in which the ThreatLocker Service processes Right-to-Left Unicode incorrectly in the Request pop-up
- Resolved an issue in which port 8811 was incorrectly being used by ThreatLocker when Network Control was disabled
- Fixed incorrect detection of parent process. Implemented additional mechanisms to pass through file operations from svchost and for tracking actual process start with correct parent process set
- Resolved an issue in which Ringfence exclusions for files were not correctly being observed
- Resolved an issue in which users were not receiving a blocked item prompt from ThreatLocker when the iPhone Storage Driver (Built-In) policy was being matched, even though they were being blocked
- Resolved an issue in which users in the Network Configuration Operators group were unable to use their credentials with the ThreatLocker UAC
Version 9.1.3 - Live
08/16/2024
- Resolved an issue where the Challenge Listener was receiving a (400) Bad Request from client services
Version 9.1.2 - Live
08/01/2024 - updated
- Resolved an issue with the Source and Destination IPs not working as expected as conditions on Endpoint Detect
- Resolved an issue that did not properly update the endpoint's public IP address in the portal when it changed
Version 9.1.1 - Live
7/16/2024
Improvements
- Added Service support for module-specific maintenance modes
- Added a forced full Service check-in once the ThreatLocker Driver is bound and once an Override Code is used
- Added Service support for the ability to Deploy Policies to a single endpoint
- Added the Schedule Free Space Delete policy into the new Configuration Manager
- Added CVE-2023-36563 MS WordPad Vulnerability, CVE-2013-3900 WinVerifyTrust Signature Validation, and Disable Local LM Hash Storage policies to the new Configuration Manager
- Changed the Unified Audit to only log denied Registry actions to improve performance
- Added a new option, DebugNetworkChallenge to be used when troubleshooting Network Challenges
- Made improvements to Detect alert cache logic so that only one alert per check-in period will be sent if all conditions are met.
- Made changes to the ThreatLocker Tray to accommodate more characters in branding
- Added checkboxes in the Tray Options to force end-users to include an email and/or message with an approval request
- Added support for two new options, "AllFilesAsExecutableExSys:WScript.exe" and "AllFilesAsExecutable:Wscript.exe"
- Improved the HealthService update to happen when the update file downloads and not on ThreatLockerService restarts
Bugs and Fixes
- Resolved an issue with the ThreatLocker Relay Service on agent build 9.1 by downloading built-in applications. For clients utilizing the ThreatLocker Relay Service, please upgrade to agent version 9.1.1
- Resolved an issue with the Rebuild Core process. Moving forward, the Rebuild Core action will only function on Windows version 9.1 or newer versions
- Resolved an issue in which the registry values for the Configuration Manager CVE 2023-36563: MS WordPad Vulnerability policy were being incorrectly set
- Resolved an issue with the Configuration Manager policy for 'Configure Defender Virus & Protection Settings' not updating configurations properly on endpoints
- Resolved an issue in which Detect policies monitoring Event Log ID 4732 were not alerting as expected
- Resolved an issue in which the Configuration Manager policy 'Password Must Meet Complexity Requirements' was not correctly enforcing password complexity
- Resolved an issue in which UNC paths were being incorrectly displayed as \device\lanmanredirector
- Resolved an issue in which .msix files were not being flagged as executables
- Resolved an issue in which the Health Service was hanging due to a failed API call
- Resolved an issue in which Detect policy exclusions were not being downloaded consistently
- Resolved an issue in which Network Control Objects were not being applied correctly for devices on the same subnet
- Resolved an issue in which closing an approval request popup without sending a request was causing the popup to not be shown again
- Resolved an issue where some software would require users to be located in an administrator group and would not allow installation with Elevation Mode
- Resolved an issue in which other services that start before ThreatLocker could potentially lock the ThreatLocker files, preventing it from running
- Resolved an issue in which a Storage Control policy was remaining enforced once disabled
- Resolved an issue in which Detect exclusions were not being honored as intended
- Resolved an issue in which accessing/transferring shared files was slowed down while ThreatLocker was running
- Resolved an issue in which the UAC was showing an invalid credentials message instead of informing the user that the requested operation requires Elevation
- Resolved an issue in which UDP traffic was not being logged correctly
- Resolved an issue in which Override Codes were not overriding Network Ringfencing
- Resolved an issue with Leap Software where installing with Elevation Mode would cause excessive CMD popups
- Resolved an issue from 8.2 where the Configuration Manager policy Monitor PowerShell would cause a PowerShell crash
- Resolved an issue where Control Panel would launch via a shortcut once the user had done a full restart on the endpoint if using the 'EnforceCPL' option
- Resolved an issue with the service getting a null exception when processing keywords in Network Control configurations that was preventing a task from starting
Version 9.0 - Live
05/29/2024
Improvements
- Improvements to the Network Challenge to always challenge if the IP address is private, regardless of subnet
- Added a new feature to Enable Domain Name Parsing per Process for Outbound Network Control and Ringfencing entries in the Unified Audit
- Added new Configuration Manager options for Windows Defender to control Cloud-delivered protection, Automatic Sample Submission, and Tamper Protection
- Reduced the memory footprint of the Tray by 25-50%
- Text for Outbound Network Control, when using a VM, will need the EnableDriverDomainNameParsing option enabled
Bugs and Fixes
- Resolved an issue in which an empty FTP folder was unable to be read due to domain name parsing
- Resolved an issue where the Unified Audit would show logs for Outbound Network control without a policy
- Resolved an issue in which choosing to 'Log in as Admin' from a storage block was redirecting to a legacy page
- Resolved an issue in which the 32-bit Windows agent was incorrectly learning hashes
- Resolved an issue in which utilizing FTP over TLS resulted in file access being denied
- Resolved an issue in which the UAC was showing an invalid credentials message instead of informing the user that the requested operation requires Elevation
- Resolved an alignment issue for text on the ThreatLocker Tray
- Resolved an issue in which the option EnableDriverDomainNameParsing was causing certain applications to experience slowness
- Resolved an issue where certain Chromium Extensions were causing excessive logging
- Resolved an incorrect detection of parent processes
- Resolved an issue in which the service would not restart after Windows 2012R2 / 2008R2 was rebooted
- Resolved an issue where returning the Print Nightmare Configuration Manager policy to "not configured" was not returning the Registry value to the Windows default setting
- Resolved an issue in which disabling Network Control was causing Ringfencing Internet to sometimes fail
- Resolved an issue in which the Configuration Manager policy CVE-2013-3900 WinVerifyTrust Signature Validation was incorrectly setting a DWORD instead of a REG_SZ string
- Resolved an issue in which AzureAD user accounts were not being removed from the local Administrator group
- Resolved an issue with Tags not working as expected on Network Control policies
- Resolved an issue where some locked-down endpoints were not able to reboot while locked down
- Resolved an issue with file deletion related to terminating a running process, which caused a false positive
- Resolved an issue with ThreatLocker Ops where Occurrences were not being incremented if the TL Ops/Detect policy condition contains an Occurrences condition
- Resolved an issue with DomainNameParsing, where the option was causing slowness on the driver
- Resolved an issue where email formatting was not enforced on elevation policies
- Resolved an issue with Ringfencing when utilizing a Bitglass Proxy
- Resolved an issue with excessive logging from multiple Password Manager Chromium extensions
- Resolved an issue with the processing of .exe exclusions
- Resolved an issue with the redirect to the Chrome or Edge store from an approval request for an extension
- Resolved an issue from 8.2 where the Configuration Manager policy Monitor PowerShell would cause a PowerShell crash
- Resolved an issue with conflicting serial number lengths based on differences in Windows 7 and Windows 10
Version 8.7.4 - Live
05/13/2024
Bugs and Fixes
- Resolved an issue that caused a repeated error multiple times an hour on some machines, starting with threatlockerservice.CleanPath...
- Resolved an issue with ThreatLocker Detect that caused the Detect database to grow larger than intended
- Resolved an issue with ThreatLocker Detect related to the logic around handling errors
- Resolved an issue with Network Control, which prevented Objects from working as intended on startup with local IP addresses in the same subnet
Version 8.7.3 - Beta
04/23/2024
Improvements
- Added a new Option that disables network traffic monitoring for Network Control called 'DisableInterceptNetworkAccessForAll'