Windows Agent Version 9.x Release Notes

Last update: 08.30.2024

Version 9.3.1 - Beta

08/30/2024

Improvements

  • Added a new variable to the body section of a Detect Policy to allow insertion of the Detect Policy name
  • The Options dropdown now offers a new option, "DisableLSAProtection," which validates that the proper registry values have been updated/deleted from a machine. This option protects against https://attack.mitre.org/techniques/T1556/002/. When this version of the service is started, it will enable the LSA protection by default
  • The option for DriverDomainNameParsing will now support wildcards (*) and/or process names
  • Improved the driver to prevent a renamed PowerShell executable from being able to run scripts that should have been blocked
  • Resolved an issue from 8.7.2 and 8.8 where a malformed apps.db would not automatically rebuild 
  • For ThreatLocker Detect Alerts, the Action Log will show both Policy Action and Effective Action
  • The Configuration Manager policy for User Logon Reporting has been deprecated indefinitely. Please speak to a Cyber Hero for an alternative solution using ThreatLocker Detect
  • Improved the check-in process: if the full check-in fails on service startup, it will keep retrying every 5 seconds until it is successful, prior to sending a heartbeat check-in
  • In Elevation Control, Domain Accounts will also be removed unless exceptions are listed
  • Improved the check for Disable Tamper Protection Mode, where now, if the scheduled time expires or is ended from the portal, the endpoint will be updated within 5 seconds
  • When enabling the ThreatLocker Detect module, required settings will be added to the impacted organizations. This includes 'DisableArgumentsForElevation' and 'DisableArgumentsForExecution'
  • Added the Schedule Free Space Delete policy into new Configuration Manager
  • Made minor UI improvements to the QR code popup in the tray
  • Added the ability to intercept network traffic from virtual adapters

Bugs and Fixes

  • Resolved an issue in which Detect Conditions were not working as expected when using the Contains and Does Not Contain operators
  • Resolved an issue in which Domain Admins were not being removed from the Local Admin group using the Elevation Control module
  • Resolved an issue in which having an OS in a language other than English was preventing Local Admins from being removed via the Elevation Control page
  • Resolved an issue in which Configuration Manager policies set at the Global level were not being assigned as expected
  • Resolved an issue in which Lockdown and Isolate modes were not being displayed in the Notes section of the Unified Audit
  • Resolved an issue in which multiple Trays were being opened per user on a terminal server
  • Resolved an issue in which Detect conditions that used a full path with starts with or ends with were not operating as expected
  • Resolved an issue in which the 'Configure downloaded Office macros' Configuration Manager policy was not setting the registry setting correctly
  • Resolved an issue in which Tamper Protection was disabled while an apps.db was being rebuilt
  • Resolved an issue in which disabling the Config Manager 'Allow local system to use computer identity for NTLM (NetBios)' policy was not disabling the registry key
  • Resolved an issue in which, when using Removing Selected Local Admins and removing admins from the list, users were unable to re-add them to the local admin group until the machine was rebooted
  • Resolved an issue in which inserting variables into the body of a Call Webhook or Call RestAPI was causing the JSON to be invalid
  • Resolved an issue in which Detect policies would not alert on apps that didn't exist in the apps.db, even when a condition explicitly called out the application
  • Resolved an issue in which the ThreatLocker Elevation Request Popup was not launching, preventing the user from requesting Elevation
  • Resolved an issue in which Domain Name Parsing settings were not taking effect when set at the Global level
  • Resolved an issue in which other services that start before ThreatLocker could potentially lock the ThreatLocker files, preventing it from running
  • Resolved an issue with wording on a button on the tray
  • Resolved an issue where the ThreatLocker Tray was causing a timeout for machines in Kiosk Mode
  • Resolved an issue where Control Panel would launch via a shortcut once the user had done a full restart on the endpoint
  • Resolved an issue with ThreatLocker Detect Exclusions where Exclusions would fail unless they had an expiration date set
  • Resolved an issue from the Windows Agent version 9.1.2 where baselining would loop and cause high RAM usage
  • Resolved an issue with IPv4 Ringfencing exclusions where exclusions were not allowed as expected
  • Resolved an issue with Self-Approvals where using this option would cause unintended blocks in Monitor Only mode
  • Resolved an issue with Monitor File Paths where including Detect policy monitored paths would cause issues when processing Storage Control policies
  • Resolved an issue with the Detect Exclusions when moving a computer to a new group or organization. Detect exclusions will now be removed when computers are moved
  • Resolved an issue where using a custom MSI would redownload the core
  • Resolved an issue where Approval Request\Requestor Reason with Spaces or Digits would cause a 500 error
  • Resolved an issue with ThreatLocker Detect, where the policy to monitor Registry Key Changes was not alerting when changed
  • Resolved an issue with the ThreatLocker Relay Service on Service build 9.1 when downloading built-in applications. For clients utilizing the ThreatLocker Relay Service, please upgrade to agent version 9.1.1
  • Resolved an issue in which the HealthService wasn't being started after the Windows Service was installed using an MSI
  • Resolved an issue where hashes that contain only zeros were being seen on Baseline, Install, and Elevation Logs
  • Resolved an issue in which IPv4 Conditions in Detect policies were not being honored
  • Resolved an issue in which .exe was being added to the end of CMD line parameters and causing Detect policies using CMD line parameter conditions to not be honored
  • Resolved an issue in which Master Detect policies weren't being added to the database for new installs and DB rebuilds on version 9.1
  • Resolved an issue in Configuration Manager where the Configure TLS (transport layer security) Protocols policy was setting the TLS setting incorrectly
  • Resolved an issue where the policy in Configuration Manager for PowerShell Constrained Language was not on when PowerShell was started
  • Resolved an issue in which Network Control Objects used in Inbound policies were working intermittently
  • Resolved an issue in which the Log in as Admin button in the tray was not directing to the specified Storage Control Policy
  • Resolved an issue with the Configuration Manager policy for Configure Defender Virus & Protection Settings not updating configurations properly on endpoints
  • Resolved an issue in which CMD line Arguments were being logged inconsistently on Windows 10
  • Resolved an issue in which NVME drives were incorrectly displaying as SCSI drives in ThreatLocker
  • Resolved an issue in which .msix files were not being flagged as executables
  • Resolved an issue in which Network Control Objects were not being applied correctly for devices on the same subnet
  • Resolved an issue in which users logging in with valid admin credentials using the TL UAC were incorrectly receiving an invalid credentials error
  • Resolved an issue in which disabling Network Control from the portal was not disabling on the endpoint without restarting the ThreatLocker Service
  • Resolved an issue in which the ThreatLocker Service was processing Right-to-Left Unicode incorrectly in the Request pop-up
  • Resolved an issue in which port 8811 was incorrectly being used by ThreatLocker when Network Control was disabled
  • Fixed incorrect detection of parent process. Implemented additional mechanisms to pass through file operations from svchost and for tracking actual process start with correct parent process set
  • Resolved an issue in which Ringfence exclusions for files were not correctly being observed
  • Resolved an issue in which users were not receiving a blocked item prompt from ThreatLocker when the iPhone Storage Driver (Built-In) policy was being matched, even though they were being blocked
  • Resolved an issue in which users in the Network Configuration Operators group were unable to use their credentials with the ThreatLocker UAC

 

 

Version 9.1.3 - Live

08/16/2024

  • Resolved an issue where the Challenge Listener was receiving a (400) Bad Request from client services

 

Version 9.1.2 - Live

08/01/2024 - updated

  • Resolved an issue with the Source and Destination IPs not working as expected as conditions on Endpoint Detect
  • Resolved an issue that did not properly update the endpoint's public IP address in the portal when it changed

 

Version 9.1.1 - Live

7/16/2024

Improvements

  • Added Service support for module-specific maintenance modes
  • Added a forced full Service check-in once the ThreatLocker Driver is bound and once an Override Code is used
  • Added Service support for the ability to Deploy Policies to a single endpoint
  • Added the Schedule Free Space Delete policy into the new Configuration Manager
  • Added CVE-2023-36563 MS WordPad Vulnerability, CVE-2013-3900 WinVerifyTrust Signature Validation, and Disable Local LM Hash Storage policies to the new Configuration Manager
  • Changed the Unified Audit to only log denied Registry actions to improve performance
  • Added a new option, DebugNetworkChallenge to be used when troubleshooting Network Challenges
  • Made improvements to Detect alert cache logic so that only one alert per check-in period will be sent if all conditions are met.
  • Made changes to the ThreatLocker Tray to accommodate more characters in branding
  • Added checkboxes in the Tray Options to force end-users to include an email and/or message with an approval request
  • Added support for two new options, "AllFilesAsExecutableExSys:WScript.exe" and "AllFilesAsExecutable:Wscript.exe"
  • Improved the HealthService update to happen when the update file downloads and not on ThreatLockerService restarts

Bugs and Fixes

  • Resolved an issue with the ThreatLocker Relay Service on agent build 9.1 when downloading built-in applications. For clients utilizing the ThreatLocker Relay Service, please upgrade to agent version 9.1.1
  • Resolved an issue with the Rebuild Core process. Moving forward, the Rebuild Core action will only function on Windows version 9.1 or newer versions
  • Resolved an issue in which the registry values for the Configuration Manager CVE 2023-36563: MS WordPad Vulnerability policy were being incorrectly set
  • Resolved an issue with the Configuration Manager policy for 'Configure Defender Virus & Protection Settings' not updating configurations properly on endpoints
  • Resolved an issue in which Detect policies monitoring Event Log ID 4732 were not alerting as expected
  • Resolved an issue in which the Configuration Manager policy 'Password Must Meet Complexity Requirements' was not correctly enforcing password complexity
  • Resolved an issue in which UNC paths were being incorrectly displayed as \device\lanmanredirector
  • Resolved an issue in which .msix files were not being flagged as executables
  • Resolved an issue in which the Health Service was hanging due to a failed API call
  • Resolved an issue in which Detect policy exclusions were not being downloaded consistently
  • Resolved an issue in which Network Control Objects were not being applied correctly for devices on the same subnet
  • Resolved an issue in which closing an approval request popup without sending a request was causing the popup to not be shown again
  • Resolved an issue where some software would require users to be located in an administrator group and would not allow installation with Elevation Mode
  • Resolved an issue in which other services that start before ThreatLocker could potentially lock the ThreatLocker files, preventing it from running
  • Resolved an issue in which a Storage Control policy was remaining enforced once disabled
  • Resolved an issue in which Detect exclusions were not being honored as intended
  • Resolved an issue in which accessing/transferring shared files was slowed down while ThreatLocker was running
  • Resolved an issue in which the UAC was showing an invalid credentials message instead of informing the user that the requested operation requires Elevation
  • Resolved an issue in which UDP traffic was not being logged correctly
  • Resolved an issue in which Override Codes were not overriding Network Ringfencing
  • Resolved an issue with Leap Software where installing with Elevation Mode would cause excessive CMD popups
  • Resolved an issue from 8.2 where the Configuration Manager policy Monitor PowerShell would cause a PowerShell crash
  • Resolved an issue where Control Panel would launch via a shortcut once the user had done a full restart on the endpoint if using the 'EnforceCPL' option
  • Resolved an issue with the service getting a null exception when processing keywords in Network Control configurations that was preventing a task from starting

 

Version 9.0 - Live

05/29/2024

Improvements

  • Improvements to the Network Challenge to always challenge if the IP address is private, regardless of subnet
  • Added a new feature to Enable Domain Name Parsing per Process for Outbound Network Control and Ringfencing entries in the Unified Audit
  • Added new Configuration Manager options for Windows Defender to control Cloud-delivered protection, Automatic Sample Submission, and Tamper Protection
  • Reduced the memory footprint of the Tray by 25-50%
  • Text for Outbound Network Control, when using a VM, will need the EnableDriverDomainNameParsing option enabled

Bugs and Fixes

  • Resolved an issue in which an empty FTP folder was unable to be read due to domain name parsing
  • Resolved an issue where the Unified Audit would show logs for Outbound Network control without a policy
  • Resolved an issue in which choosing to 'Log in as Admin' from a storage block was redirecting to a legacy page
  • Resolved an issue in which the 32-bit Windows agent was incorrectly learning hashes
  • Resolved an issue in which utilizing FTP over TLS resulted in file access being denied
  • Resolved an issue in which the UAC was showing an invalid credentials message instead of informing the user that the requested operation requires Elevation
  • Resolved an alignment issue for text on the ThreatLocker Tray
  • Resolved an issue in which the option EnableDriverDomainNameParsing was causing certain applications to experience slowness
  • Resolved an issue where certain Chromium Extensions were causing excessive logging
  • Resolved an incorrect detection of parent processes
  • Resolved an issue in which the service would not restart after Windows 2012R2 / 2008R2 was rebooted
  • Resolved an issue where returning the Print Nightmare Configuration Manager policy to "not configured" was not returning the Registry value to the Windows default setting
  • Resolved an issue in which disabling Network Control was causing Ringfencing Internet to sometimes fail
  • Resolved an issue in which the Configuration Manager policy CVE-2013-3900 WinVerifyTrust Signature Validation was incorrectly setting a DWORD instead of a REG_SZ String
  • Resolved an issue in which AzureAD user accounts were not being removed from the local Administrator group
  • Resolved an issue with Tags not working as expected on Network Control policies
  • Resolved an issue where some locked-down endpoints were not able to reboot while locked down
  • Resolved an issue with file deletion related to terminating a running process, which caused a false positive
  • Resolved an issue with ThreatLocker Ops where Occurrences were not being incremented if the TL Ops/Detect policy condition contains an Occurrences condition
  • Resolved an issue with DomainNameParsing, where the option was causing slowness on the driver
  • Resolved an issue where email formatting was not enforced on elevation policies
  • Resolved an issue with Ringfencing when utilizing a Bitglass Proxy
  • Resolved an issue with excessive logging from multiple Password Manager Chromium extensions
  • Resolved an issue with the processing of .exe exclusions
  • Resolved an issue with the redirect to the Chrome or Edge store from an approval request for an extension
  • Resolved an issue from 8.2 where the Configuration Manager policy Monitor PowerShell would cause a PowerShell crash
  • Resolved an issue with conflicting serial number lengths based on differences in Windows 7 and Windows 10

 

Version 8.7.4 - Live

05/13/2024

Bugs and Fixes

  • Resolved an issue that caused a repeated error multiple times an hour on some machines, starting with threatlockerservice.CleanPath... 
  • Resolved an issue with ThreatLocker Detect that caused the Detect database to grow larger than intended
  • Resolved an issue with ThreatLocker Detect related to the logic around handling errors
  • Resolved an issue with Network Control, which prevented Objects from working as intended on startup with local IP addresses in the same subnet

 

Version 8.7.3 - Beta

04/23/2024

Improvements

  • Added a new Option that disables network traffic monitoring for Network Control called 'DisableInterceptNetworkAccessForAll'

 
