Windows Agent Version 9.x Release Notes

18 min. read. Last update: 10.21.2024

Version 9.4 - Beta

10/18/2024

New Features

  • Added a new Configuration Manager policy "Reset Print Spooler ImagePath" that will reset the Print Spooler ImagePath
  • Major improvements to the baseline process! Baselining will now scan for a list of Key Files to build built-in policies first, then scan a second time to create additional custom applications and policies as needed. This will help prevent duplication of policies and application files that are shared with existing built-ins, making the baseline process more efficient.
  • New File History capturing in which the agent builds a Hash History database detailing how files interact with each other for better tracking of process chains and interactions in preparation for additional features
  • Improved security on ThreatLocker files while Tamper Protection is enabled
  • Added the capability to bypass the set Proxy on client machines so that the agent can go directly to TL APIs
  • Improved the logic to get longer file paths for processes
  • Added support for two new options, "AllFilesAsExecutableExSys:WScript.exe" and "AllFilesAsExecutable:Wscript.exe"
  • Improved the tray used in the VDI testing environment to have a wider box, helping prevent application names from being cut off in the dropdown
  • Added the ability for Detect to monitor and alert on ThreatLocker DB file size
  • Added further data validation to the Request Window to help ensure a Reason is inserted when it is required
  • Updated the ThreatLocker logo on all tray popups
  • The option for DriverDomainNameParsing will now support wildcards (*) and/or process names
  • Added logic to close the Tray QR code popup once a Maintenance Mode is started
  • Resolved an issue with excessive logging from multiple Password Manager Chromium extensions

Bugs and Fixes

  • Resolved an issue in which the service was incorrectly discarding leading wildcards in monitored storage paths
  • Resolved an issue where the tray popup for Elevation maintenance mode was not closing properly when ending from the tray or reaching the end of the schedule
  • Resolved an issue with Elevation control where administrators included in the exception list were still being removed when using 'Remove All Except'
  • Resolved an issue in which CMD line arguments were not being displayed in the full path in the Unified Audit
  • Resolved an issue in which changing a computer's date/time via PowerShell resulted in a temporary pause in the ThreatLocker Service
  • Resolved an issue in which Deploying Policies was not clearing the deny cache for Ringfencing
  • Resolved an issue in which unknown Chromium extension names were being incorrectly displayed
  • Resolved an issue in which unwanted file blocks were occurring due to a recent change in Defender ATP
  • Resolved an issue in which creating or editing a Tag was not forcing a full check-in, resulting in a delay in endpoints receiving the changes
  • Resolved an issue where administrators were being removed through Elevation control but not verified to have login privileges, causing the account to not be accessible
  • Resolved an issue in which Isolate mode was not disconnecting active network connections
  • Resolved an issue in which .py scripts were being logged as executes when being moved using Robocopy
  • Resolved an issue in which Network Shares were still accessible when a machine was Isolated
  • Resolved an issue in which the Full Path was not showing command line args
  • Resolved an issue in which Organization and Group level Exclusions were not working as expected
  • Resolved an issue in which the Configuration Manager policy "Delivery Optimization Service" was causing Windows updates to fail
  • Resolved an issue where hashes containing only zeros were being reported in installation and elevation logs
  • Resolved an issue in which Network Control was interfering with applications being run from a dev drive
  • Resolved an issue in which Detect was not alerting when a registry key was changed when a condition to monitor registry keys was set
  • Resolved an issue in which Network Control policies set to block access to specified locations were not working as expected until the Browser cache was cleared
  • Resolved an issue in which inserting variables into the body of a Call Webhook or Call RestAPI was causing the JSON to be invalid
  • Resolved an issue in which Detect policies would not alert on apps that didn't exist in the apps.db, even when a condition explicitly called out the application
  • Resolved an issue in which end users were receiving both the ThreatLocker UAC and the Windows UAC when attempting to run an application as Administrator
  • Resolved an issue with removing domain users from the Local Administrators group when using Elevation control. They will be placed in the local users group, if not already, on removal.
  • Resolved an issue in which file paths were incorrectly being monitored, causing unexpected Ringfencing denies
  • Resolved an issue in which Elevation Control > Remove Selected was unable to remove Domain Users from the local Administrators group if the Domain User was already in the local Users group

Version 9.3.3 - Live

9/30/2024

Improvements

  • Updated configuration changes when using the DisableLSAProtection option for improved stability across Windows devices running builds 2200 and below
  • Built a new MSI installer for 9.3.3


Version 9.3.2 - Live

09/19/2024

Bugs and Fixes

  • Implemented security enhancements and fixes


Version 9.3.1 - Live

09/10/2024

Improvements

  • Improved the tray used in the VDI testing environment to have a wider box, helping prevent application names from being cut off in the dropdown
  • Added a new variable to the body section of a Detect Policy to allow the insert of the Detect Policy name
  • The option for EnableDriverDomainNameParsing will now support wildcards (*) and/or process names
  • Improved the driver to prevent a renamed PowerShell executable from being able to run scripts that should have been blocked
  • Resolved an issue from 8.7.2 and 8.8 where a malformed apps.db would not automatically rebuild
  • For ThreatLocker Detect Alerts, the Action Log will show both Policy Action and Effective Action
  • The Configuration Manager policy for User Logon Reporting has been deprecated indefinitely. Please speak to a Cyber Hero for an alternative solution using ThreatLocker Detect
  • Improved the check-in process: if the full check-in fails on service start-up, the service will keep retrying every 5 seconds until it succeeds before sending a heartbeat check-in
  • Improved the check for Disable Tamper Protection Mode, where now, if the scheduled time expires or is ended from the portal, the endpoint will be updated within 5 seconds
  • When enabling the ThreatLocker Detect module, required settings will now be included for the impacted organizations. We have added 2 new options to disable these default settings: 'DisableArgumentsForElevation' and 'DisableArgumentsForExecution'
  • Added the Schedule Free Space Delete policy into new Configuration Manager
  • Made minor UI improvements to the QR code popup in the tray
  • Added the ability to intercept network traffic from virtual adapters

Bugs and Fixes

  • Resolved an issue in which Detect Conditions were not working as expected when using the Contains and Does Not Contain operators
  • Resolved an issue in which having an OS in a language other than English was preventing Local Admins from being removed via the Elevation Control page
  • Resolved an issue in which Configuration Manager policies set at the Global level were not being assigned as expected
  • Resolved an issue in which Lockdown and Isolate modes were not being displayed in the Notes section of the Unified Audit
  • Resolved an issue in which multiple Trays were being opened per user on a terminal server
  • Resolved an issue in which Detect conditions that used a full path with starts with or ends with were not operating as expected
  • Resolved an issue in which the 'Configure downloaded Office macros' Configuration Manager policy was not setting the registry setting correctly
  • Resolved an issue in which Tamper Protection was disabled while an apps.db was being rebuilt
  • Resolved an issue in which disabling the Config Manager 'Allow local system to use computer identity for NTLM (NetBios)' policy was not disabling the registry key
  • Resolved an issue in which, after using Remove Selected Local Admins and removing admins from the list, users were unable to re-add those admins to the local admin group until the machine was rebooted
  • Resolved an issue in which inserting variables into the body of a Call Webhook or Call RestAPI was causing the JSON to be invalid
  • Resolved an issue in which Detect policies would not alert on apps that didn't exist in the apps.db, even when a condition explicitly called out the application
  • Resolved an issue in which the ThreatLocker Elevation Request Popup was not launching, preventing the user from requesting Elevation
  • Resolved an issue in which Domain Name Parsing settings were not taking effect when set at the Global level
  • Resolved an issue in which other services that start before ThreatLocker could potentially lock the ThreatLocker files, preventing it from running
  • Resolved an issue with wording on a button on the tray
  • Resolved an issue where the Threatlocker Tray was causing a timeout for machines in Kiosk Mode
  • Resolved an issue where Control Panel would launch via a shortcut once the user had done a full restart on the endpoint
  • Resolved an issue with ThreatLocker Detect Exclusions where Exclusions would fail unless they had an expiration date set
  • Resolved an issue from the Windows Agent version 9.1.2 where baselining would loop and cause high RAM usage
  • Resolved an issue with IPv4 Ringfencing exclusions where exclusions were not allowed as expected
  • Resolved an issue with Self-Approvals where using this option would cause unintended blocks in Monitor Only mode
  • Resolved an issue with Monitor File Paths where including Detect policy monitored paths would cause issues when processing Storage Control policies
  • Resolved an issue with the Detect Exclusions when moving a computer to a new group or organization. Detect exclusions will now be removed when computers are moved
  • Resolved an issue where using a custom MSI would redownload the core
  • Resolved an issue where Approval Request\Requestor Reason with Spaces or Digits would cause a 500 error
  • Resolved an issue with ThreatLocker Detect, where the policy to monitor Registry Key Changes was not alerting when changed
  • Resolved an issue with the ThreatLocker Relay Service on Service build 9.1 with downloading built-in applications. For clients utilizing the ThreatLocker Relay Service, please upgrade to agent version 9.1.1
  • Resolved an issue in which the HealthService wasn't being started after the Windows Service was installed using an MSI
  • Resolved an issue where hashes that contain only zeros were being seen on Baseline, Install, and Elevation Logs
  • Resolved an issue in which IPv4 Conditions in Detect policies were not being honored
  • Resolved an issue in which .exe was being added to the end of CMD line parameters and causing Detect policies using CMD line parameter conditions to not be honored
  • Resolved an issue in which Master Detect policies weren't being added to the database for new installs and DB rebuilds on version 9.1
  • Resolved an issue in Configuration Manager where the Configure TLS (transport layer security) Protocols policy was setting the TLS setting incorrectly
  • Resolved an issue where the policy in Configuration Manager for PowerShell Constrained Language was not on when PowerShell was started
  • Resolved an issue in which Network Control Objects used in Inbound policies were working intermittently
  • Resolved an issue in which the Log in as Admin button in the tray was not directing to the specified Storage Control Policy
  • Resolved an issue with the Configuration Manager policy for Configure Defender Virus & Protection Settings not updating configurations properly on endpoints
  • Resolved an issue in which CMD line Arguments were being logged inconsistently on Windows 10
  • Resolved an issue in which NVME drives were incorrectly displaying as SCSI drives in ThreatLocker
  • Resolved an issue in which .msix files were not being flagged as executables
  • Resolved an issue in which Network Control Objects were not being applied correctly for devices on the same subnet
  • Resolved an issue in which users logging in with valid admin credentials using the TL UAC were incorrectly receiving an invalid credentials error
  • Resolved an issue in which disabling Network Control from the portal was not disabling on the endpoint without restarting the ThreatLocker Service
  • Resolved an issue in which the ThreatLocker Service processed Right-to-Left Unicode incorrectly in the Request pop-up
  • Resolved an issue in which port 8811 was incorrectly being used by ThreatLocker when Network Control was disabled
  • Fixed incorrect detection of the parent process. Implemented additional mechanisms to pass through file operations from svchost and to track the actual process start with the correct parent process set
  • Resolved an issue in which Ringfence exclusions for files were not correctly being observed
  • Resolved an issue in which users were not receiving a blocked item prompt from ThreatLocker when the iPhone Storage Driver (Built-In) policy was being matched, even though they were being blocked
  • Resolved an issue in which users in the Network Configuration Operators group were unable to use their credentials with the ThreatLocker UAC


Version 9.1.3 - Live

08/16/2024

  • Resolved an issue where the Challenge Listener was receiving a (400) Bad Request from client services


Version 9.1.2 - Live

08/01/2024 - updated

  • Resolved an issue with the Source and Destination IPs not working as expected as conditions on Endpoint Detect
  • Resolved an issue that did not properly update the endpoint's public IP address in the portal when it changed


Version 9.1.1 - Live

7/16/2024

Improvements

  • Added Service support for module-specific maintenance modes
  • Added a forced full Service check-in once the ThreatLocker Driver is bound and once an Override Code is used
  • Added Service support for the ability to Deploy Policies to a single endpoint
  • Added the Schedule Free Space Delete policy into the new Configuration Manager
  • Added CVE-2023-36563 MS WordPad Vulnerability, CVE-2013-3900 WinVerifyTrust Signature Validation, and Disable Local LM Hash Storage policies to the new Configuration Manager
  • Changed the Unified Audit to only log denied Registry actions to improve performance
  • Added a new option, DebugNetworkChallenge to be used when troubleshooting Network Challenges
  • Made improvements to Detect alert cache logic so that only one alert per check-in period will be sent if all conditions are met.
  • Made changes to the ThreatLocker Tray to accommodate more characters in branding
  • Added checkboxes in the Tray Options to force end-users to include an email and/or message with an approval request
  • Added support for two new options, "AllFilesAsExecutableExSys:WScript.exe" and "AllFilesAsExecutable:Wscript.exe"
  • Improved the HealthService update to happen when the update file downloads and not on ThreatLockerService restarts

Bugs and Fixes

  • Resolved an issue with the ThreatLocker Relay Service on agent build 9.1 with downloading built-in applications. For clients utilizing the ThreatLocker Relay Service, please upgrade to agent version 9.1.1
  • Resolved an issue with the Rebuild Core process. Moving forward, the Rebuild Core action will only function on Windows version 9.1 or newer versions
  • Resolved an issue in which the registry values for the Configuration Manager CVE 2023-36563: MS WordPad Vulnerability policy were being incorrectly set
  • Resolved an issue with the Configuration Manager policy for 'Configure Defender Virus & Protection Settings' not updating configurations properly on endpoints
  • Resolved an issue in which Detect policies monitoring Event Log ID 4732 were not alerting as expected
  • Resolved an issue in which the Configuration Manager policy 'Password Must Meet Complexity Requirements' was not correctly enforcing password complexity
  • Resolved an issue in which UNC paths were being incorrectly displayed as \device\lanmanredirector
  • Resolved an issue in which .msix files were not being flagged as executables
  • Resolved an issue in which the Health Service was hanging due to a failed API call
  • Resolved an issue in which Detect policy exclusions were not being downloaded consistently
  • Resolved an issue in which Network Control Objects were not being applied correctly for devices on the same subnet
  • Resolved an issue in which closing an approval request popup without sending a request was causing the popup not to be shown again
  • Resolved an issue where some software would require users to be located in an administrator group and would not allow installation with Elevation Mode
  • Resolved an issue in which other services that start before ThreatLocker could potentially lock the ThreatLocker files, preventing it from running
  • Resolved an issue in which a Storage Control policy was remaining enforced once disabled
  • Resolved an issue in which Detect exclusions were not being honored as intended
  • Resolved an issue in which accessing/transferring shared files was slowed down while ThreatLocker was running
  • Resolved an issue in which the UAC was showing an invalid credentials message instead of informing the user that the requested operation requires Elevation
  • Resolved an issue in which UDP traffic was not being logged correctly
  • Resolved an issue in which Override Codes were not overriding Network Ringfencing
  • Resolved an issue with Leap Software where installing with Elevation Mode would cause excessive CMD popups
  • Resolved an issue from 8.2 where the Configuration Manager policy Monitor PowerShell would cause a PowerShell crash
  • Resolved an issue where Control Panel would launch via a shortcut once the user had done a full restart on the endpoint if using the 'EnforceCPL' option
  • Resolved an issue with the service getting a null exception when processing keywords in Network Control configurations that was preventing a task from starting


Version 9.0 - Live

05/29/2024

Improvements

  • Improvements to the Network Challenge to always challenge if the IP address is private, regardless of subnet
  • Added a new feature to Enable Domain Name Parsing per Process for Outbound Network Control and Ringfencing entries in the Unified Audit
  • Added new Configuration Manager options for Windows Defender to control Cloud-delivered protection, Automatic Sample Submission, and Tamper Protection
  • Reduced the memory footprint of the Tray by 25-50%
  • Note: when using a VM, Outbound Network Control will need the EnableDriverDomainNameParsing option enabled

Bugs and Fixes

  • Resolved an issue in which an empty FTP folder was unable to be read due to domain name parsing
  • Resolved an issue where the Unified Audit would show logs for Outbound Network control without a policy
  • Resolved an issue in which choosing to 'Log in as Admin' from a storage block was redirecting to a legacy page
  • Resolved an issue in which the 32-bit Windows agent was incorrectly learning hashes
  • Resolved an issue in which utilizing FTP over TLS resulted in file access being denied
  • Resolved an issue in which the UAC was showing an invalid credentials message instead of informing the user that the requested operation requires Elevation
  • Resolved an alignment issue for text on the ThreatLocker Tray
  • Resolved an issue in which the option EnableDriverDomainNameParsing was causing certain applications to experience slowness
  • Resolved an issue where certain Chromium Extensions were causing excessive logging
  • Resolved an incorrect detection of parent processes
  • Resolved an issue in which the service would not restart after Windows 2012R2 / 2008R2 was rebooted
  • Resolved an issue where returning the Print Nightmare Configuration Manager policy to "not configured" was not returning the Registry value to the Windows default setting
  • Resolved an issue in which disabling Network Control was causing Ringfencing Internet to sometimes fail
  • Resolved an issue in which the Configuration Manager policy CVE-2013-3900 WinVerifyTrust Signature Validation was incorrectly setting a DWORD instead of a REG_SZ string
  • Resolved an issue in which AzureAD user accounts were not being removed from the local Administrator group
  • Resolved an issue with Tags not working as expected on Network Control policies
  • Resolved an issue where some locked-down endpoints were not able to reboot while locked down
  • Resolved an issue with file deletion related to terminating a running process, which caused a false positive
  • Resolved an issue with ThreatLocker Ops where Occurrences were not being incremented if the TL Ops/Detect policy condition contains an Occurrences condition
  • Resolved an issue with DomainNameParsing, where the option was causing slowness on the driver
  • Resolved an issue where email formatting was not enforced on elevation policies
  • Resolved an issue with Ringfencing when utilizing a Bitglass Proxy
  • Resolved an issue with excessive logging from multiple Password Manager Chromium extensions
  • Resolved an issue with the processing of .exe exclusions
  • Resolved an issue with the redirect to the Chrome or Edge store from an approval request for an extension
  • Resolved an issue from 8.2 where the Configuration Manager policy Monitor PowerShell would cause a PowerShell crash
  • Resolved an issue with conflicting serial number lengths based on differences in Windows 7 and Windows 10


Version 8.7.4 - Live

05/13/2024

Bugs and Fixes

  • Resolved an issue that caused a repeated error multiple times an hour on some machines, starting with threatlockerservice.CleanPath... 
  • Resolved an issue with ThreatLocker Detect that caused the Detect database to grow larger than intended
  • Resolved an issue with ThreatLocker Detect related to the logic around handling errors
  • Resolved an issue with Network Control, which prevented Objects from working as intended on startup with local IP addresses in the same subnet


Version 8.7.3 - Beta

04/23/2024

Improvements

  • Added a new Option that disables network traffic monitoring for Network Control called 'DisableInterceptNetworkAccessForAll'


To view older release notes for 8.x, click here
