Feature comparison by operating system (X = supported, - = not supported; a version number indicates the Mac agent version that provides the feature):

| Module / Feature | Windows | Mac |
| --- | --- | --- |
| Application Control | | |
| Default Deny | X | X |
| Popup for Blocked Files | X | X |
| Send Approval Request | X | X |
| Action Approval Request - Permit using new application/existing application | X | X |
| Permit Using Custom Rules/Hashes | X | X |
| Explicit Deny Policy | X | X |
| Baseline on Install | X | X |
| Rescan Baseline | X | X |
| Built-In Applications | X | X |
| OS Core File Definition | X | X |
| Policy Hierarchy - All policy levels work | X | X |
| Apply Policies to AD Users | X | - |
| Policy Schedule/Policy Expiration | X | X |
| Kill Running Process | X | X |
| Log to the Unified Audit | X | X |
| Permit from the Unified Audit | X | X |
| Send Email when Policy is Matched | X | - |
| Show Policy Match in Audit | X | X |
| Show Matching Application in Approval Request Window | X | X |
| Unified Audit Data (Cert, SHA, SN, bytes, etc.) | X | X |
| Tags | X | X |
| Disabled Policies | X | X |
| Add to Application Button in UA (Unified Audit) | X | X |
| Policies Page - Update Last Match Date | X | X |
| Policies Page - Remove Unused Policies | X | X |
| Send File with Approval Request | X | X |
| Ringfencing™ | | |
| Application Interaction | X | X |
| Files | X | X |
| Network Tags and Custom | X | X |
| Statuses while Secured (Inherit, Secured, Monitor Only) | X | X |
| Statuses while Monitor Mode (Inherit, Secured, Monitor Only) | X | X |
| Elevation Control | | |
| Do Not Elevate | X | X |
| Allow Elevation | X | X |
| Elevate Silently | X | X |
| Network Control | | |
| Block All | X | X |
| Permit/Block using IP Address | X | X |
| Permit/Block using Keyword | X | X |
| Permit/Block using Tag | X | X |
| Permit/Block using Objects | X | X |
| Apply Policy to IP Address | X | X |
| Apply Policy to Tag | X | X |
| Block All Ports | X | X |
| Permit Specific Ports | X | X |
| Authorization Hosts | X | X |
| Storage Control | | |
| Network | X | X |
| Local Paths | X | X |
| External Drives | X | X |
| Permit/Block by Interface | X | X |
| Permit/Block by Storage Device | X | X |
| Permit/Block by Path | X | X |
| Apply Policies to Encrypted or Unencrypted Drives | X | X |
| Apply Policies to All Programs or Specific Programs | X | X |
| Policy Expiration | X | X |
| Log to the Unified Audit | X | X |
| Send an Email on Policy Match | X | - |
| Customize Blocked File Popup | X | X |
| Configuration Manager | | |
| Sidebar for Detailed Review | X | Version 6.x |
| Multi-Select Options for Quick Actions | X | Version 6.x |
| Legacy TL Policy Configurations Archive | X | Version 6.x |
| ThreatLocker Detect | | |
| Policy Conditions | X | Version 5.x |
| Policy Actions | X | Version 5.x |
| Threat Levels | X | Version 5.x |
| Alert Center | X | Version 5.x |
| Multi-Select Options for Quick Actions | X | Version 5.x |
| Exclusions Management | X | Version 5.x |
| Remediator Access | X | - |
| Telemetry Data Utilization | X | Version 5.x |
| Client | | |
| Tray Branding Supported | X | X |
| Override Code | X | X |
| Blocked Items Table | X | X |
| Realtime Unified Audit Table | X | X |
| Maintenance Mode | X | X |
| Reset Local History | X | X |
| Rapid Check-In Option | X | X |
| Installer | | |
| Stub Installer and MSI Installer | X | - |
| PKG Installer | - | X |
Application Control
Windows and Mac both have Application Control with Default Deny: anything that is not explicitly permitted is blocked. Both operating systems can permit or deny applications using Full Path, Process Path, Certificate, and Hash-only rules. Mac does not currently support Application Control rules based on the Parent Process.
Both Mac and Windows support policy-driven access, including scheduled policies and policy expiration. Both also let you define precisely whom a policy applies to. Windows policies can use Users and Groups, along with integrations such as Active Directory, to scope a policy. Mac currently supports only Computer- and Group-level policies, whereas Windows supports Computer, Group, Organization, Global Group, and Global level policies.
Both Mac and Windows have Built-In Applications, managed by ThreatLocker.
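To make the rule types and policy levels above concrete, the following is an added illustrative model in Python. It is not ThreatLocker's code and does not claim to reproduce the product's actual evaluation order; the policy names, file paths, sample file contents and the precedence used (an explicit deny beats any permit, and among permits the most specific level is reported) are assumptions made for the illustration. It goes slightly beyond the paragraph by showing why a hash rule stops matching when the vendor ships a new build while a certificate rule keeps matching, why a certificate rule therefore needs an explicit deny beside it for signed tools you do not want, and how an expired policy drops out of the decision.

```python
"""Toy model of default-deny application control (added illustration, not ThreatLocker code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
import hashlib

# Policy levels, most specific first. The page lists all five for Windows and
# only Computer and Group for Mac; the ordering used here is an assumption.
LEVELS = ["computer", "group", "organization", "global_group", "global"]


@dataclass
class Rule:
    kind: str    # "full_path" | "process_path" | "cert" | "hash"
    value: str


@dataclass
class Policy:
    name: str
    action: str                          # "permit" | "deny"
    level: str                           # one of LEVELS
    rules: List[Rule]
    expires: Optional[datetime] = None   # policy expiration, None = never


@dataclass
class ExecEvent:
    """What the agent observes when a process tries to start."""
    path: str
    parent_path: str
    cert_subject: Optional[str]          # signer of the file, None if unsigned
    file_bytes: bytes
    sha256: str = field(init=False)

    def __post_init__(self) -> None:
        self.sha256 = hashlib.sha256(self.file_bytes).hexdigest()


def rule_matches(rule: Rule, ev: ExecEvent) -> bool:
    if rule.kind == "full_path":
        return ev.path.lower() == rule.value.lower()
    if rule.kind == "process_path":      # parent-process rule; Windows-only per the page
        return ev.parent_path.lower() == rule.value.lower()
    if rule.kind == "cert":
        return ev.cert_subject is not None and ev.cert_subject == rule.value
    if rule.kind == "hash":
        return ev.sha256 == rule.value.lower()
    raise ValueError(f"unknown rule kind {rule.kind}")


def evaluate(policies: List[Policy], ev: ExecEvent, now: datetime) -> Tuple[str, str]:
    """Return (decision, policy name). Nothing matched means deny (default deny)."""
    live = [p for p in policies if p.expires is None or now < p.expires]
    matched = [p for p in live if any(rule_matches(r, ev) for r in p.rules)]
    denies = [p for p in matched if p.action == "deny"]
    if denies:                           # assumption: explicit deny beats any permit
        return "deny", denies[0].name
    permits = sorted((p for p in matched if p.action == "permit"),
                     key=lambda p: LEVELS.index(p.level))
    if permits:
        return "permit", permits[0].name # most specific matching level is reported
    return "deny", "default-deny"


# ---- constructed sample data (stand-in bytes, not real binaries) ----
NOW = datetime(2024, 1, 1, 12, 0)
PARENT = r"C:\Windows\explorer.exe"
V1_HASH = hashlib.sha256(b"acme-editor-v1").hexdigest()

ACME_V1 = ExecEvent(r"C:\Program Files\Acme\editor.exe", PARENT, "CN=Acme Corp", b"acme-editor-v1")
ACME_V2 = ExecEvent(r"C:\Program Files\Acme\editor.exe", PARENT, "CN=Acme Corp", b"acme-editor-v2")
UNINSTALLER = ExecEvent(r"C:\Program Files\Acme\uninstall.exe", PARENT, "CN=Acme Corp", b"acme-uninstall")
UNSIGNED = ExecEvent(r"C:\Users\bob\Downloads\editor.exe", PARENT, None, b"unknown-build")
VENDOR_TOOL = ExecEvent(r"C:\Temp\vendor.exe", PARENT, None, b"vendor-tool")

POLICIES = [
    Policy("Acme editor v1 (hash)", "permit", "computer", [Rule("hash", V1_HASH)]),
    Policy("Acme Corp (cert)", "permit", "organization", [Rule("cert", "CN=Acme Corp")]),
    Policy("Block Acme uninstaller", "deny", "global",
           [Rule("full_path", r"C:\Program Files\Acme\uninstall.exe")]),
    Policy("Vendor tool (temporary)", "permit", "computer",
           [Rule("hash", hashlib.sha256(b"vendor-tool").hexdigest())],
           expires=NOW - timedelta(hours=1)),   # already expired at NOW
]


def demo() -> Dict[str, Tuple[str, str]]:
    events = {"acme_v1": ACME_V1, "acme_v2": ACME_V2, "uninstaller": UNINSTALLER,
              "unsigned": UNSIGNED, "vendor_expired": VENDOR_TOOL}
    return {name: evaluate(POLICIES, ev, NOW) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (decision, why) in demo().items():
        print(f"{name:15} {decision:6} {why}")
```

Running it shows the trade-off a practitioner has to make: the hash rule permits exactly one build (v1) and silently stops matching v2, so every vendor update needs a new approval; the certificate rule survives updates but permits everything Acme signs, which is why the explicit deny on the uninstaller is needed. The unsigned download and the tool whose temporary policy has expired both fall through to default deny.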
Ringfencing™
Ringfencing™ is available on both Windows and Mac and controls what a permitted application is allowed to do once it is running. Application Interaction controls and logs which other applications and system components a ringfenced application may interact with, so that only authorized interactions occur. Files controls which files a ringfenced application may read or write, keeping sensitive data away from applications and users that have no need for it. Network control restricts an application's network access, either with custom destinations or with Network Tags, which categorize network resources so that policies can be applied and activity monitored without listing every address individually.
Each of these controls carries one of three statuses: Inherit, which takes its setting from the parent policy or configuration; Secured, which enforces the restriction; and Monitor Only, which logs the activity without enforcing it, which is useful for observing an application's behavior before enforcing a policy. The same three statuses are available whether the Ringfencing policy as a whole is in Secured mode or in Monitor Mode; in Monitor Mode the policy only observes by default, but a control explicitly set to Secured continues to be enforced.
These features are designed to provide a flexible and secure environment, whether you're using the product on Windows or Mac.
Elevation
Both Mac and Windows support the full set of Elevation Control options. On both, a specific application can be elevated to run as a local administrator, with the choice of whether or not to notify the end user that elevation is in place, and both can force a program to run as a standard user (Do Not Elevate). On both systems an elevation policy can be set to expire after a time specified in the policy. Windows and Mac elevate differently because of OS differences, but the resulting outcome is the same.
Network Control
Network Control for both Windows and Mac manages inbound and outbound traffic to protected devices. Organizations create access policies based on IP addresses or keywords so that only authorized connections are permitted. Once a connection is authenticated, it remains open for 5 minutes, with the authentication status rechecked every minute; if a recheck fails, the connection is closed within 5 minutes.
To use Network Control, enable the module in the ThreatLocker settings and create inbound and outbound policies tailored to the environment: define source and destination locations, configure ports, and select the protocol (TCP/UDP). Policies can block all network traffic or permit/block traffic by IP address, keyword, tag, or object, and can be applied directly to IP addresses or tags so that specific devices or groups of devices are covered. All ports can be blocked, or only specific ports permitted, which gives flexibility in exposing network services.
Network Control also integrates with Authorization Hosts to dynamically permit remote access based on keywords associated with the destination of the traffic. Authorization Hosts can be applied at all group levels, for consistent policy across the network, and can be configured on different ports. Network activity is logged in detail to the Unified Audit, which supports compliance with security standards that require such logging. Overall, Network Control lets organizations manage network traffic proactively while minimizing the risk of unauthorized access.
Storage Control
Storage Control is an optional module within ThreatLocker that lets organizations control access to various types of storage, such as USB drives, network shares, and local folders. Administrators create granular policies that dictate who can access specific files or folders and under what conditions. Key features of Storage Control include:
1. Access Restrictions: Administrators can block or permit access to specific storage devices based on user roles or on the application making the access.
2. Policy Creation: Administrators can create 'Permit' or 'Deny' policies for different file paths, specifying whether the policy applies to all remote computers or only to those running ThreatLocker.
3. Wildcards: Wildcards in file paths allow a single policy to cover multiple files or directories.
4. Device Selection: Policies can apply to all devices or be limited to specific storage devices by serial number.
5. Interface Selection: Administrators can choose which interfaces (e.g., USB, DVD) the policies apply to.
6. Encryption Enforcement: Storage Control can enforce encryption on removable media and restrict access based on a drive's encryption status.
Overall, Storage Control helps organizations maintain data security by ensuring that only authorized users and applications can access sensitive information, wherever it is stored.
Configuration Manager
Configuration Manager is a place to quickly design policies that mitigate the most common threat vectors.
Beginning in ThreatLocker Version 9.0, Configuration Manager has been substantially reworked. Once computers are updated to ThreatLocker Version 9.0, the Legacy policies no longer take effect on those endpoints, and policies must be recreated in the new format supported by Version 9.0.
Configuration Manager policies in the new format include an option to revert to the Windows default settings. Many policies have had slight name changes. Policies that are better controlled by other ThreatLocker modules were removed from Configuration Manager and will be added as Community policies for those modules.
ThreatLocker Detect
ThreatLocker Detect is a module that lets organizations create rules for monitoring and responding to specified events on their systems. It uses telemetry data, threat levels, and policies to complement the zero-trust controls of the other modules with detection of suspicious behavior. The module can raise alerts when defined conditions are met, adjust application control policies in response, and integrate with other ThreatLocker services such as the Remediator.
To open ThreatLocker Detect, expand the 'Modules' dropdown menu in the ThreatLocker Portal and select 'ThreatLocker Detect'. From there you can add new policies, configure policy actions, monitor threats in real time, and manage remediation states for affected objects. For more detailed information about specific features and how to use them within your organization's security framework, refer to the relevant sections of the documentation or contact Cyber Heroes for assistance.
Client
Both the Windows Agent and the Mac Agent include the ThreatLocker Tray, accessible from the system tray (menu bar on Mac), which provides quick access to the following functions:
- Blocked Items - The Blocked Items table lists the items that have been blocked on the endpoint, so that security events can be reviewed and approval requests raised.
- Override Code - The Override Code allows a temporary bypass of security policies with an authorized code, for use when communication with ThreatLocker is not possible.
- Reset Local History - Clears the local history of actions and events, which is useful for troubleshooting and for privacy.
- Rapid Check-In - Forces an immediate synchronization with the server so that the latest policies and updates are applied promptly.
- Realtime Unified Audit - Shows a real-time view of the audit log, giving immediate insight into system activity and security events.
- Maintenance Mode - Temporarily suspends security policies so that system maintenance can be carried out without interruption.
These features are designed to provide a seamless and secure experience, whether you're using the Windows Agent or the Mac Agent.
Installer
Each installer type has its own strengths and suits different deployment scenarios. The Stub Installer always fetches the latest version and helps maintain service health, while the MSI Installer offers flexibility in deployment methods for Windows environments. The PKG Installer is the installer for macOS.