ThreatLocker Application Control Quick Start Guide

ThreatLocker Application Control gives you the ability to control what applications and storage devices are used in your Organization.

Our service is delivered from the Cloud and requires a small agent to run on each computer. After signing up for a free trial of ThreatLocker, you will receive an email with login details for the ThreatLocker Portal. 

Accessing the ThreatLocker Portal
To access the ThreatLocker portal, visit https://portal.threatlocker.com
Log in using the credentials you were provided. 

Downloading and Installing ThreatLocker
Navigate to the Computer Groups page using the left menu. ThreatLocker policies are assigned to computer groups, and each group has its own installer: when you install, the computer is automatically added to the group whose installer you downloaded.

To download the installer, either select an existing group or create a new group, and then select the inline download link.

Note: Do not rename the installer; it reads the installer code for the group from its own file name.

To install ThreatLocker, double-click the downloaded MSI, or deploy it from any deployment system that can push MSI packages.

During the initial installation, we recommend that you put your Computer Group into Monitor Mode. The default groups will automatically be in Monitor Mode, which allows you to configure your policies without the fear of inadvertently blocking applications.  

After the ThreatLocker client is installed, the computer is scanned automatically. Within a few hours, policies are created automatically for the files found on the computer. These policies act as a baseline of what is already installed; because the scan permits whatever it finds, review them (see below) before leaving Monitor Mode.
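The installation step above can be scripted for a deployment system. The following PowerShell is an added example and is not ThreatLocker's own tooling: it runs the downloaded MSI silently with a verbose log, checks the msiexec exit code, and then confirms the agent service is running. The service name 'ThreatLockerService' and the log path are assumptions, not values taken from this page, and the installer path is passed through untouched so the installer code in the file name is preserved.

```powershell
# Added example (not from ThreatLocker): silent, logged install of the
# group-specific MSI via msiexec, then a check that the agent service runs.
# Assumptions (not stated on the page): the service name 'ThreatLockerService'
# and the log path are illustrative.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath,
    [string]$LogPath = "$env:TEMP\ThreatLockerInstall.log"
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}

# Pass the path exactly as downloaded; do not copy or rename it first,
# because the installer reads its group code from the file name.
$msiArgs = @(
    '/i', "`"$InstallerPath`"",
    '/qn',                      # no UI
    '/norestart',
    '/l*v', "`"$LogPath`""      # verbose log for troubleshooting
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Host 'Install succeeded.' }
    3010    { Write-Host 'Install succeeded; a reboot is pending.' }
    default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
}

# Assumed service name: confirm the agent is actually running before
# relying on the automatic baseline scan.
$svc = Get-Service -Name 'ThreatLockerService' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'Agent service not found; verify the installer log.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Agent service is present but $($svc.Status)."
} else {
    Write-Host 'Agent service is running.'
}
```

Run it from an elevated PowerShell session as `.\Install-ThreatLocker.ps1 -InstallerPath 'C:\Downloads\<downloaded file name>.msi'`; exit code 3010 is msiexec's "success, reboot required" code and should not be treated as a failure by your deployment tool.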

Working with your existing antivirus
ThreatLocker coexists with existing antivirus products: it does not stop your AV from running and does not conflict with it. However, your antivirus may need exceptions so that it does not block or quarantine ThreatLocker's own files. We recommend excluding the following files from scanning:
c:\program files\threatlocker\threatlockerservice.exe
c:\program files\threatlocker\threatlockertray.exe
c:\windows\system32\drivers\threatlockerdriver.sys
c:\program files\threatlocker\corehash.bin
c:\program files\threatlocker\appfilesV2.bin
c:\program files\threatlocker\applicationsv2.bin
c:\program files\threatlocker\actioncache.bin
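For endpoints running Microsoft Defender Antivirus, the exclusions above can be applied and verified with the built-in Defender cmdlets. The following PowerShell is an added example, not ThreatLocker's code or guidance; it assumes Defender is the AV in use (other products need their own exclusion mechanism, with the same file list) and deliberately excludes the exact file paths from the page rather than the whole ThreatLocker folder.

```powershell
# Added example (not from ThreatLocker): add the files listed above as
# Microsoft Defender exclusions, then read the preference back to confirm
# each one was accepted. Assumption: Microsoft Defender Antivirus is the AV.
$threatLockerFiles = @(
    'c:\program files\threatlocker\threatlockerservice.exe',
    'c:\program files\threatlocker\threatlockertray.exe',
    'c:\windows\system32\drivers\threatlockerdriver.sys',
    'c:\program files\threatlocker\corehash.bin',
    'c:\program files\threatlocker\appfilesV2.bin',
    'c:\program files\threatlocker\applicationsv2.bin',
    'c:\program files\threatlocker\actioncache.bin'
)

# Exclusions are a trust decision: keep them to exact file paths rather than
# the whole folder, so anything dropped next to the agent is still scanned.
$existing = (Get-MpPreference).ExclusionPath
foreach ($file in $threatLockerFiles) {
    if ($existing -contains $file) {      # -contains is case-insensitive
        Write-Host "Already excluded: $file"
        continue
    }
    Add-MpPreference -ExclusionPath $file
    Write-Host "Added exclusion: $file"
}

# Verify: report any path that did not take effect (for example because a
# Group Policy or tamper-protection setting overrides local preferences).
$after   = (Get-MpPreference).ExclusionPath
$missing = $threatLockerFiles | Where-Object { $after -notcontains $_ }
if ($missing) {
    Write-Warning "Exclusions not applied:`n$($missing -join "`n")"
} else {
    Write-Host 'All ThreatLocker exclusions are in place.'
}
```

Run from an elevated session. If your Defender settings are managed centrally (Group Policy, Intune), add the same paths there instead, because locally added exclusions can be overwritten on the next policy refresh.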

Reviewing and Managing your Policies
After a few days of running ThreatLocker in Monitor Mode, review the automatically created policies and decide whether any of the permitted applications should not be allowed. To review automatically created policies:-

  1. Select Application Control > Policies from the left navigation menu.

  2. Select the Computer Group from the top right dropdown list.

  3. Review the list of the policies created automatically.

  4. For any application you do not wish to permit, delete its policy.

Note: Exercise caution when removing the policy for an application that loads a kernel driver or otherwise interacts with the kernel; blocking such an application while it is still installed can destabilise the system. We recommend you uninstall these applications before blocking them. 


Creating a default deny policy
We recommend that you create a policy to deny any application that does not have an explicit permit policy. While the group is in Monitor Mode, the Deny policy will not block anything, but creating it now lets you see in the Audit what would be blocked once you take the group out of Monitor Mode. To create a default deny policy:-

  1. Select the New Policy button at the bottom of the Application Policies Page;

  2. Give the new policy a name. For example "Default Deny";

  3. Under "What should this policy do?", change the action to deny;

  4. If you wish users to be able to request permission to blocked applications, check "Allow the user to request permission";

  5. If you would like administrators to be able to receive notifications when a user requests permission, select "Notify the following admins", and add the administrators e-mail addresses to the list;

  6. Scroll to the bottom of the page and, under "Do you want this policy to run before or after existing policies?", select "After". Application policies are evaluated in order, so the Default Deny policy must sit at the bottom of the list, below every permit policy.

Reviewing the Audit
Once the default policies have been created and a default deny policy is in place, use the Audit to review which files are executing and which policy applies to each. 

  1. Select Application Control > Audit from the left menu;

  2. The audit page lists every application and library executed on your computers. Before disabling Monitor Mode, check that nothing you rely on is hitting the deny policy;

  3. To search by policy name, select the Advanced button, check the Policy check box and clear all the other check boxes;

  4. Enter the name of the deny policy in the search box and select Search.

To de-duplicate the results, use the Group By drop-down list.

Turning off Monitor Mode

Once you are satisfied that nothing legitimate is hitting the default deny policy, you can disable Monitor Mode. From that point blocking is enforced, so any application without a permit policy will be denied. To turn off Monitor Mode:-

  1. Select Computer Groups from the left Menu;

  2. Select the Computer Group you wish to edit;

  3. Clear the Monitor Mode checkbox.