ThreatLocker Application Control Quick Start Guide

ThreatLocker Application Control gives you the ability to control what applications and storage devices are used in your Organization.

Our service is delivered from the Cloud and requires a small agent to run on each computer. After signing up for a free trial of ThreatLocker, you will receive an email with login details for the ThreatLocker Portal. 

Accessing the ThreatLocker Portal
To access the ThreatLocker portal, visit https://portal.threatlocker.com
Log in using the credentials you were provided. 

Downloading and Installing ThreatLocker
Navigate to the Computers Groups page using the left menu. ThreatLocker policies are assigned to computer groups. When installing ThreatLocker, the installer will automatically add the computer to the group based on the downloaded installer. 

To download the installer, either select an existing group or create a new group, and then select the inline download link.

Note: Do not rename the installer, as it requires the installer code in the file name. 

To install ThreatLocker simply click on the downloaded MSI, or you can deploy from any deployment system that can deploy MSIs. 

After installing the ThreatLocker client, your computer will automatically be scanned. Within a few hours, new policies will automatically be created for the files we found on your computer. These policies act as a baseline of what is already installed. 

Working with your existing antivirus
ThreatLocker plays nicely with existing antiviruses. We will not interfere with your AV from running, and will not conflict. However, you may need to create exceptions to prevent your antivirus from blocking ThreatLocker. We recommend you exclude the following files from scanning. 
c:\program files\threatlocker\threatlockerservice.exe
c:\program files\threatlocker\threatlockertray.exe
c:\windows\system32\drivers\threatlockerdriver.sys
c:\program files\threatlocker\corehash.bin
c:\program files\threatlocker\appfilesV2.bin
c:\program files\threatlocker\applicationsv2.bin
c:\program files\threatlocker\actioncache.bin

Reviewing and Managing your Policies
After a few days of running ThreatLocker in Monitor mode, we recommend you review the default policies, and see if there are any applications that you do not want to permit. To review automatically created policies:-

  1. Select Application Control > Policies from the left navigation menu.

  2. Select the Computer Group from the top right dropdown list.

  3. Review the list of the policies created automatically.

  4. If you do not wish to permit any of these applications, you can delete the policy.

Note: Exercise caution when removing applications that may interact with the kernel. We recommend you uninstall these applications before blocking them. 

Reviewing the Audit
After you are happy the automatic policies have been created, you can use the Audit to review what files are executing and which policies apply. Before changing the default policy to deny, it is a good idea to check nothing unintended it hitting the deny policy;

  1. Select Application Control > Audit from the left menu;

  2. The audit page displays a list of all applications and libraries that are executed on your computers.

  3. To search by the policy name:-

    1. Select the Advanced Search button;

    2. Enter the name of the deny policy is the search box, and select search.

If you wish to reduplicate the results, use the Group By drop down list.

Creating a default deny policy
ThreatLocker automatically creates a default permit policy when adding new groups. Once you are happy nothing is hitting the Default policy that should not be, you can change the Default policy to deny any unauthorized software.

  1. Select the Inline edit button for the Default Policy for the group. This policy should be at the bottom of the page for the group;

  2. Under "What should this policy do?", change the action to deny;

  3. If you wish users to be able to request permission to blocked applications, check "Allow the user to request permission";

  4. If you would like administrators to be able to receive notifications when a user requests permission, select "Notify the following admins", and add the administrators e-mail addresses to the list;

  5. Scroll down to the bottom of the page, and under the section "Do you want this policy to run before or after existing policies?" Select "After". Applications policies run in order, so the Default Deny policy should be at the bottom of the list.