Managing Applications

Applications are lists of files, hashes, certificates or paths that are used to create policies. Applications are normally created automatically by either the ThreatLocker Policy builder for new installs, or using Installation Mode.

In some cases, you may want to create applications yourself in advance. For example, you may want to create an application to include a certain list of folders, or certain trusted certificates.

Creating Applications

To create an application:-

  1. Login to the ThreatLocker Portal;
  2. Select Application Control > Applications from the left Menu;
  3. Select the New Application button;
  4. From the new application page, enter a name for your application;
  5. You can now add entries into your Application.
  6. If you want to add an application to apply to everything in the windows\system32 folder, you could add an entire folder.
    1. Enter the folder name in the path field, for example c:\windows\system32\drivers\*.
    2. Select the Add button; and
    3. The item will be added to the list.
  7. If you want to add any folders signed by Microsoft that are in the Windows\System32 folder, you can add a combination of the cert and the path.
    1. Enter the path as c:\windows\system32\*;
    2. Enter the certificate as “CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US”;
    3. Select the Add button; and
    4. Item will be added to the list.
  8. You can also add files by their hash. ThreatLocker uses MD5 hashes for hashing files that are smaller than 1MB. Files that are larger than 1MB, ThreatLocker uses a proprietary method of hashing, that uses a combination of MD5, SHA256 and other techniques. This method improves performance without compromising security. You can get the hash of a file from the ThreatLocker Application audit. To add a file hash into an application:-
    1. Enter the Hash in the Hash field;
    2. Select the Add button; and
    3. The hash will be added to the list.
  9. When adding items to a list, you can use a combination of path, process, hash or certificate. When leaving any field empty, no match is required. If you want to allow a certain process to be able to open any dll:
    1. Enter the process path in the process path (e.g. c:\windows\system32\notepad.exe");
    2. Enter *.dll in the path;
    3. Select the Add button; and
    4. The item will be added to the list.

Advanced Patterns

When add a path or a process to an application, you can add a wildcard to the beginning, end or middle of the path. For example:-

  1. If you want to include any files in the windows directory, enter c:\windows\*.
  2. To include all dll files in the windows directory, enter c:\windows\*.dll;
  3. To include all dll files in general, enter *.dll

You can also further enhance pattern matching by using regular expressions. To add a regular expression you prefix the path or the process with regex: (e.g. “regex:c:\\windows\\[0-9][a-z]”).

Warning: When using regular expressions take extra care when. An error in a regular expression could cause ThreatLocker to use additional system resources.