ThreatLocker
The application into which ThreatLocker places files it identifies as drivers is called
$hostname\drivers
ThreatLocker places Miscellaneous Windows files that it profiles during Learning Mode into which application?
$hostname\windows
By default, Installation Mode is enabled for
1 hour
How long are you required to leave your endpoints in Learning Mode?
There is no required amount of time
Place the Policy Hierarchy in the correct order from first processed to last
1. Single computer, 2. Workstations group, 3. Entire organization, 4. Global
Which of the following is the correct syntax for adding an IPv4 address to a tag?
10.0.0.221
What is the default duration of Learning Mode for new installs?
21 days
The majority of learning is completed in the first ______ days after deploying the ThreatLocker Agent
5
What port is required in order to set up an Authorization Host
8810
Who has the ability to grant access to an application from an application request
A ThreatLocker Administrator with approval privileges
How can ThreatLocker be used to block RDP
A network control policy
If you indicate a GroupName that doesn't match Workstations or Servers, what will occur
A new group with that name will be created automatically
How does ThreatLocker decide what to create policies for during the initial learning period
Advanced algorithms
Bob created a custom rule as follows: File matches c:\program files (x86)\myapplication\*.dll AND Process matches c:\program files (x86)\myapplication\direct\runapp.exe. What does this rule mean?
Any .dll in the c:\program files (x86)\myapplication\ folder can run if it is called by c:\program files (x86)\myapplication\direct\runapp.exe
A(n) __________________ request means there is currently no permission to run the requested software on the requesting endpoint
Application
A/an ____________________________ is a set of file hashes, certificates, or other custom rules that define exactly what files are required for an application to run
Application Definition
ThreatLocker recommends adding Ringfencing restrictions to Elevated applications to prevent __________________________.
Application Hopping
Where can all approval requests received from end users in an organization be viewed in the ThreatLocker Portal?
Approval Center
Select Multiple: Choose all the correct statements
Both Installation Mode and Learning Mode temporarily disable file blocking; Both Learning Mode and Installation Mode can be enabled from the quick dropdown menu on the Computers page
A/An _____________ can be used to permit brand new software in your environment without placing the endpoint into learning or installation mode
Built-in application definition
Select Multiple: Which advanced controls do you have access to when you use the Maintenance Mode window versus using the quick dropdown menu
Can enable multiple modes at once. Choose if the end user receives a popup. Can schedule ahead of time.
Select Multiple: Amanda is enabling Network Control for the first time. She wants to create a Policy to control internal (LAN) access to her fileserver that has the hostname "fileserver", and IP address of 192.128.24.3. She is unsure of what to select in the Object dropdown menu. Which of the following options should you instruct her to use
Computers; Organizations; Groups
Which of the following is the most secure way to permit a file in the windows\temp folder that has a dynamic file name, and changing hash that will allow future updated versions of the file to run?
Create a custom rule to permit the file by certificate and path, placing wildcards in the dynamic parts of the path.
When you approve an Elevation Request, ThreatLocker
Creates a second policy for the application with Elevation enabled
the goal of learning mode is to ______________
Define the ruleset needed to keep your environment running
Select Multiple: How can you stop ThreatLocker from monitoring a Configuration
Delete the policy; Deactivate the policy
Which 2 default storage policies are turned off by default
Deny Write to C$ Shares; Deny Write to Admin$ Shares
By default, ThreatLocker monitors network shares. The ____________ and ____________ folders are the only local folders monitored by default, although you can set policies to monitor others.
Desktop and Documents
You download the Stub Installer named ThreatLockerStubX64_ys6t9cn2blu90ilvyokz7u2e.exe. When deploying the ThreatLocker agent in Command Prompt you type the following command: ThreatLockerStubX64 InstallKey="ys6t9cn2blu90ilvyokz7u2e". What Computer Group will this computer be placed in?
Either Workstations or Servers, depending on the Stub Installer you downloaded
Once you have finished installing new software or updating existing software, you should __________________
End maintenance period and secure all endpoints
While in Automatic Learning Mode, ThreatLocker will learn the IP addresses an application with Ringfencing is communicating with and place them in the _________________ tab.
Exclusions
Select Multiple: Which of the following are ways you can change your endpoints to a secured status?
From the dropdown status box next to the computer name on the Computers page; Using the "Secured Mode" button at the top of the Computers page
Select Multiple: Which of the following are valid switches that can be used when deploying via Command Prompt with the Stub Installer?
GroupName, company, key
The _____________ is located in the MSI or Stub Installer file names
InstallKey
_____________ catalogs the files that are installing but does not catalog files that are executing which would normally be stopped by the default-deny policy
Installation Mode
_____________ is useful when installing new software as it captures only the newly created files on the endpoint
Installation Mode
Select Multiple: In response to detecting malicious or anomalous behavior, what can ThreatLocker Ops be configured to do
Isolate a machine. Turn another policy on/off. Trigger an Alert
The Severity of a health center alert directly relates to the Threat Level values. Match the Severity selection to the correct threat level change
Log = No change in Threat Level; Info = Increase Threat Level by 1; Warn = Increase Threat Level by 5; Danger = Increase Threat Level by 10
In the ThreatLocker Portal, which part of the menu should you go to view/edit Application Control policies within platform?
Modules
When you enable Network Control Policies, the Network Control will go into
Monitor mode, which shows the different source IPs, destination IPs, and the ports they are connecting to. You must manually create the policies that permit the desired traffic before creating a deny-all policy at the top of the policy hierarchy
Place the following parameters for permitting a file in order from the most to least secure
Most secure = Hash; Second best = Certificate combined with either path, process, or created by; Third best = Certificate alone (for a very trusted vendor); Least secure = Combination of path, process, and created by
In the ThreatLocker Portal, where can you find a list of organizations you have permission to view?
Organizations
Given the following audit excerpt, what is the most secure way you can allow these files assuming the processes above will not change?
File matches c:\programdata\ups\wstd\updatedir\before.bat AND Process matches c:\windows\syswow64\cmd.exe AND Created by c:\program files (x86)\ups\wstd\worldshiptd.exe
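The three rule questions above (Bob's DLL rule, the dynamic file in windows\temp, and the UPS audit excerpt) all turn on the same two ideas: every condition in a custom rule is ANDed, and the strength of a permit depends on which parameters it pins. The following evaluator is an added example, not ThreatLocker code, and runs the page's own rules over constructed audit entries. The field names, the matching semantics (case-insensitive, "*" wildcards, first matching rule permits, otherwise deny) and the signer name "Example Vendor LLC" are assumptions made for the illustration.

```python
import fnmatch
import hashlib

def _glob(pattern, value):
    """Case-insensitive wildcard match (Windows paths are case-insensitive).
    Caveat: in this toy, '*' also spans '\\' separators, so a pattern ending
    in '\\*.dll' accepts DLLs in subfolders too. Confirm the real product's
    wildcard semantics before relying on that in a production rule."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

# One predicate per parameter named on this page. An unsigned file has no
# "certificate" key, so a certificate condition can never match it.
CONDITIONS = {
    "file":        lambda want, ev: _glob(want, ev["file"]),
    "process":     lambda want, ev: _glob(want, ev["process"]),
    "created_by":  lambda want, ev: _glob(want, ev.get("created_by", "")),
    "certificate": lambda want, ev: ev.get("certificate") == want,
    "hash":        lambda want, ev: ev["hash"] == want,
}

def rule_matches(rule, event):
    """All conditions of a custom rule are ANDed; one failure means no match."""
    return all(CONDITIONS[key](want, event) for key, want in rule.items())

def decide(rules, event):
    """Default-deny evaluation: the first matching rule permits, else deny."""
    for name, rule in rules:
        if rule_matches(rule, event):
            return "permit:" + name
    return "deny"

def sha256(data):
    return hashlib.sha256(data).hexdigest()

RULES = [
    # Hash only: most secure, but breaks as soon as the file is rebuilt.
    ("pinned-tool", {"hash": sha256(b"tool build 1")}),
    # Bob's rule: any DLL in the folder, but only when called by runapp.exe.
    ("myapp-dlls", {
        "file": r"c:\program files (x86)\myapplication\*.dll",
        "process": r"c:\program files (x86)\myapplication\direct\runapp.exe",
    }),
    # Dynamic name and changing hash in windows\temp: certificate plus a
    # wildcard path survives updates without opening the folder to anything.
    ("temp-updater", {
        "file": r"c:\windows\temp\*.exe",
        "certificate": "Example Vendor LLC",   # assumed signer name
    }),
    # The UPS excerpt: path AND process AND created by.
    ("ups-before-bat", {
        "file": r"c:\programdata\ups\wstd\updatedir\before.bat",
        "process": r"c:\windows\syswow64\cmd.exe",
        "created_by": r"c:\program files (x86)\ups\wstd\worldshiptd.exe",
    }),
]

def run_examples():
    """Constructed audit entries (not real ThreatLocker audit output)."""
    myapp_dll = r"C:\Program Files (x86)\MyApplication\helper.dll"
    runapp = r"C:\Program Files (x86)\MyApplication\direct\RunApp.exe"
    ups_bat = r"C:\ProgramData\UPS\WSTD\UpdateDir\before.bat"
    cmd32 = r"C:\Windows\SysWOW64\cmd.exe"
    worldship = r"C:\Program Files (x86)\UPS\WSTD\WorldShipTD.exe"
    events = {
        "pinned_tool_ok": {"file": r"C:\Users\bob\Desktop\tool.exe",
                           "process": r"C:\Windows\explorer.exe",
                           "hash": sha256(b"tool build 1")},
        "pinned_tool_rebuilt": {"file": r"C:\Users\bob\Desktop\tool.exe",
                                "process": r"C:\Windows\explorer.exe",
                                "hash": sha256(b"tool build 2")},
        "dll_via_runapp": {"file": myapp_dll, "process": runapp,
                           "hash": sha256(b"helper v1")},
        "dll_via_rundll32": {"file": myapp_dll,
                             "process": r"C:\Windows\System32\rundll32.exe",
                             "hash": sha256(b"helper v1")},
        "temp_signed_v1": {"file": r"C:\Windows\Temp\upd_7f3a.exe",
                           "process": r"C:\Windows\explorer.exe",
                           "certificate": "Example Vendor LLC",
                           "hash": sha256(b"updater v1")},
        "temp_signed_v2": {"file": r"C:\Windows\Temp\upd_9c1e.exe",
                           "process": r"C:\Windows\explorer.exe",
                           "certificate": "Example Vendor LLC",
                           "hash": sha256(b"updater v2")},
        "temp_unsigned": {"file": r"C:\Windows\Temp\upd_1111.exe",
                          "process": r"C:\Windows\explorer.exe",
                          "hash": sha256(b"who knows")},
        "ups_batch": {"file": ups_bat, "process": cmd32,
                      "created_by": worldship, "hash": sha256(b"bat")},
        "ups_wrong_creator": {"file": ups_bat, "process": cmd32,
                              "created_by": r"C:\Users\bob\Downloads\dropper.exe",
                              "hash": sha256(b"bat")},
    }
    return {name: decide(RULES, ev) for name, ev in events.items()}

if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:20s} {verdict}")
```

Two results are worth pausing on: the hash-pinned tool is denied the moment it is rebuilt, which is exactly why certificate plus path is recommended for files that update themselves, and the same DLL is permitted under runapp.exe but denied under rundll32.exe, because the process condition is ANDed with the path rather than being an alternative to it.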
How can you set a policy to observe what changes an application makes to the registry but not block any of those actions on endpoints that are in a secured state
Permit the application with Ringfencing, set the status to "Monitor Only", and then select the checkbox next to "Restrict these applications from making registry changes except for the below rules"
Match the terminology with the correct definitions
Policy Conditions = Monitored parameters which may indicate potential compromise or weakness; Policy Actions = Actions which are triggered based on meeting designated policy conditions; Threat Levels = Custom numerical levels which contain action policies that activate as configured
If possible, ThreatLocker recommends adding Ringfencing to prevent applications from interacting with _________________.
PowerShell
Select Multiple: Which of the following options can be used to deploy/install the ThreatLocker Agent?
PowerShell, Active Directory via GPO, MSI, RMM
Leveraging the ________________ button will reduce your policy list drastically
Remove Unused Policies
What does this status of "Secured" mean
Ringfencing will be enforced even if the computer is in Learning Mode
Where can you get more advanced options, such as scheduling a start time, when switching your computer into a Maintenance Mode
Schedule Maintenance Button
How can you add 2 suggested policies to the policy level you selected
Select the 2 desired suggested policies from the list and click the "Add 2 Suggested Policies" button
How can you set up alerts for when new policies are triggered
Set up policy in ThreatLocker Ops to alert
Place the steps for enabling Elevation on your account in order
Step 1 = Navigate to the Organizations page; Step 2 = Locate the Organization you want to enable Elevation on; Step 3 = Click the "Modules" dropdown menu; Step 4 = Click the checkbox next to Elevate
What are tags
Tags are a collection of IP addresses or domains that can be applied to multiple policies
If you have a policy for an application set at the entire organization level and then you set an Elevation policy for the same application at the computer group level, what will happen
The Elevation policy will never be matched because the entire organization policy will be matched first
Bob has just deployed ThreatLocker to his client's PCs, and they are in Learning Mode. He has created a storage policy to deny all USB drives. What will happen when a user tries to use a USB drive on one of the PCs in Learning Mode
The USB will be blocked
If an expiration is set on the Elevation portion of a policy, once elevation expires
The application can be run as a normal user
What will you view if you click on the smaller "Jetbrains" that the red arrow is pointing to?
The application definition
Select Multiple: What fields can be edited/configured when creating or editing a Configuration Manager policy?
The hierarchy level the policy applies to. An expiration date for the policy. If policy will show up at the top or at the bottom of your existing Configuration Manager policies list. Whether or not the policy will be active when created.
Where in the ThreatLocker Portal do you go to open Configuration Manager
The modules dropdown
What is the Lookback Period?
The period of time between the days of initial learning and the present
Select Multiple: When preparing to install a new computer into an existing group in the ThreatLocker Portal, where can you locate the Stub Installer you will need
The top-right of any page > Install Computer Button, The Computer Groups Page > Download Installer Icon, The Computers Page > Install Computer Button
Select Multiple: Which of the following are true regarding a Web Extension
They are not tracked by ThreatLocker. They can be malicious
Select Multiple: Which of the following is an advantage of using tags
They can be shared across multiple organizations. Changes made to tags are automatically applied to the endpoints without deploying policies
Which of the following is true of drivers
They can sometimes be misidentified by ThreatLocker
ThreatLocker requests can only be approved by a(n) ________________.
ThreatLocker Account Administrator
Select Multiple: Which of the following statements are true
ThreatLocker Ops policies process from top down. A policy configured to monitor threat levels must be located after any policies that increase the threat level
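The two statements above (Ops policies process top-down; a Threat Level policy must sit below the policies that raise the level) and the Health Center severity mapping earlier on the page are easy to state and easy to get wrong in a real policy list. The following simulation is an added example, not ThreatLocker code. Only the severity increments (Log 0, Info +1, Warn +5, Danger +10) come from the page; the policy shapes, the constructed event and the "isolate" action label are assumptions made for the illustration.

```python
SEVERITY_INCREMENT = {"Log": 0, "Info": 1, "Warn": 5, "Danger": 10}

def condition_policy(name, severity, predicate):
    """A policy whose condition is checked against each event; on a match it
    alerts and raises the Threat Level by the increment for its severity."""
    return {"kind": "condition", "name": name, "severity": severity, "match": predicate}

def threat_level_policy(name, at_least, action):
    """A policy that fires an action once the Threat Level reaches a value."""
    return {"kind": "threat_level", "name": name, "at_least": at_least, "action": action}

def process(policies, event, threat_level=0):
    """Walk the policy list top to bottom for one event.
    Returns (final Threat Level, list of actions fired in order)."""
    actions = []
    for pol in policies:
        if pol["kind"] == "condition" and pol["match"](event):
            threat_level += SEVERITY_INCREMENT[pol["severity"]]
            actions.append("alert:" + pol["name"])
        elif pol["kind"] == "threat_level":
            # Only the Threat Level accumulated by policies ABOVE this one is
            # visible here; anything raised further down is not seen.
            if threat_level >= pol["at_least"]:
                actions.append(pol["action"] + ":" + pol["name"])
    return threat_level, actions

# Constructed event: Word spawning an encoded PowerShell command line.
EVENT = {
    "process": r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    "parent": r"c:\program files\microsoft office\root\office16\winword.exe",
    "cmdline": "powershell.exe -NoProfile -EncodedCommand SQBFAFgA",
}

LOG_PS = condition_policy("PowerShell executed", "Log",
    lambda e: e["process"].endswith("powershell.exe"))
PS_FROM_OFFICE = condition_policy("PowerShell spawned by Office", "Warn",
    lambda e: e["process"].endswith("powershell.exe") and "office" in e["parent"])
ENCODED_CMD = condition_policy("Encoded PowerShell command", "Warn",
    lambda e: "-encodedcommand" in e["cmdline"].lower())
ISOLATE_AT_10 = threat_level_policy("Isolate at Threat Level 10", 10, "isolate")

def misordered():
    """Threat Level policy placed above the policies that raise the level."""
    return process([ISOLATE_AT_10, LOG_PS, PS_FROM_OFFICE, ENCODED_CMD], EVENT)

def correctly_ordered():
    """Threat Level policy placed after every policy that raises the level."""
    return process([LOG_PS, PS_FROM_OFFICE, ENCODED_CMD, ISOLATE_AT_10], EVENT)

if __name__ == "__main__":
    print("misordered:       ", misordered())
    print("correctly ordered:", correctly_ordered())
```

Both orderings end at Threat Level 10 and both produce the same three alerts, but only the correctly ordered list isolates the machine, because the isolate policy in the misordered list evaluated while the level was still 0. The Log policy alerts without moving the level, matching the mapping on the page.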
Pick the true statement
ThreatLocker will create custom applications based on your baseline
The most secure way to permit a file is by hash
True
Where in the ThreatLocker Portal can you review your Lookback Period for denied files?
Unified Audit
Select Multiple: Select the ways you configure Network Control (NC) to solve a conflicting public IP address and private IP address drawn from different firewalls on the same Local Area Network (LAN)
Utilize Authorization Hosts with Keywords in Network Control policies; Toggle on the Network Control Challenge to support Objects in a single-LAN, multi-WAN environment (Version 8.2 and above only)
Where can you find the Help Desk page within the ThreatLocker Portal?
Within the Help button at the top-right of the screen
Which of the following is true about signed files
You can permit them by certificate as well as another parameter
What would be the expected search result of the following Advanced Search?
You would see a list of all logs with a process that ends in .exe
A policy set for a single computer will be processed before ___________________
a policy for a computer group
Select the BEST answer: Which ThreatLocker Module(s) can ThreatLocker Ops interact with
All ThreatLocker modules
When viewing the "Add to Application" window, the newest rules will be ___________________.
at the top
Select Multiple: Which of the following information can you see by expanding an entry in the Unified Audit?
complete file path, application, base64 encoding of the file
By default, you will be on the Regular Update Channel, and updates are made according to your _____________________ settings.
computer group
Which of the following is the default selection for creating and applying policies after the Baseline upload
computer policies only
To add a tag to a policy, under the "Internet" tab check the box next to "Restrict these applications from accessing the internet, except for the below rules". Then you will need to choose the _________ tab
custom rules
By default, which of the following are included in the protected files? (Choose 2)
external storage, network shares
Unsigned files that are created on the fly, such as C:\windows\temp\*, should be permitted by certificate and process path
false
Where can you look to quickly compare the hash of a file as it has been observed in your environment
file history button in the unified audit
The ____________ is the same as your company's Unique Identifier, which is located in the RMM and Script Deployment windows.
key
Which computer mode catalogs all the files installing and executing in your environment
learning mode
When custom rules are made, ThreatLocker __________________
learns from them
To search for all files that were called by a specific process, use the __________ search box
process
Which of these folders is automatically learned during baselining
program files
_______________ allows you to restrict how an application can interact with your
ringfencing
How can I put multiple computers into learning mode quickly without setting each
schedule maintenance button
You should strive to keep your endpoints in ___________________ as much as possible to keep your environment protected
secure mode
The _____________ file is the preferred way to manually install the ThreatLocker Agent because it will receive the same ThreatLocker version as your computer group settings
stub installer
Out of the following options, which option below is profiled during real-time learning but not profiled during baselining
temporary folders
Select Multiple: Which of the following are not impacted by a computer being in Learning Mode?
threatlocker ops, elevation control, storage control
Choose Two: Application control policies are processed from __________ to _________.
top, bottom
NC Authorization Hosts are destination servers and rely on keyword handshakes every 5 minutes to allow communication
true
Signed files should be permitted by certificate and one of these options: path, process, or created by
true
Where can you view the comprehensive activity log for an organization in the ThreatLocker Portal?
unified audit
Select Multiple: Choose the policies that ThreatLocker creates by default for the Servers group
windows core files, windows defender