Cyber Hero Test
what are valid switches that can be used when deploying through command prompt with the stub installer?
group name, company and key
storage control policies and elevation control are not impacted by?
learning mode. elevation popups will still occur when you are in learning mode; for this reason, you may want to disable elevation control during learning mode.
elevation control popups will still occur in ________ mode
learning mode. for this reason, you may want to disable elevation during this period
monitor only and learning mode do not apply to?
storage control and elevation
in which locations will applications be learned during realtime learning?
Program Files folder, app data, and in the Windows Directory
To view which policies are being used, click the ?
"Update last match date" button at the top of the policies page
how does tl decide what to create policies for during the initial learning period?
advanced algorithms
if you are deploying tl via powershell script and AD, the identifier is inserted into the
company =" " field
updates are made according to your ______ settings
computer group
where can you find an email link to install threatlocker?
computer groups, downloads button next to each group
storage control
create policies to protect from data theft
How long after you onboard should you review policies to remove unused policies?
After a month or 2
when threatlocker profiles drivers, it places them into an application called ?
$hostname\drivers. if threatlocker doesn't recognize a driver as a driver, it gets added to the $hostname\Windows folder. However, if the driver is located in the Windows\Drivers folder, tl will identify it as a driver.
during the initial baseline and learning period, tl places miscellaneous windows files in an application named?
$hostname\windows. tl also creates a policy with the same name
during the initial baseline and learning period, tl profiles the drivers running on each computer and places them into an application called?
$hostname\drivers. tl also creates a policy with the same name
max time for login time?
2 hrs
How long does it take majority learning mode to be completed?
5 days
how many built in applications does tl have?
500
Ringfencing
Allows you to create boundaries protecting your powerful administrative tools such as command prompt, powershell, run dll and regserv from compromised applications. It also enables you to block applications from accessing the internet entirely or allow applications to only access certain sites.
Threatlocker does not automatically create certificate rules for applications in folders located at the root of ?
C:\ - any program located here that has a frequently changing hash will require a custom application and policy to be created manually to prevent future blocks when the hash changes. by viewing the file history, you can identify files that change hash frequently
In which folders will applications not be profiled during the automatic learning period unless tl is able to match them to an application name?
Documents folder, downloads folder, desktop folder, users folder, or a folder at the root of C:\
Policy Hierarchy
Global, global computer groups, entire org, individual groups, computer groups
For ringfencing to take effect, make sure to?
Make sure the application you are changing the policy for is shut down and restarted, and make sure to deploy policies
realtime learning goes further than the baseline; it learns and profiles applications running in the....
WinSxS folder and temporary folders that were not profiled in the baseline. realtime learning will also learn things on your network shares.
threatlocker's 3 main components?
application control, storage control and elevation
some rmms offer continuous deployment, meaning?
as new computers are added, they will automatically get TL deployed
when elevating a policy, it is important to?
block interaction with all other applications unless they are explicitly required
to change the default learning mode duration, navigate to the computers page, then...
click on the pencil icon next to the group you wish to change (servers, workstations). you can hit the dropdown for Initial learning mode for new computers
what is a tag?
collection of ip addresses and domains
can change default learning mode period in
editing computer groups
if you are deploying with a script via rmm, the _____________ should match the name of your organization in your rmm
identifier (lms-mm)
deleting a computer
if the computer checks in, it will reappear on the list; it has to be permanently deleted. the computer has to be offline for 15 minutes or inactive for 28 straight days before it can be deleted from the portal.
a ringfencing policy will take effect regardless of maintenance mode if it is?
if the policy is set to secured
default learning mode is set to learn collectively, meaning?
if you have one computer in that group running Office, the policy created by learning will be shared across the computer group
by default, computers are initially placed into a _____ learning mode and they will learn ______
indefinite / collectively
by default, newly deployed computers are automatically placed into learning mode for how long?
indefinite duration
install key vs key
install key is tied to groups, key is unique identifier at the parent level. using the key, you will not need to specify the unique identifiers for each child account
the ____________ must remain in the file name of the msi for it to install
installkey
what percent cpu usage does the tl agent use, and how many mb of ram?
less than 1% cpu usage and less than 200 mb of ram. the policies are saved locally, so even if it is offline the computer will be protected.
Fileless malware
malware that runs strictly in memory. it is often a powershell script that has been hidden in a legitimate-looking file, like a word document for example. if you were to receive a word document that tried to run on powershell to carry out malicious activity, it would not be able to access powershell because this ringfencing policy blocks office from interacting with powershell.
can you specify a port number with a tag?
no
every chat needs to be picked up within?
one minute
the moment a customer sends you a message, the timer starts. you have to send a response within?
one minute. not be typing it, but send it
to enable or disable a tl product, navigate to?
organizations page, product dropdown menu
how can you set a policy to observe what changes an application makes to the registry but not block any of those actions on endpoints that are in a secured state?
permit the application with ringfencing, set the status to monitor only, and then select the checkbox next to 'restrict these applications from making registry changes except for the rules below.'
where can you add tags in a policy?
policy, internet, custom rules dropdown
Threatlocker recommends blocking interaction with the following windows tools
powershell, command prompt, rundll, regserv, regedit, cscript, psexec, windows scheduled tasks
which folder is automatically learned during baselining?
program files
the stub installer will always
push out the latest version of TL
new versions of TL are released by default, what channel is an org on?
regular update channel, inherited from the computer group
secured status on a ringfencing policy?
ringfencing will be enforced even if the computer is in learning mode
explicit deny policy
set to deny at all times, no matter what status the computer is in. there are no explicit deny policies by default
when you make a change to a tag..
the changes will automatically be applied to all policies it is used in, and there is no need to deploy policies
when tl profiles your drivers, it will profile them based on?
the hash of the file.
Lookback period
the period of time between the computer's initial days of learning mode and the present. if your clients have been deployed for 7 days, the first 5 days are the learning period, which gives you a 2 day lookback period.
threatlocker does not automatically create certificate rules for applications in folders located at ________
the root of C:\. Any program located here that has a frequently changing hash will require a custom application and policy to be created manually to prevent future blocks when the hash changes.
2 advantages of using tags
they can be shared across multiple organizations, and changes made are automatically made without deploying policies
do not automatically create policies
this would only scan the baseline and not create any policies, places computer into monitor only mode
ringfencing - while in automatic learning mode..
threatlocker will learn the ip addresses an application is communicating with and place them in the exclusions list
after baseline is updated...
tl will do its first learning based on what it finds
Remove Unused Policy button
when you click it, an option to select a date will drop down so you can choose to remove all policies that have not been matched since the date you select. we typically see about 500 policies created when a client onboards and only about a third are used.
Baseline
when you first deploy tl, it is going to scan and catalog the files, including drivers, that are already on your hard drive and create policies based on what is found. your baseline files will be sent up to the unified audit.
restart service button
will be done silently without the end user knowing. if you are updating, you will need the tl service to be restarted for changes to take effect.
creating new admin vs inviting new admin
you set the password in create new admin