ThreatLocker
Installation mode
Installation mode is like learning mode as it turns off blocking for execution and ringfencing policies, but is more for learning changes to newly installed applications or changes. The difference between Learning Mode and Installation mode is Installation Mode will target files following install and Learning Mode will Target files following a default deny.
Ringfencing
Ringfencing is one of the things that set ThreatLocker aside from its competition prevents lateral movement between the applications in your environment and your local powershell and other command line services. Any application can be ringfenced, regardless if it is a built in. You can get very specific with your ringfence policy, you can restrict internet access, you can block access to shares, you can block interaction with high risk apps, and block registry writes. You can make a list of specific ip addresses that can have access in your policy. Basically If the internet cant get to your powershell or command line, it cant run that malware thats going to encrypt all of your files.
Application Control
Application control is a way of whitelisting your applications, with global policies at the top and goes all the way down to workstation groups with a default deny policy at the bottom. It gives the admin the ability to permit, deny and ringfence anything on their application policy list. if you want employees to use chrome only, you can make a permit policy to allow the use of chrome, you can deny the use of edge. You can make custom rules on your policies where you can permit or deny specific paths, processes, hashes, or based on the certificate. The unified audit will keep an ongoing log of all of your applications getting permitted and denied, and you can make changes to your application list on the spot if you notice something needs to be permitted or denied.
Elevation
Elevation gives a user the ability to request admin rights in order to run an application that requires admin rights. If the admin wants to grant elevation, they have the ability to set that elevation period for however long they want. If it only takes an end user an hour to get what they need with admin rights, than you can grant elevation for an hour. Just yesterday I had to request elevation to use the Devolutions app so I can do certain app checks. I initially wasnt able to install the app, I got a popup on my screen asking me to request elevation, I clicked it, and Brandon eventually approved, that easy.
Monitor Mode
In Monitor Only mode, nothing will be learned, only monitored. Unless you have explicit denies in place, nothing will be executed or ringfenced. If an organization wants to essentially stop using ThreatLocker for their computers for a given period of time, and eventually go back to using ThreatLocker as intended, they can just leave these computers in Monitor mode for as long as needed.
Learning Mode
Learning mode disables application control. Learning mode will allow anything that passes through, and learn your environment and what would be denied with the default deny. If you have an application that would have been denied or ringfenced, they will permit and still show in the audit as what would have been if the policy was secured. Whatever you want your environment to be, it is beneficial to put all of that into learning mode so eventually you can do what you need to do. The difference between Learning Mode and Installation mode is Installation Mode will target files following install and Learning Mode will Target files following a default deny.
Override Codes
Override Codes give you the option to disable application control on an enduser that does not have access to the internet or ThreatLocker. We have had admins come into support who need to make override codes for an organization that is mainly based on ships, and therefor run into network issues. For their protection, the codes are stored in an irreversible hash format to stop hackers from reading the code and entering them manually.
Storage Control
Storage control gives you the option to permit, deny and monitor anything that is considered an external source. you can get very picky with your storage policies. you can have them apply to specific paths and only read from the desktop. you can permit to read only from usb's and deny reading cds, you can choose to only read a device if it is encrypted. It provides another layer of security to further harden your environment, and is all about zero trust.
Tags
Tags are apart of application control and ringfencing. You can add them in the internet tab of the policy. After you add a tag, you can associate that tag to specific network addresses to give them the ability to access the internet. You can add wildcards to the ip addresses if you want, and maybe in a future Threatlocker version have the ability to add port numbers. On the portal there is a Tags tab, and you can easily make view and make changes to your tags there. Its a feature that can make your policies cleaner, and help to harden your environment.
Approval Center
The Approval Center is where requests go if end users want to request to use an application that was not previously learned. In the request you will see the hash path and certificate of the file. If a built in app application matches the request, it will show. You can make rules that will permit an app by vendor, in case it changes hash. You can make custom rules and permit by path and process, and many other options. This is all to further protect from vulnerabilities and harden your environment. Also just wanted to add, if that Colonial Pipeline had Threatlocker, wed all still have gas
ThreatLocker
Threatlocker is a service that is based on absolute zero trust. You have the option to permit and deny applications and storage devices based on what is necessary for your environment. It also gives you the tools to harden your environment to prevent certain apps that use the internet from calling out to your local services like powershell and command prompt, which is very often how malware spreads. Its extremely user friendly
Remote Presence
Using Storage Control policies, you can prevent access to your shares by any computer not running ThreatLocker. You will need to create 2 basic policies on your server: a policy to deny remote access to your file shares to all remote computers, and a policy to permit remote access to only remote computers running ThreatLocker. These will protect your files from the server side, allowing only computers running ThreatLocker to access the shares you specify.
