Purpose
When ThreatLocker is used within a Customer's environment and is set up to prevent malicious activity, the installation and update of the Quickpass Agent can be affected.
To ensure proper monitoring during the installation and update process, ThreatLocker has provided the following implementation steps.
Background
Installing the agent with the scripted installation methods described in these KBs can cause ThreatLocker to incorrectly detect and block the Quickpass Agent installation:
RMM Installation - https://support.getquickpass.com/hc/en-us/sections/18745885825815-RMM-Monitoring-of-CyberQP
Scripted installation - https://support.getquickpass.com/hc/en-us/articles/4413576799639-Scripted-Agent-Installation
Prebuilt PowerShell Scripts - https://support.getquickpass.com/hc/en-us/articles/4414062591639-PowerShell-Script-for-Agent-Installation
In addition, Agent updates that CyberQP releases automatically may fail if the "built-in Policy" is not in use. You can supplement your existing policies by ensuring the "built-in" policy from ThreatLocker is in place.
Process
Enabling RingFence rules:
- Open Modules
- Click Application Control from the left-hand menu. Navigate to the Policies tab in the top right.
- Locate the PowerShell policy that is ringfencing these machines.
- By default, this will be at the Computer Group level, but this is configurable and you may have moved it within your own environment.
- Click on the policy to open the Edit Application Policy slideout.
- Scroll down to the Actions section and find the subsection "Restrict this application from accessing the internet?". This will be enabled and the Exclusions tab will be selected by default.
- Switch to the Tags tab. In the Tag dropdown, search for QuickPass to find "ThreatLocker\Quickpass (built-in)".
- Click the blue + icon to add the tag, then click the save button at the bottom of the slideout menu.
- Deploy policies using the rocket ship button in the top right of the screen.
Adding Quickpass "Built-in Policy" to Organization
- Select Modules > Application Control > Policies to view the policies for your organization. Set the "Applies to" level to whichever level your policy exists at, then click the policy to open the Edit Application Control Policy slideout.
- In this slideout, locate the Conditions section. This will be set to Selected Applications and will have the applications controlled by this policy visible in the box below. Search for "Quickpass" to find "BUILT-IN\Quickpass (Built-in)". Any Application prefixed with BUILT-IN\ is maintained by ThreatLocker's Applications team for updates.
- Save the policy change, then deploy policies using the Rocket Ship icon in the top right of the main page.
Troubleshooting
CyberQP and ThreatLocker are working together to ensure that updates to agents and new agent installation builds are provided ahead of the general public so that their Built-In Policy has the latest changes.
If you have followed these steps and ThreatLocker is still blocking an installation or update of the agent, please do the following:
- Ensure that the Policy you are using includes the ThreatLocker "built-in".
- Determine whether setting the affected system to "Learning Mode" within ThreatLocker allows the installation/update.
- If the Agent installation/update DOES work when in "Learning Mode", open a ticket with ThreatLocker.
- Create a Support ticket for CyberQP - support@cyberqp.com and include the details of your customer, system name, system OS, and version of Agent being installed/updated.
- CyberQP will provide details on communicating with ThreatLocker on this specific challenge. This will enable your team and ThreatLocker to have accurate information to continue improving their Built-In Policy.