ThreatLocker Exclusion Settings for Password Boss

Setting up the exclusion in ThreatLocker

Generally, Google Chrome and Edge Chromium do not require access to Command Prompt. However, some Chrome or Edge Chromium extensions may need to call out to Command Prompt to talk to other applications. If you don't have an extension that requires the ability to communicate with Command Prompt, we recommend that you Ringfence Chrome and Edge Chromium to prohibit communication with Command Prompt.

The default Google Chrome and Edge Chromium policies in ThreatLocker are set to block these browsers from calling out to PowerShell, Regsvr32, CScript, Command Prompt, and Forfiles. This prevents Chrome and/or Chromium from launching other applications on your system, for example as part of a fileless malware attack.


However, if you use certain extensions, such as Password Boss, that need Chrome or Chromium to communicate with Command Prompt, you will need to edit the standard policy to allow for this communication.

Editing the Default Chrome or Edge Chromium Policy

Navigate to Application Control > Policies. Click the edit button (pencil icon) next to the policy that is interfering with the communication between your browser and Command Prompt (generally the policy closest to the top of your list).


Alternatively, you can reach the policy that is interfering by clicking the hyperlink located in the Unified Audit entry of one of the denied interactions as shown below. Clicking the link will open the exact same policy edit window as using the edit button.


Scroll down to the Application Interaction tab. Select the 'X' next to Built-in/Windows Command Prompt (Built-in).


Click the 'Save' button in the top left.


Next, you will need to deploy policies. If this policy is for the organization you are managing, you can use the large 'Deploy Policies' button at the top of the main menu.


Alternatively, if this policy change is for multiple organizations, navigate to the Organizations page, select the checkbox next to the organizations that will need this policy change, and then click the 'Deploy Policies' button at the top of the page.


Ringfencing changes will not take effect until the application (e.g. Chrome or Chromium) has been shut down and restarted.
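
Once Command Prompt is allowed, reviewing process-creation logs shows whether the browser launches it only for the extension's helper program. The Python below is an added example, not ThreatLocker or Password Boss code; the record fields, the helper path and the sample events are constructed assumptions to be replaced with values from your own logs.

```python
import ntpath

# Programs the default browser policy blocks, per the text above.
RINGFENCED = {"powershell.exe", "regsvr32.exe", "cscript.exe", "cmd.exe", "forfiles.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
# Assumption: placeholder path for the extension's helper; replace with the real one.
EXPECTED_HOSTS = (r"c:\program files\example-extension\host.exe",)

def classify(event):
    """Return 'ignore', 'expected' or 'review' for one process-creation record."""
    parent = ntpath.basename(event["parent_image"]).lower()
    child = ntpath.basename(event["image"]).lower()
    if parent not in BROWSERS or child not in RINGFENCED:
        return "ignore"
    cmdline = event["command_line"].lower()
    # The exception covers Command Prompt only, so any other child is reviewed.
    known_host = any(host in cmdline for host in EXPECTED_HOSTS)
    chained = any(ch in cmdline for ch in "&|")  # extra commands after the helper
    if child == "cmd.exe" and known_host and not chained:
        return "expected"
    return "review"

def review_queue(events):
    """Keep only the records an analyst should look at."""
    return [e for e in events if classify(e) == "review"]

def ev(parent, image, command_line):
    return {"parent_image": parent, "image": image, "command_line": command_line}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CMD = r"C:\Windows\System32\cmd.exe"
HOST = r'"C:\Program Files\Example-Extension\host.exe"'

# Constructed records; the field names are this example's own, not a product log format.
SAMPLE = [
    ev(CHROME, CMD, "cmd.exe /d /c " + HOST),
    ev(EDGE, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -File a.ps1"),
    ev(CHROME, CMD, r"cmd.exe /c C:\Users\Public\other.bat"),
    ev(CHROME, CMD, "cmd.exe /d /c " + HOST + " & other.bat"),
    ev(r"C:\Windows\explorer.exe", CMD, "cmd.exe"),
]

if __name__ == "__main__":
    for e in review_queue(SAMPLE):
        print("REVIEW:", ntpath.basename(e["parent_image"]), "->", e["command_line"])
```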