ThreatLocker is not just another anti-virus product, and it is not a replacement for anti-virus software either.
Traditional anti-virus software fundamentally works by building a list of known-bad software hashes and placing them on a blocklist. When an application starts, the anti-virus checks it against the blocklist database and blocks it if it is listed there. This is very effective against known viruses.
However, thousands of new malware samples are developed every day. As a result, modern anti-virus software uses advanced heuristics, behavioural analytics and artificial intelligence, but it still lags behind in the fight against sophisticated ransomware and virus attacks.
ThreatLocker is built on the concept of zero trust: nothing can run unless it is explicitly trusted. It has two major components:
1. Application Whitelisting
Unlike anti-virus software, application whitelisting blocks everything by default; it works the opposite way to how AV software works. It gives your IT administrator control over which software is allowed to run. Policies automatically block untrusted software regardless of whether a user tries to run it directly or an attacker tries to execute it through a vulnerability or a backdoor.
2. Ringfencing
The idea of Ringfencing is “don’t trust anything beyond what it needs to be trusted for.” Enabling Ringfencing allows your IT department to control how applications interact with each other.
When deploying ThreatLocker, it can be set up in “learning mode” to identify the behaviour of all applications. During learning mode, the software learns normal working behaviour and automatically creates the policies required to run all installed applications safely. Once learning mode is over, ThreatLocker locks down the machine.
Once you lock down a machine, it will create a fence between your applications and stop any unauthorized interaction with applications on the computer.
This is an excellent way of protecting your network, as cybercriminals often find vulnerabilities in applications and use them to infiltrate the system and attempt to reach PowerShell or other similar tools.
If your Zoom application is compromised, attackers will try to request access to PowerShell, the Registry or DLL files through the Zoom software. If Ringfencing policies are enabled, these requests are denied, because Zoom does not need to access PowerShell in its normal behaviour.
Anti-virus software alone will not be able to spot sophisticated threats such as the one described above. Therefore, it is important that anti-virus software is complemented with ThreatLocker for maximum protection.
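To make the learning-mode, lock-down and Ringfencing flow above concrete, here is a small added Python simulation of a default-deny policy engine. It is not ThreatLocker's code; the process names, file paths and action labels (run, network, file, spawn) are constructed for illustration.

```python
LEARNING_EVENTS = [  # constructed sample of what a workstation did in learning mode
    ("zoom.exe", "run", "zoom.exe"),
    ("zoom.exe", "network", "zoom.us"),
    ("zoom.exe", "file", r"C:\Users\alice\Documents\meeting.mp4"),
    ("winword.exe", "run", "winword.exe"),
    ("winword.exe", "file", r"C:\Users\alice\Documents\report.docx"),
]


class ZeroTrustPolicy:
    """Default deny: learning mode records behaviour, lock-down enforces it."""

    def __init__(self):
        self.learning = True
        self.allowed_apps = set()   # application allowlist (what may run)
        self.ringfence = {}         # app -> {(action, target)} it may touch

    def evaluate(self, app, action, target):
        """Return (verdict, reason) for one request made by an application."""
        if self.learning:
            # Learning mode: allow everything and turn what is seen into policy.
            if action == "run":
                self.allowed_apps.add(app)
            else:
                self.ringfence.setdefault(app, set()).add((action, target))
            return "ALLOW", "learning mode: behaviour recorded as policy"
        if app not in self.allowed_apps:
            return "DENY", "application is not on the allowlist"
        if action != "run" and (action, target) not in self.ringfence.get(app, set()):
            # Ringfence: an allowed app still may not reach things it never needed.
            return "DENY", f"ringfence: {app} never needed {action} -> {target}"
        return "ALLOW", "request matches learned policy"

    def lock_down(self):
        """End learning mode; from now on only recorded behaviour is allowed."""
        self.learning = False


def build_locked_down_policy(events=LEARNING_EVENTS):
    """Replay the learning-mode events, then lock the machine down."""
    policy = ZeroTrustPolicy()
    for app, action, target in events:
        policy.evaluate(app, action, target)
    policy.lock_down()
    return policy


if __name__ == "__main__":
    policy = build_locked_down_policy()
    print(policy.evaluate("zoom.exe", "spawn", "powershell.exe"))
```

After lock-down, Zoom's normal network access is still allowed, but a request from Zoom to spawn PowerShell is denied by the ringfence, and an application never seen in learning mode is denied by the allowlist.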
Triella can help you implement ThreatLocker in your work environment. Call us now to learn more! 647.426.1004
Indika Ekanayake is a Lead Consultant at Triella. We are a technology consulting company specializing in providing technology audits, planning advice, project management and other CIO-related services to small and medium-sized firms. Indika can be reached at 647.426.1004. For additional articles, go to our blog page. Triella is a VMware Professional Partner, Microsoft Certified Partner, Citrix Solution Advisor – Silver, Dell Preferred Partner, Authorized Worldox Reseller and a Webroot Reseller.
© 2021 by Triella Corp. All rights reserved. Reproduction with credit is permitted.