
Application Allowlisting

Allow the software you need, and block everything else... Including ransomware.

What Is Application Whitelisting (Allowlisting)?

Application Allowlisting, previously known as "Application Whitelisting," works by a simple rule: if it's not expressly permitted, it's not allowed. This robust form of access control prevents untrusted software, including all types of malware and ransomware, from running. It's a key part of endpoint security that ensures only specific, safe applications operate on your network.


How Does Application Whitelisting (Allowlisting) Work?

When the agent is first installed, it operates in Learning Mode. This phase involves cataloging every application and its dependencies currently on the system. It creates a list of these applications, forming the basis of your allowlist. Post Learning Mode, the IT admin reviews this list, removing non-essential apps to enhance security. Once secured, any executable file, script, or library not on the allowlist is automatically blocked. The user can request new software from the IT administrator, and it can be approved in 60 seconds.


Why Allowlisting?

Considered a top-tier security strategy, Application Allowlisting gives you control over which software, scripts, and libraries run on your devices and servers. It's more effective than traditional antivirus or EDR solutions. Application Whitelisting blocks not just malicious software but also any unauthorized applications. This greatly reduces the chances of cyber threats and rogue programs affecting your network, protecting your sensitive data.

Eliminate the Risk and Guesswork of Application Whitelisting

In addition to Allowlisting, ThreatLocker Testing Environment is a powerful tool that allows for risk-assessed approvals that eliminate the guesswork.

The Testing Environment enables administrators to evaluate new applications thoroughly within a virtual desktop infrastructure (VDI). This real-time analysis provides the necessary insight to make informed decisions, enhancing your overall security solutions against malware attacks.


Allowlisting Features


Deny by Default

Deny any application from running on your device that is not a part of the allowlist.


Firewall-like Policies

A powerful firewall-like policy engine that allows you to permit, deny or restrict application access at a granular level.


Time-Based Policies

Permit access to applications for a specified amount of time. Automatically block the application after the policy has expired.


Automatic Updates

ThreatLocker® automatically adds new hashes when application and system updates are released, so your applications can update without being blocked.

Allowlisting FAQs

What is the onboarding process?

The goal of Zero Trust is to allow only what is needed and to block everything else. To prevent business interruption, ThreatLocker will automatically learn what is required in your environment and, in Learning Mode, build policies that include applications and their dependencies. The first step is to deploy the agent, which can be deployed using various automation tools.

The agent will not block anything during the initial deployment; instead, it will go into Learning Mode. After a week of learning, you can review the list of policies that have been created, deny or limit any software you do not want, and secure your environment.

Before you secure your environment, you have the option to simulate potential denies based on a period of time. This will ensure no strange applications will cause issues.

ThreatLocker will walk you through this process by scheduling weekly calls to deploy, review policies, and help you secure your environment.

A typical deployment in a medium to large business should take about 5 calls from deployment to fully secured.


Who decides what to allow? Is it the organization or a pre-approved vendor list?

Ultimately, the IT administrator decides what should be allowed to run. ThreatLocker’s learning process will create a list of policies, which can be reviewed and amended before protection is enabled and systems are secured. ThreatLocker® does not allow applications simply because the vendor is approved. From a cybersecurity perspective, the fewer applications permitted to run in an environment, the better. Allowing all applications by a specific vendor or vendors flies in the face of this approach.


What support is available?

ThreatLocker support is available 24/7/365 and is accessed via a chat function on the portal. All chats are answered within 60 seconds, and our Cyber Hero Team can assist via chat or Zoom. We also have an extremely comprehensive knowledge base, as well as ThreatLocker® University, which provides self-paced, a la carte courses or predetermined learning tracks up to Cyber Hero Certification.

To learn more about how ThreatLocker's Application Allowlisting can help you enhance your cybersecurity stack, reach out to our Cyber Hero Team today.


Is ThreatLocker Allowlisting conducted at the kernel level?

ThreatLocker® runs at the kernel level, so it doesn’t matter whether something is executed by an administrator, the system, or a user: if it hasn’t been allowed to run via the Allowlist, it will be blocked.

ThreatLocker® also has extremely stringent Tamper Protection, which, combined with its kernel level services, makes it nearly impossible to interfere with its operation.


How are application updates handled?

When using allowlisting, an application's changed files may be blocked when the application updates. ThreatLocker® solves this problem by having a predefined list of built-in application definitions. If you have a policy for a built-in application, ThreatLocker® will automatically update the policy when new updates are released. Our team monitors over 2,000 tracked applications and updates the definitions 24/7.

For unknown applications that are automatically updated, you can create custom rules and definitions using a combination of hashes, filenames, calling processes, certificates, and creating processes. If the IT team deploys the update, installation mode can be used to track the changes made by the installer.
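
A minimal model of the rule matching described in this answer and in the Learning Mode and Time-Based Policies sections above, added here as an illustration; it is not ThreatLocker's code, and the `Rule` fields, function names and sample files are hypothetical. It shows why a hash-only rule learned from one build denies the next build, while a path-plus-signer rule keeps allowing it, with everything else denied by default.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """Hypothetical allow rule: every field that is set must match."""
    sha256: Optional[str] = None
    path: Optional[str] = None
    signer: Optional[str] = None        # assumed to come from a verified signature
    expires: Optional[datetime] = None  # time-based policy

    def matches(self, f: dict, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False  # expired policies stop allowing
        pairs = [(self.sha256, f["sha256"]), (self.path, f["path"]),
                 (self.signer, f["signer"])]
        wanted = [(w, g) for w, g in pairs if w is not None]
        return bool(wanted) and all(w == g for w, g in wanted)

def describe(path: str, content: bytes, signer: Optional[str] = None) -> dict:
    return {"path": path, "sha256": hashlib.sha256(content).hexdigest(),
            "signer": signer}

def learn(observed: list) -> list:
    """Learning mode: record one hash rule per file seen; nothing is blocked."""
    return [Rule(sha256=f["sha256"]) for f in observed]

def decide(f: dict, rules: list, now: datetime) -> str:
    """Deny by default: allow only when some rule matches."""
    return "allow" if any(r.matches(f, now) for r in rules) else "deny"

# Constructed sample data (not real software or hashes).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
V1 = describe(r"C:\Apps\editor\editor.exe", b"build 1", "Example Software Ltd")
V2 = describe(r"C:\Apps\editor\editor.exe", b"build 2", "Example Software Ltd")
UNKNOWN = describe(r"C:\Users\a\Downloads\tool.exe", b"never seen")
HASH_ONLY = learn([V1])
WITH_SIGNER = HASH_ONLY + [Rule(path=V1["path"], signer=V1["signer"])]
TEMPORARY = [Rule(sha256=UNKNOWN["sha256"],
                  expires=datetime(2025, 1, 16, tzinfo=timezone.utc))]

if __name__ == "__main__":
    print("v1, hash rule:      ", decide(V1, HASH_ONLY, NOW))
    print("v2, hash rule:      ", decide(V2, HASH_ONLY, NOW))
    print("v2, signer+path:    ", decide(V2, WITH_SIGNER, NOW))
    print("unknown file:       ", decide(UNKNOWN, WITH_SIGNER, NOW))
    print("unknown, temp rule: ", decide(UNKNOWN, TEMPORARY, NOW))
```

The broader a rule is (signer and path instead of an exact hash), the more it trusts whatever that signer ships to that location, which is the trade-off behind the page's point about not allowing applications simply because the vendor is approved.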


How do you allow new applications?

Permitting new applications is an extremely smooth process. A blocked file can be requested, evaluated, approved, and allowed to run within 60 seconds.
