You play a critical role in managing applications, keeping essential ones up-to-date and blocking those that pose a risk.
Known good software
To keep your environment secure, your IT department must maintain a list of approved software used within the organization. This typically includes essentials like a preferred web browser, a specific PDF reader, and any custom-built tools—such as applications developed for the sales team. While offering multiple choices can enhance the user experience, it also expands the attack surface for cybercriminals. Good IT teams can recommend the right software. Great ones document it. The best enforce it.

Shadow IT
Shadow IT refers to the use of technology without the approval or knowledge of IT. To combat this, IT administrators often restrict users from installing software. However, developers often find workarounds, such as enabling installs from the downloads folder. Unmonitored USB drives are another common source of shadow IT where users can share software. Regardless of how they get in, these unauthorized apps introduce risk, expand your attack surface, expose systems to zero-day threats, and often remain unpatched and vulnerable.

High-risk applications
If applications only did what they were designed to do, cybersecurity would be far simpler. But when they enable unexpected actions, vulnerabilities arise. Take PowerShell, for example: a valuable tool for tasks such as automation and software installation. In the wrong hands, though, it can be used to encrypt files across entire networks, crippling operations. Applications with the potential to impact core systems are considered high-risk and should be tightly controlled.

Truly terrible software
Some software simply doesn’t belong in a corporate environment. The main reason for controlling which applications are allowed is to keep out dangerous programs, like a browser that mines cryptocurrency in the background, a free PDF editor bundled with malware, or an email attachment that silently opens a reverse shell. This kind of software has no place in your environment and should be preemptively blocked with a deny-by-default approach to software.

How ThreatLocker can help
It is impossible to stay ahead of threats by acting reactively. So, ThreatLocker takes a proactive approach to blocking unwanted software. Instead of trying to identify and stop malicious applications, it only allows approved software to run. Everything else is denied by default.
During installation, ThreatLocker uses Learning Mode to detect and log all software executed on an endpoint. This gives administrators visibility over what’s running in their environment. Once administrators have denied what they don’t want and Learning Mode ends, only approved applications are allowed to run.
ThreatLocker Ringfencing® can help manage the risk of high-risk tools that are necessary to an environment. Rather than banning such a tool outright, Ringfencing can restrict the application's access to other applications, your files, the registry, or the internet.
