After our recent “What is ThreatLocker's Testing Environment” blog, we wanted to dive deeper into the technical aspects of ThreatLocker’s Testing Environment feature and asked our social media audience for their burning questions. In this blog, we address six of the frequently asked questions we received and share the answers with you!
Does this protect my machine/network from possible bad software?
The Testing Environment alone does not protect you from “bad” software, but it does allow you to make informed and immediate evaluations based on the flags raised when the application is installed in the Testing Environment. The administrator can see the results of the various checks performed during installation and decide whether the application should be allowed to be installed in a production environment.
Why is the Testing Environment sandboxed?
The Testing Environment allows you to evaluate an application without taking the risk of running an unknown/untrusted application in your production environment. The Testing Environment is a temporary isolated VDI in which to run any requested application. This allows you to stay protected and assess risks without compromising your own or your users’ environment.
What kind of evaluations are being performed inside of the VDI?
When the application runs, ThreatLocker's Risk Center opens and performs the following evaluations:
- Checks the application in VirusTotal to see if any AV vendors have flagged it as malicious or suspicious.
- Checks to see if the application attempts to access data storage locations using canary files.
- Checks to see if the application made changes at the System level (e.g., inserting itself into the startup folder).
- Checks to see if the application accesses the internet.
- Checks to see if the application makes changes to the registry.
- Checks the signatures of the application and its dependencies.
- Shows all new files that have been installed.
- Shows an audit of the activity in real time.
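The following added example illustrates three of the checks listed above (new files, startup-folder additions, and canary files) as a before/after snapshot comparison. It is not ThreatLocker's code and does not describe how the product implements these checks; the directory layout, file names and the simulated installer are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def assess(before, after, canaries, startup_dir):
    """Compare two snapshots and report findings for three of the listed checks."""
    new_files = sorted(set(after) - set(before))
    prefix = startup_dir.rstrip("/") + "/"
    return {
        "new_files": new_files,
        "startup_additions": [f for f in new_files if f.startswith(prefix)],
        # A canary counts as touched if it was modified or deleted. Read-only
        # access is invisible to hashing and needs OS-level file auditing.
        "canaries_touched": sorted(c for c in canaries if before.get(c) != after.get(c)),
    }

def demo():
    """Constructed scenario: a stand-in 'installer' writes into a temp tree."""
    startup = "ProgramData/Startup"  # hypothetical stand-in for the startup folder
    canaries = ["Users/test/Documents/canary.docx", "Users/test/Desktop/canary.xlsx"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / startup).mkdir(parents=True)
        for c in canaries:
            (root / c).parent.mkdir(parents=True, exist_ok=True)
            (root / c).write_bytes(b"canary content")
        before = snapshot(root)
        # Simulated install activity (constructed, not real installer behaviour).
        (root / "Program Files/App").mkdir(parents=True)
        (root / "Program Files/App/app.exe").write_bytes(b"MZ placeholder")
        (root / startup / "app.lnk").write_bytes(b"shortcut placeholder")
        (root / canaries[0]).write_bytes(b"overwritten")
        after = snapshot(root)
    return assess(before, after, canaries, startup)

if __name__ == "__main__":
    for check, hits in demo().items():
        print(f"{check}: {hits or 'none'}")
```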
How does the VDI allow me to evaluate applications without interrupting workflow?
Once a new application is run through the Testing Environment, the Risk Center shows a log of alerts that gives the administrator additional information. All data in the Testing Environment is logged in real time, giving you the critical information needed to understand the risk before allowing a user to install new software. This spares the administrator from conducting heavy external research. Each checkpoint is flagged in red when it finds a risk, and the tabs provide full details of the impact in a single click. This risk assessment allows the administrator to act quickly and confidently on an application install request.
Do I have to take my machine out of secured mode to learn a program on the VDI?
No. The beauty of the Testing Environment is that it is a separate sandboxed environment, so your machines can stay secure while you use the Testing Environment to gather the information you need to determine if the application is safe to run for the organization.
Is the Testing Environment still in Beta?
Yes, as of December 2022, it is still in beta while we work to make it the best it can be. If you would like to add the Testing Environment to your allowlisting solution, speak with your account manager today.
For more on Zero Trust cybersecurity, book a demo to see how ThreatLocker endpoint security could be the perfect fit for your business.