Application Allowlisting

Allow only the software you need, and block everything else - including ransomware.

What is Application Whitelisting (Allowlisting)?

Application Allowlisting, previously known as "Application Whitelisting," works by a simple rule: if it's not expressly permitted, it's blocked. This robust form of access control prevents untrusted software, including all types of malware and ransomware, from running. It's a key part of endpoint security that ensures only specific, safe applications operate on your network.

How does Application Whitelisting (Allowlisting) work?

When the agent is first installed, it operates in Learning Mode. This phase involves cataloging every application and its dependencies currently on the system. It creates a list of these applications, forming the basis of your allowlist. Post Learning Mode, the IT admin reviews this list, removing non-essential apps to enhance security. Once secured, any executable file, script, or library not on the allowlist is automatically blocked. The user can request new software from the IT administrator, and it can be approved in 60 seconds.
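A minimal model of the learn, review, enforce flow described above, as an added example that is not ThreatLocker code. The class names, the SHA-256 content-hash rule, the group and expiry fields, and the sample byte strings are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str
    groups: Optional[frozenset] = None  # None = any user
    expires: Optional[float] = None     # None = permanent, else epoch seconds

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

@dataclass
class Allowlist:
    learning: bool = True
    rules: dict = field(default_factory=dict)  # SHA-256 hex digest -> Rule

    def check(self, name, content, groups, now):
        h = digest(content)
        if self.learning:  # Learning Mode: catalogue what runs, block nothing
            self.rules.setdefault(h, Rule(name))
            return "allow (learning)"
        rule = self.rules.get(h)
        if rule is None:  # deny by default
            return "deny: not on allowlist"
        if rule.expires is not None and now >= rule.expires:
            return "deny: policy expired"
        if rule.groups is not None and not (rule.groups & groups):
            return "deny: user not in permitted group"
        return "allow"

    def secure(self, remove):  # admin review: prune entries, then enforce
        self.rules = {h: r for h, r in self.rules.items() if r.name not in remove}
        self.learning = False

# Constructed byte strings stand in for file contents.
EDITOR, EDITOR_V2, GAME, TOOL = b"editor v1", b"editor v2", b"game v1", b"tool v1"

def demo():
    al = Allowlist()
    for name, content in (("editor.exe", EDITOR), ("game.exe", GAME)):
        al.check(name, content, {"staff"}, now=0)
    al.secure(remove={"game.exe"})
    al.rules[digest(TOOL)] = Rule("tool.exe", frozenset({"it"}), expires=100.0)
    cases = [("editor.exe", EDITOR, "staff", 50), ("game.exe", GAME, "staff", 50),
             ("editor.exe", EDITOR_V2, "staff", 50), ("tool.exe", TOOL, "staff", 50),
             ("tool.exe", TOOL, "it", 50), ("tool.exe", TOOL, "it", 150)]
    return [al.check(n, c, {g}, t) for n, c, g, t in cases]
```

The third case, a changed binary under the same filename, is denied because its hash no longer matches, which is why application updates need a matching allowlist change.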

The Buyer's Checklist for Allowlisting

We've compiled this free checklist to make it easy to understand the non-negotiable features that any Allowlisting solution should have.

Why Allowlisting?

Considered a top-tier security strategy, Application Allowlisting gives you control over which software, scripts, and libraries run on your devices and servers. It's more effective than traditional antivirus or EDR solutions. Application Whitelisting blocks not just malicious software but also any unauthorized applications. This greatly reduces the chances of cyber threats and rogue programs affecting your network, protecting your sensitive data.

Eliminate the risk and guesswork of Application Whitelisting

In addition to Allowlisting, ThreatLocker Testing Environment is a powerful tool that allows for risk-assessed approvals that eliminate the guesswork.

The Testing Environment enables administrators to evaluate new applications thoroughly within a virtual desktop infrastructure (VDI). This real-time analysis provides the necessary insight to make informed decisions, enhancing your overall security solutions against malware attacks.

Frequently asked questions

What is the onboarding process for Allowlisting?

The goal of Zero Trust is to only allow what is needed and to block everything else. To stop business interruption, ThreatLocker will automatically learn what your environment requires, and will build policies that include applications and their dependencies in Learning Mode. The first step is to deploy the agent, which can be deployed using various automation tools.

The agent will not block anything during the initial deployment; instead, it will go into Learning Mode. After a week of learning, you can review the list of policies that have been created, then deny or limit any software you do not want and secure your environment.

Does ThreatLocker Allowlisting do version control?

Yes, in the sense that we do add the newest versions to the application for the customer to make a policy for, but we do not let the user choose which version of the built-in to approve. This assumes that it is an update and not a new product. Kieran says that he believes the built-in applications are continuously monitored and often updated in under 24 hours.

Can we control who is permitted to run an application within ThreatLocker?

Yes, ThreatLocker allows you to create multiple policies for an application to further restrict access by User or by Group. 

How long does Learning Mode take?

Most companies are secured in under a week. Almost all are 10 days or under.

How is my environment secured after Learning Mode?

Before you secure your environment, you will have the option to simulate potential denies based on a period of time. This will ensure no strange applications will cause issues.

ThreatLocker will walk you through this process by scheduling weekly calls to deploy, review policies, and help you secure your environment.

How long will it take for my environment to be fully secured?

A typical deployment in a medium to large business should take about 5 calls from deployment to fully secured.  

Who decides what to allow? Is it my organization or a pre-approved vendor list?

Ultimately, your IT administrator decides what should be allowed to run. The ThreatLocker learning process will create a list of policies, which you can review and amend before enabling protection and securing your systems.

ThreatLocker does not allow applications simply because they're from an approved vendor. From a cybersecurity perspective, the fewer applications are permitted to run in an environment, the better. Allowing all applications by a specific vendor or vendors flies in the face of this approach.

Is ThreatLocker Allowlisting conducted at a kernel level?

ThreatLocker runs at the kernel level, meaning it doesn't matter whether something is executed by an administrator, system, or user: if it hasn't been allowed to run via the Allowlist, it will be blocked.

ThreatLocker also has extremely stringent tamper protection, which, combined with its kernel level services, makes it nearly impossible to interfere with its operation.

How are application updates handled?

Allowlisting may block changes to the application if the application updates. ThreatLocker solves this problem by having a predefined list of built-in application definitions. If you have a policy for a built-in application, ThreatLocker will automatically update the policy when new updates are released. Our team monitors over 6,000 tracked applications, and updates the definitions 24/7/365.

For unknown applications that have automatic updates, your Solutions Engineer can help you create custom rules and definitions using a combination of hashes, filenames, calling processes, certificates and creating processes. If the IT team deploys the update, you can use installation mode to track the changes by the installer.

Are the ratings of the applications tied to a specific industry standard?

The ratings come from our internal system and are based on the business use case of the application, as well as both previous and current exploits of vulnerabilities in that application.

Can we make an exception to global policies?

At the moment, we cannot make an exception to a Global policy with a policy at another level. You can still use Users/Groups to make exceptions at the Global level.

Does application control apply to scripts, batch files, and portable applications?

Yes. Application Control controls any executable's ability to run on your endpoints.

Once secured, are we able to allow new things to run on our users' systems as needed?

Absolutely. We provide multiple secure ways to allow new applications. You can utilize our built-ins or use installation mode in our virtual testing environment.

What kind of support do you have available if we need help with any of this?

ThreatLocker support is available 24/7/365 and is accessed via a chat function on the portal. All chats are answered within 60 seconds, and our Cyber Hero team can assist via chat or Zoom.

We also have an extremely comprehensive knowledge base, as well as ThreatLocker University, which provides self-paced a la carte courses, or pre-determined learning tracks up to Cyber Hero Certification.

Allowlisting features

Deny by default

Deny any application from running on your device that is not a part of the allowlist.

Firewall-like policies

A powerful firewall-like policy engine that allows you to permit, deny or restrict application access at a granular level.

Time-based policies

Permit access to applications for a specified amount of time. Automatically block the application after the policy has expired.

Automatic updates

ThreatLocker automatically adds new hashes when application and system updates are released, allowing your applications to update without interference while preventing updates from being blocked.

Take control of your organization's security

Request your 30-day trial to the entire ThreatLocker platform today.