
Application Allowlisting

Allow the software you need, and block everything else... Including ransomware.


What Is Allowlisting?

Application Allowlisting denies all applications from running except those that are explicitly allowed. This means untrusted software, including ransomware and other malware, will be denied by default.


How Does Application Allowlisting Work?

When the agent is first installed, it operates in Learning Mode. During this period, all applications and their dependencies that are found or running on the computer are cataloged, and policies are created to permit them. After the learning period, the IT administrator can review the list of applications, remove those that are not required, and secure the computer. Once the computer is secured, any untrusted application, script, or library that tries to execute will be denied. The user can request new software from the IT administrator, and it can be approved in 60 seconds.


Why Allowlisting?

Application Allowlisting has long been considered the gold standard in protecting businesses from known and unknown malware. Unlike antivirus or traditional EDR, Application Allowlisting puts you in control of what software, scripts, executables, and libraries can run on your endpoints and servers. This approach stops not only malicious software but also other unpermitted applications from running. This greatly reduces the cyber threats and rogue applications running on your network.

Eliminate the Risk and Guesswork

In addition to Allowlisting, ThreatLocker Testing Environment is a powerful tool that allows for risk-assessed approvals that eliminate the guesswork. The Testing Environment enables administrators to quickly verify an application, providing the critical and timely information needed to make the best decision for their organization.


Features


Deny by Default

Deny any application from running on your device that is not a part of the allowlist.


Firewall-like Policies

A powerful firewall-like policy engine that allows you to permit, deny or restrict application access at a granular level.


Time-Based Policies

Permit access to applications for a specified amount of time. Automatically block the application after the policy has expired.


Automatic Updates

ThreatLocker® automatically adds new hashes when application and system updates are released, so your applications can update without being blocked.


Frequently Asked Questions

What is the onboarding process?

The goal of Zero Trust is only to allow what is needed and to block everything else. To stop business interruption, ThreatLocker will automatically learn what is required in your environment and build policies that include applications and their dependencies in a Learning Mode. The first step is to deploy the agent, which can be deployed using various automation tools.

The agent will not block anything during the initial deployment; instead, it will go into Learning Mode. After a week of learning, you can review the list of policies that have been created, deny or limit any software you do not want, and secure your environment.

Before you secure your environment, you have the option to simulate potential denies based on a period of time. This will ensure no strange applications will cause issues.

ThreatLocker will walk you through this process by scheduling weekly calls to deploy, review policies, and help you secure your environment.

A typical deployment in a medium to large business should take about 5 calls from deployment to fully secured.


Who decides what to allow? Is it the organization or a pre-approved vendor list?

Ultimately, the IT administrator decides what should be allowed to run. ThreatLocker’s learning process will create a list of policies, which can be reviewed and amended before protection is enabled and systems are secured. ThreatLocker® does not allow applications simply because the vendor is approved. From a cybersecurity perspective, the fewer applications permitted to run in an environment, the better. Allowing all applications from a specific vendor or vendors flies in the face of this approach.


What support is available?

ThreatLocker support is available 24/7/365 and is accessed via a chat function on the portal. All chats are answered within 60 seconds, and our Cyber Hero Team can assist via chat or Zoom. We also have an extremely comprehensive knowledge base, as well as ThreatLocker® University, which provides self-paced, a la carte courses or predetermined learning tracks up to Cyber Hero Certification.

To learn more about how ThreatLocker's Application Allowlisting can help you enhance your cybersecurity stack, reach out to our Cyber Hero Team today.


Is Allowlisting conducted at the kernel level?

ThreatLocker® runs at the kernel level, meaning it doesn’t matter whether something is executed by an administrator, system, or user: if it hasn’t been allowed to run via the Allowlist, it will be blocked.

ThreatLocker® also has extremely stringent Tamper Protection, which, combined with its kernel level services, makes it nearly impossible to interfere with its operation.


How are application updates handled?

With allowlisting, the changes an update makes to an application may be blocked. ThreatLocker® solves this problem by having a predefined list of built-in application definitions. If you have a policy for a built-in application, ThreatLocker® will automatically update the policy when new updates are released. Our team monitors over 2,000 tracked applications and updates the definitions 24/7.

For unknown applications that are automatically updated, you can create custom rules and definitions using a combination of hashes, filenames, calling processes, certificates, and creating processes. If the IT team deploys the update, installation mode can be used to track the changes made by the installer.
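
The behaviour described above (Learning Mode, deny by default, and why an update breaks a hash-only policy) can be modelled in a few lines. This is an added illustration, not ThreatLocker's code or policy format; `Binary`, `Allowlist`, `on_execute`, the path and the signer string are hypothetical, and the signer is assumed to come from a certificate that was already verified.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes
    signer: Optional[str]  # assumed: subject of an already-verified signing cert

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

@dataclass
class Allowlist:
    learning: bool = True                       # Learning Mode: catalog, never block
    hashes: set = field(default_factory=set)    # exact-file policies
    rules: set = field(default_factory=set)     # custom (path, signer) policies

    def on_execute(self, b: Binary) -> str:
        if self.learning:
            self.hashes.add(b.sha256)
            return "learned"
        if b.sha256 in self.hashes:
            return "allow:hash"
        # A custom rule needs BOTH the filename and the signer to match;
        # matching on filename alone would let a renamed file through.
        if b.signer is not None and (b.path, b.signer) in self.rules:
            return "allow:rule"
        return "deny"                           # default once secured

def demo() -> list:
    # Constructed sample binaries: same path, different content.
    v1 = Binary(r"C:\Apps\Acme\acme.exe", b"acme build 1.0", "CN=Acme Corp")
    v2 = Binary(v1.path, b"acme build 1.1", "CN=Acme Corp")   # vendor update
    fake = Binary(v1.path, b"renamed payload", None)          # unsigned file
    al = Allowlist()
    out = [al.on_execute(v1)]                   # cataloged during learning
    al.learning = False                         # administrator secures the machine
    out += [al.on_execute(v1), al.on_execute(v2)]   # update has a new hash
    al.rules.add((v1.path, "CN=Acme Corp"))     # custom rule for the updater
    out += [al.on_execute(v2), al.on_execute(fake)]
    return out

if __name__ == "__main__":
    print(demo())
```

The update is denied under the hash-only policy and allowed once the combined rule exists, while the unsigned file at the same path stays denied.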


How do you allow new applications?

Permitting new applications is an extremely smooth process. A blocked file can be requested, evaluated, approved, and allowed to run within 60 seconds.
