
Threatlocker: Zero Trust Security Application


Overview

What?

Threatlocker is a security tool which works alongside our anti-virus protection, preventing problems with malicious software by allowing us to control what can and cannot run on the computer. If a piece of software is not recognised by Threatlocker, nor on our specific whitelist, Threatlocker will stop it from running at all, preventing it from causing damage. It's another layer to our security stack, which starts to work in the unlikely event something gets through other protection systems.

How?

Threatlocker is installed on your computer automatically via our Remote Monitoring and Management (RMM) Tool.  Threatlocker gets to work straight away, monitoring your system.  For the first two weeks, it runs in Learning Mode, gaining an understanding of your working habits and requirements.
For example:
  • What system files and what applications are used on a daily basis? 
  • Do you run any bespoke applications or just Microsoft 365?
Once we are happy the system has learned enough, we turn off Learning Mode, which puts your computer into SECURED Mode, and now only the programs that have been running during the learning time and those that are on our Whitelist are allowed to run on your computer.  Everything else gets stopped.
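To make the Learning Mode and SECURED Mode behaviour concrete, here is a small, added illustration of the same idea in Python. It is not Threatlocker's code and does not reflect its internals; the engine, the execution events and the "whitelist" entries are constructed for this example. It shows why an allowlist built during learning should key on what a file is (a hash of its contents) rather than on its name, and what information a block event would carry for the "request access" step described later on this page.

```python
import hashlib
from dataclasses import dataclass, field

# Hypothetical allowlist engine: one "learning" phase that records what runs,
# then a "secured" phase that only permits what was learned or pre-approved.
# Constructed for illustration; not ThreatLocker's implementation.


@dataclass
class ExecEvent:
    user: str
    computer: str
    path: str
    content: bytes  # bytes of the executable as captured (constructed here)


@dataclass
class AllowlistEngine:
    learning: bool = True
    learned: set = field(default_factory=set)        # hashes seen during learning
    whitelist: set = field(default_factory=set)      # provider-maintained approvals
    blocked_alerts: list = field(default_factory=list)

    @staticmethod
    def fingerprint(content: bytes) -> str:
        # Key on file contents, not the path: a renamed unknown binary must not
        # inherit the trust of an application learned under the same name.
        return hashlib.sha256(content).hexdigest()

    def secure(self) -> None:
        # Leaving Learning Mode: from now on, anything not known is stopped.
        self.learning = False

    def handle(self, ev: ExecEvent) -> str:
        h = self.fingerprint(ev.content)
        if self.learning:
            self.learned.add(h)
            return "learned"
        if h in self.learned or h in self.whitelist:
            return "allowed"
        # Block, and record the details a support desk would need to review it.
        self.blocked_alerts.append(
            {"user": ev.user, "computer": ev.computer, "path": ev.path, "sha256": h}
        )
        return "blocked"


def demo():
    eng = AllowlistEngine()
    # Constructed whitelist entry standing in for a known updater.
    eng.whitelist.add(eng.fingerprint(b"sage-updater-v1"))

    # Learning phase: the user's everyday application is recorded.
    eng.handle(ExecEvent("alice", "PC-01", r"C:\Program Files\Microsoft Office\WINWORD.EXE", b"winword-bytes"))
    eng.secure()

    results = {
        # Same application as learned: allowed.
        "word": eng.handle(ExecEvent("alice", "PC-01", r"C:\Program Files\Microsoft Office\WINWORD.EXE", b"winword-bytes")),
        # Never seen during learning but on the whitelist: allowed.
        "sage": eng.handle(ExecEvent("alice", "PC-01", r"C:\Sage\update.exe", b"sage-updater-v1")),
        # Unknown contents, even with a familiar file name: blocked.
        "renamed": eng.handle(ExecEvent("alice", "PC-01", r"C:\Users\alice\Downloads\WINWORD.EXE", b"unknown-bytes")),
    }
    return results, eng.blocked_alerts


if __name__ == "__main__":
    outcome, alerts = demo()
    print(outcome)
    for a in alerts:
        print("blocked:", a["user"], a["computer"], a["path"], a["sha256"][:12])
```

The constructed file bytes stand in for real executables; in practice the hash would be computed over the binary on disk, and the whitelist would be maintained centrally rather than in code.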

Why?

Let’s assume someone you know gets compromised.  Their emails are being used to send out junk links in an effort to get more accounts compromised.  You’ve received an email from this person whom you usually trust (and are unaware they have been compromised), including a link (which is normal for this person to send you).  You’ve carried out the usual checks: This email is from someone I know, the email address is correct, and the content is what I would expect.  So you click on the link, which in turn takes you to a compromised website.  The website includes instructions to download something to your computer, open PowerShell, and run malicious scripts to take over your machine.

As the website instructs your computer to open PowerShell and start running a malicious script, Threatlocker steps in and says, “I’ve never seen this user download scripts from the internet before and automatically start them in PowerShell.  This is not normal behaviour; stop everything”, and your computer now doesn’t load PowerShell, stopping the attack in its tracks.


Auto-Elevation

Known Application Updaters

Programs like Sage and AutoCAD update regularly.  We can use Threatlocker to allow this to happen automatically.  When an update is required, assuming it’s on the Whitelist, which we keep updated, Threatlocker will report to your computer “I know what this is, I am expecting it, allow this to run and grant the user my Administrator rights to complete it”.  This means users can update programs like Sage and AutoCAD without needing to call us to get Administrative Privileges.

Pop-ups

Pop-ups will appear in the bottom corner of the screen when Threatlocker has to step in.  They will look something like the one below.

[Screenshot of a Threatlocker pop-up, showing the REQUEST ACCESS and DON’T SHOW AGAIN buttons]

If you click REQUEST ACCESS, we get an alert that includes your details, your computer’s details, and those of the application that’s been blocked.  We can then work through the security implications and either allow or block it accordingly.  However, this can take some time, so if you are in a rush or need something to happen quickly, please don’t hesitate to call us and bring it to our attention.

If you click DON’T SHOW AGAIN, the pop-up is hidden; Threatlocker adds the program to the blocked list and no longer reports on it the next time it’s loaded.  Please use this button with caution as it can cause confusion when something doesn’t work, and there’s nothing reported as to why not.

Learning Mode for Troubleshooting

We can, for a short period of time, put a computer back into Learning Mode.  We use this to troubleshoot computers, and some of our clients who carry out complex instructions on their systems, usually in PowerShell or Command Prompt, use it too.  This should not be needed if you’re a purely Microsoft 365 user, but it’s worth noting for future reference.

Unknown but Expected Applications

If you buy a new piece of software or install a new printer that needs a new driver, Threatlocker will report it as unexpected and shut it down before it starts.  If this is the case, you will get the pop-up above, and we can act according to your wishes.


If we can further assist you regarding your Threatlocker Zero Trust Security Application, please do not hesitate to contact the Service Desk Team at Better-IT.
