ThreatLocker® Protect

SOLUTIONS OVERVIEW


Application Allowlisting

Application Allowlisting denies all applications from running except those that are explicitly allowed. This means untrusted software, including ransomware and other malware, will be denied by default.

HOW DOES IT WORK?

When the agent is first installed, it operates in Learning Mode. During this period, every application and its dependencies found on the computer are cataloged and policies are created to permit them. After the learning period, the IT administrator reviews the list of applications, removes those that are not required, and secures the computer. Anything present during the learning period is cataloged, including software you would rather not keep, so the review step is what keeps unwanted programs out of the baseline. Once the computer is secured, any untrusted application, script, or library that tries to execute is denied. A user can request new software from the IT administrator, who can approve it in as little as 60 seconds.
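The lifecycle above (learn, review, secure, then default deny with time-limited approvals) as an added Python example. This is illustrative code written for this page, not ThreatLocker's agent or policy format; the file contents, paths, and the hash-based matching are this example's own assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed stand-in for what the agent finds on disk during Learning Mode
# (path -> file bytes). Names and contents are hypothetical, not real software.
LEARNED_FILES: Dict[str, bytes] = {
    r"C:\Program Files\Acme\acme.exe": b"MZ acme 1.0",
    r"C:\Program Files\Acme\acmehelper.dll": b"MZ acme helper 1.0",
    r"C:\Users\alice\Downloads\freegame.exe": b"MZ freegame bundle",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    name: str
    hashes: Set[str]                      # files this policy permits, by content hash
    expires_at: Optional[float] = None    # time-based policy; None means permanent


@dataclass
class Allowlist:
    learning: bool = True                 # Learning Mode: observe and catalog only
    policies: List[Policy] = field(default_factory=list)
    denied: List[str] = field(default_factory=list)

    def learn(self, files: Dict[str, bytes]) -> None:
        """Learning Mode: catalog everything present and create a policy for it."""
        for path, data in files.items():
            self.policies.append(Policy(name=path, hashes={sha256(data)}))

    def remove(self, name: str) -> None:
        """Admin review: drop a cataloged entry that is not required."""
        self.policies = [p for p in self.policies if p.name != name]

    def secure(self) -> None:
        """Leave Learning Mode; from now on anything unmatched is denied."""
        self.learning = False

    def approve(self, name: str, data: bytes, ttl: Optional[float] = None,
                now: float = 0.0) -> None:
        """Approve a user request; a ttl (seconds) makes it a time-based policy."""
        expires = now + ttl if ttl is not None else None
        self.policies.append(Policy(name=name, hashes={sha256(data)}, expires_at=expires))

    def may_execute(self, path: str, data: bytes, now: float = 0.0) -> bool:
        if self.learning:
            return True                  # still cataloging, nothing is blocked yet
        h = sha256(data)                 # match on content, not on path or filename
        for p in self.policies:
            if h in p.hashes and (p.expires_at is None or now < p.expires_at):
                return True
        self.denied.append(path)         # default deny; recorded so the user can request it
        return False


if __name__ == "__main__":
    al = Allowlist()
    al.learn(LEARNED_FILES)
    al.remove(r"C:\Users\alice\Downloads\freegame.exe")   # review: not required
    al.secure()
    print(al.may_execute(r"C:\Program Files\Acme\acme.exe", b"MZ acme 1.0"))         # True
    print(al.may_execute(r"C:\Temp\freegame.exe", b"MZ freegame bundle"))             # False, renamed copy
    print(al.may_execute(r"C:\Program Files\Acme\acme.exe", b"MZ acme 1.0 patched"))  # False, content changed
```

Because matching is by content hash, a renamed copy of the removed program is still denied, but so is a legitimately updated binary whose hash changed. That second case is why vendor-maintained application definitions that track updates (described under Benefits below) matter in practice.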

WHY ALLOWLISTING?

Application Allowlisting has long been considered the gold standard in protecting businesses from known and unknown malware, including ransomware. Unlike antivirus, Application Allowlisting puts you in control of what can run on your endpoints and servers. This approach not only stops malicious software, but also stops other unpermitted applications from running, which reduces the risk of cyber threats and rogue applications running in your network.

WHAT IS THE USER EXPERIENCE?

When a user wishes to add new software to your environment, they will receive a pop-up notifying them that the software was blocked. The user will be able to see information about the program, including where it was developed and what data access it is requesting.


BENEFITS 

Firewall-like Policies

A powerful firewall-like policy engine that allows you to permit, deny, or restrict application access at a granular level.

Built-in Application Definitions

Predefined lists of applications that include all dependencies and updates tracked by ThreatLocker®.

Time-based Policies

Temporarily permit software and automatically block after the policy expires. 

Malware Blocking

Unlike antivirus, Allowlisting blocks both known and unknown malware from running.

Testing Environment 

ThreatLocker® Testing Environment utilizes a Virtual Desktop Infrastructure (VDI) to provide administrators with a clean, isolated, cloud-based environment to evaluate unknown or untrusted application requests. Without risking harm to their own environment, administrators can safely execute unknown files and observe their behavior before acting on an approval request.

WHY IS THIS IMPORTANT?

When users request new applications, IT administrators need to know what dependencies the application requires and validate the application to ensure it’s not doing anything it shouldn’t be.

ThreatLocker® Testing Environment gives IT administrators visibility of a file’s behavior before they decide whether to permit the requested application without putting their organization at risk. It also catalogs all dependencies within the installer, so the IT admin does not need to use Installation or Learning Mode on the user’s computer.

HOW DOES IT WORK?

Directly from an Approval Request, IT administrators can catalog files using the Testing Environment instead of placing one of their computers into Installation Mode, keeping their environment secure. ThreatLocker® will spin up a clean, temporary VDI to run the requested file. ThreatLocker® Testing Environment will evaluate the file’s safety based on industry knowledge and observed file behavior. It will provide the information administrators need to decide the best course of action for their specific organization.

BENEFITS

Canaries

Bait files containing simulated real-looking data. The testing environment monitors these files for any access or changes.

Real-time Audit

Provides an on-screen real-time audit of file activity within the testing environment, including any new files being created.

Application Behavior

Applications are monitored in real time for unexpected behavior, such as registry interactions, system changes, or internet access, and are also checked against known malicious behaviors.

Application Evaluation

Each file created within the testing environment is evaluated against multiple virus databases, and the results are displayed.

Ringfencing 

Ringfencing™ allows you to control what applications can do. For example, while both Microsoft Word and PowerShell may be permitted, Ringfencing™ will prevent Microsoft Word from calling PowerShell, so an attempted exploit of a vulnerability such as Follina does not succeed. The vulnerability itself is not patched by this; the boundary blocks the step the attacker needs after the initial exploit.

WHY IS THIS IMPORTANT?

Under normal operations, all applications permitted on an endpoint have the same access to other applications, files, the network, and the registry that the operating user has. If compromised, an attacker can use the application to steal or encrypt files, abuse legitimate tools, communicate with malicious IPs, and make changes to the system. Ringfencing™ allows you to create boundaries to permit applications access to only what they need.

HOW DOES IT WORK?

When you first deploy Ringfencing™, your device is automatically aligned with the default ThreatLocker® policies. These policies are applied to a list of known applications such as Microsoft Office, PowerShell, or Zoom, and aim to provide a baseline level of protection for all endpoints. Policies can be created and changed to fit any environment.

BENEFITS

Mitigate Against Fileless Malware

Stop fileless malware by limiting what applications are allowed to do.

Granular Application Policies

Stop applications from interacting with other applications, network resources, registry keys, files, and more.

Limit Application Attacks

Limit attacks such as application hopping, where one permitted application is used to launch or abuse another, by restricting what each application can reach.

Limit Access To Your Files

The average computer has over 500 applications, and only a handful of those need to access your files. With Ringfencing™, you can choose which applications need to see which files.

Elevation Control

Elevation Control enables users to run specific applications as a local administrator, even when they do not have local admin privileges. Elevation Control puts IT administrators in the driver's seat, enabling them to control what applications can run as a local admin without giving users local admin rights.

HOW DOES IT WORK?

When ThreatLocker® is first deployed, all existing applications are learned. Administrators can review the applications and select which can be run as a local administrator. Once enabled, a user can run the software as a local administrator without entering credentials.

WHY IS THIS IMPORTANT?

Local administrator credentials are a sought-after target for cybercriminals. An attacker who has gained access to an endpoint with local admin rights can impersonate other logged-on users or abuse local tools, potentially pivoting into the entire network.

Elevation Control removes the need to hand users local administrator credentials, so there are none on the endpoint to hijack, without hampering productivity.

BENEFITS

Complete Visibility of Administrative Rights

Gives you the ability to approve specific applications to run as an administrator, even if the user is not a local administrator.

Streamlined Permission Requests

Users can request permission to elevate applications and attach files and notes to support their requests. 

Varied Levels of Elevation

Enables you to set durations for how long users are allowed access to specific applications by granting temporary or permanent access.

Stops Application Hopping

Ringfencing™ ensures that a user cannot use an elevated application to launch other programs and carry the elevation across to them.

Remove Local Administrator Accounts

Automatically remove local administrator accounts not listed as exceptions.

Storage Control

Storage Control provides policy-driven control over storage devices, whether a local folder, a network share, or external storage.

ThreatLocker® Storage Control allows granular policies to be set, which could be as simple as blocking USB drives or as detailed as blocking access to your backup share, except when accessed by your backup application.

HOW DOES IT WORK?

Policies can be created to permit or deny access to storage locations based on the user, window of time, type of file, and the application in use. When a storage device or location is blocked, a user can be presented with a pop-up where they can request access to the device or location. The administrator can then permit the storage device in as little as 60 seconds.

WHY IS THIS IMPORTANT?

Data is a high-value target for threat actors, so protecting it from unwanted access is important. ThreatLocker® Storage Control enables the creation of granular policies to permit and deny access to network shares, local folders, and external storage by specific users or applications, as well as to enforce encryption on external storage devices.

PROTECTING CRUCIAL DATA AND FILES

ThreatLocker® Storage Control now includes read, write, and delete actions on SharePoint and OneDrive locations. These actions are also recorded in the ThreatLocker® Unified Audit, and ThreatLocker® administrators can specify which cloud locations to monitor.

BENEFITS

Audit Access to Files

Within minutes of a file being opened, a full, detailed audit of all file access on USB, network, and local hard drives is centrally accessible.

Granular Storage Policies

These policies allow or deny access to storage based on user, time, applications, and more.

Simple Requests for Access

Upon denial due to policy, a pop-up appears to provide the user with an option to request access to the storage device.

Simple USB Blocking

USB Policies allow access based on device serial number, vendor, and file type.

Automatically Alert or Block When Thresholds are Exceeded

When used with ThreatLocker® Detect, you can automatically alert or block access if a user reads or changes too many files within a period of time. This can prevent data exfiltration or mass encryption.

ThreatLocker® Detect

ThreatLocker® Detect is a policy-based Endpoint Detection and Response (EDR) solution. This EDR addition to the ThreatLocker® Endpoint Protection Platform watches for unusual events or Indicators of Compromise (IoCs). ThreatLocker® Detect can send alerts and take automated actions if an anomaly is detected.

ThreatLocker® Detect leverages the telemetry collected by the other ThreatLocker® modules and Windows Event logs. This information gives essential insight into an organization’s security, enabling it to identify, respond to, and remediate possible cyber threats.

Why ThreatLocker® Detect?

ThreatLocker® Detect has an edge over other EDR tools in detecting and responding to potential threats. Its advanced technology identifies and addresses known malicious activities while providing visibility of threats beyond just known ones.

ThreatLocker® Detect’s automated responses can give information, enforce rules, disconnect machines from the network, or activate Lockdown mode quickly. When Lockdown mode starts, it blocks all activities, including task execution, network access, and storage access, ensuring maximum security.

Beyond detecting remote access tools or PowerShell elevation, ThreatLocker® Detect also identifies events such as abnormal RDP traffic, multiple failed login attempts, an event log being cleared, or Windows Defender finding malware on a device. This proactive approach enables organizations to swiftly identify and respond to potential threats before they can cause significant damage.

How does ThreatLocker® Detect work?

ThreatLocker® Detect continuously monitors the behavior of trusted and untrusted applications across all devices where the ThreatLocker® Agent is installed.

“IT experts can make custom rules and policies for decision-making instead of relying on AI or standardized criteria.” 

Each policy pairs a set of conditions, which look for behaviors that cross a threshold indicating a compromise may have occurred, with a set of responses. When the conditions are met, ThreatLocker® Detect automatically responds according to the rules created.

Policies are continually evaluated in real time by the ThreatLocker® agent on the endpoint, which means they are enforced in milliseconds whether or not the endpoint is connected to the internet. IT experts have complete control over their priorities and event responses. This level of automation and control ensures that incident response actions align with the organization’s overall security strategy.
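The condition-threshold-response model described above, including the file-activity threshold from the Storage Control section, as an added Python example run over constructed telemetry. This is illustrative code written for this page, not ThreatLocker® Detect's rule format or engine; the rule names, thresholds, windows, and the sample events are this example's own assumptions. The Windows event IDs named in the comments (4625 for a failed logon, 1102 for the security audit log being cleared) are standard Windows IDs.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: float          # seconds since an arbitrary epoch
    kind: str          # "file_write", "logon_failed", "log_cleared"
    user: str
    host: str


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]
    threshold: int     # fire when this many matching events ...
    window: float      # ... fall within this many seconds
    response: str      # "alert", "isolate" (disconnect from network), "lockdown"
    group_by: str      # count per "user" or per "host"


class Detector:
    """Sliding-window counter per (rule, group); fires a response once per burst."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.seen: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.responses: List[Tuple[str, str, str]] = []

    def ingest(self, ev: Event) -> List[Tuple[str, str, str]]:
        fired = []
        for rule in self.rules:
            if not rule.match(ev):
                continue
            key = (rule.name, getattr(ev, rule.group_by))
            q = self.seen[key]
            q.append(ev.ts)
            while q and ev.ts - q[0] > rule.window:   # drop events outside the window
                q.popleft()
            if len(q) >= rule.threshold:
                fired.append((rule.name, key[1], rule.response))
                q.clear()                               # one response per burst, not per event
        self.responses.extend(fired)
        return fired


RULES = [
    # Mass encryption or exfiltration: too many file changes by one user in a minute.
    Rule("mass_file_change", lambda e: e.kind == "file_write", 50, 60.0, "isolate", "user"),
    # Password guessing: repeated failed logons on one host (Windows event ID 4625).
    Rule("failed_logons", lambda e: e.kind == "logon_failed", 5, 120.0, "alert", "host"),
    # Anti-forensics: a single audit-log clear (Windows event ID 1102) is enough.
    Rule("log_cleared", lambda e: e.kind == "log_cleared", 1, 0.0, "lockdown", "host"),
]


def build_sample_events() -> List[Event]:
    """Constructed telemetry for the demo, not captured from a real endpoint."""
    events = [Event(100.0 + i * 0.5, "file_write", "alice", "WS01") for i in range(60)]
    events += [Event(100.0 + i * 2.0, "file_write", "bob", "WS02") for i in range(10)]
    events += [Event(200.0 + i * 10.0, "logon_failed", "-", "WS01") for i in range(6)]
    events.append(Event(300.0, "log_cleared", "SYSTEM", "WS01"))
    return sorted(events, key=lambda e: e.ts)


def run_sample() -> List[Tuple[str, str, str]]:
    det = Detector(RULES)
    for ev in build_sample_events():
        det.ingest(ev)
    return det.responses


if __name__ == "__main__":
    for name, subject, response in run_sample():
        print(f"{name}: {subject} -> {response}")
```

Alice's 60 writes in 30 seconds trip the file-change rule once; Bob's 10 writes do not, which is the kind of tuning the "custom thresholds" benefit below refers to. The counters live on the endpoint, so the decision needs no connection to a console.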

Community-Shared Policies

ThreatLocker® offers recommended policies based on frameworks such as MITRE and CISA Indicators of Compromise. ThreatLocker® has introduced a platform known as “ThreatLocker® Community”. IT experts can share policies they created with other members of the ThreatLocker® Community on the platform.

BENEFITS

Alerts and Detection

Using industry-known indicators of compromise, ThreatLocker® Detect can identify and alert IT professionals that their organization may be under an attempted attack based on customizable thresholds and notification methods.

Leverage Knowledge

IT admins can easily share their own ThreatLocker® Detect policies or “shop” for vetted policies shared by their industry peers and the ThreatLocker® team.

Respond

Set policies to enable, disable, or create Application Control, Storage Control, or Network Control policies in response to specified observations.

Set Custom Thresholds

Policies can be tailored to alert and respond differently based on the threat level to reduce alert fatigue.

Getting Started is Easy

Call now at 801-263-8858 or email us at Info@fidelitech.net to start your Zero-Trust transformation!