ThreatLocker

Discussion in 'other anti-malware software' started by JEAM, Aug 14, 2025.

  1. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    605
    I just heard an ad for this product. It's enterprise-oriented and therefore likely way above home users' budgets.

    However, for small-office/home users, what would you say comes closest to ThreatLocker? Scroll down the page to the section, "Enterprise-Level Solutions" and see the list of features there. Is there a single consumer-oriented product that puts all these same elements together, or would we need to mix-and-match from a variety of applications?
     
  2. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,167
    Location:
    Nebraska, USA
    Microsoft Defender, keeping Windows and Defender current, and avoiding being "click-happy" on unsolicited links, popups, attachments and downloads is more than adequate for the vast majority of home users.

    As for small office solutions, that depends on the business. If it deals with storing customer/client personal information such as credit card information, real names, Social Security or Insurance numbers, bank account information, etc. then I would suggest consulting an IT security expert, or even having one on staff or some sort of retainer.

    The size and type of business matters too, as well as the "security awareness" and "user discipline" of the employees. Is the business something bad guys might be attracted to? Are the employees security aware? Are they trained in security measures? That is, do they understand how to avoid being "click-happy" and to protect business and client data and records?

    If you have a small handful of employees, and they all understand what social engineering is, and how to mitigate it, then Defender, keeping systems current, and avoid being click-happy is fine there too. That means training, refresher training, and training again - and THAT is all on management!

    It is important to understand the vast majority of company hacks and breaches happen because (1) an employee was tricked into opening an unsolicited malicious email and clicked on malicious links and (2) the person(s) responsible for system security FAILED to properly do their job by applying security patches in a timely manner AND training their employees on security awareness.

    That person or persons responsible includes the person responsible for IT security AS WELL AS top management who MUST ensure the IT/Security people are doing their jobs, and have the resources and training to do their jobs.

    Bad guys typically are lazy, opportunistic bums who go for the easy pickings. Unless specifically targeting you personally, odds are if they see any resistance (signs of decent security) they will move on to lower hanging fruit. Now if a bad guy is specifically out for you personally, you really need to hire a specialist - and as always keep good, current backups. And a guard dog or two.
     
  3. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    605
    Thanks for the reply. Sorry it took so long to get back to you, we were away.

    Your advice is of course sensible and appreciated. :thumb: I was wondering specifically if there's any consumer-level security product out there that approximates the feature that ThreatLocker labels Ringfencing or "application containment."
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,605
    Location:
    U.S.A. (South)
     
  5. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,167
    Location:
    Nebraska, USA
    I think you would need to be more specific about your network configuration, number of computers, number of users per machine - and what it is you are looking for.

    I personally am not aware of a product for home use like that - in part because I have not seen the need for one. But that's me and my network.
     
  6. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    605
    Thanks, that's the sort of thing I was hoping for: an informed viewpoint about how widespread that kind of feature might be, as opposed to a customized assessment for my specific case. :thumb:

    I'd never heard before of anything like that "application containment" feature, so I was wondering if it was unique to the ThreatLocker folks or maybe more of an "enterprise" thing.
     
  7. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,167
    Location:
    Nebraska, USA
    Well, to me, it would be very similar to running a program (or entire OS) in a VM (virtual machine). This can easily be done in W10/11 and folks who do a lot of testing and experimenting do this to isolate their testing from everything else. Folks also do this to run Linux within Windows, for example. It does offer a significant amount of security, but is it needed for security? I say "no" AS LONG AS you - as noted in the first sentence of my first reply - keep,
     
  8. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    605
    Thanks for that. I've done a little toe-dipping into virtual machines, but I hadn't thought about its possibilities in a security context, mostly just to try out old OSes or to set up DOSbox for a family member to play ancient games.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,224
    Location:
    The Netherlands
    What they call Ringfencing isn't anything new, it's basically another word for behavior blocking. Tools like SpyShelter, OSArmor and HitmanPro.Alert (HMPA) do the same, but they all monitor different things.

    For example, SpyShelter will block apps from accessing certain protected folders. OSArmor will block apps from launching system/suspicious processes. And HMPA will block apps from injecting code into processes. Of course they also monitor other things.
     
  10. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,167
    Location:
    Nebraska, USA
    It should be noted that the operating system itself, as well as Defender or most other free (if it includes a real-time component) or paid alternatives, does all that effectively as well. The days of needing layer upon layer of "different" security software products are long over.

    We need to remember (and for some, accept) that, contrary to what many want us to believe, Microsoft does not want our systems to get infected. Why? Because they know they will be relentlessly and viciously chastised for failing to do so if they don't - even though it is the bad guys perpetrating the offenses. They know this from nearly 25 years of history - ever since XP came out.

    So, again, contrary to what many want us to believe, Defender really is very capable at keeping our computers, and the data on them, safe and secure. But again, that is AS LONG AS we keep Windows and Defender current, AND we avoid being "click-happy" on unsolicited links, popups, downloads, and attachments - the EXACT SAME things we must do, BTW, regardless of our security solution of choice.

    And we know Defender is fully capable of protecting its users, for several reasons.
    1. If it wasn't protecting users, there would be 10s, 100s of millions of Defender users out there with compromised systems - and there aren't.
    2. If it wasn't, the extremely biased, anti-Microsoft members of the IT media, bloggers, and Microsoft and Defender-hating forum posters would constantly be raising uproars, and they aren't - at least not about Defender failing us.
    3. The popular and respected Windows security testing labs, AVTest and AV-Comparatives (scroll to near bottom and the "Award levels reached..." section) have consistently rated Defender as a "Top Product" and awarded it "3 Stars" with an "Advanced+" rating. Note that is on par with many of the popular free and paid (and costly! :() alternatives. It even bested some popular products like AVG, TotalAV, Avast, Trend Micro, and Malwarebytes in some areas.
    Let me quickly add, I am NOT promoting Defender or any other product and I am not going to debate which is best. The differences between the top rated offerings are too insignificant to matter. I am just pointing out Defender is just as capable as the other leading alternatives, plus it's totally free (with no prodding to get us to upgrade to "premium" versions) and it's already in W10 and W11.

    I personally don't care what solution you use. Just use one and keep it current. And don't be "click-happy".

    One last thing. I like Malwarebytes but note the free version does not have a real-time component. I also think everyone should have a secondary solution for "on-demand" scanning just to ensure the user, ALWAYS the weakest link in computer security, or the primary solution didn't let something slip by. And Malwarebytes Free is great for that - even though it scored poorly due to "false positives". For me, it has on occasion tagged a safe and "wanted" program as a "PUP" (potentially unwanted program) - easily rectified by adding the file to its "Allow list". FTR, Malwarebytes has never (since W8 and Defender came out in 2012) found anything malicious Defender missed. I'm just saying... . :)
     
  11. gary_seven

    gary_seven Registered Member

    Joined:
    Nov 2, 2021
    Posts:
    12
    Location:
    california
  12. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    770
    Location:
    Milan, Italia
    :thumb::thumb:
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,224
    Location:
    The Netherlands
    What sets tools like HMPA, OSArmor and SpyShelter apart is that they can block attacks even when AV's like Windows Defender are bypassed. That's the part that certain people seem to miss, I guess it's a lack of knowledge? Don't forget, when it comes to more advanced attacks like with so called trojanized apps, AV's will often fail. You won't see this in most of those big sponsored tests.

    So let's say malware is able to bypass AV, then a tool like HMPA can still block infostealers from stealing data from the browser. Or it can still block ransomware from encrypting files via CryptoGuard. A tool like OSArmor might block fileless malware from loading powershell.exe for example. And SpyShelter might block malware from loading a rootkit driver. So basically, that's what Threatlocker calls ringfencing, but it's just another word for behavior blocking.

    So contrary to what certain people want us to believe, these extra protection tools, which act as an extra layer in case AV's fail, are still very useful. Fact of the matter is that AV's are still not able to block 100% of all malware, sometimes because the cloud analysis isn't good enough, and sometimes because AV's are simply getting terminated.
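    The "ringfencing"/behavior-blocking idea described in posts 9 and 13 (an allowed application is still stopped from launching script hosts, writing outside its folders, injecting into other processes or loading drivers), shown as an added example. This is not part of the thread and not code from ThreatLocker, HMPA, OSArmor or SpyShelter; the event format, the policy layout, the process names, the user "alice" and the sample trace are all constructed assumptions, and the decisions are evaluated on a constructed trace rather than on live events.

```python
"""Toy application-containment ("ringfencing") policy evaluator.

Added example, not code from any product named in the thread. It shows the
principle behind behavior blocking: decisions are made on what a process DOES,
independently of whether a file scanner recognised the payload.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


# Constructed event model: what a behaviour-monitoring component would report.
@dataclass(frozen=True)
class Event:
    kind: str    # "spawn", "file_write", "inject" or "driver_load"
    actor: str   # image name of the process performing the action
    target: str  # child image, file path, target process image or driver path


# A "fence" describes what one allow-listed application is permitted to do.
@dataclass(frozen=True)
class Fence:
    allowed_children: frozenset = frozenset()
    allowed_write_roots: tuple = ()
    may_inject: bool = False
    may_load_drivers: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Script hosts that document or browser processes rarely need to start
# (the thread's own example is powershell.exe; the others are assumptions).
SCRIPT_HOSTS = frozenset({"powershell.exe", "cmd.exe", "wscript.exe"})

# Constructed policy for a fictional single-user home PC (user "alice").
POLICY = {
    "winword.exe": Fence(
        allowed_children=frozenset({"splwow64.exe"}),   # print spooler helper
        allowed_write_roots=(r"C:\Users\alice\Documents",
                             r"C:\Users\alice\AppData\Local\Temp"),
    ),
    "chrome.exe": Fence(
        allowed_children=frozenset({"chrome.exe"}),      # its own sandbox children
        allowed_write_roots=(r"C:\Users\alice\Downloads",
                             r"C:\Users\alice\AppData\Local\Google"),
    ),
    "explorer.exe": Fence(
        allowed_children=frozenset({"winword.exe", "chrome.exe", "notepad.exe"}),
        allowed_write_roots=(r"C:\Users\alice",),
    ),
}


def _under(path: str, root: str) -> bool:
    """True if `path` lies inside `root` (Windows paths, case-insensitive)."""
    p = PureWindowsPath(path.lower()).parts
    r = PureWindowsPath(root.lower()).parts
    return p[:len(r)] == r


def evaluate(event: Event, policy: dict) -> Decision:
    """Decide one event against the fence of the acting process (default deny)."""
    fence = policy.get(event.actor.lower())
    if fence is None:
        return Decision(False, f"{event.actor} is not an allow-listed application")
    if event.kind == "spawn":
        child = event.target.lower()
        if child in fence.allowed_children:
            return Decision(True, "child process is expected for this application")
        tag = "script host" if child in SCRIPT_HOSTS else "unexpected child"
        return Decision(False, f"{event.actor} may not start {child} ({tag})")
    if event.kind == "file_write":
        if any(_under(event.target, root) for root in fence.allowed_write_roots):
            return Decision(True, "write inside an allowed folder")
        return Decision(False, f"{event.actor} may not write to {event.target}")
    if event.kind == "inject":
        if fence.may_inject:
            return Decision(True, "cross-process access permitted by policy")
        return Decision(False, f"{event.actor} may not inject into {event.target}")
    if event.kind == "driver_load":
        if fence.may_load_drivers:
            return Decision(True, "driver load permitted by policy")
        return Decision(False, f"{event.actor} may not load driver {event.target}")
    return Decision(False, f"unknown event kind {event.kind!r}")


# Constructed trace: a normal session plus a few actions that fall outside
# each application's fence, whether or not a scanner recognised the payload.
SAMPLE_TRACE = [
    Event("spawn", "explorer.exe", "winword.exe"),
    Event("file_write", "winword.exe", r"C:\Users\alice\Documents\report.docx"),
    Event("spawn", "winword.exe", "powershell.exe"),             # document -> script host
    Event("file_write", "chrome.exe", r"C:\Users\alice\Downloads\invoice.pdf"),
    Event("inject", "chrome.exe", "explorer.exe"),               # cross-process access
    Event("file_write", "winword.exe", r"C:\Users\alice\Pictures\holiday.jpg"),
    Event("driver_load", "winword.exe", r"C:\Windows\Temp\x.sys"),
    Event("spawn", "invoice_viewer.exe", "cmd.exe"),             # binary not in policy
]


def blocked_actions(trace, policy=POLICY):
    """Return the (event, reason) pairs the policy would stop."""
    return [(ev, d.reason) for ev in trace
            if not (d := evaluate(ev, policy)).allowed]


if __name__ == "__main__":
    for ev in SAMPLE_TRACE:
        d = evaluate(ev, POLICY)
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{verdict} {ev.kind:11} {ev.actor} -> {ev.target}: {d.reason}")
```

    Run it as a script to see the verdict for each event in the constructed trace; five of the eight actions are blocked. The point of the structure is that each rule is about behaviour relative to the acting application (a word processor starting a shell, a browser reaching into another process) rather than about recognising a particular file, which is why such a layer can still say "no" when signature or cloud detection has been evaded, and equally why it needs a per-application policy that fits the machine it runs on.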
     
  14. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,167
    Location:
    Nebraska, USA
    Huh? Lack of knowledge? Kind of an underhanded insult there, dude! :(

    That's just total nonsense. Just how are "AV's like Windows Defender" bypassed? Where's your evidence this is happening? The marketing hogwash from HMPA, OSArmor and SpyShelter? Who would believe that? I guess that would be the gullible who lack the knowledge of the truth.
    More nonsense. Where's your supporting evidence this is happening?

    For the truth and for the record, all "AV's like Windows Defender", including Defender (it has not been called "Windows Defender" for over 6 years!) include behavior analyze and blocking. That is, their "real-time" components are constantly monitoring the "environment" - that is, what is happening in real-time within the operating system and RAM and the processors - actively looking for suspicious behavior, and immediately blocking it, if found. THEY ALL DO THAT!

    Rasheed wants you to believe that Avast, AVG, Avira, Bitdefender, Eset, F-Secure, Kaspersky, McAfee, Defender, Norton, TotalAV and a few others - ALL OF WHOM received the highest ratings/awards in the critical category of "Protection" for our computers by those highly regarded testing labs - are inadequate! Where's his evidence?

    He wants you to believe these highly reputable products can somehow, be "bypassed" or "simply terminated" without providing any evidence this is happening. :(

    He wants you to believe the bad guys are "simply" able to slip by our router's DHCP features, our router's firewalls, our computer's firewall, and "bypass" our OS's and security solution's own self-protection features, and "simply terminate" our security! Really?

    And he wants you to believe that none of those top scoring programs are capable of protecting our computers like his programs can. Yeah right! :rolleyes:

    And oh, BTW - what incentive do his programs, as well as Norton, McAfee, and the others have to rid the world of malware? None! Why? If malware goes away, they go out of business.

    Now what incentive does Defender have to rid the world of malware? It is to stop getting blamed for the security mess the bad guys, and the FAILURE of the commercial anti-malware industry, put us in. Remember, it is totally free and doesn't even have a premium version for us home users.

    So, with our routers, the security and firewall features in our routers, the firewalls on our computers, the anti-malware solutions running on our computers, and the security features included in Windows itself, that is already multiple layers of protection.

    But hey! If you want to believe Rasheed is right, go ahead and add a 6th or 7th deadbolt on your door. It won't (hopefully) hurt anything - other than use up more system resources doing something all "AV's like Windows Defender", including Defender already do. :rolleyes:
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,224
    Location:
    The Netherlands
    BTW, I've just read a post of a certain someone, and I now know for sure that it's a lack of knowledge. He seems to believe that it's impossible to bypass AV's, which of course is complete nonsense. Most security experts know about this fact.

    He also seems to believe that Win Defender's behavior blocking works exactly the same as specialized tools. You must understand that AV's like Win Defender rely mostly on the cloud, so it isn't anything like HMPA's CryptoGuard, which doesn't rely on the cloud, which has its advantages. And there are plenty of tests out there that will show that AV's sometimes miss certain malware samples and sometimes even get terminated.

    Of course I'm not saying that these specialized behavior blockers can't get bypassed. But I think this whole "extra lock on the door" concept is hard to grasp for certain people, so that's why they will often come up with advice that "Win Defender + not being click happy is all you need." Now that I think of it, if AV's can really block all malware, then you might as well BE click happy LOL.
     
    Last edited: Aug 26, 2025 at 5:05 AM
  16. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,167
    Location:
    Nebraska, USA
    Well, this "certain someone" asks you once again,
    You said, "let's say malware is able to bypass AV". So once again,
    You claimed, "AV's are simply getting terminated." So I ask again,
    And "AV's like Win Defender rely mostly on the cloud". There's more of your nonsense. Do they use the cloud? Of course - that is where the anti-malware developers put their most current "zero day" code so it is available NOW. So users don't have to wait for the latest update files. That is where they put their latest definition/signature files. And guess what? HMPA, OSArmor, and SpyShelter all rely on the cloud for those reasons too.

    And of course, most of those products, including Defender, have "off-line" scanning options too.

    If you, Rasheed, can't provide any evidence these popular solutions are getting "bypassed" and "simply terminated" and therefore require additional security software to keep us secure, then STOP making unsubstantiated claims. That is doing a disservice to readers.

    And for sure, STOP being dishonest about what this "certain someone" claims. I never said, suggested, or even implied that these products' behavior blocking works "exactly the same" as anything! I said they all "include behavior analyze and blocking." The truth more likely is each one does it slightly different, in their own way.

    Once again, for our fellow readers, if you want to believe Rasheed just because he says something is so, fine. That's your right.

    But if you do believe him when he claims the top rated anti-malware solutions Norton, McAfee, AVG, BitDefender and the others "are simply getting terminated" or "bypassed" and therefore need these extra layers - especially if you use one of those top rated programs! - I would urge you to "simply" ask for his evidence. Have him show you what he claims to be a problem, really "IS" a real-world problem. Have him show you where your security solution is inadequate.
     
  17. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    605
    @Rasheed187 and @Bill_Bright -- :thumb: thank you for the discussion shedding light (and some heat :)) on my question!

    I use secondary resident anti-malware software on my computers (mostly HMP.A and BlackFog) as well as on-demand scanners, including MBAM Free and the ESET and F-Secure Online Scanners. It's good to know that some of the former are already doing the kinds of special things that ThreatLocker is offering in the enterprise context.
     
  18. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,167
    Location:
    Nebraska, USA
    Wow! Out of curiosity, what malicious files did any of those secondary solutions find on your computers that your primary real-time scanner missed?

    If any, are you the only user of your computers? I mentioned before that the user is ALWAYS the weakest link in security. But I should have added that if others use your computers too and they may be less disciplined about being "click-happy" or they, perhaps, visit "illegal" gambling or pornography sites or roam around the dark-web, then an additional real-time solution might be prudent.

    As I also noted above, the only thing my secondary found was a couple of safe and "wanted" PUPs. Nothing malicious - ever. But I don't visit the wrong side of town either.
     
  19. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    605
    I am the only user of my computers (and I wouldn't have it any other way!).

    I listed those secondary scanners in order to indicate my agreement with your advice upthread that

     
  20. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    296
    Wouldn't the exact same apply to you?

    To me you are just another poster stating NOTHING but his own opinion without backing up his claims. This is a forum to discuss security related stuff and all opinions should be ok without a belittling attack. Post #16: You should be better than that, I assume you like me are not a young gun, but up there in age....50-ish?

    To the subject: I use MICROSOFT Defender and two other tools which happen to have saved me twice over the years, making it worth the money spent IMHO. I am seriously thinking of adding Blackfog which works at the network level and stops data getting out.

    Just my 2. :)
    JEAM, what is your opinion of BF?
     
    Last edited: Aug 27, 2025 at 3:12 AM
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,224
    Location:
    The Netherlands
    Good point, he claims that Win Defender is unbeatable, and that people are never getting hacked, where is his proof? Reminds me of those people who claim that macOS is unhackable LOL. In fact the biggest hack EVER, the one on crypto exchange Bybit ($1.5 billion was stolen), months ago, all started on a hacked macOS laptop. Built-in security like XProtect and Gatekeeper were obviously bypassed in this very sophisticated attack.

    But it's also funny that certain people always advise to "not be click happy", which implies that they do know that sooner or later your AV (like Win Defender) might fail to protect against certain malware samples. And that's exactly where those "extra lock on the door" tools come into play. But because of a lack of knowledge, they assume that these tools work exactly the same as Win Defender, so no need to use them, which is of course complete nonsense.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,224
    Location:
    The Netherlands
    I now see that this "certain someone" is backpedaling. All of a sudden he now claims that Win Defender's behavior blocking capabilities might be implemented in a different way. Sadly enough he isn't aware of the fact that tools like HMPA, OSArmor and SpyShelter do NOT rely on the cloud when it comes to behavior blocking. So again, a lack of knowledge.

    BTW, to give an example, in this article you can read about 4000 people being infected by the PXA infostealer, I highly doubt these people were not using any AV. In fact, I bet they were likely using Win Defender. But as many people know, when it comes to blocking zero day malware, AV's will sometimes fail. A tool like HMPA might be able to block this PXA infostealer from stealing your info, so don't let anyone with clearly a lack of knowledge tell you that Win Defender is all you need!
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,224
    Location:
    The Netherlands
    BTW, on The PC Security Channel you can find small scale, but interesting malware tests.

    In some videos I have seen Windows Defender fail to detect infostealers and ransomware. Of course, overall it will do a pretty good job, but only one failed detection can wreak havoc. Tools like HMPA and AppCheck Anti-Ransomware might save you in cases where Win Defender fails.

    I have also seen a video where Malwarebytes Premium is terminated by ransomware. In this article you can read about how hackers recently abused a legitimate driver to disable AV's. Of course this stuff is mostly used to attack companies, because that's where the money is made, but from a technical point of view, it can also be used to hack home user PCs.

    And BTW, make sure to check out the video where a ransomware simulator is used that basically simulates zero day malware. Windows Defender (consumer version) failed to detect file encryption, while Bitdefender and Sophos passed. That's because their behavior blocker is simply more advanced.

    https://pcsecuritychannel.com
     
  24. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,167
    Location:
    Nebraska, USA
    It does, but how is anyone to show evidence they are NOT getting infected? Why would they?

    So then I ask you Sir Percy, can you find any evidence Rasheed is correct? Can you find any evidence that all these major security programs ARE getting bypassed? That they are "simply" being terminated?

    If you can, I would be happy to retract my statements and apologize to all. But I see nothing here at Wilders. Nothing at BleepingComputer. Nothing at any security site.

    Can you?

    Where are the millions and millions of Defender and other AV users reporting their computers have been compromised because Defender or their alternative solution failed?

    As for his link, note the network has already been compromised through stolen credentials. That is not a home network. And how many home users use that driver such that this is a widespread issue?

    Does one tiny exception make the rule?

    To that, see the following.

    There you go telling falsehoods again. I NEVER said Defender or any solution was unbeatable - as anyone can verify for themselves.

    So, Sir Percy, who are you going to believe? Someone who clearly has no problems telling falsehoods?
     
    Last edited: Aug 27, 2025 at 9:36 AM
  25. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,167
    Location:
    Nebraska, USA
    LOL

    It doesn't imply that at all. If you were knowledgeable about how corporate networks are (almost) routinely hacked, you would know it is by users on those networks receiving what looks to be a legitimate email and clicking on a link that then compromises the network. And sadly, in most of those cases, it happened because the various operating systems were NOT kept current. Read up on the massive Equifax breach.

    Even the best security is compromised if the user opens the door, invites the bad guy in and then asks what they want.

    Time to move on.
     