It seems like the best solution to keep non-tech-savvy employees safe and make sure they're not doing something they're not supposed to do.
It really is. I worked at a repair shop that had an enterprise cyber-security division for local businesses, and it worked great at preventing damage and threats from clueless middle-aged employees.
We are happy to hear that!
I use and love ThreatLocker. I use it in conjunction with S1. It's definitely not an EDR replacement, just an extra layer to avoid stuff from even being executed in the first place. I really love the elevation features/policies. It has allowed me to completely remove all local admins and just allow elevation on certain apps automatically (i.e. application updates, etc.). IMO that's an even bigger deal to me than the ring fencing, because you limit your attack vectors even that much more. It's relatively cheap too, but they definitely want to get you in a contract.
I'd say a combination of both would be ideal
We use this, and although initially it's a pain to set up and get everything that needs to be whitelisted whitelisted, I personally am happy with the product. Pairing it with an AV is also great, as you get the best of both worlds.
That's what we use in our organization. Works pretty well.
Your CISO must be a very well adjusted person then…😂😂
Oh hey, finally a solution that has any real chance of catching a 0-day. My personal go-to is always IDA Pro and a VM/sandbox; this is basically that but on a company scale.
Have you tried AppLocker or WDAC?
We use threatlocker, and love it!
Don't be so sure of yourself. 😉
@@black_dragon274 yes
@@black_dragon274 Can't they be sure they love it? What are you talking about?
Allowing you to run PowerShell as Admin is a gap in your configuration; a standard user should not be allowed to elevate PowerShell in the first place; that's what Elevation Control is for.
Zero trust is definitely the way to go for an enterprise environment. 100% of the time, any type of virus infecting a company is because of user error, be it downloading and opening a file they received in an email or just poor security practices (i.e. no firewalls or whatever). For a single home user though, this creates waaaay more problems than solutions. I installed "Simple Wall" the other day because of your video on "How to stop apps from spying on Windows" and omfg was it triggering. I couldn't open absolutely any program without having to add each individual .exe related to it in Simple Wall.
It seems like a promising concept; I'll use it as an additional layer on top of a detection product.
I think both an allow-listing and a detection-based system are necessary. As far as making sure execution is secure, allow listing is the way to go... It just can be difficult for some jobs.
Yeah, and avoid Clownst... I mean CrowdStrike 😆
When is Part 2 of "Best Antivirus/EDR vs Unknown Ransomware" with Kaspersky etc. coming?
Soon (TM)
Thanks for the good video!
Could you make a video about Sandboxie-Plus and whether it makes sense to use it?
Saw a case last week where Fog ransomware encrypted the live server VMs where ThreatLocker and S1 were installed. No events logged and no blocked files. Absolute disaster.
Are you allowed to tell us/me about how this could be done and what the initial vector was? I am just learning and want to understand.
I would be curious to see you testing Kaseya/Datto AV + EDR + Ransomware solutions!
Can you use your knowledge to test how good Sandboxie Plus virtualization is and how it keeps spaces isolated from malware?
Great video!!! I like this approach (zero trust approach). What I want to know is will this perform better than UltraAV? :D lol Thanks for posting!!!
It would be better since it effectively gives you a 100% block rate for unknown (or non-standard) applications, but of course it relies on manual accept/deny, so it doesn't detect whether something is safe or not itself.
@@SmilerRyanYT Zero trust itself has default rules, like forcing all users to use low privileges rather than root/admin for what they want to do; when you try to open something important, users need to prove their identity. These rules reduce the chance of an attacker stealing the super admin, as a security layer.
In practice software like this makes security worse because you can't update software. Some help desk employee who knows nothing about security or your job installs the software and you hope it works, and you can never apply security updates because they will be blocked. So everyone is running two-year-old versions of everything on their computers. That's my experience at multiple companies.
Looks like TL automatically monitors application updates, matches the hash, and allows them, including any new DLLs, automatically, with no need for human intervention. Game changer, since one of the downsides of allowlisting is precisely these constant application updates, like QuickBooks.
This is interesting. I have been working on zero-trust solutions and the idea is exactly the same, but like with all software there are definitely going to be some misses, especially if someone knows how these zero-trust solutions work.
Yeah, that's why business cybersecurity companies provide more advanced solutions like EPR+XDR, zero trust, NGFW, MDR, NDR and encryption solutions to help business cybersecurity teams deal with incidents more effectively.
So since it works in a different way than a typical antivirus and firewall program, does that mean you can have both on your system without conflicts?
Yes
TL can be used with other EDRs/AVs, or you can just use its own EDR, ThreatLocker Detect.
I'd say it's a complement to antiviruses. Honestly, this tool has great potential since it allows only what an employee is supposed to do in their duties. Now, the UI and the problem PC mentioned can be solved by a QOL update.
I use ThreatLocker for my job, and while it's a good protector, you do have to put quite some work into it to properly configure applications so they're both protected and still work.
@@ym5891 no pain no gain
Very informative! Seems kinda similar to GlassWire.
That's actually almost the same as Kaspersky's Intrusion Prevention; it literally does the same thing lol.
ThreatLocker is similar to AppLocker but more advanced.
@@josemmm11 I meant Kaspersky's security module in its antivirus called "Intrusion Prevention", because it's almost the same thing; it does many things the same way, but in some ways better.
@@Zero-sm8oi OK, I understand. Something new to learn.
No surprise. These or similar features are present in many security suites, including KAV, ESET, COMODO, SOPHOS.
@@Zero-sm8oi How do those compare to Comodo?
So what is the price of this? They don't say anything on their site, which makes me suspicious.
It's business-focused and they have a minimum-endpoints type of buy-in. They also offer elevation control, storage control, MDR etc. The full suite is roughly $18 per month, but the basic product is only like 5.50 per month per device.
@@homelander-enjoyer That's a huge gap between 5.50 and 18. You mean $18 p.m. with MDR?
@@Cyber-1985 Yup - for the full package with MDR. But if you get 80% of your devices into lockdown mode within 80/90 days, you get a discount of roughly 3.50 per PC p/m.... still like 15 p/m tho
Oh man, would love that software for the house. But looks like it's going to have enterprise pricing.
Leo, please make a new Norton test video. The old video that you have on this channel is 4 years old.
There are a lot of security software offerings. The question I always have is, how do I know if the software is not a Trojan horse? How do you know if the software I buy is legit? Is there a computer security consortium certifying these software offerings?
Yes. As an example, the Linux Foundation. I doubt there is anything similar for Windows, because it's closed source and proprietary. For open source there are communities and organizations that look at source code and report any problems they find.
The Windows community is totally different. It's about different companies that compete in the market and offer better protection. They may have a better history and public opinion, and in a certain way the product might be better, but you never know what's behind the code.
App rating services like VirusTotal or Hatching.io are the place to start with that.
ThreatLocker does maintain a list of "known trusted" apps too, FYI.
I do tend to go the zero trust route these days, especially when I have non-tech-savvy parents.
AppLocker/WDAC tests when?
Jokes aside, I hope you cover them as well
WDAC is being retired :(
AppLocker is good, but when apps update you have to manually update the hashes etc., whereas ThreatLocker manages updates for you.
@@homelander-enjoyer No, it isn't. I think you confused WDAG (run apps in VMs) with WDAC (app allowlisting).
@@homelander-enjoyer Second, you can use signatures instead of hashes, so you don't need to update the policy every update (that is what I am doing right now).
Besides, what is the point of using hashes if they auto-update on changes? Might as well just use a path rule (I think).
@@tablettablete186 Ah, I did confuse them - my bad!
But a signature is quite easy to get around/fake? There was even a legit Microsoft sig that was rogue for years...
Path alone is a bit wide, isn't it? Path + signature is preferred, but hash is always best for security...
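The publisher-vs-hash-vs-path trade-off debated in this thread can be seen concretely with Microsoft's own AppLocker cmdlets. The script below is an added example, not code from the video, the commenters or ThreatLocker: it builds a policy for one application folder, lets signed files get publisher rules (which survive version updates) and falls back to hash rules only for unsigned files (which must be regenerated on every update), then dry-runs a binary against the policy before anything is enforced. The folder `C:\Program Files\ExampleApp` and the file `ExampleApp.exe` are assumed names.

```powershell
# Added example (not from the video or from ThreatLocker/Microsoft documentation):
# generate an AppLocker policy for one application folder, preferring publisher
# rules and pinning hashes only where no signature exists, then test before enforcing.
# Assumptions: $appDir is a hypothetical install folder; run from an elevated
# PowerShell on a Windows edition that supports AppLocker.

$appDir     = 'C:\Program Files\ExampleApp'          # hypothetical application folder
$policyFile = Join-Path $env:TEMP 'ExampleApp-AppLocker.xml'

# 1. Collect publisher, hash and path information for every executable, DLL and
#    script under the folder. Unsigned files come back with an empty Publisher.
$fileInfo = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe, Dll, Script

# 2. Generate rules. With -RuleType Publisher, Hash the cmdlet emits a publisher
#    rule for each signed file and a hash rule only for files it cannot match to a
#    signer. -Optimize collapses publisher rules that share signer and product.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                        -RuleNamePrefix 'ExampleApp' -Optimize -Xml |
    Out-File -FilePath $policyFile -Encoding utf8

# 3. Report which files ended up hash-pinned: these are exactly the ones a future
#    application update will break until the policy is regenerated.
$unsigned = @($fileInfo | Where-Object { -not $_.Publisher })
"Hash-pinned (unsigned) files: $($unsigned.Count)"
$unsigned | ForEach-Object { "  $($_.Path)" }

# 4. Dry-run a file against the new policy instead of enforcing blind.
#    PolicyDecision is Allowed, Denied, AllowedByDefaultRule or DeniedByDefaultRule.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path (Join-Path $appDir 'ExampleApp.exe') -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the effective local policy only once the dry run looks right.
#    A path rule such as "%PROGRAMFILES%\ExampleApp\*" would be shorter, but it
#    allows anything placed in that folder, so it is only as strong as the folder's
#    ACL; publisher and hash rules tie the allow decision to the file itself.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Step 3 is the part worth watching when deciding whether a hash-based allow list is maintainable for a given application: if most of its binaries are signed, the policy is mostly publisher rules and updates pass without edits; if many are unsigned, every update means re-running steps 1 and 2.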
Should the average user use this, or would it be overkill?
@@Robertganca overkill, but if you sail the 7 seas, it could help avoid the kraken
The average user cannot even get a price without writing a request. It's for corporate business. You can only get a 30-day trial.
It's a business-focused solution tbh.
Excellent, thanks.
Is Threatlocker compatible with AV+EDR on same system?
It is, yes. They even offer a Managed EDR service too. We run them with Webroot + Windows Defender with no problem.
IMO it's complementary to NGAV/EPP and other layers of protection.
Bitdefender vs Kaspersky pliz
Nowadays all cybersecurity companies' solutions have difficulty dealing with attackers, because attackers always very much like to find high value.
According to Copilot, the first use of heuristic engine 2.0 was in 2010; nowadays it's near the end of 2024, but they still haven't studied a new heuristic engine, and antivirus is not anti-hacker.
I don't like either/or questions, because the best answer is rarely just one or the other. As you pointed out, this tool wouldn't step in on a phishing attack. Also, as you noted, this tool can have a major (even if momentary) impact on system performance. It seems to me that this is a great second layer in a defense-in-depth strategy.
I like the idea of antivirus and whitelisting, but I'd rather not have a dashboard and just a local yes/no/sandbox option for allowing execution when it blocks something.
If there were any way at all I could have something like the popup of SecureAPlus but with just the whitelisting feature, I would, along with an option to accept once, or allow all if I want to.
macOS does this.
I love this product for advanced users, but not for your typical average user. It would probably work well if you were to configure a single image that you then deployed to all of your end-user computers.
I like this, it has possibilities. ZT FTW.
Great bit of kit. If only it were a bit more lightweight.
Is this similar to AppGuard?
Unfortunately we'd need the benefits of both.
The best antivirus would be the combination of Bitdefender, Malwarebytes and Kaspersky; I would name it ShadowAV.
Ik
I still like antivirus better, but this has some good features that should be implemented in AV.
I've often wondered why something like this did not exist.
I'm definitely going to try it.
For me as a home user, I have plenty of time to assess each process that wants to execute.
I was unaware of it, so thanks for the heads up. I was also unaware of your channel until the past couple of weeks. I'm impressed.
Much appreciated.
Edit: I see it's only for enterprise. Way over what I could afford.
I will try to research the tech; perhaps I could emulate its basic functionality (been learning coding for a year or so) as a new project.
Edit2: Actually I don't see why someone with the time and patience could not achieve what ThreatLocker does using Windows alone. Searching for whitelisting brought up another of this channel's videos.
th-cam.com/video/7UWFJGeix_E/w-d-xo.html
Thanks again
Explain how to use Garuda Linux?
Honestly, even with stuff like this, be careful what you open and download.
You can't rely on only an AV all the time; it requires some human effort too!
(Edited to make more sense as I haven’t watched the whole thing)
That's why I got myself ESET + Malwarebytes + VoodooShield + NextDNS.
Occasionally scanning with NPE, KVRT, HitmanPro and Farbar.
Not to mention I am planning to get a physical firewall with OPNsense at some point.
I am very confident nothing can penetrate my system, even if it is a targeted attack.
Looks like a typical HIPS, but this one has bells and whistles, i.e. good for corpos. It isn't free, apart from a 30-day trial. If so, it should be compared to many similar packages included in Sophos, ESET, Kaspersky etc. The good old COMODO still looks at least not bad compared to this software, and COMODO Firewall (Internet Security) is freemium.
Zero trust is the ONLY answer in today's day and age.
Does it run a VPN profile like GlassWire?
CyberLock? From Voodoo Lock? No OSS alt currently; anyone know any?
Best product, I like it.
Do kaspersky vs bitdefender 😊
I believe detection is the best due to the trouble of allowing new programs.
You need zero trust AND good detection
Could you do a review on TotalAV please?
totalshit
Try going to Computer Solutions on YouTube and searching the term in their search box; you will probably find a bunch of tests of TotalAV.
Why? It is rubbish & a scam, as it auto-renews @ 10 times the price.
@@zetectic7968 Exactly, because there are tons of bot/fake reviews on it.
Test Anti-Executable by Faronics
OK, as an old senile man who likes to rant angrily into the clouds, I am going to "fart in church". First, the OS and BIOS should be locked down to a paranoid level. But the reality is that OSes give permissions to almost anything by default. [Except non-commercial Linux and similar distributions, where you have to OPT IN to allow apps to be permissive.] It is generally a shit idea to give an app direct kernel access, but this is routinely done in gaming, where a gain of a few FPS is more than offset by badly compromised security. Debian distros that conform to the full GPL make you opt in to install the latest video driver, for example NVIDIA's commercial drivers.
The current design philosophy of Microsoft OS products seems to be a permissive OS, which you then have to lock down if you want to. Security provisions should be customizable at all times, and especially at first installation. The amount of telemetry and connections that Windows 11 does [Home or Professional] is absurdly high. So you have to make yourself an expert at finding out which connections are actually essential and which are just crap [or for Microsoft's benefit and not necessarily yours].
You can easily go on the web and find cut-down versions of Win10 or 11 [with names like "Tiny 11"], but that does not help much, because as well as taking out some of the bloatware, it will also disable MS's anti-virus. In short, you run the risk of an OS that is even more insecure than the standard version.
In theory, policy controls in Win Pro should stop a lot of nonsense, but most of them are quite easy to bypass. "Hardening" Win 11 needs an expert level of knowledge which most people don't have.
I see that M$ has adopted the SUDO command, but I have no idea how safe it is. In Linux it is great, but then Linux is much more oriented towards keeping the user in user space, rather than letting them swan around in kernel space.
The most fun thing in your comment is that you try to estimate the security of Windows and compare it with a good OS like Linux ) That OS is not made for security, it's for profit: the profit of making some apps, including games, that will be sold. Well, in some states they are now legally obliged to replace selling with licensing.
So it's basically SELinux but less secure.
These random cuts in the video make it seem illegitimate. I notice it in every video.
Please stop the whooshing sounds!
Would love to see a vid on how to permanently remove MS Copilot in Win 10?
Hello, I'm second.
This is a very good video
Comodo but weaker.
Bravo nice one