ThreatLocker Protect Reviews

We use it over our 31 clients, and twelve hundred devices. We use it over all of our Windows workstations and Mac workstations to prevent unauthorized installs and downloads of applications.

Allow Listing is great. The biggest improvement has been knowing that something unauthorized isn't going to get installed on anyone’s machines. Even if somebody did manage to get into their systems, they wouldn't be able to do anything without us knowing about it.

Definitely, the allowed listing and the Zero Trust platform are the most useful aspects of the solution.

It is very easy for an administrator to approve and deny requests. So easy in fact that I have given it to a majority of our client's main point of contact, where they are able to approve them, whether it's via their mobile cell phone or logging into the portal on their computers.

The overall visibility into software approval requests of end users is very good. We can see everything that we need to see including the application path, the user that requested it, and the computer host name. When it's approved on the workstation endpoint, it pops up with a text box saying, “Hey, this has been approved. Click here to install your application.”

We allow listing with the ring-fencing. We do implement that when needed. For example, for Word and Excel, there's no need for those to talk out to PowerShell and command prompt, so we do have those ring-fenced where they cannot speak to that.

Their combination for blocking unknown threats on attacks is good. If it's not something we've previously approved, it does get locked every time. Sometimes it even gets in the way of our day-to-day, which is good. It's what we wanted it to do. It does its job a little too well.

It is great for establishing trust for every access request no matter where it comes from. Whether the user is an admin or not, they all still have to get their software approved. Once it has been approved, it makes it easy for everyone as they're able to install it on their own without approval again.

It helped reduce our organization's help desk tickets. We haven't had nearly as many clients submitting tickets, say, for example, McAfee installing when they're trying to install Adobe. We approve Adobe and we don't install the McAfee install. That will get in the way a lot, and we have seen a major reduction in tickets such as those.

Being able to not have to worry about what everyone's installing all the time has definitely improved our ability to focus our attention on other projects.

The new portal that they just released took care of a whole lot of improvements. 

There are some times when applications get submitted, and the hashes don't really line up. It would be excellent if there was a way for the hashes to point to a known application. The biggest example I have is probably web browser plug-ins. Those come up and they look very gross and don't give you very much information at all so you have to go to Google and look up what they are.

I've used the solution since February of 2022. It's been about a year and eight months. 

The stability is very good. I have not seen any outages.

It is deployed to every single endpoint that we currently manage Windows-wise and then a majority that we manage Mac-wise. We currently have 712 computers being monitored.

They continue to grow. They produce Mac releases, Windows updates, and patches. 

Technical support is great, they get to the requests before we can go through them. 

Positive

We did not previously use a different solution.

The initial setup was pretty straightforward to the point where the documentation was good enough that I could have a level one brand new green tech to handle it and be confident.

Deploying it through DATTO RMM is probably the biggest way we deploy and then we might have a manual agent deployment if necessary.

We utilized two people for the deployment. 

It does require maintenance. We'll do monthly check-ins with Threat Locker and an account manager to go over just to see what we can improve. 

The deployment was handled in-house. 

We have seen an ROI via the amount of hours we save not having to worry about looking at different applications getting installed. We also don't have to worry about clients getting ransomware attacks and things like that, so that has helped us a lot.

Pricing is a little high, however, you get what you pay for.

We did look at other solutions before choosing this solution. 

We have noted time to value. It's easier than ever to approve very quickly rather than having to talk with clients to see what they are trying to install. The virtual deployment allows you to see what's going on super quick. The onboarding was pretty extensive. It took us a solid six to eight months before seeing time to value. 

I'd rate the solution eight out of ten. 

I'd advise others that if they use the product they have lots of peace of mind and sleep better knowing your clients are better protected. 

ThreatLocker is our standard security stack, with very few exceptions. We use it for all of our MSP clients, MSSP clients, and recently for IR response cases. We use ThreatLocker to control application installations and take advantage of its ring-fencing option, which prevents otherwise good applications from interacting maliciously.

Administrators can easily approve or deny requests using the log listings.

The overall visibility into software approval requests of end users is very good.

ThreatLocker and ring-fencing are two of the main ways to prevent applications from interacting with each other, outside of application control. This means that we can take two otherwise non-malicious applications and prevent them from speaking to each other. A good example is Microsoft Word and Microsoft PowerShell. We wouldn't want Word to interact with PowerShell.

From a visibility standpoint, we like Allowlisting's ability to establish trust from every access request, regardless of its origin. However, there is nothing quite like the application control feature, even in an XDR or EDR solution. We are looking for the process path, CERT, and other information to identify the application.

Allowlisting has helped reduce the number of our help desk tickets. There was an initial spike in configuring trusted applications, but it has definitely cut down on supporting applications that should not be part of an organization anyway, such as PDF readers and browsers outside of the standard. Once we add an acceptable group of applications, we no longer support any deviations from that. Allowlisting has cut down on some of the ticketing there.

Allowlisting has helped us consolidate applications and tools. For example, we have standardized on a list of allowed browsers because those are the browsers that are patched regularly. We have also standardized PDF readers and Office suites, such as LibreOffice and Microsoft Office.

We saw the benefits of Allowlisting quickly. We observed that applications, such as PowerShell, were able to run freely within an environment, and that there was a high likelihood that one of these tools could be used maliciously without any effective deterrents. None of the EDR, XDR, logging, and forwarding SOX solutions were able to stop such an attack from proceeding.

Application control, ring-fencing, and storage control are the most important features, followed closely by elevation.

More visibility in the built-ins would be nice.

The learning curve is wide because there are a lot of things to learn. 

I have been using ThreatLocker Allowlisting for two years.

ThreatLocker Allowlisting has had minimal downtime, comparable to, if not exceeding, Microsoft's uptime standards.

ThreatLocker Allowlisting is easily scalable. We doubled our endpoint count in three days, and we know that we can scale.

The support team is the best we've had by far. I don't think I've ever waited more than a minute, They usually answer our call in about 30 seconds.

Positive

The initial setup was straightforward. We pushed ThreatLocker Allowlisting out from our RMM automation system. We have also pushed it out in other ways, and it is always straightforward.

Two of our people were involved in the deployment.

We used ThreatLocker's onboarding process support for the implementation.

The pricing is fair and there is no hard sell.

I would rate ThreatLocker Allowlisting ten out of ten.

The alert board for maintenance requires monitoring.

Potential users should expect to dedicate resources to ThreatLocker Allowlisting. It is not a set-and-forget solution. There is a learning curve, but Cyber Hero support is available to help users through it. Unlike some other products that onboard users and then leave them to the ticketing system, ThreatLocker provides continued support. It is important to note that ThreatLocker Allowlisting cannot be simply turned on and left alone. It requires in-house resources to properly manage at scale.

Users submit applications for installation, and I typically review them, granting or denying access as needed. While the volume isn't high, ThreatLocker Protect provides significant peace of mind knowing users aren't installing unauthorized or malicious software. Our biggest challenge has been user errors causing support requests. To address this, I've implemented rules for applications frequently used in daily operations. It's had a learning curve, but the effectiveness has been noticeable.

Making approval or denial decisions on requests is pretty straightforward for me. I haven't encountered any problems. However, I can see how it might be a bit confusing for less technical users. Things like allowing hashes and understanding all the terminology could be stumbling blocks. Still, I believe anyone with a few months to a year of IT experience would find it manageable. And of course, I was able to grasp it myself.

While allowlisting can help verify specific access requests, it doesn't guarantee overall trust as requests can still originate from compromised sources. In my experience, the zero trust model has proven the most effective approach. Its principle of "never trust, always verify" minimizes risk by scrutinizing every access, regardless of origin. We haven't encountered any security breaches with clients who implemented it, suggesting its efficacy. While antivirus remains a valuable layer of defense, I believe the zero trust framework, particularly in conjunction with ThreatLocker, offers the most robust security posture we've encountered. Thankfully, we haven't experienced any issues with this combination so far.

ThreatLocker Protect provides us with peace of mind. It's a game-changer. With it in place, we can be confident that employees are only using authorized applications, minimizing surprises and freeing up our time for other aspects of our work. We used to spend significant time dealing with malware, but that burden has been greatly reduced. Peace of mind is truly the main benefit.

Allowlisting has significantly reduced the number of tickets we receive from compromised accounts. It's eliminated them. However, we still get tickets from users who are confused about the new process, need things approved, or are feeling impatient. While the volume has decreased, these legitimate tickets related to access limitations are still present. Ultimately, we believe this trade-off is worth it for the sake of enhanced security. This is what we communicated to the team.

Implementing an allowlist has not only freed up our help desk staff for other projects but also aligns with my preference for approved application lists on both mobile devices and computers. This approach ensures smooth operation with minimal complications, and a positive outcome overall.

We utilize allowlisting alongside other security measures, with ThreatLocker as an additional layer. This choice stems from the absence of other comprehensive endpoint protection solutions, ensuring ThreatLocker doesn't overlap with existing safeguards. Therefore, it complements our antivirus for all users.

It initially took a couple of months for us to fully appreciate the benefits of ThreatLocker. While we put our people in learning mode for approximately a week to understand normal system processes, it wasn't until the lack of suspicious activity became evident that we truly recognized the impact. This doesn't diminish the importance of our existing security measures, including sound user guidance, phishing training, and other protocols that discourage risky behavior and minimize software installation needs. In essence, it took some time for the benefits of ThreatLocker to become fully apparent due to the effectiveness of our pre-existing security practices.

When new files arrive and people mention they've been tested twice in the virtual environment, I like to double-check for potential malware by scanning them on VirusTotal and other antivirus platforms. This adds an extra layer of security, which is especially helpful when I'm unsure about approving a file and research doesn't provide clear answers. The sandbox functionality is fantastic. It bolsters my confidence considerably, as it can reveal suspicious behavior like registry modifications even if initial scans are inconclusive. Overall, these features have been game-changers for me.

The current process for viewing software approval requests from end users has room for improvement. While it's generally functional, some users find it confusing. This can be due to either unfamiliarity with the process, unexpected appearance of the request window, or lack of clear instructions. Additionally, the notification box might not be sufficiently noticeable, as some users have reported missing it entirely.

Adding applications to the allowlist can sometimes feel overwhelming. The numerous fields, coupled with navigating the unfamiliar portal, can be daunting, especially on our first attempt. Even with explanations, recalling the necessary information and understanding the required actions for file inclusion can be tricky. I believe the initial learning curve for allowlisting is relatively steep. However, once mastered, it proves to be a valuable tool. My main concern lies with the initial learning hurdle.

I have been using ThreatLocker Protect for around four months.

ThreatLocker Protect has been mostly stable over the past six months. We did experience a single outage that lasted a day, which was disruptive due to pending approvals. However, this has been the only major incident in that timeframe, suggesting overall good stability.

ThreatLocker scales well and has been successfully deployed on all our required devices. We offer it as part of a premium package, but due to its higher cost, adoption among our clients is currently limited. Nevertheless, it meets our scalability needs effectively.

The implementation was relatively straightforward. We developed components or scripts for deployment to devices, avoiding major complications. Furthermore, we have a remote management tool in place for efficient installation.

Installing on everyone's machines is a fairly quick process, typically taking an hour with online devices. While it doesn't require much time, we recently spent two hours on calls with someone to guide us through it. This was because our previous setup, done by someone else in the company, had some errors. We've rectified them now, but it meant changing a few things. Overall, deployment should be smooth and swift, requiring two people and around an hour if all the devices are online.

The implementation was completed internally by our team. Given our extensive experience deploying vulnerability scanners for assessments, this process was relatively straightforward.

I would rate ThreatLocker Protect a seven out of ten. The learning curve is quite steep, especially for those without extensive IT experience. I found it challenging to master and had to rely on my team for guidance on several occasions. Even my manager isn't completely comfortable with it yet. However, once we overcome the initial hurdle, it truly shines.

ThreatLocker requires minimal maintenance, except for one recent instance where we reviewed its configuration. While it's designed to automatically update on user machines, I noticed some devices hadn't yet received the latest version. I manually initiated the update for these devices. The cause of the delay is unclear, though the devices are online, so it might be a network issue.

Ensure all future ThreatLocker users are thoroughly briefed on its functionality. We've encountered surprises among some users regarding the approval requirement for new activities. To avoid such issues, we recommend comprehensive pre-deployment communication, outlining ThreatLocker's purpose, features, and approval process.

We use ThreatLocker Allowlisting to control inventory and manage software. We want to make sure that we know which software is being used on our client computers and that we are only allowing approved software to run. This is in line with the principle of least privilege, which ensures that users are only allowed to do the things they need to do and not the things they don't. This is especially important for shared-use computers and different environments where users on the same computer may have different access levels.

The visibility into software approval requests of end users is easy. We not only have approval requests pushed directly into the platform, but we also have a ticket opened in our ticketing system. As the manager, I can run reports to see what requests are coming in from client organizations and how my technicians are handling them. This makes my life easier from a managerial perspective.

The combination of ThreatLocker and Ringfencing is excellent for blocking unknown threats and attacks. For example, we can ensure that all software stays within its designated sandbox. This means that I can run the PowerShell scripts from our RMM software, but nothing else can run the PowerShell scripts. With Ringfencing, we can say, "Allow this to run, but not that," or "Allow this website to be accessed to download an installer, but don't allow other websites to be accessed." Other use cases for Ringfencing include selective elevation of a process. For example, if a user needs to run QuickBooks and is elevated to an administrator to do so, then all privileged processes will also be elevated. However, with Ringfencing, we can prevent QuickBooks from opening PowerShell or anything else that it is not supposed to open. This helps to keep us safe and prevents unknown threats from exploiting compromised privileged processes.

In line with the textbook definition of a zero-trust model, every request must be approved. This can create some tension with clients, so it is important to get their buy-in on the process. With ThreatLocker's learning mode, we can make the approval process invisible to clients for the most part. We manually select which requests to approve and which to deny. By the time we set ThreatLocker to enforce everything, we have a good baseline of what is allowed and what is not. We have also communicated everything to the clients and found procedural ways to reduce friction.

ThreatLocker Allowlisting can help to reduce helpdesk tickets. On the one hand, we do receive approval requests with some regularity. However, on the other hand, overall tickets are reduced because we no longer have everyone trying to install iTunes or wondering why they're getting pop-ups in their browser because they have three different browser add-ons for coupon clippers that are laced with malware. After all, with ThreatLocker, users are not allowed to install these programs, to begin with, which reduces the tickets we would get after they've been installed because they're unpublished installations that any standard user could complete. The net result is an overall reduction in tickets, although there are some tickets required to manage the approvals.

ThreatLocker Allowlisting has saved our helpdesk around a 15 percent reduction in overall tickets. With the average handle time for a ticket being 14 minutes, if I have 100 tickets in a month, each one will take 14 minutes, for a total of 1,400 minutes per month.

The most valuable feature is selective elevation, which allows elevating an individual process to admin privilege without granting admin privilege to that user, which has been by far the most useful feature outside of the overall solution itself.

Approving or denying requests using the software can be more difficult to do correctly. Overall, it is easy to use, but it is not the easiest in the world to get right. There are some nuances and things that we need to understand.

ThreatLocker Allowlisting needs to improve its user interface and overall workflow. The UI looks very dated and is challenging to navigate, and we spent more time training technicians on how to interact with ThreatLocker than on what to do with it. The user experience needs a lot of work, but their beta portal is solving a lot of that. If I had to pick any lingering difficulty, it would be the learning curve to grasp how ThreatLocker manages what is allowed and the details around that.

I have been using ThreatLocker Allowlisting for almost two years.

We experienced some delays with our cloud agent. For example, when we changed a policy, it would take five minutes for the agent to receive the change. Or, we would tell the agent to enter a specific mode, and it would take five minutes for the agent to comply. This caused some delays in our ability to deliver services. However, the cloud provider has eliminated this issue. We now typically wait no more than thirty seconds for the agent to respond to our requests. This was a problem when we first started using the cloud agent, but it hasn't been a problem for about six months now.

We have had no scalability issues whatsoever, even though our largest environment is only about 75 endpoints. We are not working at the same scale as much larger companies, but for our size, ThreatLocker has been perfectly scalable. Whether I am deploying to one person or ten people, the same script is pushed out by the RMM and everything loads up in ThreatLocker within a matter of minutes.

The technical support team at ThreatLocker is incredibly experienced and knowledgeable. I especially value two things about interacting with them. I never have to wait long for a response. As chief operating officer, if a problem reaches my desk, it means that everyone below me has already tried and failed to solve it, or they simply didn't want to get ThreatLocker support involved. Since I have the most experience in-house, I'm usually the one who engages with ThreatLocker support. When I do, I never have to wait long to speak to someone who knows what they're doing. I always get escalated to the right level technician, even if I'm initially connected with more junior tech. ThreatLocker doesn't waste time walking me through scripts, procedures, and processes. Instead, they escalate my issue to the right person immediately so that they can help me solve whatever creative problem we're facing.

Positive

We had some experience with Microsoft's AppLocker, but managing it required too much manual effort for our small team that required a dedicated full-time employee. ThreatLocker Allowlisting is much easier to manage.

The initial deployment was straightforward. ThreatLocker provided the script to use in our RMM software. To deploy the software, we made some tweaks to accommodate our environment. We were then able to push out the agent in an entirely automated fashion. We had three people involved on our end, but it could have been done by a single person. We divided responsibilities to bring the product to market faster.

The implementation was completed in-house with the support of the ThreatLocker team.

In addition to the overall time savings, there are also quantifiable costs associated with the number of malware attacks that have been stopped by ThreatLocker. I can think of at least four or five instances where an executable file was blocked by ThreatLocker before it could be detected by SentinelOne or any of the other security solutions on the machine. It is difficult to say definitively whether SentinelOne would have detected these files after execution, but I do know that ThreatLocker has helped to improve our productivity and our clients' productivity by preventing users from installing unauthorized software, such as iTunes on work computers or Spotify on protected machines. By limiting users to only approved software, ThreatLocker has also made our jobs easier as IT service providers, as we no longer have to spend time hunting down unauthorized software, uninstalling things, or remediating malware, bloatware, adware, etc. As a result, we are dealing with far fewer rogue browser extensions, which has led to a reduction in tickets and overall management overhead.

We realized the benefits of ThreatLocker Allowlisting after six months of use. This was because we needed to become familiar with the product, build our baselines, and understand how it worked. We also needed to establish routines, build workflows, train our technicians, and educate our clients on how to interact with the software. By the six-month mark, we began to see a return on investment, and it was fully realized by the one-year mark.

The price of ThreatLocker Allowlisting is reasonable in the market, but it is not fantastic. It is also much less expensive than some other products we use.

We considered Auto Elevate from Cyberfox and Microsoft's AppLocker, but managing Microsoft's AppLocker would have required too much manual effort for our small team which would require a dedicated full-time employee. ThreatLocker Allowlisting is much easier to manage. ThreatLocker Allowlisting is a more comprehensive solution, and we liked the way that ThreatLocker said they would support us better than the other companies. With the other companies, it was more of a traditional support model, but with ThreatLocker, we have an average wait time of 30 seconds on our support chat. In the year and a half, almost two years, that we've been with ThreatLocker, this has always been the case. We've never had to wait more than 30 minutes to get a live human being who is an expert on ThreatLocker. If they can't solve the problem, they'll escalate it to someone who can. Beyond that, they stand behind their product. Because it's such a complicated product, and we're a small company, this was all the difference to us. We knew that if we had problems, we would have their team to lean on for help, and they've stood behind their product.

I would rate ThreatLocker Allowlisting nine out of ten. ThreatLocker Allowlisting is not a perfect product, but they do a fantastic job of continuing to improve it and make it more approachable.

There are management and overhead costs, as well as maintenance costs associated with changing or updating the lists. There is also some limited maintenance required as programs and hashes change. Additionally, we need to make some updates to properly maintain the lists, consolidate policies, and so on.

Try ThreatLocker risk-free and work with their team. They can make their complex product more approachable so that users can see its benefits and capabilities.

It's a solution for software whitelisting. It blocks applications from running. If there is any DLL or something else running on your computer, the admin or admins of the service get an alert. If an end-user is trying to install something that has been blocked by the organization, the admins get alerted.

We can sleep easier knowing viruses aren't installing things, employees aren't installing things, and nothing is running without someone getting an alert and having eyes on it and approving it.

Ringfencing is a great feature. There is grainy clarity. You can get down into the Ringfencing where you can either completely ring-fence something or you can manually choose what you want it to reach out to. The combination of Allowlisting with Ringfencing for blocking unknown threats and attacks is a great combination because you want to allow the software, but then you, as an admin, are not aware of what every piece of software does. So, you wanna start off being strict and just allow the application, but you would want to ring-fence it in case it beacons out to the internet or goes over ports that you don't think it should be traversing across. That's ringfencing, and it blocks that, but then when the end-user reaches back and says that a part of this software isn't working as it should be, then you can get into that granularity where you can look at the ringfencing policy. You can adjust the ringfencing policy from the strictest to allowing certain parts.

Establishing trust for every access request, no matter where it comes from, is a wonderful thing, and it's needed, but it can hinder and slow down. It adds steps for the end-users because they can't just go wild and install whatever they want, but ultimately, that's one of the main reasons why we invested in ThreatLocker and why we love it because it actually works as they say it should.

In terms of Allowlisting helping us reduce our organization’s help desk tickets, it's twofold because if we didn't have this, we would be getting tons of help desk tickets about bad things happening in the company because people are allowed to install whatever they want. They could be watching Twitch, YouTube, etc. They could be installing video games, which in itself would then create tons of help desk tickets for us. On the other hand, anytime someone wants to install something, we would get a help desk ticket for it. So, either way, we'd be getting help desk tickets, but at least the help desk tickets that we're getting for ThreatLocker are the type we want because now we know we're safe and secure and we're ahead of the curve for safety. Instead of being a reactive help desk ticket where you install something, and your computer is broken, now it's more proactive where you raise a ticket to install something, and your computer is not infected. We don't have to spend hours reimaging, tracking things down, being a victim of ransomware, etc.

Allowlisting has helped to free up help desk staff for other projects because now, we can allow elevation, and we can allow the approvals from an admin through it. We don't have to send people physically to go to a person's desk to do installations or set up online meetings with them to share out where we can assist with the installs. It has freed up time for the help desk staff.

Allowlisting has helped to consolidate applications and tools. We now get to see what everyone is trying to install, and we can find out why people are installing a particular application when another one has already been approved to do the same type of thing. Previously, we didn't know about that. One of the big ones would be SolidWorks. A lot of people have looked at three applications for drawing, and when we see that coming through for a request, we can suggest and ask them what about SolidWorks, and then they use that.

Feature-wise, the learning mode and the fact that it's blocking everything are the most valuable. I don't see why more companies don't use the type of product.

I like how it blocks everything. The learning mode is another feature that I like. It operates in the learning mode in the beginning. When you first get it set up in your environment, you don't want every computer to not be able to work and not be able to run the normal fresh install of Windows or other operating systems, so when we first got it set up, we were able to put it into learning mode, which was wonderful. The learning mode is a great feature they have where the computer allows everything and just learns about your typical environment and then makes a good baseline from there.

The idea that it can block everything is wonderful because, in our company, we have to follow the cybersecurity requirements of the Department of Defense. They have very strict guidelines. This software helps us meet and cross off the many cybersecurity checklists for the environment, especially for software installs and what's allowed to run in our environment. That's one of the greatest features.

Its graphical user interface is very intuitive. It's very well laid out and detailed, and it's very easy to find things. I don't have anything to suggest to them in that regard. I've made other suggestions to their company for some features, but for the way its interface is or for proving things or how to use it, I've had no suggestions.

A great thing is that you have to be their customer, but with no extra add-on, you can have access to their ThreatLocker university, where you can learn and watch videos on how to do everything.

Another great thing is that they have online cyber heroes, and I have never created a ticket and waited more than five minutes until a live person was on my check. They're immediately able to get into my tenant. They can set up a Zoom call and share their screen and show me exactly what I'm missing or where to go.

You need to have ThreatLocker agent software on every client or every computer that you want to be protected by the ThreatLocker Allowlisting application. If you have a thousand computers with ThreatLocker agents on them, when you approve or create a new policy saying that Adobe Reader that matches this hashtag and meets certain criteria is allowed to be installed, it applies at the top level or the organization level. It applies to every computer in the company. When you make that new policy and push it out and it goes out and updates all of the clients. Unfortunately, at this time, it does not look like they stagger the push-out. If your company only has a 100-megabytes internet line and you send out that update of 1 megabyte to a thousand computers, because it's sending that out to a thousand at the same time, you're using up a thousand megabytes right there. So, you could saturate your network. We have suggested they stagger it. If the system sees that there are a thousand computers, it should just try to send out to a hundred, and after that's completed, send out to the next hundred. That way, it's not saturating your network.

Other than that, feature-wise, it's a great solid product. I have not come up with anything that they should do. Even when I thought I had an issue, they showed me that I have to look here to adjust that setting. For example, when you first join a computer, it automatically puts that computer in learning mode. You can set the time for how long it automatically stays in the mode. I believe the default setting was a month or something like that, and we thought that was too long. Their cyber heroes helped me find the area to adjust that. They already had the solution for that. I just wasn't aware of it.

We have been using it since September 2021.

The part that can cause bandwidth issues is one of the only things where I see companies not going with them, but they probably wouldn't know that until they finally get to use the product. That would be the only downfall to it.

It grows with your company, and it learns with your company. It's very good with scalability. They're always pushing updates. It's learning all the newest software that comes out. It's picking up. I'd rate it a 10 out of 10 in terms of scalability.

It's required on every computer and every server in our company nationwide. We're pretty small. Our computer count is 225. We have 120 users, but we have servers. Some people have multiple computers. We have lab computers. We have computers that are just stationary set up to 3D printers. Every computer has to have it. That's why we have more computers than employees.

Their support is phenomenal. I rarely say that about customer support. We all have had our nightmares with certain customer support scenarios, but I've not run into any issues with ThreatLocker. They are one of the best. I've been in this industry for over eighteen years. Not just in this industry, but also as a person, you deal with customer service everywhere you go, such as McDonald's, Target, Comcast, Verizon, etc. ThreatLocker support is one of the best I've ever experienced. I'd rate them a 10 out of 10.

Positive

We didn't use a similar solution before. The closest solution we ever used was to whitelist the internet. So, you cannot go out to any website unless you've requested it, and it has been approved. Once we approve it, anyone can go to that website. We used a proxy for our internet traffic.

I personally don't physically deploy it. It gets pushed out by our software center. Any new computer gets the client installed, and then that client with API package and everything else reaches back to and joins our tenant, and then we see it in the dashboard. My role is to make sure that every new machine has it. I am the admin for our company for ThreatLocker. I do audits on what the system sees as how many computers we have connected to ThreatLocker, and make sure that I'm deleting any computer that was removed from our domain. If any new computer joins, I have to make sure that it does register in ThreatLocker because sometimes, because of an internal networking error or something else, computers get the client, but it doesn't beacon out and get associated with our tenant. So, I have to do that.

Its implementation was very quick. Once we got it, it took maybe a week to work with the team to get everything staged. When it was first introduced, we left our computers in learning mode for several months, which is highly recommended. That's how we worked with ThreatLocker support and how they helped us get it all set up. After six months of learning our environment in terms of what's normal, what's allowed, and what they shouldn't block, the keys were handed over. We were told that this is our baseline and to go from there.

Its maintenance includes receiving updates on a new package. I also audit it because even though employees see a request pop up, not every employee would click on it because they won't know. So, I still need to audit. For example, a bad virus wants to run on Bill's computer. Bill will see a ThreatLocker popup saying this thing is trying to run. A lot of times, end-users think that they didn't run anything, so they just hit cancel, and I won't get alerted for that. So, I do have to physically go into the audit. Often, I look and just pull up an audit since the last time to see everything that got blocked. I go through it, and I still look for anything that was malicious because we still have to be aware of that so that we can take action.

The other part that I have to do maintenance on is just making sure that the license count is correct, and that the number of computers that the user interface says are registered is similar to what we have. I go in there and make sure that there are truly that many.

We have seen an ROI. Knowing that ransomware or viruses have been stopped and can't process, the savings pay for it.

Its time to value was within one week. In the first week, we got to see what was getting blocked. It was very eye-opening to see what was happening on all the computers with the processes that we were trying to run or install. It was definitely within the first week.

Considering what this product does, ThreatLocker is very well-priced, if not too nicely priced for the customer.

I know my manager did evaluate other options. I don't recall which products were looked at, but their features were very similar. Their price was extremely high, especially compared to ThreatLocker. 

Before you buy, you need to educate your employees and let them know this is adding a safety step to the process of installing software. You also need to be prepared because if the admin isn't around, then you're going to slow down. The person is not going to be able to install the software. That is something you do need to be aware of.

It's extremely easy for an admin to approve or deny requests using Allowlisting. The only caveat to that is that because of the way that ThreatLocker is set up and how minutely you can dive down into a software install, there could be issues with some pieces of software. For example, I approve of you installing Adobe Reader. If you run that install from your desktop, and I approve it, there's a certain way to say I want it to approve this exact installation. What that means is that I approve it for that one person. If someone else tries to run that exact same install package, but it, for example, is not from the desktop and is from a shared drive or from a USB, because of that one tiny change, it will technically get blocked. To some people, it's a little confusing. If you understand how the system works, it's easy. You can use a wildcard to say this install package can be installed from any location. So, when you learn those little tips and tricks, it gets a whole lot easier, but in the very beginning, if you're fresh getting into this, or it was thrown in your lap and you were told that you're the administrator for ThreatLocker, it can be a little confusing. The great thing is that ThreatLocker has something called the install mode. Basically, you're putting a computer in a mode for a temporary amount of time, which the admin can control. When a computer is put into the install mode, ThreatLocker won't block anything. You can go ahead and run any executable. It'll allow the installation, and it'll apply it to that application or policy name that you wanna apply it to. If you're doing it for Adobe, you could add it to the Adobe Reader policy. So, it's very easy. Even if you had any issues, their support is phenomenal.

Overall, I'd rate ThreatLocker Allowlisting a 9 out of 10.