Ringfencing Application Interaction
Ringfencing enables you to decide what Applications a program can or cannot interact with. This will help eliminate the possibility that a threat actor can use a good Application in a malicious way. It is a good idea to block interaction with the powerful built-in Windows tools that you know an Application doesn't need access to.
The following screenshot is from the ThreatLocker default Microsoft Office Policy. You can see it is denying Office access to PowerShell, Command Prompt, CScript, RegSVR32, Forfiles, and Scheduled Tasks.
Fileless malware is malware that runs strictly in memory. It is often a PowerShell script that has been hidden in a legitimate-looking file, like a Word document for example. If you were to receive a Word document that tried to call on PowerShell to carry out malicious activity, it would not be able to access PowerShell because this Ringfencing Policy blocks Microsoft Office from interacting with PowerShell.
ThreatLocker recommends implementing our suggested Ringfencing Policies for any Application you use that we provide suggested Ringfencing Policies for.
Navigate to Application Control > Policies. Select the 'Add Suggested Policies' button at the top of the page.
Select the checkbox next to any Application you are currently using and then click the 'Add Suggested Policies' button at the top of the page.
If there is no suggested Policy and you are unsure of what your Application may need to interact with, we suggest setting your Ringfencing policy in a 'monitor' status for a week to allow you the opportunity to observe the Application's behavior and add in any exclusions you will need to this Policy without causing work blocks for you users.
Monitor the activity in the Unified Audit for a week or so to see what exclusions you need to add to your Ringfenced Policy before you switch it to 'Secured' status. Set the start and end date for your specified time period. Then, input the name of the Policy you are observing the Ringfencing on in the 'Policy Name' text box, and select 'Ringfenced' in the 'Action' dropdown before clicking the 'Search' button. This will quickly show you all the Ringfenced activity for that specific Policy.
When you are applying Ringfencing to an Application that has previously not had Ringfencing applied, it is very important to place that specific Policy into a Monitor Only Status for about a week.
Failure to place a new Ringfencing Policy into a Monitor Only Status for a week may possibly impact your day-to-day business operations.
Ringfencing -Registry Activity