Company logoHelp Center
Visit www.threatlocker.com

Ringfencing File Access

2 min. readlast update: 07.22.2025

Note: For information regarding Monitored Paths, please consult the following article:

Configuring the Monitoring of Storage Locations | ThreatLocker Help Center

Ringfencing can be used with Allowlisting policies to block file access.

When you enable the "Restrict this application from accessing files?" option, the application(s) in the policy will be prevented from accessing any files, file paths, or file extensions.

undefined

File access Ringfencing restrictions will only be enforced against "monitored" files, file paths, and file extensions. "Monitoring" is achieved by specifying the targeted files, file paths, or file extensions as Monitored Paths or configuring them as targets within an enabled Storage Control or ThreatLocker Detect policy. File access Ringfencing restrictions will no longer be enforced if the targeted files, paths, or extensions are removed from the ThreatLocker object's Monitored Paths list, and any related Storage Control or Detect policies are disabled or deleted.

To add a file path, type it into the 'Path' textbox, choose to permit or deny, read or read & write permission, and then click 'Add'. If you have permitted c:\users\*\Documents\* but you want to deny c:\users\*\Documents\accounting, type in c:\users\*\Documents\accounting\* and choose 'deny' as the action, and then you will be permitting access to all of the documents folder except the accounting subfolder, and that will be denied.  

undefined

Note: Exceptions to file access Ringfencing restrictions must also be specifed as or nested within existing Monitored Paths, or otherwise configured as targets in enabled Storage Control or Detect policies.

Note: Exceptions are hierarchized in a top-down order.

Notice the use of wildcards in the path. You have the ability to use multiple wildcards if needed when specifying a specific file path to incorporate entire folders, and/or any username. If you wanted to allow an application to only access a specific file type, you can specify that with a wildcard. (e.g. *.pdf) You can even specify that an application can access only certain file types in a specific folder. (e.g., c:\users\*\Documents\*.pdf)

When you are applying Ringfencing to an application that has previously not had Ringfencing applied, it is very important to place that specific policy into a Monitor Only status for about a week.  

Failure to place a new Ringfencing policy into a Monitor Only status for a week may impact your day-to-day business operations. 

Ringfencing - Application Interaction

Ringfencing- Internet Access

Ringfencing - Registry Activity

Ringfencing a New Application

Was this article helpful?