I would like Huntress to add a ringfencing-style feature similar to ThreatLocker. The goal would be to allow trusted tools, programs, and scripts to run, but still limit what they can access or do.
## Why
RMM agents, PowerShell, CMD, batch files, installers, remote support tools, and automation platforms are extremely powerful. They can install software, change settings, run commands, and reach the internet. Even when legitimate, they create major risk if abused, misconfigured, or compromised.
Ringfencing would help Huntress limit a trusted tool to only the actions it actually needs instead of giving it full system access.
## Huntress Known-Good Profiles
A major benefit would be if Huntress could use historical data across all Huntress-protected environments to help build known-good profiles for common programs, scripts, and tools.
For example, Huntress could identify commonly used legitimate applications and their normal behavior, such as:
  • Expected child processes
  • Normal file paths
  • Normal script behavior
  • Common install/update behavior
  • Approved publishers
  • Expected internet destinations
  • Typical command-line activity
  • Whether the tool is commonly seen across other Huntress-protected devices
Huntress could then offer recommended ringfencing templates or known-good policies for trusted software and scripts. MSPs could enable these Huntress-recommended profiles and still customize them per organization, group, or device.
This would make deployment much easier because every MSP would not have to build ringfencing rules from scratch.
## Suggested Controls
Huntress could support policies that:
  • Block scripts from accessing the internet unless allowed
  • Allow internet access only to approved domains/URLs
  • Limit scripts to approved folders or working directories
  • Prevent access to sensitive folders, credential stores, browser data, backups, and security tools
  • Prevent scripts from disabling or modifying endpoint protection
  • Block unexpected child processes
  • Block downloaded files from being executed automatically
  • Prevent trusted tools from launching untrusted apps
  • Detect when an approved script starts behaving differently
  • Use Huntress historical telemetry to recommend known-good applications, scripts, and behavior
  • Require approval when a trusted tool performs a new or risky action
## Example
A technician runs an approved PowerShell script. Huntress could still check:
  • Is it downloading files?
  • Is it launching another process?
  • Is it touching credentials or browser data?
  • Is it changing security settings?
  • Is this behavior normal for this script?
  • Does this match Huntress-known-good behavior seen across other environments?
If the script does something outside its approved behavior, Huntress could alert, block, or pause for approval.
## Benefit
This would help protect against script abuse, PowerShell abuse, RMM misuse, malicious child processes, security tool tampering, credential theft attempts, unauthorized downloads, lateral movement, and supply chain-style attacks.
The main value is that approved tools would no longer have unlimited access by default. Huntress could also make this easier to manage by using its own historical data to recommend safe, known-good programs, scripts, and behaviors.
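The checks listed under "Suggested Controls" and "Example" above, sketched as an added example that is not part of the original request and is not Huntress or ThreatLocker code. The policy schema, function names, profile values and events are all assumptions constructed for illustration.

```python
# Added illustration: a hypothetical ringfencing evaluator, not Huntress or ThreatLocker code.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ntpath import normpath  # Windows path rules, whatever OS this runs on

@dataclass
class Profile:  # hypothetical policy schema
    allowed_children: frozenset
    allowed_domains: frozenset
    allowed_dirs: tuple
    denied_paths: tuple  # glob patterns, checked before allowed_dirs

def _norm(path):
    return normpath(path).lower()  # collapse ..\ segments, ignore case

def evaluate(profile, event):
    """Return 'allow', 'block' or 'approve' (pause for approval) for one event."""
    kind, target = event
    if kind == "process":
        return "allow" if target.lower() in profile.allowed_children else "block"
    if kind == "network":
        host = target.lower().rstrip(".")
        ok = any(host == d or host.endswith("." + d) for d in profile.allowed_domains)
        return "allow" if ok else "block"
    if kind == "file":
        p = _norm(target)
        if any(fnmatchcase(p, pat.lower()) for pat in profile.denied_paths):
            return "block"
        dirs = [_norm(d) for d in profile.allowed_dirs]
        return "allow" if any(p.startswith(d + "\\") for d in dirs) else "approve"
    return "approve"  # action type the profile has never seen

# Constructed profile and events for a made-up deployment script.
PROFILE = Profile(
    allowed_children=frozenset({"msiexec.exe"}),
    allowed_domains=frozenset({"updates.example.com"}),
    allowed_dirs=(r"C:\ProgramData\ExampleRMM\Staging",),
    denied_paths=(r"C:\Users\*\AppData\Local\Google\Chrome\User Data\*",),
)
EVENTS = [
    ("process", "msiexec.exe"),
    ("process", "cmd.exe"),
    ("network", "cdn.updates.example.com"),
    ("network", "updates.example.com.other.test"),
    ("file", r"C:\ProgramData\ExampleRMM\Staging\agent.msi"),
    ("file", r"C:\ProgramData\ExampleRMM\Staging\..\..\..\Users\tech\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("file", r"C:\Temp\out.log"),
    ("registry", r"HKLM\SOFTWARE\Example"),
]

def verdicts():
    return [evaluate(PROFILE, e) for e in EVENTS]
```

The sixth event starts inside the approved staging folder but resolves to browser data after normalization, which is why paths are normalized before either list is consulted.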