ThreatLocker is NOT Spyware (EP 926)
Discover why ThreatLocker is a powerful shield and not spyware, as Uncle Marv shares practical stories and tips for MSPs on managing application allowlisting, exit strategies, and protecting client networks. Learn about legal risks in Florida and how to avoid compliance pitfalls during provider transitions.
Thinking ThreatLocker is spyware? Think again! Uncle Marv breaks down what ThreatLocker really does. Uncle Marv also shares candid stories and lessons for MSPs, from protecting client networks to handling difficult provider transitions and legal compliance. If you’re serious about your MSP reputation and want to stay on the right side of the law, this episode is a must-listen.
- Understand why ThreatLocker is not spyware and how it actually protects client environments.
- Learn practical ways to educate both clients and vendor technicians about modern security and application allowlisting.
- Recognize the importance of MSP professionalism, especially during client offboarding or provider transitions.
- Grasp legal risks for MSPs in Florida if RMM or EDR agents are left behind, including the consequences cited under Florida Statute 815.06.
Read Florida Statute 815.06 (Offenses Against Computer Users): https://tinyurl.com/4bpbsu78
SHOW INFORMATION:
- Website: https://www.itbusinesspodcast.com/
- Host: Marvin Bee
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, a show for IT professionals and managed service providers where we help you run your business better, smarter and faster. Well, we are in between conferences, folks. You just finished listening to several episodes from the ASCII Cup in Philadelphia, and you're going to be hearing soon a whole bunch of podcasts from my time at IT Nation, but I wanted to give you a little something in between, because I had something happen right as I was getting ready to leave my office on Tuesday afternoon to head up to Orlando. And that was a software vendor that was trying to install software on one of my client's computers, and of course I have ThreatLocker installed on that computer, and they weren't able to install it. And the only thing that the tech could say was, "Oh, you've got some sort of spyware on here that you've got to get off." And my client actually was able to say, "Oh, it's probably not, it's my IT guy, he blocked stuff to help protect us." But regardless, they had to call, obviously do the submit request for that. And I did not talk directly with the tech, but I was a little bit annoyed at the way that he described ThreatLocker as spyware. But then I thought, you know, I probably should give that technician a little grace, because I have to imagine that there are probably a lot of people that have no idea what ThreatLocker is or how it works. And I know that there's other software that also does this, but most of the time people that are doing installations, and if they are doing, you know, level one support for a vendor or for a product, they have no idea what, you know, service providers do or even large organizations do.
To give you a little bit of history on this, this was an auto body shop, and they have estimating software where, when they get a car in, they have to, you know, go around and document all of the things that they intend to fix. They put it into the estimating software, it actually goes up to an insurance provider where they can approve the estimate or make changes to it and stuff like that. And the auto body industry, like a lot of industries, have kind of been used to doing stuff on their own.
So for a lot of smaller shops if they only have, you know, one, two or three estimators, they're used to just remoting in and doing stuff themselves. It has been that way for a long time and so I have a handful of shops that I still support. I did a ton of these back in the early 2000s and it was a whole different deal.
They would have to be sent by CD and obviously recently with remote support they just, you know, do all downloads and stuff and anytime there's an issue they have their own tech support that remote in and do stuff. So it's only been in the past couple of years that they've run into this issue where they can't do stuff like they used to. One of the reasons is because I don't allow any of my customers to have admin access on their desktops.
So that's one thing, they usually have to get admin access. Well now, even with admin access, if their software is not approved or if there's an update that is significantly different than what they had before, well, it's going to be blocked. So it's been something of a little bit of an education that I've had to do so I thought, you know what, let me throw this out there because I don't know how many others are dealing with this but I'm sure you guys are.
And, you know, one of the things we have to do is put our clients in a position that one, they understand what ThreatLocker is, they know what it's doing, they know why we're putting it in there and that it's something that they can understand. They need to know that it's not spyware, it's not collecting their data or monitoring their screenshots, when in fact it's enforcing policies and it is deciding what apps can run, what files can access each other and where executables can go and it's helping to prevent things like ransomware and, you know, situations like that. So, you know, we have to think of it as like a bouncer, you know, just like a club where not anyone gets into the club and that's the same way we treat our software.
Not every software gets into our network. So having our customers understand that so the ones that are used to calling for support through, you know, business-class apps, they know what they're getting into. Now, hopefully we would really want the idea of anytime there needs to be something installed or anything done, they're going to contact us and let us talk with the vendor.
However, there are a lot of situations where I know some of you out there, you don't want to support software, you don't want to handle that, you just want to support the computers, you want to do the projects and you won't let the customer contact the vendor. I try not to. I say, look, call me first and let's work it out.
But in this case, this is a software that probably had not been updated in the two years that I had had ThreatLocker on their system and he had been used to just simply calling them whenever they had an issue. It's an estimating software. I know about the software.
I don't really know it. I can help them install it. But if they run into an issue, I can't help them.
So it wasn't really, you know, far-fetched for them to call the vendor and then for the vendor to just simply say, hey, let me connect to your computer. In this case, it's funny because I have other clients where we have actually blocked remote support software. So, you know, things like TeamViewer and, you know, LogMeIn and stuff can't even be run because we've blocked it.
So the technicians find out very early that they cannot do anything. But in some cases, you know, it's not blocked and they get on the computer and then try to run stuff. So that was just something that just stuck in my head during my drive to Orlando that the whole idea that, you know, ThreatLocker is not spyware.
And not only do we need to educate our customers about it, but we also need to explain it to them in a way that they can explain it to other vendors, other techs, if for some reason they're trying to do stuff without us. And then, of course, we need to go a little beyond that because we probably need to help the rest of the tech industry outside of managed service providers. You know, I have to explain stuff to the juniors that I work with all the time that they're not going to run into these situations.
They're not going to know all these software. So we have to help educate them so that they're not spreading misinformation because they don't understand a technology. So that way now, at least anybody that I work with, you know, when they see ThreatLocker in action, they understand that it's a shield and not a spy.
So I wanted to get that out there. The second thing I wanted to get out is I had somebody reach out to me and ask about a situation where another MSP, and we'll just say a previous MSP that had moved on, and this person was taking over managing the network, but the old provider had left their RMM agent behind. And it was an RMM agent and an EDR product.
And when they tried to uninstall it, they couldn't. They ran into some issues. And when they reached out to the previous provider, the previous provider was like, yeah, you're on your own, good luck, and don't call us again.
So we've got multiple issues there. But one of the things that I had asked the person, I said, did you actually, you know, go in and document everything before you started working? Because that's probably the first thing to do is to give the customer a full inventory of, look, this software is on your network. This is from the previous provider.
You need to make sure that they remove it. I know that with some of the products, yes, you can go in and find a removal tool. But I know that there are cases, and I've got one of those pieces of software where in order to uninstall that piece of software, there has to be a special code for each system, a unique code.
So I can understand that if somebody tried to come in and take over one of my clients, they're not just going to be able to uninstall most of my stuff. Now, if I knew that was happening, I would just go in and remove it. I'm not going to be like this previous provider and say, you know, go suck it or something like that.
But that's the one thing you should do. Obviously, if you're taking over a situation, you know, try to document everything ahead of time. That way, if you do run into problems, it's all documented for you and the client, and you can figure out what to do there.
The other side to that is we have several groups in our little circle here that are trying to raise the bar when it comes to professionalism in our industry. You know, how we act as an MSP and, you know, how you exit a client is just as much a professional notice as how you enter a client. So if you're having an attitude with the client, if you're having an attitude with the incoming company, well, that says just as much about you and our industry as it does about anything else.
Now, obviously, I get it. You might be leaving under bad terms. The client never paid you.
The client's, you know, is a jerk. You didn't get along. Whatever the reason, the bottom line is, you know, be professional in this situation and don't force the new MSP to have to deal with you in a negative way.
It just sets a very bad precedent. Now, in Florida, I know that that is something that is really being looked at right now, and in fact, there is a legal provision, actually, I should say a Florida state statute that is known as the Offenses Against Computer Users statute, where you can actually be held legally accountable if you fail to remove your software, whether it's an RMM, an EDR agent, or anything that allows unauthorized access to somebody's computer. It falls under the Computer Fraud and Abuse Act, and again, this is in Florida.
I don't know if it's anywhere else in this country. I'm going to assume that it is, and I'm going to assume that it's coming because MSPs are, you know, we're falling into a little gray area where we are, you know, not only responsible for protecting our clients, we're also responsible for the holes that we allow, especially if we are, you know, technically no longer supporting them, but we are leaving them at a disadvantage because of that. So, in Florida, clients can sue MSPs for breach of contract or for any damage arising from the continued presence of management software, and that includes cost of, you know, breaches, downtime, or anything like that.
So, the way that it was explained to me, and I'm going to tell you, folks, this is not legal advice, but this is an interpretation by someone who I think may have had some experience with this, but the idea of downtime, I know that when I have seen this question in some of the groups and forums, you know, everybody says, well, you may have to reimage the system. So, what could happen is that the client could see that as downtime and then turn around and sue the previous MSP as part of that downtime, as part of that statute, because you are now causing undue harm to their business. So, you know, I don't know where that falls into the breach of contract stuff, but, you know, we as MSPs, we're liable for a lot of damages and losses suffered by clients.
So, obviously, if you leave stuff on a network that they then have to remedy, causing them, you know, suffrage, that's something that we're going to be held to. So, yeah, so clients can sue, and if you intentionally, you know, maintain access or use, you know, software that, you know, what they call lingering software where you can still access, monitor, and manipulate their systems, you're doing it without authorization. And so, you can, again, be prosecuted for that under not just state, but also federal computer crime laws.
So, these are things that can, you know, have significant fines and in some cases imprisonment. So, I have a couple of things out to some of our legal technology attorneys out there to talk more about this because, like I said, I've seen this. The statute in Florida that I've been studying, just so you guys don't know I'm making this up, is Florida Statute 815.06, and that is the one, as I said earlier, it's known as the Offenses Against Computer Users Statute, and it addresses computer-related crimes in Florida, and it outlines some serious penalties for improper access, disruption, or damage to computer networks and electronic devices.
And that includes not only unauthorized access, but disruption and denial of service. So, excuse me, so that was something where I told that person to obviously document everything, and if they could not come up with a way to do that, have the client, you know, report this previous MSP. I don't like to do that because I hope that we can all get along, but listen, folks, we've got a reputation and we've got some etiquette that we've got to do as MSPs, and the whole idea of raising our standards and the whole idea that some people are suggesting that we need to be regulated, we need to be licensed, is because of situations like this.
And, you know, being fined, you know, $5,000 per offense, or having the threat of going to prison for five years, listen, I don't want that. So if I have a situation where I've lost a customer for whatever reason, whether it's, you know, I fired them or they fired me, my software's coming off. Now, there's only one situation that I have done so far in my 28 years where I was an outgoing MSP and I told my client that I am not removing my software until the new provider is there to put theirs in because I did not want to be responsible for anything that happened, you know, from the time that I technically said I was done in the time that they were starting because I didn't know exactly when that other provider was going to be taken over.
So I didn't want there to be any risk of, you know, virus or malware. Even backup, I was doing, I was doing a Datto BDR for them at the time, and we needed to go through the transfer of ownership of that Datto appliance. The other provider had not worked with Datto before, so they needed, I think it took two months for them to get signed up with Datto and get in a place where we could do a transfer there.
So even though I was supposed to be done on one date, my software did not come off until two years, two months, not years, two months later because I was not going to leave it unprotected. And they were happy; they were okay with that. And the only thing we had to do was a technician had to call me, or the client had to call me to say, somebody is here to start installing software.
And basically, as soon as I saw the first machine, you know, get installed, all of my stuff came off. And that was the only time that I had to do that. It was a fair compromise, at least in our minds at the time.
They were not left unprotected, so if anything did happen, we didn't get into finger pointing of, well, you have a new provider, let them deal with it. Or the new provider saying, well, no, we haven't taken over yet, you're still responsible. So that was the way that we did that.
So listen, folks, in most cases, it takes, what, just a few minutes to uninstall software, revoke your credentials. You do a runbook if you're using something like an IT Glue, you send them all the necessary passwords they have, and then you're done. But what's really good about that is your reputation is intact.
Your client, your previous client, that MSP knows, you did your job in making sure that they were protected, you handed over everything as you were supposed to, you didn't leave anybody, you know, in a bad position. And the closest thing to a golden rule that I have when it comes to networks is you want to leave an environment better than when you found it, and you don't want to leave anything behind. So that's kind of what was on my mind here.
The next time that you hear me, folks, it'll be with interviews and podcasts from IT Nation, but these were thoughts I wanted to get out to you and not come, you know, come back after I had, you know, lost my thoughts or things of that nature. But ThreatLocker is not spyware, and MSP etiquette is just as important on the way in as it is on the way out. That's it, folks.
Thank you for tuning in. We'll see you soon. And until then, Holla!
