ZeroLock® Capabilities Overview

Overview of the core capabilities the ZeroLock® solution provides.

Built for zero trust environments and requiring minimal system overhead, ZeroLock provides protection that stops zero-day, file-based, and fileless attacks. Our advanced technology provides low-impact monitoring which, coupled with proof-based AI/ML-driven detection, not only stops attacks at machine speed, but provides automatic remediation and restoration for Linux systems. ZeroLock supports both containerization (e.g., Docker) and virtualization (e.g., VMWare) of any Linux version and any variant (e.g., Red Hat, Ubuntu) running on kernel version 3.5 or later.

Architecture: Fast System Call Intercept vs. Kernel Module 

ZeroLock uses a patent-pending method to capture system calls. This method creates a "micro-perimeter" that allows us to monitor the system calls – network access, file access, and privileged process access – used by all applications, including those with malicious intent. Our approach is to focus on monitoring the processes and system calls that matter. Though CPU overhead may momentarily increase as much as 10-20% during an attack, it will generally be less than 1%. 

The ZeroLock approach does not modify the kernel so overall stability of the defended system is maintained. Our approach focuses on monitoring vulnerable processes and "attack surface" processes which  can create malicious processes, on a protected system. ZeroLock also monitors processes spawned by the attack surface to catch elusive malware that abuses process creation methods. Our unique methodology allows us to monitor and protect the original process we discover, and all child processes created by either regular process forking or those created with malicious intent. This approach allows us to minimize the footprint and overhead required to protect a system and reduce the potential for malicious code interfering with or obfuscating our detection algorithms.

Unlike generic solutions that try to be all things to all threats, ZeroLock is focused on protecting against the specific threats of ransomware, cryptojacking, and unauthorized data exfiltration. This threat-specific approach gives us an advantage in understanding the techniques employed and reduces the monitoring overhead required to protect systems against these specific threats.  

Distributed AI & Machine Learning Architecture 

ZeroLock's detection and protection methodologies are architected to be highly efficient with real-time effectiveness, yet able to continually learn and adapt from our ever-expanding malware analysis ecosystem. 

Our team of programmers and advisors specializing in AI and machine learning, has built a system based on the  analysis of millions of attacks.  Additionally, this system  is continually training in new tactics, techniques, and procedures used in file-based and fileless attacks. We have consolidated those capabilities into a continuously learning algorithm that operates in real-time on the host. It receives updates as new training sets are completed and compiled into ZeroLock update modules. We look at advanced behavioral markers of processes on a protected system to determine if an attack is active.

Benefits of using an algorithm as opposed to a traditional vendor's data file include:

  1. Faster detection,
  2. Lower overhead on the protected system,
  3. Fewer false positive/false negative determinations, and
  4. Increased difficulty in circumvention using deceptive techniques.

An additional benefit is that as deployments grow, opt-in partners will expand the ability to profile behaviors that will add to the AI-based training. 

Having learned the types of behavior and actions exhibited by ransomware during an attack, i.e., searching for files, reading files, creating encrypted copies, and deleting files, our proprietary algorithm is able to provide highly effective and efficient protection against ransomware. By understanding the behavior of ransomware through extensive research, iterative development, and extensive testing, we can determine if a process is operating within the system as it is supposed to be and not a compromised process executing an attack. 


Threats are constantly evolving, with threat actors continuously improving and refining their attacks. Because of this, no solution is complete without the ability to remediate damage when a threat is not stopped immediately. To protect against the unknowns, ZeroLock copies all deleted or written files (encryption is considered a write operation) to a protected cache area while the suspect actions and process(es) involved are evaluated. This approach allows us to automatically restore files that have been compromised, deleted, or encrypted by malicious code. 

To ensure that the file copies are protected and not altered, any process we are monitoring cannot access the folders where the copies are stored.  


The ZeroLock Agent has self-protection functionality that prevents malicious code from disabling/removing the agent from the system. Some of the protections the agent utilizes are: 

  • The agent is loaded early in system startup so that it can monitor processes as they start. 
  • The agent prevents monitored processes from killing critical security processes. 

Additional protections include restricting access to the cache folder so that no monitored process can access the cache area and a heartbeat function sent to the management console that gives near real-time health status of the agent on any given protected system. 

ZeroLock provides a fast, effective, scalable, fully automated solution to protect organizations from the growing threat of ransomware. Using a targeted solution without kernel modules, ZeroLock provides the same high level of security across an organization's entire Linux infrastructure without the worry of version-specific testing and certification. By using our proprietary, behavior-based, machine learning algorithms, ZeroLock's solution is faster, less resource-intensive, more effective, and produces fewer false positives than our competitors. We are the only solution on Linux that provides seamless, automated recovery of any compromised files during an attack, minimizing the chances of an extended outage.