Battle WinAntiRansom vs Anti-Exe Programs (AppGuard, NVT, etc)

[thecommissar]

I'm wondering if anyone could briefly explain the difference to me between two softwares users on the forums here have recommended me to defend against Ransomware.

One is WinAntiRansom and the other is an an anti-exe type program. I don't really want to use both, but I assume they operate a bit differently? I can't really figure out how WinAntiRansom is different from an anti-exe program though.

I was about to go with NVT ERP (I think its a good balance of usability/security and I like the GUI). But then I remembered I hadn't finished reading about WinAntiRansom... and so now I'm a bit confused again.

User @hjlbx posted this 'classification' schema below on a different post but I'm not 100% solid on the details here if this is correct. Further, I already use HitmanPro.Alert so if W.A.R. is the same mechanism (and indeed they do a comparison against HPA on their site) then maybe they conflict.

• Anti-Cryptor (HitmanPro.Alert, CryptoPrevent, WinAntiRansom)
• Anti-executable (NoVirusThanks Exe Radar Pro, SecureAPlus, VooDooShield)
• Software Restriction Policy (AppGuard)
• Virtualization (Shadow Defender, Sandboxie)

 

[Noxx]

I don't pretend to be an expert, so take what I have to say with a grain of salt. There's actually no harm in using an anti-executable AND anti-cryptor at the same time. The problem is when people have like 5, 6, even 7 real-time prots at the same time. If you pick the right software, you can reduce the amount of real-time protections down to like 3 or 4. You really don't even need an AV or Firewall, just a few select on-demand scanners. For instance, WinAntiRansom specifically targets ransomware -- that's its prime objective, and it's very good at it. But the buck really stops there. As such, it may be necessary to have an anti-executable, such as NVT, Voodooshield, Appguard, to prevent the execution of other processes that WinAntiRansom doesn't cover. Those two forms of protection will prevent most RANSOMWARE and MALWARE infections if you PAY ATTENTION AND READ BEFORE CLICKING.

Furthermore, you could logically also add HMPA, which covers most of your other bases: keyloggers, exploits, browser protection, solid real-time malware prot, some forms of ransomware, and more. Theoretically, that's all the protection you would ever need. It's really just a game of experimentation, and finding the right amount of protection that works for your personal needs. Virtualization (Shadow Defender, Sandboxie), IMO, are only necessary if you experiment with malware, visit questionable websites that have a history of infecting your PC with malware, or are paranoid about losing your data in the event that critical system files malfunction (infection, you accidentally did something stupid, etc) that would normally require a reformat. Hope that sheds a little bit of light on your concerns.

 

[shmu26]

NoVirusThanks Exe Radar Pro -- it is targeted more for advanced users. locks down your system pretty strong. Not being actively developed at present time, but still works good for a lot of people (not including me, unfortunately). There is a free version available.
SecureAPlus -- best choice for intermediate users, but does not totally lock down your system, at default settings.
VooDooShield -- lighter on system resources than SAP is, but makes more notifications and false positives, I think its default level of protection is in between that of NVT ERP and VS.

 

[jamescv7]

Well let's go on little logic.

You need a program that you can expand the protection, not only on specific threats but for as whole.

So which programs?

Then its from Anti-Exe like NVT Exe Radar Pro, SecureAplus (Whitelisting Technology) or Voodoshield.

The more features it contains then the more complexity goes; by default everything are in interactive mode which expect every pop-ups on programs you executed. So technical setup must require on how behavior goes.

Voodoshield and SecureAplus helps to reduce alerts powered by reference engines for accurate detection.

 

[_CyberGhosT_]

James has a point, choose based on your level of comfort, only you know your level of knowledge.
If your knowledge level is such that your comfortable selecting what, and what not to allow
go with the more complex software, if not you may want to steer clear of some of these.
VooDoo free is pre-configured and simple to use, while VooDoo paid requires more skill.
Only you can decide, all the software listed above is effective and does what it was designed to do.
PeAcE

 

[Alkajak]

@thecommissar When your question has been answered, Help Me Decide - Which Is Best Anti-Executable in your opinion?: AppGuard, NVT ERP or VooDooShield ? would be a good place to read next.

 

[thecommissar]

I don't pretend to be an expert, so take what I have to say with a grain of salt. There's actually no harm in using an anti-executable AND anti-cryptor at the same time. The problem is when people have like 5, 6, even 7 real-time prots at the same time. If you pick the right software, you can reduce the amount of real-time protections down to like 3 or 4. You really don't even need an AV or Firewall, just a few select on-demand scanners. For instance, WinAntiRansom specifically targets ransomware -- that's its prime objective.......

Hey thanks for the reply - my question was specifically about WAR vs anti-Exe programs... I think other responses confused my question with the more common 'which anti-exe' question.

But that's in line with what I had thought. Anti-exes should in theory stop ransomware (all things equal), but supposedly WAR is completely designed with ransomware alone in mind, and doesn't worry about other executable threats. So in theory, perhaps both could be run...

I think I'm going to have to choose one in this case though, as I already run (IMO) a bit of a heavy security software footprint (to me) (BitDefender TS, Webroot AV, HitmanProAlert) So I'm looking to add one more program. I suppose it will be either WAR or NVT ERP; I guess in theory, system resources/too many programs running at once would be my main concern with running both.

I'm going to be using Sandboxie for (some) browsing, but not email as I find it too annoying to do email work inside it. So it's not perhaps great security, but adding the anti-Ransom program is a major goal of mine.

Also I saw this which perhaps is more salient to my question:

Help Me Decide - Anti-Ransom Tools comparison (CryptoPrevent v7x and WinAntiRansom v2016x)

 

[_CyberGhosT_]

In that case, choosing between WAR & NVT, my choice would be
WAR hands down.
But like I said, do your homework my friend and choose one your comfortable with.
Both are solid programs.
PeAcE

 

[shmu26]

If you want something you can set up and just let it run, so go with WAR.
If you want something that demands a little more input on your part, so go with NVT ERP. It will protect you against any unwanted executable, not just ransomware alone. It's a pretty powerful tool, and is not limited to presently known types of malware. It simply won't let anything execute, unless you want it to. It's better than anything, if you know how to use it right.

But you can try running them both. You might find that it doesn't slow your computer down. No one can know how smooth it will work on your system, because you have a pretty unique security config, plus the general rule that no two systems are the same.

 

[Duotone]

I'm no expert so take my comment with a grain(probably a lot) of salt, comments based on my knowledge, testing, and difference of WaR and AG:

WinAntiransom ~ monitors ransomware like behaviors in order to proactively stop an attack, its also possible to block any programs of your "choice" from running its dedicated more on ransomware, that's its limitation.

AppGuard(Voodooshield, NVTERP) ~ As it stop any executable from running ,it will prevent not only ransomware but other forms of malware. Its a good protection for a static system its only weakness is when testing software. My system is always on static when I do test a software or open a document its withing SBIE protection.

When running both Appguard blocks the test sample before WaR so decided to remove WaR, its basically up to you I suggest you try it both(WAR and Anti-exe) see which one your comfortable with.

 

[CMLew]

WinAntiRansom = u got Bitdefender TS cover with Ransomware Protection

Anti-Exe = need to configure to suite your usage and preference.

IMO, Bitdefender TS + Webroot AV + HMP.A + Sandboxie seems a very solid security for you. To some extent it's too much solid, as Bitdefender TS has the comprehensive coverage that overlaps some of them you listed here.

So I believe, not really necessary. Plus I'm not sure if your system is going to cope with so much security software inside. Just a thought.

Cheers!

 

[shmu26]

WinAntiRansom = u got Bitdefender TS cover with Ransomware Protection

Anti-Exe = need to configure to suite your usage and preference.

IMO, Bitdefender TS + Webroot AV + HMP.A + Sandboxie seems a very solid security for you. To some extent it's too much solid, as Bitdefender TS has the comprehensive coverage that overlaps some of them you listed here.

So I believe, not really necessary. Plus I'm not sure if your system is going to cope with so much security software inside. Just a thought.

Cheers!

I would uninstall webroot, I don't think it's needed, in light of all the other security softs.

The Bitdefender TS anti-ransomware only protects certain user-defined folders, it doesn't protect against things like petya, or an attack of that type on parts of the operating system.

 

[Deleted member 178]

Anti-ransomware apps are just buzz softs surfing on the current over-exaggerated threats ransomwares are , why ?

Think about it, what are the attack vectors of ransomwares ? browser exploitation and user exploitation.

1- browser exploitation (very few): the users is oriented to a page or to click an ad or whatever which execute the payload. countermeasure ? any sandboxing or anti-exploit apps (ex: sandboxie free or MBAE free).
2- user exploitation: the user unknowingly download and execute the ransomware. countermeasure? any anti-exe/BB/HIPS will stop it before it even start encrypting.

so basically dedicated anti-ransomware will not do better than what exist already. they are just easy money , because afraid people will pay.

 

[jerzy601]

I totally agree with the opinion of Umbra.

 

[shmu26]

I don't get it. any behavior blocker will stop ransomware? So any decent AV will stop it, but that's not the case. I thought the behavior of encrypting is innocuous enough to escape regular BB, unless you crank up the BB and make it really paranoid.
the anti-ransomwares I have tried have a problem of FPs, because they are too paranoid.

 

[Deleted member 178]

I don't get it. any behavior blocker will stop ransomware? So any decent AV will stop it, but that's not the case. I thought the behavior of encrypting is innocuous enough to escape regular BB, unless you crank up the BB and make it really paranoid.
the anti-ransomwares I have tried have a problem of FPs, because they are too paranoid.

Any security apps , should never be left at default. How a ransomware start encrypting if when the user click on it, the soft block the execution?

 

[shmu26]

Any security apps , should never be left at default. How a ransomware start encrypting if when the user click on it, the soft block the execution?

okay, I understand you now. Properly tweaked security software will block ransomware, without a need for a specialized program to do it.

 

[thecommissar]

Thanks for all the replies:

1. I think mentioning that I use the much beloved SBIE for (some) browsing may have altered my actual picture - I don't use it sufficiently for it to be 'secure' (so perhaps I shouldn't have mentioned it at all); I have 1 of 4 browsers inside the sandbox, mainly where I download things, but even then I don't follow that protocol strictly. So While I could see if someone virtualized ALL browsing it might be very good security, I don't do that, hence the desire for some kind of exe killer or WAR. (I don't virtualize all browsing for performance issues, and also because I run a lot of browser addons and the like that dont play well with it).

2. As for BD + WebRoot I actually find them very synergistic and no performance issues. WebRoot finds things BD doesn't (or perhaps its just a difference of reporting), and BD firewall, in my limited testing, is the most friendly firewall I've ever used. But I also just like the idea that they operate under very different (signature vs logging) paradigms. And in my opinion part of security is about psychology; I just think they're both cool programs and as long as they play nice together I'm ok with them.

3. I take the point that I probably already have good anti-ransomware since technically all 3 of those programs watch for it and attempt to kill it early. SBIE of course makes it moot for the most part, but only if its being used, which for me is maybe a 30% chance. So I definitely like the idea of having an extra anti-ransomware. I definitely hear @Umbra on superfluous software, but I'm absolutely paranoid about ransomware given my previous attack and overall opinions about that type of malware - I definitely don't think the threat is over-exaggerated for most users who aren't really prepared or don't know anything about computer security (which would be the exact people who tend to get ransomware). So I'm completely one of those people who will pay lol.

That said at least I've got it down to 2 specific programs to pick from so it'll just be a matter of preference I think in picking between NVT ERP or WAR.

It seems from the comments that either should provide the anti-ransom functionality I'm looking for.

Thanks again everyone!

 

[Deleted member 178]

@shmu26 Exactly

I definitely hear @Umbra on superfluous software, but I'm absolutely paranoid about ransomware given my previous attack and overall opinions about that type of malware - I definitely don't think the threat is over-exaggerated for most users who aren't really prepared or don't know anything about computer security (which would be the exact people who tend to get ransomware). So I'm completely one of those people who will pay lol.

that is understandable; just take in account that once you master properly your favorite security soft, you aren't a beginner anymore; and then you can ditch superfluous softs.

That said at least I've got it down to 2 specific programs to pick from so it'll just be a matter of preference I think in picking between NVT ERP or WAR.

ERP latest beta is free and will cover almost all malwares attack's vectors, set on lockdown it is hard to bypass. However it development has slowed.

 

[conceptualclarity]

Further, I already use HitmanPro.Alert so if W.A.R. is the same mechanism (and indeed they do a comparison against HPA on their site) then maybe they conflict.

For what it's worth, the developer of WinAntiRansom told me it is compatible with HitmanPro.Alert. He would know how popular HPA is and therefore have an incentive to ensure the compatibility, I believe.