Windows_Security

Level 21
Content Creator
Trusted
Verified
Hi all, I played with some anti-ransomware protection programs from a performance and ease-of-use perspective. Feel free to add your experience and free anti-ransomware program tips.

For performance I monitored the program launch time of the first and four consecutive starts of Chrome (Woolyss Chromium) on Pentium dual core (G3240@3.2GHz) and first generation SSD (OCZ-Sata2). All programs did not affect download speed (as expected since their behavioral component will most likely monitor disk and process activity).


1. Kaspersky Anti-Ransomware Tool for Business

Pro's: Easy to use, set and forget, does well in both formal tests and MalwareTips member tests.
Con: Does not auto update. So behavioral detection rules will age and reduce in effectiveness.

C:\Program Files\Chromium\chrome.exe - 5 executions Kaspersky Free business V1
0.8266
0.2659
0.2495
0.2914
0.2814

C:\Program Files\Chromium\chrome.exe - 5 executions Kaspersky Anti-Ransomware V2
0.6864
0.3538
0.3151
0.3487
0.3439

V2 has both a performance and usability improvement. V2 de-installs without the need to disable auto protection (therefore this setting has disappeared in console).

2. AppCheck by CheckMal

Pro's: Easy to use, set and forget, does well in MalwareTips member tests.
Con: Free version has a predefined set of file extensions it protects, which is missing some formats.

Tweak tip: change something in paid autobackup feature. Disable AppCheck protection. Open Regedit and look for AppCheck in HKLM/Software. Browse through its registry keys settings and you will see a string with a lot of file extensions. Double click on that key and add the format you need to protect (e.g. AVI). Enable protection again and you are done. A wrongly edited key might lower protection, therefore I explicitly give only directions, no screen prints, so only people knowing what they are doing are able to do this trick (for as long as CheckMal allows this tweak).

C:\Program Files\Chromium\chrome.exe - 5 executions AppCheck
0.7798
0.2373
0.2401
0.2594
0.2687

3. Secure Folders

Pro's: Easy to use, Has a GUI to define which folders to protect and which programs to allow
Con: Free because it is abandonware. Works on my machines with Windows 7, 8.1 and 10

C:\Program Files\Chromium\chrome.exe - 5 executions SecureFolders
0.6858
0.2654
0.3114
0.2958
0.2334

4. Pumpernickel by Execubits

Pro's: Mini-kernel driver with Secure Folders on steroids granularity.
Con: Free version needs ini-file (only suitable for power users) and is valid for one year (needs manual update on 1-4-2018).

C:\Program Files\Chromium\chrome.exe - 5 executions Pumpernickel
0.6391
0.2490
0.2648
0.2509
0.3215

5. RansomOff by Heilig Defense

Pro's: Offers Folder protection which has PumperNickel granularity with SecureFolders like graphical user interface. It also has some other goodies like MBR protection and Behavioral monitoring (called Policy protection). Experienced members like CruelSister like the concept and developer is open to improvement suggestions.
Con: Is still a Release Candidate. Configuration is a breeze for power users, but user interface is not directed to guiding average PC users. The UI-design is from the late 90's so some might find it very ugly.

C:\Program Files\Chromium\chrome.exe - 5 executions RansomOff
0.5922
0.2520
0.2490
0.2176
0.2025

6. RansomFree by Cybereason

Pro's: Really set and forget easy to use program with minimal performance impact. Protection can be disabled for one hour (e.g. when you want to do an image backup or data recovery). A lot can be said about the communication of Cybereason (Israeli elite), but the bottom line fact is that this extra line of defense is very suitable for novice users and has minimal system impact.
Con: Canary approach is post-infection protection to minimize the damage. Cybereason has released updates after new ransomware appears. Some people may dislike damage control security and use of canary files, but in professional world it is just one of the options of contingency management. Benefit of canary files is that it has low false positives and high compatibility with other security apps. Here is a video explaining canary file approach (link).

C:\Program Files\Chromium\chrome.exe - 5 executions RansomFree
0.4833
0.1870
0.1564
0.1575
0.1892

7. Document Protector by 360 Total Security

Pro's: Set and forget, easy to use program with an option to customize file extensions to be protected.
Con: You need another backup solution when you only protect documents changed in last 30 days. When you use eternal mode, it would suit as only protection, but files are backed up on date, not on folder structure, so it is not easy to restore all files of a specific folder.

C:\Program Files\Chromium\chrome.exe - 5 executions 360 Document Protector
0.6235
0.2768
0.2500
0.2646
0.3283

8. Easy File Locker
Pro's: Set and forget, has same granularity as PumperNickel and Folder protection of RansomOff (you select which programs to exclude per folder).
Con's: None really

C:\Program Files\Chromium\chrome.exe - 5 executions Easy FileLocker
0.5454
0.1713
0.1869
0.1712
0.1554
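
The canary-file approach mentioned under RansomFree above, as an added sketch that is not part of the original post and is not Cybereason's code: decoy files that no legitimate program has a reason to touch are planted and hashed, and any later change to one of them is treated as an alert. The decoy names, function names and the polling check are assumptions made for illustration; a real product reacts at write time rather than by polling.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical decoy names, chosen to sort first and last in a directory listing.
CANARY_NAMES = ["!000_budget.docx", "~zzz_photos.xlsx"]


def plant_canaries(folder):
    """Write decoy files into folder and return the baseline {path: sha256}."""
    baseline = {}
    for name in CANARY_NAMES:
        path = Path(folder) / name
        data = os.urandom(256)  # constructed filler; no real document content
        path.write_bytes(data)
        baseline[str(path)] = hashlib.sha256(data).hexdigest()
    return baseline


def check_canaries(baseline):
    """Return (path, reason) for every canary that no longer matches the baseline."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.is_file():
            alerts.append((path, "missing"))  # deleted or renamed
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            alerts.append((path, "modified"))
    return alerts


def demo():
    """Check an untouched folder, then change both decoys and check again."""
    with tempfile.TemporaryDirectory() as folder:
        baseline = plant_canaries(folder)
        before = check_canaries(baseline)
        first, second = sorted(baseline)
        Path(first).write_bytes(b"changed")      # in-place overwrite
        os.rename(second, second + ".renamed")   # rename to a new extension
        after = check_canaries(baseline)
    return before, [reason for _, reason in after]


if __name__ == "__main__":
    print(demo())
```

The untouched folder produces no alerts, which is the low false-positive property; the alert only appears once a decoy has already been written to, which is why the post calls it post-infection protection.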
 

Windows_Security

All tested AR-tools in previous post don't impact download speed. Download is 150 Mbps. At my home I have over 15 overlapping and colliding wireless networks from the neighbours, so actual speed is around 100 - 110 Mbps on WLcards having 450 Mbps max, 80-90 on WLcards with 300 Mbps max and 40-50 on WLcards with 150 Mbps. Weak modem/router of IDS is only used as modem (bridge mode), with two routers (one for 5GHz and one for 2.4GHz) placed at ground and first floor to out shout my neighbours ;)

upload_2017-7-14_12-18-12.png
 

broughie

Level 2
Although an anti-exe/script program, Voodooshield free does better in tests against ransomware than practically all anti-ransomware products and should perhaps be included as being free for this purpose? (albeit does require some user interaction)
 

Windows_Security

@broughie, You are right. The same could be said for Comodo free (Cruel Sister config) and Avast Free (in hardened aggressive mode). I limited this overview to free programs communicating they are specially developed to tackle ransomware threats, just because there are only 24 hours in a day. That is why I invited other members to share experiences and tips, like you did with VS ;)
 

mekelek

Level 28
what do you exactly mean by KAR "doesn't update"?
it's using KSN for sigs, so what does it need update for?
 

Windows_Security

Easy File Locker download link: XOSLAB.COM and screenprint (only deny write and delete for ransomware protection). I only use E for quick backups during the day (nightly NAS backup) and allow only SyncBackFree access to E:\BackupDocumenten and E:\BackupMail. When I replaced the HD in my wife's laptop with a Hybrid, I put her old HD in my Desktop. It uses very little electricity and spins down when not used (so also quiet) and with a little ducktape it is easy to mount :)

upload_2017-7-14_16-12-40.png
 

Windows_Security

@ozone I am not a Shadow Defender user and am somewhat mystified about Tony's disappearance and the appearance of Yang Ping, so did not know whether this was a good thing or bad (therefore checked the installer at VT :oops: just to be sure).
 

ozone

Level 3
Those apps are somehow "related". On home page there is link to SD and if you in Easy File Locker click on Advanced > Protect My OS it will open browser with SD site.
 

EASTER

Level 3
Verified
I prefer RansomOff over Pumpernickel, better ugly UI from 90's than no UI at all, it's 2017. I didn't know that Kaspersky Anti-Ransomware Tool doesn't auto-update itself, that's really bad, what's the point of using it then? Thanks for the great thread @Windows_Security :)
Am firmly in this camp with Ransom0ff. I have extensively tested it time and again each beta and submitted finds for improvements/bugfix too, and also even EMSI @Fabian Wosar felt compelled to weigh in on it at one point in the Wilder's Thread with the developer to expose a weakness. Developers helping developers, ya gotta admire that out of EMSI land. EMSI EAM is very tempting to me all the time to give in and set that puppy in system too. I can never forget A2 Squared!

In spite of the fact Ransom0ff also employs their version of a secure folders nature, I would not run a system without this little abandonware jewel.
 

Windows_Security

@davisd

David Heilig of RansomOff has planned some GUI improvements, but first focus is to deliver a stable final product.

He has some short term improvements planned, like exclude/exempt folder for the Backup feature and besides automatic enable of Lockdown, also an automatic disable of the lockdown. The latter would give RansomOff on the fly anti-execution options (e.g. when starting a browser or email program).

On long term he is planning a UI overhaul which still would give power users access to all individual options, but would also have a slider for less experienced users in which correlated settings would be given preset values (e.g. from a loose compatible mode to a strict 'Fort Knox' mode) to protect your precious data against ransomware.
 

kamla5abi

Level 4
what do you exactly mean by KAR "doesn't update"?
it's using KSN for sigs, so what does it need update for?
It definitely does some updates sometimes
I've seen it use disk read/write and use the network many times (as simple as watching task manager when logging into computer)
it needs updates for system watcher/BB rules

v1 doesn't automatically update to v2
i just noticed theres a v2 update for KAR, been out a couple weeks or so i think. And no longer in Beta.
I have v1.1.31.0 installed on 1 computer and it definitely did not auto update to v2. Maybe cuz it went beta --> official release? Guess we will find out if v2 gets updates over time
Update - Kaspersky Anti-Ransomware Tool for Business v2 Download (Beta Finished)
 

mekelek

It definitely does some updates sometimes
I've seen it use disk read/write and use the network many times (as simple as watching task manager when logging into computer)

i just noticed theres a v2 update for KAR, been out a couple weeks or so i think. And no longer in Beta.
I have v1.1.31.0 installed on 1 computer and it definitely did not auto update to v2. Maybe cuz it went beta --> official release? Guess we will find out if v2 gets updates over time
Update - Kaspersky Anti-Ransomware Tool for Business v2 Download (Beta Finished)
well since it's aimed towards businesses maybe they don't want it to auto update to a new version to avoid incompatibility but it updates everything else necessary?
 

kamla5abi

well since it's aimed towards businesses maybe they don't want it to auto update to a new version to avoid incompatibility but it updates everything else necessary?
yes this is what i figured as well (says "for business" in the name haha)
but i think they should at least have sent notification of some sort for the update to let the admin know they updated the tool so to download/test the update, then deploy it.
KART has a cloud whitelist/blacklist so it should access the internet, not for updates but for checking whether a program is whitelisted/blacklisted. Signed whitelisted are written to a local cache (that is the disk activity). I asked Kaspersky and they confirmed that it did not auto-update.
thank you for the confirmation from K :)
I just manually updated the tool to v2 (v 2.0.0.176 to be exact) and it was painless process for me
I did uncheck "protect this process" in settings of old version tool before i went to settings > system > Apps & Features to uninstall the older version
interestingly enough, there is no "protect this process" option in settings for the new version o_O maybe it is now auto protected and doesn't give option to protect it or not anymore ?