Why You Need Ransomware Protection
You've done your due diligence, installing antivirus protection on all of your computers. Now you can sit back and relax, confident that even if some rare zero-day attack gets past your layers of protection, the antivirus company will push out an update that clears up the problem in a day or two. Relax! Or maybe…don't. If the sneak attack that got through your defenses was ransomware, the damage is done. Your files are encrypted. Quarantining the culprit process after the fact can't do a thing about your inaccessible encrypted files. That's why it makes sense to supplement your antivirus with a partner app that's solely focused on ransomware. Ransomware-specific apps tend to be cheap, or free, so upping your protection game won't break the bank.
It's even worse when your business gets attacked by ransomware. Depending on the nature of the business, every hour of lost productivity might cost thousands of dollars, or even more. Fortunately, while ransomware attacks are on the rise, so are techniques for fighting those attacks. Here we look at anti-ransomware tools you can use to protect yourself from ransomware.
What Is Ransomware, and How Do You Get It?
The premise of ransomware is simple. The attacker finds a way to take something of yours, and demands payment for its return. Encrypting ransomware, the most common type, takes away access to your important documents by replacing them with encrypted copies. Pay the ransom and you get the key to decrypt those documents (you hope). There is another type of ransomware that denies all use of your computer or mobile device. However, this screen locker ransomware is easier to defeat, and just doesn't pose the same level of threat as encrypting ransomware. Perhaps the most pernicious example is malware that encrypts your entire hard drive, rendering the computer unusable. Fortunately this last type is uncommon.
If you're hit by a ransomware attack, you won't know it at first. It doesn't show the usual signs that you've got malware. Encrypting ransomware works in the background, aiming to complete its nasty mission before you notice its presence. Once finished with the job, it gets in your face, displaying instructions for how to pay the ransom and get your files back. Naturally the perpetrators require untraceable payment; Bitcoin is a popular choice. The ransomware may also instruct victims to purchase a gift card or prepaid debit card and supply the card number.
As for how you contract this infestation, quite often it happens through an infected PDF or Office document sent to you in an email that looks legitimate. It may even seem to come from an address within your company's domain. That seems to be what happened with the WannaCry ransomware attack. If you have the slightest doubt as to the legitimacy of the email, don't click the link, and do report it to your IT department.
Of course, ransomware is just another kind of malware, and any malware-delivery method could bring it to you. A drive-by download hosted by a malicious advertisement on an otherwise-safe site, for example. You could even contract this scourge by inserting a gimmicked USB drive into your PC, though this is less common. If you're lucky, your malware protection utility will catch it immediately. If not, you could be in trouble.
CryptoLocker and Other Encrypting Malware
Until the massive WannaCry attack, CryptoLocker was probably the best-known ransomware strain. It surfaced several years ago. An international consortium of law enforcement and security agencies took down the group behind CryptoLocker, but other groups kept the name alive, applying it to their own malicious creations.
Ransomware Removal
Even if ransomware gets past your antivirus, chances are good that within a short while an antivirus update will clear the attacker from your system. The problem is, of course, that removing the ransomware itself doesn't get your files back. The only reliable guarantee of recovery is maintaining a hardened cloud backup of your important files.
Even so, there's a faint chance of recovery, depending on which ransomware strain encrypted your files. If your antivirus gives you a name, that's a great help. Many antivirus vendors, among them Kaspersky, Trend Micro, and Avast, maintain a collection of one-off decryption utilities. In some cases, the utility needs the unencrypted original of a single encrypted file to put things right. In other cases, such as TeslaCrypt, a master decryption key is available.
But really, the best defense against ransomware involves keeping it from taking your files hostage. There are a number of different approaches to accomplish this goal.
Anti-Ransomware Strategies
A well-designed antivirus utility ought to eliminate ransomware on sight, but ransomware designers are tricky. They work hard to get around old-school signature-based malware detection. And it only takes one slipup by your antivirus to let a new, unknown ransomware attack render your files unusable. Even if the antivirus gets an update that removes the ransomware, it can't bring back the files.
Modern antivirus utilities supplement signature-based detection with some form of behavior monitoring. Some rely exclusively on watching for malicious behavior rather than looking for known threats. And behavior-based detection specifically aimed at ransomware behaviors is becoming more common.
Ransomware typically goes after files stored in common locations like the desktop and the Documents folder. Some antivirus tools and security suites foil ransomware attacks by denying unauthorized access to these locations. Typically they pre-authorize known good programs such as word processors and spreadsheets. On any access attempt by an unknown program, they ask you, the user, whether to allow access. If that notification comes out of the blue, not from anything you did yourself, block it!
Of course, using an online backup utility to keep an up-to-date backup of your essential files is the very best defense against ransomware. First, you root out the offending malware, perhaps with help from your antivirus company's tech support. With that task complete, you simply restore your backed-up files. Note that some ransomware attempts to encrypt your backups as well. Backup systems in which your backed-up files appear in a virtual disk drive may be especially vulnerable. Check with your backup provider to find out what defenses the product has against ransomware.
Detecting Ransomware Behavior
Cybereason's free RansomFree utility has just one purpose: to detect and avert ransomware attacks. One very visible feature of this utility is its creation of 'bait' files in locations typically targeted by ransomware. Any attempt to modify these files triggers a ransomware takedown. It also relies on other forms of behavior-based detection, but its creators are naturally reluctant to offer a lot of detail. Why tell the bad guys what behaviors to avoid?
Malwarebytes Anti-Ransomware Beta, CryptoDrop Anti-Ransomware, and a few others also use behavior-based detection to take down any ransomware that gets past your regular antivirus. They don't use 'bait' files; rather they keep a close eye on how programs treat your actual documents. On detecting ransomware, they quarantine the threat.
Check Point ZoneAlarm Anti-Ransomware also uses bait files, but they're not as visible as RansomFree's. And it clearly uses other layers of protection. It defeated all of our real-world ransomware samples in testing, fixing any affected files and even removing the spurious ransom notes that one sample displayed.
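To make the bait-file idea behind RansomFree and ZoneAlarm concrete, here is an added example written for this article (not code from either product or from any vendor named here). It plants a few decoy files with constructed names and contents in a folder, records their hashes, and raises an alert if any decoy is later modified, renamed, or deleted, on the reasoning that no legitimate program has a business touching them. The decoy names, the contents, and the polling-style check are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Decoy names and contents are constructed for this example; products choose
# names that sort early so a file sweep reaches the decoys before real documents.
CANARY_NAMES = ["0000_budget.docx", "0001_photos.jpg", "zzz_notes.txt"]
CANARY_CONTENT = b"decoy document - nothing here is real\n" * 16


def seed_canaries(root: Path) -> dict:
    """Plant the decoys under root and return a {path: sha256} baseline."""
    baseline = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(CANARY_CONTENT)
        baseline[str(p)] = hashlib.sha256(CANARY_CONTENT).hexdigest()
    return baseline


def check_canaries(baseline: dict) -> list:
    """Compare each decoy with its baseline. Any change is an alert, because no
    legitimate program has a reason to touch these files.
    Returns a list of (path, reason) with reason in {modified, renamed, missing}."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            # A decoy that vanished but has a sibling carrying its full name as a
            # prefix (e.g. photos.jpg.locked) was most likely renamed in place.
            renamed = any(s.name.startswith(p.name) for s in p.parent.iterdir())
            alerts.append((path, "renamed" if renamed else "missing"))
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            alerts.append((path, "modified"))
    return alerts


def demo() -> dict:
    """Constructed scenario: seed decoys in a scratch folder, simulate
    unauthorised changes to all three, and report what the check sees."""
    root = Path(tempfile.mkdtemp())
    baseline = seed_canaries(root)
    clean = check_canaries(baseline)                              # expect no alerts
    (root / "zzz_notes.txt").write_bytes(b"\x00\xff" * 64)        # overwritten
    (root / "0001_photos.jpg").rename(root / "0001_photos.jpg.locked")  # renamed
    (root / "0000_budget.docx").unlink()                          # deleted outright
    return {"clean": clean,
            "alerts": {Path(p).name: why for p, why in check_canaries(baseline)}}


if __name__ == "__main__":
    print(demo())
```

A real monitor would subscribe to file-system change notifications (on Windows, ReadDirectoryChangesW; cross-platform, the watchdog package) rather than re-hashing on a timer, and would suspend the writing process as soon as a decoy changes; the hash-and-compare logic is the same either way.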
Webroot SecureAnywhere AntiVirus relies on behavior patterns to detect all types of malware, not just ransomware. It leaves known good processes alone and eliminates known malware. When a program belongs to neither group, Webroot closely monitors its behavior. It blocks unknowns from making internet connections, and it journals every local action. Meanwhile, at Webroot central, the unknown program goes through deep analysis. If it proves to be malicious, Webroot uses the journaled data to undo every action by the program, including encrypting files. The company does warn that the journal database isn't unlimited in size, and advises keeping all important files backed up.
If the free Trend Micro RansomBuster detects a suspicious process attempting file encryption, it backs up the file and keeps watching. When it detects multiple encryption attempts in rapid succession, it quarantines the process, notifies the user, and restores the backed-up files. In testing, this feature missed half of the real-world ransomware samples we inflicted on it. Trend Micro confirms that ransomware protection is better with the multi-layered protection of Trend Micro Antivirus+ Security.
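The back-up-then-watch approach that Webroot's journaling and RansomBuster's burst detection both rely on can be sketched in code. The following is an added example written for this article, not any vendor's implementation: it treats a high-entropy overwrite of a document as suspicious, keeps a copy of the original before letting the write through, and if one process produces several such overwrites within a short window, it quarantines that process and restores every file it touched. The entropy cutoff, the window, the threshold, and the sample files are constructed assumptions.

```python
import math
import tempfile
from collections import defaultdict, deque
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plaintext documents sit well below 7; ciphertext is near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class EncryptionBurstGuard:
    """Per-process detector: high-entropy overwrites are snapshotted and counted
    in a sliding window; a burst quarantines the process and rolls back every
    snapshot taken for it (the journal-and-undo idea in the paragraphs above)."""

    def __init__(self, window_seconds=5.0, burst_threshold=3, entropy_cutoff=7.0):
        self.window = window_seconds          # assumption: 5 s window
        self.threshold = burst_threshold      # assumption: 3 suspicious writes
        self.cutoff = entropy_cutoff          # assumption: 7 bits/byte
        self.events = defaultdict(deque)      # pid -> timestamps of suspicious writes
        self.snapshots = defaultdict(dict)    # pid -> {path: original bytes}
        self.quarantined = set()
        self.restored_total = 0

    def on_write(self, pid: int, path: Path, content: bytes, ts: float) -> str:
        """Mediate one overwrite. Returns 'allow', 'watch' or 'blocked'."""
        if pid in self.quarantined:
            return "blocked"
        if shannon_entropy(content) < self.cutoff:
            path.write_bytes(content)         # ordinary save: let it through untouched
            return "allow"
        q = self.events[pid]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.quarantine(pid)              # burst: deny this write, undo the earlier ones
            return "blocked"
        if path.exists() and str(path) not in self.snapshots[pid]:
            self.snapshots[pid][str(path)] = path.read_bytes()   # back up before allowing
        path.write_bytes(content)
        return "watch"

    def quarantine(self, pid: int) -> int:
        """Mark the process and restore every file it overwrote; returns the count."""
        self.quarantined.add(pid)
        restored = 0
        for p, original in self.snapshots.pop(pid, {}).items():
            Path(p).write_bytes(original)
            restored += 1
        self.restored_total += restored
        return restored


def demo() -> dict:
    """Constructed scenario: one process rewrites documents with ciphertext-like
    data at one-second intervals; another saves an ordinary text edit."""
    root = Path(tempfile.mkdtemp())
    plaintext = b"Q3 budget notes: travel, hardware, training\n" * 20
    docs = [root / f"doc{i}.txt" for i in range(1, 5)]
    for d in docs:
        d.write_bytes(plaintext)
    ciphertext_like = bytes(range(256)) * 8   # entropy exactly 8.0; stands in for encrypted output
    guard = EncryptionBurstGuard()
    verdicts = [
        guard.on_write(4242, docs[0], ciphertext_like, 0.0),
        guard.on_write(4242, docs[1], ciphertext_like, 1.0),
        guard.on_write(4242, docs[2], ciphertext_like, 2.0),   # third in window: quarantine
        guard.on_write(4242, docs[3], ciphertext_like, 2.5),   # already quarantined
        guard.on_write(777, docs[3], plaintext + b"edited\n", 3.0),  # benign low-entropy save
    ]
    intact = all(d.read_bytes().startswith(plaintext[:40]) for d in docs)
    return {"verdicts": verdicts, "restored": guard.restored_total, "intact": intact}


if __name__ == "__main__":
    print(demo())
```

The first two suspicious writes are allowed but journaled, which is exactly the window in which a real product lets "a few files" get encrypted before detection; the third write trips the threshold, the process is quarantined, and the two earlier files come back from their snapshots. Note the caveat the article attributes to Webroot: the snapshot store is finite, so this is a complement to backups, not a replacement.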
The main purpose of Acronis True Image is backup, of course, but the Acronis Active Protection module watches for and prevents ransomware behavior. It uses whitelisting to avoid falsely flagging valid tools such as encryption software. It also actively protects the main Acronis process against modification, and ensures that no other process can access backed-up files. If ransomware does manage to encrypt some files before being eliminated, Acronis can restore them from the latest backup.
Now you can get that same Active Protection for free, in the form of Acronis Ransomware Protection. This utility works alongside your antivirus as another layer of protection against ransomware, and includes 5GB of storage for backups of your most important files. Acronis Ransomware Protection can restore files damaged by ransomware from a local cache; the online backup is yet another line of defense.
The Data Hijacking Protection feature in Qihoo 360 Total Security watches for ransomware behavior. However, rather than terminate suspect processes, it simply prevents them from accessing files in specific protected locations such as the Documents folder. In testing, we couldn't goad it into action. Ransomware-specific detection in G Data Antivirus, on the other hand, visibly did its job. When we turned off the regular real-time antivirus and released some ransomware samples, it caught them red-handed. Quick Heal Internet Security also claims to detect ransomware by its behavior, but since it offered no way to disable antivirus protection without also disabling ransomware protection, we couldn't test it.
Preventing Unauthorized Access
If a brand-new ransomware program gets past Bitdefender Antivirus Plus, it won't be able to do much damage. Bitdefender blocks attempts by any unauthorized program to modify, delete, or create files in a protected folder. And the list of protected folders includes Documents, Desktop, Pictures, Music, and Videos, as well as folders on file-syncing services such as OneDrive, Dropbox, Box, and Google Drive. Avast has recently added a very similar feature to Avast Internet Security and Avast Premier.
In Trend Micro's antivirus, the Folder Shield feature protects files in Documents and Pictures, in local folders that represent online storage, and on USB drives. The free, standalone RansomBuster just protects two selected folders, and their subfolders. No unauthorized program can delete or modify files in the protected zone, though file creation is permitted. In addition, the company offers a ransomware hotline that's available to anyone, even noncustomers. On the hotline page you can find tools to defeat some screen locker ransomware and decrypt some files encrypted by ransomware.
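The protected-folder approach described under Anti-Ransomware Strategies and in the Bitdefender and Trend Micro paragraphs above boils down to an access-control policy: which folders, which operations, which programs. This added example (written for this article; not the logic of any product named here) models that policy in Python, with variants that mirror the differences the text describes: permitting file creation while blocking modification and deletion, guarding reads as well as writes for selected file types, and prompting the user instead of denying outright. All paths and program names are constructed, and matching trusted programs by executable path is a simplification; real products identify trusted programs by signature or hash, not by name.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass
class ProtectedFolderPolicy:
    """Allowlist-based access control for a set of protected folders.
    Unknown programs are denied (or the user is prompted) for guarded operations."""
    protected_roots: list                  # folders; subfolders are included
    trusted_programs: set                  # executable paths that are pre-authorised
    guarded_ops: set                       # subset of {"read", "create", "modify", "delete"}
    protected_exts: Optional[set] = None   # None means every file type is covered
    prompt_unknown: bool = False           # ask the user instead of denying

    def __post_init__(self):
        # PureWindowsPath compares case-insensitively and normalises separators,
        # so it works for this demo on any host OS.
        self._roots = [PureWindowsPath(r) for r in self.protected_roots]
        self._trusted = {PureWindowsPath(t) for t in self.trusted_programs}

    def _in_zone(self, path: PureWindowsPath) -> bool:
        return any(root == path or root in path.parents for root in self._roots)

    def decide(self, program: str, op: str, path: str) -> str:
        """Return 'allow', 'deny' or 'prompt' for one access attempt."""
        p = PureWindowsPath(path)
        if not self._in_zone(p) or op not in self.guarded_ops:
            return "allow"                                  # outside the zone or unguarded op
        if self.protected_exts is not None and p.suffix.lower() not in self.protected_exts:
            return "allow"                                  # file type not covered
        if PureWindowsPath(program) in self._trusted:
            return "allow"                                  # pre-authorised program
        return "prompt" if self.prompt_unknown else "deny"


# Constructed paths for the demo.
WORD = r"C:\Program Files\Office\WINWORD.EXE"
UNKNOWN = r"C:\Users\amy\AppData\Local\Temp\invoice_viewer.exe"
DOCS = r"C:\Users\amy\Documents"
DROPBOX = r"C:\Users\amy\Dropbox"


def demo() -> dict:
    """Exercise four policy variants against a trusted and an unknown program."""
    full_zone = ProtectedFolderPolicy(            # many folders, create/modify/delete guarded
        [DOCS, r"C:\Users\amy\Desktop", r"C:\Users\amy\Pictures", DROPBOX],
        {WORD}, {"create", "modify", "delete"})
    create_ok = ProtectedFolderPolicy([DOCS], {WORD}, {"modify", "delete"})   # creation permitted
    read_guarded = ProtectedFolderPolicy([DOCS], {WORD},                      # even reads guarded,
        {"read", "create", "modify", "delete"}, protected_exts={".docx", ".xlsx", ".jpg"})
    ask_user = ProtectedFolderPolicy([DOCS], {WORD}, {"modify", "delete"}, prompt_unknown=True)
    report = DOCS + r"\2019\report.docx"
    return {
        "trusted_modify": full_zone.decide(WORD, "modify", report),
        "unknown_modify": full_zone.decide(UNKNOWN, "modify", report),
        "unknown_sync_folder": full_zone.decide(UNKNOWN, "delete", DROPBOX + r"\photo.jpg"),
        "unknown_outside_zone": full_zone.decide(UNKNOWN, "modify", r"C:\Users\amy\Downloads\x.txt"),
        "create_permitted": create_ok.decide(UNKNOWN, "create", DOCS + r"\note.txt"),
        "create_then_modify": create_ok.decide(UNKNOWN, "modify", DOCS + r"\note.txt"),
        "read_blocked": read_guarded.decide(UNKNOWN, "read", report),
        "read_unlisted_type": read_guarded.decide(UNKNOWN, "read", DOCS + r"\README.md"),
        "prompt_unknown": ask_user.decide(UNKNOWN, "delete", report),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

The "create_then_modify" case shows why permitting creation is a reasonable compromise: an unknown program can drop a new file but still cannot rewrite it once it exists, so an encrypt-in-place attempt is denied. The "read_unlisted_type" case shows the flip side of filtering by file type: anything outside the list is unprotected, which is why the article recommends adding folders and types as needed.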
Panda Dome Essential and Panda Dome Complete offer a feature called Data Shield. By default, Data Shield protects the Documents folder (and its subfolders) for each Windows user account. It protects specific file types including Microsoft Office documents, images, audio files, and video. If necessary, you can add more folders and file types. And Panda protects against all unauthorized access, even reading a protected file's data, so it balks>
Acronis Ransomware Protection can restore files damaged by ransomware from a local cache. Like its big brother True Image, it offers online backup as another option for recovery, but just 5GB of storage. CryptoDrop Anti-Ransomware maintains copies of your sensitive files in a secure folder that's not visible to any other processes.
As noted, when Trend Micro detects a suspicious process encrypting a file, it backs up the file. If it sees a flurry of suspicious encryption activity, it quarantines the process and restores the backed-up files. ZoneAlarm also tracks suspicious activity and repairs any damage caused by processes that turn out to be ransomware.
In addition to behavior-based malware detection, Quick Heal also maintains a silent, encrypted backup of your document files. However, recovery of those files is not automatic. Once you get rid of the ransomware, you must contact tech support for help with recovery.
Ransomware Vaccination
Ransomware perpetrators lose credibility if they fail to decrypt files for those who pay the ransom. Encrypting the same set of documents multiple times could make it difficult or even impossible to perform that decryption. Hence, most ransomware programs include some kind of check to make sure they don't attack an already-infected system. For example, the Petya ransomware initially just checked for the presence of a certain file. By creating a fake version of that file, you could effectively vaccinate your computer against Petya.
Bitdefender Anti-Ransomware very specifically prevents infestation by TeslaCrypt, BTC-Locker, Locky, and that first edition of Petya. It has no effect on Sage, Cerber, later versions of Petya, or any other ransomware family. And it certainly can't help against a brand-new strain, the way a behavior-based detection system can. This kind of protection has its limits, but it can be an effective part of a multi-layered strategy.
Testing Anti-Ransomware Tools
The most obvious way to test ransomware protection is to release actual ransomware in a controlled setting and observe how well the product defends against it. However, this is only possible if the product lets you turn off its normal real-time antivirus while leaving ransomware detection active. Of course, testing is simpler when the product in question is solely devoted to ransomware protection, without a general-purpose antivirus component.
In addition, ransomware samples are tough to deal with. For safety, we run them in a virtual machine with no connection to the internet or network. Some won't run at all in a virtual machine. Others do nothing without an internet connection. And they're just plain dangerous! When analyzing a new sample, determining whether to add it to the collection, we keep a link open to a log folder on the virtual machine host. Twice now we've had a ransomware sample reach out and start encrypting those logs.
KnowBe4 specializes in training individuals and employees to avoid getting hit by phishing attacks. Phishing is one way malware coders distribute ransomware, so developers at KnowBe4 created a ransomware simulator called RanSim. RanSim simulates 10 types of ransomware attack, along with two innocuous (but similar) behaviors. A good RanSim score is definitely a plus, but we don't treat a low score as a minus. Some behavior-based systems such as RansomFree don't detect the simulation, because no actual ransomware limits its activities to subfolders four levels below the Documents folder.
What's Not Here
This article looks specifically at ransomware protection solutions that are available to consumers. There's no point in including the free, one-off decryption tools, since the tool you need totally depends on which ransomware encrypted your files. Better to prevent the attack in the first place.
CryptoPrevent Premium, created when CryptoLocker was new, promised several levels of behavior-based ransomware protection. However, at the top security level, it inundated the desktop with bait files, and even at this level, several real-world samples slipped past its detection. We can't recommend this tool in its current form.
The Kure isn't precisely a ransomware solution. It restores your PC to a clean, malware-free state every time you reboot, exempting areas like the Documents folder from this 'Groundhog Day' effect. Thus a reboot would wipe active ransomware but would leave your files encrypted. To get around this, The Kure maintains a hidden, encrypted copy of files in those exempted folders.
We've also omitted ransomware solutions aimed at big business, which typically require central management or even a dedicated server. Bitdefender GravityZone Elite and Sophos Intercept X, for example, are beyond the scope of our reviews, worthy though these services may be.
Acronis True Image provides dandy ransomware protection and recovery, but at heart it's a backup tool. We gave its place in the chart at top to its ransomware-focused sibling, Acronis Ransomware Protection.
An Ounce of Prevention
Getting your files back after an attack is good, but completely preventing that attack is even better. The products listed below take different approaches to keeping your files safe. Ransomware protection is an evolving field; chances are good that as ransomware evolves, anti-ransomware utilities will evolve as well. For now, ZoneAlarm Anti-Ransomware and CyberSight RansomStopper are our top choices for ransomware-specific security protection. Both detected all of our ransomware samples, including the disk-encrypting Petya. ZoneAlarm repaired all files damaged by the ransomware, while RansomStopper completely prevented encryption.
You'll note that the blurbs below include a few more products than the chart at top. As more ransomware-specific products appear, they push general-purpose security products from the chart. All the products listed below earned at least three stars.
Best Ransomware Protection Featured in This Roundup:
Bitdefender Antivirus Plus Review
MSRP: $39.99
Pros: Outstanding scores in independent lab tests and our web protection tests. Multi-layered ransomware protection. Password manager. Banking protection. Offers a virtual private network, or VPN. Many security-centered bonus features.
Cons: Unlimited VPN access requires separate subscription. With antivirus disabled, ransomware-specific features missed one uncommon sample.
Bottom Line: With outstanding antivirus test results and a collection of features that puts some security suites to shame, Bitdefender Antivirus Plus is a top choice.
Check Point ZoneAlarm Anti-Ransomware Review
MSRP: $1.99
Pros: Successfully protects against real-world ransomware samples. Cleans up all ransomware traces in testing. Very easy to use.
Cons: Not free like some competing products. Routinely allows (and then reverses) file encryption.
Bottom Line: Check Point ZoneAlarm Anti-Ransomware remains one of the most effective ransomware-specific security tools we've tested. After a false start, it showed complete success against all our real-world samples.
CyberSight RansomStopper Review
MSRP: $0.00
Pros: Detected and blocked all real-world ransomware samples, including samples launched at startup. Doesn't permit encryption of files. Free.
Cons: Installation not complete until after reboot.
Bottom Line: CyberSight RansomStopper offers free, dedicated ransomware protection, and it now handles ransomware that launches at Windows startup. It's a winner, and free.
Webroot SecureAnywhere AntiVirus Review
MSRP: $39.99
Pros: Perfect score in our malware protection test. Very good antiphishing score. Ransomware protection. Light on system resources. Fast scan, tiny size. Advanced features.
Cons: Limited lab test results due to unusual detection techniques. Missed one unique hand-modified ransomware sample in testing.
Bottom Line: Tiny, speedy Webroot SecureAnywhere AntiVirus keeps a light touch on your system's resources. It aces our hands-on malware protection test, and can even roll back ransomware activity.
Acronis Ransomware Protection Review
MSRP: $0.00
Pros: Protects against most ransomware samples, including Petya. Recovers affected files. Detected 10 simulated ransomware attacks in our tests. Includes 5GB of hosted online backup. Free.
Cons: Missed one real-world sample in our testing.
Bottom Line: If your antivirus misses a zero-day ransomware attack, you're in big trouble. The free Acronis Ransomware Protection offers another layer of protection, plus 5GB of online backup storage.
Acronis True Image Review
MSRP: $49.99
Pros: Excellent desktop interface. Fast upload speeds in testing. Local and cloud backup. Full disk image backup and restore. File syncing. Ransomware protection.
Cons: Expensive. Slow web interface and mobile apps. Lacks password protection for shared files.
Bottom Line: Acronis True Image's full disk backups, fast performance, and useful extras such as active file protection make it well worth the cost.
Cybereason RansomFree Review
MSRP: $0.00
Pros: Prevents ransomware attacks by detecting ransomware-specific behaviors. Fended off virulent, real-world ransomware in testing. Quick, simple installation. Free.
Cons: In testing, did not detect disk-encryption ransomware.
Bottom Line: The consequences of a ransomware attack are dire, so supplementing your antivirus with a second layer of defense like Cybereason RansomFree is a great idea. It's free; go ahead and install it.
Malwarebytes Anti-Ransomware Beta Review
MSRP: $0.00
Pros: Detects and quarantines ransomware based strictly on behavior. Performed well in hands-on testing. Lightweight. Free.
Cons: Ransomware may encrypt a few files before detection.
Bottom Line: Malwarebytes Anti-Ransomware Beta watches program behavior to thwart any ransomware that gets past your existing antivirus. This lightweight, free utility makes a great addition to your security arsenal.
Sophos Home Premium Review
MSRP: $60.00
Pros: Good scores in our hands-on tests. Protects against ransomware, keyloggers, and exploits. Remote management for up to 10 PCs or Macs. Inexpensive.
Cons: No test results from independent labs. Advanced features require uncommon tech expertise. Parental control and webcam protection limited.
Bottom Line: Sophos Home Premium expands on basic antivirus with protection technology forged in the company's enterprise-level products, but doesn't have lab results to verify its efficacy.
The Kure Review
MSRP: $19.99
Pros: On reboot, restores your PC to a clean, malware-free state. Exempts personal folders from being wiped. Ransomware recovery proved effective in testing. Live-chat tech support built in.
Cons: Malware can act freely until eliminated by reboot. Doesn't offer 24-hour tech support.
Bottom Line: When your PC has The Kure installed, you can wipe out malware just by rebooting. Your own documents aren't affected, and it even has the ability to reverse the effects of encrypting ransomware.
Trend Micro Antivirus+ Security Review
MSRP: $39.95
Pros: Excellent scores in our antiphishing and malicious URL blocking tests. Many good scores from antivirus labs. Multi-layered ransomware protection. New Pay Guard protects online transactions. Many bonus features.
Cons: Poor score in our hands-on malware protection test. Slow full scan. Ransomware protection uneven. Banking protection doesn't kick in automatically. Spam filter works only with Outlook. No multi-device licensing.
Bottom Line: In addition to effective malware protection, Trend Micro Antivirus+ Security offers layered protection against ransomware, a firewall booster, protection for online banking, and more.
Avast Internet Security Review
MSRP: $59.99
Pros: Antivirus received high scores in testing. Robust firewall. Simple spam filter. Password manager. Ransomware protection. Bonus features enhance security.
Cons: Password manager is limited in features. Many bonus features require separate purchase.
Bottom Line: Avast Internet Security is a full-scale suite, with an antivirus, a robust firewall, a simple spam filter, and a wealth of bonus features. Depending upon your needs, though, the company's free antivirus might be more cost effective.
CryptoDrop Anti-Ransomware Review
MSRP: $29.99
Pros: Detects real-world ransomware in testing. Can recover files encrypted before detection.
Cons: Failed to suspend one detected threat in testing. Only protects files in specified folders. Recovery operation can produce multiple redundant files. Minor rough spots in user interface.
Bottom Line: CryptoDrop Anti-Ransomware successfully blocks real-world ransomware and recovers damaged files. Unlike competing products, it only protects files in folders you specify.
G Data Antivirus Review
MSRP: $39.95
Pros: Excellent score in our hands-on malware protection test. Protects against banking Trojans, keyloggers, ransomware, and exploits. Includes spam filter.
Cons: So-so scores in our malicious URL blocking and phishing protection tests. Very slow full scan.
Bottom Line: G Data Antivirus gets decent marks from the independent testing labs, and it includes components designed to fight ransomware and other specific malware types. However, it gets mixed scores in our hands-on tests.
Bitdefender Anti-Ransomware Review
MSRP: $0.00
Pros: Prevents infection by specific ransomware families using vaccination technique. Lightweight. Free for personal or business use.
Cons: Does nothing against other ransomware families.
Bottom Line: Bitdefender Anti-Ransomware vaccinates your PC against infection by four specific ransomware families, and testing shows that it does the job. But you'll need some other kind of protection to handle other ransomware families, and other malware in general.
Panda Dome Advanced Review
MSRP: $70.99
Pros: Slick, attractive user interface. Parental content filter. Effective ransomware protection. Includes firewall, VPN, USB vaccination. Supports Windows, macOS, Android.
Cons: Dismal protection against dangerous and fraudulent websites. So-so score in our malware protection test. Expensive, especially on macOS and Android.
Bottom Line: Panda Dome Advanced adds parental control and ransomware protection to the features of Panda Dome Essential. It handles ransomware that slips past the entry-level product, but still has some of the lowest test scores.
Trend Micro RansomBuster Review
MSRP: $0.00
Pros: Folder Shield blocks unauthorized access to protected documents. Detects encrypting ransomware behavior in any folder. Recovers any files that were encrypted before detection. Free.
Cons: Folder Shield limited to two folders. In testing, behavior-based detection only caught half of the real-world ransomware samples.
Bottom Line: It's very good of Trend Micro to make RansomBuster available for free, and its Folder Shield successfully prevents unauthorized changes to your documents. However, the behavior-based detection system needs work.
MSRP: $0.00Pros: Prevents infection by specific ransomware families using vaccination technique. Lightweight. Free for personal or business use.Cons: Does nothing against other ransomware families.Bottom Line: Bitdefender Anti-Ransomware vaccinates your PC against infection by four specific ransomware families, and testing shows that it does the job. But you'll need some other kind of protection to handle other ransomware families, and other malware in general.Read ReviewPanda Dome Advanced Review
MSRP: $70.99Pros: Slick, attractive user interface. Parental content filter. Effective ransomware protection. Includes firewall, VPN, USB vaccination. Supports Windows, macOS, Android.Cons: Dismal protection against dangerous and fraudulent websites. So-so score in our malware protection test. Expensive, especially on macOS and Android.Bottom Line: Panda Dome Advanced adds parental control and ransomware protection to the features of Panda Dome Essential. It handles ransomware that slips past the entry-level product, but still has some of the lowest test scores.Read ReviewTrend Micro RansomBuster Review
MSRP: $0.00Pros: Folder Shield blocks unauthorized access to protected documents. Detects encrypting ransomware behavior in any folder. Recovers any files that were encrypted before detection. Free.Cons: Folder Shield limited to two folders. In testing, behavior-based detection only caught half of the real-world ransomware samples.Bottom Line: It's very good of Trend Micro to make RansomBuster available for free, and its Folder Shield successfully prevents unauthorized changes to your documents. However, the behavior-based detection system needs work.Read Review
Protecting Customer Data from Malware
Malware consists of viruses, spyware and other malicious software. Office 365 includes protection mechanisms to prevent malware from being introduced into Office 365 by a client or by an Office 365 server. The use of anti-malware software is a principal mechanism for protection of Office 365 assets from malicious software. The anti-malware software detects and prevents computer viruses, malware, rootkits, worms, and other malicious software from being introduced into any service systems. Anti-malware software provides both preventive and detective control over malicious software.
Each anti-malware solution in place tracks the version of the software and what signatures are running. The automatic download and application of signature updates at least daily from the vendor's virus definition site is centrally managed by the appropriate anti-malware tool for each service team.
The following functions are centrally managed by the appropriate anti-malware tool on each endpoint for each service team:
- Automatic scans of the environment
- Periodic scans of the file system (at least weekly)
- Real-time scans of files as they are downloaded, opened, or executed
- Automatic download and application of signature updates at least daily from the vendor's virus definition site
- Alerting, cleaning, and mitigation of detected malware
When anti-malware tools detect malware, they block the malware and generate an alert to Office 365 service team personnel, Office 365 Security, and/or the security and compliance team of the Microsoft organization that operates our datacenters. The receiving personnel initiate the incident response process. Incidents are tracked and resolved, and post-mortem analysis is performed.
SharePoint Online and OneDrive for Business Protection Against Malware
To further protect the service against malicious files, SharePoint Online (which includes OneDrive for Business) prohibits certain file types from being uploaded and prevents content from being executed directly in the service. This prohibits the potential spread of malware from within the service. Anti-malware software is installed both as part of the initial build on all systems, and on all SharePoint Online servers, enabling further protection by actively scanning document repositories and code within SharePoint Online sites and libraries.
Exchange Online Protection Against Malware
All email messages for Exchange Online travel through Exchange Online Protection (EOP), which quarantines and scans in real time all email and email attachments both entering and leaving the system for viruses and other malware. Administrators do not need to set up or maintain the filtering technologies; they are enabled by default. However, administrators can make company-specific filtering customizations using the Exchange admin center.
Using multiple anti-malware engines, EOP offers multilayered protection that's designed to catch all known malware. Messages transported through the service are scanned for malware (including viruses and spyware). If malware is detected, the message is deleted. Notifications may also be sent to senders or administrators when an infected message is deleted and not delivered. You can also choose to replace infected attachments with either default or custom messages that notify the recipients of the malware detection.
The following features help provide anti-malware protection:
- Layered Defenses Against Malware - Multiple anti-malware scan engines used in EOP help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.
- Real-time Threat Response - During some outbreaks, the anti-malware team may have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat even before a definition is available from any of the engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.
- Fast Anti-Malware Definition Deployment - The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they are publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.
Advanced Threat Protection
Advanced Threat Protection (ATP) is an email filtering service that provides additional protection against specific types of advanced threats, including malware and viruses. Exchange Online Protection currently uses robust, layered anti-virus protection powered by multiple engines against known malware and viruses. ATP extends this protection through a feature called Safe Attachments, which protects against unknown malware and viruses and provides better zero-day protection to safeguard your messaging system. All messages and attachments that don't have a known virus/malware signature are routed to a special hypervisor environment, where a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.
Exchange Online Protection also scans each message in transit in Office 365 and provides time-of-delivery protection, blocking any malicious hyperlinks in a message. Attackers sometimes try to hide malicious URLs behind seemingly safe links that a forwarding service redirects to unsafe sites after the message has been received. Safe Links proactively protects your users if they click such a link. That protection applies every time they click the link: malicious links are dynamically blocked while good links remain accessible.
ATP also offers rich reporting and tracking capabilities, so you can gain critical insights into who is getting targeted in your organization and the category of attacks you are facing. Reporting and message tracing allows you to investigate messages that have been blocked due to an unknown virus or malware, while the URL trace capability allows you to track individual malicious links in the messages that have been clicked.
For more information about ATP, see Exchange Online Protection and Office 365 Advanced Threat Protection.
SharePoint Online and OneDrive for Business Protection Against Ransomware
There are many forms of ransomware attacks, but one of the most common forms is where a malicious individual encrypts a user's important files and then demands something from the user, such as money or information, in exchange for the key to decrypt them. Ransomware attacks are on the rise, particularly those that encrypt files that are stored in the user's cloud storage. For more information about ransomware, see the Windows Defender Security Intelligence site.
Versioning helps to protect SharePoint Online lists and SharePoint Online and OneDrive for Business libraries from some, but not all, of these types of ransomware attacks. Versioning is enabled by default in OneDrive for Business and SharePoint Online. Since versioning is enabled in SharePoint Online site lists, you can look at earlier versions and recover them, if necessary. That enables you to recover versions of items that pre-date their encryption by the ransomware. Some organizations also retain multiple versions of items in their lists for legal reasons or audit purposes.
SharePoint Online and OneDrive for Business Recycle Bins
SharePoint Online administrators can restore a deleted site collection by using the SharePoint Online admin center. SharePoint Online users have a Recycle Bin where deleted content is stored. They can access the Recycle Bin to recover deleted documents and lists, if they need to. Items in the Recycle Bin are retained for 90 days. The following data types are captured by the Recycle Bin:
- Site collections
- Sites
- Lists
- Libraries
- Folders
- List items
- Documents
- Web Part pages
Site customizations made through SharePoint Designer are not captured by the Recycle Bin. For more information, see Manage the Recycle Bin of a SharePoint site collection. See also Restore a deleted site collection.
Versioning does not protect against ransomware attacks that copy files, encrypt the copies, and then delete the original files, because the version history is deleted along with the original. However, end users can use the Recycle Bin to recover OneDrive for Business files after such a ransomware attack occurs.
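The two recovery paths described above (version history for in-place encryption, the Recycle Bin for copy-encrypt-delete) as an added example in the form of a toy Python model; this is illustrative code, not Microsoft's, and the 90-day purge, the attack patterns and the recovery rule are constructed to match the text rather than any SharePoint API:

```python
# Added example (not Microsoft's code): a toy model of a SharePoint Online
# library with version history and a 90-day Recycle Bin.
from dataclasses import dataclass, field

RECYCLE_BIN_RETENTION_DAYS = 90  # retention period stated on the page

def fake_encrypt(data: bytes) -> bytes:
    # Stand-in for ransomware encryption (constructed, not real crypto).
    return bytes(b ^ 0xFF for b in data)

@dataclass
class Library:
    versions: dict = field(default_factory=dict)     # name -> [(day, content)]
    recycle_bin: dict = field(default_factory=dict)  # name -> (day_deleted, history)

    def save(self, name, content, day):
        self.versions.setdefault(name, []).append((day, content))

    def current(self, name):
        return self.versions[name][-1][1]

    def delete(self, name, day):
        # Deleted items keep their version history while in the Recycle Bin
        self.recycle_bin[name] = (day, self.versions.pop(name))

    def restore_from_recycle_bin(self, name, today):
        deleted_day, history = self.recycle_bin[name]
        if today - deleted_day > RECYCLE_BIN_RETENTION_DAYS:
            raise LookupError(f"{name} was purged from the Recycle Bin")
        self.versions[name] = history
        del self.recycle_bin[name]

def attack_overwrite_in_place(lib, name, day):
    # Pattern 1: encrypt in place; the pre-encryption version stays in history.
    lib.save(name, fake_encrypt(lib.current(name)), day)

def attack_copy_encrypt_delete(lib, name, day):
    # Pattern 2: encrypted copy plus delete; history goes with the original.
    lib.save(name + ".locked", fake_encrypt(lib.current(name)), day)
    lib.delete(name, day)

def recover(lib, name, incident_day, today):
    # Latest pre-incident version; undelete from the Recycle Bin first if needed.
    if name not in lib.versions:
        lib.restore_from_recycle_bin(name, today)
    good = [c for d, c in lib.versions[name] if d < incident_day]
    if not good:
        return None
    lib.save(name, good[-1], today)  # promote the clean version to current
    return good[-1]
```

Pattern 1 is recovered from history alone; pattern 2 needs the Recycle Bin, and the same recovery fails once the deleted item has been purged after 90 days.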