Skip to main content

WinAntiRansom Review

WinAntiRansom is a commercial program for the Windows operating system that is been designed to protect PCs against ransomware attacks.

Ransomware comes in two main flavors: programs that lock the PC down, and programs that encrypt files. Both have in common that they ask you to pay a ransom, usually in form of Bitcoin, to regain access to the PC or the files (with no guarantee whatsoever that you will get an unlock code after making the payment).

WinAntiRansom is one of the few programs available currently designed to deal with all ransomware threats on PCs running Windows.

This sets it apart from the majority of anti-ransomware tools out there that may protect you against specific types of ransomware only.

WinAntiRansom

winantiransom plus

Installation of the program should not raise any issues on 32-bit or 64-bit versions of Windows. Please note that the program requires the Microsoft .NET Framework 4.0, and that it is compatible with all versions of Windows starting with Windows XP SP3.

It will start to discover programs on the system on first start to add those to a whitelist. Whitelisting plays a major part in defending the system against ransomware. Naturally, you may review the list of programs discovered and remove them from being added to the whitelist.

New programs that you run on the system are picked up by WinAntiRansom automatically, and depending on how you have set up the program, added to the whitelist automatically if they were not blocked by the program's defense systems.

You may change the default behavior to get more control over the process but you will spend time whitelisting programs manually then. Whitelisted programs are allowed to access content protected by the program's defense layers.

Advanced mode enables you to define the layers a program has access to. You may for instance allow a program to access the SafeZone folder and its files, but not the Windows Registry.

You find an option in the system tray menu of the program to run any program as whitelisted, without whitelisting it. This can be useful to run a seldom used program once with whitelisting privileges.

The developers have integrated Virustotal checks in the program which you can make use of to have a program scanned and analyzed by the online service.

winantiransom virustotal

Other helpful tools allow you to open a program's properties dialog and to display details about it.

The details provided include MD5 and SHA256 hash values, signature and Windows Protected file information, and customer statistics which highlights how many WinAntiRansom customers are allowing or blocking the file. In addition, there is a "is allowed" suggestion displayed as well.

winantiransom details

The main program view lists some of the information directly, for instance if a program listed there is signed or a Windows Protected file.

You may block any program from running on the system using the block feature, and check the access history which lists the last 500 times files or folders were accessed, and by which program.

WinAntiRansom: The layered approach

WinAntiRansom uses a layered approach in its fight to keep the PC clean from ransomware. There are four main layers of protection that the program uses to keep the PC clean:

  1. PreEmptive Actions: This layer attempts to identify ransomware directly by blocking programs from running on the system if they show signs of malware or ransomware behavior.
  2. SafeZone Actions: WinAntiRansom allows you to select a folder on your system that you want protected specifically. The program blocks program access to the folder except for applications that you whitelist specifically. The feature is a bit limited, as you may select only one folder, and cannot select a root folder of a drive.
  3. Network Lockdown Actions: The layer prevents programs from accessing the computer network if they are not whitelisted.
  4. Protected Registry Actions: The fourth and final layer protects important Registry keys from being altered by programs that are not whitelisted. You may add custom Registry keys to the program.

Layers two to four are designed to detect ransomware that slips by the preemptive layer. They increase the chance that ransomware will be stopped in its tracks depending on its actions on the system. For instance, a program that is not whitelisted may attempt to encrypt files protected by the SafeZone, or may alter important Registry keys.

If that is the case, it is stopped from doing so as it is not whitelisted. You can then review the access, and either whitelist it, or block it.

Some demos

So how good is the program and how does it stack up against other anti-ransomware programs?

Here are a couple of YouTube videos that demonstrate the program's capabilities:

Winlock Ransomware

Petya MBR Encryption

Verdict

WinAntiRansom is an excellent program that provides better protection against ransomware than any of the other programs designed for that purpose.

With better functionality comes more complexity often, but this is not the case here as everything is handled automatically for the user. This does not mean that you have to give up control though, as you can monitor and manage the activity at any time, and enable advanced mode for more control.

The program has been designed to block ransomware, but there is little reason why it won't stop other malware as well dead in its tracks, especially those malicious programs that share similarities with ransomware.

It is a complementary security tool all in all that runs well alongside traditional antivirus software.

The price is more than fair, considering that you can run the program on five of your own devices and pay once for lifetime access.

 

This article was first seen on ComTek's "TekBits" Technology News

HOME