Successfully protected against real-world ransomware samples and cleaned up all traces of ransomware in testing. Very easy to use.
Not free like some competing products. In one test, it reported failure even though it succeeded.
Bottom Line
Check Point ZoneAlarm Anti-Ransomware is the most effective ransomware-specific security tool we've seen. In testing, it showed complete success against all of our real-world samples.
The best antivirus utilities use many different layers of protection, from the matching of malware signatures to heuristic analysis to behavior-based detection. Every now and then, though, some new attacker makes it through all the layers and plants something nasty on your PC. In most cases, an antivirus update wipes out the malware infestation within a few days, or even hours. That ex post facto removal can be a hollow victory, however, if the attack involves ransomware. Sure, the malware itself is gone, but your files remain encrypted and inaccessible. Because of that potential for lasting damage, you'd be wise to install an additional layer of protection aimed specifically at defeating ransomware—something like Check Point ZoneAlarm Anti-Ransomware.
This utility's code base comes from a larger, enterprise-level protection system, Check Point's Enterprise Forensics. Cybereason RansomFree also relies on code from a business-level security system. The code for Malwarebytes Anti-Ransomware goes in the opposite direction, however. After the latest technology has kicked around in the consumer realm for a while, the company uses it to enhance Malwarebytes Anti-Ransom for Business.
Both RansomFree and Malwarebytes Anti-Ransomware Beta are totally free. ZoneAlarm isn't free, but at $2.99 per month after a free 30-day trial, it's hardly expensive. As you'll see below, it also proved extremely effective in testing.
Techniques for Ransomware Protection
Malwarebytes, RansomFree, and ZoneAlarm all work by watching active processes for behaviors suggesting ransomware activity. Webroot SecureAnywhere AntiVirus adds behavior-based ransomware detection on top of its other protective layers, and its journal-and-rollback management of activity should let it reverse any chicanery that a ransomware threat perpetrated before its discovery.
However, behavior-based detection is just one technique. There are a number of other ways for security products to implement ransomware protection.
The point of encrypting ransomware is not to disable your computer. You'll need that computer working to pay the ransom, after all. The most vulnerable files are your documents, images, and other personal files, so some products thwart ransomware by banning unauthorized modification of these files. Bitdefender Antivirus Plus, Trend Micro Antivirus+ Security, and Panda Internet Security are among the products that use this type of protection. When there's an attempt at unauthorized access, you get a notification. If your new image-editing utility triggered the warning, you simply add it to the trusted list. But if the warning doesn't match anything you're doing, block it!
Panda Internet Security goes one step further, blocking even read-only access by unauthorized programs. In addition to keeping ransomware out, this level of protection can also serve to foil data-stealing Trojans.
Before a security solution can analyze a program's behavior for telltale signs of ransomware, that program might well encrypt a few files, or even a lot of files. Acronis True Image 2017 New Generation includes behavior-based detection along with its central backup functionality, but it can also automatically restore any encrypted files from secure online backup. ZoneAlarm also aims to restore any files hit by ransomware, and it does an impressive job.
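The detection lag and repair step described in this section can be sketched as a small in-memory model; this is an added example, not code from Check Point or any vendor named here. It journals the original content of every file an untrusted process touches, blocks the process after a burst of rewrites that turn ordinary content into high-entropy data, then rolls back its changes and deletes files it created. The entropy threshold, burst limit, process names and the dictionary standing in for the disk are all assumptions.

```python
import math
from collections import Counter, defaultdict

ENTROPY_LIMIT = 7.0             # assumed: bits/byte above which content looks encrypted
BURST_LIMIT = 3                 # assumed: suspicious rewrites tolerated before blocking
TRUSTED = {"photo_editor.exe"}  # hypothetical user-approved trusted list

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class Guard:
    def __init__(self, files):
        self.files = dict(files)          # path -> content, stand-in for the disk
        self.journal = defaultdict(dict)  # process -> {path: content before first write}
        self.strikes = Counter()
        self.blocked = set()

    def write(self, process, path, data):
        """Apply a write; return False if the process is (or just became) blocked."""
        if process in self.blocked:
            return False
        old = self.files.get(path)        # None means the process is creating the file
        if process not in TRUSTED:
            self.journal[process].setdefault(path, old)
            if entropy(data) > ENTROPY_LIMIT and entropy(old or b"") <= ENTROPY_LIMIT:
                self.strikes[process] += 1
        self.files[path] = data
        if self.strikes[process] >= BURST_LIMIT:
            self.blocked.add(process)
            self.rollback(process)
        return process not in self.blocked

    def rollback(self, process):
        """Undo everything the process wrote, deleting files it created."""
        for path, original in self.journal.pop(process, {}).items():
            if original is None:
                self.files.pop(path, None)
            else:
                self.files[path] = original

def demo():
    docs = {f"doc{i}.txt": b"quarterly report text " * 20 for i in range(5)}
    guard = Guard(docs)
    fake_cipher = bytes(range(256))   # constructed high-entropy stand-in for ciphertext
    guard.write("photo_editor.exe", "doc4.txt", b"edited by trusted tool")
    results = [guard.write("sample.exe", "RANSOM_NOTE.txt", b"pay up")]
    results += [guard.write("sample.exe", f"doc{i}.txt", fake_cipher) for i in range(5)]
    return guard, docs, results
```

In the constructed run, two documents are overwritten before the third rewrite trips the limit; the rollback then restores all three and removes the note file, while the trusted editor's change is left alone.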
Getting Started With ZoneAlarm Anti-Ransomware
While the product is free for 30 days, you do have to create or log in to your Check Point account online, and you do have to provide credit card information. You can cancel with no charge right up to the 30-day deadline, but after that you'll start paying $2.99 per month.
Installation is quick and simple. Within minutes, you see the big, super-simple main window. All it says is that your files are protected from ransomware. There are no settings, no logs, nothing but that simple screen of information. You can minimize the program to its icon in the notification area and never think about it again…until ransomware attacks.
Real-World Ransomware Protection
How do you test a behavior-based ransomware protection tool? Truly, the only way to do it is to use live, real-world ransomware. Simulation tools can be useful, but any simulator that fully and truly emulated ransomware behavior would itself be ransomware. To check ZoneAlarm's protection, I used a half-dozen ransomware samples found in the wild. Naturally I perform this testing in an isolated virtual machine that gets wiped after each test.
Shortly after I launched the first sample, the main ZoneAlarm window appeared with a big warning that it had detected a ransomware attack. A toaster-style transitory popup also announced this discovery. My Check Point contacts pointed out that this popup isn't redundant—if you're enmeshed in a modern UI application you'll see the popup, not the main window.
After a short while, the app announced that it quarantined the ransomware. It warned that the attack changed some files, but offered to repair them. Naturally I chose the repair option. On the page that lists affected files, there's a big Not Ransomware link. In the rare event that ZoneAlarm accidentally identifies a valid program as ransomware, clicking this link is your chance to rescue the program from quarantine. I didn't see any false positives, so in each case I chose to repair the files and checked the status of those files afterward.
ZoneAlarm handled four of the six samples just as simply as I've described. For one sample, it reported a failure to repair the encrypted files, but direct observation showed that in fact it had succeeded. On checking the logs, my Check Point contacts explained that the files in question belonged to ZoneAlarm itself, and had been protected against encryption. Repair failed because there was nothing to repair. I can see this as possibly confusing, but it's certainly better than erroneously reporting success.
With the last sample, I almost thought ZoneAlarm had met its match. It reported discovery of ransomware activity multiple times, and spent five minutes at the analysis phase. During this time, the ransomware changed the desktop to a ransom demand, and displayed its ransom demand in the browser. However, the repair process not only fixed all the files, it also wiped out the ransom notes!
This is a truly impressive showing. RansomFree detected my samples, but didn't clean up things like ransom notes. Malwarebytes let the ransomware encrypt a few files before managing to stop the process. Acronis totally missed one of my samples. And CryptoPrevent Premium missed most of my samples, despite overwhelming the desktop with a plethora of bait files.
Simulated ransomware isn't entirely without value. A ransomware solution can demonstrate success by blocking the simulations. I just don't take failure to block simulated attacks as an actual failure. I tried to test ZoneAlarm using the RanSim ransomware simulator from KnowBe4. However, ZoneAlarm detected and eliminated the program's helper processes, leaving a score of zero successes and zero failures.
The Best Ransomware Protection
Ransomware protection is still a new field, with new products turning up all the time. Among the ransomware-specific tools I've evaluated so far, ZoneAlarm Anti-Ransomware is a clear winner. It successfully handled all my real-life ransomware samples (even when it didn't think it had succeeded). It fixed all changes made by the ransomware processes, including wiping out ransom notes that some other products leave behind. If ransomware is a big concern for you, the $2.99 per month price tag shouldn't be too much of a burden.
Even if you are not worried enough to spend the price of a cup of coffee for a month's protection, you should probably still run a ransomware protection tool. Since earlier this year, I've been running both Cybereason RansomFree and Malwarebytes Anti-Ransomware alongside my main Symantec Norton Security Premium, with no compatibility problems.
Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips…