
Heilig Defense RansomOff Review | Daxdi

Sure, ransomware is a headache for individuals—who wants to lose all their progress on the Great American Novel? But imagine how much worse it is for businesses, which may lose $100,000 per hour (or more) when ransomware locks up production.

High-end business security systems need powerful protection against ransomware, and occasionally the purveyors of such systems make that protection available at the personal level.

That's the case with the free Heilig Defense RansomOff, which uses technology borrowed from the high-end Heilig Defense Correlate.


In a similar fashion, Cybereason RansomFree encapsulates the ransomware protection found in Cybereason's enterprise-level products.

However, where RansomFree, RansomStopper, and most other free ransomware-specific tools reduce settings and user interaction to a bare minimum, RansomOff includes multiple modes and modules that confused even me at times.

RansomOff is a small download, and it installs quickly.

By default, it runs in Simple Mode, described as "hassle free protection." You can also choose Advanced Mode to "unleash RansomOff's full potential." I made use of both modes in testing, as you'll see below.

Simple Mode

In the default Simple Mode, RansomOff takes care of business entirely in the background, with no notification that it has terminated threats other than a brief animation of the notification area icon.

When you double-click the icon, it displays a small window with buttons to view alerts and to switch to Advanced Mode.

In this mode, RansomOff terminates the ransomware, but it doesn't attempt cleanup.

You can always see what it did by double-clicking the icon and then clicking View Alerts.

The list of alerts includes pending cleanup operations, which you can launch manually.

In testing, it detected and terminated all my real-world ransomware samples.

I watched for the animated icon, checked the alerts, and requested cleanup in each case.

However, less than half the samples triggered a Ransomware Detected alert.

For the rest, it reported HIPS-Lite Notification, telling me that the offending program attempted to configure itself for launch at startup.

As a sanity check, I ran several utilities from the collection I maintain for false positive testing, choosing ones whose functionality requires them to launch at startup.

In every case, RansomOff eliminated these totally legitimate programs.

I haven't observed this kind of behavior in other ransomware-specific utilities.

Given that the HIPS-Lite feature eliminates both legitimate and malicious programs, I can hardly call that ransomware detection.

Advanced Mode

For further exploration, I switched RansomOff into Advanced Mode and repeated the test.

The program's behavior is very different in this mode.

On detecting ransomware, it takes over the screen with an impossible-to-ignore warning, asking your permission to deal with the problem.

You can click for more details before deciding.

If it detects modification of the startup sequence, or other suspicious actions, it pops up a less-strident HIPS-Lite notification and asks whether to allow or block the change.

I ran through the samples again, choosing Block at any HIPS-Lite warnings.

The results resembled what I saw in Simple Mode, with one glaring exception.

Perhaps due to the delay involved in displaying its notification, RansomOff allowed one sample to encrypt the files in the Documents folder before wiping it out.

I tried this several times, in case it was a fluke; it didn't happen every time, but it was definitely repeatable.

Next, I retried the samples that triggered HIPS-Lite warnings, choosing Allow this time.

That was a disaster.

Telling RansomOff to allow the startup modification also caused it to stop monitoring for ransomware activity.

"The way we view it is at that point the process was acknowledged doing something and the user made a choice one way or another," explained my contact at Heilig Defense.

"After all, the user should be smarter than the software or at the very least, makes them think a bit more before allowing it."

I can't agree.

Security software that puts critical decisions in the hands of the average user is a mistake, in my view.

It's like the old personal firewall model, which made the user responsible for all decisions about whether each program should be allowed to access the network.

Other ransomware protection tools do the job without involving user decisions.

Determined to get a clear view of the program's abilities, I turned off the HIPS-Lite feature and repeated my testing one more time.

This time around, the product detected and blocked ransomware behavior in all the samples, a very satisfactory result.

However, the one troublesome sample still managed to encrypt files before RansomOff whacked it.

Further Testing

I've occasionally encountered security programs that fail when ransomware launches at startup.

I'm pleased to say RansomOff is not one of those.

When I manually set a couple samples to launch at Windows startup, it blocked them effectively.

For a very basic sanity check, I've written a small program that encrypts all text files in the Documents folder using reversible XOR encryption.

Many ransomware protection utilities don't detect this program, because no actual ransomware would encrypt in this simple-minded fashion.

But RansomOff caught it.

I also loaded up the RanSim ransomware simulator from KnowBe4.

This tool simulates 10 techniques used by actual ransomware, along with two harmless encryption activities.

In Simple Mode, I couldn't even install it, as RansomOff wiped it out.

Trying again in Advanced Mode with HIPS-Lite turned off, I managed a successful installation.

While the test utility ran through its scenarios, I responded to 11 detection warnings by RansomOff.

At the conclusion of the test, RanSim reported successful prevention of all 10 simulated ransomware activities, along with one of the innocuous scenarios.

Acronis Ransomware Protection scored precisely the same.

Blocking all 10 simulated attacks is a big plus; one false positive is a small minus.

Fancy Ransomware Protection Features

I'm accustomed to ransomware protection tools that are so unobtrusive they barely have a main window, and sometimes have no configuration settings at all.

RansomOff in Advanced Mode is quite a departure, with several fancy features that I could only fathom by digging into the documentation.

App Lockdown

App Lockdown is a whitelist-based protection system, disabled by default, with several modes of operation.

In the strict All Processes mode, you'll have to OK every process that launches unless it's already been exempted.

Loosening up to New Process mode, RansomOff only asks for verification the first time a process runs during the Windows session.

You can cut down on popups by exempting Windows processes, digitally signed program files, or both.

I turned on App Lockdown in All Processes mode and launched Chrome.

I had to OK five distinct processes, but on a subsequent launch those processes were exempt.

Tech-savvy users can configure App Lockdown to activate automatically when a specified process loads, and optionally deactivate when that process closes.

The Web Lockdown preset configures App Lockdown to activate when a browser window is active, much like the way VoodooSoft VoodooShield ($19.99 at VoodooShield) works.

Backup and Restore

The Backup and Restore feature, enabled by default, aims to back up threatened files and, if necessary, restore them after ransomware activity.

According to the documentation, "RansomOff will make a copy of a file based on certain actions and save it away in protected space." It offers multiple restore methods, among them selecting a process to restore changes it made and searching for files that need restoration, as well as an option to undelete files RansomOff may have deleted in error.

In my testing, I never did see this feature in action; it didn't help with that one pesky ransomware sample that encrypted my documents.

The restore feature in Check Point ZoneAlarm Anti-Ransomware ($39.95 Billed Annually at ZoneAlarm) proved both simpler and more effective.

In every case, it offered to restore any encrypted files, and did so successfully.

Its only error in testing involved reporting failure once when it actually succeeded.

Acronis Ransomware Protection takes a different approach to backup.

It creates an encrypted cloud backup of the files in your protected folders, up to 5GB worth, and recovers any files damaged by ransomware after eliminating the threat.

Folder Protection

Clicking Folders brings up RansomOff's permission-based protection for folders you specify.

Like Bitdefender Antivirus Plus, Trend Micro, and a few others, it can prevent unauthorized programs from modifying files, but it offers several other options.

You can have it deny all access to files in the protected folder, hide the existence of those files, or block launching of executable files from the protected location.

This last is useful against threats such as TeslaCrypt, which drops a random-named executable file in the Documents folder and launches it.

Confusingly, you manage protection by adding folders to one of five different lists: Deny, Deceive, Hide, Read Only, and No Execution.

A folder can only occupy one of these lists at a time.

To start, I added the Documents folder to the Deny list.

This should deny both read and write access to protected files, like the similar feature in Panda Internet Security.

However, it didn't do anything to prevent a tiny editor that I wrote myself from reading and modifying files.

It turns out I wasn't paying close enough attention.

The screen clearly showed "Protection not Enabled" below my selected folder.

You must also add at least one exempt application before RansomOff will start its protection.

I added Windows Explorer to the exempt list, to enable protection.

After that, the Documents folder didn't even show up in my tiny editor's open-file dialog.

I selected Change Protection and moved my protected folder into the Read Only list.

This time my tiny editor successfully loaded a text file from the protected folder, but an attempt to save a modified version got a message saying "Stream write error." That's disappointing.

Trend Micro RansomBuster and several other similar programs report the attempted access and give you a chance to whitelist the application.

When you've just installed a new document or photo editor, you can easily whitelist it at this point.

In the process of trying out my tiny editor, I discovered many files in the Documents folder that simply did not appear in Windows Explorer.

Indeed, like RansomFree and CyberSight RansomStopper, RansomOff uses "bait" files to aid in its detection.

It generally hides them from view, like RansomStopper, but they do show up in some situations.
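The review's XOR sanity check and the bait files described above can be tied together in an added example (not code from the review or from any product it names). It shows one plausible reason a content-based heuristic could miss a simple XOR rewrite while a bait-file check still catches it. Assumptions: the XOR uses a single-byte key, the entropy threshold of 7.0 bits is arbitrary, and the bait file names and sample text are constructed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed sample text standing in for a user's document (not from the review).
SAMPLE_TEXT = ("Quarterly notes: the quick brown fox jumps over the lazy dog. " * 40).encode()

ENTROPY_ALERT_BITS = 7.0  # assumed threshold; not taken from any real product


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value histogram (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Reversible single-byte XOR (assumed form of the reviewer's test)."""
    return bytes(b ^ key for b in data)


def entropy_heuristic_fires(before: bytes, after: bytes) -> bool:
    """Flag a rewrite only when low-entropy content becomes ciphertext-like."""
    return shannon_entropy(after) >= ENTROPY_ALERT_BITS > shannon_entropy(before)


class BaitMonitor:
    """Plants bait files and reports any whose content changed or vanished."""

    def __init__(self, folder: str, names=("~a_bait.txt", "~z_bait.txt")):
        self.baseline = {}
        for name in names:  # hypothetical names chosen to sort first and last
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(SAMPLE_TEXT)
            self.baseline[path] = hashlib.sha256(SAMPLE_TEXT).hexdigest()

    def tampered(self) -> list:
        hits = []
        for path, digest in self.baseline.items():
            try:
                with open(path, "rb") as fh:
                    current = hashlib.sha256(fh.read()).hexdigest()
            except FileNotFoundError:
                current = None  # deletion or rename also counts as tampering
            if current != digest:
                hits.append(path)
        return sorted(hits)


def run_demo() -> dict:
    """Rewrite one bait file in a temp folder with XOR and compare detectors."""
    with tempfile.TemporaryDirectory() as folder:
        monitor = BaitMonitor(folder)
        clean_hits = len(monitor.tampered())
        target = sorted(monitor.baseline)[0]
        scrambled = xor_single_byte(SAMPLE_TEXT, 0x5A)
        with open(target, "wb") as fh:
            fh.write(scrambled)
        return {
            "clean_hits": clean_hits,
            "bait_hits": len(monitor.tampered()),
            "entropy_fires": entropy_heuristic_fires(SAMPLE_TEXT, scrambled),
            "entropy_delta": abs(shannon_entropy(SAMPLE_TEXT) - shannon_entropy(scrambled)),
            "reversible": xor_single_byte(scrambled, 0x5A) == SAMPLE_TEXT,
        }


if __name__ == "__main__":
    print(run_demo())
```

A single-byte XOR only relabels byte values, so the histogram entropy is unchanged and the threshold never trips; the bait hash changes regardless of how weak the transformation is.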

Needs Tuning

Most ransomware-specific protection utilities are super-streamlined, doing their jobs quietly, with little need for user interaction or configuration.

Installing such a tool alongside your existing antivirus protection gives you a simple secondary protection layer.

RansomOff is vastly more complex than any of its competitors, with advanced settings and features that are baffling without a thorough read of the docs.

In testing, it detected all ransomware samples, but let one of them encrypt files despite detection.

Techies may enjoy it, but at present, it's just too complex for the average user.

On the rosy side, the developers are quick to fix any problems, even updating the program to fix a couple issues during my review.

I look forward to a version that doesn't demand as much of the average user.

With a simpler interface and excellent recovery, Check Point ZoneAlarm Anti-Ransomware is an Editors' Choice for ransomware protection.

If paying for yet another security tool isn't what you had in mind, CyberSight RansomStopper is free, and it's also an Editors' Choice in this area.
