You should use an Anti-Exploit program to help protect your computer from zero-day attacks and rely on behavior detection programs rather than standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather than just detecting the malicious file itself which in most cases is not immediately detected by anti-virus software.
I keep an updated list of ransomware prevention tools (Post #2) in this topic. Be sure to read the Important Note below the list.
To protect against ransomware, I use the following:
CryptoPrevent is a supplemental security tool that writes 4000+ group policy object rules (Software Restriction Policies) into the registry in order to prevent executables in specific locations from running. CryptoPrevent can be used to lock down any Windows OS to prevent infection by crypto ransomware which encrypts personal files and then offers decryption for a paid ransom. CryptoPrevent artificially implants hundreds of group policy object rules into the registry in order to block executables (*.exe, *.com, *.scr and *.pif) and fake file extension executables in certain locations (i.e. %AppData%, %LocalAppData%, %userprofile%, %programdata%, Recycle Bin, Startup Folder) from running. Due to the way that CryptoPrevent works, it protects against a wide variety of malware and ransomware. There are several levels of protection but most users only need to use the default setting - "Set it and forget it" protection.
AppCheck Anti-Ransomware Free runs in the background and reacts when ransomware attempts to make changes to your computer. It includes the following features:
- Proactive Protection from ransomware and file damaging behavior...it recognizes file modification and blocks file damage.
- Ransom Shelter backs up original files in real-time before they get encrypted by ransomware and protects the backup.
- Self Protection to protect AppCheck related process and files from malware attack.
- Protection from ransomware modifying both the MBR (Master Boot Record) and the GPT (GUID Partition Table).
- Exploit Guard provides blocking protection against both known and zero-day exploits against programs which execute malicious code.
runs in the background and scans the processes for any suspicious activity. It comes preloaded with more than 30 security policies that help in distinguishing between the normal and bad behavior of a process and includes the following features:
- Basic Anti-Exploit Protection.
- Block Process Execution.
- Block System Process.
- Protect Microsoft Office Applications against exploits.
- Monitor Applications and block any suspicious process started by these applications.
Malwarebytes Anti-Exploit (MBAE) is an action level security application (behavior based) that continuously monitors popular applications, preventing vulnerabilities in software and browsers from being exploited, blocks unknown and known exploit kits, proactively preventing the exploit from installing its payload before it can do damage. More specifically, Malwarebytes Anti-Exploit provides four layers of exploit protection to include protection against Operating System security bypasses, memory caller protection, application hardening, and application behavior protection...meaning it will protect against code execution that uses a certain vulnerability in an application, stop memory calls, sandbox escapes, prevent script-based drive-by downloads, and memory mitigation bypasses. Malwarebytes Anti-Exploit runs in the background as a standard Windows Service providing realtime protection against the malicious action of exploiting software vulnerabilities. Malwarebytes Anti-Exploit blocks the malicious action of exploiting software vulnerabilities, blocks exploits of a software, blocks zero-day exploits that target browser and application vulnerabilities, blocks exploit kits and defends against script-based drive-by download attacks. Malwarebytes Anti-Exploit is primarily for protection against software exploitation...it does not protect against social engineering, the human exploit often resulting from fraud, trickery, spam and phishing emails.
Noscript.exe is a simple (but older) stand-alone utility by Symantec which disables the Windows Scripting Host (WSH), preventing all script based programs (including malicious files) from executing automatically on the system. Disabling the WSH can help with stopping Poweliks and similar malware known to download ransomware and other infections.
Using Noscript could also cause interference with some legitimate programs keeping them from working properly but you can always quickly and easily revert the changes with the same tool if necessary.
I also use Emsisoft Anti-Malware which includes exploit protection. Emsisoft's Behavior Blocker is effective against unknown zero-day attacks, file-less malware that resides only in memory, zombies (the hijacking of host processes to load malicious code which execute via script parser programs), and file-encrypting malware (ransomware) attacks. With the release of v2017.5, Emsisoft now has a separate Anti-Ransomware module
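
Added example (not part of the original post, and not CryptoPrevent's own code): a read-only PowerShell audit of the Software Restriction Policy path rules described in the CryptoPrevent paragraph above, reporting whether each listed location/extension pair has a Disallowed rule. It assumes the rules live under the standard Windows SRP policy key; the substring matching is a heuristic, because the exact rule strings CryptoPrevent writes are not given in the post, and the Recycle Bin and Startup Folder are left out for the same reason.

```powershell
# Added example: read-only audit of Software Restriction Policy (SRP) path rules.
# Assumption: rules are stored under the standard SRP policy key, where the
# level subkey "0" means Disallowed and "262144" means Unrestricted.
$levels = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }
$hives  = 'HKLM:', 'HKCU:'

# Locations and extensions taken from the post.
$locations  = '%AppData%', '%LocalAppData%', '%UserProfile%', '%ProgramData%'
$extensions = 'exe', 'com', 'scr', 'pif'

function Get-SrpPathRule {
    foreach ($hive in $hives) {
        foreach ($level in $levels.Keys) {
            $key = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\$level\Paths"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            Get-ChildItem -LiteralPath $key | ForEach-Object {
                # Read ItemData unexpanded so %AppData% stays visible in the rule text.
                $opt  = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
                $path = $_.GetValue('ItemData', $null, $opt)
                if ($path) {
                    [pscustomobject]@{ Hive = $hive; Level = $levels[$level]; Path = $path }
                }
            }
        }
    }
}

function Get-SrpCoverage {
    $blocked = @(Get-SrpPathRule | Where-Object { $_.Level -eq 'Disallowed' })
    foreach ($loc in $locations) {
        foreach ($ext in $extensions) {
            # Heuristic: the rule names the location variable and ends in the extension.
            $hits = @($blocked | Where-Object {
                $_.Path -like "*$loc*" -and $_.Path -like "*.$ext"
            })
            [pscustomobject]@{
                Location  = $loc
                Extension = $ext
                Rules     = $hits.Count
                Covered   = ($hits.Count -gt 0)
            }
        }
    }
}

Get-SrpCoverage | Format-Table -AutoSize

# Unrestricted path rules are exceptions to the block list; review each one.
Get-SrpPathRule | Where-Object { $_.Level -eq 'Unrestricted' } | Format-Table -AutoSize
```

A pair reported as not covered may still be blocked by a broader rule or by another control such as AppLocker, so treat the table as a starting point for review.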