Almost all the antivirus programs in my reviews are just updates of products I’ve examined many times over the years. I rarely see anything new, which is why I was excited to check out WinPatrol WinAntiRansom. Despite the name, this product aims to protect against all forms of malware, not just ransomware. Because it analyzes program behavior rather than relying on signatures, it should in theory be equally effective against all malware, including brand-new zero-day attacks. In practice, however, it both missed some malware and falsely identified many good programs as malicious.
At $19.95 per year, or $24.95 for three licenses, WinAntiRansom is decidedly less expensive than most. Looking strictly at the list price, Bitdefender Antivirus Plus 2017, Kaspersky, Norton, and Webroot all cost twice as much for a single license. McAfee runs three times the price of WinAntiRansom, but permits unlimited installations. On the other hand, paying a bit more gets you a lot more in the way of protection in this case.
WinAntiRansom is unusual in that it doesn’t have a home screen or main window. At launch, it displays the settings page, with a ribbon across the top allowing access to logs, configuration, help, and so on. A set of icons at top right expands into a screen that lets you select from nearly four dozen skins, including several devoted to specific seasons or holidays. I can’t quite fathom why an anti-malware program needs so many skins, though.
Immediately after installation, WinAntiRansom runs a scan to identify and list known good programs present on the system. Clicking the Programs icon displays this list, which flags digitally signed programs and Windows components with special icons. Once this scan finishes, WinAntiRansom is on the job.
Malware Blocking on Launch
The independent antivirus testing labs around the world have more resources than I do for putting security programs to the test. The fact that they test a program at all says that they consider it important enough, and that the vendor is willing to participate. Good scores? Even better! Kaspersky Anti-Virus in particular earns excellent scores from all the labs that I follow.
Unfortunately, none of the labs include WinAntiRansom in testing. That doesn’t mean it’s bad, but it doesn’t inspire confidence.
With no test results from the independent labs, I had to rely entirely on my hands-on testing of this utility’s efficacy. Unlike most antivirus apps, WinAntiRansom looks only at program behavior, so there’s no on-access scan. That made testing simple. I just launched each malware sample in my collection and recorded the app’s reaction.
The antivirus detected 97 percent of my samples, the same as Norton, Trend Micro Antivirus+ Security, and a few others. In each case, it popped up a notification window with the title “PreEmptive Strike Block!” and a line stating “Performed a Ransomware/Malware like action” followed by a number in parentheses. The popup offered two choices, Allow Next Time and Quarantine. WinAntiRansom detected some of the samples immediately on launch, others after a little time had passed.
Those numbers intrigued me. During my testing, I encountered 15 different numbers, ranging from one to 3001. My contact at the company explained that the numbers represent the final action that pushed the program’s aggregate behavior score over the top. “We’ve never made them public because we don’t want to help the malware authors find a way to avoid detection, or competitors to improve their products,” he explained.
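To make the idea of an aggregate behavior score concrete, here is an added illustration that is not WinAntiRansom's code: the company does not publish its action codes or weights, so the codes, labels, weights and threshold below are all constructed for this example. It models what the review describes: each observed action adds to a per-process score, and the code of the action that pushes the score over the threshold is what ends up in the popup. The same model also shows why a legitimate program can trip the block, which is the false-positive problem discussed later in the review.

```python
"""Threshold-based behavior scoring, added as an illustration of the concept.
Not WinAntiRansom's implementation: its codes and weights are not public."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical action codes -> (description, weight). Constructed for this example.
ACTION_WEIGHTS = {
    1: ("wrote to a startup Registry key", 20),
    7: ("modified many user documents in a short time", 45),
    12: ("opened an outbound connection to an unknown host", 15),
    3001: ("tampered with backup/restore settings", 60),
}
THRESHOLD = 60  # assumed score at which the process is blocked


@dataclass
class ProcessVerdict:
    """Running score for one process plus the action that tipped it over."""
    score: int = 0
    history: list = field(default_factory=list)
    tipping_action: Optional[int] = None


def observe(verdict: ProcessVerdict, action_code: int) -> ProcessVerdict:
    """Add one observed action; once blocked, further actions are ignored."""
    if verdict.tipping_action is not None:
        return verdict
    label, weight = ACTION_WEIGHTS[action_code]
    verdict.score += weight
    verdict.history.append((action_code, label))
    if verdict.score >= THRESHOLD:
        verdict.tipping_action = action_code
    return verdict


def evaluate(actions: list) -> ProcessVerdict:
    """Score a whole sequence of observed actions for one process."""
    verdict = ProcessVerdict()
    for code in actions:
        observe(verdict, code)
    return verdict


def popup_text(verdict: ProcessVerdict) -> Optional[str]:
    """The kind of one-line message the review describes; None if not blocked."""
    if verdict.tipping_action is None:
        return None
    return f"Performed a Ransomware/Malware like action ({verdict.tipping_action})"


if __name__ == "__main__":
    # Constructed event streams: a suspicious process and a benign backup tool.
    suspicious = evaluate([12, 1, 7])
    backup_tool = evaluate([7, 1])  # touches many documents and adds a startup entry
    print(popup_text(suspicious), suspicious.history)
    print(popup_text(backup_tool), backup_tool.history)
```

Note that the benign backup tool is blocked by exactly the same rule as the suspicious process: a pure score-over-threshold model has no notion of who the program is, only of what it did, which is why a trusted-program list and a clear explanation in the popup matter so much in practice.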
WinAntiRansom’s quarantine prevented most of the malware samples from installing anything at all. However, in a few cases I found a malware process not only installed but running. It’s possible that the behavior-based detection system quarantined one process but missed another. This brought WinAntiRansom’s overall score down to 9.2 points. Symantec Norton AntiVirus Basic and Trend Micro earned 9.7 points because they completely blocked every detected malware attack. Webroot ranks at the top in this test, with a perfect 10 points.
Many False Positives
I could write an antivirus program that absolutely blocks every malicious program. The only problem is, it would also block every non-malicious program. In the real world, antivirus utilities have two goals—to block all malicious programs, and to leave all valid programs alone. False positives, flagging valid programs as malicious, break down the user’s trust in the accuracy of the antivirus.
For a false-positive sanity check, I tested WinAntiRansom’s reaction to a collection of utility programs once published in PC Magazine. I keep these utilities in the same folder as the malware samples, going through the list alphabetically, and launching both good and bad programs.
The results were dismal. Only five of the 20 programs escaped WinAntiRansom’s preemptive strike block. Yes, the user could choose to allow the program next time, and launch it again. But I’m not a fan of security programs that leave that sort of decision to the user. The fact that the popup notification doesn’t identify its reason for classifying the program as malware makes that decision extra tough.
Blocking the Latest Threats
I couldn’t apply my usual malicious URL blocking test to WinAntiRansom, because it doesn’t attempt to block access to malware-hosting URLs and doesn’t scan downloads until they run. I value this test, however, because the malware samples in the feed supplied by MRG-Effitas are very current, and the URLs themselves no more than a day old. So, I devised a modified test for WinAntiRansom.
Usually I use 100 samples, but for this more labor-intensive test I stopped once I had downloaded 50 of them. Then I simply went down the line, launching each and noting the application’s response. The results were disappointing. WinAntiRansom only offered to quarantine 78 percent of the samples. Norton blocked 98 percent, mostly by wiping out the downloaded malware. Avira Antivirus Pro managed 95 percent protection, almost all by steering the browser away from the malware-hosting URL.
Just for a sanity check, I ran the MD5 hash of each sample through VirusTotal. VirusTotal checks each sample against more than 50 antivirus engines and reports how many deemed it malicious. I recorded the percentage that flagged each sample as malicious. For files that WinAntiRansom detected, the average VirusTotal detection rate was 59 percent. For those that it missed, the average was 53 percent, which isn’t much of a difference.
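The sanity check above is easy to reproduce for any product. The added example below is not from the review or from VirusTotal: it hashes each sample (MD5 as the review did, plus SHA-256, which VirusTotal also accepts as a lookup key), then compares the average multi-engine detection rate for the files the product caught against the files it missed. The sample bytes, the caught/missed labels and the per-file engine counts are all constructed here so the script runs offline; the `malicious`/`undetected` fields are assumed to mirror the shape of VirusTotal's v3 `last_analysis_stats`, but no live lookup is made.

```python
"""Added example: compare average VirusTotal-style detection rates for
samples a product caught versus missed. Offline; all data is constructed."""
import hashlib
from statistics import mean


def file_hashes(data: bytes) -> dict:
    """MD5 (what the review used) and SHA-256, both usable as VirusTotal keys."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed stand-ins for downloaded samples and their engine verdicts.
# 'stats' mimics the malicious/undetected counters of VT v3 last_analysis_stats.
SAMPLES = [
    {"name": "s1.exe", "data": b"sample-one",   "product_detected": True,
     "stats": {"malicious": 40, "undetected": 15}},
    {"name": "s2.exe", "data": b"sample-two",   "product_detected": True,
     "stats": {"malicious": 30, "undetected": 25}},
    {"name": "s3.exe", "data": b"sample-three", "product_detected": True,
     "stats": {"malicious": 28, "undetected": 28}},
    {"name": "s4.exe", "data": b"sample-four",  "product_detected": False,
     "stats": {"malicious": 30, "undetected": 26}},
    {"name": "s5.exe", "data": b"sample-five",  "product_detected": False,
     "stats": {"malicious": 29, "undetected": 26}},
]


def detection_rate(stats: dict) -> float:
    """Percentage of engines that flagged the file as malicious."""
    total = stats["malicious"] + stats["undetected"]
    return 100.0 * stats["malicious"] / total if total else 0.0


def compare(samples: list) -> dict:
    """Average engine detection rate for caught vs. missed samples, to 0.1%."""
    caught = [detection_rate(s["stats"]) for s in samples if s["product_detected"]]
    missed = [detection_rate(s["stats"]) for s in samples if not s["product_detected"]]
    caught_avg = round(mean(caught), 1) if caught else None
    missed_avg = round(mean(missed), 1) if missed else None
    gap = round(caught_avg - missed_avg, 1) if caught and missed else None
    return {"caught_avg": caught_avg, "missed_avg": missed_avg, "gap": gap}


if __name__ == "__main__":
    for s in SAMPLES:
        h = file_hashes(s["data"])
        print(s["name"], h["md5"], "caught" if s["product_detected"] else "missed")
    print(compare(SAMPLES))
```

A small gap between the two averages, as in the review's 59 versus 53 percent, suggests the product's misses are not simply the obscure samples that most engines also overlook; a large gap would suggest the opposite.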
To be fair, it’s possible that some of those missed files simply hadn’t started their malicious behaviors. That’s a hazard of strict behavior-based detection—it can’t identify a program that’s just lurking in the background, waiting for an opportunity to misbehave. But Webroot SecureAnywhere AntiVirus also uses behavior-based detection, and it scored much better in all of my tests.
Other Features, and Flaws
WinAntiRansom has numerous additional layers to prevent damage by a malicious program that gets past its behavior-based detection. Network Lockdown works like a firewall’s program control, blocking network connections by programs not on the trusted list. Registry protection prevents unknown programs from making changes to critical Registry areas. The company deliberately doesn’t list the critical Registry areas, so as not to make things easy for hackers.
As a further bulwark against ransomware, WinAntiRansom denies unknown programs access to files in the SafeZone, which, by default, is a subfolder of your Documents folder. I thought it would make more sense to put the entire Documents folder in the SafeZone, but the app wouldn’t let me. From the ribbon, you can click icons to view all recent actions by Registry protection, Network Lockdown, and SafeZone.
I tried to test Network Lockdown by surfing the Internet with my hand-coded tiny browser. However, WinAntiRansom identified it as malicious. The only way I could run it was to mark it as trusted, at which point it was no longer subject to Network Lockdown. Likewise, I thought I could test SafeZone using a tiny text editor that I wrote myself, but WinAntiRansom quarantined it. All three of my lists remained empty, just as they are in the help system’s screenshots.
During my testing, the program froze several times, triggering a query from Windows about whether I wanted to just close it, or seek a solution first. It also crashed with an unhandled exception error message a couple times.
I also encountered a very bizarre behavior related to the skins feature. First, I selected the Valentine’s Day skin, which turns the background pink, with little hearts scattered around. Then I resized the window. At this point, the background started cycling through three views, each one sweeping down slowly from the top. One was the correct pink-heart background, one was a window-filling grid of little gear icons, and one was just black. The peculiar display stopped after a while, but started again if I resized the window. This behavior was completely repeatable, and happened with some, but not all, of the other skins. I mentioned earlier that I’m baffled by the huge amount of design attention given to supplying dozens of skins, and the weird skin behavior just makes it more puzzling.
WinPatrol WinAntiRansom aims to keep you safe from known and unknown malware by basing its detection on behavior, not on predefined signatures. It’s a noble goal, but as far as I could see in testing, the program has a long way to go. It missed some malicious programs, blocked many valid programs, and exhibited oddly buggy behavior in testing.
Out of the huge number of antivirus products out there, we’ve identified five as Editors’ Choice: Bitdefender Antivirus Plus, Kaspersky Anti-Virus, McAfee AntiVirus Plus, Symantec Norton AntiVirus Basic, and Webroot SecureAnywhere Antivirus. Each has its own virtues; for example, McAfee offers unlimited installations, and Webroot uses behavior-based detection successfully. You pay more for one of these antivirus utilities, but you get significantly better protection.