The consequences of antivirus missing a zero-day ransomware attack are calamitous enough that many individuals and businesses choose to supplement standard antivirus protection with a separate ransomware protection app. Some such apps work by preventing unauthorized changes to protected folders, while others apply behavioral analysis to detect encrypting ransomware. NeuShield Data Sentinel makes no attempt to detect ransomware! Instead, it focuses on reversing the effects of a ransomware attack. It did a fine job in our testing, though it does have some limitations.
How Much Does NeuShield Data Sentinel Cost?
At $23.99 per year, Data Sentinel is a little on the pricey side. Check Point ZoneAlarm Anti-Ransomware goes for $14.95 per year. CryptoPrevent costs almost the same, at $15 per year. You can get three Data Sentinel licenses for $59.99 per year, or five for $79.99. At that five-license level, its per-device price is about the same as the other two. Trend Micro RansomBuster remains free. The positive side of paying for protection is that NeuShield isn’t likely to vanish due to lack of income. Furthermore, its substantial online management console justifies the ongoing yearly subscription charge.
Data Sentinel’s main window is mostly white, with touches of grays and blue-greens. It defaults to an Overview page that displays what the company calls the Data Protection Matrix. This page is more window dressing than anything, but it’s attractive. Points on a circular matrix move based on disk activity, forming a big green blob that changes shape. If Data Sentinel detects activity related to boot-sector ransomware, the shape turns red for a while. That’s it.
Three menu items down the left open pages devoted to Anti-Ransomware, Anti-Wiperware, and Mirror Shielding. Clicking NeuShield Explorer brings up a special view of Windows Explorer that I’ll explain in detail below. One more menu item opens your NeuShield account online.
This review covers the Home edition, the one most suited to consumers. A free edition exists, but it lacks remote management and the all-important One-Click Restore feature. There’s also a Business edition, with business-oriented features like server protection and integration with the Kaseya VSA management framework. The what? Yeah, it’s not for the average consumer.
A Dwindling Field
Several years ago, you could choose from a dozen or so standalone ransomware protection tools from consumer security companies, and many of those tools were free. Most of those have since vanished, for one reason or another. For example, Acronis Ransomware Protection used to be a free standalone tool, but now it only appears as a component in the company’s backup software. Likewise, Malwarebytes Anti-Ransomware now exists only as part of the full Malwarebytes Premium. As for Heilig Defense RansomOff, its web page just says “RansomOff will be back at some point.”
In addition to the consumer security world, a few ransomware protection tools come from enterprise security companies that decided to do the world a service by offering just their ransomware component as a freebie for consumers. And quite a few of those have also fallen by the wayside, as companies find that the free product eats up support resources. For example, CyberSight RansomStopper is no longer with us, and Cybereason RansomFree has likewise been discontinued.
Bitdefender Anti-Ransomware is gone for a more practical reason. While it existed, it took an unusual approach. A ransomware attacker that encrypted the same files twice would risk losing the ability to decrypt them, so many such programs leave some kind of marker to avoid double-dipping. Bitdefender would emulate the markers for many well-known ransomware types, in effect telling them, “Move on! You’ve already been here!” This approach proved too limited to be practical. CryptoDrop, too, seems to have vanished.
Getting Started With Data Sentinel
Unlike any other ransomware protection product I’ve seen, Data Sentinel includes a remote management console. That being the case, it makes sense that you start by signing up for an online account. Next, you purchase the product, or enter a license key, and download the installer.
The website generates an installer that’s specific to your account, so you don’t have to sign in after the quick installation. Once it’s installed, it starts protection immediately. Specifically, for each user it protects the files in these folders: 3D Objects, Contacts, Desktop, Documents, Music, Pictures, Saved Games, and Videos. Clicking Anti-Ransomware in the menu lets you see the list of protected folders. You can’t remove folders from that initial group, but you can add custom folders to the protection list.
Data Sentinel also protects the local folder manifestations of popular cloud services, if they’re present. Specifically, it protects Box, Dropbox, Google Drive, OneDrive, and OneDrive for Business.
Clicking Anti-Wiperware reveals Data Sentinel’s boot sector protection. It detects and kills apps that try to encrypt or corrupt your hard drive, as well as apps that try to infect the Master Boot Record. There’s no way to reverse those actions, which is why Data Sentinel needs to proactively prevent them. You can turn these protections off…but why would you do that?
NeuShield calls the feature that lets you recover clean versions of your files Mirror Shielding. Understandably, they don’t go into a lot of detail about precisely how it works. Though you can’t turn this feature off, it does have a dedicated page in the main window.
The Mirror Shielding page lists three types of threats neutralized by Data Sentinel: fileless malware, advanced persistent threats, and zero-day threats. Where you might expect an on-off switch, there is, instead, a link to learn more about each.
The gist of Mirror Shielding is that Data Sentinel gets between your files and all attempts to change them. In effect, it virtualizes your file system, so those changes aren’t permanent until committed. If ransomware encrypts your files, even that change is virtualized, and you can undo it by throwing away the changes that haven’t been committed.
Webroot SecureAnywhere AntiVirus also handles ransomware (and other malware) by virtualizing its actions. It eliminates known malware immediately, leaves known good software alone, and monitors unknowns, journaling all system changes. It also sends its observations to Webroot’s cloud for analysis. If the monitored program turns out to be malware, the local agent wipes it out and rolls back all its changes.
Data Sentinel commits files on a regular basis—every 24 hours by default. Here, committed means Data Sentinel applies the pending changes to the actual file. What happens if files get committed after encryption? Data Sentinel maintains previous file versions, which it calls Data Engrams. By default, it maintains up to seven Data Engrams for each file.
Data Sentinel doesn’t automatically commit files over the weekend, because ransomware attacks often target end-of-day Friday for their dirty deeds. If you’re sure the files in a protected folder are all fine, you can manually commit them at any time.
With Data Sentinel installed, Windows Explorer gets a few changes in its handling of files and folders. When you right-click a protected folder, you’ll find a NeuShield menu item, with submenus to revert or commit changes to that folder. In the Properties menu for a protected file, a NeuShield page lists all that file’s Data Engrams, with the option to restore to previous versions. Note that restoring an earlier version discards all later versions. Use this ability carefully.
Clicking NeuShield Explorer in the main window brings up a Windows Explorer view that only displays protected folders, making them easier to find. This is also where you invoke One-Click Restore—more about that shortly.
How Data Sentinel Works
Some kinds of malware hide in the background, exfiltrating your personal data, forcing your computer to participate in a bot army, or using your resources to mine cryptocurrency. The longer they can go undetected, the better.
Ransomware is totally different. Once it has done its nefarious work, it needs to get your attention, explain what happened, and tell you how to pay the ransom. Ransomware announces itself, so there’s no need to detect it… as long as you’re prepared to undo its damage.
When ransomware gets in your face, demanding money, you can just ignore it—if you have Data Sentinel installed. You can right-click any protected folder and choose to revert its files back to their clean, unencrypted state. If the ransomware process is still active, you can put the recovered files in lockdown for a specified period—15 minutes by default. In lockdown, the files are protected from any change by any process.
As for the ransomware itself, you handle that with a feature called One-Click Restore. In earlier editions, this feature relied on the System Restore function built into Windows to restore your system to the way it was yesterday, without touching your documents and settings. The current version no longer depends on System Restore. According to NeuShield, this makes the restoration process as much as 10 times faster.
Hands On With Data Sentinel
I installed Data Sentinel on a virtual machine for testing. No way would I release actual ransomware on a physical computer! Once it was up and running, I hit it with a collection of real-world file-encrypting ransomware, one at a time. After finishing with each sample, I reverted the virtual machine to a safe state.
As always, a few of the ransomware samples just didn’t perform. Perhaps they recognized the presence of Data Sentinel. Those that did function did so completely, encrypting files in many locations. Most, but not all, displayed a ransom note, or changed the desktop background into a ransom note. Data Sentinel did nothing to stop them, as expected.
I used NeuShield Explorer to check which folders were affected, and then I reverted each folder’s contents to their saved state. I accepted the offer to put the folders on lockdown for the default 15 minutes. You can cancel all active lockdowns from the notification area icon menu.
I observed that reverting folders did not get rid of the ransom notes. In addition, I could see in Task Manager that many of the ransomware processes remained active. Good thing I used lockdown! My NeuShield contact explained that it’s safer to use One-Click Restore first and revert the files with no danger of ransomware encrypting them again.
To fully cleanse the system, I invoked One-Click Restore. This feature promised to remove all changes made since the specified time without affecting documents, pictures, and other personal data. A small notification let me know that One-Click Restore was starting, followed by a banner warning that the system would restart.
Upon restart, NeuShield visibly took over the system, restoring changed documents as well as Windows files and settings. The previous method, based on System Restore, took about 20 minutes. The new method doesn’t rely on the unreliable System Restore and is intended to run faster, but in my testing the restore process actually took 30 minutes or more.
In every case, Data Sentinel succeeded in eliminating the ransomware and recovering the encrypted files. That being the case, I didn’t begrudge it the time that was required. My NeuShield contact pointed out that System Restore isn’t always reliable, and that the new restoration method, entirely controlled by Data Sentinel, does a more thorough job.
Data Sentinel did warn that the process of reverting changes puts all your files back to their state as of yesterday. Any edits and deliberate changes made today vanished, along with the nasty changes made by ransomware. And the One-Click Restore eliminated all programs installed today, not just the ransomware. Those lost edits and minor changes are a small price to pay, compared with losing all your files, or paying the ransom.
In every case, One-Click Restore combined with reverting the uncommitted files undid all the damage done by the ransomware. It did leave behind a few encrypted copies of recovered files, but those proved harmless.
Most ransomware attacks hold your essential documents for ransom, leaving the rest of the computer alone. Disabling the computer would take away your ability to pay the ransom, after all. However, you do occasionally find ransomware that encrypts the whole disk, and I keep one of those in my collection.
This ransomware program simulates a crash, pretends to collect data about the crash, and then reboots, claiming it’s recovering your drive. In truth, it’s encrypting the whole drive. When it’s done, it flashes a garish ransom demand. Protection utilities that focus on file-encrypting ransomware often miss this one.
When I launched the sample on my test system, it had no chance to do anything nasty, because Data Sentinel caught it immediately. As promised, its protection matrix display turned red for a while, and a small popup announced that Data Sentinel protected against an attack on the boot sector. Crisis averted!
Screen Lockers and Online Management
Screen locker ransomware is much more common on mobile devices, but it exists for PCs as well. A screen locker, as the name implies, takes over your screen, displaying its ransom note and preventing all other activity. These often pretend to be warnings from law enforcement, calling the required payment a fine rather than a ransom.
One-Click Restore could easily handle this problem—except that the screen locker prevents you from invoking that feature. Kaspersky Internet Security includes a special keystroke to break the hold of screen lockers. Data Sentinel’s handling is more sophisticated.
The Data Sentinel online console lists all your protected devices (just one in my case) and offers access to detailed logs of client activity and account activity. It also lets you remotely control the local copy of Data Sentinel.
To recover from the screen locker, I first clicked the Device Details button. This revealed a multi-page collection of important details about the device’s hardware, network, and security, as well as the settings of the local Data Sentinel client. It also changed the Device Details button into a Restore/Revert button.
Clicking that button gave me a choice of One-Click Restore or Revert Files. For this case, no files were at stake, so I chose the first option. Unlike the local client, the online console gave me a choice of which Data Engram to use (more about those below).
Data Sentinel doesn’t just wildly perform a remote restore on the computer without consulting the local user. By default, it shows a confirmation message for 30 seconds, and the user can choose to allow it or not. You can set your own message and increase the message time up to five minutes. You can also choose to force the restore after confirmation timeout. I needed that last option, since the test system’s screen was locked. The remote restore totally did the job.
The online console also gives you more control over how you revert files after an encrypting ransomware attack. From online, you can choose multiple folders at once and revert them. Locally, you must manage one folder at a time. Business owners take note—by changing settings in the console you can put your IT department in charge of Data Sentinel installations, removing the local user’s control entirely.
Limitations and Engrams
By default, Data Sentinel commits changes once a day. That means that when you revert files, you lose changes you made after the most recent commit. But losing those changes on a handful of files is vastly less impactful than losing all your documents to ransomware.
It’s conceivable that you might miss evidence of a ransomware attack at first. Some don’t display a message, but rather embed an email address in the names of modified files, for example. In that case, Data Sentinel might commit the ransomware’s changes, making a simple revert action useless.
Don’t despair; you can still recover your files, though it will take time. For each affected file, you right-click it, choose Properties, and open the NeuShield tab. Here you can revert to previous Data Engrams, up to seven of them by default.
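To make the difference between a simple revert and an engram restore concrete, here is a small model of the commit behavior this review describes: pending changes, a 24-hour commit that skips weekends, and up to seven retained versions. It is an added illustration, not NeuShield's code (the company doesn't publish how Mirror Shielding works); the class and function names are hypothetical and the sample file contents are constructed.

```python
from datetime import datetime, timedelta

MAX_ENGRAMS = 7                          # default number of Data Engrams per the review
COMMIT_INTERVAL = timedelta(hours=24)    # default commit interval per the review

class ProtectedFile:
    """Hypothetical model of one protected file, not NeuShield's real design."""

    def __init__(self, content: bytes):
        self.committed = content   # what is actually on disk
        self.pending = None        # uncommitted (virtualized) change, if any
        self.engrams = []          # earlier committed versions, newest last

    def write(self, content: bytes) -> None:
        self.pending = content     # every change lands in the overlay first

    def read(self) -> bytes:
        return self.committed if self.pending is None else self.pending

    def revert(self) -> None:
        self.pending = None        # discard whatever has not been committed

    def commit(self) -> None:
        if self.pending is None:
            return
        self.engrams.append(self.committed)
        del self.engrams[:-MAX_ENGRAMS]          # keep only the newest seven
        self.committed, self.pending = self.pending, None

    def restore_engram(self, index: int) -> None:
        """Go back to an earlier version; it and all later ones leave the history."""
        self.committed = self.engrams[index]
        del self.engrams[index:]
        self.pending = None

def auto_commit_due(last_commit: datetime, now: datetime) -> bool:
    """Scheduled commit: once the interval has passed, but never on a weekend."""
    return now.weekday() < 5 and now - last_commit >= COMMIT_INTERVAL

ENCRYPTED = b"\x8f\x02\xd1 constructed stand-in for ransomware output"

def noticed_attack() -> bytes:
    """Attack spotted before the next commit: a plain revert is enough."""
    f = ProtectedFile(b"report v1")
    f.write(ENCRYPTED)
    f.revert()
    return f.read()

def missed_attack() -> tuple:
    """Attack committed unnoticed: revert does nothing, an engram restore does."""
    f = ProtectedFile(b"report v1")
    f.write(b"report v2")
    f.commit()
    f.write(ENCRYPTED)
    f.commit()                           # scheduled commit ran before anyone noticed
    f.revert()
    after_revert = f.read()
    f.restore_engram(-1)                 # newest pre-attack version
    return after_revert, f.read()
```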
Keeping the data necessary for recovering files takes disk space, naturally. It’s hard to say exactly how much, but the product’s FAQ says it averages about a 10 percent increase in disk space used. You shouldn’t use Data Sentinel on a drive that has limited free space. But then, your life will be better in many ways if you ensure your drives have plenty of free space.
Other Ransomware Protection Techniques
ZoneAlarm Anti-Ransomware does its best to detect ransomware behavior and terminate the attack before it can do harm. It also does its best to restore any files that were encrypted before the takedown. ZoneAlarm’s protected backups exist locally, and the company quite reasonably doesn’t go into detail about how they’re stored. In testing it proved effective.
Trend Micro RansomBuster throws a slew of techniques into the ring. Its Folder Shield component prevents all unauthorized changes to files in protected folders, for starters. Its behavioral component detects ransomware activity in any folder. It also recovers files that got encrypted before behavioral detection kicked in. However, it didn’t fare well in testing.
The technique of preventing unauthorized changes can be quite effective, and it’s used by many general-purpose antivirus programs. As with Data Sentinel’s approach, this works without requiring detection of ransomware as such, provided the user doesn’t blindly authorize the wrong program.
Panda Dome Advanced takes that last concept a step further. It prevents unauthorized programs from all access, even read-only access. In addition to balking ransomware attacks, this technique could foil a data-stealing Trojan.
You install ransomware protection to handle a case where your main antivirus lets a zero-day attack slip past. A slick new attack like that just might elude behavior-based detection as well. With Data Sentinel, that attacker will encrypt your files, but you’ll almost certainly get them back.
Does Exactly What It Promises
Data Sentinel costs a bit more than the competition—in fact, some competitors are free. But its price gets you features not found anywhere else, in particular a high-powered online management console. In testing, it handled file-encrypting, disk-encrypting, and screen-locking ransomware. You do risk losing the current day’s changes, but that’s better than losing all your files. If you’re willing to pay for ransomware peace of mind, especially in a business setting, Data Sentinel can be an excellent choice.
At present, our Editors’ Choice ransomware protector is Check Point ZoneAlarm Anti-Ransomware. Yes, Data Sentinel reversed the effects of all the ransomware attacks we tried, but ZoneAlarm prevented those attacks from taking effect in the first place. Even so, Data Sentinel is a very good choice.
The Bottom Line
Any ransomware detection technique can fail, so NeuShield Data Sentinel doesn’t attempt detection. Instead, it offers multiple techniques to recover from ransomware—techniques that perform well in testing.
NeuShield Data Sentinel Specs
| Protection Type | Ransomware Protection |
| Ransomware Behavior Detection | No |
| Prevent File Modification | No |
| Prevent All File Access | No |