When a brand-new virus, bot, or Trojan comes out, antivirus tools usually catch it through the use of heuristics, fuzzy detection, or behavioral techniques. Sometimes, though, this zero-day malware has free rein for a short while until the antivirus community catches up. Typically, an antivirus update wipes out the new threat within days, or even hours. But if the threat was ransomware, that’s too little, too late, as your files are already encrypted. For that reason, many individuals and businesses choose to supplement standard antivirus protection with a separate ransomware protection app. Some such apps work by preventing unauthorized changes to protected folders, while others apply behavioral analysis to detect encrypting ransomware. NeuShield Data Sentinel, on the other hand, makes no attempt to detect or prevent ransomware! Instead, it focuses on reversing the effects of a ransomware attack. It did a fine job in our testing, though it does have some limitations.
How Much Does NeuShield Data Sentinel Cost?
NeuShield’s pricing is multitiered, like that of Editors’ Choice Check Point ZoneAlarm Anti-Ransomware. Which costs more? It depends on how many devices you want to protect. A single-device license for NeuShield costs $23.99 per year, while ZoneAlarm goes for $34.95 per year. Choosing a three-license ZoneAlarm subscription brings that price up to $44.95; with three NeuShield licenses your cost jumps to $59.99. NeuShield’s Family Pack gives you five licenses for $79.99, while five ZoneAlarm licenses cost $54.95. To put it another way, a single NeuShield license costs roughly $10 less than ZoneAlarm, while, at each multi-device tier, it costs roughly $5 more per device.
Data Sentinel's main window is mostly white, with touches of grays and blue-greens. It defaults to an Overview page that displays what the company calls the Data Protection Matrix. This page is more window dressing than anything, but it's attractive. Points on a circular matrix move based on disk activity, forming a big green blob that changes shape as that activity changes. If Data Sentinel detects activity related to boot-sector ransomware, the shape turns red for a while. That's it.
Menu items down the left open pages devoted to Anti-Ransomware, Anti-Wiperware, and Mirror Shielding. Clicking NeuShield Explorer brings up a special view of Windows Explorer that I'll explain in detail below. One more menu item opens your NeuShield account online.
This review covers the Home edition, the one most suited to consumers. A free edition exists, but it lacks remote management and the all-important One-Click Restore feature. There’s also a Business edition, with business-oriented features like server protection and integration with the Kaseya VSA management framework. The what? Yeah, it’s not for the average consumer.
A Shrinking Field
Although ransomware attacks are on the rise, the field of products dedicated to ransomware defense is dwindling. Several years ago, you could choose from a dozen or so standalone ransomware protection tools from consumer security companies, and many of those tools were free. Most of these have since vanished, for one reason or another. For example, Acronis Ransomware Protection used to be a free standalone tool, but now it only appears as a component in the company’s backup software. Likewise, Malwarebytes Anti-Ransomware now exists only as part of the full Malwarebytes Premium. As for Heilig Defense RansomOff, its web page used to say “RansomOff will be back at some point,” but now there’s no page at all.
In addition to the consumer security arena, a few ransomware protection tools come from enterprise security companies that decided to do the world a service by offering just their ransomware component as a freebie for consumers. And all of those have also fallen by the wayside, as companies find that the free product eats up support resources. For example, CyberSight RansomStopper is no longer with us, and Cybereason RansomFree has likewise been discontinued.
Bitdefender Anti-Ransomware is gone for a more practical reason. While it existed, it took an unusual approach. A ransomware attacker that encrypted the same files twice would risk losing the ability to decrypt them, so many such programs leave a marker to avoid double-dipping. Bitdefender would emulate the markers for many well-known ransomware types, in effect telling them, "Move on! You've already been here!" This approach proved too limited to be practical. CryptoDrop, too, seems to have vanished.
That leaves CryptoPrevent Premium and Data443 Ransomware Recovery Manager. Well, almost. After my review earlier this year, Data443 pulled their product from the market pending necessary improvements. And CryptoPrevent performed poorly enough in testing that it earned just two stars.
Getting Started With Data Sentinel
Unlike any other ransomware protection product I've seen, Data Sentinel includes a remote management console. That being the case, it makes sense that you start by signing up for an online account. Next, you purchase the product, or enter a license key, and download the installer.
The website generates an installer that's specific to your account, so you don't have to sign in after the quick installation. Once it's installed, it starts protection immediately. It makes a kind of snapshot of essential Windows files, the way System Restore does. And it applies special protection to the files in these folders: 3D Objects, Contacts, Desktop, Documents, Music, Pictures, Saved Games, and Videos. Clicking Anti-Ransomware in the menu lets you see the list of protected folders. You can't remove folders from that initial group, but you can add custom folders to the protection list. New since my last review, you can add whole drives (other than the boot drive) to the list.
Data Sentinel also protects the local folder manifestations of popular cloud services, if present. Specifically, it protects Box, Dropbox, Google Drive, OneDrive, and OneDrive for Business. If you’ve configured the storage service so it appears as a folder on your system, Data Sentinel can protect that folder.
Clicking Anti-Wiperware reveals Data Sentinel's boot sector protection. It detects and kills apps that try to encrypt or corrupt your hard drive, as well as apps that try to infect the Master Boot Record. There's no way to reverse those actions, which is why Data Sentinel needs to proactively prevent them. You can turn these protections off…but please don’t. Protection against data wipers as well as ransomware is all the more important now that we’ve seen the effect of data-wiper campaigns in Ukraine.
Mirror Shielding
Data Sentinel calls the feature that lets you recover clean versions of your protected files Mirror Shielding. Understandably, they don't go into detail about precisely how it works. Though you can't turn this feature off, it does have a dedicated page in the main window.
The Mirror Shielding page lists three types of threats neutralized by Data Sentinel: file-less malware, advanced persistent threats, and zero-day threats. Where you might expect an on-off switch, there is, instead, a link to learn more about each.
The gist of Mirror Shielding is that Data Sentinel gets between your files and all attempts to change them. In effect, it virtualizes your file system, so any changes aren't permanent until committed. If ransomware encrypts your files, even that change is virtualized, and you can undo it by throwing away the changes that haven't been committed. New since my last review, NeuShield can even roll back a Windows 11 installation to Windows 10, though I didn’t test this feature.
Webroot SecureAnywhere AntiVirus also handles ransomware (and other malware) by virtualizing its actions. It eliminates known malware immediately, leaves known good software alone, and monitors unknowns, journaling all system changes. It also sends its observations to Webroot’s cloud for analysis. If the cloud comes back with a verdict that the monitored program is malware, the local agent wipes it out and rolls back all its changes.
Data Sentinel commits files on a regular basis—every 24 hours by default. Here, committed means Data Sentinel applies the pending changes to the actual file. What happens if files get committed after encryption? Data Sentinel maintains previous file versions, which it calls Data Engrams. By default, it maintains up to seven Data Engrams for each file. In addition, Data Sentinel will now pause the commit schedule if it detects possible malware activity. You use the online console to re-enable the schedule after cleanup.
Data Sentinel doesn't automatically commit files over the weekend, because ransomware attacks often target end-of-day Friday for their dirty deeds. If you're sure the files in a protected folder are all fine, you can manually commit them at any time.
It’s worth noting that Data443’s product also functions by virtualizing changes to the file system and Registry. However, it virtualizes all changes, so on every reboot your PC reverts entirely to a previous state, except for documents in protected folders. To install a new program, update existing programs, or perform Windows updates, you must turn off protection, reboot, perform the installation, turn on protection, and reboot again. In addition, its recovery system for protected files only acts when it detects ransomware, which it did only half the time in testing. There’s no way to trigger it manually. These were among the reasons Data443 temporarily pulled the product from distribution.
NeuShield Explorer
With Data Sentinel installed, Windows Explorer gets a few changes in its handling of files and folders. When you right-click a protected folder, you'll find a NeuShield menu item, with submenus to revert or commit changes to that folder. Right-click a file and you get a Revision History menu item. That’s an improvement: the last time I looked, the revision history existed as a page in each file’s Properties dialog.
Clicking NeuShield Explorer in the main window brings up a Windows Explorer view that only displays protected folders, making them easier to find. This is also where you invoke One-Click Restore—more about that shortly.
How Data Sentinel Works
Some kinds of malware hide in the background, exfiltrating your personal data, forcing your computer to participate in a bot army, or using your resources to mine cryptocurrency. The longer they can go undetected, the better.
Ransomware is totally different. Once it has done its nefarious work, it needs to get your attention, explain what happened, and tell you how to pay the ransom. Ransomware announces itself, so there's no need to detect it…provided that you're prepared to undo its damage.
When ransomware gets in your face, demanding money, you can just ignore its demands if you have Data Sentinel installed. Waving the magic wand of One-Click Restore eliminates the ransomware itself by reverting all executable files and other monitored programs to their previous state. And you can right-click any protected folder and choose to revert its files back to their clean, unencrypted state.
In the earliest editions, One-Click Restore relied on the System Restore function built into Windows to restore your system to the way it was yesterday, without touching your documents and settings. Later versions stopped relying on the unreliable System Restore. The current version promises changes that can “significantly increase the speed at which NeuShield can revert the operating system.” In testing, this speedup proved to be significant indeed.
Monitored Files, Protected Folders
One-Click Restore doesn’t restore absolutely everything. Like System Restore, it monitors and recovers files matching a lengthy set of file extension types. Files can be monitored or not; folders can be protected or not. Data Sentinel treats each combination separately when remediating a ransomware attack.
For a monitored file in a protected folder, One-Click Restore recovers the original, unencrypted version. A subsequent Revert action tries to do the same, but the filename is already taken. So, it reverts the original file contents while retaining the name imposed by ransomware. You wind up with two identical files, which is way better than none.
Most files in protected folders are unmonitored types such as documents, pictures, and videos. One-Click Restore has no effect on these, while Revert brings back the originals. Most monitored files don’t reside in protected folders. One-Click Restore totally recovers these files, while Revert has no effect. These are the most common recovery scenarios.
That leaves unmonitored files in unprotected folders, things like .cab, .dat, and .log files. If ransomware chooses to encrypt such files, Data Sentinel doesn’t bring them back. In testing, I found a few instances where the cleanup process left behind as many as 10,000 ancillary files encrypted. To be fair, I didn’t notice any problems as a result, and the same thing happens with ZoneAlarm.
Hands On With Data Sentinel
I installed Data Sentinel on a virtual machine for testing. No way would I release actual ransomware on a physical computer! Once it was up and running, I hit it with a collection of real-world file-encrypting ransomware, one at a time. After finishing with each sample, I reverted the virtual machine to the same safe state.
In such a test I typically find that a few of the ransomware samples fail to perform, perhaps recognizing the presence of anti-ransomware software. This time around, all my samples functioned as expected, encrypting files in many locations. Most, but not all, displayed a ransom note, or changed the desktop background into a ransom note. Data Sentinel did nothing to stop them, as expected.
The last time I tested this product, I first reverted the affected files and used the Lockdown feature to prevent all changes to the restored files for 15 minutes. After that, I ran One-Click Restore to eliminate the ransomware itself. My company contact pointed out that it’s smarter to run One-Click Restore first, so that’s what I did this time. In each case, One-Click Restore finished in about three minutes, vastly better than the half-hour required during my last test.
There are two ways to revert protected files back to their unencrypted versions. First, you can use NeuShield Explorer to fix each folder. You right-click the folder in NeuShield Explorer, choose NeuShield from the menu, and select Revert. Once you confirm, Data Sentinel restores files in that folder. Second, you can open the online console, choose the folders you want to revert, and send a single command to revert them all. I used both methods in testing.
Data Sentinel did warn that the process of reverting changes puts all your files back to their state as of yesterday. Any edits and deliberate changes made today vanish, along with the nasty changes made by ransomware. And the One-Click Restore eliminates all programs installed today, not just the ransomware. Those lost edits and minor changes are a small price to pay, compared with losing all your files, or paying the ransom. In every case, One-Click Restore combined with reverting the uncommitted files undid the damage done by the ransomware.
Disk-Encrypting Ransomware
Most ransomware attacks hold your essential documents for ransom, leaving the rest of the computer alone. Disabling the computer would take away your ability to pay the ransom, after all. However, you do occasionally find ransomware that encrypts the whole disk, and I keep one of those in my test collection.
This ransomware program simulates a crash, pretends to collect data about the crash, and then reboots, claiming it's recovering your drive. In truth, it's encrypting the whole drive. When it's done, it flashes a garish ransom demand. Protection utilities that focus on file-encrypting ransomware often miss this one.
When I launched the sample on my test system, it had no chance to do anything nasty, because Data Sentinel caught it immediately. As promised, its protection matrix display turned red for a while, and a small popup announced that Data Sentinel protected against an attack on the boot sector. Crisis averted!
Screen Lockers and Online Management
Screen locker ransomware is much more common on mobile devices, but it exists for PCs as well. A screen locker, as the name implies, takes over your screen, displaying its ransom note and preventing all other activity. These often pretend to be warnings from law enforcement, calling the required payment a fine rather than a ransom.
One-Click Restore could easily handle this problem—except that the screen locker prevents you from invoking that feature. Ransomware protection in Kaspersky Internet Security includes a special keystroke to break the hold of screen lockers. Data Sentinel's handling is more sophisticated.
The Data Sentinel online console lists all your protected devices (just one in my case) and offers access to detailed logs of client activity and account activity. It also lets you remotely control the local copy of Data Sentinel.
To negate the screen locker’s hold on my protected virtual PC, I first clicked the Device Details button. This revealed a multipage collection of important details about the device's hardware, network, and security, as well as the settings of the local Data Sentinel client. It also changed the Device Details button into a Restore/Revert button.
Clicking that button gave me a choice of One-Click Restore, Revert Files, or Restore Overlay (this last item lets you reenable a paused commit schedule). For this case, no files were at stake, so I chose the first option. Unlike the local client, the online console gave me a choice of which Data Engram to use (more about those below).
Data Sentinel doesn't just wildly perform a remote restore on the computer without consulting the local user. By default, it shows a confirmation message for 30 seconds, and the user can choose to allow it or not. You can set your own message and increase the message time up to five minutes. You can also choose to force the restore after confirmation timeout. I needed that last option, since the test system's screen was locked. The remote restore totally did the job.
The online console also gives you more control over how you revert files after an encrypting ransomware attack. From online, you can choose multiple folders at once and revert them. Locally, you must manage one folder at a time.
Business owners take note—by changing settings in the console you can put your IT department in charge of Data Sentinel installations, removing the local user's control entirely. In a home setting, you could protect your child’s computer while keeping all control over settings and activities to yourself. If you want to make very sure nobody can change these settings, you can enable multi-factor authentication for your online NeuShield account.
Commitment and Engrams
By default, Data Sentinel commits changes once a day. You can change that commit interval to as short as four hours or as long as four days, but the default daily commit is probably fine. When you revert files, you lose the changes you made after the most recent commit. Again, losing those changes on a handful of files is vastly less impactful than losing all your documents to ransomware.
It's conceivable that you might miss evidence of a ransomware attack at first. Some don't display a message, but rather embed an email address in the names of modified files, for example. In that case, Data Sentinel might commit the ransomware's changes, making a simple revert action useless. New since my last review, Data Sentinel potentially avoids this problem by pausing the commit schedule if it detects anomalous behavior that suggests malware.
Even if encrypted versions of your files get committed, you can still recover, though it will take time. You right-click each affected file and choose Revision History. Here you can choose and revert to a previous file version, up to seven of them by default. You can also save a copy of any revision level, leaving the original unchanged.
Keeping the data necessary for recovering files takes disk space, naturally. It's hard to say exactly how much, but the product's FAQ says it averages about a 10 percent increase in disk space used for protected files, plus up to 10GB to support One-Click Restore. You shouldn't use Data Sentinel on a drive that has limited free space. But then, your life will be better in many ways if you ensure your drives have plenty of free space.
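The commit, revert, and Data Engram behavior described in this section and under Mirror Shielding, as a toy Python model added for illustration. It is not NeuShield's code, whose internals the vendor does not publish: the class, its method names, and the in-memory storage are assumptions, and only the 24-hour interval, the seven-version cap, the weekend skip, and the schedule pause come from the text above.

```python
from collections import deque
from datetime import datetime, timedelta

MAX_ENGRAMS = 7                        # from the page: up to seven versions per file
COMMIT_INTERVAL = timedelta(hours=24)  # from the page: default daily commit


class OverlayFolder:
    """Hypothetical model of a protected folder; not the product's design."""

    def __init__(self, now):
        self.committed = {}   # name -> bytes actually "on disk"
        self.pending = {}     # name -> bytes written but not yet committed
        self.engrams = {}     # name -> deque of earlier committed versions
        self.last_commit = now
        self.paused = False   # set when suspicious activity pauses the schedule

    def write(self, name, data):
        self.pending[name] = data          # every change lands in the overlay

    def read(self, name):
        return self.pending.get(name, self.committed.get(name))

    def revert(self):
        self.pending.clear()               # throw away uncommitted changes

    def commit(self):
        for name, data in self.pending.items():
            if name in self.committed:     # keep the version being replaced
                history = self.engrams.setdefault(name, deque(maxlen=MAX_ENGRAMS))
                history.append(self.committed[name])
            self.committed[name] = data
        self.pending.clear()

    def tick(self, now):
        """Scheduled commit; skipped on weekends and while paused."""
        due = now - self.last_commit >= COMMIT_INTERVAL
        if not due or self.paused or now.weekday() >= 5:
            return False
        self.commit()
        self.last_commit = now
        return True

    def restore_revision(self, name, index=-1):
        """Bring back an earlier committed version (-1 is the most recent)."""
        self.committed[name] = self.engrams[name][index]
        self.pending.pop(name, None)


def scenario(noticed_before_commit, pause_on_anomaly=False):
    """Return the file content after a plain revert and after full recovery."""
    monday = datetime(2024, 1, 8, 9, 0)            # constructed sample date
    folder = OverlayFolder(monday)
    folder.write("report.docx", b"plaintext v1")   # constructed sample file
    folder.commit()
    folder.write("report.docx", b"<ciphertext>")   # stand-in for an encrypting write
    folder.paused = pause_on_anomaly
    if not noticed_before_commit:
        folder.tick(monday + timedelta(hours=24))  # schedule runs before anyone looks
    folder.revert()
    after_revert = folder.read("report.docx")
    if after_revert != b"plaintext v1":            # encrypted version was committed
        folder.restore_revision("report.docx")
    return after_revert, folder.read("report.docx")


if __name__ == "__main__":
    print(scenario(noticed_before_commit=True))
    print(scenario(noticed_before_commit=False))
    print(scenario(noticed_before_commit=False, pause_on_anomaly=True))
```

The second scenario is the slow path the text describes: a plain revert returns ciphertext because the encrypted version was already committed, and only the per-file revision brings the original back.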
Other Ransomware Protection Techniques
ZoneAlarm Anti-Ransomware does its best to detect ransomware behavior and terminate the attack before it can do harm. It also does its best to restore any files that were encrypted before the takedown. ZoneAlarm's protected backups exist locally, and the company quite reasonably doesn't go into detail about how they're stored. In testing, it proved effective.
Trend Micro Maximum Security throws a slew of techniques into the ring. Its Folder Shield component prevents all unauthorized changes to files in protected folders, for starters. Its behavioral component detects ransomware activity in any folder. It also recovers files that got encrypted before behavioral detection kicked in. However, when I tested this feature as a standalone it didn't fare well.
The technique of preventing unauthorized changes can be quite effective, and it's used by many general-purpose antivirus programs. As with Data Sentinel's approach, this works without requiring detection of ransomware as such, provided the user doesn't blindly authorize the wrong program. Even Microsoft Defender Antivirus includes a form of this protection style.
Panda Dome Advanced takes that last concept a step further. It prevents unauthorized programs from all access, even read-only access. In addition to balking ransomware attacks, this technique could foil a data-stealing Trojan.
You install ransomware protection to handle a case where your main antivirus lets a zero-day attack slip past. A slick new attack like that just might elude behavior-based detection as well. With Data Sentinel, that attacker will encrypt your files, but you'll almost certainly get them back.
Does Exactly What It Promises
Rather than try to detect and avert ransomware attacks, Data Sentinel focuses on recovering from such an attack, and it offers features not found anywhere else, including a high-powered online management console. In testing, it handled file-encrypting, disk-encrypting, and screen-locking ransomware. You do risk losing the current day's file changes, but that's better than losing all your files.
At present, our Editors' Choice ransomware protector is Check Point ZoneAlarm Anti-Ransomware. Yes, Data Sentinel reversed the effects of all the ransomware attacks we tried, but ZoneAlarm prevented those attacks from taking effect in the first place. Even so, Data Sentinel is an excellent choice.
NeuShield Data Sentinel doesn't attempt ransomware detection, which can fail. Instead, it offers techniques for recovering from ransomware. It performs well in testing.