mamelas (Greece) asked:
Additional Protection from Ransomware Attacks

Dear Experts,

According to your personal experience would you suggest Malwarebytes Endpoint Protection or Panda Adaptive Defense 360 in order to add an extra layer of protection for such attacks?
McKnife (Germany):

You shouldn't see antivirus as an adequate measure. If you see how fast malware evolves nowadays, it's safe to say "the days for AV are over". AV is still "an extra layer", but please rather consider looking into application whitelisting like software restriction policies and AppLocker. Those are built into Windows and are by far more effective.
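As an added example of the whitelisting approach recommended above (my own code, not from this thread or any of the posters), the following PowerShell builds an AppLocker policy from already-installed software and applies it in audit-only mode, so you can see what would be blocked before enforcing. It assumes an elevated session on a Windows edition that supports AppLocker enforcement, and that the listed directories contain only admin-installed software.

```powershell
# Added example: generate an AppLocker audit-only policy from trusted install locations.
# Requires elevated PowerShell on Windows Enterprise/Education or Windows Server.
Import-Module AppLocker

# Assumption: these directories hold only trusted, admin-installed software.
$trustedDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'

# Collect publisher/hash information for executables and scripts in those directories.
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# Prefer publisher (signature) rules, fall back to hash rules for unsigned files,
# and let -Optimize collapse redundant rules.
$policy = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize

# Start in AuditOnly for the collections that got rules: nothing is blocked yet,
# but every would-be block is written to the AppLocker event log.
foreach ($collection in $policy.RuleCollections) {
    if ($collection.Count -gt 0) { $collection.EnforcementMode = 'AuditOnly' }
}

# Keep the generated XML for review and for later deployment through GPO.
$policy.ToXml() | Out-File -FilePath "$env:TEMP\applocker-audit.xml" -Encoding UTF8

# Apply to the local machine; AppLocker only evaluates anything while the
# Application Identity service (AppIDSvc) is running.
Set-AppLockerPolicy -PolicyObject $policy
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Dry run: how would executables in a user-writable location (where mail-borne
# droppers usually land) be treated under this policy?
$samples = Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -File -ErrorAction SilentlyContinue
if ($samples) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $samples.FullName -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# After some days in audit mode, event 8003 lists every file that would have been
# blocked; review that list before switching EnforcementMode to 'Enabled'.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Business applications installed outside the listed directories will show up as 8003 events during the audit phase and need their own publisher or path rules before enforcement.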
We use Kaspersky Endpoint Security for our servers, scan all servers every 2 weeks with Nessus to check for vulnerabilities and apply the latest patches involved. Also, we create an ACL in the router to block the IP addresses of ransomware servers.

PS: Attached file is our ACL created based on recommendation of government.
WannaCry-ACL.txt
Antivirus won't help a lot. By the time AV has seen the newer strains, the damage is done.

You need to stop the malware from coming in. It comes in emails from strangers and you need top-notch spam filters to stop it.
mamelas (asker):
Thank you for your replies.

I also have Kaspersky Endpoint Security on my Servers and Clients and I would say that I am satisfied till now.
Malwarebytes is not just an AV as it includes Anti-Exploit, Anti-Malware and Anti-Ransomware.
On the other side, Panda Adaptive Defense has an Applock feature that blocks unknown software.

Of course you should have a next-gen Firewall, Anti-Virus and Anti-Malware engine enabled on the Anti-Spam.

The above question is based on the Windows Client perspective:
 - All Clients should have the latest update on Windows, Java etc.
 - An Antivirus
 - And maybe a software such as Malwarebytes or Panda Adaptive Defence or Cisco AMP for Clients (which is very expensive)

 Please advise if you have personal experience from using the Malwarebytes or Panda Adaptive Defence or Cisco AMP for Clients.

Just for the record, both Malwarebytes and Panda have released screenshots proving that they have successfully blocked the WannaCry Ransomware.
There is nothing to block if patches are installed.
So the question is, what are you really looking for? WC is something that would never happen in maintained (patched) environments. Also: those ports would never be open apart from file servers.
@McKnife: what if your environment has mixed types of PCs? For example: the file server is 2012R2, but clients are WinXP, Win7, 8.1, 10? SMBv1 still has to be open in this type of environment, am I right?
There are patches for xp/2003/08/08R2/...anything. Only Win10 v1703 got no patch since it is so new; the fix was already incorporated.
Yes, I know all patches are available, but I mean SMBv1 still needs to be open so that WinXP can access the file server.
Please understand: SMB ports need to be open on the target, not on the source. The file server is the target.
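To turn the target-versus-source point above into a check, here is an added PowerShell example (mine, not from any poster) that reports whether a host accepts inbound SMB, which shares it exposes and whether the SMB1 server is still on; a client with no shares should show no enabled inbound 445 rule, while the file server needs them. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example: report a host's SMB exposure (inbound 445 rules, shares, SMB1 status).
# Assumes elevated PowerShell 5.1 on Windows 8.1 / Server 2012 R2 or later.
function Get-SmbExposure {
    $server = Get-SmbServerConfiguration

    # Enabled inbound allow rules whose port filter covers TCP 445 (or any port).
    $inbound445 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and
                (@($pf.LocalPort) -contains '445' -or @($pf.LocalPort) -contains 'Any')
        }

    # Shares other than the built-in administrative ones (C$, ADMIN$, IPC$).
    $userShares = Get-SmbShare | Where-Object { -not $_.Special }

    # A client hosting no shares has no reason to accept SMB at all; a file server
    # must accept it, but SMB1 should stay on only while XP/2003 clients need it.
    $verdict = if (@($userShares).Count -eq 0 -and @($inbound445).Count -gt 0) {
        'Client accepts inbound SMB but hosts no shares: disable the inbound rules'
    } elseif ($server.EnableSMB1Protocol) {
        'SMB1 server enabled: needed only for XP/2003 clients; keep the WannaCry SMB patch applied'
    } else {
        'OK'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Smb1ServerEnabled   = $server.EnableSMB1Protocol
        Smb2ServerEnabled   = $server.EnableSMB2Protocol
        Inbound445RuleCount = @($inbound445).Count
        Inbound445Rules     = (@($inbound445).DisplayName -join '; ')
        UserShares          = (@($userShares).Name -join '; ')
        Verdict             = $verdict
    }
}

Get-SmbExposure | Format-List
```

Run it on a workstation and on the file server and compare the two reports; only the server should show enabled inbound 445 rules.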
SOLUTION by John Tsioumpris (Greece): content available to Experts Exchange members only.
mamelas (asker):
Correct, for the WannaCry ransomware, if the clients were patched there was "nothing" to be afraid of (since the KB was released in March).

But in case of a Zero Day attack you need an extra protection.

In case an intruder is using a vulnerability for which there is no patch yet, then the Anti-Virus and software like Panda and Malwarebytes MAY save your day.

So, once again, does anyone from the Community have such software, and if yes, how satisfied are you with this product?
SOLUTION: content available to Experts Exchange members only.
Mamelas, as a "proactive approach", consider application whitelisting - that's the best approach.
There was already a 0-day for that vulnerability.  The NSA was using it before it was leaked to the public and someone else made use of it in a different way after the patch release.

Antivirus comes after the virus is discovered, not before.  Same with spam filtering.  Security is a process, not a product.  You need to have all your bases covered, but even then something may get through.  Even the patches can come after a discovery.  You need to keep up to date on all of them to protect yourself.
SOLUTION: content available to Experts Exchange members only.
Thomas, you should link MBAM. Normally, admins think of Microsoft's MBAM (Microsoft BitLocker Administration and Monitoring).
ASKER CERTIFIED SOLUTION: content available to Experts Exchange members only.
SOLUTION: content available to Experts Exchange members only.