DoCrack_Software Engineering Services

ManageEngine Ransomware Protection Plus vs Malware Protection Plus — Which One Does Your Organization Need?

 

ManageEngine offers two security add-ons for Endpoint Central that sound almost identical and address overlapping threats — Ransomware Protection Plus (RPP) and Malware Protection Plus (MPP). Both detect ransomware. Both use behavioral analysis. Both integrate with the same Endpoint Central agent. The names alone do not make the distinction obvious.

This article explains precisely what separates them, which capabilities exist only in MPP, why the price difference is nearly 3.5×, and how to decide which — or whether both — belongs in your environment.


The One-Sentence Answer

Ransomware Protection Plus is a specialized ransomware-only defense and recovery layer designed to coexist with your existing antivirus.

Malware Protection Plus is a full next-generation antivirus (NGAV) that replaces your existing antivirus and includes everything RPP does — plus substantially more.

ManageEngine itself frames the relationship explicitly: anti-ransomware is a subset of NGAV. RPP covers that subset. MPP covers the full set.


Current Versions

Product                        Current version
Ransomware Protection Plus     11.5 (build 11.5.2611.02)
Malware Protection Plus        11.4 (build 11.4.2540.04)

Both are add-ons to ManageEngine Endpoint Central. Neither requires a separate agent deployment if Endpoint Central is already running.


What Ransomware Protection Plus Covers

RPP is built around a single threat class — ransomware — and the full lifecycle of a ransomware incident:

Detection:

  • Behavior-based detection of ransomware activity (mass file modification, bulk extension changes, entropy spikes in file content)
  • Decoy file (canary file) monitoring — strategically placed bait files trigger an alert the moment ransomware begins its encryption sweep, catching it before significant real data is encrypted
  • Memory and script-based detection — catches fileless ransomware delivered via PowerShell, WMI, or macro-enabled documents
  • Shadow copy deletion monitoring — flags any process attempting to delete VSS snapshots (a standard ransomware pre-encryption step)
  • Edge-based offline detection — works without cloud connectivity, effective in air-gapped environments
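The detection signals listed above can be tied together in a few dozen lines. What follows is an added example written for this article, not ManageEngine's code: it replays a constructed file-event stream (a backup tool, a text editor and a process encrypting a share) through three of the heuristics named in the list, namely byte entropy of written content, bulk extension changes and canary-file access, plus shadow-copy tampering spotted from a process command line. The thresholds, the canary paths, the command-line patterns and the event format are assumptions chosen for the demo, not RPP's internals.

```python
import math
import random
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed canary (decoy) paths, compared case-insensitively. A defender seeds these in
# directories ransomware sweeps first; any write or rename touching one is a direct hit.
CANARY_PATHS = {
    r"c:\users\alice\documents\~$canary.docx",
    r"c:\shares\finance\!_do_not_touch.xlsx",
}

# Command lines that delete or starve VSS snapshots ahead of encryption (ATT&CK T1490).
VSS_TAMPER_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"vssadmin(\.exe)?\s+resize\s+shadowstorage",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"wbadmin(\.exe)?\s+delete\s+catalog",
    r"bcdedit(\.exe)?\s.*recoveryenabled\s+no",
)]

ENTROPY_THRESHOLD = 7.0  # bits/byte; ciphertext and compressed data sit close to 8
MIN_BULK_FILES = 3       # files that must show a signal before it counts as "bulk"

@dataclass
class FileEvent:
    pid: int
    op: str               # "write", "rename" or "exec"
    path: str = ""
    new_path: str = ""    # rename target
    content: bytes = b""  # bytes written
    cmdline: str = ""     # exec command line

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def is_vss_tamper(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in VSS_TAMPER_PATTERNS)

def extension(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def analyse(events):
    """Aggregate per-process signals and return {pid: findings}."""
    events = list(events)
    high_entropy = defaultdict(set)                      # pid -> files written with ciphertext-like content
    ext_changes = defaultdict(lambda: defaultdict(set))  # pid -> new extension -> files renamed to it
    canary_hit = defaultdict(bool)
    vss_tamper = defaultdict(bool)
    for ev in events:
        if ev.op in ("write", "rename") and ev.path.lower() in CANARY_PATHS:
            canary_hit[ev.pid] = True
        if ev.op == "write" and shannon_entropy(ev.content) >= ENTROPY_THRESHOLD:
            high_entropy[ev.pid].add(ev.path.lower())
        elif ev.op == "rename":
            old, new = extension(ev.path), extension(ev.new_path)
            if new and new != old:
                ext_changes[ev.pid][new].add(ev.path.lower())
        elif ev.op == "exec" and is_vss_tamper(ev.cmdline):
            vss_tamper[ev.pid] = True
    report = {}
    for pid in {ev.pid for ev in events}:
        n_high = len(high_entropy[pid])
        n_bulk = max((len(files) for files in ext_changes[pid].values()), default=0)
        # Canary or VSS tampering is conclusive on its own; entropy and extension churn
        # must agree, because compressed archives look as random as ciphertext.
        if canary_hit[pid] or vss_tamper[pid] or (n_high >= MIN_BULK_FILES and n_bulk >= MIN_BULK_FILES):
            verdict = "ransomware"
        elif n_high >= MIN_BULK_FILES or n_bulk >= MIN_BULK_FILES:
            verdict = "suspicious"
        else:
            verdict = "clean"
        report[pid] = {"high_entropy_writes": n_high, "bulk_extension_changes": n_bulk,
                       "canary_hit": canary_hit[pid], "vss_tamper": vss_tamper[pid], "verdict": verdict}
    return report

def sample_events():
    """Constructed stream: a backup tool (pid 1001), an editor (pid 1002) and ransomware (pid 4242)."""
    rng = random.Random(7)

    def ciphertext():  # deterministic stand-in for encrypted output
        return bytes(rng.getrandbits(8) for _ in range(1024))

    notes = b"Q3 revenue summary, draft 4. Numbers subject to audit.\n" * 20
    events = [
        # One large compressed archive: high entropy, but no extension churn and no canary.
        FileEvent(1001, "write", r"D:\backups\2024-06-01.zip", content=ciphertext()),
        # An editor saving plain text in place.
        FileEvent(1002, "write", r"C:\Users\alice\Documents\notes.txt", content=notes),
    ]
    for i in range(5):  # encrypt-then-rename sweep across a share
        path = rf"C:\Shares\finance\report{i}.xlsx"
        events.append(FileEvent(4242, "write", path, content=ciphertext()))
        events.append(FileEvent(4242, "rename", path, new_path=path + ".locked"))
    events.append(FileEvent(4242, "write", r"C:\Shares\finance\!_do_not_touch.xlsx", content=ciphertext()))
    events.append(FileEvent(4242, "exec", cmdline="vssadmin.exe delete shadows /all /quiet"))
    return events

if __name__ == "__main__":
    for pid, findings in sorted(analyse(sample_events()).items()):
        print(pid, findings)
```

The backup process in the sample is the edge case worth noticing: its archive is as high-entropy as the encrypted spreadsheets, so a detector keyed on entropy alone would isolate the backup server. Requiring extension churn alongside entropy, while letting a canary touch or a VSS-deletion command short-circuit straight to a verdict, is the shape of the trade-off any behavioral engine has to make.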

Containment:

  • Automated endpoint isolation — severing network connections on confirmed or high-confidence infection
  • Audit Mode and Kill Mode — configurable response aggressiveness
  • Kernel-level anti-encryption — blocks unauthorized encryption at the OS level before the payload completes

Recovery:

  • Tamper-protected VSS shadow copies every three hours — using a patented mechanism that prevents ransomware from deleting the backups (specifically addressing LockerGoga-style attacks that target shadow copies)
  • One-click encrypted file recovery — selective restoration of only affected files, not full system reimaging
  • RPO of roughly three hours (changes made since the last protected snapshot are lost); RTO measured in minutes, with affected endpoints recovered in parallel

Intelligence:

  • Root cause analysis — full attack timeline from entry point through lateral movement
  • MITRE ATT&CK mapping
  • VirusTotal IoC enrichment (file hashes, malicious IPs and URLs)

What RPP does NOT cover:

  • Trojans, spyware, adware, worms, rootkits, cryptominers — any malware that is not ransomware
  • Signature-based detection of known malware
  • Memory scanning for injected shellcode unrelated to ransomware
  • LSASS credential theft protection
  • Anti-exploit / anti-memory-corruption techniques
  • Comprehensive threat intelligence beyond ransomware-specific IoCs

What Malware Protection Plus Adds

MPP includes everything RPP covers — the same ransomware detection engine, the same decoy files, the same VSS tamper-protected recovery — and then extends protection across the full malware spectrum.

Signature-Based Detection Layer

RPP is purely behavioral — it has no signature database. MPP adds traditional signature-based detection running alongside behavioral analysis. This means:

  • Known malware with an established signature (older trojans, worms and well-documented ransomware families) is caught at first contact by signature matching, before behavioral analysis runs
  • The combination of signature and behavior gives defense-in-depth: signatures catch known samples fast, behavioral analysis catches novel ones

This is the most fundamental architectural difference. RPP cannot identify malware by signature. MPP can.

Full Malware Spectrum Coverage

MPP protects against the complete range of endpoint threats:

  • Trojans — remote access trojans (RATs), banking trojans, backdoors
  • Spyware and keyloggers — credential harvesting, screenshot capture, keystroke logging
  • Adware — browser hijackers, unwanted software
  • Worms — self-propagating malware that spreads across networks
  • Rootkits — deep system persistence mechanisms
  • Cryptominers — CPU/GPU hijacking for cryptocurrency mining
  • APT components — stagers, loaders, and implants used in advanced persistent threats

RPP catches none of these unless they happen to also engage in ransomware-specific behavior (mass file encryption, shadow copy deletion).

Advanced Memory Scanning

MPP includes deep memory scanning capabilities that go beyond what RPP provides:

  • Shellcode detection — identifying malicious code injected into process memory
  • DLL injection detection — catching techniques like reflective DLL loading and process hollowing
  • Memory scan on-demand or on-write — proactive scanning for hidden payloads in RAM

This matters because sophisticated malware — particularly APT-grade implants and fileless loaders — frequently operate entirely in memory. RPP’s memory detection is focused on ransomware delivery mechanisms (PowerShell, WMI scripts). MPP’s memory scanning is broader, covering the full range of in-memory threats.

LSASS Protection — Credential Theft Defense

Local Security Authority Subsystem Service (LSASS) is the Windows process that holds authentication material for logged-on users. It is the primary target of credential theft tools such as Mimikatz, which read NTLM hashes, Kerberos tickets and (on older or misconfigured hosts) plaintext passwords out of LSASS memory for pass-the-hash, pass-the-ticket and other lateral movement.

MPP monitors LSASS and blocks attempts to dump its memory, catching credential theft at the source. RPP has no LSASS protection capability. This matters because credential theft is usually the step that lets a ransomware operator spread from one host to the whole domain, and RPP does nothing about that precursor. Treat MPP's LSASS protection as a complement to Windows' own controls (LSA protection via RunAsPPL, and Credential Guard), not as a reason to leave them disabled.
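What "monitoring LSASS for memory dumping" looks like in detection terms, as an added example that is not ManageEngine's implementation: the block below triages constructed records shaped like Sysmon Event ID 10 (ProcessAccess). It checks whether the rights granted on lsass.exe include PROCESS_VM_READ (the minimum any dumper needs) or write/inject rights, and whether the call stack shows a MiniDump-capable module (dbghelp.dll or dbgcore.dll) or unbacked UNKNOWN frames, which point at injected or reflectively loaded code. The allowlist of images permitted to read LSASS is an assumption and has to be tuned per environment; the sample events are constructed, not real captures.

```python
from dataclasses import dataclass

# Process access rights from winnt.h. Any dumper needs PROCESS_VM_READ; injectors need
# write and thread-creation rights on top of it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
DUMP_RIGHTS = PROCESS_VM_READ
INJECT_RIGHTS = PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD

# Assumed allowlist (tune per environment): images that legitimately read LSASS memory here.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

@dataclass
class ProcessAccess:
    """The Sysmon Event ID 10 fields this heuristic needs."""
    source_image: str
    target_image: str
    granted_access: str   # hex as Sysmon renders it, e.g. "0x1010"
    call_trace: str = ""  # pipe-separated frames, e.g. "...ntdll.dll+9d234|UNKNOWN(...)"

def classify(ev: ProcessAccess):
    """Return (severity, reasons) for one ProcessAccess event."""
    if not ev.target_image.lower().endswith("\\lsass.exe"):
        return "ignore", []
    rights = int(ev.granted_access, 16)
    if not rights & (DUMP_RIGHTS | INJECT_RIGHTS):
        return "benign", ["no memory read/write rights on lsass.exe"]
    if ev.source_image.lower() in ALLOWLIST:
        return "allowed", ["allowlisted source image"]
    reasons, critical = [], False
    if rights & DUMP_RIGHTS:
        reasons.append(f"PROCESS_VM_READ on lsass.exe (GrantedAccess={ev.granted_access})")
    if rights & INJECT_RIGHTS:
        reasons.append("write/inject rights on lsass.exe")
        critical = True
    trace = ev.call_trace.lower()
    if "dbghelp.dll" in trace or "dbgcore.dll" in trace:
        reasons.append("MiniDumpWriteDump-capable module (dbghelp/dbgcore) on the call stack")
        critical = True
    if "unknown(" in trace:
        reasons.append("unbacked UNKNOWN frame on the call stack: injected or reflective code")
        critical = True
    return ("critical" if critical else "high"), reasons

def triage(events):
    """Map each event to (source image, severity), dropping non-LSASS events."""
    out = []
    for ev in events:
        severity, _ = classify(ev)
        if severity != "ignore":
            out.append((ev.source_image, severity))
    return out

def sample_events():
    """Constructed records in Sysmon EID 10 shape; none are real captures."""
    sys32 = r"C:\Windows\System32"
    return [
        # Defender's engine reading LSASS: allowlisted.
        ProcessAccess(r"C:\Program Files\Windows Defender\MsMpEng.exe", rf"{sys32}\lsass.exe", "0x1010"),
        # A service querying limited process info only: no memory rights.
        ProcessAccess(rf"{sys32}\svchost.exe", rf"{sys32}\lsass.exe", "0x1000"),
        # Mimikatz-style sekurlsa access: QUERY_LIMITED_INFORMATION | VM_READ from a user download.
        ProcessAccess(r"C:\Users\alice\Downloads\mimikatz.exe", rf"{sys32}\lsass.exe", "0x1010",
                      rf"{sys32}\ntdll.dll+9d234|C:\Users\alice\Downloads\mimikatz.exe+1b2c0"),
        # rundll32 + comsvcs.dll MiniDump: full access with dbgcore on the stack.
        ProcessAccess(rf"{sys32}\rundll32.exe", rf"{sys32}\lsass.exe", "0x1fffff",
                      rf"{sys32}\ntdll.dll+9d234|{sys32}\dbgcore.DLL+2a1f|{sys32}\comsvcs.dll+33b0"),
        # In-memory tooling from PowerShell: VM_READ with an unbacked frame.
        ProcessAccess(rf"{sys32}\WindowsPowerShell\v1.0\powershell.exe", rf"{sys32}\lsass.exe", "0x1410",
                      rf"{sys32}\ntdll.dll+9d234|UNKNOWN(00000216D5E40A17)"),
        # Not LSASS at all: ignored regardless of rights.
        ProcessAccess(rf"{sys32}\svchost.exe", rf"{sys32}\explorer.exe", "0x1fffff"),
    ]

if __name__ == "__main__":
    for ev in sample_events():
        print(ev.source_image, *classify(ev))
```

The allowlist is where this kind of rule lives or dies: EDR agents, backup software and some monitoring tools open LSASS with VM_READ legitimately, so expect to extend it from a baseline capture before the "high" verdicts are actionable. The call-stack signals are the more durable part, since a dumper has to get MiniDumpWriteDump or equivalent read logic onto the stack somehow.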

Anti-Exploit and Memory Hardening

MPP applies exploit mitigation techniques at the kernel and process level:

  • Buffer overflow protection
  • Return-Oriented Programming (ROP) chain detection
  • Heap spray protection
  • Process memory integrity enforcement

These mitigations raise the cost of turning a memory-corruption bug (an unpatched CVE or a zero-day) into code execution; they do not remove the vulnerability, so patching remains the primary control. RPP has no exploit mitigation capability.

AV-Comparatives Certification

MPP (as part of ManageEngine’s Malware Protection suite) has been certified by AV-Comparatives for Business Security — an independent third-party lab evaluation that validates detection efficacy. RPP has not undergone this specific independent certification as a standalone product.

For organizations where compliance frameworks or security audits require verified third-party AV certification, MPP’s AV-Comparatives certification matters.

Free Tier (Up to 25 Endpoints)

MPP includes a free tier for up to 25 endpoints with full feature access — a genuinely useful entry point for small IT teams evaluating the product or protecting a limited number of critical systems. RPP has no comparable free tier; it is priced as an add-on from the first endpoint.


Feature Comparison Matrix

Capability                                       RPP 11.5                   MPP 11.4
Primary scope                                    Ransomware only            Full malware spectrum
Ransomware behavior detection                    Yes                        Yes
Decoy / canary file monitoring                   Yes                        Yes
VSS shadow copy recovery                         Yes (tamper-protected)     Yes (tamper-protected)
One-click encrypted file recovery                Yes                        Yes
Kernel-level anti-encryption                     Yes                        Yes
Memory/script-based detection                    Ransomware delivery only   Full scope
Endpoint isolation                               Yes                        Yes
MITRE ATT&CK mapping                             Yes                        Yes
Root cause analysis                              Yes                        Yes
VirusTotal IoC integration                       Yes                        Yes
Audit Mode / Kill Mode                           Yes                        Yes
Edge-based offline detection                     Yes                        Yes
Signature-based detection                        No                         Yes
Trojans, spyware, adware, worms                  No                         Yes
Rootkit detection                                No                         Yes
Cryptominer detection                            No                         Yes
Deep memory scanning (shellcode, DLL injection)  No                         Yes
LSASS credential theft protection                No                         Yes
Anti-exploit / memory hardening                  No                         Yes
AV-Comparatives certified                        No                         Yes
Free tier (up to 25 endpoints)                   No                         Yes
Replaces existing AV                             No (coexists with it)      Yes
Price                                            ~$145/year                 ~$495/year

The Pricing Reality

Product Price What it replaces
Ransomware Protection Plus ~$145/year Nothing — adds a layer to existing AV
Malware Protection Plus ~$495/year Replaces existing AV entirely
Both together ~$640/year Replaces AV + maximum coverage
Free (MPP, ≤25 endpoints) $0 Replaces AV for small deployments

The math on MPP vs RPP: MPP costs roughly 3.4× what RPP does. The figures above are starting prices, so comparing them with CrowdStrike, SentinelOne or another commercial AV billed at ~$15–50 per endpoint per year only works once you know your endpoint count and the tier ManageEngine quotes for it; at small scale, replacing that AV with MPP may cut total security spend while gaining Endpoint Central integration, but price it for your actual fleet before assuming savings. If you are relying on the built-in Microsoft Defender Antivirus at no extra cost, MPP is a paid NGAV starting at ~$495.


Four Decision Scenarios

Scenario 1: We have a capable antivirus and just need better ransomware resilience

→ Choose Ransomware Protection Plus (~$145/year)

Your existing AV handles trojans, spyware, and general malware. What it may lack is tamper-protected VSS recovery, decoy file early warning, and ransomware-specific behavioral containment. RPP layers on top of any AV — CrowdStrike, SentinelOne, Symantec, Windows Defender — without conflict. It adds the recovery resilience that general AV cannot provide.

Scenario 2: We need to replace our antivirus

→ Choose Malware Protection Plus (~$495/year)

If your AV contract is expiring, you’re consolidating tools, or you’re building security for a new environment, MPP is the correct product. It covers the full malware spectrum — signature + behavioral + memory scanning — replacing what your current AV does, plus adding NGAV capabilities it probably lacks.

Scenario 3: We want maximum protection from a single vendor

→ Run both RPP + MPP (~$640/year combined)

MPP covers the broad threat landscape. RPP adds its specialized ransomware layer on top: tamper-protected VSS, decoy file monitoring tuned for ransomware, kernel-level anti-encryption. The two are designed to work simultaneously without conflicts. For organizations in high-risk industries (healthcare, finance, critical infrastructure) where ransomware is the primary existential threat but the full malware spectrum still needs coverage, running both gives the deepest defense-in-depth. Before committing to both, confirm with ManageEngine what RPP adds beyond MPP's own anti-ransomware module, since the feature matrix above lists the same VSS protection under both products (see Can You Run Both Simultaneously? below).

Scenario 4: Small team, limited budget, ≤25 endpoints

→ Start with Malware Protection Plus free tier

The MPP free tier covers up to 25 endpoints with full feature access. For a small IT team protecting a handful of servers or critical workstations, this provides full NGAV — including ransomware coverage — at zero additional cost. As the environment grows beyond 25 endpoints, paid licensing kicks in.


Can You Run Both Simultaneously?

Yes. RPP and MPP are designed to operate together without conflict: they share the same Endpoint Central agent and use separate detection engines. ManageEngine describes the overhead of running both as modest, but verify that on your own hardware: pilot both on a representative group and watch CPU and disk I/O during a full scan before rolling out fleet-wide.


When both are deployed:

  • MPP handles the broad malware detection sweep (signatures + AI/ML behavioral analysis across all threat categories)
  • RPP’s ransomware-specific detection runs alongside, in particular its decoy file layer and its tamper-protected VSS snapshots, which act as an independent recovery path rather than a second opinion on detection

The most commonly cited reason to run both is recovery: even if MPP detects and kills the ransomware, RPP’s protected shadow copies give you a way back for anything encrypted before containment. Weigh that against the feature matrix above, which lists the same tamper-protected VSS recovery under MPP. If MPP’s anti-ransomware module really does ship that mechanism, RPP adds a second, independently tuned engine and canary layer rather than a recovery capability MPP lacks; ask ManageEngine to confirm the overlap in writing before paying for both.


Frequently Asked Questions

Does MPP include everything RPP does? Yes. MPP’s anti-ransomware component includes the same behavior detection, decoy files, VSS recovery, endpoint isolation and MITRE ATT&CK mapping that RPP provides, plus the broader NGAV capabilities. If you purchase MPP you do not also need RPP for ransomware coverage; adding RPP buys a second, independently tuned ransomware engine, not a feature MPP lacks.

If I buy MPP, can I cancel my existing antivirus? Yes. MPP is designed to replace your existing antivirus entirely. ManageEngine positions it as an NGAV — a full substitute for traditional AV — with broader coverage through AI/ML behavioral detection alongside signature-based detection.

Does RPP work without Endpoint Central? Not on its own. Both RPP and MPP are Endpoint Central add-ons, and the Endpoint Central agent must be deployed first. What ManageEngine does support is a deployment in which Endpoint Central is installed only as the delivery vehicle for the security module, without using its other management features.

Which product has independent third-party certification? MPP (as part of ManageEngine’s Malware Protection suite) has been certified by AV-Comparatives for Business Security. RPP has not been independently certified by a third-party testing lab as a standalone product.

Is there a free trial for either product? Endpoint Central offers a 30-day free trial for unlimited endpoints. MPP additionally offers a permanent free tier for up to 25 endpoints. RPP does not have a permanent free tier.


Summary

Ransomware Protection Plus (11.5.2611.02) is the right choice when you have existing antivirus coverage and specifically need to add: tamper-protected VSS shadow copy recovery, decoy file early warning, ransomware-specific behavioral containment, and MITRE ATT&CK-mapped incident analysis. At ~$145/year it is the lowest-cost way to add dedicated ransomware resilience to any existing security stack.

Malware Protection Plus (11.4.2540.04) is the right choice when you need a complete NGAV solution — one that replaces your existing antivirus and covers the full threat spectrum: ransomware, trojans, spyware, rootkits, cryptominers, credential theft, exploit-based attacks, and advanced memory-resident threats. At ~$495/year it delivers substantially more than RPP and can replace the cost of a separate AV license.

Running both provides the most complete coverage from within the ManageEngine ecosystem: MPP as the broad NGAV layer across all threat categories, with RPP as a second ransomware-specific engine and a tamper-protected VSS recovery path hardened against ransomware’s backup-deletion tactics.

For licensing assistance with either product, contact via Telegram: t.me/DoCrackMe


Also see: ManageEngine Ransomware Protection Plus 11.5 — Complete Guide | ManageEngine Malware Protection Plus 11.4 — Complete Guide | ManageEngine Endpoint Central Security Edition — Complete Guide