We get this question regularly: "I'm already using Deep Freeze. Do I really need Anti-Executable too? Isn't that overkill?"
It's a fair question. Both products protect endpoints. Both prevent malware from causing lasting damage. If Deep Freeze wipes everything on reboot anyway, why bother blocking executables in the first place?
The short answer: they protect against different things at different times. Deep Freeze handles what happens after a reboot. Anti-Executable handles what happens during a session. Together, they close gaps that neither addresses alone.
Whether that's "overkill" depends on your environment. This guide explains what each product protects, why they complement each other, and where the combination makes sense - and where Deep Freeze alone might be sufficient.
What Each Product Actually Protects
To understand why they're complementary rather than redundant, let's be precise about what each tool does:
Deep Freeze: Persistence protection.
Deep Freeze guarantees that any changes to the frozen drive are wiped on reboot. Malware installed during a session? Gone after reboot. Configuration changes? Gone. Corrupted files? Gone. The system returns to its baseline state, every time.
What Deep Freeze doesn't do: It doesn't prevent anything from happening during a session. Malware can execute, encrypt files, exfiltrate data, spread across the network, and cause damage - all before the next reboot. Deep Freeze fixes the local machine afterwards, but it doesn't prevent the active threat.
Anti-Executable: Execution protection.
Anti-Executable prevents unauthorised software from running in the first place. Malware that arrives on the system can't execute. Ransomware can't launch. Unauthorised applications can't run. The threat is stopped before it can cause any damage.
What Anti-Executable doesn't do: It doesn't undo damage caused by threats that don't involve new executables (like macro-based attacks in documents using existing tools), and it doesn't restore system state if something does go wrong. If a whitelisted application is exploited, or if configuration was changed through legitimate tools, Anti-Executable doesn't fix it.
The gap each leaves:
• Deep Freeze alone: Threats can operate freely during sessions
• Anti-Executable alone: No recovery if something slips through or if approved software is compromised
Why They Complement Each Other: Live Protection + Reboot Recovery
Think of it as two lines of defence operating at different moments:
During the session (Anti-Executable). A user clicks a malicious email attachment. The attachment tries to launch a ransomware executable. Anti-Executable blocks it - the executable isn't on the whitelist. Threat neutralised. The user sees a "blocked" notification; IT sees a log entry. No encryption happens. No data exfiltrates. No damage occurs.
After the session (Deep Freeze). The machine reboots. Even if something did happen during the session - a configuration change, a file modification, something that slipped through - Deep Freeze wipes it. The system returns to baseline. Clean slate for the next user.
Real-world scenarios where the combination matters:
Scenario 1: Zero-day ransomware. With Deep Freeze only, the ransomware executes, encrypts files on local and possibly network drives, and spreads to other machines. The local frozen drive recovers on reboot, but network shares might be encrypted and other machines might be infected. With Anti-Executable added, the ransomware never executes. No encryption. No spread. No damage.
Scenario 2: Data exfiltration. Malware executes and starts uploading sensitive data to external servers. With Deep Freeze only, the upload completes before the next reboot - the data is gone. Deep Freeze can't undo exfiltration. With Anti-Executable, the malware never runs. No exfiltration occurs.
Scenario 3: Cryptomining. Unauthorised mining software runs continuously during sessions, consuming resources and electricity. Deep Freeze removes it on reboot, but it reinstalls (or is re-downloaded) each session. With Anti-Executable, it can't run at all - even if it arrives on the system repeatedly.
Scenario 4: Lateral movement. Malware on one machine uses it as a launching point to attack others on the network. Deep Freeze protects the originating machine on reboot but doesn't prevent the attack on other systems. Anti-Executable stops the malware from running in the first place, protecting both the local machine and the network.
Scenario 5: Configuration drift. An approved application is misconfigured, or a user changes settings using legitimate Windows tools. Anti-Executable doesn't prevent this (no new executables involved). Deep Freeze restores proper configuration on reboot. Each tool handles what the other can't.
Ideal Environments for Running Both
The combination makes most sense in environments where:
Public-access computers. Libraries, hotel business centres, airport workstations, government service centres. Unknown users with unknown intentions accessing machines throughout the day. You want to prevent threats from running (Anti-Executable) and ensure complete restoration between users (Deep Freeze). Maximum protection for maximum risk.
School computer labs. Students will try to install games, run downloaded software, and experiment with anything they can. Anti-Executable blocks the experimentation. Deep Freeze ensures every class starts with clean machines. Teachers don't deal with "this computer has something wrong with it" - both prevention and recovery are automatic.
High-security environments. Financial services, healthcare, government, critical infrastructure. The cost of a breach is high. Defence in depth is required. Using both tools provides layered protection that satisfies security requirements and reduces actual risk.
Compliance-driven environments. Security frameworks often recommend both application whitelisting and system recovery capabilities. Running both demonstrates multiple compensating controls to auditors.
Kiosks and single-purpose machines. These should only run specific software, and any deviation is suspicious. Anti-Executable ensures only approved applications run. Deep Freeze ensures the kiosk returns to its configured state after any anomaly.
Environments with long sessions between reboots. If machines run for extended periods without rebooting - perhaps a full school day or an entire work shift - Deep Freeze's protection is delayed. Anti-Executable provides continuous protection during those long sessions.
When Deep Freeze Alone Might Be Sufficient
We're not going to pretend everyone needs both. Deep Freeze alone may be sufficient if:
• Machines reboot very frequently (after every session or every few hours)
• Sessions are short with limited user activity
• Network isolation prevents threats from spreading to other systems
• No sensitive data is accessible from the frozen machines
• Strong perimeter security (web filtering, email filtering) reduces threat volume
• Budget constraints require prioritisation
In these environments, the window for damage is small, the blast radius is contained, and Deep Freeze's reboot recovery addresses most concerns. Anti-Executable adds value, but it might not be essential.
The honest assessment: Deep Freeze alone provides excellent protection for many environments. Anti-Executable adds another layer for environments where session-time threats are a significant concern. It's not overkill in high-risk environments; it might be unnecessary in lower-risk ones.
Does Running Both Increase Admin Work?
A legitimate concern. Here's the reality:
Unified management. Manage both from a single interface. Deploy configurations together. Monitor both tools in one place. The management overhead isn't doubled - it's a single console managing two capabilities.
Coordinated maintenance. During maintenance windows, both tools can be managed together. Thaw Deep Freeze, put Anti-Executable in maintenance mode, apply updates, whitelist new software, then re-enable both. One maintenance window handles both tools.
Reduced troubleshooting. Paradoxically, running both can reduce admin work. Anti-Executable prevents users from running problematic software that would otherwise cause support calls (even if Deep Freeze fixes it on reboot). Fewer "something's wrong with this computer" tickets because fewer things go wrong in the first place.
Stable environments are low-maintenance. Once configured, both tools require minimal ongoing attention in static environments. The whitelist rarely changes. The frozen baseline rarely changes. Day-to-day management is light.
Frequently Asked Questions
Is this combination too restrictive for users?
For environments where it's appropriate - shared PCs, labs, kiosks - the restrictions are the point. Users should only run approved software; they shouldn't expect changes to persist. For personal workstations where users need flexibility, neither tool is typically the right fit. Match the tools to environments where restrictions are acceptable.
Does running both tools impact system performance?
Both tools have minimal performance overhead. Deep Freeze operates at the disk level with negligible impact. Anti-Executable checks executables at launch - a fast operation. Running both doesn't create noticeable slowdowns. Users won't perceive any difference compared to running either tool alone.
What about cost - is paying for both justified?
Depends on your risk profile. For public-access and high-security environments, the additional protection justifies the cost. Preventing a single ransomware incident or data breach typically costs far more than licensing both tools. For lower-risk environments, Deep Freeze alone may be sufficient. We'd rather you buy what you need than pay for protection you don't.
Can I trial both together before deciding?
Yes. Both products offer 30-day free trials. Deploy them together on representative machines, see how they work in your environment, and evaluate whether the combination adds value. Real-world testing is the best way to decide.
Do they ever conflict with each other?
No. They're designed to work together and operate at different levels. Deep Freeze manages disk state; Anti-Executable manages execution permissions. There's no conflict or overlap in their operation. Faronics specifically designs these products to be complementary.
Should I add antivirus as well, or is that definitely overkill?
We recommend keeping antivirus. Anti-Executable blocks unknown executables; antivirus catches known threats before they attempt to execute and protects against non-executable threats (malicious documents, browser exploits). Deep Freeze recovers from anything that slips through. Three layers, three different protection mechanisms, comprehensive coverage.
The Bottom Line: Complementary, Not Redundant
Deep Freeze and Anti-Executable protect against different threats at different times. Deep Freeze guarantees recovery after reboot. Anti-Executable prevents damage during sessions. Together, they provide continuous protection that neither offers alone.
Is it overkill? For a personal workstation, probably yes - neither tool is right for that environment anyway. For public-access computers, high-security systems, and compliance-driven environments, the combination is exactly what defence in depth looks like.
The question isn't whether the combination provides value - it clearly does. The question is whether your environment's risk profile justifies the additional layer. For many shared-access environments, it does.
Want to See How They Work Together?
Try Deep Freeze and Anti-Executable together, free for 30 days. See layered endpoint protection in action.
