To answer the earlier question regarding CryptoPrevent, given it seems it was originally delivered by email payload binary, the answer is maybe. Since CryptoPrevent only uses blacklisting, it depends on whether the filename matched any of the masks configured by CryptoPrevent.
I think the NHS really shouldn't be allowing their staff to get emails delivered with binary attachments, but this may be harsh given we still don't know 100% of the specifics.
Regarding Sophos, the problem they had, and what most of the AV industry has, is that they protect via blacklist definitions, which always lose against 0-day. These vendors work on how to detect compromises that have already entered the system instead of preventing them in the first place. Ironically Sophos owns HitmanPro.Alert, which is a product that aims to prevent malware via memory exploits prior to even hitting the disk. But HitmanPro.Alert started suffering when they started only reacting to malware after it was already in the wild instead of being a preventative system.
The best types of protection tend to be whitelist focused, and some examples are:
Reputation based systems, deny by default unless good reputation.
Anti exe, deny by default, needs whitelisting.
HIPS (behaviour analysis). HIPS is very powerful but also not consumer friendly; since security vendors aim for set and forget solutions, HIPS is not very popular. Emsisoft has a dumbed down HIPS with their behaviour blocker.
Memory exploits are where malware does its work all in memory and as such does not need to write to disk to run a payload. Certain software such as EMET (free), HitmanPro.Alert and Malwarebytes Anti-Exploit aims to prevent that type of malware, and some AV like NOD32 has exploit protection built in as well.
Before memory exploits it was quite easy to make an immune Windows box.
Set up AppLocker/SRP and deny execution rights to all user writeable folders such as %temp%, %userprofile%, and document folders, whilst at the same time making sure any unprivileged application cannot write to any executable folders like Program Files. Browsers such as Chrome and IE will auto sandbox and run at low privilege levels and become immune in such a configuration; Firefox would need to be sandboxed by something like Sandboxie. Not even AV would have any use in such a configuration. Finally, make sure to use a limited user account for everyday tasks.
But now we have memory exploits, things are a bit harder but still not overly difficult. The issue is the way Microsoft ships the operating system and how the consumer security vendors choose to apply their protections.
Microsoft introduced UAC with Vista as a stop gap; the intention was for LUA to eventually be the default privilege level, but instead what happened is UAC got watered down in Windows 7 and admin accounts remained the default. They also have wrappers like svchost and rundll32 which can make auditing very difficult, e.g. I get Windows Firewall requests to allow rundll32 to have access to some random IP, and I have no idea of the originator of that request.
On Linux there are no such wrappers, and in addition Linux users are well used to running with restricted accounts, and if they need to do maintenance they will su to root or use sudo. Again, Windows has no MAC restrictions system akin to SELinux; the closest to it is 3rd party HIPS solutions.
Microsoft have AppLocker, which they have decided is only suitable for enterprise, when it would clearly be very useful to help consumers if enabled and had some automated configuration templates.
This is why Windows has so many issues with security time and time again.
I only still use Windows because of PC gaming; all my other tasks could be done in a Linux/FreeBSD environment.
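Added example, not part of the post above: a small Python model of the two approaches the post contrasts, filename-mask blacklisting versus an AppLocker/SRP-style path policy that denies user-writeable folders and allows only system folders. The user "alice", the masks, the sample paths and all function names are constructed for illustration and are not any product's real rule set.

```python
import fnmatch
import ntpath
# Constructed environment for a hypothetical limited user "alice".
ENV = {"%temp%": r"C:\Users\alice\AppData\Local\Temp",
       "%userprofile%": r"C:\Users\alice",
       "%programfiles%": r"C:\Program Files",
       "%windir%": r"C:\Windows"}

def expand(text):
    """Lower-case, substitute the variables above, collapse '..' segments."""
    text = text.lower()
    for var, value in ENV.items():
        text = text.replace(var, value.lower())
    return ntpath.normpath(text)

def under(path, root):
    """True when path is root itself or anything below it."""
    p, r = expand(path), expand(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")

# Blacklist model: constructed filename masks, allow anything that matches none.
MASKS = [r"%temp%\*.zip\*.exe", r"%userprofile%\*.pdf.exe"]

def blacklist_allows(path):
    return not any(fnmatch.fnmatchcase(expand(path), expand(m)) for m in MASKS)

# Path policy model: deny user-writeable roots, allow system roots, deny the rest.
DENY_ROOTS = ["%temp%", "%userprofile%"]
ALLOW_ROOTS = ["%programfiles%", "%windir%"]

def path_policy_allows(path):
    if any(under(path, r) for r in DENY_ROOTS):
        return False
    return any(under(path, r) for r in ALLOW_ROOTS)

def writable_and_executable(user_writable_dirs):
    """Directories a limited user can write to that the policy still runs code from."""
    return [d for d in user_writable_dirs if path_policy_allows(d + r"\probe.exe")]

# Constructed sample launches.
SAMPLES = [r"C:\Program Files\Vendor\app.exe",
           r"%TEMP%\invoice.zip\invoice.exe",   # matches a blacklist mask
           r"%TEMP%\update_7f3a.exe",           # new name, matches no mask
           r"C:\Program Files\..\Users\alice\Downloads\tool.exe",
           r"D:\setup.exe"]                     # outside every listed root
if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:55} blacklist={blacklist_allows(s)!s:5} path_policy={path_policy_allows(s)}")
    print(writable_and_executable([r"C:\Program Files\LegacyApp\data", r"%TEMP%"]))
```

`writable_and_executable` covers the second half of the configuration described in the post: any folder it returns is one a limited user can write to and still execute from, so its permissions need tightening.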