Antivirus & Antimalware protection settings
To learn how to create a protection plan with the Antivirus & Antimalware protection module, refer to "Creating a protection plan".
The following settings can be specified for the Antivirus & Antimalware protection module.
Active Protection
Active Protection protects a system from ransomware and cryptocurrency mining malware. Ransomware encrypts files and demands a ransom for the encryption key. Cryptomining malware performs mathematical calculations in the background, thereby consuming processing power and network bandwidth.
In the Cyber Backup editions of Acronis Cyber Protect, Active Protection is a separate module in the protection plan. Thus, it can be configured separately and applied to different devices or groups of devices. In the Protect editions of Acronis Cyber Protect, Active Protection is part of the Antivirus & Antimalware protection module.
Active Protection is available for machines running the following operating systems:
- Desktop operating systems: Windows 7 Service Pack 1 and later. On machines running Windows 7, ensure that Update for Windows 7 (KB2533623) is installed.
- Server operating systems: Windows Server 2008 R2 and later.
Agent for Windows must be installed on the machine.
How it works
Active Protection monitors processes running on the protected machine. When a third-party process tries to encrypt files or mine cryptocurrency, Active Protection generates an alert and performs additional actions, if the configuration specifies them.
In addition, Active Protection prevents unauthorized changes to the backup software's own processes, registry records, executable and configuration files, and backups located in local folders.
To identify malicious processes, Active Protection uses behavioral heuristics. Active Protection compares the chain of actions performed by a process with the chains of events recorded in the database of malicious behavior patterns. This approach enables Active Protection to detect new malware by its typical behavior.
Default setting: Enabled.
Active Protection settings
In Action on detection, select the action that the software will perform when detecting a ransomware activity, and then click Done.
You can select one of the following:
- Notify only – The software will generate an alert about the process.
- Stop the process – The software will generate an alert and stop the process.
- Revert using cache – The software will generate an alert, stop the process, and revert the file changes by using the service cache.
Default setting: Revert using cache.
Network folder protection
The Protect network folders mapped as local drives option defines whether Antivirus & Antimalware protection protects network folders that are mapped as local drives from local malicious processes.
This option applies to folders shared via SMB or NFS protocols.
If a file was originally located on a mapped drive, it cannot be saved to the original location when extracted from the cache by the Revert using cache action. Instead, it will be saved to the folder specified in this option's settings. The default folder is C:\ProgramData\Acronis\Restored Network Files. If this folder does not exist, it will be created. If you want to change this path, specify a local folder. Network folders, including folders on mapped drives, are not supported.
Default setting: Enabled.
Server-side protection
This option defines whether Antivirus & Antimalware protection protects the network folders that you share from incoming connections from other servers in the network that may carry threats.
Default setting: Disabled.
Setting trusted and blocked connections
On the Trusted tab, you can specify the connections that are allowed to modify any data. You must define the user name and IP address.
On the Blocked tab, you can specify the connections that will not be able to modify any data. You must define the user name and IP address.
Self-protection
Self-protection prevents unauthorized changes to the software's own processes, registry records, executable and configuration files, Secure Zone, and backups located in local folders. We do not recommend disabling this feature.
Default setting: Enabled.
Allowing processes to modify backups
The Allow specific processes to modify backups option is effective when Self-protection is enabled.
It applies to files that have the .tibx, .tib, or .tia extension and are located in local folders.
This option lets you specify the processes that are allowed to modify the backup files, even though these files are protected by self-protection. This is useful, for example, if you remove backup files or move them to a different location by using a script.
If this option is disabled, the backup files can be modified only by processes signed by the backup software vendor. This allows the software to apply retention rules and to remove backups when a user requests this from the web interface. No other process, whether suspicious or not, can modify the backups.
If this option is enabled, you can allow other processes to modify the backups. Specify the full path to the process executable, starting with the drive letter.
Default setting: Disabled.
Cryptomining process detection
This option defines whether Antivirus & Antimalware protection detects potential cryptomining malware.
Cryptomining malware degrades the performance of legitimate applications, increases electricity costs, and may cause system crashes and even hardware damage through overuse. We recommend that you add cryptomining malware to the Harmful processes list to prevent it from running.
Default setting: Enabled.
Cryptomining process detection settings
Select the action that the software will perform when a cryptomining activity is detected, and then click Done. You can select one of the following:
- Notify only – The software generates an alert about the process suspected of cryptomining activities.
- Stop the process – The software generates an alert and stops the process suspected of cryptomining activities.
Default setting: Stop the process.
Quarantine
Quarantine is a folder in which suspicious (probably infected) or potentially dangerous files are kept isolated.
Remove quarantined files after – Defines the period in days after which the quarantined files will be removed.
Default setting: 30 days.
Behavior detection
Acronis Cyber Protect protects your system by using behavioral heuristics to identify malicious processes: it compares the chain of actions performed by a process with the chains of actions recorded in the database of malicious behavior patterns. Thus, new malware is detected by its typical behavior.
Default setting: Enabled.
Behavior detection settings
In Action on detection, select the action that the software will perform when detecting a malware activity, and then click Done.
You can select one of the following:
- Notify only – The software will generate an alert about the process suspected of malware activity.
- Stop the process – The software will generate an alert and stop the process suspected of malware activity.
- Quarantine – The software will generate an alert, stop the process, and move the executable file to the quarantine folder.
Default setting: Quarantine.
Real-time protection
Real-time protection continuously checks your machine for viruses and other threats for the entire time that the system is powered on.
Default setting: Enabled.
Configuring the action on detection for Real-time protection
In Action on detection, select the action that the software will perform when a virus or other malicious threat is detected, and then click Done.
You can select one of the following:
- Block and notify – The software blocks the process and generates an alert about the process suspected of malware activities.
- Quarantine – The software generates an alert, stops the process, and moves the executable file to the quarantine folder.
Default setting: Quarantine.
Configuring the scan mode for Real-time protection
In Scan mode, select when the software scans files for viruses and other malicious threats, and then click Done.
You can select one of the following:
- Smart on-access – Monitors all system activities and automatically scans files when they are accessed for reading or writing, or whenever a program is launched.
- On-execution – Automatically scans only executable files when they are launched to ensure that they are clean and will not cause any damage to your computer or data.
Default setting: Smart on-access.
Schedule scan
By enabling the Schedule scan setting, you can define a schedule according to which your machine will be checked for malware.
Action on detection:
- Quarantine – The software generates an alert and moves the executable file to the quarantine folder.
- Notify only – The software generates an alert about the process that is suspected to be malware.
Default setting: Quarantine.
Scan type:
- Full – The full scan takes much longer to finish than the quick scan because every file is checked.
- Quick – The quick scan checks only the common areas where malware normally resides on the machine.
- Custom – The custom scan checks the files and folders that the administrator selected in the protection plan.
You can schedule all three scan types (Quick, Full, and Custom) in one protection plan.
Default settings:
- Quick and Full scans are scheduled.
- Custom scan is disabled.
Schedule the task run using the following events:
- Schedule by time – The task will run according to the specified time.
- When user logs in to the system – By default, a login of any user will start the task. You can modify this setting so that only a specific user account can trigger the task.
- When user logs off the system – By default, a logoff of any user will start the task. You can modify this setting so that only a specific user account can trigger the task. The task will not run at system shutdown; shutting down and logging off are different events in the scheduling configuration.
- On the system startup – The task will run when the operating system starts.
- On the system shutdown – The task will run when the operating system shuts down.
Default setting: Schedule by time.
Schedule type:
- Monthly – Select the months and the weeks or days of the month when the task will run.
- Daily – Select the days of the week when the task will run.
- Hourly – Select the days of the week, repetition number, and the time interval in which the task will run.
Default setting: Daily.
Start at – Select the exact time when the task will run.
Run within a date range – Set a range in which the configured schedule will be effective.
Start conditions – Define all conditions that must be met simultaneously for the task to run.
- Distribute task start time within a time window – This option allows you to set a time frame for the task start in order to avoid network bottlenecks. You can specify the delay in hours or minutes. For example, if the start time is 10:00 AM and the delay is 60 minutes, the task will start between 10:00 AM and 11:00 AM.
- If the machine is turned off, run missed tasks at the machine startup
- Prevent the sleep or hibernate mode during task running – This option is effective only for machines running Windows.
- If start conditions are not met, run the task anyway after – Specify the period after which the task will run, regardless of the other start conditions.
Scan only new and changed files – Only newly created and modified files will be scanned.
Default setting: Enabled.
When scheduling a Full scan, you have two additional options:
- Scan archive files – Default setting: Enabled. This option has two sub-settings:
  - Max recursion depth – How many levels of embedded archives can be scanned. For example, MIME document > ZIP archive > Office archive > document content. Default setting: 16.
  - Max size – Maximum size of an archive file to be scanned. Default setting: Unlimited.
- Scan removable drives – Default setting: Disabled. Removable drives include:
  - Mapped (remote) network drives
  - USB storage devices (such as flash drives and external hard drives)
  - CDs/DVDs
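As an added illustration (not Acronis code), the following Python sketch shows how a Max recursion depth and a Max size cap bound a walk through nested archives, using constructed in-memory ZIP files. The caps, the rule that depth counts archive levels already entered, and the outcome labels are assumptions made for this demo.

```python
import io
import zipfile

# Constructed caps for the demo; the page's defaults are 16 levels and Unlimited size.
MAX_RECURSION_DEPTH = 3
MAX_ARCHIVE_SIZE = 10 * 1024  # bytes


def scan_blob(name, data, depth=0, max_depth=MAX_RECURSION_DEPTH,
              max_size=MAX_ARCHIVE_SIZE, report=None):
    """Recurse into nested ZIP archives, honouring the depth and size caps.
    depth counts archive levels already entered; an archive is opened only while
    depth < max_depth (an assumption about how the page's setting counts levels).
    Returns a list of (member path, outcome) tuples."""
    if report is None:
        report = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        report.append((name, "scanned"))  # plain file: hand to the scan engine
    elif len(data) > max_size:
        report.append((name, "skipped:max-size"))
    elif depth >= max_depth:
        report.append((name, "skipped:max-depth"))
    else:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                scan_blob(f"{name}/{info.filename}", zf.read(info.filename),
                          depth + 1, max_depth, max_size, report)
    return report


def make_zip(members):
    """Build an uncompressed (stored) ZIP in memory from {filename: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for fname, payload in members.items():
            zf.writestr(fname, payload)
    return buf.getvalue()


def demo():
    """Constructed input: doc.txt nested three archives deep, plus an oversized archive."""
    inner = make_zip({"doc.txt": b"benign text"})
    outer = make_zip({"mid.zip": make_zip({"inner.zip": inner}), "readme.txt": b"hello"})
    big = make_zip({"blob.bin": b"A" * 20000})  # stored, not compressed: ~20 KB > 10 KB cap
    return (scan_blob("outer.zip", outer, max_depth=2),  # inner.zip hits the depth cap
            scan_blob("outer.zip", outer, max_depth=3),  # doc.txt is reached and scanned
            scan_blob("big.zip", big))                   # rejected on size before opening
```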
Exclusions
To minimize the resources used by the heuristic analysis and to eliminate false positives, in which a trusted program is treated as ransomware, you can define the following settings:
On the Trusted tab, you can specify:
- Processes that will never be considered malware. Processes signed by Microsoft are always trusted.
- Folders in which file changes will not be monitored.
- Files and folders in which the scheduled scan will not be performed.
On the Blocked tab, you can specify:
- Processes that will always be blocked. These processes will not be able to start as long as Active Protection is enabled on the machine.
- Folders in which any processes will be blocked.
Specify the full path to the process executable, starting with the drive letter. For example: C:\Windows\Temp\er76s7sdkh.exe.
For specifying folders, you can use the wildcard characters * and ?. The asterisk (*) substitutes for zero or more characters. The question mark (?) substitutes for exactly one character. Environment variables, such as %AppData%, cannot be used.
Default setting: No exclusions are defined.
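As an added example (not part of the product's code), this Python sketch validates Trusted/Blocked entries against the rules above (full path with a drive letter, no environment variables, no network folders) and matches folder patterns that use * and ?. Case-insensitive matching and * spanning path separators are assumptions, and the sample entry list is constructed around the page's own example path.

```python
import re

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")  # a full path starts with a drive letter


def validate_exclusion(entry):
    """Check one Trusted/Blocked entry against the rules on this page.
    Returns (ok, reason). Network paths and environment variables are rejected;
    the wildcards * and ? are allowed (the page permits them for folders)."""
    if "%" in entry:
        return False, "environment variables such as %AppData% are not supported"
    if entry.startswith("\\\\"):
        return False, "network (UNC) paths are not supported"
    if not DRIVE_PATH.match(entry):
        return False, "must be a full path starting with a drive letter"
    return True, "ok"


def pattern_to_regex(pattern):
    """Translate a folder pattern: * = zero or more characters, ? = exactly one.
    Assumptions not stated on the page: matching is case-insensitive (Windows
    paths) and * may span path separators."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_excluded(path, patterns):
    """True if path matches any entry in the list that passes validation."""
    return any(pattern_to_regex(p).match(path)
               for p in patterns if validate_exclusion(p)[0])


# Constructed sample list: the page's example executable, a folder pattern, and a bad entry.
SAMPLE_TRUSTED = [
    r"C:\Windows\Temp\er76s7sdkh.exe",
    r"C:\Builds\Project?\*",     # one build folder at a time, anything below it
    r"%AppData%\tool.exe",       # rejected: environment variables are not supported
]

if __name__ == "__main__":
    for entry in SAMPLE_TRUSTED:
        print(entry, "->", validate_exclusion(entry))
    print(is_excluded(r"C:\Builds\Project1\out\a.dll", SAMPLE_TRUSTED))   # True
    print(is_excluded(r"C:\Builds\Project12\out\a.dll", SAMPLE_TRUSTED))  # False
```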
URL Filtering
See "URL Filtering" for a detailed description.