Antivirus and Antimalware protection settings
To learn how to create a protection plan with the Antivirus and antimalware protection module, refer to "Creating a protection plan".
The following settings can be specified for the Antivirus and antimalware protection module.
Active Protection
Active Protection protects a system from ransomware and cryptocurrency mining malware. Ransomware encrypts files and demands a ransom for the encryption key. Cryptomining malware performs mathematical calculations in the background, consuming the machine's processing power and network bandwidth.
Active Protection is available for machines running Windows 7 and later, Windows Server 2008 R2 and later. Agent for Windows must be installed on the machine.
Active Protection is available for agents starting with version 12.0.4290. To update an agent, follow the instructions in "Updating agents".
How it works
Active Protection monitors processes running on the protected machine. When a third-party process tries to encrypt files or mine cryptocurrency, Active Protection generates an alert and performs additional actions, if those are specified by the configuration.
In addition, Active Protection prevents unauthorized changes to the backup software's own processes, registry records, executable and configuration files, and backups located in local folders.
To identify malicious processes, Active Protection uses behavioral heuristics. Active Protection compares the chain of actions performed by a process with the chains of events recorded in the database of malicious behavior patterns. This approach enables Active Protection to detect new malware by its typical behavior.
Default setting: Enabled.
Active Protection settings
In Action on detection, select the action that the software will perform when detecting a ransomware activity, and then click Done.
You can select one of the following:
- Notify only – The software will generate an alert about the process.
- Stop the process – The software will generate an alert and stop the process.
- Revert using cache – The software will generate an alert, stop the process, and revert the file changes by using the service cache.
Default setting: Revert using cache.
Behavior detection
Acronis Cyber Protection protects your system by using behavioral heuristics to identify malicious processes: it compares the chain of actions performed by a process with the chains of actions recorded in the database of malicious behavior patterns. Thus, new malware is detected by its typical behavior.
Default setting: Enabled.
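The following is an added illustration of the behavioral matching described under "How it works" and "Behavior detection", together with the three responses from the Active Protection settings (notify, stop, revert using cache). It is not Acronis code: the event names, the pattern database, the process IDs and the in-memory "disk" are all constructed for the example, and the matching rule (a pattern matches when its chain occurs in order within a process's event history) is an assumption about how such a database might be consulted.

```python
"""Toy behavioral detector that mirrors the three Active Protection responses.

Added illustration, not Acronis code. The event names, the pattern database,
the process IDs and the in-memory "disk" are all constructed for this example.
"""
from collections import defaultdict

# Constructed behavior-pattern database. Each entry is an ordered chain of
# events; a process matches when the chain occurs in order within its history,
# regardless of which other events are interleaved.
PATTERNS = {
    "ransomware": ("enumerate_files", "write_encrypted", "write_encrypted", "drop_note"),
    "cryptominer": ("connect_mining_pool", "sustained_high_cpu"),
}


def chain_matches(events, chain):
    """True when `chain` is an in-order subsequence of `events`."""
    pos = 0
    for event in events:
        if pos < len(chain) and event == chain[pos]:
            pos += 1
    return pos == len(chain)


class ProtectedHost:
    """Monitors process events, keeps a service cache of original file contents,
    and applies the configured action: "notify", "stop" or "revert"."""

    def __init__(self, files, action="revert"):
        self.files = dict(files)            # path -> content, the simulated disk
        self.cache = {}                     # (pid, path) -> content before first change
        self.history = defaultdict(list)    # pid -> events seen so far
        self.stopped = set()
        self.alerted = set()
        self.alerts = []                    # (pid, pattern name)
        self.action = action

    def record(self, pid, event, path=None, content=None):
        """Feed one event. Returns the matched pattern name on detection, else None."""
        if pid in self.stopped:
            return None                     # a stopped process can do nothing more
        if path is not None:
            # Cache the original before the process overwrites (or creates) it,
            # so "Revert using cache" has something to restore.
            self.cache.setdefault((pid, path), self.files.get(path))
            self.files[path] = content
        self.history[pid].append(event)
        return self._check(pid)

    def _check(self, pid):
        for name, chain in PATTERNS.items():
            if (pid, name) in self.alerted or not chain_matches(self.history[pid], chain):
                continue
            self.alerted.add((pid, name))
            self.alerts.append((pid, name))           # every action generates an alert
            if self.action in ("stop", "revert"):
                self.stopped.add(pid)
            if self.action == "revert":
                self._revert(pid)
            return name
        return None

    def _revert(self, pid):
        for (owner, path), original in list(self.cache.items()):
            if owner != pid:
                continue
            if original is None:
                self.files.pop(path, None)  # the process created the file: remove it
            else:
                self.files[path] = original
            del self.cache[(owner, path)]


def simulate_ransomware(action):
    """Replay a constructed ransomware-like event chain and return the host state."""
    host = ProtectedHost({"report.docx": "quarterly numbers", "notes.txt": "todo"}, action)
    host.record(7, "enumerate_files")
    host.record(7, "write_encrypted", "report.docx", "\x8f\x1c...ciphertext")
    host.record(7, "write_encrypted", "notes.txt", "\x03\xa9...ciphertext")
    host.record(7, "drop_note", "HOW_TO_DECRYPT.txt", "pay to restore your files")
    # Activity after the detection point; only a non-stopped process gets this far.
    host.record(7, "write_encrypted", "other.txt", "\x55...ciphertext")
    return host


if __name__ == "__main__":
    for action in ("notify", "stop", "revert"):
        host = simulate_ransomware(action)
        print(action, host.alerts, sorted(host.files))
```

Running the script shows the difference between the three settings on the same event chain: with "notify" the alert is raised but the files stay encrypted and the process keeps writing; with "stop" the process is halted at the detection point but the already-changed files remain changed; with "revert" the cached originals are restored and the dropped note is removed.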
Behavior detection settings
In Action on detection, select the action that the software will perform when detecting a malware activity, and then click Done.
You can select one of the following:
- Notify only – The software will generate an alert about the process suspected of malware activity.
- Stop the process – The software will generate an alert and stop the process suspected of malware activity.
- Quarantine – The software will generate an alert, stop the process, and move the executable file to the quarantine folder.
Default setting: Quarantine.
Exploit prevention
Exploit prevention detects and prevents infected processes from spreading and from exploiting software vulnerabilities on Windows systems. When an exploit is detected, the software can generate an alert and stop the process suspected of exploit activities.
Exploit prevention is available only with agent versions 20.08 or later.
Default setting: Enabled for newly created protection plans, and Disabled for existing protection plans that were created with previous agent versions.
Exploit prevention settings
You can select what the program should do when an exploit is detected, and which exploit prevention methods the program applies.
Under Enabled Action on detection, select what to do when an exploit is detected, and then click Done.
- Notify only – The software will generate an alert about the process suspected of malware activity.
- Stop the process – The software will generate an alert and stop the process suspected of malware activity.
Default setting: Stop the process.
Under Enabled exploit prevention techniques, enable or disable the methods that you want to be applied, and then click Done.
The following methods are available:
- Memory protection – Detects and prevents suspicious modifications of the execution rights on memory pages. Malicious processes apply such modifications to page properties to enable the execution of shellcode from non-executable memory areas such as the stack and heap.
- Privilege escalation protection – Detects and prevents attempts by unauthorized code or applications to elevate privileges. Privilege escalation is used by malicious code to gain full access to the attacked machine, and then perform critical and sensitive tasks. Unauthorized code is not allowed to access critical system resources or modify system settings.
- Code injection protection – Detects and prevents malicious code injection into remote processes. Code injection is used to hide the malicious intent of an application behind clean or benign processes, to evade detection by antimalware products.
Default setting: All methods are enabled.
Processes that are listed as trusted processes in the Exclusions list will not be scanned for exploits.
Self-protection
Self-protection prevents unauthorized changes to the software's own processes, registry records, executable and configuration files, and backups located in local folders. We do not recommend disabling this feature.
Default setting: Enabled.
Allowing processes to modify backups
The Allow specific processes to modify backups option is effective when Self-protection is enabled.
It applies to files that have the extensions .tibx, .tib, or .tia and are located in local folders.
This option lets you specify the processes that are allowed to modify the backup files, even though these files are protected by self-protection. This is useful, for example, if you remove backup files or move them to a different location by using a script.
If this option is disabled, the backup files can be modified only by processes signed by the backup software vendor. This allows the software to apply retention rules and to remove backups when a user requests this from the web interface. Other processes, whether suspicious or not, cannot modify the backups.
If this option is enabled, you can allow other processes to modify the backups. Specify the full path to the process executable, starting with the drive letter.
Default setting: Disabled.
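As an added illustration (not Acronis code) of the decision that the "Allow specific processes to modify backups" option describes, the following policy check applies the rules stated above: only .tibx, .tib and .tia files in local folders are in scope, vendor-signed processes are always allowed, and other processes are allowed only when the option is enabled and their full executable path, starting with a drive letter, is on the list. The vendor-signature check is simulated with a constructed set of "signed" executable paths (the path under "BackupVendor" is a placeholder), and the example treats every path with a drive letter as local because it has no way to look up the drive type.

```python
"""Policy check mirroring the "Allow specific processes to modify backups" option.

Added illustration, not Acronis code. The vendor signature check is simulated
with a constructed set of "signed" executables; a real implementation would
verify the Authenticode signature. Any path with a drive letter is treated as
local here (assumption: no drive-type lookup is performed).
"""
import re
from pathlib import PureWindowsPath

PROTECTED_EXTENSIONS = {".tibx", ".tib", ".tia"}
DRIVE_LETTER = re.compile(r"^[A-Za-z]:$")

# Constructed stand-in for "signed by the backup software vendor" (placeholder path).
VENDOR_SIGNED = {r"C:\Program Files\BackupVendor\service.exe"}


def validate_allowed_process(entry):
    """An allow-list entry must be a full path starting with a drive letter.

    Relative paths and UNC paths are rejected, matching the instruction to
    specify the full path to the executable starting with the drive letter."""
    p = PureWindowsPath(entry)
    if not DRIVE_LETTER.match(p.drive) or not p.is_absolute():
        raise ValueError(f"not a full path starting with a drive letter: {entry!r}")
    return str(p)


def is_protected_backup(path):
    """Self-protection covers .tibx/.tib/.tia files located in local folders only."""
    p = PureWindowsPath(path)
    return p.suffix.lower() in PROTECTED_EXTENSIONS and bool(DRIVE_LETTER.match(p.drive))


def may_modify(process_exe, target, option_enabled, allowed_processes):
    """Decide whether `process_exe` may modify `target` while self-protection is on."""
    if not is_protected_backup(target):
        return True   # out of this option's scope; other protection layers apply
    exe = str(PureWindowsPath(process_exe)).lower()
    if exe in {s.lower() for s in VENDOR_SIGNED}:
        return True   # vendor-signed processes always may (retention rules, deletions)
    if option_enabled:
        allowed = {validate_allowed_process(a).lower() for a in allowed_processes}
        return exe in allowed
    return False


if __name__ == "__main__":
    script = r"C:\Scripts\cleanup.exe"
    backup = r"D:\Backups\job.tibx"
    print("option disabled:", may_modify(script, backup, False, []))
    print("option enabled, listed:", may_modify(script, backup, True, [script]))
```

The check is deliberately strict about the allow-list entries themselves: a bare executable name or a UNC path is rejected at validation time rather than silently never matching, which is the failure mode an administrator would otherwise see only when the cleanup script starts being blocked.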
Network folder protection
The Protect network folders mapped as local drives option defines whether Active protection protects network folders that are mapped as local drives from local malicious processes.
This option applies to folders shared via the SMB or NFS protocols.
If a file was originally located on a mapped drive, it cannot be saved to the original location when extracted from the cache by the Revert using cache action. Instead, it will be saved to the folder specified in this option's settings. The default folder is C:\ProgramData\Acronis\Restored Network Files. If this folder does not exist, it will be created. If you want to change this path, specify a local folder. Network folders, including folders on mapped drives, are not supported.
Default setting: Enabled.
Server-side protection
This option defines whether Active protection protects network folders that you share from external incoming connections from other servers in the network that may bring threats.
Default setting: Disabled.
Setting trusted and blocked connections
On the Trusted tab, you can specify the connections that are allowed to modify any data. You should define the user name and IP address.
On the Blocked tab, you can specify the connections that will not be able to modify any data. You should define the user name and IP address.
Cryptomining process detection
This option defines whether Active protection detects potential cryptomining malware.
Cryptomining malware degrades performance of useful applications, increases electricity bills, may cause system crashes and even hardware damage due to abuse. We recommend that you add cryptomining malware to the Harmful processes list to prevent it from running.
Default setting: Enabled.
Cryptomining process detection settings
In Action on detection, select the action that the software will perform when a cryptomining activity is detected, and then click Done.
You can select one of the following:
- Notify only – The software generates an alert about the process suspected of cryptomining activities.
- Stop the process – The software generates an alert and stops the process suspected of cryptomining activities.
Default setting: Stop the process.
Real-time protection scan
Real-time protection scan constantly checks your machine for viruses and other threats for the entire time that your system is powered on.
Default setting: Enabled.
Configuring the action on detection for real-time protection
In Action on detection, select the action that the software will perform when a virus or other malicious threat is detected, and then click Done.
You can select one of the following:
- Block and notify – The software blocks the process and generates an alert about the process suspected of malware activities.
- Quarantine – The software generates an alert, stops the process, and moves the executable file to the quarantine folder.
Default setting: Quarantine.
Configuring the scan mode for real-time protection
In Scan mode, select how the software scans files for viruses and other malicious threats, and then click Done.
You can select one of the following:
- Smart on-access – Monitors all system activities and automatically scans files when they are accessed for reading or writing, or whenever a program is launched.
- On-execution – Automatically scans only executable files when they are launched to ensure that they are clean and will not cause any damage to your computer or data.
Default setting: Smart on-access.
Schedule scan
You can define a schedule according to which your machine is checked for malware. To do so, enable the Schedule scan option.
Default setting: Enabled.
Action on detection:
- Quarantine – The software generates an alert and moves the executable file to the quarantine folder.
- Notify only – The software generates an alert about the process that is suspected to be malware.
Default setting: Quarantine.
Scan mode:
- Full – The full scan takes much longer to finish than the quick scan because every file is checked.
- Quick – The quick scan only scans the common areas where malware normally resides on the machine.
You can schedule both Quick and Full scan in one protection plan.
Default setting: Quick and Full scan are scheduled.
Schedule the task run using the following events:
- Schedule by time – The task will run according to the specified time.
- When user logs in to the system – By default, login of any user will initiate a task run. You can change this setting so that only a specific user account can trigger the task.
- When user logs off the system – By default, logoff of any user will make the task run. You can change this setting so that only a specific user account can trigger the task. The task will not run at system shutdown; shutting down and logging off are different actions.
- On the system startup – The task will run when the operating system starts.
- On the system shutdown – The task will run when the operating system shuts down.
Default setting: Schedule by time.
Schedule type:
- Monthly – Select the months and the weeks or days of the month when the task will run.
- Daily – Select the days of the week when the task will run.
- Hourly – Select the days of the week, repetition number, and the time interval in which the task will run.
Default setting: Daily.
Start at – Select the exact time when the task will run.
Run within a date range – Set a range in which the configured schedule will be effective.
Start conditions – Define all the conditions that must be simultaneously met for the task to run. They are similar to the start conditions for the Backup module that are described in "Start conditions". Also, the following additional start conditions can be defined:
- Distribute task start time within a time window – This option allows you to set the time frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the task will start between 10:00 AM and 11:00 AM.
- If the machine is turned off, run missed tasks at the machine startup
- Prevent the sleep or hibernate mode during task running – This option is effective only for machines running Windows.
- If start conditions are not met, run the task anyway after – Specify the period after which the task will run, regardless of the other start conditions.
Scan only new and changed files – Only newly created and modified files will be scanned.
Default setting: Enabled.
When scheduling a Full scan, you have two additional options:
Scan archive files
Default setting: Enabled.
- Max recursion depth – How many levels of embedded archives can be scanned. For example, MIME document > ZIP archive > Office archive > document content. Default setting: 16.
- Max size – Maximum size of an archive file to be scanned. Default setting: Unlimited.
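The two archive limits above bound how much work a nested archive can cause the scanner. The following is an added example (not Acronis code) of a recursive archive scanner that honours both: it descends into ZIP members up to a maximum number of archive levels and refuses to open archives larger than a size cap, reporting the skipped archive instead of silently ignoring it. The "malware signature" is a constructed marker string, the nested ZIP samples are built in memory, and only the ZIP format is handled; the product's own scanner covers the other container types named above.

```python
"""Recursive archive scanner with a max recursion depth and a max archive size.

Added illustration, not Acronis code. The "signature" is a constructed marker
and the nested ZIP samples are built in memory; only ZIP containers are handled.
"""
import io
import zipfile

SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"   # stand-in for a real detection


def build_nested_zip(levels, payload, inner_name="doc.txt"):
    """Wrap `payload` in `levels` ZIP archives, innermost first (constructed sample)."""
    data, name = payload, inner_name
    for level in range(1, levels + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def scan(name, data, max_depth=16, max_size=None, depth=0, findings=None):
    """Scan `data`, descending into ZIP members up to `max_depth` archive levels.

    Returns a list of (member path, depth, status). The top-level file is at
    depth 0; an archive is opened only if its depth is below `max_depth` and,
    when `max_size` is set (None = unlimited), it is not larger than that many
    bytes. Archives beyond either limit are reported as skipped, not opened."""
    if findings is None:
        findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        findings.append((name, depth, "detected" if SIGNATURE in data else "clean"))
        return findings
    if max_size is not None and len(data) > max_size:
        findings.append((name, depth, "skipped: over max size"))
        return findings
    if depth >= max_depth:
        findings.append((name, depth, "skipped: max recursion depth"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            scan(f"{name}/{info.filename}", zf.read(info), max_depth, max_size, depth + 1, findings)
    return findings


if __name__ == "__main__":
    sample = build_nested_zip(3, b"quarterly report " + SIGNATURE)
    for result in scan("sample.zip", sample):
        print(result)
    for result in scan("sample.zip", sample, max_depth=2):
        print(result)
```

With the default depth of 16 the three-level sample is opened all the way down and the marker is found in the innermost document; with the depth lowered to 2 the third archive level is reported as skipped, which is the trade-off the setting controls: a lower limit caps scan time on deeply nested archives at the cost of not inspecting content buried below that level.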
Scan removable drives
Default setting: Disabled.
- Mapped (remote) network drives
- USB storage devices (such as pens and external hard-drives)
- CDs/DVDs
Quarantine
Quarantine is a folder for keeping suspicious (probably infected) or potentially dangerous files isolated.
Remove quarantined files after – Defines the period in days after which the quarantined files will be removed.
Default setting: 30 days.
Exclusions
To minimize the resources used by the heuristic analysis and to eliminate false positives, in which a trusted program is treated as ransomware, you can define the following settings:
On the Trusted tab, you can specify:
- Processes that will never be considered malware. Processes signed by Microsoft are always trusted.
- Folders in which file changes will not be monitored.
- Files and folders in which the scheduled scan will not be performed.
On the Blocked tab, you can specify:
- Processes that will always be blocked. These processes will not be able to start as long as Active Protection is enabled on the machine.
- Folders in which any processes will be blocked.
Default setting: No exclusions are defined.