Antivirus and Antimalware protection settings

To learn how to create a protection plan with the Antivirus and antimalware protection module, refer to "Creating a protection plan".

The following features can be configured for the Antivirus and antimalware protection module.

This section describes the available settings for all supported operating systems. To check which features apply to your workloads, see the table Supported Cyber Protect features by operating system.
Some features might require additional licensing, depending on the applied licensing model.

Active Protection

Active Protection protects a system from ransomware and cryptocurrency mining malware. Ransomware encrypts files and demands a ransom for the encryption key. Cryptomining malware performs mathematical calculations in the background, thus stealing the processing power and network traffic.

In Cyber Backup Standard edition, Active Protection is a separate module in the protection plan. Thus, it can be configured separately and applied to different devices or groups of devices.

In all other editions of the Cyber Protection service, Active Protection is part of the Antivirus and Antimalware protection module.

Default setting: Enabled.

Active Protection settings

In Action on detection, select the action that the software will perform when detecting a ransomware activity, and then click Done.

You can select one of the following:

  • Notify only

    The software will generate an alert about the process.

  • Stop the process

    The software will generate an alert and stop the process.

  • Revert using cache

    The software will generate an alert, stop the process, and revert the file changes by using the service cache.

Default setting: Revert using cache.

Advanced antimalware

The availability of this feature depends on the license that you use.

The Advanced Antimalware switch enables the local signature-based engine. This engine uses an enhanced database of virus signatures to improve the efficiency of antimalware detection in both quick and full scans.

Real-time protection is available only with the local signature-based engine.

Antivirus and Antimalware protection for macOS and Linux also requires the local signature-based engine. For Windows, Antivirus and Antimalware protection is available with or without this engine.

Network folder protection

The Protect network folders mapped as local drives setting defines whether Active Protection protects network folders that are mapped as local drives from local malicious processes.

This setting applies to folders shared via SMB or NFS protocols.

If a file was originally located on a mapped drive, it cannot be saved to the original location when extracted from the cache by the Revert using cache action. Instead, it will be saved to the folder specified in this setting. The default folder is C:\ProgramData\Acronis\Restored Network Files. If this folder does not exist, it will be created. If you want to change this path, specify a local folder. Network folders, including folders on mapped drives, are not supported.

Default setting: Enabled.

Server-side protection

This setting defines whether Active Protection protects the network folders that you share from external incoming connections from other servers in the network, which may carry threats.

Default setting: Disabled.

Server-side protection is not supported for Linux.

Setting trusted and blocked connections

On the Trusted tab, you can specify the connections that are allowed to modify any data. You should define the user name and IP address.

On the Blocked tab, you can specify the connections that will not be able to modify any data. You should define the user name and IP address.

Self-protection

Self-protection prevents unauthorized changes to the software's own processes, registry records, executable and configuration files, and backups located in local folders. We do not recommend disabling this feature.

Default setting: Enabled.

Self-protection is not supported for Linux.

Password protection

Password protection prevents unauthorized users or software from uninstalling Agent for Windows or modifying its components. These actions are only possible with a password that an administrator can provide.

A password is never required for the following actions:

  • Updating the installation by running the setup program locally

  • Updating the installation by using the Cyber Protection web console

  • Repairing the installation

Default setting: Disabled.

For more information about how to enable Password protection, refer to Preventing unauthorized uninstallation or modification of agents.

Cryptomining process detection

This setting defines whether Active protection detects potential cryptomining malware.

Cryptomining malware degrades the performance of legitimate applications, increases electricity bills, and may cause system crashes and even hardware damage through sustained abuse of the hardware. To protect your workloads, we recommend that you add cryptomining malware to the Harmful processes list.

Default setting: Enabled.

Cryptomining process detection is not supported for Linux.

Cryptomining process detection settings

In Action on detection, select the action that the software will perform when a cryptomining process is detected, and then click Done.

You can select one of the following:

  • Notify only

    The software generates an alert about the process suspected of cryptomining activities.

  • Stop the process

    The software generates an alert and stops the process suspected of cryptomining activities.

Default setting: Stop the process.

Quarantine

Quarantine is a folder for keeping suspicious (probably infected) or potentially dangerous files isolated.

Remove quarantined files after – Defines the period in days after which the quarantined files will be removed.

Default setting: 30 days.

For more information about this feature, refer to Quarantine.

Behavior detection

Acronis Cyber Protection protects your system by using behavioral heuristics to identify malicious processes: it compares the chain of actions performed by a process with the chains of actions recorded in the database of malicious behavior patterns. Thus, new malware is detected by its typical behavior.

Default setting: Enabled.

Behavior detection is not supported for Linux.

Behavior detection settings

In Action on detection, select the action that the software will perform when detecting a malware activity, and then click Done.

You can select one of the following:

  • Notify only

    The software will generate an alert about the process suspected of malware activity.

  • Stop the process

    The software will generate an alert and stop the process suspected of malware activity.

  • Quarantine

    The software will generate an alert, stop the process, and move the executable file to the quarantine folder.

Default setting: Quarantine.
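The chain-of-actions comparison described above, and the three values of Action on detection, as an added illustration. This is a constructed example and not Acronis code: the pattern names, the action vocabulary, the sample traces and the trusted-process handling are assumptions that show the mechanism, not the product's database or engine. A pattern matches when its chain of actions appears in order in a process's trace, with other actions allowed in between.

```python
"""Added illustration: matching a process's chain of actions against behavior patterns.

Constructed example, not Acronis code. Pattern names, action vocabulary and
traces are invented to show the mechanism the page describes.
"""
from dataclasses import dataclass, field

# Constructed behavior patterns: an ordered chain of actions per pattern.
# A process matches when the chain appears in order (gaps allowed) in its trace.
PATTERNS = {
    "ransomware-like": [
        "enumerate_user_files", "read_file", "write_file_high_entropy",
        "delete_original", "drop_note",
    ],
    "dropper-like": [
        "download_payload", "write_executable", "set_autorun", "create_process",
    ],
}

# The three values of "Action on detection" for behavior detection.
ACTIONS = ("Notify only", "Stop the process", "Quarantine")


@dataclass
class ProcessTrace:
    pid: int
    image_path: str
    signed_by_microsoft: bool = False
    actions: list = field(default_factory=list)


def matches_chain(observed, chain):
    """True if `chain` occurs as an ordered subsequence of `observed`."""
    it = iter(observed)
    return all(any(a == step for a in it) for step in chain)


def classify(trace, trusted_processes=()):
    """Return the first matching pattern name, or None for a clean or trusted process."""
    # Exclusions: Microsoft-signed processes and listed trusted processes are never flagged.
    if trace.signed_by_microsoft or trace.image_path in trusted_processes:
        return None
    for name, chain in PATTERNS.items():
        if matches_chain(trace.actions, chain):
            return name
    return None


def respond(verdict, action="Quarantine"):
    """Translate the configured action into the steps the page lists for each choice."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if verdict is None:
        return []
    steps = ["alert"]                      # every action generates an alert
    if action in ("Stop the process", "Quarantine"):
        steps.append("stop_process")
    if action == "Quarantine":
        steps.append("quarantine_executable")
    return steps


# Constructed traces. The backup tool writes high-entropy data (compressed
# backups) but never deletes originals or drops a note, so it does not match.
BACKUP_TOOL = ProcessTrace(1, r"C:\Program Files\Backup\backup.exe",
    actions=["enumerate_user_files", "read_file", "write_file_high_entropy", "read_file"])
ENCRYPTOR = ProcessTrace(2, r"C:\Users\Public\update.exe",
    actions=["create_mutex", "enumerate_user_files", "read_file", "write_file_high_entropy",
             "delete_original", "read_file", "write_file_high_entropy", "delete_original",
             "drop_note"])
SIGNED_TOOL = ProcessTrace(3, r"C:\Windows\System32\tool.exe", signed_by_microsoft=True,
    actions=ENCRYPTOR.actions)

if __name__ == "__main__":
    for t in (BACKUP_TOOL, ENCRYPTOR, SIGNED_TOOL):
        v = classify(t)
        print(t.pid, t.image_path, "->", v, respond(v))
```

The backup tool in the sample is the false-positive case the Exclusions section exists for: it shares the first three steps of the ransomware-like chain, and only the absence of the remaining steps keeps it clean. Adding its path to the trusted list makes the outcome explicit instead of relying on the chain being incomplete.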

Exploit prevention

The availability of this feature depends on the license that you use.

Exploit prevention detects and prevents infected processes from spreading and from exploiting software vulnerabilities on Windows systems. When an exploit is detected, the software can generate an alert and stop the process suspected of exploit activities.

Exploit prevention is available only with agent versions 20.08 or later.

Default setting: Enabled for newly created protection plans, and Disabled for existing protection plans, created with previous agent versions.

Exploit prevention is not supported for Linux.

Exploit prevention settings

You can select what the program should do when an exploit is detected, and which exploit prevention methods the program applies.

Under Enabled Action on detection, select what to do when an exploit is detected, and then click Done.

  • Notify only

    The software will generate an alert about the process suspected of malware activity.

  • Stop the process

    The software will generate an alert and stop the process suspected of malware activity.

Default setting: Stop the process.

Under Enabled exploit prevention techniques, enable or disable the methods that you want to be applied, and then click Done.

You can select one of the following:

  • Memory protection

    Detects and prevents suspicious modifications of the execution rights on memory pages. Malicious processes apply such modifications to page properties to enable the execution of shellcode from non-executable memory areas such as the stack and heap.

  • Privilege escalation protection

    Detects and prevents attempts by unauthorized code or applications to elevate privileges. Malicious code uses privilege escalation to gain full access to the attacked machine and then perform critical and sensitive tasks. Unauthorized code is not allowed to access critical system resources or modify system settings.

  • Code injection protection

    Detects and prevents malicious code injection into remote processes. Code injection is used to hide the malicious intent of an application behind clean or benign processes, to evade detection by antimalware products.

Default setting: All methods are enabled.

Processes that are listed as trusted processes in the Exclusions list will not be scanned for exploits.

Allowing processes to modify backups

The Allow specific processes to modify backups setting is only available when the Self-protection setting is enabled.

It applies to files that have extensions .tibx, .tib, .tia, and are located in local folders.

This setting lets you specify the processes that are allowed to modify the backup files, even though these files are protected by self-protection. This is useful, for example, if you remove backup files or move them to a different location by using a script.

If this setting is disabled, the backup files can be modified only by processes signed by the backup software vendor. This allows the software to apply retention rules and to remove backups when a user requests this from the web interface. Other processes, whether suspicious or not, cannot modify the backups.

If this setting is enabled, you can allow other processes to modify the backups. Specify the full path to the process executable, starting with the drive letter.

Default setting: Disabled.

Real-time protection

The availability of this feature depends on the license that you use.

Real-time protection constantly checks your system for viruses and other threats for the entire time that the system is powered on.

Default setting: Enabled.

Real-time protection is available only when the local signature-based engine is turned on. For real-time protection, you need to enable both the Real-time protection switch and the Advanced Antimalware switch.

Configuring the action on detection for real-time protection

In Action on detection, select the action that the software will perform when a virus or other malicious threat is detected, and then click Done.

You can select one of the following:

  • Block and notify

    The software blocks the process and generates an alert about the process suspected of malware activities.

  • Quarantine

    The software generates an alert, stops the process, and moves the executable file to the quarantine folder.

Default setting: Quarantine.

Configuring the scan mode for real-time protection

In Scan mode, select when the software scans files for viruses and other malicious threats, and then click Done.

You can select one of the following:

  • Smart on-access – Monitors all system activities and automatically scans files when they are accessed for reading or writing, or whenever a program is launched.
  • On-execution – Automatically scans only executable files when they are launched to ensure that they are clean and will not cause any damage to your computer or data.

Default setting: Smart on-access.

Schedule scan

You can define a schedule according to which your machine will be checked for malware, by enabling the Schedule scan setting.

Action on detection:

  • Quarantine

    The software generates an alert and moves the executable file to the quarantine folder.

  • Notify only

    The software generates an alert about the process that is suspected to be malware.

Default setting: Quarantine.

Scan mode:

  • Full

    The full scan takes much longer to finish than the quick scan because every file is checked.

  • Quick

    The quick scan only scans the common areas where malware normally resides on the machine.

You can schedule both Quick and Full scan in one protection plan.

Default setting: Quick and Full scan are scheduled.

Schedule the task run using the following events:

  • Schedule by time – The task will run according to the specified time.
  • When user logs in to the system – By default, a login of any user will start the task. You can modify this setting so that only a specific user account can trigger the task.
  • When user logs off the system – By default, a logoff of any user will start the task. You can modify this setting so that only a specific user account can trigger the task.

    The task will not run at system shutdown. Shutting down and logging off are different events in the scheduling configuration.

  • On the system startup – The task will run when the operating system starts.
  • On the system shutdown – The task will run when the operating system shuts down.

Default setting: Schedule by time.

Schedule type:

  • Monthly – Select the months and the weeks or days of the month when the task will run.
  • Daily – Select the days of the week when the task will run.
  • Hourly – Select the days of the week, repetition number, and the time interval in which the task will run.

Default setting: Daily.

Start at – Select the exact time when the task will run.

Run within a date range – Set a range in which the configured schedule will be effective.

Start conditions – Define all conditions that must be met simultaneously for the task to run.

Start conditions for antimalware scans are similar to the start conditions for the Backup module that are described in "Start conditions". You can define the following additional start conditions:

  • Distribute task start time within a time window – This option allows you to set the time frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the task will start between 10:00 AM and 11:00 AM.
  • If the machine is turned off, run missed tasks at the machine startup
  • Prevent the sleep or hibernate mode during task running – This option is effective only for machines running Windows.
  • If start conditions are not met, run the task anyway after – Specify the period after which the task will run, regardless of the other start conditions.

Start conditions are not supported for Linux.

Scan only new and changed files – Only newly created and modified files will be scanned.

Default setting: Enabled.

When scheduling a Full scan, you have two additional options:

Scan archive files

Default setting: Enabled.

  • Max recursion depth

    How many levels of embedded archives can be scanned. For example, MIME document > ZIP archive > Office archive > document content.

    Default setting: 16.

  • Max size

    Maximum size of an archive file to be scanned.

    Default setting: Unlimited.
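How Max recursion depth and Max size bound a scan of nested archives, as an added illustration. This is a constructed example and not Acronis code: the ZIP nesting is built in memory, the "signature" is a constructed marker string checked by substring match, the report counters are invented, and the extra check of a member's declared uncompressed size before decompression is an assumption added as a zip-bomb guard, not something the page documents.

```python
"""Added illustration: how "Max recursion depth" and "Max size" bound an archive scan.

Constructed example, not Acronis code. The marker, the nested ZIPs and the
report fields are invented; detection here is a plain substring check standing
in for a signature engine.
"""
import io
import zipfile

MARKER = b"CONSTRUCTED-TEST-MARKER"   # stand-in signature, not a real one


def nest(payload: bytes, levels: int) -> bytes:
    """Wrap `payload` in `levels` nested ZIP archives (innermost first)."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("payload.bin" if i == 0 else "inner.zip", data)
        data = buf.getvalue()
    return data


def scan_blob(data: bytes, max_depth: int = 16, max_size=None, _depth=0, _report=None):
    """Scan `data`, descending into ZIP members up to `max_depth` archive levels.

    max_depth: archive levels that may be opened (page default: 16).
    max_size:  largest archive, in bytes, that is opened at all (None = Unlimited).
    Returns a dict of counters so callers can see what was skipped and why.
    """
    rep = _report if _report is not None else {
        "files_scanned": 0, "archives_opened": 0,
        "skipped_depth": 0, "skipped_size": 0, "detections": 0,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Plain file: apply the (stand-in) signature check.
        rep["files_scanned"] += 1
        if MARKER in data:
            rep["detections"] += 1
        return rep
    if max_size is not None and len(data) > max_size:
        rep["skipped_size"] += 1          # archive too large: not opened
        return rep
    if _depth >= max_depth:
        rep["skipped_depth"] += 1         # nesting limit reached: not opened
        return rep
    rep["archives_opened"] += 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Declared uncompressed size from the central directory, checked
            # before decompression so a highly compressed member cannot
            # exhaust memory (zip-bomb guard; an assumption, not documented).
            if max_size is not None and info.file_size > max_size:
                rep["skipped_size"] += 1
                continue
            scan_blob(zf.read(info), max_depth, max_size, _depth + 1, rep)
    return rep


SAMPLE = nest(b"harmless text " + MARKER + b" tail", 3)   # constructed test input

if __name__ == "__main__":
    print("default limits:", scan_blob(SAMPLE))
    print("max_depth=2:  ", scan_blob(SAMPLE, max_depth=2))
    print("max_size=10:  ", scan_blob(SAMPLE, max_size=10))
```

With the default depth all three archive levels are opened and the marker is found in the innermost file; with max_depth=2 the third level is never opened, so the same content goes undetected, and with a small Max size the outer archive is not opened at all. The counters make those trade-offs visible, which is the point to keep in mind when lowering either limit for performance.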

Scan removable drives

Default setting: Disabled.

  • Mapped (remote) network drives
  • USB storage devices (such as pens and external hard drives)
  • CDs/DVDs

Scan removable drives is not supported for Linux.

Exclusions

To minimize the resources used by the heuristic analysis and to eliminate false positives, in which a trusted program is considered ransomware or other malware, you can define the following settings:

On the Trusted tab, you can specify:

  • Processes that will never be considered malware. Processes signed by Microsoft are always trusted.
  • Folders in which file changes will not be monitored.
  • Files and folders in which the scheduled scan will not be performed.

On the Blocked tab, you can specify:

  • Processes that will always be blocked. These processes will not be able to start as long as Active Protection or Antimalware Protection is enabled on the machine.
  • Folders in which any process will be blocked.

Default setting: No exclusions are defined by default.

You can use a wildcard (*) to add items to the exclusion lists.

You can also use variables to add items to the exclusion lists. Note the following limitations:

  • For Windows, only SYSTEM variables are supported. User-specific variables, for example %USERNAME% and %APPDATA%, are not supported. Variables with {username} are not supported. For more information, see https://ss64.com/nt/syntax-variables.html.
  • For macOS, environment variables are not supported.
  • For Linux, environment variables are not supported.

Examples of supported formats:

  • %WINDIR%\Media
  • %public%
  • %CommonProgramFiles%\Acronis\*
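The variable and wildcard rules for exclusion entries, as an added illustration that validates entries and checks paths against them. This is a constructed example and not Acronis code: the SYSTEM variable table is a stand-in for the real Windows environment, the rejection of non-SYSTEM variables is implemented as "not in that table", and case-insensitive matching on Windows and the behaviour of * across path separators are assumptions about how the product matches, not statements from the page.

```python
"""Added illustration: validating and expanding exclusion-list entries.

Constructed example, not Acronis code. The SYSTEM variable table is a stand-in
for the real Windows environment, and the rules follow the limitations listed
on the page: only SYSTEM variables on Windows, no variables on macOS/Linux,
no {username} placeholders, '*' as the wildcard.
"""
import fnmatch
import re

# Constructed stand-in for the Windows SYSTEM environment (values differ per host).
SYSTEM_VARS = {
    "WINDIR": r"C:\Windows",
    "PUBLIC": r"C:\Users\Public",
    "COMMONPROGRAMFILES": r"C:\Program Files\Common Files",
}

VAR_RE = re.compile(r"%([^%]+)%")


class ExclusionError(ValueError):
    """Raised for an entry the exclusion list would not accept."""


def expand_entry(entry: str, platform: str = "windows", system_vars=SYSTEM_VARS) -> str:
    """Expand %VAR% references using SYSTEM variables only; reject unsupported forms."""
    if "{username}" in entry.lower():
        raise ExclusionError("{username} placeholders are not supported")
    if platform != "windows":
        # macOS and Linux: environment variables are not supported at all.
        if VAR_RE.search(entry):
            raise ExclusionError(f"environment variables are not supported on {platform}")
        return entry

    def replace(m):
        name = m.group(1).upper()          # %public% and %PUBLIC% are the same variable
        if name not in system_vars:
            raise ExclusionError(f"%{m.group(1)}% is not a SYSTEM variable")
        return system_vars[name]

    return VAR_RE.sub(replace, entry)


def is_valid_entry(entry: str, platform: str = "windows") -> bool:
    """True if the entry would be accepted for the given platform."""
    try:
        expand_entry(entry, platform)
        return True
    except ExclusionError:
        return False


def matches(entry: str, path: str, platform: str = "windows") -> bool:
    """True if `path` is covered by the exclusion `entry` after expansion.

    '*' matches any run of characters including path separators, so
    'dir\\*' covers the whole subtree. Windows paths compare case-insensitively
    (assumption about the product's matching; NTFS itself is case-insensitive).
    """
    pattern = expand_entry(entry, platform)
    if platform == "windows":
        return fnmatch.fnmatchcase(path.lower(), pattern.lower())
    return fnmatch.fnmatchcase(path, pattern)


if __name__ == "__main__":
    for e in (r"%WINDIR%\Media", r"%public%", r"%CommonProgramFiles%\Acronis\*",
              r"%APPDATA%\Tool", r"C:\Users\{username}\Downloads"):
        print(f"{e:40} valid={is_valid_entry(e)}")
    print(matches(r"%CommonProgramFiles%\Acronis\*",
                  r"C:\Program Files\Common Files\Acronis\bin\tool.exe"))
```

Because a wildcard entry excludes everything beneath the expanded prefix, an entry such as %public% or a broad * pattern removes a writable, user-reachable location from scanning; reviewing what each entry expands to on the host is the practical check before adding it.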