Antivirus and antimalware protection settings

To learn how to create a protection plan with the Antivirus & Antimalware protection module, refer to "Creating a protection plan".

The following features can be configured for the Antivirus & Antimalware protection module.

This section describes the available settings for all supported operating systems. For the features applicable to your workloads, see the table Supported Cyber Protect features by operating system.
Some features might require additional licensing, depending on the applied licensing model.

Active Protection

Active Protection protects a system from ransomware and cryptocurrency mining malware. Ransomware encrypts files and demands a ransom for the encryption key. Cryptomining malware performs mathematical calculations in the background, thereby stealing processing power and network bandwidth.

Default setting: Enabled.

For Windows, Active Protection is available for machines running the following operating systems:

  • Desktop operating systems: Windows 7 Service Pack 1 and later

    On machines running Windows 7, ensure that Update for Windows 7 (KB2533623) is installed.

  • Server operating systems: Windows Server 2008 R2 and later

Agent for Windows must be installed on the protected machine. The agent version must be 12.0.4290 (released in October 2017) or later. For more information on how to update an agent, refer to Updating agents.

For Linux, Active Protection is available for machines running:

  • CentOS 6.10, 7.8 and later minor versions

  • CloudLinux 6.10, 7.8 and later minor versions

  • Ubuntu 16.04.7 and later minor versions

Agent for Linux must be installed on the protected machine. The agent version must be 15.0.26077 (released in December 2020) or later. For a list of supported Linux kernel versions, see https://kb.acronis.com/acronis-cyber-protect-cloud-active-protection-for-linux-kernel-versions.

Active Protection settings

In Action on detection, select the action that the software will perform when it detects ransomware activity, and then click Done.

You can select one of the following:

  • Notify only

    The software will generate an alert about the process.

  • Stop the process

    The software will generate an alert and stop the process.

  • Revert using cache

    The software will generate an alert, stop the process, and revert the file changes by using the service cache.

Default setting: Revert using cache.

Advanced antimalware

The availability of this feature depends on the service quotas that are enabled for your account.

The Advanced Antimalware switch enables the local signature-based engine. This engine uses an enhanced database of virus signatures to improve the efficiency of antimalware detection in both quick and full scans.

Real-time protection is available only with the local signature-based engine.

Antivirus and Antimalware protection for macOS and Linux also requires the local signature-based engine. For Windows, Antivirus and Antimalware protection is available with or without this engine.

Network folder protection

The Protect network folders mapped as local drives setting defines whether Active Protection protects network folders that are mapped as local drives from local malicious processes.

This setting applies to folders shared via SMB or NFS protocols.

If a file was originally located on a mapped drive, it cannot be saved to the original location when extracted from the cache by the Revert using cache action. Instead, it will be saved to the folder specified in this setting. The default folder is C:\ProgramData\Acronis\Restored Network Files. If this folder does not exist, it will be created. If you want to change this path, specify a local folder. Network folders, including folders on mapped drives, are not supported.

Default setting: Enabled.
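As an added illustration (not Acronis code, and not a description of the product's internals), the following Python sketch models what Revert using cache does in principle: the service cache keeps the pre-modification content of every file that a monitored process writes, and on detection the configured action is applied, with the network-folder rule above deciding where a reverted file lands. The in-memory volume, the process ID, the file contents and the mapped drive letter are all constructed; the restore folder is the default path named above.

```python
from dataclasses import dataclass, field

# Default destination, named on the page, for reverted files that originally
# lived on a mapped network drive.
RESTORED_NETWORK_FILES = r"C:\ProgramData\Acronis\Restored Network Files"

NOTIFY_ONLY = "Notify only"
STOP_PROCESS = "Stop the process"
REVERT_USING_CACHE = "Revert using cache"


def drive_letter(path: str) -> str:
    """Return the drive letter of a Windows-style path ('Z:\\x' -> 'Z'), or ''."""
    return path[0].upper() if len(path) >= 2 and path[1] == ":" else ""


@dataclass
class Volume:
    """Constructed in-memory stand-in for the disk plus the service cache."""
    files: dict                                 # path -> current content
    mapped_drives: set                          # drive letters mapped to network folders
    cache: dict = field(default_factory=dict)   # (pid, path) -> content before first write
    stopped: set = field(default_factory=set)   # PIDs that were stopped on detection
    alerts: list = field(default_factory=list)

    def write(self, pid: int, path: str, data: bytes) -> None:
        """A monitored process modifies a file: keep the original in the cache the
        first time that process touches it, then apply the write."""
        key = (pid, path)
        if key not in self.cache and path in self.files:
            self.cache[key] = self.files[path]
        self.files[path] = data

    def restore_target(self, path: str) -> str:
        """Files from mapped drives cannot be written back to their origin; they go
        to the local restore folder instead (the rule stated on the page)."""
        if drive_letter(path) in self.mapped_drives:
            return RESTORED_NETWORK_FILES + "\\" + path.rsplit("\\", 1)[-1]
        return path

    def on_detection(self, pid: int, action: str) -> list:
        """Apply the configured 'Action on detection' and return restored paths."""
        self.alerts.append(f"pid {pid}: ransomware-like activity, action={action}")
        if action == NOTIFY_ONLY:
            return []
        self.stopped.add(pid)
        if action == STOP_PROCESS:
            return []
        restored = []
        for (cached_pid, path), original in list(self.cache.items()):
            if cached_pid != pid:
                continue
            target = self.restore_target(path)
            self.files[target] = original
            restored.append(target)
            del self.cache[(cached_pid, path)]
        return restored


def demo() -> tuple:
    """Constructed scenario: one process encrypts a local file and a file on a
    mapped drive, and drops a ransom note (a new file, so nothing to revert)."""
    vol = Volume(
        files={r"C:\Users\bob\doc.txt": b"plain text",
               r"Z:\share\report.docx": b"quarterly report"},
        mapped_drives={"Z"},
    )
    vol.write(42, r"C:\Users\bob\doc.txt", b"\x00encrypted\x00")
    vol.write(42, r"Z:\share\report.docx", b"\x00encrypted\x00")
    vol.write(42, r"C:\Users\bob\HOW_TO_DECRYPT.txt", b"pay us")
    restored = vol.on_detection(42, REVERT_USING_CACHE)
    return vol, restored


if __name__ == "__main__":
    volume, paths = demo()
    for p in paths:
        print("restored:", p)
```

Running the demo restores the local file in place, while the file from the mapped Z: drive is written under the restore folder and the copy on the share keeps the encrypted content, which is exactly the caveat the network-folder setting describes.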

Server-side protection

This setting defines whether Active Protection protects the network folders that you share from external incoming connections from other servers in the network that might introduce threats.

Default setting: Disabled.

Server-side protection is not supported for Linux.

Setting trusted and blocked connections

To configure a trusted or blocked connection:

  1. In the Server-side protection dialog, select a tab:
    • To specify connections that are allowed to modify any data, select the Trusted tab.
    • To specify connections that are not allowed to modify any data, select the Blocked tab.
  2. Enter the following data:
    • Computer name and Account of the machine where the protection agent is installed.

      For example, MyComputer\TestUser.

    • Host name of the machine that is allowed to connect to the machine with the agent.
  3. Click the check mark to the right to save the connection definition.
  4. To add more connections, click the Add button.


Self-protection

Self-protection prevents unauthorized changes to the software's own processes, registry records, executable and configuration files, and backups located in local folders. We do not recommend disabling this feature.

Default setting: Enabled.

Self-protection is not supported for Linux.

Password protection

Password protection prevents unauthorized users or software from uninstalling Agent for Windows or modifying its components. These actions are only possible with a password that an administrator can provide.

A password is never required for the following actions:

  • Updating the installation by running the setup program locally

  • Updating the installation by using the Cyber Protection web console

  • Repairing the installation

Default setting: Disabled

For more information about how to enable Password protection, refer to Preventing unauthorized uninstallation or modification of agents.

Cryptomining process detection

This setting defines whether Active protection detects potential cryptomining malware.

Cryptomining malware degrades the performance of useful applications, increases electricity bills, and can cause system crashes and even hardware damage through overuse. To protect your workloads, we recommend that you add cryptomining malware to the Harmful processes list.

Default setting: Enabled.

Cryptomining process detection is not supported for Linux.

Cryptomining process detection settings

In Action on detection, select the action that the software will perform when a cryptomining process is detected, and then click Done.

You can select one of the following:

  • Notify only

    The software generates an alert about the process suspected of cryptomining activities.

  • Stop the process

    The software generates an alert and stops the process suspected of cryptomining activities.

Default setting: Stop the process.

Quarantine

Quarantine is a folder for keeping suspicious (probably infected) or potentially dangerous files isolated.

Remove quarantined files after – Defines the period in days after which the quarantined files will be removed.

Default setting: 30 days.

For more information about this feature, refer to Quarantine.

Behavior engine

Acronis Cyber Protection protects your system by using behavioral heuristics to identify malicious processes: it compares the chain of actions performed by a process with the chains of actions recorded in the database of malicious behavior patterns. Thus, new malware is detected by its typical behavior.

Default setting: Enabled.

Behavior engine is not supported for Linux.

For macOS, the behavior engine is not supported on Apple silicon processors, such as Apple M1.

Behavior engine settings

In Action on detection, select the action that the software will perform when it detects malware activity, and then click Done.

You can select one of the following:

  • Notify only

    The software will generate an alert about the process suspected of malware activity.

  • Stop the process

    The software will generate an alert and stop the process suspected of malware activity.

  • Quarantine

    The software will generate an alert, stop the process, and move the executable file to the quarantine folder.

Default setting: Quarantine.

Exploit prevention

The availability of this feature depends on the service quotas that are enabled for your account.

Exploit prevention detects and prevents infected processes from spreading and exploiting software vulnerabilities on Windows systems. When an exploit is detected, the software can generate an alert and stop the process suspected of exploit activities.

Exploit prevention is available only with agent versions 12.5.23130 (21.08, released in August 2020) or later.

Default setting: Enabled for newly created protection plans, and Disabled for existing protection plans, created with previous agent versions.

Exploit prevention is not supported for Linux.

Exploit prevention settings

You can select what the program should do when an exploit is detected, and which exploit prevention methods the program applies.

Under Enabled Action on detection, select what to do when an exploit is detected, and then click Done.

  • Notify only

    The software will generate an alert about the process suspected of malware activity.

  • Stop the process

    The software will generate an alert and stop the process suspected of malware activity.

Default setting: Stop the process

Under Enabled exploit prevention techniques, enable or disable the methods that you want to be applied, and then click Done.

You can select one of the following:

  • Memory protection

Detects and prevents suspicious modifications of the execution rights on memory pages. Malicious processes apply such modifications to page properties to enable the execution of shellcode from non-executable memory areas such as the stack and heap.

  • Return-oriented programming (ROP) protection

Detects and prevents attempts to use the ROP exploit technique, which allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing. The attacker takes control of the call stack, hijacks the program control flow, and executes malicious code.

  • Privilege escalation protection

Detects and prevents attempts at privilege elevation by unauthorized code or applications. Privilege escalation is used by malicious code to gain full access to the attacked machine and then perform critical and sensitive tasks. Unauthorized code is not allowed to access critical system resources or modify system settings.

  • Code injection protection

Detects and prevents malicious code injection into remote processes. Code injection is used to hide the malicious intent of an application behind clean or benign processes, to evade detection by antimalware products.

Default setting: All methods are enabled.

Processes that are listed as trusted processes in the Exclusions list will not be scanned for exploits.

Allowing processes to modify backups

The Allow specific processes to modify backups setting is only available when the Self-protection setting is enabled.

It applies to files that have extensions .tibx, .tib, .tia, and are located in local folders.

This setting lets you specify the processes that are allowed to modify the backup files, even though these files are protected by self-protection. This is useful, for example, if you remove backup files or move them to a different location by using a script.

If this setting is disabled, the backup files can be modified only by processes signed by the backup software vendor. This allows the software to apply retention rules and to remove backups when a user requests this from the web interface. Other processes, whether suspicious or not, cannot modify the backups.

If this setting is enabled, you can allow other processes to modify the backups. Specify the full path to the process executable, starting with the drive letter.

Default setting: Disabled.

Real-time protection

The availability of this feature depends on the service quotas that are enabled for your account.

Real-time protection constantly checks your machine for viruses and other threats for the entire time that your system is powered on.

Default setting: Enabled.

Real-time protection is available only when the local signature-based engine is turned on. For real-time protection, you need to enable both the Real-time protection switch and the Advanced Antimalware switch.

Configuring the action on detection for real-time protection

In Action on detection, select the action that the software will perform when a virus or other malicious threat is detected, and then click Done.

You can select one of the following:

  • Block and notify

    The software blocks the process and generates an alert about the process suspected of malware activities.

  • Quarantine

    The software generates an alert, stops the process, and moves the executable file to the quarantine folder.

Default setting: Quarantine.

Configuring the scan mode for real-time protection

In Scan mode, select how the software checks files for viruses and other malicious threats, and then click Done.

You can select one of the following:

  • Smart on-access – Monitors all system activities and automatically scans files when they are accessed for reading or writing, or whenever a program is launched.
  • On-execution – Automatically scans only executable files when they are launched to ensure that they are clean and will not cause any damage to your computer or data.

Default setting: Smart on-access.

Schedule scan

You can define a schedule according to which your machine will be checked for malware by enabling the Schedule scan setting.

Action on detection:

  • Quarantine

    The software generates an alert and moves the executable file to the quarantine folder.

  • Notify only

    The software generates an alert about the process that is suspected to be malware.

Default setting: Quarantine.

Scan mode:

  • Full

The full scan takes much longer to finish than the quick scan because every file will be checked.

  • Quick

    The quick scan only scans the common areas where malware normally resides on the machine.

You can schedule both Quick and Full scan in one protection plan.

Default setting: Quick and Full scan are scheduled.

Schedule the task run using the following events:

  • Schedule by time – The task will run according to the specified time.
  • When user logs in to the system – By default, a login of any user will start the task. You can modify this setting so that only a specific user account can trigger the task.
  • When user logs off the system – By default, a logoff of any user will start the task. You can modify this setting so that only a specific user account can trigger the task.

    The task will not run at system shutdown. Shutting down and logging off are different events in the scheduling configuration.

  • On the system startup – The task will run when the operating system starts.
  • On the system shutdown – The task will run when the operating system shuts down.

Default setting: Schedule by time.

Schedule type:

  • Monthly – Select the months and the weeks or days of the month when the task will run.
  • Daily – Select the days of the week when the task will run.
  • Hourly – Select the days of the week, repetition number, and the time interval in which the task will run.

Default setting: Daily.

Start at – Select the exact time when the task will run.

Run within a date range – Set a range in which the configured schedule will be effective.

Start conditions – Define all conditions that must be met simultaneously for the task to run.

Start conditions for antimalware scans are similar to the start conditions for the Backup module that are described in "Start conditions". You can define the following additional start conditions:

  • Distribute task start time within a time window – This option allows you to set the time frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the task will start between 10:00 AM and 11:00 AM.
  • If the machine is turned off, run missed tasks at the machine startup
  • Prevent the sleep or hibernate mode during task running – This option is effective only for machines running Windows.
  • If start conditions are not met, run the task anyway after – Specify the period after which the task will run, regardless of the other start conditions.

Start conditions are not supported for Linux.

Scan only new and changed files – Only newly created and modified files will be scanned.

Default setting: Enabled.

When scheduling a Full scan, you have two additional options:

Scan archive files

Default setting: Enabled.

  • Max recursion depth

    How many levels of embedded archives can be scanned. For example, MIME document > ZIP archive > Office archive > document content.

    Default setting: 16.

  • Max size

    Maximum size of an archive file to be scanned.

    Default setting: Unlimited.
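An added example (not part of this page and not the product's scanner) of why these two limits exist: the Python scanner below descends into nested ZIP archives only up to a maximum recursion depth and refuses any object above a maximum size, checking a member's declared uncompressed size before inflating it so that a decompression bomb is never expanded into memory. The nested sample archive and the "signature" marker are constructed; applying the size limit to archive members as well as to the archive itself is an assumption that goes beyond the setting description above.

```python
import io
import zipfile

# Constructed stand-in for a signature: any file body containing this marker
# counts as a detection.
MALWARE_MARKER = b"CONSTRUCTED-TEST-MARKER"


def build_nested_zip(levels: int, payload: bytes) -> bytes:
    """Constructed sample input: `payload` (document.txt) wrapped in `levels`
    nested ZIP archives, i.e. level2.zip > level1.zip > document.txt for levels=3
    once the outermost archive itself is counted."""
    data, name = payload, "document.txt"
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level + 1}.zip"
    return data


def scan(data: bytes, name: str, max_depth: int = 16, max_size=None,
         depth: int = 0, report=None) -> dict:
    """Scan `data`, opening archives at most `max_depth` levels deep and skipping
    any object larger than `max_size` bytes (None = unlimited, as on the page).
    Returns a report of scanned, skipped (with reason) and detected names."""
    if report is None:
        report = {"scanned": [], "skipped": [], "detections": []}
    if max_size is not None and len(data) > max_size:
        report["skipped"].append((name, "max size"))
        return report
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            # One more level of embedded archive than allowed: do not open it.
            report["skipped"].append((name, "max recursion depth"))
            return report
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                # Check the declared uncompressed size before inflating, so an
                # oversized member is never expanded in memory.
                if max_size is not None and info.file_size > max_size:
                    report["skipped"].append((member, "max size"))
                    continue
                scan(zf.read(info), member, max_depth, max_size, depth + 1, report)
        return report
    # Plain file: match the constructed signature.
    report["scanned"].append(name)
    if MALWARE_MARKER in data:
        report["detections"].append(name)
    return report


if __name__ == "__main__":
    sample = build_nested_zip(3, b"A" * 150 + MALWARE_MARKER)
    print(scan(sample, "mail.zip"))
    print(scan(sample, "mail.zip", max_depth=2))
```

With the default depth of 16 the marker is found three archive levels down; with a depth of 2 the innermost archive is reported as skipped rather than opened, and with a small size limit the outer archive is skipped before anything is inflated.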

Scan removable drives

Default setting: Disabled.

  • Mapped (remote) network drives
  • USB storage devices (such as pens and external hard drives)
  • CDs/DVDs

Scan removable drives is not supported for Linux.

Exclusions

To minimize the resources used by the heuristic analysis and to eliminate false positives, in which a trusted program is treated as ransomware or other malware, you can define the following settings:

On the Trusted tab, you can specify:

  • Processes that will never be considered malware. Processes signed by Microsoft are always trusted.
  • Folders in which file changes will not be monitored.
  • Files and folders in which the scheduled scan will not be performed.

On the Blocked tab, you can specify:

  • Processes that will always be blocked. These processes will not be able to start as long as Active Protection or Antimalware Protection is enabled on the machine.
  • Folders in which any processes will be blocked.

Default setting: No exclusions are defined by default.

You can use a wildcard (*) to add items to the exclusion lists.

You can also use variables to add items to the exclusion lists. Note the following limitations:

  • For Windows, only SYSTEM variables are supported. User-specific variables (for example, %USERNAME% and %APPDATA%) are not supported. Variables with {username} are not supported. For more information, see https://ss64.com/nt/syntax-variables.html.
  • For macOS, environment variables are not supported.
  • For Linux, environment variables are not supported.

Examples of supported formats:

  • %WINDIR%\Media
  • %public%
  • %CommonProgramFiles%\Acronis\*
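The following Python block is an added example, not part of this page or of the product, showing how exclusion entries of the kind listed above can be validated and matched: %VAR% references are expanded only when they name a system-scope variable, entries that use user-specific variables or a {username} placeholder are rejected, variables are refused altogether on macOS and Linux, and a compiled entry then matches a path either as a folder prefix or through the * wildcard. The variable values are constructed so that the block runs on any operating system; on a real Windows machine they would come from the system environment.

```python
import fnmatch
import re

VAR_RE = re.compile(r"%([^%]+)%")

# Windows system-scope variables with constructed values (hypothetical; a real
# agent would read the actual system environment). Only these are accepted.
SYSTEM_VARIABLES = {
    "WINDIR": r"C:\Windows",
    "PUBLIC": r"C:\Users\Public",
    "COMMONPROGRAMFILES": r"C:\Program Files\Common Files",
    "PROGRAMDATA": r"C:\ProgramData",
}


def expand_exclusion(pattern: str, platform: str = "windows") -> str:
    """Expand %VAR% references in an exclusion entry.

    Rejects {username} placeholders, any variable that is not in the system
    table (user-specific ones such as %USERNAME% or %APPDATA% included), and all
    variables on non-Windows platforms, as the page's limitations state."""
    if "{username}" in pattern.lower():
        raise ValueError(f"{pattern}: {{username}} placeholders are not supported")
    if platform != "windows":
        if VAR_RE.search(pattern):
            raise ValueError(f"{pattern}: environment variables are not supported on {platform}")
        return pattern

    def replace(match):
        name = match.group(1)
        value = SYSTEM_VARIABLES.get(name.upper())
        if value is None:
            raise ValueError(f"{pattern}: %{name}% is not a supported SYSTEM variable")
        return value

    return VAR_RE.sub(replace, pattern)


def normalize(path: str) -> str:
    """Case-fold and use backslashes, since Windows paths are case-insensitive."""
    return path.replace("/", "\\").lower().rstrip("\\")


def compile_exclusions(patterns, platform: str = "windows") -> list:
    """Expand and normalize every entry; an invalid entry raises ValueError."""
    return [normalize(expand_exclusion(p, platform)) for p in patterns]


def is_excluded(path: str, compiled: list) -> bool:
    """True if `path` is one of the excluded items or lies under an excluded
    folder, or matches an entry that uses the * wildcard."""
    p = normalize(path)
    for pattern in compiled:
        if p == pattern or p.startswith(pattern + "\\"):
            return True
        if "*" in pattern and fnmatch.fnmatchcase(p, pattern):
            return True
    return False


if __name__ == "__main__":
    # The three example entries from the page.
    rules = compile_exclusions([r"%WINDIR%\Media", r"%public%", r"%CommonProgramFiles%\Acronis\*"])
    for candidate in (r"C:\Windows\Media\notify.wav", r"C:\Windows\System32\cmd.exe"):
        print(candidate, "->", "excluded" if is_excluded(candidate, rules) else "scanned")
```

Note that the prefix check appends a backslash before comparing, so the %public% entry covers C:\Users\Public\... but not a sibling folder whose name merely starts with "Public".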