Active protection

To protect your computer from malicious software in real time, Acronis Cyber Protect Home Office uses the Acronis Active Protection technology.

Active Protection constantly checks your computer while you continue working as usual. In addition to your files, Acronis Active Protection protects the Acronis Cyber Protect Home Office application files, your backups, and the Master Boot Records of your hard drives.

Active protection consists of several protection levels that you can enable independently of each other:

  • Anti-ransomware protection
  • Real-time protection
  • Web filtering

Anti-ransomware protection

Ransomware encrypts files and demands a ransom for the encryption key. Cryptomining malware performs mathematical calculations in the background, thus stealing the processing power and network traffic of your machine.

When the Anti-ransomware Protection service is on, it monitors the processes running on your computer in real time. When it detects a third-party process that tries to encrypt your files or mine cryptocurrency, the service informs you about it and asks whether you want to allow the process to continue or to block it.

To allow the process to continue the activity, click Trust. If you are not sure if the process is safe and legal, we recommend that you click Quarantine. After this, the process will be added to Quarantine and blocked from any activities.

After blocking a process, we recommend that you check if your files have been encrypted or corrupted in any way. If they are, click Recover modified files. Acronis Cyber Protect Home Office will search the following locations for the latest file versions to recover:

  • Temporary file copies that were preliminarily created during the process verification
  • Local backups
  • Cloud backups

If Acronis Cyber Protect Home Office finds a good temporary copy, the file is restored from that copy. If temporary file copies are not suitable for restore, Acronis Cyber Protect Home Office searches for backup copies locally and in the cloud, compares the creation dates of the copies found in both locations, and restores your file from the latest available non-corrupt copy.

Acronis Cyber Protect Home Office does not support file recovery from password-protected backups.
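
The selection order described above can be written out as a short decision function. This is an added illustration, not Acronis code: the `Copy` type, its field names, and the choice of the newest temporary copy when several are good are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass(frozen=True)
class Copy:
    """One candidate version of a file (hypothetical model, not an Acronis type)."""
    source: str                       # "temp", "local" or "cloud"
    created: datetime
    corrupt: bool = False
    password_protected: bool = False  # applies to backups only

def pick_recovery_copy(copies: List[Copy]) -> Optional[Copy]:
    """Return the copy to restore from, or None when nothing is usable."""
    # 1. A good temporary copy is used first (assumption: newest if several).
    temps = [c for c in copies if c.source == "temp" and not c.corrupt]
    if temps:
        return max(temps, key=lambda c: c.created)
    # 2. Otherwise compare local and cloud backups by creation date and take
    #    the latest non-corrupt one; password-protected backups are skipped.
    backups = [c for c in copies
               if c.source in ("local", "cloud")
               and not c.corrupt and not c.password_protected]
    return max(backups, key=lambda c: c.created, default=None)

# Constructed sample: the temporary copy is damaged and the newest cloud
# backup is password-protected, so the 2 March cloud backup is chosen.
SAMPLE = [
    Copy("temp", datetime(2024, 3, 3), corrupt=True),
    Copy("local", datetime(2024, 3, 1)),
    Copy("cloud", datetime(2024, 3, 2)),
    Copy("cloud", datetime(2024, 3, 4), password_protected=True),
]

if __name__ == "__main__":
    print(pick_recovery_copy(SAMPLE))
```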

To configure Acronis Cyber Protect Home Office to automatically recover files after blocking a process, select the Automatically recover files after blocking a process check box in the Active Protection settings. See Configuring Active Protection.

Real-time Protection

When Real-time Protection is enabled, it constantly checks the files you interact with to protect your machine from suspicious activity, viruses, and other malicious threats in real time.

Real-time Protection comes with the following additional protection options:

  • Behavior analysis – to identify malicious processes, Active Protection uses behavioral heuristics. It compares the chain of actions performed by a process with the chains of events recorded in the database of malicious behavior patterns. This approach enables Active Protection to detect new malware by its typical behavior.
  • Exploit prevention – Active Protection analyzes the behavior of processes running on the machine and detects abnormal activity. It prevents infected processes from spreading and exploiting the vulnerabilities of other software installed on the system. Active Protection employs several exploit prevention methods:

    • Memory protection detects and prevents suspicious modifications of the execution rights on memory pages. Malicious processes apply such modifications to page properties to enable the execution of shellcode from non-executable memory areas such as the stack and the heap.
    • Privilege escalation protection detects and prevents attempts at privilege elevation made by unauthorized code or applications. Privilege escalation is used by malicious code to gain full access to the attacked machine, and then perform critical and sensitive tasks. Unauthorized code is not allowed to access critical system resources or modify system settings.
    • Code injection protection detects and prevents malicious code injection into remote processes. Code injection is used to hide the malicious intent of an application behind clean or benign processes, to evade detection by anti-malware products.
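
The chain comparison described under Behavior analysis can be modeled as an ordered-subsequence match per process. This is an added illustration, not the product's detection engine: the action names, the pattern database, and the event stream are constructed, and real heuristics weigh far more signals than ordering.

```python
from collections import defaultdict

# Constructed pattern database: pattern name -> ordered chain of actions.
PATTERNS = {
    "bulk_file_encryption": ["enumerate_files", "read_file",
                             "write_high_entropy", "delete_original"],
    "exec_from_writable_memory": ["alloc_rw_page", "set_page_executable",
                                  "jump_to_page"],
}

# Constructed event stream: (pid, action), interleaved across processes.
EVENTS = [
    (101, "enumerate_files"), (202, "read_file"), (101, "read_file"),
    (202, "write_file"), (101, "query_registry"), (101, "write_high_entropy"),
    (303, "alloc_rw_page"), (101, "delete_original"), (303, "jump_to_page"),
]

def contains_chain(actions, pattern):
    """True if every step of `pattern` occurs in `actions` in the same order.
    Unrelated actions in between are tolerated."""
    remaining = iter(actions)
    return all(step in remaining for step in pattern)

def match_processes(events, patterns):
    """Group events per process, then report which patterns each chain matches."""
    chains = defaultdict(list)
    for pid, action in events:
        chains[pid].append(action)
    hits = {}
    for pid, actions in chains.items():
        names = [n for n, p in patterns.items() if contains_chain(actions, p)]
        if names:
            hits[pid] = names
    return hits

if __name__ == "__main__":
    # pid 303 is not reported: its chain never changes page execution rights.
    print(match_processes(EVENTS, PATTERNS))
```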

You can choose one of the following types of scanning:

  • Smart on-access detection means that the program runs in the background and actively and constantly scans your machine for viruses and other malicious threats for as long as your system is powered on. Malware is detected both when a file is executed and during other operations with the file, such as opening it for reading or editing.
  • On execution detection means that only executable files will be scanned at the moment they are run to ensure they are clean and will not cause any damage to your machine or data. Copying of an infected file will remain unnoticed.

You can view the results of real-time protection checks in the Activity tab of the Protection dashboard.

Web filtering

Malware is often distributed by malicious or infected sites and uses the so-called "drive-by download" method of infection.

Web filtering helps to protect you from potentially harmful websites and untrusted web resources by blocking access when you try to open them. To determine which websites are potentially harmful, Web filtering uses the Protection updates database. The Web filtering database also includes information about websites that contain scam and phishing URLs. You can modify the rules defined in the database by configuring exceptions to the Web filtering list.

Web filtering has two modes of operation:

  • Complete block—the access to the website will be completely blocked.
  • Notify only—a notification will be displayed, but users will be able to access the website.
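
How the database, the exceptions, and the two modes combine into one decision, as an added illustration that is not Acronis code. The function names, the mode strings, the per-host "trusted"/"blocked" exception model, and matching on parent domains are assumptions; the host lists are constructed.

```python
from urllib.parse import urlsplit

def host_and_parents(url):
    """'https://a.b.example/x' -> ['a.b.example', 'b.example', 'example']."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        raise ValueError("URL has no host: %r" % url)
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def decide(url, database, exceptions, mode):
    """Return 'allow', 'block' or 'notify' for one request."""
    if mode not in ("complete_block", "notify_only"):
        raise ValueError("unknown mode: %r" % mode)
    candidates = host_and_parents(url)
    # Exceptions override the database; the most specific host wins.
    for host in candidates:
        if host in exceptions:
            harmful = exceptions[host] == "blocked"
            break
    else:
        harmful = any(host in database for host in candidates)
    if not harmful:
        return "allow"
    return "block" if mode == "complete_block" else "notify"

# Constructed sample data.
DATABASE = {"malware.example", "phish.example"}
EXCEPTIONS = {"cdn.malware.example": "trusted", "ads.example": "blocked"}

if __name__ == "__main__":
    for u in ("https://dl.malware.example/a", "https://cdn.malware.example/a",
              "https://ads.example/", "https://docs.example/"):
        print(u, decide(u, DATABASE, EXCEPTIONS, "complete_block"))
```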