Active Protection

Important  Some of the features described in this section were introduced in version 12.5, which affects only on-premise deployments. These features are not yet available in cloud deployments. For more information, refer to "What's new in Acronis Backup".

Active Protection protects a system from ransomware and cryptocurrency mining malware. Ransomware encrypts files and demands a ransom for the encryption key. Cryptomining malware performs mathematical calculations in the background, thus stealing the processing power and network traffic.

Active Protection is available for machines running Windows 7 and later, Windows Server 2008 R2 and later. Agent for Windows must be installed on the machine.

How it works

Active Protection monitors processes running on the protected machine. When a third-party process tries to encrypt files or mine cryptocurrency, Active Protection generates an alert and performs additional actions, if those are specified by the configuration.

In addition, Active Protection prevents unauthorized changes to the backup software's own processes, registry records, executable and configuration files, and backups located in local folders.

To identify malicious processes, Active Protection uses behavioral heuristics. Active Protection compares the chain of actions performed by a process with the chains of events recorded in the database of malicious behavior patterns. This approach enables Active Protection to detect new malware by its typical behavior.

Active Protection settings

To minimize resources consumed by the heuristic analysis, and to eliminate so-called false positives, when a trusted program is considered as ransomware, you can define the following settings:

• Trusted processes that are never considered ransomware. Processes signed by Microsoft are always trusted.
• Harmful processes that are always considered ransomware. These processes will not be able to start as long as Active Protection is enabled on the machine.
• Folders where file changes will not be monitored.

Specify the full path to the process executable, starting with the drive letter. For example: C:\Windows\Temp\er76s7sdkh.exe.

For specifying folders, you can use the wildcard characters * and ?. The asterisk (*) substitutes for zero or more characters. The question mark (?) substitutes for exactly one character. Environment variables, such as %AppData%, cannot be used.

Active Protection plan

All settings of Active Protection are contained in the Active Protection plan. This plan can be applied to multiple machines.

There can be only one Active Protection plan in an organization. If the organization has units, unit administrators are not allowed to apply, edit, or revoke the plan.

Applying the Active Protection plan

1. Select the machines for which you want to enable Active Protection.
2. Click Active Protection.
3. [Optional] Click Edit to modify the following settings:
   • In Action on detection, select the action that the software will perform when detecting a ransomware activity, and then click Done. You can select one of the following:
     • Notify only (default)

       The software will generate an alert about the process.

     • Stop the process

       The software will generate an alert and stop the process.

     • Revert using cache

       The software will generate an alert, stop the process, and revert the file changes by using the service cache.

   • In Harmful processes, specify harmful processes that will always be considered ransomware, and then click Done.
   • In Trusted processes, specify trusted processes that will never be considered ransomware, and then click Done. Processes signed by Microsoft are always trusted.
   • In Folder exclusions, specify a list of folders where file changes will not be monitored, and then click Done.
   • Disable the Self-protection switch.

     Self-protection prevents unauthorized changes to the software's own processes, registry records, executable and configuration files, and backups located in local folders. We do not recommend disabling this feature.

   • Change Protection options.
4. If you modified the settings, click Save changes. The changes will be applied to all machines where Active Protection is enabled.
5. Click Apply.