Antivirus & Antimalware protection settings

To learn how to create a protection plan with the Antivirus & Antimalware protection module, refer to "Creating a protection plan".

The following settings can be specified for the Antivirus & Antimalware protection module.

Active Protection

Active Protection protects a system from ransomware and cryptocurrency mining malware. Ransomware encrypts files and demands a ransom for the encryption key. Cryptomining malware performs mathematical calculations in the background, thus stealing the processing power and network traffic.

Active Protection is available for machines running Windows 7 and later, Windows Server 2008 R2 and later. Agent for Windows must be installed on the machine.

Active Protection is available for agents starting with version 12.0.4290. To update an agent, follow the instructions in "Updating agents".

How it works

Active Protection monitors processes running on the protected machine. When a third-party process tries to encrypt files or mine cryptocurrency, Active Protection generates an alert and performs additional actions, if those are specified by the configuration.

In addition, Active Protection prevents unauthorized changes to the backup software's own processes, registry records, executable and configuration files, and backups located in local folders.

To identify malicious processes, Active Protection uses behavioral heuristics. Active Protection compares the chain of actions performed by a process with the chains of events recorded in the database of malicious behavior patterns. This approach enables Active Protection to detect new malware by its typical behavior.

Default setting: Enabled.

Active Protection settings

In Action on detection, select the action that the software will perform when detecting a ransomware activity, and then click Done.

You can select one of the following:

• Notify only

  The software will generate an alert about the process.

• Stop the process

  The software will generate an alert and stop the process.

• Revert using cache

  The software will generate an alert, stop the process, and revert the file changes by using the service cache.

Default setting: Revert using cache.

Behavior engine

Behavior engine protects a system from malware.

Default setting: Enabled.

Behavior engine settings

In Action on detection, select the action that the software will perform when detecting a malware activity, and then click Done.

You can select one of the following:

• Notify only

  The software will generate an alert about the process suspected of malware activity.

• Stop the process

  The software will generate an alert and stop the process suspected of malware activity.

• Quarantine

  The software will generate an alert, stop the process, and move the executable file to the quarantine folder.

Default setting: Quarantine.

Self-protection

Self-protection prevents unauthorized changes to the software's own processes, registry records, executable and configuration files, and backups located in local folders. We do not recommend disabling this feature.

Default setting: Enabled.

Allowing processes to modify backups

The Allow specific processes to modify backups option is effective when Self-protection is enabled.

It applies to files that have extensions .tibx, .tib, .tia, and are located in local folders.

This option lets you specify the processes that are allowed to modify the backup files, even though these files are protected by self-protection. This is useful, for example, if you remove backup files or move them to a different location by using a script.

If this option is disabled, the backup files can be modified only by processes signed by the backup software vendor. This allows the software to apply retention rules and to remove backups when a user requests this from the web interface. Other processes, no matter suspicious or not, cannot modify the backups.

If this option is enabled, you can allow other processes to modify the backups. Specify the full path to the process executable, starting with the drive letter.

Default setting: Disabled.

Network folder protection

The Protect network folders mapped as local drives option defines whether Antivirus & Antimalware protection protects network folders that are mapped as local drives from the local malicious processes.

This option applies to folders shared via SMB or NFS.

If a file was originally located on a mapped drive, it cannot be saved to the original location when extracted from the cache by the Revert using cache action. Instead, it will be saved to the folder specified in this option's settings. The default folder is C:\ProgramData\Acronis\Restored Network Files. If this folder does not exist, it will be created. If you want to change this path, be sure to specify a local folder. Network folders, including folders on mapped drives, are not supported.

Default setting: Enabled.

Server-side protection

This option defines whether Antivirus & Antimalware protection protects network folders that are shared by you from the external incoming connections from other servers in the network that may potentially bring threats.

Default setting: Disabled.

Setting trusted and blocked connections

On the Trusted tab, you can specify the connections that are allowed to modify any data. You should define the user name and IP address.

On the Blocked tab, you can specify the connections that will not be able to modify any data. You should define the user name and IP address.

Cryptomining process detection

This option defines whether Antivirus & Antimalware protection detects potential cryptomining malware.

Cryptomining malware degrades performance of useful applications, increases electricity bills, may cause system crashes and even hardware damage due to abuse. We recommend that you add cryptomining malware to the Harmful processes list to prevent it from running.

Default setting: Enabled.

Cryptomining process detection settings

In Action on detection, select the action that the software will perform when a cryptomining activity is detected, and then click Done.

You can select one of the following:

• Notify only

  The software generates an alert about the process suspected of cryptomining activities

• Stop the process

  The software generates an alert and stops the process suspected of cryptomining activities

Default setting: Stop the process.

Real-time protection

Real-time protection constantly checks your machine system for viruses and other malicious threats for the entire time that you system is powered on unless paused by the computer user.

Default setting: Enabled.

Configuring the action on detection for real-time protection

In Action on detection, select the action that the software will perform when a virus or other malicious threat is detected, and then click Done.

You can select one of the following:

• Block and notify

  The software blocks the process and generates an alert about the process suspected of malware activities

• Quarantine

  The software generates an alert, stops the process, and moves the executable file to the quarantine folder

Default setting: Quarantine.

Configuring the scan mode for real-time protection

In Scan mode, select the action that the software will perform when a virus or other malicious threat is detected, and then click Done.

You can select one of the following:

• Smart on-access – monitors all system activities and automatically scans files when they are accessed for reading or writing, or whenever a program is launched.
• On-execution – automatically scans only executable files when they are launched to ensure that they are clean and will not cause any damage to your computer or data.

Default setting: Smart on-access.

Schedule scan

You can define schedule according to which your machine system will be checked for malware. Enable the Schedule scan option.

Default setting: Enabled.

Action on detection:

• Quarantine

  The software generates an alert, stops the process, and move the executable file to the quarantine folder

• Notify only

  The software generates an alert about the process suspected of malware activities

Default setting: Quarantine.

Scan mode:

• Full

  It takes much longer time to finish in comparison to the quick scan because every file will be checked

• Quick

  Quick scan only scans the common areas where malware normally resides on the machine

Default setting: Quick.

Schedule the task run using the following events:

• Schedule by time – run a task according to the specified time.
• When user logs in to the system – by default, login of any user will initiate a task run. You can change any user to a specific user account.
• When user logs off the system – by default, logout of any user will initiate a task run. You can change any user to a specific user account.

  Note  The task will not run at a system shutdown because shutting down is not the same as logging out.

• On the system startup – run a task when the operating system starts.
• On the system shutdown – run a task when the operating system shuts down.

Default setting: Schedule by time.

Schedule type:

• Monthly – select in what months on what days to perform the task run.
• Daily – select on which days of a week to run a task.
• Hourly – select on which days of a week and how often to run a task in an hour.

Default setting: Daily.

Start at – you can select at what time to perform the task run.

Default setting: 2PM (on the machine where the software is installed).

Run within a date range – set a date range for when the schedule is effective.

Start conditions define all the conditions that should be simultaneously met to start the task. They are similar to the start conditions for the Backup module which are described in "Start conditions".

The following additional start conditions can be defined:

• If the machine is turned off, run missed tasks at the machine startup
• Prevent the sleep or hibernate mode during task running – this option is effective only for machines running Windows.
• If start conditions are not met, run the task anyway after – specify the period in hours after which the task will be launched anyway.

Scan archive files

Default setting: Enabled.

• Max recursion depth

  How many levels of embedded archives can be scanned. For example, MIME document > ZIP archive > Office archive > document content.

  Default setting: 16.

• Max size

  Maximum size of an archive file to be scanned.

  Default setting: Unlimited.

Scan removable drives

Default setting: Disabled.

• Mapped (remote) network drives
• USB storage devices (such as flash pens and external hard-drives)
• CDs/DVDs

Scan only new and modified files – only newly created and modified files will be scanned.

Default setting: Enabled.

Quarantine

Quarantine is a folder for keeping suspicious (probably infected) or potentially dangerous files in the isolated place.

Remove quarantined files after – defines the period in days after which the quarantined files will be removed.

Default setting: 30 days.

Exclusions

You can configure exceptions to the protection rules that you set.

On the Trusted tab, you can specify:

• Processes that will never be considered as malware
• Folders where file changes will not be monitored
• Files and folders where scheduled scanning will not be executed

On the Blocked tab, you can specify:

• Processes that will always be blocked
• Folders where any processes will be blocked

Default setting: no exclusions are defined by default.