69641: Acronis Cyber Protect: How to set up exclusion settings if processes have no exact path


Last update: 20-01-2023

Symptoms

  • The user receives a false positive alert about a suspicious process from Active Protection.
  • You want to exclude the process from Active Protection (add it to Trusted processes), but there is no exact path to use for the exclusion: e.g. the process has a new name or a new location on each run. Excluding the whole folder where the process is located does not help.

Cause

Acronis Active Protection is a zero-day technology based on behavioral heuristics. Active Protection constantly observes patterns in how data files are being changed on a system. One set of behaviors may be typical and expected; another set may signal a suspect process taking hostile action against files. The Acronis approach looks at these actions and compares them against malicious behavior patterns. This approach can be exceptionally powerful in identifying ransomware attacks, even from ransomware variants that are as yet unreported.

Due to the way Active Protection is implemented, the exact path to the executable is required in order to exclude a specific process from monitoring. If there is a specific path to the executable, specify it in Exclusions. It is not possible to exclude all processes in a specific folder.

Solution

There are two possible workarounds in this case:

  1. Note that Active Protection always monitors processes that do not have a valid signature. If possible, update the software or contact the vendor to add a valid signature to the process files.
  2. Instead of adding the process to the Trusted list, exclude the folder where the process performs its valid changes: e.g. folders with databases that are being updated by the affected "suspicious" processes.

More information

Please be aware that it is not possible to exclude a file or executable located on a network share from Active Protection monitoring. Adding to exclusions is supported only for local NTFS volumes.
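The following PowerShell script is an added diagnostic example; it is not part of this Acronis article and does not use any Acronis API. Before choosing between the two workarounds above, it helps to know two things about the flagged process: whether its executable carries a valid Authenticode signature (workaround 1) and whether it runs from a local NTFS volume rather than a network share (the exclusion requirement in the paragraph above). The script resolves the executable path of every running instance of a process name you supply (the `$ProcessName` parameter is the only assumed input), reports the signature status via the built-in `Get-AuthenticodeSignature` cmdlet, and classifies the path with `System.IO.DriveInfo`. Run it several times while the process is active to see whether the path changes between runs, which is the situation the article describes.

```powershell
# Added example (not from the Acronis KB article).
# Usage: .\Check-ProcessExclusion.ps1 -ProcessName myapp   (name without .exe; assumed input)
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName
)

function Test-LocalNtfsPath {
    param([string]$Path)
    # UNC paths point to network shares, which cannot be excluded from Active Protection.
    if ($Path -like '\\*') { return $false }
    $root  = [System.IO.Path]::GetPathRoot($Path)
    $drive = New-Object System.IO.DriveInfo($root)
    # Only fixed local volumes formatted as NTFS are eligible for exclusions.
    return ($drive.DriveType -eq 'Fixed' -and $drive.DriveFormat -eq 'NTFS')
}

Get-Process -Name $ProcessName -ErrorAction Stop |
    # Path can be empty for processes we lack rights to inspect; skip those.
    Where-Object { $_.Path } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Pid       = $_.Id
            Path      = $_.Path                 # the exact path an exclusion would need
            Signature = $sig.Status             # 'Valid' means workaround 1 does not apply
            Signer    = $sig.SignerCertificate.Subject
            LocalNtfs = Test-LocalNtfsPath $_.Path   # $false: exclusion not supported
        }
    } | Format-Table -AutoSize
```

If `Signature` is anything other than `Valid`, the process will always be monitored regardless of exclusions, so the vendor-signing route is the one to pursue; if `LocalNtfs` is `$false`, no path-based exclusion is possible and excluding the data folder the process writes to (workaround 2) is the remaining option.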
