Acronis Active Protection

Acronis True Image 2018: collecting file_protector debug logs in Windows

This article explains how to enable and gather kernel-mode logs of the file_protector.sys driver, also called file protector's debug logs. Usually they are only needed to troubleshoot a problem with the Active Protection feature of Acronis True Image 2018, when the usual logs do not allow to determine the root cause of the problem and to resolve it.

To get more detailed logs of the file_protector driver, please follow the steps below. To stop writing debug mode logs, simply reboot or shut down the computer.

Acronis True Image 2018: Active Protection logs in Windows

Introduction

This article explains where to find logs of Active Protection service and driver in Windows.

Description

Acronis Active Protection service's logs

Acronis Active Protection service executable anti_ransomware_service.exe has the following location:

Windows 64-bit: "C:\Program Files (x86)\Common Files\Acronis\ActiveProtection\anti_ransomware_service.exe"

Windows 32-bit: "C:\Program Files\Common Files\Acronis\ActiveProtection\anti_ransomware_service.exe"

Acronis True Image 2018: Active Protection toggle turns off automatically if an empty card reader is connected

This article describes a known issue with Acronis Active Protection when all four conditions, listed below, are met:

1) An external or built-in card reader for memory cards (SD, MMC, SM, XD, MS, MS-Pro and others) is connected and enabled.

OR

any other kind of removable storage device without a mounted file system is connected, e.g. a removable storage device that appears after certain printer software is installed.

2) Acronis Active Protection service is shown as "Running" in the services list (open Windows Start menu, type services.msc and press Enter to access the list). If the service's status is "Stopped", the present KB article does not apply - please follow troubleshooting instructions from that article instead.

3) "Active Protection is off" status is displayed under "Active Protection" tab.

4) When you try to turn on Active Protection by clicking on the toggle switch, it changes to a three dots ("in progress"-like picture), and then returns back to the OFF position. The status message remains "Active Protection is off".

Acronis True Image 2018: how to enable Active Protection in Windows

Introduction

This article explains how to enable Active Protection if the tray icon is grayed out and the message says "Acronis Active Protection is turned off" when moving the mouse cursor over it:

Solution

Active Protection can be enabled either from the tray icon menu or from Acronis True Image main program's interface.

Acronis True Image: "Acronis Active Protection is inactive" and "Service is unavailable" messages

Symptom

"Service is unavailable" message is shown in the right bottom part of the screen when Acronis tray monitor is unable to connect to Acronis Active Protection background service.

The message "Acronis Active Protection is inactive" is displayed when placing the mouse cursor over the grayed out tray icon:

Acronis Software: Acronis Active Protection creates files with .ENCRYPTED extension

Symptoms

Folder C:\Acronis Active Protection Storage contains files with .ENCRYPTED extension. Files may be related to custom or hand-written programs on the computer.

Cause

When programs modify files on the computer, Acronis Active Protection may have a false positive and detect that program as ransomware, especially if some files or databases are modified quickly. 

Acronis Active Protection: Frequently Asked Questions

Meeting Acronis Active Protection

Q: What is Acronis Active Protection?

A: Acronis Active Protection is an anti-ransomware technology developed by Acronis to bring peace of mind to its users, in addition to its world's leading backup, data protection and disaster recovery technologies.

Q: What is ransomware?

Acronis True Image 2021: Advanced Antimalware Protection FAQ

Acronis True Image 2021 combines reliable backups with advanced security features - integrated anti-ransomware, cryptomining protection and antivirus - to protect you against today's threats.

This article contains frequently asked questions about new Advanced Antimalware Protection features of Acronis True Image 2021.

Acronis True Image: cannot enable Active Protection on Windows 7

Symptoms

You are using Acronis True Image 2020 or later on Windows 7.

It is not possible to activate Acronis Active Protection: the option is grayed out. No error message appears.

This article applies only to Windows 7. If you face this issue on a different operating system, the issue is not covered in this article and requires investigation.

Cause

Windows update KB2533623 is required for Active Protection on Windows 7.

Acronis True Image: troubleshooting issues with Acronis Active Protection

This article instructs how to approach common issues with Active Protection in Acronis True Image 2018:

  • "Acronis Active Protection service is turned off" notification
  • "Service is unavailable" and "Acronis Active Protection service is inactive" messages
  • Toggle switch does not work when trying to enable Active Protection. "Active Protection is off" status
  • Legitimate applications are blocked
  • Computer becomes completely unresponsive
  • Operating system crashes (also known as BSOD, fatal system error, bug check)
  • Operating system becomes unbootable
Acronis True Image 2018, 2019 and 2020: Active Protection blocks legitimate applications

Active Protection blocks legitimate applications

Acronis True Image: Acronis Active Protection service stops due to an issue with configuration files

Symptoms

Acronis Active Protection stops on its own.

"Application error" event about anti_ransomware_service.exe is recorded in Windows Application event log (open Windows Start menu, type eventvwr.msc, press Enter, navigate to Windows Logs - Application).

Cause

Known issue with the software. The application crash occurs when the software is unable to parse configuration files.

Acronis Cyber Backup 12.5: Self-protection detects Acronis processes as suspicious in Build 16180

Symptoms

After Update 5 (build 16180) installation, self-protection detects Acronis processes – mms.exe, managementserver.exe, service_process.exe – as suspicious:

Self-protection detected suspicious process 'C:\Program Files\Acronis\...'

Cause

Issue in the product.

Solution

This issue has been fixed in Build 16318, please update to the latest build.

Acronis Active Protection: FAQ on missed ransomware attacks

Answers to frequent questions

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Question: why a ransomware attack was not stopped by Acronis Active Protection? What happened?

Answer: there are many possible reasons, an investigation is required to determine the cause.

Acronis Cyber Protect Cloud: services installed with dynamic installation of Antimalware components

Starting with C21.05 (agent version 15.0.26986), Acronis Cyber Protect Cloud allows dynamic installation and uninstallation of Antimalware components (please see this page for more information).

Dynamic installation of antimalware components translates into the following services being installed/uninstalled :

Acronis Cyber Protect: Dentrix software is flagged as suspicious by Active Protection

Symptoms

  1. Machine is running Dentrix software,
  2. You receive false-positive alerts from Acronis Active Protection:

    Suspicious activity is detected
    On machine 'machine name', injection process within program '...\DENTRIX\...' modified file. The process has been stopped, and the file changes have been reverted.

Cause

The behavior is by design. 

Dentrix software is being monitored by Active Protection because it does not have a valid signature.

Acronis Cyber Protect Cloud: security products conflict alerts

Introduction

This article describes various alerts that appear in cases when Acronis Antivirus & Real-time protection conflicts with a third-party antivirus or Windows Defender.

Alert 1 – Windows defender is blocked by a third-party antivirus software: Windows defender is blocked because Acronis cyber protect is installed on machine

In this case, both Windows defender and Acronis real-time protection are enabled. It is not possible to run two antiviruses in one machine as they will conflict with each other. 

Acronis Cyber Protect Home Office, Acronis True Image: how to disable Active Protection in Windows

Introduction

Acronis Cyber Protect Cloud: Troubleshooting "Cyber Protection (or Active Protection) service is not responding" and "Active Protection service is not running" alerts

Symptoms

You receive the following alert:

Cyber Protection (or Active Protection) service is not responding

OR

Active Protection service is not running

Cause

Alert is raised when Acronis Active Protection service or Acronis Cyber Protection service has been enabled for this machine, but is not started or does not respond.

Acronis Cyber Protect: How to set up exclusion settings if processes have no exact path

Symptoms

  • User receives a false positive alert about a suspicious process from Active Protection,
  • You want to exclude the process from Active Protection (add it to Trusted processes), but there is no exact path for exclusion: e.g. the process has a new name or a new location by each run. Exclusion of the whole folder where the process is located does not help.

Cause

Acronis Cyber Protect Cloud : Acronis Active Protection and Acronis Cyber Protection service fail to start due to Error 577

Symptoms

Acronis Active Protection service and Acronis Cyber Protection service (CPS) fail to start due to the Error 577.

Solution

Please install the recent Windows security update.