Acronis Active Protection

This article explains how to enable and gather kernel-mode logs of the file_protector.sys driver, also called file protector's debug logs. Usually they are only needed to troubleshoot a problem with the Active Protection feature of Acronis True Image 2018, when the usual logs do not allow to determine the root cause of the problem and to resolve it.

To get more detailed logs of the file_protector driver, please follow the steps below. To stop writing debug mode logs, simply reboot or shut down the computer.

Introduction

This article explains where to find logs of Active Protection service and driver in Windows.

Description

Acronis Active Protection service's logs

Acronis Active Protection service executable anti_ransomware_service.exe has the following location:

Windows 64-bit: "C:\Program Files (x86)\Common Files\Acronis\ActiveProtection\anti_ransomware_service.exe"

Windows 32-bit: "C:\Program Files\Common Files\Acronis\ActiveProtection\anti_ransomware_service.exe"

This article describes a known issue with Acronis Active Protection when all four conditions, listed below, are met:

1) An external or built-in card reader for memory cards (SD, MMC, SM, XD, MS, MS-Pro and others) is connected and enabled.

OR

any other kind of removable storage device without a mounted file system is connected, e.g. a removable storage device that appears after certain printer software is installed.

2) Acronis Active Protection service is shown as "Running" in the services list (open Windows Start menu, type services.msc and press Enter to access the list). If the service's status is "Stopped", the present KB article does not apply - please follow troubleshooting instructions from that article instead.

3) "Active Protection is off" status is displayed under "Active Protection" tab.

4) When you try to turn on Active Protection by clicking on the toggle switch, it changes to a three dots ("in progress"-like picture), and then returns back to the OFF position. The status message remains "Active Protection is off".

Introduction

This article explains how to enable Active Protection if the tray icon is grayed out and the message says "Acronis Active Protection is turned off" when moving the mouse cursor over it:

Solution

Active Protection can be enabled either from the tray icon menu or from Acronis True Image main program's interface.

Symptom

"Service is unavailable" message is shown in the right bottom part of the screen when Acronis tray monitor is unable to connect to Acronis Active Protection background service.

The message "Acronis Active Protection is inactive" is displayed when placing the mouse cursor over the grayed out tray icon:

This article instructs how to approach common issues with Active Protection in Acronis True Image 2018:

  • "Acronis Active Protection service is turned off" notification
  • "Service is unavailable" and "Acronis Active Protection service is inactive" messages
  • Toggle switch does not work when trying to enable Active Protection. "Active Protection is off" status
  • Legitimate applications are blocked
  • Computer becomes completely unresponsive
  • Operating system crashes (also known as BSOD, fatal system error, bug check)
  • Operating system becomes unbootable

Meeting Acronis Active Protection

Q: What is Acronis Active Protection?

A: Acronis Active Protection is an anti-ransomware technology developed by Acronis to bring peace of mind to its users, in addition to its world's leading backup, data protection and disaster recovery technologies.

Q: What is ransomware?

Symptoms

Acronis Active Protection stops on its own.

"Application error" event about anti_ransomware_service.exe is recorded in Windows Application event log (open Windows Start menu, type eventvwr.msc, press Enter, navigate to Windows Logs - Application).

Cause

Known issue with the software. The application crash occurs when the software is unable to parse configuration files.

Symptoms

You installed Acronis Cyber Protect Agent on a Linux or Mac system

 The following alert is shown for the machine with the agent for Linux or Mac:

Cyber Protection (or Active Protection) service is not responding

Active Protection Service is not responding. Please restart the machine or contact your administrator/

Cause

Issue in the product. It will be fixed in the nearest product updates.

Answers to frequent questions

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Question: why a ransomware attack was not stopped by Acronis Active Protection? What happened?

Answer: there are many possible reasons, an investigation is required to determine the cause.

Symptoms

Folder C:\Acronis Active Protection Storage contains files with .ENCRYPTED extension. Files may be related to custom or hand-written programs on the computer.

Cause

When programs modify files on the computer, Acronis Active Protection may have a false positive and detect that program as ransomware, especially if some files or databases are modified quickly.