Acronis Active Protection

This article explains how to enable and gather kernel-mode logs of the file_protector.sys driver, also called file protector's debug logs. Usually they are only needed to troubleshoot a problem with the Active Protection feature of Acronis True Image 2018, when the usual logs are not enough to determine the root cause of the problem and resolve it.

To get more detailed logs of the file_protector driver, please follow the steps below. To stop writing debug mode logs, simply reboot or shut down the computer.

Introduction

This article explains where to find logs of Active Protection service and driver in Windows.

Description

Acronis Active Protection service's logs

Acronis Active Protection service executable anti_ransomware_service.exe has the following location:

Windows 64-bit: "C:\Program Files (x86)\Common Files\Acronis\ActiveProtection\anti_ransomware_service.exe"

Windows 32-bit: "C:\Program Files\Common Files\Acronis\ActiveProtection\anti_ransomware_service.exe"

This article describes a known issue with Acronis Active Protection when all four conditions, listed below, are met:

1) An external or built-in card reader for memory cards (SD, MMC, SM, XD, MS, MS-Pro and others) is connected and enabled.

OR

any other kind of removable storage device without a mounted file system is connected, e.g. a removable storage device that appears after certain printer software is installed.

2) Acronis Active Protection service is shown as "Running" in the services list (open Windows Start menu, type services.msc and press Enter to access the list). If the service's status is "Stopped", the present KB article does not apply - please follow troubleshooting instructions from that article instead.

3) "Active Protection is off" status is displayed under "Active Protection" tab.

4) When you try to turn on Active Protection by clicking on the toggle switch, it changes to three dots (an "in progress"-like picture), and then returns to the OFF position. The status message remains "Active Protection is off".

Introduction

This article explains how to enable Active Protection if the tray icon is grayed out and the message says "Acronis Active Protection is turned off" when moving the mouse cursor over it:

Solution

Active Protection can be enabled either from the tray icon menu or from Acronis True Image main program's interface.

Symptom

The "Service is unavailable" message is shown in the bottom right part of the screen when the Acronis tray monitor is unable to connect to the Acronis Active Protection background service.

The message "Acronis Active Protection is inactive" is displayed when placing the mouse cursor over the grayed out tray icon:

Symptoms

Folder C:\Acronis Active Protection Storage contains files with .ENCRYPTED extension. Files may be related to custom or hand-written programs on the computer.

Cause

When programs modify files on the computer, Acronis Active Protection may produce a false positive and detect the program as ransomware, especially if some files or databases are modified quickly.

Meeting Acronis Active Protection

Q: What is Acronis Active Protection?

A: Acronis Active Protection is an anti-ransomware technology developed by Acronis to bring peace of mind to its users, in addition to its world-leading backup, data protection and disaster recovery technologies.

Q: What is ransomware?

Acronis True Image 2021 combines reliable backups with advanced security features - integrated anti-ransomware, cryptomining protection and antivirus - to protect you against today's threats.

This article contains frequently asked questions about new Advanced Antimalware Protection features of Acronis True Image 2021.

Symptoms

You are using Acronis True Image 2020 or later on Windows 7.

It is not possible to activate Acronis Active Protection: the option is grayed out. No error message appears.

This article applies only to Windows 7. If you face this issue on a different operating system, the issue is not covered in this article and requires investigation.

Cause

Windows update KB2533623 is required for Active Protection on Windows 7.

This article explains how to approach common issues with Active Protection in Acronis True Image 2018:

  • "Acronis Active Protection service is turned off" notification
  • "Service is unavailable" and "Acronis Active Protection service is inactive" messages
  • Toggle switch does not work when trying to enable Active Protection. "Active Protection is off" status
  • Legitimate applications are blocked
  • Computer becomes completely unresponsive
  • Operating system crashes (also known as BSOD, fatal system error, bug check)
  • Operating system becomes unbootable

Symptoms

Acronis Active Protection stops on its own.

"Application error" event about anti_ransomware_service.exe is recorded in Windows Application event log (open Windows Start menu, type eventvwr.msc, press Enter, navigate to Windows Logs - Application).

Cause

Known issue with the software. The application crash occurs when the software is unable to parse configuration files.

Symptoms

After Update 5 (build 16180) installation, self-protection detects Acronis processes – mms.exe, managementserver.exe, service_process.exe – as suspicious:

Self-protection detected suspicious process 'C:\Program Files\Acronis\...'

Cause

Issue in the product.

Solution

This issue has been fixed in Build 16318, please update to the latest build.

Answers to frequent questions

Question: why was a ransomware attack not stopped by Acronis Active Protection? What happened?

Answer: there are many possible reasons; an investigation is required to determine the cause.

Starting with C21.05 (agent version 15.0.26986), Acronis Cyber Protect Cloud allows dynamic installation and uninstallation of Antimalware components (please see this page for more information).

Dynamic installation of antimalware components translates into the following services being installed/uninstalled:

Introduction

This article describes various alerts that appear in cases when Acronis Antivirus & Real-time protection conflicts with a third-party antivirus or Windows Defender.

Alert 1 – Windows defender is blocked by a third-party antivirus software: Windows defender is blocked because Acronis cyber protect is installed on machine

In this case, both Windows Defender and Acronis real-time protection are enabled. It is not possible to run two antiviruses on one machine, as they will conflict with each other.

Symptoms

  1. Machine is running Dentrix software,
  2. You receive false-positive alerts from Acronis Active Protection:

    Suspicious activity is detected
    On machine 'machine name', injection process within program '...\DENTRIX\...' modified file. The process has been stopped, and the file changes have been reverted.

Cause

The behavior is by design. 

Dentrix software is being monitored by Active Protection because it does not have a valid signature.

Symptoms

  • User receives a false positive alert about a suspicious process from Active Protection,
  • You want to exclude the process from Active Protection (add it to Trusted processes), but there is no exact path for exclusion: e.g. the process has a new name or a new location on each run. Excluding the whole folder where the process is located does not help.

Cause

Symptoms

You receive the following alert:

Cyber Protection (or Active Protection) service is not responding

Cause

Alert is raised when Acronis Active Protection service or Acronis Cyber Protection service has been enabled for this machine, but is not started or does not respond.