
ATI 2018 slows down programs. Active Protection Service does that !


Hi.

 

Running on W10-x64 v 1703

Yesterday I installed ATI 2018.

What I notice is that a lot of programs I use, get very slow.

It mostly is at startup programs, opening other parts of the program, opening database etc.

When it has opened or started up, then it functions quite normally.

When I uninstall ATI 2018 all is good.

 

Update: when I stop the service from Active Protection Service it is good also.

 

Anyone?

 

Regards,

 

Kees


Kees, I haven't experienced any significant performance impact from having Acronis Active Protection (AAP) active / running personally but it is a little like Marmite among users - some love it and others hate it!

It may be that you already have other comprehensive malware / ransomware protection security software installed and active on your system, and adding AAP is then conflicting or competing for resources etc.

Acronis have made a conscious decision with ATI 2018 to integrate AAP in all available product versions, so if you do not want to use this feature, then you should "Turn off AAP" via the icon in the main System Tray and also set the AAP Service to be Disabled in the Services.MSC control panel.

Kees...I am sure that hardware also makes a difference.  An old computer with slow spinning HDDs would be impacted more than a new, top of the line computer, running SSDs.

Personally, I consider malware and in particular ransomware, to be the primary threat.  In the event of a ransomware attack, those who hate Marmite will be glad they ate it.  Just yesterday, I deleted an e-mail that I am sure was ransomware.  I think I will undelete the e-mail and post a screen capture.

I am running a top of the line Asus gaming laptop with 2 SSDs.  I can't tell if AAP is running or not.  

FtrPilot

I too do not notice any impact, even on a rather ancient i7 3770K system (with Samsung EVO SSD for OS).

However, during beta testing of Active Protection I found many apps ground to a halt. Even with the current build some CPU intensive apps will slow when Active Protection is enabled. These are mainly video editing programs, and by adding them to the white list the problem is avoided. With each build of ATI Active Protection seems to be coping better with CPU intensive apps that pose little risk of malware attack.

Update: Just checked my list of exclusions and I no longer have video editing apps in the list of exceptions (I did a clean install with cleanup some months back).

Ian

Kees,

Same here. I run a Photoshop action that converts RAW files into high-res JPGs. Before Acronis Protection Services, I can do 129 NEF to JPG conversions in 4min 30sec. With Acronis Protection Services turned on, it takes over 13min to do the same job. That's a 400% slow down.

WTF!

I'm glad I singled it out to this one particular service. The question now is do I uninstall Acronis or just turn this service off when I'm doing Photoshop.

I'm glad it is not a problem with my other software or my computer rig.

 

Cheers,

Joel

Joel, welcome to these User Forums.

Please see KB 60190: Acronis True Image 2018: how to disable Active Protection in Windows  and also KB 60193: Acronis True Image 2018: Active Protection blocks legitimate applications

These documents should help you to first try whitelisting your Photoshop application to see if that will give you back the performance you expect with AAP still enabled, otherwise, you can follow the steps shown in the other document to disable AAP either temporarily or permanently.

Finally, I would recommend that both you and Kees submit a support case directly with Acronis if you cannot gain your performance after whitelisting applications without having to disable AAP.  I am sure the developers would want to investigate why this is the case for you.

With the update 2 it has not been solved.

It may be a bit less slow, but still slowing down very very much.

 

Technical support acknowledged the problem and is still busy.

Still working without the protection, which is OK, but a shame it is not working correctly after such time....

 

Kees, I can only advise patience in the face of frustration here if you have an open Support Case with Acronis for this issue.  Every user computer is different so it can take some time to identify all the components that contribute to this type of performance issue / conflict.

Users need to understand that Active Protection uses Pattern based threat detection.  What this means is that the app is designed to monitor known ransomware pattern activity on a computer.  One such pattern of ransomware is file modification.  Converting files is one such pattern.  Active Protection is doing its job to check such activity as a potential threat.

Ransomware, Virus, and other Malware are now being delivered as a Run in Memory package which means these threats no longer require the download or execution of a file to infect your machine.  In fact this new breed of malware can be designed to use Windows own Powershell to launch and run.  Active Protection being pattern based is the best defense against this new breed.  It is the only protection to date that can stop such activity and recover any modified files.

The best way to address issues with valid programs is to add such programs to the Active Protection Whitelist so as to exclude them from Active Protection monitoring.  Active Protection will do machine learning so that over time processes run on a machine become an expected behavior.  That in turn will lessen the impact Active Protection has on computer performance.

As for myself I enjoy having the protection provided by Active Protection.  It works and works well in the detection of known ransomware pattern detection.  I run other anti-virus and malware apps as well and I have no problem with them getting along with each other.  There of course will be issues for some users, other apps, etc. but the protection is well worth the bother in my opinion.

Enchantech e.o.

I understand the technique in that and what the purpose is of the AAP.

But I wonder why this option is in a backup app?  I think to make a difference with the concurring vendors?

I think that such a functionality belongs to Security things like antivirus and internet security packages (Kaspersky, Eset, etc).

And because that race for the customer can emerge to an immature product.

Maybe that's what we are dealing with and the consumers are the beta-testers.....

 

Regards,

 

Kees

 

P.S. I hope it's allowed to have critical opinion

 

AAP is a nice fit for backup.  By design True Image and AAP work together to protect user data.  This is done by True Image's ability to recover files changed or even deleted by ransomware.  AAP stops the process once detected and True Image can then recover the affected files.

I get your point here.  My point is that AAP adds value to True Image.

I noticed the same problem and opened a ticket. Chrome and Opera became very sluggish. Disabling the Active Protection service in Win 10 System Configuration fixed that problem. Didn't affect Firefox or MS Edge. They worked fine all along. 

Michael, welcome to these User Forums.

Please keep us informed on how your support case goes for this issue.  I use Chrome as my default browser and haven't seen any sluggish performance at all with AAP enabled and active, but would guess that there are a whole lot of potential differences in hardware & software involved here too.

Like Steve I use Chrome as my default browser and have not noticed any deterioration in responsiveness. Are you running a clean Chrome installation or do you have any add-ins? They may be the cause of the slow-down.

Before I figured out Acronis was the issue, I tried uninstalling, cleaning residual files and registry entries,  and reinstalling Chrome and before logging in (clean) , it was still very sluggish, so the plugins were not the issue. Also tried it in incognito mode and there it was also sluggish. 

So far no response at all to the ticket.

 

OS Name    Microsoft Windows 10 Home
Version    10.0.16299 Build 16299
Other OS Description     Not Available
OS Manufacturer    Microsoft Corporation
System Name    EDIT
System Manufacturer    Gigabyte Technology Co., Ltd.
System Model    P55M-UD2
System Type    x64-based PC
System SKU    
Processor    Intel(R) Core(TM) i7 CPU         860  @ 2.80GHz, 2926 Mhz, 4 Core(s), 8 Logical Processor(s)
BIOS Version/Date    Award Software International, Inc. F3, 7/31/2009
SMBIOS Version    2.4
Embedded Controller Version    255.255
BIOS Mode    Legacy
BaseBoard Manufacturer    Gigabyte Technology Co., Ltd.
BaseBoard Model    Not Available
BaseBoard Name    Base Board
Platform Role    Desktop
Secure Boot State    Unsupported
PCR7 Configuration    Binding Not Possible
Windows Directory    C:\WINDOWS
System Directory    C:\WINDOWS\system32
Boot Device    \Device\HarddiskVolume3
Locale    United States
Hardware Abstraction Layer    Version = "10.0.16299.15"
User Name    Edit\Mike
Time Zone    Pacific Standard Time
Installed Physical Memory (RAM)    8.00 GB
Total Physical Memory    8.00 GB
Available Physical Memory    4.04 GB
Total Virtual Memory    16.0 GB
Available Virtual Memory    11.0 GB
Page File Space    8.00 GB
Page File    C:\pagefile.sys
Device Encryption Support    Reasons for failed automatic device encryption: TPM is not usable, PCR7 binding is not supported, Hardware Security Test Interface failed and device is not InstantGo, Un-allowed DMA capable bus/device(s) detected, Disabled by policy, TPM is not usable
Hyper-V - VM Monitor Mode Extensions    Yes
Hyper-V - Second Level Address Translation Extensions    Yes
Hyper-V - Virtualization Enabled in Firmware    Yes
Hyper-V - Data Execution Protection    Yes
 

Looks to me like you are running low on memory resources by what you posted.  Have you considered trimming down some of the apps that run at startup to see if that helps?

At the time I took the System Config snapshot above I had several programs open.  The problem existed on a fresh reboot running a clean install of Chrome, prior to disabling the Active Protection service.

With the computer in the condition you see above Chrome runs fine because the APS is disabled.

Hi Michael,

It seems to me that reading is an art :-)

You clearly stated that the other programs work well and with AAP disabled all works well; the same here.

I guess there are a lot of other users out there who are wondering why their systems are very slow at times, and breaking their minds about it.

For me it is clear that Acronis cannot get this right yet. But it would serve them in acknowledging the error.

Opened a ticket 3 weeks ago, got mails from 5 different people. Got 1 build that I could (beta) test, and that wouldn't even start properly. I answered to that and reminded the support to it 2 times, still no answer. Shame on Acronis !!

I eventually paid for the whole functionality, not for just the backup part, so considering to disband the agreement, ask my money back and go for another product with better communication with customers......

Not being harsh, just my experiences with Acronis.

Regards,

 

Kees

Michael,

I understand you are having issue here, not disputing that.  May well be that Active Protection is at cause of the issue on yours and others computers.  The issue is not present on every installation making it hard to narrow down.

Normally what is recommended for cases in which the issue is not widespread is for users to try to narrow down what triggers the problem.  I understand that disabling the Active Protection feature on your machine resolves the issue for you but that in itself is hardly definitive.

The process of discovery is to perform selective Windows startup passes to determine if in fact Active Protection is solely at fault.  There are many sites on the net that discuss selective startup in detail.  If I were in your position I would start there.  Disable the apps that you can that run at Windows startup leaving Acronis True and Active Protection to run at startup.  Does the problem exist in that scenario?  If no then add apps one at a time until you get to the point of the issue happening.  It is likely the last app added is at issue.  Question is why?

Enchantech,

 

I can tell you why:

Because Acronis AP treats that last app as suspicious.

That's what's happening here: the apps that AAP notes as suspicious, are slooowed down.

The question on my turn is : why ?

 

If that is the case here it is because such apps (maybe plugins in the case of browsers) are running processes that are known behaviors that ransomware does too.

The way to correct that issue is to add apps to the Exclusion list in Active Protection. 

Good idea.........maybe........., but a good idea for makers of ransomware!!

When you put it in the exclusion list (and it won't take much time to learn which popular ones are these)

then the makers of the ransomware can make their stuff with these names.

Solving it that way would not be a good idea.....

 

It is not the names of the apps or files that create the security holes.  It is the behavior of the services and processes run by apps that create the triggers that Active Protection looks for and are detected as possible ransomware. 

How about such apps updating or changing these behaviors so as not to trigger detection?

The bottom line for me is that my system worked fine until I installed 2018, then browsers ran like crap. After spending a fair amount of time troubleshooting it was determined by myself and a PC expert that AP was the only cause.   They need to fix it.

Unless they want to remote in or send someone to my office to do more troubleshooting, I am done wasting my time to correct their problems as my PC is back to working fine.

I do like the idea of requesting a refund on the 2018 upgrade or disputing the credit card charge if they don't get it solved in a short time.

Good enough for me.  Anyone having these issues and find the same true are encouraged to open a support case.  Reference this thread in that case.  The squeaky wheel gets the grease!

"It is not the names of the apps or files that create the security holes.  It is the behavior of the services and processes run by apps that create the triggers that Active Protection looks for and are detected as possible ransomware. "

 

That's avoiding my comment.

It doesn't matter how it's acting. Putting the apps in an exclusion list is just a very bad advice.

The reason is simple: spoofing the name of the app that's in the list........

I still stand my point in this: AAP is not mature and should not have been implemented yet.

Mmmm, I do not get the connection between behavior pattern based detection, which is how Active Protection works, and name spoofing! 

When an app is put in the exclusion list, it is put there with a name (wordpad.exe) or you can exclude a whole folder (even worse).

It is done to "correct false positives" according to the website (Acronis)

When a ransomware attack hides its payload in a spoofed wordpad.exe (same name with a malicious payload), then

it won't be detected by AAP.

source:

https://www.acronis.com/en-us/blog/posts/power-user-insights-heres-first-strike-solution-against-ransomware-you-want
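The name-versus-identity concern raised in the post above, as an added illustration that is not part of the original thread and does not model Acronis Active Protection's actual logic: a toy behavioural detector over constructed file events, where an exclusion keyed on file name hides a look-alike wordpad.exe and one keyed on the image hash does not. All paths, hash strings, thresholds and function names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since start of capture
    image_path: str    # full path of the process doing the write
    image_sha256: str  # hash of that process image (placeholder strings here)
    target: str        # file that was overwritten
    entropy: float     # bits per byte of the written data, 0..8


# Hypothetical thresholds for the toy detector.
HIGH_ENTROPY = 7.5   # encrypted or compressed output sits close to 8
MIN_FILES = 4        # distinct files rewritten ...
WINDOW_S = 10.0      # ... within this many seconds


def suspicious_images(events, is_excluded):
    """Return image paths that rewrite >= MIN_FILES distinct files with
    high-entropy data inside WINDOW_S seconds, ignoring excluded events."""
    writes = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if is_excluded(ev) or ev.entropy < HIGH_ENTROPY:
            continue
        writes[ev.image_path].append(ev)

    flagged = set()
    for image, evs in writes.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than WINDOW_S.
            while evs[end].ts - evs[start].ts > WINDOW_S:
                start += 1
            if len({e.target for e in evs[start:end + 1]}) >= MIN_FILES:
                flagged.add(image)
                break
    return flagged


def exclude_by_name(names):
    """Exclusion keyed on the executable's file name only."""
    wanted = {n.lower() for n in names}
    return lambda ev: PureWindowsPath(ev.image_path).name.lower() in wanted


def exclude_by_hash(hashes):
    """Exclusion keyed on the hash of the process image."""
    return lambda ev: ev.image_sha256 in hashes


# Constructed sample data: one genuine editor and one look-alike binary.
GENUINE = r"C:\Program Files\Windows NT\Accessories\wordpad.exe"
SPOOFED = r"C:\Users\demo\AppData\Local\Temp\wordpad.exe"
GENUINE_HASH = "sha256:genuine-image-placeholder"
SPOOFED_HASH = "sha256:lookalike-image-placeholder"

EVENTS = [FileEvent(0.0, GENUINE, GENUINE_HASH, r"C:\Users\demo\notes.rtf", 4.2)]
EVENTS += [
    FileEvent(float(i), SPOOFED, SPOOFED_HASH, rf"C:\Users\demo\doc{i}.docx", 7.9)
    for i in range(1, 6)
]


def run_demo():
    """Run the detector under three exclusion policies."""
    return {
        "no_exclusion": suspicious_images(EVENTS, lambda ev: False),
        "name_exclusion": suspicious_images(EVENTS, exclude_by_name({"wordpad.exe"})),
        "hash_exclusion": suspicious_images(EVENTS, exclude_by_hash({GENUINE_HASH})),
    }


if __name__ == "__main__":
    for policy, flagged in run_demo().items():
        print(policy, sorted(flagged))
```

Whether a given product behaves like the name-keyed or the identity-keyed policy has to be established by testing that product in an isolated VM, as discussed later in the thread.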

Kees,

You are misinterpreting how Active protection works.  If a ransomware were to spoof itself as a whitelisted legitimate app then subsequently behave in a known ransomware pattern that process would be halted and the user would be notified of the action taken.   So let's say here that you whitelist Wordpad.exe because Active Protection warns that Wordpad behavior was found to be suspicious.  You then add Wordpad to the whitelist which tells Active Protection that Wordpad is trusted.  All that means is that even though the behavior of Wordpad is suspicious Active protection will not notify you the user of that fact.  Now if Wordpad is taken over by ransomware and begins encrypting files or attempts to modify the boot record of your computer that behavior would trigger Active Protection to halt that process.  You the user would be notified of the event and options would be presented to you to address the occurrence.

It works this way because Active Protection is triggered by patterned behaviors.  So even though Wordpad processes trigger a suspicious activity that activity was not halted because the real work of true ransomware never occurred and as a result no further action was taken by Active Protection.  When you whitelist Wordpad Active Protection then still detects the behavior that resulted in the suspicious warning but marks it as a trusted by user behavior.  Attempts to encrypt files and or modify the boot record will trigger Active Protection to stop these processes.

So think of it as a two tier protection.  Suspicious behavior is detected and the user is notified of that fact so that the user can either trust the app or process that triggered suspicion or the user can take other action such as uninstalling the app or disabling the process.  If ransomware does gain entry to a system and file encryption or boot record modification is detected these actions are stopped, the user notified and options presented for the user to address the situation.

The real threat currently in the malware world is that these malicious apps are now appearing that run solely in computer RAM meaning that no installation or files need be performed on the machine for the malicious code to run.  Active Protection, because it IS behavior pattern based is perfectly poised to stop such threats whereas other security apps that rely solely on whitelist for detection purposes are not. 

Hi Enchantech, Thanks for your explanation.

I am testing your claim above, but when I use bitlocker it doesn't even see it when I bitlock a drive

And then nothing is in the exclusion list and AAP is on.

How can that be?

 

Regards,

 

Kees

Enchantech...excellent explanation.  I would recommend starting a new topic with the information and requesting Ekaterina to make it a sticky.

Kees, bitlocking a drive is not a pattern that AAP would monitor.  It would be expected behavior.

Accessing Acronis keys in the Windows registry is a pattern.  However, if you access the Acronis keys using Regedit with Admin privileges, then AAP may or may not generate an error message.

Prior to AAP, the log viewer gathered some information from the Acronis keys.  During the first beta testing of AAP (2016), AAP would keep the Log viewer from reading the Acronis keys until the Log viewer was white listed.

Any program that tries to modify the Acronis keys should generate warning messages, regardless of whether they are white listed or not.

You could try deleting to see what happens:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\FileProtector

 

Ftrpilot,

I agree it's a good explanation:-)

But I always want to test claims..... That bitlocker would be an expected behaviour, is strange to me.

At least it could ask if the action is wanted or not. I get even AAP-halts on renaming of some file names....

I think it would be rather easy to use the bitlock routine by some ransomware. Doing this with admin privileges shouldn't matter. In hacking, getting admin privs is quite easy.

Well, I tested a Ransomware simulation, with a simple exclusion in the Exclusion List (whitelisting),

I opened a new topic for it, because this topic doesn't cover this.

 

Regards,

 

Kees

 

 

 

Kees, I saw the other post.

 

FTRPilot made a lot of comments to it that I have to echo and am curious to read the responses when posted.  Simply making a whitelist exclusion for *.*  and running a simulator to determine what could be encrypted, doesn't prove that ransomware would be able to encrypt, nor if it could, that Acronis could not detect and stop it or even roll any impacted files back.

If I can find the time, I plan to build a new, simple VM with nothing more than Acronis 2018 and Windows Defender and then run real ransomware against it. Assuming it is protected by Acronis, I would then add the *.* whitelist and test again to see what happens.

That's the only way to be 100% sure, but it should be done in a safe and segregated environment away from real data.

 

Hi Bobbo,

Well, that is just what I did. A VM with Windows 10, Eset and Ati2018.

Except for a real ransomware I used the simulator.

WITHOUT *.* exclusion Acronis blocks it. WITH THE EXCLUSION Acronis makes it vulnerable just like the report says.

I think it's quite simple. The claim made is not correct.

Back to the topic.

I delivered new logs, which is a lot of work.

Asked confirmation of receiving it, and had a remark made on one log.

A week later, not even the confirmation. Shame on Acronis Support for that.

So my advice to do first, if you experience slowness of any kind after installing ATI 2018, suspect the Active Protection and switch it off.

I still think Acronis is a great backup/restore product, but they should have stayed with that. Let security be the job of Kaspersky, Eset, e.a.

 

Still no answer. Not a confirmation. Nothing.

 

I'll send them an email to remind.....

 

Back off-topic for a moment:

"... So think of it as a two tier protection.  Suspicious behavior is detected and the user is notified of that fact so that the user can either trust the app or process that triggered suspicion or the user can take other action such as uninstalling the app or disabling the process.  If ransomware does gain entry to a system and file encryption or boot record modification is detected these actions are stopped, the user notified and options presented for the user to address the situation. ..."

So does that imply that even if AAP does not actively protect .tib files on a NAS it would notice and block ransomware behavior so that the remote .tib files would, in effect, be protected anyway?  I'm assuming that ransomware would attack local files before it start scrounging around on NAS drives.  (Possibly a bad assumption.)

Kees,

I think you are right to a degree here.  The SMB protocol itself should provide protection of files on network shares.  The flaw in that assumption is twofold.  One is that SMB version 1.0 has known vulnerabilities and is recommended to be disabled on a network.  SMB versions 2.0 and 3.0 offer protection built into the protocol in that to even establish a connection the protocol must exchange Secure Dialect Negotiation with Server/Client.  This is to prevent MITM attacks.

The second flaw is that this negotiation cannot prevent a downgrade SMB from 3.0/2.0 to SMB 1.0 which would allow such an attack.  Therefore the recommendation to disable SMB 1.0.  For more on SMB security see the link below:

https://technet.microsoft.com/en-us/library/dn551363(v=ws.11).aspx

Still no solution for this problem........

Same slowdown issue here.  ATI2018 Active Protection was causing issues even when just watching a youtube video.

Once I disabled it, things went back to normal.

Mitchell, welcome to these User Forums.

Please raise this as a Support Case directly with Acronis so that they can investigate why this does this on your computer but not on others.  The more people who do this then the better the Acronis developers can determine the reason why and produce a remedy.

I have found a problem with the "Acronis Active Protection Service" as well.  My opinions about it being something that belongs in a backup program to begin with (it DOESN'T!) aside, I've found that a couple of my applications hang-up and freeze when saving the open file or trying to exit the program itself.  A particular application I can use as an example is a prototyping app called Justinmind.  It's used for UI development and has been a favorite of mine for years.  My business actually depends upon it for 6 months out of the year.

I installed Acronis 2018 about three or so weeks ago.  Win10 Pro 64 bit on an i7 7700HQ w/16 gigs RAM.  For the first time in over a month, I launched this prototyping application.  Upon saving, it froze.  Looking in Task Manager, the application "Status" was listed as "Suspended".  I ended the task/service and re-launched the app.  After it loaded, I tried exiting the program.  Froze again.

In the end, the resolution was as follows:  I ran MSCONFIG from the Run line and disabled "Acronis Active Protection (TM) Service" (from the "Services" tab).  Rebooted - now everything with this prototyping application works as designed.

It took me an hour to go through each and every suspect service in MSCONFIG until I finally landed on the culprit (that being AAPS).  In retrospect, I should have just gone in alphabetical order.

But nonetheless...

Active protection will stop apps that do things that it associates with malware. This involves some types of file manipulation. I have several "unusual" apps that are picked up by Active Protection, which I have added to the white list and everything returned to normal.

Active protection has two settings, the most restrictive protects *.tib files and Acronis app files from attack by malware, and the wider application protects other files as well. The former is a legitimate and proper thing for a backup program such as Acronis to do, the latter is more problematic and opinions differ. I find the added level of protection useful but some others do not do so.

Unfortunately the installation routine does not explain what is being done and allow the user to make informed decisions about the settings that are available.

Ian

" Upon saving, it froze.  Looking in Task Manager, the application "Status" was listed as "Suspended".  I ended the task/service and re-launched the app.  After it loaded, I tried exiting the program.  Froze again. "

Did you open a case with Acronis support?  Suspending a program without issuing a message and giving the user some option to unsuspend the program (even if the only action is to cancel it) is surely unintended behavior.  Acronis support needs to be made aware of this so they can fix it.

Yes, there should be a pop-up at the bottom right hand side of the screen - not sure how long it stays. My recollection is that you have to dismiss it.

Ian

The absence of the pop-up makes me think Jeffrey may be running into a bug rather than experiencing normal behavior.  There is no way Acronis can test how AAP interacts with every available piece of software.  If Justinmind does something really unusual I suppose AAP could stumble.  I don't know what a "prototyping application" does, but I can envision it setting up a "protected" environment that looks suspicious to AAP but maybe an environment AAP does not know how to handle.

 

KB 60193: Acronis True Image 2018: Active Protection blocks legitimate applications should be a starting point here and if this does not resolve the performance impact then a support case should be opened to let Acronis support investigate why the behaviour of this application is being mishandled by AAP.

To date I've had several interactions with support in regard to my original complaint. They are aware of the problem and don't have a solution yet.

Michael, thanks for your update.