
Acronis Active Protection vs. security software


I have always heard that I should not run multiple security software products on the same computer because they can step on each other's feet or sometimes mess up the operating system by setting multiple hooks in the same operating system code.

Given that, how well does Acronis Active Protection play with security packages?  I run Kaspersky Internet Security and don't want to do anything that would get in its way.  I notice that the AAP blurb contains the line "... according to our partner Kaspersky Lab ...", but that paragraph was about ransomware statistics, not code interaction.

Is there documentation on how AAP works and how it interacts with security products?


Patrick, as is typical with many security products, there is not very much documentation on how these work other than assurances that it should play nicely when used alongside other security products.

My understanding is that Acronis gained a developer who came from Kaspersky and has knowledge and experience in development of security products.

As with all security products, you need to test the operation and interaction with other similar software, and may need to employ whitelists in one or both of them.

Active Protection works differently than malware apps in that Active Protection uses a pattern detection method of ransomware discovery.  Some patterns are known ransomware while others are suspect or suspicious.  Active Protection uses a self-defense mechanism to protect the Acronis product itself as well as all backup files to prevent modification and/or deletion.

If your security suite has issues with AP or vice versa, you can add that security suite to the AP whitelist and vice versa.

For more on Active Protection look Here

For more on working with whitelists look Here

Just a thought...

Besides Avast Premier and Malwarebytes, I now have Acronis Active Protection. I think it may be a bit of overkill.

Two annoyances, one minor and one major:

1. The tray icon says that the "Self-protection is turned off" but, according to the main screen, AAP is definitely on.

2. Since activating AAP, I have noticed a big slow-down when launching programs.

Any thoughts on this?

I just turned AAP off, and the tray tooltip changed to "Acronis Active Protection is off". When I turned it on again, it changed back to "Self-protection is turned off". Obviously, these must be two different things, I guess.

" 2. Since activating AAP, I have noticed a big slow-down when launching programs. "

Did this slow-down change when you turned AAP off?  Is the launching of all programs slowed down or are some more impacted than others?

Rob, please see the following KB documents: 60190: Acronis True Image 2018: how to disable Active Protection in Windows  and  60193: Acronis True Image 2018: Active Protection blocks legitimate applications

See also KB documents: 36429: Acronis Software: exclude program folders and executables from antivirus and other security programs  and  46430: Acronis Software: Making Acronis Products Compatible with Antivirus Software

These documents will help when you need to turn off AAP for any reason, plus will help you to understand the need to whitelist your applications in AAP and to do the same for AAP and other Acronis executables for your security programs.


2. Oh, yes. Big-time. Mostly graphics programs - anything to do with photo editing. Others not quite as noticeable. Turning it off made a difference.


Thanks for that. AAP wouldn't let my email client work until I okayed it. That was a bit surprising. Let's see what I can find out.


I had a problem with a recent build of Office 365 - traced to an invalid certificate. Microsoft fixed it quickly.

Active protection has been 'in my face' since 2018 was released, primarily 2 ways:

- during a scan by a security product (AVG), but only selected files.  To clarify, a system wide backup by partitions generates around 352Gb in 23 .tib files, each highly compressed and a max of 25Gb.  Only the files associated with the system drive or the textual data drive seem to be affected, i.e. generate the alerts.  Possibly because they were the first ones so detected and alerted . . . .

- when copying any backup file, eg from the 'backed-up location' to an external drive which will be the 'off PC' copy.

My normal response to the alert was to "allow for one hour", but that did not apply to the 2nd file, which also required an allow action.

I became concerned when I actually read the detail of the alert message (same in each case above) - a program (AVG or windows explorer) was attempting to modify the backup file. One would not expect explorer to change a data file during copy, but it seemed very likely that scanning a large (25gb) compressed backup data file may yield a match with virus pattern and if allowed the file would be modified - effectively invalidating the backup file.

IMHO that alert message is irresponsibly vague - basically poor design.  One would assume that

1 - good design in this space would expect backup files would be copied and allow for that, including a suitable text in the message.  But 'allowed for' would probably not generate the message

2 - coordination with the security vendors should enable some degree of change prevention.  For example, the message is only generated if a virus pattern matched and before any change actually occurs.

I've bitched (for weeks) at both Acronis and AVG about cooperatively solving this (case numbers available if any one is actually interested), but essentially all I got was finger pointing.  I've read the threads about it in this forum, and my conclusion is that this feature in TI really isn't effective based on CURRENT heuristic rules, because those rules clearly don't include common predictable and easily checked on PC events.

My solution to the security scan problem was to exclude the Acronis software and any .tib backup files from scan - by folders, included in the excluded list: not scanned = no alert.  I don't have a solution to alerts from copying by explorer, have to live with it for the moment, but Acronis can surely work out an effective interaction with a basic tool of the OS in conditions when they recommend making off-system copies of all backups;  the tool to do that being self evident.
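The post above raises a real backup-integrity question: a scanner or a copy tool could alter a .tib archive, and the author would only find out at restore time. The check a practitioner wants is a hash manifest taken right after the backup job finishes and re-verified after every copy and every security scan, so that a modified or quarantined archive is noticed immediately. The following is an added example written for this thread, not Acronis or AVG code; the folder layout, the system_partN.tib file names and the archive contents are constructed assumptions built in a temporary directory so it runs offline.

```python
"""Check that backup archives survive a copy or a security scan unmodified.

Added example, not Acronis or AVG code. It assumes backup files end in .tib and
live in a source folder, with a copy in a destination folder; both folders and
their contents are constructed here in a temporary directory so it runs offline.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read archives 1 MiB at a time; multi-GB files never fit in RAM


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(folder: Path, pattern: str = "*.tib") -> dict:
    """Record name -> (size, sha256) for every archive in `folder`, taken right after the backup runs."""
    return {p.name: (p.stat().st_size, sha256_file(p))
            for p in sorted(folder.glob(pattern)) if p.is_file()}


def verify_against_manifest(manifest: dict, folder: Path) -> dict:
    """Compare the archives in `folder` with the manifest.

    A size or hash mismatch means something (a scanner, a copy tool, malware)
    changed the file; a missing name means it was never copied or was quarantined.
    """
    result = {"ok": [], "modified": [], "missing": []}
    for name, (size, digest) in manifest.items():
        p = folder / name
        if not p.is_file():
            result["missing"].append(name)
        elif p.stat().st_size != size or sha256_file(p) != digest:
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    return result


def demo() -> dict:
    """Constructed scenario: three archive chunks; the copy has one altered and one absent."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "backups"), Path(tmp, "offline_copy")
        src.mkdir()
        dst.mkdir()
        names = [f"system_part{i}.tib" for i in (1, 2, 3)]  # hypothetical chunk names
        for name in names:
            (src / name).write_bytes(os.urandom(4096) * 4)  # constructed archive content
        manifest = build_manifest(src)

        shutil.copy2(src / names[0], dst / names[0])  # intact copy
        shutil.copy2(src / names[1], dst / names[1])
        with (dst / names[1]).open("ab") as f:  # simulate a tool rewriting the copy
            f.write(b"\x00")
        # names[2] is never copied: the equivalent of a quarantined or skipped file
        return verify_against_manifest(manifest, dst)


if __name__ == "__main__":
    for state, files in demo().items():
        print(f"{state}: {files}")
```

Run build_manifest against the backup folder as soon as a job completes, store the manifest alongside the offline copy, and run verify_against_manifest after the copy and again after any full security scan; a non-empty modified or missing list is the signal to re-copy or re-run the backup before trusting it for recovery.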

David, whilst I and other users / MVPs will understand the concerns that you have raised above, the reality is that there is very little that any of us can do to change or resolve these concerns - we are all just users the same as yourself.

Personally, I would prefer to be notified and asked to verify certain actions on my computers than face the possibility of malware being able to successfully masquerade as a valid, approved program or service and get away with encrypting any of my files.

The act of copying your backup files to an external drive will be challenged by AAP because this could be a part of a malware attack where the file is encrypted during the copy operation and then the original file is deleted to prevent recovery.

With regards to AVG, then I would direct you to review KB documents: 60190: Acronis True Image 2018: how to disable Active Protection in Windows  and  60193: Acronis True Image 2018: Active Protection blocks legitimate applications

See also KB documents: 36429: Acronis Software: exclude program folders and executables from antivirus and other security programs  and  46430: Acronis Software: Making Acronis Products Compatible with Antivirus Software

Steve said: The act of copying your backup files to an external drive will be challenged by AAP because this could be a part of a malware attack where the file is encrypted during the copy operation and then the original file is deleted to prevent recovery.

This does not seem to be the case if the external drive is a NAS.  I can copy .tib files to a NAS drive with no comment from AAP.   I suspect the "protection" is involved with the writing of the file onto an AAP-protected target rather than with reading the file.

Patrick, quite correct!  Sorry, had forgotten the loophole of copying to a NAS which AAP does not protect!

I do appreciate the feedback, and I know forum specialists are volunteers - is why I raised this with both AVG and Acronis.  In the past, I've had a problem with an Acronis file being binned by AVG and was able to get it resolved at the developer level (basically, a pattern fix) - but it took insistence on escalation to get there.  This time, despite some heated discussions, neither was interested in escalation - contact the other party was the message I got.

In this case however, there's no positivity about it - the active protection rules are all heuristic - that is,  an attacker might do this, rather than an attacker 'identified' is doing it, and some pretty basic expectations do not seem to be part of those  rules.

As to copying to an external drive, actually it alerted when copying from an external drive (the disconnected except during backup HDD) to an internal hard drive!  a local drive that has backups of the system drive and some basic data - to speed up the process of recovery using the boot disk.

Steve made the point about knowing, but a scenario of malware masquerading as 'good' software doesn't change anything: the AAP message doesn't identify which program is doing it, only the path and .tib file involved, and you really don't know. Given the allow function, if you want the action to proceed, e.g. copy or scan, allow is the only option.  OTOH, if the action program was identified in the AAP message and wasn't what was expected, e.g. something NOT the Windows Explorer in the registry was trying to copy the backup file, then cancel would be my action.  If that is too hard, simply don't allow the original backup file to be deleted unless a password action is satisfied (at some point deletion of old backup files has to be allowed).

I mentioned this here because the developers do read forums even though it may not seem like it.

David wrote " As to copying to an external drive, actually it alerted when copying from an external drive (the disconnected except during backup HDD) to an internal hard drive!  a local drive that has backups of the system drive and some basic data - to speed up the process of recovery using the boot disk."

Actually, that is AAP doing just what it is supposed to do.  It detected a non-Acronis program writing a .tib file to an AAP-protected drive.   That is suspicious activity.  It happens to be just what you wanted but you can't expect ATI to know that.

An option might be to have a separate ATI backup task with that drive as destination.  It's an extra backup task but it might let you build that drive as you want without running afoul of AAP.

I did mention the size of a system backup: the latest one is 352 Gb using maximally compressed files. I set up the backups manually - just a personal quirk, but it enables separation of the various active and logical drives by function and data type: recovery only needs to do the affected drive, not the whole machine.  And, ignoring the 30 seconds or so for each drive being backed-up for config, on a core i3 3.7ghz dual core cpu with 8Gb RAM, i.e. fast, by 30% or more over prior computers, just creating the backups takes (literally) hours.  If I try to use the machine during the period of backup, there's an issue of data currency in the backup, but also that just extends the time backup takes, considerably.  So, once a month for a whole morning the PCs do backup and nothing else.  Copying a completed backup is so much faster than doing it again I don't bother with any second actions - just copy the tib files to where I want them to be.

An alternative, of course, is to just turn off AAP when you are about to do the copy or let AAP prompt you to allow for an hour.  Neither is practical if you want to automate the process ... unless you turn off AAP and leave it off.  (Permanently turning off AAP is not a wise choice IMO but people do it.)  I'm not sure what happens if you tell AAP to allow an action for an hour and the copy takes longer than an hour.  I assume AAP checks only at the start of the copy.

David said: "To clarify, a system wide backup by partitions generates around 352Gb in 23 .tib files ...".

This is off-topic, but I'm puzzled by that.  I, too, take a backup that produces about 350GB of data but ATI creates only one .tib file for the full backup.  (Incremental files are extra, of course, but I assume you are not referring to them.)  Are each of those 23 files the same size - 22 16GB files plus a bit left over?  (I think there is a 4GB file size limit in a FAT32 file system but I don't recall a 16GB limit  in anything.)  Are you telling ATI to split your backup into 16TB chunks?

Hi Patrick,

Would you store everything in an office in the top drawer of a filing cabinet?  Which is basically what most people do with Windows - everything in C:.

As an old IT person, I don't do that.  I've organised the drives on my main system (and the laptops similarly, but on those there's only one internal HDD) to store data by function and data type.  See the attached DD12 screenshot.  And you will note that I have one HDD only for C:. Doing it this way has performance benefits, especially for programs doing things like scan (security) or compress and save (ATI).  It takes my laptop (320Gb HDD) longer to backup than my desktop (about 4Tb of HDD attached) even doing the latter manually.  The processor cpu speed is different by about 30%, but they both have the same OS and the same RAM.  Mainly, this way the drive latency number is reduced to near zero.  By my very rough estimate, more than 30x faster.  Individual seek functions are so small it seems not worth attention, but on something doing the whole disk there are so many of them the time saving is huge.

And I backup the drive partitions individually, so I have individual backup files for C, and E etc.  As I said, this makes restoration for just the drive affected easy and relatively (compared to restoring everything) quick.

And you can set the size of the backup files:  after setting up the backup parameters (which drive, where to), the options/advanced page allows splitting the file into specific sized chunks.  The default is 25gb Blu-ray, but you can go as low as 650mb on a CD - there are 9 choices, including custom.  And for each drive that exceeds that limit, there are usually some left-over sizes.  For example, in the DD12 screenshot, the video drive is all video data (the apps that manipulate it are in the applications drive).  I choose to take the default and about once a year I'll burn those files to a Blu-ray disk (in addition to having electronic copies in several places).  The last backup I did took 6 full-size (6x25Gb) files and one 'left over' of about 23gb.  The naming convention Acronis uses by default numbers these in succession.  See the explorer screenshot of my backup NAS store for Feb 2018.

Fiddly?  Yep.  But on occasion (once in eight or nine years) it's been worth its weight in gold.

 


David,

Very nice backup plan there.  I practice something very similar myself and can vouch for the performance increase.

I think you might have some misunderstandings of Active Protection, I would encourage you to have a look at the article

Ransomware Protection and Recovery

This knowledge base article is worth the read too.

Acronis Ransomware Protection FAQ

I am with you on clarifying alert messages, making them more informative and direct.  I suppose that some would find that alarming as well.  I guess the trade off is a compromise of some sort.

I have found that AP is very effective.  It has saved me twice now from drive-by attacks.  In both cases I was able to recover affected files!  In my book that makes it worth any hassle or quirks it has.  I expect that as the feature matures it will continue to get better, improving with age!

:)