
Are you guys using the ransomware protection now?


I know it had some rough edges when it first came out, but wondering if it's safe yet to turn this on in 2018 without causing issues with other security software, false positives, etc.? Any performance issues?


Philip, I have been running AAP since I installed ATIH 2017 New Generation, and have continued to run this on 2018 through the Beta testing phase and now with the public release builds.

I personally have not experienced any significant issues with AAP in that time and it seems to play nicely with my other security applications etc, no performance impact that I am aware of and apart from occasionally reminding me that it is present by asking if I want to trust something that I am installing or running for the first time, all has been 'quiet'.

Thanks Steve for sharing your experience on this. I'm going to give it a try. 

 

I have had no issues with my other security software, and have been running it as long as Steve, including beta and pre-release versions of ATI.

It does have issues with some software, some printer/scanner utilities for example, but that, as I understand it, is related to the security certificate of that software being absent or out of date.

Ian

I have been running with AP in the 2018 beta and final release. I just looked at the activity and find a financial application has been prevented from accessing the registry, but the program runs just fine. I also had rundll32.exe prevented from accessing the registry at the same time as a bunch of ESENT information messages in the event log. I don't believe I even received a notification and it only happened once. And finally, FNPLicensingService64.exe was prevented from accessing the MBR, and this only happened once and coincided with running the financial app. I think I did receive a message about this.

That's all there is. I have not whitelisted anything and am not experiencing any service problems.

The key point of Active Protection is that it works via patterns.  This means that known ransomware application patterns are defined in Active Protection.  When other application processes exhibit these same patterns Active Protection may block the activity if it determines that the process causing the pattern is not trusted.  Not trusted can be because of an invalid or absent digital signature or security certificate.  It would behoove users that experience blocked application processes to investigate if updates exist for such applications that may remedy these issues.  If there are no updates available then white listing the blocked file is an action the user can take if necessary to solve false positive issues.

As for rundll32.exe, this process is normally a part of windows however, malicious software has been known to hide behind this process.  If the application that calls rundll32.exe is doing so and has a ransomware pattern match then the result will be a blocked process.  White listing is again the option to resolve such issues.

In cases where the blocked process does not adversely affect the workings of the application then these can be ignored by the user but messages will continue to appear from AP about these processes in some cases.  In viewing AP logs there are times when an application process may trigger a block a few times and then change to trusted status.  I cannot explain this but I have seen it a few times.

Personally I have not had any adverse effects with using AP with any of the software I run so I continue to use it.  To date AP has blocked only 2 processes on my machines which quite frankly I expected so for me I am happy to have it at my defense from a potential ransomware attack.

So the issue I've run into is that I use Robocopy to ship my local images off-site and AAP blocks Robocopy from messing with the TIB files even when Robocopy.exe is on the whitelist. 

Phillip,

My suggestion would be that you temporarily turn AP off when you use Robocopy to perform that task then turn it back on when you are finished.

AP will block any process that attempts access to tib files outside of True Image as such behavior is a known ransomware pattern and is part of the self defense design of AP.

Thanks for the responses on this thread. Wanted to let you know that I've been able to address this issue by adjusting the parameters on Robocopy so that it does not attempt to change the archive attribute on the TIB files after copying. Doing this allows the script to run as the files are not actually being modified. Thought this might be useful for anybody else who uses this tool.

Best,
Philip.
Hi there

Acronis Active Protection also works extremely well on Acronis Backup 12.5 as well as Acronis Backup Cloud 7.5 (This is still in BETA). I have however extensively tested this in both LAB and PRODUCTION environments with dummy ransomware and on all occasions Acronis Active Protection stopped the service, deleted the affected files and restored them. One case where a customer actually was infected with ransomware on Acronis Backup 12.5 it performed the same.

My two cents: it is a useful tool and will be safe to enable.

Regards

I have the robocopy issue mentioned above but I don't see how to set the robocopy switch to avoid attempting to change the archive attribute on the TIB files after copying. 

The other suggestion (turning off Acronis protection temporarily) is not practical since I use scripts to duplicate file contents (including TIB files) to external hard drives.

Setting robocopy to be "trusted" has no effect. 

Dave G

David, this is the command line I use:

robocopy.exe "DRIVE:\SOURCE FOLDER" "\\NAS_NAME\DESTINATION FOLDER" /COPY:DT /FFT /PURGE /J /R:1 /NP /log+:DRIVE:\LOG FOLDER\acronis_offsite.txt

Hope this helps!

Philip

 

In reply to truwrikodrorow…

Thanks, Phillip, for posting this comment!!  I, too, use Robocopy to copy my .TIB files to a secondary location as part of my disaster recovery policy.  I haven't yet configured automated copying of my ATI 2018 .TIB files, but I suspected that Automatic Protection would interfere with Robocopy since a manual copy of my ATI 2018 .TIB files triggered an Automatic Protection warning on explorer.exe.  I appreciate you sharing your knowledge about how to change Robocopy's settings to work with Automatic Protection!

Bill, I did some testing in this area with my own NAS and found that AAP did not prevent me from using Robocopy to copy my .tib files to the NAS.  This has been raised in other forum topics that AAP does not protect NAS .tib files and has been acknowledged as a limitation of AAP by Acronis in protecting only local file systems.

I've been attempting to use Robocopy for the past two nights to copy my nightly True Image 2018 backup .TIB file to another hard disk on the same computer.  Both times Active Protection caused the copy job to fail.  Here are the two night's Robocopy command lines:

1st Night: robocopy "F:\Source Folder" "D:\Destination Folder" /COPY:DT /J /MIR

Last Night: robocopy "F:\Source Folder" "D:\Destination Folder" /COPY:DT /PURGE /J

Any ideas why both of these command statements trigger Active Protection?

Bill, as Enchantech stated in one of the earlier replies in this topic:

AP will block any process that attempts access to tib files outside of True Image as such behavior is a known ransomware pattern and is part of the self defense design of AP.

What I have found is that if the target of a Robocopy is an external or remote drive, then it doesn't object, but if the target is a local drive, then AAP kicks in with a pop-up box asking for a decision on how to handle the request.

This is shown in the following snippet from the log produced by Robocopy:
-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows                              
-------------------------------------------------------------------------------

  Started : 23 March 2018 15:33:04
   Source : H:\Test\
     Dest : J:\Test\

    Files : *.*
        
  Options : *.* /S /E /DCOPY:DA /COPY:DAT /PURGE /MIR /R:1000000 /W:30 

------------------------------------------------------------------------------

                      17    H:\Test\
        New File           124.0 m    (1)Camera Uploads_full_b1_s1_v1.tib
2018/03/23 15:33:04 ERROR 5 (0x00000005) Copying File H:\Test\(1)Camera Uploads_full_b1_s1_v1.tib
Access is denied.
Waiting 30 seconds... Retrying...
        New File           124.0 m    (1)Camera Uploads_full_b1_s1_v1.tib
2018/03/23 15:33:34 ERROR 5 (0x00000005) Copying File H:\Test\(1)Camera Uploads_full_b1_s1_v1.tib
Access is denied.
Waiting 30 seconds... Retrying...
        New File           124.0 m    (1)Camera Uploads_full_b1_s1_v1.tib   0.0%   0.8%   1.6%  

The copy only went ahead when I took the option to allow this for 1 hour!

Running the same copy to an external USB drive didn't produce an AAP prompt message.

Thanks, Steve, for the quick reply.  That explains why I'm having the problem - I'm copying to a local internal hard drive.  That makes perfect sense because I get the same warning from Active Protection when I manually attempt to copy the .TIB backup using Windows Explorer to the same internal drive.  I really appreciate you taking the time to test this out!

Regards,

Bill Vallance

I too have this problem and have tried different Robocopy commands. The bottom line is that Acronis protection kicks in when I use the /MIR robocopy command which deletes obsolete local .tib files (which is the desired action). Attempting to configure Acronis to trust robocopy does no good. 

As a workaround I manually turn off Acronis protection while running the robocopy action copying new files to an external drive and deleting obsolete local files. 

This is problematic because I have to remember to turn Acronis protection back on afterwards and typically I forget. 

Since I run robocopy from a script anyway, it would really help if Acronis created a command line function to turn the additional protection off and on.

Regards, 

Dave Gray

 

Dave, please submit Feedback using the tool provided in the ATI GUI for the suggestion / requirement for a method of turning off/on AAP via a script or command.

I finally have the answer why .TIB files can't be copied using Robocopy.exe from where they were originally created to another location on the local computer.  I have had a ticket open with Acronis Support for some time now about this problem.  Their answer to the question as to why this happens is:

C:\Windows\System32\Robocopy.exe is a Microsoft-signed executable and not an Acronis-signed one; as such it's not granted mutable access to Acronis files.  The permission list is only applicable to file-protection and not self-defense and therefore adding it to the white-list has no effect.

"Self-defense" means doing anything with a .TIB file - moving, copying, or deleting on the local computer.  That's why Active Protection is always triggered anytime you attempt to do anything with a .TIB file on the local computer.  You can, however, copy the file to a remote computer, as many have mentioned on this forum, without triggering Active Protection.

So, how does this problem get solved?  Acronis Support gave me the solution.  It is to use the built-in Windows Service Control tool (SC.exe) to stop and restart the Acronis Active Protection Service.  After the service is stopped you can do anything with .TIB files and Active Protection won't be triggered.  When the service is restarted Active Protection is once again triggered when anything is attempted on a .TIB file on the local computer.

Running SC.exe requires administrative rights.  If UAC is enabled and a standard logged-in user attempts to run SC.exe in a non-elevated command window, SC.exe won't run.  SC.exe requires an elevated command window in order to execute - period, no exceptions.  If no users are logged in to the local computer SC.exe still requires an elevated command window to run.

In my scenario I need to copy each nightly .TIB file to another drive located on the local computer.  Active Protection was always being triggered.  I created a .CMD file with SC.exe commands to stop Active Protection, copy the nightly .TIB file, then restart Active Protection again.  I called this .CMD file as a Post Command from the True Image 2018 backup job configuration.  Because True Image 2018 requires administrative privileges to run, the Pre/Post Commands also run with elevated privileges.  That means that any .CMD file launched as a Pre/Post Command from a True Image 2018 backup job will execute in an elevated command window.  For more on how this works you can refer to the following forum post:

https://forum.acronis.com/forum/acronis-true-image-2018-forum/true-image-2018-what-happened-windows-account-option

The syntax to stop and restart Active Protection using SC.exe are as follows:

To STOP Active Protection -

SC STOP AcronisActiveProtectionService

To START Active Protection -

SC START AcronisActiveProtectionService

I hope this post helps someone else who faces this problem.

Enjoy!
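The procedure in the post above (stop the Active Protection service, copy the .TIB, start the service again) and Philip's earlier Robocopy switches (/COPY:DT so the archive attribute is never touched) can be combined into one script. The following is an added example written for this page, not the poster's .CMD file and not anything shipped by Acronis. It assumes the service name AcronisActiveProtectionService from the SC commands above, uses placeholder source, destination and log paths, and is meant to run elevated (for instance as a True Image Post Command, which the thread notes already runs with administrative privileges). The point it adds is the try/finally: while the service is stopped the machine has no ransomware protection, so the script restarts the service even if Robocopy fails, and it checks Robocopy's exit code (0 to 7 are informational, 8 and above are failures) instead of assuming the copy succeeded.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread (not Acronis code): stop Active Protection only for the
# duration of a local Robocopy of .tib files, and guarantee the service is restarted.
# Placeholder paths below are assumptions; adjust them to your own layout.
param(
    [string]$Source      = 'F:\Source Folder',            # placeholder
    [string]$Destination = 'D:\Destination Folder',       # placeholder, local drive
    [string]$LogFile     = 'D:\Logs\acronis_offsite.txt', # placeholder
    [string]$ServiceName = 'AcronisActiveProtectionService',  # from the SC commands in the thread
    [int]$TimeoutSeconds = 60
)

# Block until the service reaches the requested state (or time out) and report its status.
function Wait-ServiceStatus {
    param([string]$Name, [string]$Status, [int]$Timeout)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $svc.WaitForStatus($Status, [TimeSpan]::FromSeconds($Timeout))
    $svc.Refresh()
    return $svc.Status
}

$stoppedByUs = $false
try {
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $ServiceName -ErrorAction Stop
        $null = Wait-ServiceStatus -Name $ServiceName -Status 'Stopped' -Timeout $TimeoutSeconds
        $stoppedByUs = $true
    }

    # /COPY:DT copies data and timestamps only, so the archive bit on the .tib is left alone
    # (Philip's trick). /R:1 /W:5 keeps retries short so the protection-off window stays small.
    # /PURGE removes destination files that no longer exist in the source (the /MIR behaviour
    # that Dave needed). /NP suppresses progress noise in the log.
    & robocopy.exe $Source $Destination /COPY:DT /FFT /PURGE /J /R:1 /W:5 /NP "/LOG+:$LogFile"
    $rc = $LASTEXITCODE

    # Robocopy exit codes: 0-7 are success/informational bit flags, 8 and above mean failures.
    if ($rc -ge 8) {
        throw "Robocopy reported failures (exit code $rc); see $LogFile"
    }
}
finally {
    # Always restore protection, even if the copy threw or was interrupted.
    if ($stoppedByUs) {
        Start-Service -Name $ServiceName -ErrorAction Continue
        $final = Wait-ServiceStatus -Name $ServiceName -Status 'Running' -Timeout $TimeoutSeconds
        if ($final -ne 'Running') {
            Write-Error "$ServiceName did not return to Running; re-enable Active Protection manually"
        }
    }
}
```

Two practical notes. First, the thread's own testing shows that copying to a USB drive or NAS does not trigger Active Protection, so if the destination can be external or remote there is no need to stop the service at all; only a local-to-local copy (or a /MIR delete of local .tib files) needs this workaround. Second, the window in which the service is stopped is a real gap in ransomware protection, so keep it as short as the copy itself and confirm afterwards (for example with Get-Service AcronisActiveProtectionService) that the service is back in the Running state.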