
active protection for ransomware

Thread needs solution
Beginner
Posts: 2
Comments: 0

I recently updated to True Image 2017 and allowed Active Protection to be active.

Several times I have received a message that Acronis has been protected against an attempt to change the Acronis file. But it does not tell me what program, service, web site etc. made the effort. Is this just a false positive, and would a real attempt provide a source of the problem? Antivirus and malware programs do not ID anything.

Also, when I shut down the computer, there is no longer a message from Acronis at the blue screen that it is saving data. Is this to be expected with the update?

Legend
Posts: 110
Comments: 28583

Joseph, I think that you would need to look at what messages are being written to the logs for any active protection messages that are posted, but be prepared for the log files to be very large at times!

The logs are located at C:\ProgramData\Acronis\Active Protection\Logs and will be seen as anti_ransomware_££££_2017-02-05-HH-MM-SS.log named files, where ££££ = 4 digits.

You would probably have to search for either the time of the event or for the name of the file protected etc. These types of message are mostly informational rather than necessarily a definite indication of malware activity.

The current Log File Viewer (link in my signature) hasn't been updated for these new logs in the New Generation product version, but this is work in progress and the current new log file viewer is being tested by the MVPs and is looking good, so should be making an appearance soon.

Frequent Poster
Posts: 4
Comments: 566

Hello Joseph,

You are seeing messages from the self-defence module that watches over Acronis' own settings and files. In its first version, introduced in the current release, it does not display the name of the process that attempted to modify files or settings of Acronis software. It is possible to find that information in the log files. Logs are very detailed and are made primarily for issue investigation and troubleshooting purposes, not for daily monitoring.

The other part of Active Protection, the main one actually, that protects your files and documents, does show a window telling you what process attempted to encrypt your data, as well as what documents have become the target of the attack.

It is totally correct behavior that you do not see messages from Acronis at system shutdown. It was the scheduler component that was producing them; we made an effort to make it work less noticeably than before.

Regards,

Slava

Beginner
Posts: 0
Comments: 1

Here's an example:

2017-05-11 13:00:07:397 2496 I00000000: Process [21 (internal), 1992 (system-wide), "C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe"] granted access to path 'C:\ProgramData\Acronis\TrueImageHome\Database\NotaryStorage'
2017-05-11 13:00:07:402 2496 I00000000: [driver] Process  [21 (internal), 1992 (system-wide), "C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe"] is trying to access path 'C:\ProgramData\Acronis\TrueImageHome\Database\NotaryStorage-wal' with access mask = 0x12019f [ READ_CONTROL SYNCHRONIZE FILE_ADD_FILE FILE_ADD_SUBDIRECTORY FILE_CREATE_PIPE_INSTANCE FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_DATA FILE_READ_EA FILE_WRITE_ATTRIBUTES FILE_WRITE_DATA FILE_WRITE_EA ]
2017-05-11 13:00:07:402 2496 I00000000: "C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe" can be trusted (cache)
2017-05-11 13:00:07:402 2496 I00000000: "C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe" can be trusted (cache)
2017-05-11 13:00:07:402 2496 I00000000: Process [21 (internal), 1992 (system-wide), "C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe"] granted access to path 'C:\ProgramData\Acronis\TrueImageHome\Database\NotaryStorage-wal'
2017-05-11 13:00:07:406 2496 I00000000: [driver] Process  [21 (internal), 1992 (system-wide), "C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe"] is trying to access path 'C:\ProgramData\Acronis\TrueImageHome\Database\NotaryStorage-shm' with access mask = 0x12019f [ READ_CONTROL SYNCHRONIZE FILE_ADD_FILE FILE_ADD_SUBDIRECTORY FILE_CREATE_PIPE_INSTANCE FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_DATA FILE_READ_EA FILE_WRITE_ATTRIBUTES FILE_WRITE_DATA FILE_WRITE_EA ]
2017-05-11 13:00:07:406 2496 I00000000: "C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe" can be trusted (cache)

So, basically, Acronis is catching itself accessing its own files and gives itself permission! Great. Maybe this is nice to log. But do I, the user, really need to get pop-ups telling me all about it?

This is the problem:

The event throws up a dialog box that grabs focus, then sits there until it's dismissed. So, for example, if you're in the middle of typing something, suddenly your keystrokes vanish. This is annoying.

Actually, it's *very* annoying, especially since this keeps happening quite frequently. Maybe Acronis is capturing these keystrokes for a reason? Maybe I was typing in a password at the time.

This is bad design. Or maybe it's simply a bug? Can this get fixed asap?
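Added example, not part of the original posts and not Acronis code: a small Python parser for the two message shapes visible in the excerpt above, so that a log can be searched by protected-file name or event time as suggested earlier in the thread. It only recognises the "is trying to access" and "granted access" lines shown on this page; a request reported without a grant simply has no grant line in the text searched.

```python
import re

# Message shapes copied from the excerpt in the post above; other line types are skipped.
HEAD = r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3}) \d+ \w+: '
PROC = r'Process\s+\[\d+ \(internal\), (?P<pid>\d+) \(system-wide\), "(?P<exe>[^"]+)"\] '
REQUEST = re.compile(HEAD + r"\[driver\] " + PROC + r"is trying to access path "
                     r"'(?P<path>[^']+)' with access mask = (?P<mask>0x[0-9a-fA-F]+)")
GRANT = re.compile(HEAD + PROC + r"granted access to path '(?P<path>[^']+)'")

# Windows access-right bits that permit modification: FILE_WRITE_DATA, FILE_APPEND_DATA,
# FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES, DELETE, WRITE_DAC, WRITE_OWNER.
MODIFY_BITS = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000

def access_requests(lines):
    """One record per [driver] request; granted if a later grant names the same PID and path."""
    requests = []
    for line in lines:
        m = REQUEST.match(line)
        if m:
            requests.append({"time": m["ts"], "pid": int(m["pid"]), "exe": m["exe"],
                             "path": m["path"], "granted": False,
                             "modify": bool(int(m["mask"], 16) & MODIFY_BITS)})
            continue
        m = GRANT.match(line)
        if m:
            for req in requests:
                if (not req["granted"] and req["pid"] == int(m["pid"])
                        and req["path"].lower() == m["path"].lower()):
                    req["granted"] = True
                    break
    return requests

def search(lines, path_part="", time_prefix=""):
    """Filter requests by protected-file name and/or time of the event."""
    return [r for r in access_requests(lines)
            if path_part.lower() in r["path"].lower() and r["time"].startswith(time_prefix)]

# Three lines taken verbatim from the excerpt above (it ends before any decision on "-shm").
SAMPLE = r"""
2017-05-11 13:00:07:402 2496 I00000000: [driver] Process  [21 (internal), 1992 (system-wide), "C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe"] is trying to access path 'C:\ProgramData\Acronis\TrueImageHome\Database\NotaryStorage-wal' with access mask = 0x12019f [ READ_CONTROL SYNCHRONIZE FILE_ADD_FILE FILE_ADD_SUBDIRECTORY FILE_CREATE_PIPE_INSTANCE FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_DATA FILE_READ_EA FILE_WRITE_ATTRIBUTES FILE_WRITE_DATA FILE_WRITE_EA ]
2017-05-11 13:00:07:402 2496 I00000000: Process [21 (internal), 1992 (system-wide), "C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe"] granted access to path 'C:\ProgramData\Acronis\TrueImageHome\Database\NotaryStorage-wal'
2017-05-11 13:00:07:406 2496 I00000000: [driver] Process  [21 (internal), 1992 (system-wide), "C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe"] is trying to access path 'C:\ProgramData\Acronis\TrueImageHome\Database\NotaryStorage-shm' with access mask = 0x12019f [ READ_CONTROL SYNCHRONIZE FILE_ADD_FILE FILE_ADD_SUBDIRECTORY FILE_CREATE_PIPE_INSTANCE FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_DATA FILE_READ_EA FILE_WRITE_ATTRIBUTES FILE_WRITE_DATA FILE_WRITE_EA ]
""".strip().splitlines()

if __name__ == "__main__":
    for r in access_requests(SAMPLE):
        print(r["time"], r["pid"], r["exe"], "->", r["path"], "modify" if r["modify"]
              else "read-only", "granted" if r["granted"] else "no grant line found")
```
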

Forum Moderator
Posts: 239
Comments: 6973

Hello Alexander,

Thank you for your posting! We haven't got similar reports from other users so far. Would you mind sharing a couple of screenshots that show the displayed popup window with details and the time when it appeared? Could you also send us the Acronis system report from the affected PC via the Feedback option, so that we can check the log files?

Thank you for your cooperation in advance!

Beginner
Posts: 1
Comments: 2

I had Active Protection post a message on possible ransomware and answered to correct the files. I should not have done this. How do I correct this and go back to my original files?

Forum Hero
Posts: 207
Comments: 5029

Good question; the ATI 2017 user guide (at least the one I have) does not discuss active protection, however it is discussed in the ATI user guide in section 11.6.4. It contains a link to an instruction video (click here), which may be of assistance. You can download the ATI 2018 user guide here. That is for Windows; for Mac, here.

Ian