#CyberFit Academy

Cyber Protect Cloud

Cloud Tech Associate Advanced Security

Meet your Instructor

Francisco Amadi
Partner Technology Evangelist EMEA
Milan, Italy
English and Italian
Francisco.Amadi@acronis.com

Francisco has been working at Acronis for over 14 years and has over 19 years of experience in the IT industry in the training, presales, support and system administration areas. He was previously a teacher of mathematics, physics and computer science in high school. He has obtained multiple certifications from VMware, Microsoft and CompTIA Security+.

Learning Objectives

• Understand technical aspects of the Advanced Security Pack
• Understand the features (core security versus Advanced Security Pack), what they mean and how they are utilized
• Support and maintain clients on the Advanced Security Pack

Course Modules

1. Case Study
2. High Level Overview and Benefits
3. Core Solution - Security Components
4. Advanced Security - Technical Discussion Part 1, 2, 3
5. Scenarios and Examples

Cyber Protect Cloud
Case Study

Meet Emma
(IT Manager of an SMB company)

Manages IT, security and internal support
15 servers and about 120 clients
Using Acronis for local and cloud backup, another vendor for security
After a visit from her service provider, started trying Acronis Advanced Security features

The Disaster and the Opportunity

One of her managed applications crashed and got corrupted
In a hurry, she selected the Cloud location and enabled Safe Recovery

She discovered that there was an infected file in a backup
She was able to clean the infected file and complete the recovery process

Signing up

Acronis Cyber Protect Cloud
✓ Avoided reinfection thanks to Safe Recovery
✓ Switched all her workloads to Advanced Security
✓ Now she manages backup and security operations from one single console

Cyber Protect Cloud
High Level Overview and Benefits

Integrated Platform
An integrated solution of cyber security, backup, disaster recovery, management and automation built specifically for SPs

Security

Base Security:
▪ #CyberFit Score
▪ Vulnerability Assessment
▪ Anti-ransomware protection
▪ AV and Anti-malware protection
▪ Device control

Advanced Security:
▪ Anti-spam & Anti-malware with local signature-based protection
▪ URL filtering
▪ Exploit prevention
▪ Forensic Backups
▪ Smart Protection Plans

(Diagram: platform roles, Technicians and Owner)

Cyber Protect Cloud
Core Solution
Security Components

Core Solution – Security Components

1. #CyberFit Score
2. Vulnerability Assessment
3. Device Control
4. Quarantine
5. Active Protection
6. Antimalware (without local signature-based engine)

Cyber Protect Cloud
#CyberFit Score

Acronis #CyberFit Score

Simplify MSP operations and service upselling
Assess the level of protection of any machine:
• Is backup enabled?
• Is antimalware installed?
• Is the firewall in place?
• Are HDDs encrypted?
• Is a VPN in use?

Suggests remediation options based on the assessment

#CyberFit Score for machines

Based on the security assessment of a machine
▪ Supported OS: Windows 7, Windows Server 2008 R2 and above
▪ Recalculated when a Protection Plan is applied or any module in the Protection Plan is run

#CyberFit scoring mechanism (max 850):
▪ Antimalware protection: 0-275
▪ Backup protection: 0-175
▪ Firewall: 0-175
▪ Encryption: 0-125
▪ VPN: 0-75
▪ NTLM traffic: 0-25

#CyberFit Score

The following ratings apply to a machine:

0-579: Poor
580-669: Fair
670-739: Good
740-799: Very Good
800-850: Excellent
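Worked example of the scoring mechanism on the two slides above (component maxima that add up to 850, the rating bands, and remediation ordered by the points each fix would recover). This is an added illustration, not Acronis code: the slides give the weights and the bands but not how the agent measures each component, so the MachineFacts fields, the partial-credit rules and the remediation wording are assumptions made for the example.

```python
from dataclasses import dataclass

# Component maxima from the slide; they add up to the 850 maximum score.
MAX_POINTS = {
    "antimalware": 275,
    "backup": 175,
    "firewall": 175,
    "encryption": 125,
    "vpn": 75,
    "ntlm_traffic": 25,
}
assert sum(MAX_POINTS.values()) == 850

# Rating bands from the slide, as (inclusive lower bound, rating), highest first.
RATING_BANDS = [(800, "Excellent"), (740, "Very Good"), (670, "Good"), (580, "Fair"), (0, "Poor")]

# Remediation wording is an assumption; the slide only says remediation is suggested.
REMEDIATION = {
    "antimalware": "apply a protection plan with Antivirus & Antimalware protection enabled",
    "backup": "apply a protection plan with a backup schedule and confirm a recent successful backup",
    "firewall": "enable the host firewall (Microsoft Defender Firewall)",
    "encryption": "enable full-disk encryption on all fixed drives",
    "vpn": "route remote sessions through the corporate VPN",
    "ntlm_traffic": "restrict outgoing NTLM traffic to remote servers",
}


@dataclass
class MachineFacts:
    """Facts an assessment would collect from a machine (the field set is an assumption)."""
    antimalware_installed: bool
    antimalware_realtime: bool
    backup_enabled: bool
    backup_recent: bool          # last successful backup inside the policy window
    firewall_enabled: bool
    encrypted_drives: int
    total_drives: int
    vpn_in_use: bool
    ntlm_restricted: bool


def component_points(facts: MachineFacts) -> dict:
    """Score each component from 0 to its maximum. Partial-credit rules are assumptions."""
    pts = {}
    am = MAX_POINTS["antimalware"]
    pts["antimalware"] = am if facts.antimalware_installed and facts.antimalware_realtime \
        else (am // 2 if facts.antimalware_installed else 0)
    bk = MAX_POINTS["backup"]
    pts["backup"] = bk if facts.backup_enabled and facts.backup_recent \
        else (bk // 2 if facts.backup_enabled else 0)
    pts["firewall"] = MAX_POINTS["firewall"] if facts.firewall_enabled else 0
    # Encryption credit scales with the share of drives that are encrypted.
    pts["encryption"] = (MAX_POINTS["encryption"] * facts.encrypted_drives // facts.total_drives
                         if facts.total_drives else 0)
    pts["vpn"] = MAX_POINTS["vpn"] if facts.vpn_in_use else 0
    pts["ntlm_traffic"] = MAX_POINTS["ntlm_traffic"] if facts.ntlm_restricted else 0
    return pts


def cyberfit_score(facts: MachineFacts) -> int:
    return sum(component_points(facts).values())


def rating(score: int) -> str:
    """Map a 0-850 score onto the slide's rating bands."""
    if not 0 <= score <= 850:
        raise ValueError(f"score out of range: {score}")
    for lower, name in RATING_BANDS:
        if score >= lower:
            return name
    raise AssertionError("unreachable")


def remediation(facts: MachineFacts) -> list:
    """Suggest fixes ordered by how many points each would recover."""
    pts = component_points(facts)
    gaps = sorted(((MAX_POINTS[c] - pts[c], c) for c in MAX_POINTS if pts[c] < MAX_POINTS[c]),
                  reverse=True)
    return [f"+{gain}: {REMEDIATION[c]}" for gain, c in gaps]


if __name__ == "__main__":
    # Constructed machine: backup enabled but stale, one of two drives encrypted, no VPN.
    laptop = MachineFacts(True, True, True, False, True, 1, 2, False, True)
    total = cyberfit_score(laptop)
    print(total, rating(total))
    for line in remediation(laptop):
        print(line)
```

The remediation list is the useful output for an MSP: the biggest gap comes first, so the stale backup (88 points) outranks the missing VPN (75) and the half-encrypted disks (63) for the constructed laptop.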

(Screenshots: #CyberFit Score widget in the console; #CyberFit Score with Help and options)

Cyber Protect Cloud
Vulnerability Assessment

Vulnerability Assessment

Discover a potential issue before it happens
• Information from NVD (National Vulnerability Database)
• CPOC (Cyber Protection Operations Center) sends the information via the agent
• Another vulnerability assessment tool: a great way to validate patching
• Loss leader opportunity: patching service opportunity

Vulnerability Assessment

CVE: Common Vulnerabilities and Exposures
CVSS Score (Common Vulnerability Scoring System)
• Assigns severity scores: prioritize responses/resources
• Severity levels (CVSS v2 bands, as used on the original slide):
  a) None: 0
  b) Low: CVSS score of 0.1 – 3.9
  c) Medium: CVSS score of 4.0 – 6.9
  d) High: CVSS score of 7.0 – 10.0
• CVSS v3.x, which NVD also publishes, splits the top band: High is 7.0 – 8.9 and Critical is 9.0 – 10.0

Example: Log4j, December 2021 (CVE-2021-44228)
• Score: 10.0 Critical (CVSS v3.1)
Search: https://nvd.nist.gov/vuln/search

(Screenshots: Vulnerability Assessment settings, what can be scanned; scheduling options)

Cyber Protect Cloud
Device Control

Device Control

• Protection / prevention of data leakage
• Allowed / Read-only / Denied options per device type
• Option: let the end user know when trying to utilize a blocked device type
• USB or FireWire port options and redirected devices
• Choose devices that are allowed regardless of permissions (exclusion list)

(Screenshots: Device Control settings; Access settings, device list permissions; USB and FireWire ports; Redirected devices; Device types allowlist)

Cyber Protect Cloud
Quarantine

Quarantine

Special isolated folder on a machine's hard disk where the suspicious files detected by Antivirus and Antimalware protection are placed to prevent further spread of threats

Quarantine locations on machines:
• Windows: %ProgramData%\%product_name%\Quarantine
• Mac: /Library/Application Support/Acronis/Quarantine
• Linux: /opt/Acronis/Quarantine
To view, go to Protection > Anti-malware > Quarantine tab

Actions with Quarantined Files

Available actions: Delete | Restore | Add to whitelist

1. Non-malicious file: add the file to the whitelist and restore it
2. One-time action (antimalware flagged a specific file, example: a keygen): use restore only
3. Restoring a malicious file without whitelisting it: it is detected during the next scan and quarantined again

Files are automatically deleted after the time period defined in the Antimalware module (default 30 days)

(Screenshots: Quarantined files; Actions with quarantined files)

Cyber Protect Cloud
Active Protection

Active Protection
Backup industry’s most advanced anti-ransomware technology

Persistently guards files, including local backups, from unauthorized modification and/or encryption attacks
Instantly restores files to the most recently backed up version should ransomware manage to get through the defense
Relentlessly defends backups from alteration by hardening the Acronis agent application from attacks
Actively future-proofs your data protection because it is based on a behavioral heuristic approach and white-listing

David Walkiewicz, Director Test Research, av-test.org:
"Acronis provided excellent performance, is easy to use and has a rich feature set. On top of that it is the only solution in the test to provide dedicated protection from ransomware attacks. This earned Acronis the first ever approved backup & data security certificate of AV-TEST."

Active Protection

Protects against:
• Ransomware (AI-based and process behavior)
• Process injection and crypto mining
• Malicious intent against Acronis backup files and software
• External drive attacks
• Network folder and server-side attacks

Active Protection

Trusted or blocked processes and folders
• Specify certain processes that are never considered malware
• Example: home-grown application
• Microsoft processes are always trusted
• Specify certain processes to always be blocked

(Screenshot: Active Protection settings)

Active Protection
Protects collaboration and communications applications (self-protection selection):

• Zoom, Cisco WebEx, Microsoft Teams, Citrix Workspace
• Protects application processes from code injections
• Prevents suspicious operations by application processes
• Protects the "hosts" file from having domains related to the application added
• Supported OS: Windows

Active Protection

Monitoring processes:
• A third-party process tries to encrypt files (or mine cryptocurrency): Active Protection goes into action
• Prevents unauthorized changes to Acronis processes, registry, configuration files, executables and backups located in local folders
• Utilizes behavioral heuristics

Active Protection

Ransomware blocks access to data
• Unless the ransom is paid, threatens to delete the data or make it public
• Double extortion: not just encrypting but threatening to publicize data
• Different ways in:
  ✓ Open attachment: downloads the malicious payload and encrypts
  ✓ Utilize software exploits, flaws or other vulnerabilities to gain access
• Internet-facing servers or remote desktop logins
• Hunt through the network until they control as much as they can before encrypting

Active Protection

Process Injection
• Used for legitimate purposes
  • Debuggers hook into an application
  • Antivirus services inject into browsers to investigate browser behavior, website content and Internet traffic
• Used for malicious purposes
  • Hiding the true nature of actions (hiding existence)
  • Masking as a legitimate-looking process
  • DLL injection is the most common form
  • Others include Portable Executable (PE) injection, process hollowing and registry modification

Active Protection
Things to help

Active Protection: actively monitors local drives and prevents backup files from being modified by malicious means
Manage access control and running privileges:
• Grant minimal privileges to users
• No elevation of privileges without administrator consent
• A process launched by a standard user inherits that user's permissions and is limited in the system-level changes it can make
• Prevents malware from turning off the firewall or modifying registry settings
Whitelisting inside Cyber Protect: helps prevent unvetted software from running

Active Protection
Behavior and how we respond
In-place overwrite, rename or new-file behavior

Ransomware opens and modifies a file in place, renames it, or creates a new file (copies the original, modifies the new file and deletes the older one)

The driver provides file access notifications to the service along with heuristics data, and performs copy-on-write of suspicious activities.
The service detects the case: it suspends the ransomware process and the driver rolls the file back from the cache

Active Protection
Behavior and how we respond
Master boot record (MBR) overwrite

Ransomware overwrites the MBR; the system is then rebooted and encrypted on reboot (disguised as chkdsk)

The driver watches WRITE/SCSI operations to the MBR via the raw file system and notifies the service. The service verifies the process and makes the decision

Active Protection
Behavior and how we respond
In-place, rename or new file with injection into a known good process

Ransomware injects into a good and well-known process and performs malicious actions like the above.

The driver provides an injection-attempt notification to the service. The service tells the driver to watch the process without performing copy-on-write. When a suspicious pattern is detected, the user is instructed to recover files from the cloud
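The in-place overwrite / rename / new-file case and the copy-on-write rollback described on the three slides above, as an added simulation that is not Acronis code (the real driver and service are not documented here). An in-memory dict stands in for the disk, a list of dicts for the driver's file-access notifications, and the heuristics (an entropy threshold on written data, a changed file extension on rename, three suspicious events before the process is suspended) are assumptions chosen for the example; the real engine compares against a database of behavior patterns, as the Behavior Engine slide states.

```python
import math
import os
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and compressed data sit close to 8.0, documents well below."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


class ActiveProtectionSim:
    """Service-side logic fed by a stand-in for the driver's file-access notifications."""
    ENTROPY_THRESHOLD = 7.5   # assumption
    SUSPICIOUS_EVENTS = 3     # assumption

    def __init__(self, files: dict, trusted_processes=()):
        self.files = dict(files)            # path -> bytes; stands in for the local disk
        self.trusted = set(trusted_processes)
        self.cow = defaultdict(dict)        # pid -> {path: bytes before the first change}
        self.created = defaultdict(set)     # pid -> paths the process created or renamed into
        self.score = defaultdict(int)
        self.suspended = set()

    def _snapshot(self, pid: int, path: str) -> None:
        """Copy-on-write: keep the original bytes the first time a process changes a file."""
        if path in self.files and path not in self.cow[pid] and path not in self.created[pid]:
            self.cow[pid][path] = self.files[path]

    def _apply(self, ev: dict) -> None:
        op = ev["op"]
        if op in ("write", "create"):
            self.files[ev["path"]] = ev["data"]
        elif op == "delete":
            self.files.pop(ev["path"], None)
        elif op == "rename":
            self.files[ev["new_path"]] = self.files.pop(ev["path"])

    def _suspend_and_rollback(self, pid: int) -> None:
        """Suspend the process, drop what it created and restore every snapshot it triggered."""
        self.suspended.add(pid)
        for path in self.created.pop(pid, set()):
            self.files.pop(path, None)
        for path, original in self.cow.pop(pid, {}).items():
            self.files[path] = original

    def handle(self, ev: dict) -> str:
        pid, proc, op = ev["pid"], ev["process"], ev["op"]
        if proc in self.trusted:
            self._apply(ev)
            return "allowed (trusted)"
        if pid in self.suspended:
            return "blocked (suspended)"
        if op in ("write", "delete", "rename"):
            self._snapshot(pid, ev["path"])
        if op == "create":
            self.created[pid].add(ev["path"])
        if op == "rename":
            self.created[pid].add(ev["new_path"])
            if os.path.splitext(ev["path"])[1] != os.path.splitext(ev["new_path"])[1]:
                self.score[pid] += 1          # new extension appended: a classic ransomware tell
        if op in ("write", "create") and shannon_entropy(ev["data"]) >= self.ENTROPY_THRESHOLD:
            self.score[pid] += 1              # high-entropy output where a document used to be
        self._apply(ev)
        if self.score[pid] >= self.SUSPICIOUS_EVENTS:
            self._suspend_and_rollback(pid)
            return "suspended, files rolled back"
        return "allowed"


HIGH_ENTROPY = bytes(range(256)) * 4   # constructed stand-in for ciphertext: exactly 8.0 bits/byte


def run_demo() -> tuple:
    """Replay a constructed event stream: one ransomware-like process, one trusted editor."""
    disk = {
        "C:/Users/emma/report.docx": b"Quarterly report draft, plain text content.",
        "C:/Users/emma/budget.xlsx": b"Budget figures, plain text content.",
        "C:/Users/emma/notes.txt": b"todo list",
    }
    ap = ActiveProtectionSim(disk, trusted_processes={"notepad.exe"})
    bad = {"pid": 4242, "process": "invoice_macro.exe"}
    events = [
        {**bad, "op": "write", "path": "C:/Users/emma/report.docx", "data": HIGH_ENTROPY},
        {**bad, "op": "rename", "path": "C:/Users/emma/report.docx",
         "new_path": "C:/Users/emma/report.docx.locked"},
        {**bad, "op": "write", "path": "C:/Users/emma/budget.xlsx", "data": HIGH_ENTROPY},
        {**bad, "op": "write", "path": "C:/Users/emma/notes.txt", "data": HIGH_ENTROPY},
        {"pid": 1001, "process": "notepad.exe", "op": "write",
         "path": "C:/Users/emma/notes.txt", "data": b"todo list, updated"},
    ]
    return [ap.handle(e) for e in events], ap.files
```

The third event tips the score over the threshold, so the process is suspended and the two documents it already encrypted come back from the copy-on-write cache, while the fourth event from the same process never reaches the disk; the trusted editor is untouched. Note the detection fires only after some damage has been done, which is why the slides pair it with rollback rather than relying on blocking alone.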

Active Protection
Threat actors' ways

Monitors local drives and prevents backup files from being modified maliciously.

End-to-end encryption: restricts file modification activities to signed and authorized Acronis agent software.
a) Criminals go after and attack backup files, and attack the agent on devices, which acts as the gateway to data in the cloud
b) There are many ways to inject malicious code into a local agent and compromise backup data in the cloud

Cyber Protect Cloud
Antimalware (without local signature-based engine)

Antimalware – Core Solution

Supports Windows, Linux and macOS
• 3rd party antivirus present when applying the Protection Plan Antimalware module: alert generated and on-access protection stopped to prevent conflicts
• To enable full functionality: disable/uninstall the 3rd party antivirus

Quick / Full scans configurable
• Full scan: checks all files on the machine
• Quick scan: checks only machine system files
• Detected threats quarantined and automatically deleted after 30 days (default)

Exclusions can be configured
• Trust certain files, folders and processes
• Block specific processes

Antimalware – Core Solution

Cloud Based Signature Detection (File Reputation Services (FRS))
• Works with specific hash-based small signatures
• Cloud look-up can help for an on-demand scan when something is not executed
• If executed we can look it up, but it might have already started
• FRS is hash only: not much data is sent for the look-up
• No sandbox analysis at this time and no files sent
• Our own FRS is being used
• FRS determines if a file is good or bad
• Using (among other things) VirusTotal: hash checking against the cloud database
• Update our list for the FRS (expanding to other services in future)

Antimalware – Core Solution

Cloud Based Signature Detection (File Reputation Services (FRS))
• Example: VirusTotal says 10 other AV vendors detected the file
  1. Some plausibility checking, then add to our list for blocking with FRS right away
  2. 10 is not a magic number
  3. A statistical guess is taken on VirusTotal, so it is not a fixed number (Symantec and McAfee can have higher weights on this)
• One concern: it may take a while until the first "victim" uploads a file. Benefit of the Advanced Pack.
• Behavior-based detection and other layers might help, but this is not guaranteed

(Screenshot: Antimalware settings, items not part of the core solution; Quarantined files)

Behavior Engine

Protects workloads using behavioral heuristics to identify malicious processes.
Compares the chain of actions performed by a process with chains of actions recorded in a database of malicious behavior patterns.
Additionally supports Macs with Apple M1/M2 CPUs (July 2022).
Go to Protection plans > Antivirus and Antimalware protection > Behavior engine.

Stacktrace AI Analyzer

ML-based malware detection technology
Recognizes legitimate vs. malicious injections
Analysis of 25B+ processes
100M+ unique stacktrace database
Advantages:
• Trusted processes monitoring
• Lightweight GBM (gradient boosting) ML model
• Fast response time: ~10 ms

Section Summary

1. #CyberFit Score: security posture of a machine
2. Vulnerability assessment: scanning to determine the vulnerabilities existing for applications. Loss leader to introduce patch management, and a validation tool after patching
3. Device control: assists in preventing leakage of information / intellectual property. Fine-tuned abilities (lock down USB ports but allow a webcam to be used)
4. Malicious items (or items reported as malicious) enter the system; quarantine allows review of what was triggered. Determine what to do: delete, restore or add to the allowlist
5. Active Protection helps with ransomware attacks, video conferencing attacks, external drive protection, network folder and server-side protection. Trusted or blocked processes and folders can be defined (helps with home-grown applications)
6. AI-based behavior heuristics: protect against unauthorized changes to Acronis processes, alteration of the backup agent, registry, configuration files, executables and backups located in local folders
7. Antimalware protection (core solution) provides: behavior-based protection; cloud-based file reputation services; quick and full scans
8. Trust certain files, folders and processes and block certain processes to reduce false positives
9. 3rd party anti-virus present when applying a protection plan: alert generated and on-access protection is disabled (to stop system conflicts)

Cyber Protect Cloud
Advanced Security
Technical Discussion – Part 1

Advanced Security Components Part 1

1. Forensic Backup
2. URL Filtering
3. Corporate Allowlist (automatic and manual)
4. Backup Scanning (scanning cloud backups for malware)

Forensic Backup

Forensic Backup
What is it?

US-CERT (United States Computer Emergency Readiness Team) main goal:
Identify > Collect > Preserve > Analyze

Preserve the integrity of the evidence collected so it can be used in legal cases

Forensic Backup
What is it?
Capture original data in an unaltered state

IMAGE
▪ Not for a working copy (evidence preservation purpose)
▪ A bit-by-bit copy is an image
VS
CLONE
▪ Working copies for analysis (could be for preservation purposes)

Hash

Hash signature: a cryptographically secure checksum that proves a byte stream did not change
Difference in hash value between the original and a copy? Confirms they are not exact copies
Hash applied to the entire image

Used to establish chain of custody
• Evidence preservation: chain of custody fulfills this
• Evidence collected needs to be protected against tampering

Forensic Backup

Supports Windows 8.1, Windows Server 2012 R2 and above
• Backup destinations: Cloud, external drive, network folders
• Entire machine backup only
• Snapshot of unused disk space and running processes along with a full memory dump (1)
• Automatically notarized
• A Protection Plan with forensic data enabled cannot be disabled

Recovery:
• Recovered as entire machine

(1) A full memory dump may contain sensitive data such as passwords

Forensic Backup Process

1. Collects a raw memory dump (.DMP) and then the list of running processes
2. Reboots the machine into the bootable environment
3. Creates the backup (occupied and unoccupied space)
4. Notarizes the backup
5. Reboots into the OS and continues plan execution

Data can be selected for recovery:
• A CSV file of processes, threads and modules and the DMP file of the memory dump can be downloaded

Forensic Backup

Notarization certificate download:
• Entire machine recovery task from the forensic backup
• Select Get certificate from the Disk mapping view (no need to perform the recovery if the purpose is only to obtain the notarization certificate)

tibxread command-line tool:
• Used for manual checking of the integrity of the backed-up data

Forensic Backup

Notarization: prove the backup is authentic and unchanged since it was taken

1. The agent calculates the hash code of the full image backup, builds a hash tree (Merkle tree) and saves the tree in the backup
2. The agent sends the hash tree root to the notary service (Acronis Notary Cloud)
3. The notary service saves the hash tree root in a blockchain database (Ethereum)
4. Verifying authenticity: the root is recomputed from the backup with forensic data and compared with the saved root
   Match > Authentic
   Not match > Not authentic
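The notarization flow on the slide above, as an added example that is not Acronis code: a SHA-256 Merkle tree over the image chunks, a root handed to a stand-in notary that keeps only the root, verification by recomputing the root, and per-chunk proofs so a single chunk can be checked against the notarized root without rehashing the whole image. The chunk size, hash function, odd-node handling and certificate fields are assumptions; a dict replaces the blockchain record.

```python
import hashlib

CHUNK_SIZE = 1024 * 1024  # assumption: the agent's real chunking is not documented here


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hashes(image: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Hash the image chunk by chunk; each chunk hash is a leaf of the tree."""
    return [sha256(image[i:i + chunk_size]) for i in range(0, max(len(image), 1), chunk_size)]


def _next_level(level: list) -> list:
    if len(level) % 2:
        level = level + [level[-1]]  # pair an odd last node with itself (assumption)
    return [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: list) -> bytes:
    """Fold the leaves up to a single root hash; this is what gets notarized."""
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: list, index: int) -> list:
    """Sibling hashes from one leaf up to the root, as (sibling, sibling_is_right) pairs."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append((level[index ^ 1], index % 2 == 0))
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(leaf: bytes, proof: list, root: bytes) -> bool:
    """Recompute the path to the root from one chunk hash; the whole image is not needed."""
    h = leaf
    for sibling, sibling_is_right in proof:
        h = sha256(h + sibling) if sibling_is_right else sha256(sibling + h)
    return h == root


class Notary:
    """Stand-in for the notary service: it stores only the root, never the data."""

    def __init__(self):
        self.records = {}  # backup_id -> root hex; replaces the slide's blockchain record

    def notarize(self, backup_id: str, root: bytes) -> dict:
        self.records[backup_id] = root.hex()
        return {"backup_id": backup_id, "hash_tree_root": root.hex(), "algorithm": "sha256-merkle"}

    def verify(self, backup_id: str, root: bytes) -> bool:
        return self.records.get(backup_id) == root.hex()


def demo() -> tuple:
    """Notarize a constructed image, then verify an intact and a tampered copy."""
    image = b"MBR:bootcode|NTFS:system|NTFS:users|unused:zeros"  # constructed stand-in for a disk image
    chunk = 8                                                   # tiny chunks so the tree has several levels
    notary = Notary()
    notary.notarize("forensic-backup-001", merkle_root(leaf_hashes(image, chunk)))
    intact = notary.verify("forensic-backup-001", merkle_root(leaf_hashes(image, chunk)))
    tampered = bytearray(image)
    tampered[20] ^= 0x01                                        # flip one bit in the third chunk
    altered = notary.verify("forensic-backup-001", merkle_root(leaf_hashes(bytes(tampered), chunk)))
    return intact, altered
```

A single flipped bit changes one leaf and therefore the root, so the notary comparison fails; because the tree is stored with the backup, an investigator can also produce a proof for one chunk and have it checked against the notarized root without shipping the image.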

Forensic Backup

When you set up forensics in the backup options and save the plan, you cannot switch it back; you can only delete the plan

When needed:
• Create a protection plan with the machine selected for forensic backup and turn forensics on
• Perform the backup process and verify the certificate produced
• The protection plan (whose only purpose was the forensic backup at that time) can then be deleted for that machine

(Screenshots: Enable collection of forensic data in Backup options; Recover forensic data; Select forensic data to recover)

VIDEO – Forensic Process

URL Filtering

URL Filtering

Malware is distributed by malicious or infected sites, using drive-by-download methods to infect a machine

• Checks HTTP/HTTPS connections against the URL filtering database
• URL deemed malicious: the user is prevented from accessing it, or a warning alert is shown
• HTTPS: prevent option only / no warning alert
• URL filtering database includes sites sourced from URLhaus (1)
• URLs can be manually added as Trusted or Blocked sites
• 44 website categories: helps block traffic to website categories to which access is prohibited (alert generated)

(1) The URLhaus database https://urlhaus.abuse.ch/browse/ includes submissions from Google Safe Browsing (GSB), Spamhaus DBL and SURBL

(Screenshots: URL Filtering settings; Warning alert when a URL is blocked)

URL Filtering

Wildcard: no need to list subdomains or http/https/www
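Added example of the matching rules implied by the URL Filtering slides above (trusted and blocked lists, category blocking with an alert, feed-based malicious URLs, warn-or-prevent with HTTPS limited to prevent, and list entries written without scheme, www or subdomains). It is not Acronis code: the precedence order, the wildcard form, the tiny feed and category tables are constructed assumptions for the example, and the host normalization does not handle IPv6 literals.

```python
# Constructed stand-ins; a real deployment gets these from the vendor feed and category database.
MALICIOUS_HOSTS = {"malware-drop.example", "*.phish-login.example"}
CATEGORY_OF = {"facebook.com": "social networks", "instagram.com": "social networks", "espn.com": "sports"}


def normalize_host(entry: str) -> str:
    """Reduce a URL or list entry to a bare host: drop scheme, credentials, port, path and 'www.'."""
    host = entry.strip().split("://", 1)[-1]
    host = host.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    host = host.rsplit("@", 1)[-1].split(":", 1)[0].lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def host_matches(host: str, pattern: str) -> bool:
    """A bare domain covers itself and all subdomains; '*.example.com' means the same thing."""
    p = normalize_host(pattern)
    if p.startswith("*."):
        p = p[2:]
    return host == p or host.endswith("." + p)


def category_of(host: str) -> str:
    for domain, cat in CATEGORY_OF.items():
        if host_matches(host, domain):
            return cat
    return "uncategorized"


def decide(url: str, policy: dict) -> tuple:
    """Return (action, reason). Precedence is an assumption: trusted, blocked, category, feed."""
    host = normalize_host(url)
    is_https = url.strip().lower().startswith("https://")
    if any(host_matches(host, p) for p in policy["trusted"]):
        return "allow", "trusted list"
    if any(host_matches(host, p) for p in policy["blocked"]):
        return "block", "blocked list"
    cat = category_of(host)
    if cat in policy["blocked_categories"]:
        return "block", f"category '{cat}' (alert generated)"
    if any(host_matches(host, p) for p in MALICIOUS_HOSTS):
        action = policy["malicious_action"]          # "block" or "warn"
        if is_https and action == "warn":
            action = "block"                         # slide: HTTPS supports the prevent option only
        return action, "malicious URL database"
    return "allow", "no match"


# Constructed policy mirroring the scenario slide: facebook.com trusted, ESPN blocked, social category denied.
POLICY = {
    "trusted": ["facebook.com"],
    "blocked": ["*.espn.com"],
    "blocked_categories": {"social networks"},
    "malicious_action": "warn",
}

if __name__ == "__main__":
    for u in ("https://www.facebook.com/groups/1", "https://instagram.com/p/abc",
              "http://malware-drop.example/x.exe", "https://malware-drop.example/x.exe"):
        print(u, "->", decide(u, POLICY))
```

The trusted entry wins over the category rule, which is what lets facebook.com through while the rest of the social category is blocked, and the same malicious host is only warned about over HTTP but prevented over HTTPS, matching the slide's "prevent option only" note for HTTPS.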

Corporate Allowlist

Corporate Allowlist
• Applications detected as false positives by antivirus solutions
• Need to be added manually as trusted applications to the whitelist (avoid unwanted errors and disruptions)
• Automate by scanning cloud backups:
  • Scan backups of two or more machines and enable Automatic generation of whitelist
  • Level of heuristic detection configurable: Default | Low | High
• With automatic generation of the allowlist enabled, manual adding of applications is still available (automatic generation takes seven days to run)
• Allowlist used by all agents during antimalware scanning

(Screenshots: Corporate Allowlist; Enable Automatic generation of whitelist and level of heuristics)

Backup Scanning

Backup Scanning

Cloud storage scanned for malware (prevents restoring infected files):
• Windows OS:
  • Only Entire machine or disks/volumes backups are scanned
  • NTFS file system with GPT or MBR partitioning volumes
• Acronis Cloud Backups only
• After a backup scanning plan is created, it is placed in a queue for execution
• May take time for the scan to start/complete depending on the queue; the backup shows the Not scanned status until scanning is complete
• Status of the backup once completed: No malware | Malware detected

(Screenshots: Create Backup Scanning plan; Backup Scanning plan settings)

Section Summary

1. Forensic backup goal: identify, collect (in unaltered state), preserve and analyze data. Enables investigation in the event of a security incident.
2. Forensic backup takes a snapshot of unused disk space, a full memory dump, a snapshot of running processes and an entire machine backup. It is automatically notarized.
3. URL filtering: helps with malware distributed by malicious or infected sites or drive-by-download methods. Checks HTTP and HTTPS connections. Provides the option to allow or block.
4. Allowlist: helps reduce false positives. Two or more machines with backup scanning are required. The automatic list takes seven days to produce results.
5. Backup scanning scans backups stored in Acronis cloud storage for malware. Volumes must use the NTFS file system with GPT or MBR partitioning. Cloud backups are placed in a queue for execution.

Cyber Protect Cloud
Advanced Security
Technical Discussion – Part 2

Advanced Security Components Part 2

1. Safe Recovery
2. Windows Defender Antivirus / Microsoft Security Essentials Integration
3. Microsoft Defender Firewall Management
4. Remote Wipe
5. Smart Protection Plans

Safe Recovery

Safe Recovery

Antimalware scanning and deletion performed as part of recovery (prevents reinfection if malware is present):
• Windows physical or virtual machine with Agent for Windows installed
• Supported backup types: Entire machine or disks/volumes backup of NTFS volumes
• Backups are scanned to determine if malware is present
• Backup storage tab shows these statuses:
  • No malware
  • Malware detected
  • Not scanned
• Backup recovered and detected malware deleted

(Screenshot: Enable Safe Recovery)

Windows Defender Antivirus / Microsoft Security Essentials Integration

Windows Defender / Security Essentials Antivirus

Can be configured and managed from the service console:
• Single place for managing/viewing Windows Defender Antivirus (Windows 8 / Windows Server 2012 and above) and Microsoft Security Essentials (before Windows 8) configurations and statuses
• Configure scheduled scans, default actions, real-time protection and exclusions

(Screenshots: Windows Defender Antivirus settings; Microsoft Security Essentials settings)

Microsoft Defender Firewall Management

Firewall management for Microsoft Defender

Can be managed from the service console:
• Enable/Disable Microsoft Defender Firewall in a protection plan
• Ability to configure other firewall rule settings in future versions
• Use alongside Cyber Scripting's "Configure firewall" script to configure Microsoft Defender Firewall on workloads, using the recommended Acronis configuration
• Alerts administrators of any unintended tampering with firewall settings (example: firewall unexpectedly turned off)
• Protection plan > Firewall Management

(Screenshots: Microsoft Defender Firewall settings; Enable Microsoft Defender Firewall)

Remote Wipe

Remote Wipe

Deletion of all data on a remote machine (loss or theft):
• Windows 10 and above
• Select the machine, click Details > Wipe data (1)
• Remote wipe is initiated when the machine is turned on and connected to the Internet
• All data deleted and the machine returned to factory default state

(1) Remote wipe uses the RemoteWipe CSP and requires Windows Recovery Environment (Windows RE) to be enabled on the machine in order to function

(Screenshot: Remote Wipe setting in machine Details)

Smart Protection Plans

Smart Protection Plans

Acronis Cyber Protection Operations Center (CPOC) generates security alerts sent to the related geographic regions
• Provides information about malware, vulnerabilities, natural disasters, public health and other types of global events that may affect users
• Can include recommended actions provided by security experts to resolve the security alert
• Alerts are automatically cleaned up after the following time periods:
  • Natural disasters: 1 week
  • Vulnerability: 1 month
  • Malware: 1 month
  • Public health: 1 week

(Screenshots: Cyber Protection widgets; Security alert details with recommended actions; Select recommended actions to take)

Section Summary

1. Safe Recovery can be performed as part of recovery to prevent reinfection if malware is present in the backup. Physical or virtual Windows machines with the agent installed are needed, and the backup types are entire machine or disks/volumes in NTFS format.
2. Single place to manage, view and configure Windows Defender and Security Essentials inside protection plans.
3. Single place to enable/disable Microsoft Defender Firewall and to receive alerts in case of firewall settings tampering.
4. Remote wipe: ability to set a Windows 10/11 machine back to factory default settings (lost/stolen machine).
5. Security alerts generated from Acronis CPOC for geographic regions related to malware, vulnerabilities, natural disasters, public health and other types of events that may affect clients' systems and data.

Cyber Protect Cloud
Advanced Security
Technical Discussion – Part 3

Advanced Security Components Part 3

1. Exploit prevention
2. Local signature-based detection antimalware
3. Real-time antimalware protection

Exploit Prevention

Exploit Prevention

Detects and prevents malicious processes from exploiting software vulnerabilities on a system
• Memory protection
• Code injection
• Privilege escalation
• ROP protection (return-oriented programming)

Exploits

Memory protection: stops attacks based on suspicious modification of the execution rights of memory pages, made to enable shellcode execution from areas like stacks and heaps.
Code injection: malicious code placed into remote processes, to hide the malicious intent of an application behind clean processes (and also to evade detection by antimalware solutions).
Privilege escalation: stops elevation of privileges made by unauthorized code or applications. Goal: prevent unauthorized code from accessing system resources or modifying system settings.
Return-oriented programming (ROP): lets an attacker chain fragments of already-loaded legitimate code (gadgets) to run a payload even in the presence of defenses like code signing and executable space protection (DEP/NX), since no new code page has to be written.

(Screenshot: Exploit Prevention settings)

Local Signature-Based Detection Antimalware

Local Signature Based Detection

Known threats, higher processing speed and low false positive rates
Cloud-based in the core solution: the look-up can help for an on-demand scan when something is not executed. If executed, it is looked up but might have already started (the local signature-based engine's benefit: it can decide before execution).
Benefit on slow Internet connections

Real-time Antimalware scanning

Real-time Antimalware Scanning

Real-time: runs in the background, depending on the scan mode, and constantly checks for malicious threats the entire time the system is powered on (unless paused by the computer user)

• On-access (default): files are scanned when accessed for reading or writing (or when launching a program)
• On-execution: only executables are scanned, when launched

Applying a protection plan with real-time protection turned on while another solution is running: real-time scanning will not be enabled, to protect the machine from conflicts

Section Summary

1. Exploit Prevention detects and prevents malicious processes from exploiting various vulnerabilities on a system, covering memory protection, code injection, privilege escalation and return-oriented programming.
2. Local signature-based detection is used for known threats. Since it runs locally on the machine it can process at higher speed and produces low false positive rates for known threats. Slow Internet connections benefit.
3. Real-time antimalware scanning runs in the background depending on the scan mode setting of on-access (default) or on-execution.

Cyber Protect Cloud
Advanced Security Pack
Scenarios and Examples

Topics for Scenarios and Examples

1. Forensic Backup
2. Active Protection
   • Ransomware – live malware
   • Self-protection – MS Teams exploited
   • Cryptomining – XMRig
3. URL Filtering
   • Live malicious URLs and trusted and blocked sites
4. Device Control
   • Lock down of USB ports yet use other items on the port
   • Protection of intellectual property

Forensic Backup

Scenarios and Examples – Forensic Backup

Going after bad actors:

• Ransomware distributors
• Intellectual property theft cases
• Espionage
• Fraud
• Employment disputes
• Using email/messaging services for inappropriate things
• Other reasons
• Bankruptcy investigations
• Issues surrounding regulatory compliance

#CyberFit Academy
Scenarios and Examples – Forensic Backup

Laws and regulations:

• Requiring companies to safeguard personal data (and


privacy)
• Companies prove complying with security practices
• Incident affected critical data: show followed sound
security policy
• Potentially avoid lawsuits or regulatory audit

#CyberFit Academy
Scenarios and Examples – Forensic Backup

Already attacked?

Answer questions like:


• What systems/files/applications/networks involved and/or
affected?
• How did it occur?
• What data stolen or accessed?
• Hackers still on network?

#CyberFit Academy
Scenarios and Examples – Forensic Backup

Company victim to recent cyber attack?

Overall forensics investigations:

• Safeguarding the digital evidence used in the attack
• Search for data access and/or exfiltration
• Identify the cause and possible intent
• Retrace the hackers' steps
• Help prevent future attacks: detect gaps to be filled
• Opportunity to see additional security weaknesses

#CyberFit Academy
Scenarios and Examples – Forensic Backup

CERT statement

“Should an intrusion lead to a court case, the organization with computer forensics capability will be at a distinct advantage”

• Cybersecurity and forensics go hand in hand

#CyberFit Academy
Scenarios and Examples – Forensic Backup

Flip Side – show something did NOT happen

• 2006 – US Dept of Veterans Affairs
• Laptop recovered and analyzed
• Determined sensitive files were “probably” not viewed
• Examined access and modification times of each file
• Files were not opened by conventional means

#CyberFit Academy
Scenarios and Examples – Forensic Backup
Final Thought

• Evidence needs to be authenticated
• Whoever collects evidence must be able to testify during direct examination
• Evidence that cannot be authenticated is usually inadmissible
• Authentication: a record of who collected the evidence needs to be kept
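The custody record this slide calls for, as an added example (not from the course or from Acronis): each collected item is logged with who collected it, when, and its SHA-256 digest, and an item that has no record or whose digest no longer matches is refused. Item names and contents are constructed samples.

```python
"""Chain-of-custody record for collected evidence items.

Added example, not part of the course material: keeps who collected
each item, when, and its SHA-256 digest, and refuses to authenticate
an item with no record or with changed content. All item names and
contents below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class CustodyEntry:
    item_id: str        # label of the evidence item (e.g. a forensic backup)
    collected_by: str   # the person who collected it and can testify to that
    collected_at: str   # UTC timestamp, ISO 8601
    sha256: str         # digest of the item at collection time
    note: str           # where and how it was obtained


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_collection(log: Dict[str, CustodyEntry], item_id: str, data: bytes,
                      collector: str, note: str,
                      when: Optional[datetime] = None) -> CustodyEntry:
    """Create the custody record for an item at the moment it is collected."""
    when = when or datetime.now(timezone.utc)
    entry = CustodyEntry(item_id, collector, when.isoformat(), sha256_hex(data), note)
    log[item_id] = entry
    return entry


def authenticate(log: Dict[str, CustodyEntry], item_id: str,
                 data: bytes) -> Tuple[bool, str]:
    """Check an item presented later against its custody record.
    A missing record or a changed digest means it cannot be authenticated."""
    entry = log.get(item_id)
    if entry is None:
        return False, "no custody record: item cannot be authenticated"
    if sha256_hex(data) != entry.sha256:
        return False, f"digest mismatch: item altered since collected by {entry.collected_by}"
    return True, f"authenticated: collected by {entry.collected_by} at {entry.collected_at}"


# Constructed sample: an evidence item captured from an infected host.
SAMPLE_ITEM = b"memory-dump-and-file-list-from-host-01 (constructed sample)"
custody_log: Dict[str, CustodyEntry] = {}
record_collection(custody_log, "host-01-forensic-backup", SAMPLE_ITEM,
                  "E. Example (IT Manager)", "forensic backup taken before cleanup")
```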

#CyberFit Academy
Active Protection

#CyberFit Academy
Scenarios and Examples – Active Protection

Malware example (video)
Video conferencing attack on MS Teams (video)
Cryptomining with XMRig (video)

#CyberFit Academy
URL Filtering

#CyberFit Academy
Scenarios and Examples – URL Filtering

Deny social sites category (video)

• Put facebook.com as a trusted site
• Block ESPN
• Block and allow user options
Other URL examples to display

#CyberFit Academy
Device Control

#CyberFit Academy
Scenarios and Examples – Device Control

USB shutdown – webcam and mouse still usable

• Show alert on USB restriction (video)
Intellectual property theft (an engineer's AutoCAD drawings / a sales rep taking client information in an Excel file)

#CyberFit Academy
Thank you for watching!

#CyberFit Academy
Cyber Foundation
Building a More Knowledgeable Future

Create, Spread and Protect Knowledge with Us!
www.acronis.org
#CyberFit
Building New Schools
Publishing Education Programs
Publishing Books

#CyberFit Academy
Cyber Protect Cloud
APPENDIX
Top Troubleshooting Issues

#CyberFit Academy
Set Up Exclusion Settings /
Processes Have No Path
Problem
• A false positive alert about a suspicious process is received from Active Protection
• You want to exclude the process (add it to “Trusted” processes), but there is no exact path for the exclusion
• The process has a new name or new location on each run
• Excluding the entire folder where the process is located does not help

#CyberFit Academy
Set Up Exclusion Settings /
Processes Have No Path
Cause
• Active Protection is a zero-day technology based on behavioral heuristics
• It constantly observes patterns in how data files are being changed in the system
• One set of behaviors is typical and expected; another signals a suspect process taking hostile action
• It looks at actions and compares them against behavior patterns
• The exact path to the executable is required to exclude a specific process from monitoring
• It is not possible to exclude all processes in a specific folder

#CyberFit Academy
Set Up Exclusion Settings /
Processes Have No Path
Solution
Workaround 1: Active Protection always monitors processes that do not have a valid signature. If possible, update the software or contact the vendor to add a valid signature to the process files.
Workaround 2: Instead of adding the process to the “Trusted” list, exclude the folder where the process performs value changes (example: folders with databases that are being updated by the affected “suspicious” processes).
Side note: it is not possible to exclude a file or executable located on a network share from Active Protection monitoring. Adding to exclusions is supported only for local NTFS volumes.

#CyberFit Academy
Alert – Windows Defender Is
Blocked
Problem
When Acronis Antimalware real-time protection conflicts with a third-party antivirus or Windows Defender, Acronis generates alerts. Three different alerts can appear, and partners find them unclear.

#CyberFit Academy
Alert – Windows Defender Is
Blocked
Cause
“Windows Defender Is Blocked By A Third-Party Antivirus Software: Windows Defender Blocked because Acronis Cyber Protect installed on machine”
Both Defender and Acronis real-time protection are enabled; it is not good to run two real-time AV engines on one machine.
Want to use Acronis: disable Windows Defender A/V in the protection plan.

#CyberFit Academy
Alert – Windows Defender Is
Blocked
Cause
“Windows Defender Is Blocked By A Third-Party Antivirus Software: Windows Defender Blocked because ANY third-party A/V and Acronis Cyber Protect Is Installed On The Machine”
Some third-party A/V is running, and both Acronis and Defender are enabled in the protection plan.
Want to use the third party: disable Acronis real-time protection, URL Filtering and Windows Defender.
Want to use Acronis: uninstall the third-party A/V and disable Windows Defender from the protection plan.
#CyberFit Academy
Alert – Windows Defender Is
Blocked
Cause
“Detected a conflict with security protect. Real-time Antimalware was not enabled because it conflicts with another security solution <vendor name> installed on machine <machine name>”
Acronis real-time protection is enabled in the protection plan and a third-party A/V is installed on the machine.
Want to use the third party: disable Acronis real-time protection, URL Filtering and Windows Defender.
Want to use Acronis: uninstall the third-party A/V on the machine.
#CyberFit Academy
Note on Disabling

You do not have to completely disable the antivirus and antimalware protection module in a protection plan.
Disabling real-time protection is what matters: do not run two real-time engines at the same time.
• Slows down the machine (resource hogs, with no benefit since one has first right of refusal)
• Can produce false positives (tripping the other solution)
• Running both for a period of time carries a small chance of file corruption

#CyberFit Academy
Links to KB Articles – Top
Troubleshooting Issues
• Set Up Exclusion Settings / Processes
Have No Path
• https://kb.acronis.com/content/69641
• Windows Defender Blocked
• https://kb.acronis.com/content/68358

#CyberFit Academy