CyberProtectionService Userguide en-US
Cyber Protection
23.08
• Your login. This is the user name that you use to log in. Your login is also shown on the account
activation page.
• Activate account button. Click the button and set the password for your account. Ensure that
your password is at least nine characters long. For more information about the password, refer to
"Password requirements" (p. 18).
If your administrator has enabled two-factor authentication, you will be prompted to set it up for
your account. For more information about it, refer to "Two-factor authentication" (p. 18).
Password requirements
The password for a user account must be at least 9 characters long. Passwords are also checked for
complexity, and fall into one of the following categories:
• Weak
• Medium
• Strong
You cannot save a weak password, even though it might contain 9 characters or more. Passwords
that repeat the user name, the login, the user email, or the name of the tenant to which a user
account belongs are always considered weak. Most common passwords are also considered weak.
To strengthen a password, add more characters to it. Using different types of characters, such as
digits, uppercase and lowercase letters, and special characters, is not mandatory but it results in
stronger passwords that are also shorter.
Two-factor authentication
Two-factor authentication (2FA) provides extra protection from unauthorized access to your
account. When 2FA is set up, you are required to enter your password (the first factor) and a
one-time code (the second factor) to log in to the Cyber Protect console. The one-time code is generated
by a special application that must be installed on your mobile phone or another device that belongs
to you. Even if someone discovers your login and password, they will not be able to log in to your
account without having access to your second-factor device.
You must set up 2FA for your account if the administrator has enabled it for your organization. If the
administrator enables 2FA while you are logged in to the Cyber Protect console, you will have to set
it up when your current session expires.
Note
Ensure that you save the PDF file in a safe place or print it for further reference. This is the best
way to restore your access.
5. Return to the Cyber Protect console login page and enter the generated code.
A one-time code is valid for 30 seconds. If you wait longer than 30 seconds, use the next
generated code.
Next time you log in, you can select the Trust this browser... check box. In this case, the code will
not be required for subsequent logins by using this browser on this machine.
Note
We recommend that you leave this check box clear. Otherwise, you will lose access to 2FA for
your account.
Important
If the code is not working, ensure that the time in the authenticator mobile app is synced with
your device.
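The 30-second validity and the clock-sync requirement above, worked through as an added example (not part of the original guide or of the product's code). It assumes the authenticator app produces standard RFC 6238 TOTP codes (HMAC-SHA1, 6 digits); the secret is the RFC test value, and the `window` parameter is hypothetical because the guide does not say how much clock drift the service tolerates.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid, as stated in the guide


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 code for the 30-second step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 0) -> bool:
    """Accept the code if it matches any step within +/- window steps.

    window is an assumption of this example, not a documented setting.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False


def skew_demo() -> dict:
    """Map phone clock skew (seconds) to (strict result, one-step tolerance)."""
    secret = b"12345678901234567890"  # RFC 6238 test secret (constructed sample)
    server_now = 1111111085           # constructed: 5 s into a 30 s step
    outcome = {}
    for skew in (0, 10, 45):          # seconds the phone clock runs ahead
        code = totp(secret, server_now + skew)
        outcome[skew] = (
            verify(secret, code, server_now, window=0),
            verify(secret, code, server_now, window=1),
        )
    return outcome


if __name__ == "__main__":
    for skew, (strict, tolerant) in skew_demo().items():
        print(f"phone +{skew:>2}s  strict={strict}  one-step tolerance={tolerant}")
```

A phone clock that is 45 seconds ahead lands in the next 30-second step, so its code fails strict verification even though the secret is correct.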
If you did not save the PDF file during the setup:
If you do not have access to the previously set-up mobile authenticator app
Privacy settings
Privacy settings help you indicate whether or not you give consent for the collection, use and
disclosure of your personal information.
Depending on the country in which you are using Cyber Protect Cloud and the Cyber Protect Cloud
data center that provides services to you, on the initial launch of Cyber Protect Cloud you may be
asked to confirm whether you agree to use Google Analytics in Cyber Protect Cloud.
Google Analytics helps us better understand user behavior and improve user experience in Cyber
Protect Cloud by collecting pseudonymized data.
If you enabled or refused to enable Google Analytics on the initial launch of Cyber Protect Cloud,
you can change your decision at any time later.
In the How to delete cookies section, you can control and manage cookies directly in your
browser.
Note
If you do not see the Google Analytics section, it means that Google Analytics is not used in your
country.
In the In-product onboarding and interactive help section, shown initially during the trial period, you
can stop or keep receiving the information about the improvements and new features in the
program in the future. This feature is enabled by default, but you can disable it by switching the
toggle to Off.
services by using the icon in the upper-right corner. Administrators can also use this icon
for switching to the management portal.
The timeout period for the Cyber Protect console is 24 hours for active sessions and 1 hour for idle
sessions.
You can change the language of the web interface by clicking the account icon in the upper-right
corner.
Important
If the customer is in Self-service management mode, you cannot manage services for him. Only the
customer administrators can change the customer mode to Managed by service provider, and
then manage the services.
In other web browsers (including Safari browsers running in other operating systems), the user
interface might be displayed incorrectly or some functions may be unavailable.
Note
To use Cyber Protection with Windows 7, you must install the following updates from Microsoft
before installing the protection agent:
◦ Windows 7 Extended Security Updates (ESU)
◦ KB4474419
◦ KB4490628
For more information on the required updates, refer to this knowledge base article.
• Windows Server 2008 R2* – Standard, Enterprise, Datacenter, Foundation, and Web editions
• Windows Home Server 2011*
• Windows MultiPoint Server 2010*/2011*/2012
• Windows Small Business Server 2011* – all editions
Note
* To use Cyber Protection with this version of Windows, you must install the SHA2 code signing
support update from Microsoft (KB4474419) before installing the protection agent.
For information on issues related to the SHA2 code signing support update, refer to this knowledge
base article.
Agent for SQL, Agent for Active Directory, Agent for Exchange (for database
backup and application-aware backup)
Each of these agents can be installed on a machine running any operating system listed above and a
supported version of the respective application.
Note
Agent for Data Loss Prevention for macOS supports only x64 processors (Apple silicon ARM-based
processors are not supported).
Note
Agent for Data Loss Prevention might be installed on unsupported macOS systems because it is an
integral part of Agent for Mac. In this case, the Cyber Protect console will display that Agent for Data
Loss Prevention is installed on the computer, but the device control functionality will not work.
Device control functionality will only work on macOS systems that are supported by Agent for Data
Loss Prevention.
Important
Active protection and real-time protection are not supported on kernel versions 4.17 and later.
The following Linux distributions and kernel versions have been specifically tested. However, even if
your Linux distribution or kernel version is not listed below, it may still work correctly in all required
scenarios, due to the specifics of the Linux operating systems.
If you encounter issues while using Cyber Protection with your combination of Linux distribution
and kernel version, contact the Support team for further investigation.
Linux with kernel from 2.6.9 to 5.19 and glibc 2.3.4 or later, including the following x86 and
x86_64 distributions:
• Red Hat Enterprise Linux 4.x, 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*, 8.5*, 8.6*, 8.7*
• Ubuntu 9.10, 10.04, 10.10, 11.04, 11.10, 12.04, 12.10, 13.04, 13.10, 14.04, 14.10, 15.04, 15.10,
16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 19.04, 19.10, 20.04, 20.10, 21.04, 21.10, 22.04, 22.10, 23.04
• Fedora 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 37, 38
• SUSE Linux Enterprise Server 10, 11, 12, 15
Important
Configurations with Btrfs are not supported for SUSE Linux Enterprise Server 12 and SUSE Linux
Enterprise Server 15.
• Debian 4.x, 5.x, 6.x, 7.0, 7.2, 7.4, 7.5, 7.6, 7.7, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.11, 9.0, 9.1,
9.2, 9.3, 9.4, 9.5, 9.6, 9.7, 9.8, 10, 11
• CentOS 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*, 8.5*
• CentOS Stream 8
Note
Installing the protection agent on Oracle Linux 8.6 and later, on which Secure Boot is enabled,
requires manual signing of kernel modules. For more information on how to sign a kernel
module, refer to this knowledge base article.
• CloudLinux 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*, 8.5*, 8.6*, 8.7*
• ClearOS 5.x, 6.x, 7.x
• AlmaLinux 8.4*, 8.5*, 8.6*, 8.7*
• Rocky Linux 8.4*, 8.5*, 8.6*, 8.7*
• ALT Linux 7.0
Both x64 and ARM architecture (used in Apple silicon processors such as Apple M1 and M2) are
supported.
Note
You cannot recover disk-level backups of Intel-based Macs to Macs that use Apple silicon
processors, and vice-versa. You can recover files and folders.
Important
Starting from version C23.07, Cyber Protect Cloud does not support the following operating
systems: OS X Yosemite 10.10, OS X El Capitan 10.11, and macOS Sierra 10.12.
We strongly recommend that you upgrade your operating system to a supported version in order to
ensure compatibility and be able to use the full functionality of Cyber Protect Cloud.
The SQL Server Express editions of the above SQL server versions are supported as well.
*In order to use SharePoint Explorer with these versions, you need a SharePoint recovery farm to
attach the databases to.
Because SAP HANA does not support recovery of multitenant database containers by using storage
snapshots, this solution supports SAP HANA containers with only one tenant database.
For more information about the differences between the agent-based and agentless backup, refer
to "Agent-based and agentless backup" (p. 61).
If you encounter issues while using Cyber Protection with your combination of hypervisor vendor
and version, contact the Support team for further investigation.
VMware
Platform | Agentless backup (Backup at the hypervisor level) | Agent-based backup (Backup from inside a guest OS)
VMware Player
* In these editions, the HotAdd transport for virtual disks is supported on vSphere 5.0 and later. On
version 4.1, backups may run slower.
** Backup at a hypervisor level is not supported for vSphere Hypervisor because this product
restricts access to Remote Command Line Interface (RCLI) to read-only mode. The agent works
Note
Acronis officially supports any update within the supported major vSphere version.
For example, vSphere 8.0 support includes support for any update within this version, unless stated
otherwise. For example, vSphere 8.0 Update 1 is also supported along with originally released
vSphere 8.0.
Limitations
• Fault tolerant machines
Agent for VMware backs up a fault tolerant machine only if fault tolerance was enabled in
VMware vSphere 6.0 and later. If you upgraded from an earlier vSphere version, it is enough to
disable and enable fault tolerance for each machine. If you are using an earlier vSphere version,
install an agent in the guest operating system.
• Independent disks and RDM
Agent for VMware does not back up Raw Device Mapping (RDM) disks in physical compatibility
mode or independent disks. The agent skips these disks and adds warnings to the log. You can
avoid the warnings by excluding independent disks and RDMs in physical compatibility mode
from the protection plan. If you want to back up these disks or data on these disks, install an
agent in the guest operating system.
• In-guest iSCSI connection
Agent for VMware does not back up LUN volumes connected by an iSCSI initiator that works
within the guest operating system. Because the ESXi hypervisor is not aware of such volumes, the
volumes are not included in hypervisor-level snapshots and are omitted from a backup without a
warning. If you want to back up these volumes or data on these volumes, install an agent in the
guest operating system.
• Encrypted virtual machines (introduced in VMware vSphere 6.5)
◦ Encrypted virtual machines are backed up in an unencrypted state. If encryption is critical to
you, enable encryption of backups when creating a protection plan.
◦ Recovered virtual machines are always unencrypted. You can manually enable encryption after
the recovery is complete.
◦ If you back up encrypted virtual machines, we recommend that you also encrypt the virtual
machine where Agent for VMware is running. Otherwise, operations with encrypted machines
may be slower than expected. Apply the VM Encryption Policy to the agent's machine by
using vSphere Web Client.
◦ Encrypted virtual machines will be backed up via LAN, even if you configure the SAN transport
mode for the agent. The agent will fall back on the NBD transport because VMware does not
support SAN transport for backing up encrypted virtual disks.
• Secure Boot
◦ VMware virtual machines: (introduced in VMware vSphere 6.5) Secure Boot is disabled after a
virtual machine is recovered as a new virtual machine. You can manually enable this option
Microsoft
Platform | Agentless backup (Backup at the hypervisor level) | Agent-based backup (Backup from inside a guest OS)
Note
Hyper-V virtual machines running on a hyper-converged cluster with Storage Spaces Direct (S2D)
are supported. Storage Spaces Direct is also supported as a backup storage.
Limitations
• Pass-through disks
Agent for Hyper-V does not back up pass-through disks. During backup, the agent skips these
disks and adds warnings to the log. You can avoid the warnings by excluding pass-through disks
from the protection plan. If you want to back up these disks or data on these disks, install an
agent in the guest operating system.
• Hyper-V guest clustering
Agent for Hyper-V does not support backup of Hyper-V virtual machines that are nodes of a
Windows Server Failover Cluster. A VSS snapshot at the host level can even temporarily
disconnect the external quorum disk from the cluster. If you want to back up these machines,
install agents in the guest operating systems.
Scale Computing
Platform | Agentless backup (Backup at the hypervisor level) | Agent-based backup (Backup from inside a guest OS)
Limitations
Linux machines containing logical volumes (LVM)
The following operations are not supported for Linux machines with LVM that you back up in the
agentless mode:
The following operations are not supported for Linux machines with LVM that you back up in the
agent-based mode (that is, by Agent for Linux installed on the backed-up machine):
• Performing a machine migration by recovering its backup as a virtual machine (for example, by
using Agent for VMware, Agent for Hyper-V, Agent for oVirt, Agent for Virtuozzo, Agent for
Virtuozzo Hybrid Infrastructure, or Agent for Scale Computing for P2V, V2P, or V2V migration). To
recover data from such a backup, use bootable media.
For more information about the migration scenarios, see "Machine migration" (p. 615).
• Running a virtual machine from a backup.
Citrix
Platform | Agentless backup (Backup at the hypervisor level) | Agent-based backup (Backup from inside a guest OS)
Limitations
Linux machines containing logical volumes (LVM)
The following operations are not supported for Linux machines with LVM that you back up in the
agentless mode:
• You cannot select individual Linux LVM volumes as backup source—neither by direct selection
nor by using policy rules. You can back up workloads with such volumes only by selecting Entire
machine in What to back up.
• The file filters (Inclusions/Exclusions) are not applicable. Any configured inclusions or exclusions
will be ignored. For more information about the file filters, see "File filters (Inclusions/Exclusions)"
(p. 413).
The following operations are not supported for Linux machines with LVM that you back up in the
agent-based mode (that is, by Agent for Linux installed on the backed-up machine):
• Performing a machine migration by recovering its backup as a virtual machine (for example, by
using Agent for VMware, Agent for Hyper-V, Agent for oVirt, Agent for Virtuozzo, Agent for
Virtuozzo Hybrid Infrastructure, or Agent for Scale Computing for P2V, V2P, or V2V migration). To
Parallels
Platform | Agentless backup (Backup at the hypervisor level) | Agent-based backup (Backup from inside a guest OS)
Oracle
Platform | Agentless backup (Backup at the hypervisor level) | Agent-based backup (Backup from inside a guest OS)
Oracle VM Server 3.0, 3.3, 3.4 | Not supported | Supported only for fully virtualized (aka HVM) guests. Paravirtualized (aka PV) guests are not supported.
The following operations are not supported for Linux machines with LVM that you back up in the
agentless mode:
• You cannot select individual Linux LVM volumes as backup source—neither by direct selection
nor by using policy rules. You can back up workloads with such volumes only by selecting Entire
machine in What to back up.
• The file filters (Inclusions/Exclusions) are not applicable. Any configured inclusions or exclusions
will be ignored. For more information about the file filters, see "File filters (Inclusions/Exclusions)"
(p. 413).
The following operations are not supported for Linux machines with LVM that you back up in the
agent-based mode (that is, by Agent for Linux installed on the backed-up machine):
• Performing a machine migration by recovering its backup as a virtual machine (for example, by
using Agent for VMware, Agent for Hyper-V, Agent for oVirt, Agent for Virtuozzo, Agent for
Virtuozzo Hybrid Infrastructure, or Agent for Scale Computing for P2V, V2P, or V2V migration). To
recover data from such a backup, use bootable media.
For more information about the migration scenarios, see "Machine migration" (p. 615).
• Running a virtual machine from a backup.
Nutanix
Platform | Agentless backup (Backup at the hypervisor level) | Agent-based backup (Backup from inside a guest OS)
Virtuozzo
Platform | Agentless backup (Backup at the hypervisor level) | Agent-based backup (Backup from inside a guest OS)
Virtuozzo 7.0.13, 7.0.14 | Supported for ploop containers only. Virtual machines are not supported. | Supported for virtual machines only. Containers are not supported.
Limitations
Linux machines containing logical volumes (LVM)
The following operations are not supported for Linux machines with LVM that you back up in the
agentless mode:
• You cannot select individual Linux LVM volumes as backup source—neither by direct selection
nor by using policy rules. You can back up workloads with such volumes only by selecting Entire
machine in What to back up.
• The file filters (Inclusions/Exclusions) are not applicable. Any configured inclusions or exclusions
will be ignored. For more information about the file filters, see "File filters (Inclusions/Exclusions)"
(p. 413).
The following operations are not supported for Linux machines with LVM that you back up in the
agent-based mode (that is, by Agent for Linux installed on the backed-up machine):
• Performing a machine migration by recovering its backup as a virtual machine (for example, by
using Agent for VMware, Agent for Hyper-V, Agent for oVirt, Agent for Virtuozzo, Agent for
Virtuozzo Hybrid Infrastructure, or Agent for Scale Computing for P2V, V2P, or V2V migration). To
recover data from such a backup, use bootable media.
For more information about the migration scenarios, see "Machine migration" (p. 615).
• Running a virtual machine from a backup.
Amazon
Platform | Agentless backup (Backup at the hypervisor level) | Agent-based backup (Backup from inside a guest OS)
Disk-level encryption software encrypts data on the fly. This is why data contained in the backup is
not encrypted. Disk-level encryption software often modifies system areas: boot records, or
partition tables, or file system tables. These factors affect disk-level backup and recovery, the ability
of the recovered system to boot and access to Secure Zone.
You can back up the data encrypted by the following disk-level encryption software:
To ensure reliable disk-level recovery, follow the common rules and software-specific
recommendations.
If you only need to recover one partition of a multi-partitioned disk, do so under the operating
system. Recovery under bootable media may make the recovered partition undetectable for
Windows.
If the recovered system fails to boot, rebuild the Master Boot Record as described in the following
Microsoft knowledge base article: https://support.microsoft.com/kb/2622803
If retention lock is enabled, you need to add the AR_RETENTION_LOCK_SUPPORT environment variable to
the machine with the protection agent that uses this storage as a backup destination.
Note
Dell EMC Data Domain storages with enabled retention lock are not supported by Agent for Mac.
In Windows
In Linux
export AR_RETENTION_LOCK_SUPPORT=1
In a virtual appliance
export AR_RETENTION_LOCK_SUPPORT=1
The protection features are only supported on machines on which a protection agent is installed.
They are not available for virtual machines that are backed up in the agentless mode, for example,
by Agent for Hyper-V, Agent for VMware, Agent for Virtuozzo Hybrid Infrastructure, Agent for Scale
Computing, or Agent for oVirt.
Some features might require additional licensing, depending on the applied licensing model.
Unless stated otherwise for a specific feature set, the following Windows versions are supported:
For more information on the required updates, refer to this knowledge base article.
Linux
Supported Linux distributions and their versions depend on the feature sets, and are shown at the
bottom of each table.
macOS
Supported macOS versions depend on the feature sets, and are shown at the bottom of each table.
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
Forensic backup
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
Active Protection
For more information about the supported operating systems and their versions, see "Supported
platforms" (p. 712).
* Static analysis for portable executable files is supported only for scheduled scans on macOS.
*** File/folder exclusions are only supported for the case when you specify files and folders that will
not be scanned by real-time protection or scheduled scans on macOS.
**** Firewall management is supported on Windows 8 and later. Windows Server is not supported.
***** Microsoft Defender Antivirus management is supported on Windows 8.1 and later.
Vulnerability assessment
For more information about the supported operating systems and their versions, refer to "Supported
Microsoft and third-party products" (p. 828), "Supported Linux products" (p. 831), and "Supported Apple
and third-party products" (p. 830).
Patch management
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
Disk health
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
Smart protection plans based on Acronis Cyber Protection Operations Center (CPOC) alerts
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
Backup scanning
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
Safe recovery
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
For more information about the supported operating systems and their versions, see "Supported
platforms" (p. 860).
#CyberFit Score
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
On macOS, Data loss prevention is supported for macOS 10.15, macOS 11.2.3 and later macOS 11
versions, macOS 12, macOS 13.
Note
Agent for Data Loss Prevention might be installed on unsupported macOS systems because it is an
integral part of Agent for Mac. In this case, the Cyber Protect console will display that Agent for Data Loss
Prevention is installed on the computer, but the device control functionality will not work. Device control
functionality will only work on macOS systems that are supported by Agent for Data Loss Prevention.
Management options
Protection options
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
On macOS, Cyber Protect Monitor is supported for all versions on which you can install Agent for Mac. For
more information, see "Agent for Mac" (p. 26).
Software inventory
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
Hardware inventory
See the supported Windows versions in "Supported operating systems and versions" (p. 43).
The following table summarizes the file systems that can be backed up and recovered (bootable
media supports only recovery). The limitations apply to both the agents and bootable media.
File system | Supported by: Agents | Supported by: Bootable media for Windows and Linux | Supported by: Bootable media for Mac | Limitations
ext2/ext3/ext4 | All agents | + | - | No limitations
HFS+ | Agent for Mac | - | + |
Linux swap | Agent for Linux | + | - | No limitations
exFAT | All agents | + (Bootable media cannot be used for recovery if the backup is stored on exFAT) | + | Only disk/volume backup is supported; files cannot be excluded from a backup; individual files cannot be recovered from a backup
The software automatically switches to the sector-by-sector mode when backing up drives with
unrecognized or unsupported file systems (for example, Btrfs). A sector-by-sector backup is possible
for any file system that:
• is block-based
• spans a single disk
• has a standard MBR/GPT partitioning scheme
If the file system does not meet these requirements, the backup fails.
You can back up and recover a data deduplication–enabled volume at a disk level, without
limitations. File-level backup is supported, except when using Acronis VSS Provider. To recover files
from a disk backup, either run a virtual machine from your backup, or mount the backup on a
machine running Windows Server 2012 or later, and then copy the files from the mounted volume.
The Data Deduplication feature of Windows Server is unrelated to the Acronis Backup Deduplication
feature.
Preparation
Step 1
Choose an agent, depending on what you are going to back up. For more information on the
possible choices, refer to Which agent do I need?
Step 2
Ensure that there is enough free space on your hard drive to install an agent. For detailed
information about the required space, refer to "System requirements for agents" (p. 61).
Step 3
Download the setup program. To find the download links, click All devices > Add.
The Add devices page provides web installers for each agent that is installed in Windows. A web
installer is a small executable file that downloads the main setup program from the Internet and
saves it as a temporary file. This file is deleted immediately after the installation.
If you want to store the setup programs locally, download a package containing all agents for
installation in Windows by using the link at the bottom of the Add devices page. Both 32-bit and
64-bit packages are available. These packages enable you to customize the list of components to install.
These packages also enable unattended installation, for example, via Group Policy. This advanced
scenario is described in "Deploying agents through Group Policy" (p. 153).
To download the setup program for Agent for Microsoft 365, click the account icon in the top-right
corner, and then click Downloads > Agent for Microsoft 365.
All setup programs require an Internet connection to register the machine in the Cyber Protection
service. If there is no Internet connection, the installation will fail.
Step 4
Cyber Protect features require Microsoft Visual C++ 2017 Redistributable. Please ensure that it is
already installed on your machine or install it before installing the agent. After the installation of
Microsoft Visual C++, a restart may be required. You can find the Microsoft Visual C++
Redistributable package here: https://support.microsoft.com/help/2999226/update-for-universal-c-runtime-in-windows.
If a proxy server is enabled in your network, refer to "Configuring proxy server settings" (p. 67) to
understand whether you need to configure these settings on each machine that runs a protection
agent.
The minimum Internet connection speed required for managing an agent from the cloud is 1 Mbit/s
(not to be confused with the data transfer rate acceptable for backing up to the cloud). Consider this
if you use a low-bandwidth connection technology such as ADSL.
TCP ports required for backup and replication of VMware virtual machines
• Port 443
Agent for VMware (both Windows and Virtual Appliance) connects to this port on the ESXi
host/vCenter server to perform VM management operations, such as create, update, and delete
VMs on vSphere during backup, recovery, and VM replication operations.
• Port 902
Agent for VMware (both Windows and Virtual Appliance) connects to this port on the ESXi host to
establish NFC connections to read/write data on VM disks during backup, recovery, and VM
replication operations.
• Port 3333
If the Agent for VMware (Virtual Appliance) is running on the ESXi host/cluster that is the target
for VM replication, VM replication traffic does not go directly to the ESXi host on port 902. Instead,
the traffic goes from the source Agent for VMware to TCP port 3333 on the Agent for VMware
(Virtual Appliance) located on the target ESXi host/cluster.
The source Agent for VMware that reads data from the original VM disks can be anywhere else
and can be of any type: Virtual Appliance or Windows.
The service that is responsible for accepting VM replication data on the target Agent for VMware
(Virtual Appliance) is called “Replica disk server.” This service is responsible for the WAN
optimization techniques, such as traffic compression and deduplication during VM replication,
including replica seeding (see Seeding an initial replica). When no Agent for VMware (Virtual
Appliance) is running on the target ESXi host, this service is not available, and therefore the
replica seeding scenario is not supported.
Step 6
On the machine where you plan to install the protection agent, verify that the following local ports
are not in use by other processes.
• 127.0.0.1:9999
• 127.0.0.1:43234
• 127.0.0.1:9850
Note
You do not have to open them in the firewall.
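A pre-installation check for the three loopback ports listed above, given here as an added example (it is not part of the vendor documentation). It tries to bind each port on 127.0.0.1 and reports the ones that are already taken; the function names are illustrative.

```python
import errno
import socket

# Loopback ports that the guide says must be free before the agent is installed.
AGENT_LOCAL_PORTS = (9999, 43234, 9850)


def port_in_use(port, host="127.0.0.1"):
    """Return True if host:port cannot be bound because another socket holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))  # no SO_REUSEADDR: a held port must fail
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise  # anything else (bad address, no IPv4 stack) is a real error
    return False


def busy_ports(ports=AGENT_LOCAL_PORTS, host="127.0.0.1"):
    """Return the subset of ports that are already taken, in the order given."""
    return [port for port in ports if port_in_use(port, host)]


if __name__ == "__main__":
    taken = busy_ports()
    for port in AGENT_LOCAL_PORTS:
        state = "IN USE" if port in taken else "free"
        print(f"127.0.0.1:{port}  {state}")
    raise SystemExit(1 if taken else 0)
```

Run it before installation; on a machine where the agent is already installed, a busy port may be held by the agent itself. To see which process owns a busy port, use ss -ltnp on Linux or netstat -ano on Windows.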
l In Linux: /opt/Acronis/etc/aakore.yaml
l In Windows: \ProgramData\Acronis\Agent\etc\aakore.yaml
We recommend that you also install Agent for Windows when you install Agent for VMware
(Windows) and Agent for Hyper-V.
In Linux, Agent for Oracle, Agent for MySQL/MariaDB, and Agent for Virtuozzo require that Agent for
Linux (64-bit) is also installed. These agents share one installer.
What are you going to back up? | Which agent to install? | Where to install it?
Physical machines
Applications
Depending on the desired functionality, you may or may not need to install Agent for Microsoft 365.
Microsoft 365 OneDrive files and SharePoint Online sites | — | This data can be backed up only by an agent that is installed in the cloud. For more information, refer to "Protecting Microsoft 365 data".
Google Workspace Gmail mailboxes, Google Drive files, and Shared drive files | — | This data can be backed up only by an agent that is installed in the cloud. For more information, refer to "Protecting Google Workspace".
Machines running Active Directory Domain Services | Agent for Active Directory | On the domain controller.
Virtual machines
Scale Computing HC3 virtual machines | Agent for Scale Computing HC3 (Virtual Appliance) | On the Scale Computing HC3 host.
Red Hat Virtualization virtual machines (managed by oVirt) | Agent for oVirt | On the Red Hat
Virtuozzo virtual machines and containers*** | Agent for Virtuozzo | On the Virtuozzo host.
Virtuozzo Hybrid Infrastructure virtual machines | Agent for Virtuozzo Hybrid Infrastructure | On the Virtuozzo Hybrid Infrastructure host.
Virtual machines hosted on Amazon EC2 | The same as for physical machines**** | On the machine that will be backed up.
Virtual machines hosted on Windows Azure | The same as for physical machines**** | On the machine that will be backed up.
Citrix XenServer virtual machines | The same as for physical machines**** | On the machine that will be backed up.
Red Hat Virtualization (RHV/RHEV), managed by oVirt | Agent for oVirt | On the virtualization host.
Kernel-based Virtual Machines (KVM), managed by oVirt | Agent for oVirt | On the virtualization host.
Mobile devices
*During the installation, Agent for Exchange checks for enough free space on the machine where it
will run. Free space equal to 15 percent of the biggest Exchange database is temporarily needed
during a granular recovery.
**If your ESXi uses a SAN attached storage, install the agent on a machine connected to the same
SAN. The agent will back up the virtual machines directly from the storage rather than via the ESXi
host and LAN. For detailed instructions, refer to "Agent for VMware - LAN-free backup".
***For Virtuozzo 7, only ploop containers are supported. Virtual machines are not supported.
Agentless backup is supported by some virtualization platforms and it is not available for physical
machines. Agentless backup requires only one protection agent, which is installed on a dedicated
machine in the virtual environment. This agent backs up all other virtual machines in this
environment. For more information about the supported backup types per virtualization platform,
refer to "Supported virtualization platforms" (p. 29).
For some virtualization platforms, virtual appliances are available. A virtual appliance (VA) is a ready-
made virtual machine that contains a protection agent. The virtual appliances are available in
hypervisor-specific formats, such as .ovf, .ova, or .qcow.
l You need additional protection functionality, such as antivirus and antimalware, patch
management, or remote desktop connection. For more information about these features refer to
"Supported protection features by operating system" (p. 43).
l You need to separate the virtual machines on the tenant level, for example, because you want to
provide the users in this tenant with access only to their own backups.
l You need file-level backups that you recover to the guest operating systems.
Backup operations, including deleting backups, require about 1 GB of RAM per 1 TB of backup size.
The memory consumption may vary, depending on the amount and type of data being processed by
the agents.
Note
The RAM usage might increase when backing up to extra large backup sets (4 TB and more).
On x64 systems, operations with bootable media and disk recovery with restart require at least 2 GB
of memory.
On workloads with modern processors, such as 11th Gen Intel Core or AMD Ryzen 7, that support
CET technology, some features of the Agent for Data Loss Prevention are disabled to avoid conflicts.
The following table lists the availability of Device Control and Advanced DLP features on systems
with such CPUs.
Local channels
Printers n/a No
Network communications
Peripheral devices
Printers No No
Windows clipboard No No
Screenshot capture No No
Redirected clipboard No No
Linux packages
To add the necessary modules to the Linux kernel, the setup program needs the following Linux
packages:
l The package with kernel headers or sources. The package version must match the kernel version.
l The GNU Compiler Collection (GCC) compiler system. The GCC version must be the one with
which the kernel was compiled.
l The Make tool.
l The Perl interpreter.
l The libelf-dev, libelf-devel, or elfutils-libelf-devel libraries for building kernels starting with
4.15 and configured with CONFIG_UNWINDER_ORC=y. For some distributions, such as Fedora 28,
they need to be installed separately from kernel headers.
In Red Hat Enterprise Linux, CentOS, and Fedora, the packages normally will be installed by the
setup program. In other distributions, you need to install the packages if they are not installed or do
not have the required versions.
1. Run the following command to find out the kernel version and the required GCC version:
cat /proc/version
This command returns lines similar to the following: Linux version 2.6.35.6 and gcc version
4.5.1
2. Run the following command to check whether the Make tool and the GCC compiler are installed:
For gcc, ensure that the version returned by the command is the same as in the gcc version in
step 1. For make, just ensure that the command runs.
3. Check whether the appropriate version of the packages for building kernel modules is installed:
l In Red Hat Enterprise Linux, CentOS, and Fedora, run the following command:
In either case, ensure that the package versions are the same as in Linux version in step 1.
4. Run the following command to check whether the Perl interpreter is installed:
perl --version
If you see the information about the Perl version, the interpreter is installed.
5. In Red Hat Enterprise Linux, CentOS, and Fedora, run the following command to check whether
elfutils-libelf-devel is installed:
If you see the information about the library version, the library is installed.
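Steps 1 to 5 above as a single check, given here as an added example (it is not part of the vendor documentation). It reads the kernel release and compiler version from /proc/version, in both the older "gcc version X" form and the form newer kernels print, and compares them with the installed tools; the sample lines are constructed, and the use of /lib/modules/<release>/build to detect kernel headers is an assumption.

```python
import os
import re
import shutil
import subprocess

# Constructed sample inputs (host names are placeholders).
SAMPLE_OLD = ("Linux version 2.6.35.6-45.fc14.i686 (builder@example) "
              "(gcc version 4.5.1 20100924 (Red Hat 4.5.1-4) (GCC) ) #1 SMP")
SAMPLE_NEW = ("Linux version 5.15.0-91-generic (builder@example) "
              "(gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld "
              "(GNU Binutils for Ubuntu) 2.38) #101-Ubuntu SMP")

# "gcc version 4.5.1" appears in /proc/version on older kernels.
_GCC_OLD = re.compile(r"gcc version (\d+(?:\.\d+)+)")
# "gcc (Ubuntu 11.4.0-...) 11.4.0" appears on newer kernels and in `gcc --version`.
_GCC_NEW = re.compile(r"gcc(?:-\d+)? \([^)]*\) (\d+(?:\.\d+)+)")


def gcc_version_in(text):
    """Extract a GCC version from /proc/version or from `gcc --version` output."""
    for pattern in (_GCC_OLD, _GCC_NEW):
        match = pattern.search(text)
        if match:
            return match.group(1)
    return None


def parse_proc_version(text):
    """Return (kernel_release, gcc_version) from the contents of /proc/version."""
    match = re.match(r"Linux version (\S+)", text)
    if not match:
        raise ValueError("not a /proc/version line")
    return match.group(1), gcc_version_in(text)


def toolchain_problems(proc_version, gcc_banner, headers_present, tools_present):
    """List what must be fixed before the setup program can build kernel modules."""
    problems = []
    kernel, kernel_gcc = parse_proc_version(proc_version)
    installed_gcc = gcc_version_in(gcc_banner) if gcc_banner else None
    if not headers_present:
        problems.append(f"no kernel headers for {kernel}")
    if kernel_gcc is None:
        problems.append("kernel compiler is not GCC or was not recognised")
    elif installed_gcc is None:
        problems.append(f"gcc {kernel_gcc} is not installed")
    elif installed_gcc != kernel_gcc:
        problems.append(
            f"gcc {installed_gcc} installed, kernel was built with {kernel_gcc}")
    for tool, present in sorted(tools_present.items()):
        if not present:
            problems.append(f"{tool} is not installed")
    return problems


def check_this_machine():
    """Collect the real values on the current Linux host and report problems."""
    with open("/proc/version") as handle:
        proc_version = handle.read()
    kernel, _ = parse_proc_version(proc_version)
    gcc_banner = ""
    if shutil.which("gcc"):
        gcc_banner = subprocess.run(
            ["gcc", "--version"], capture_output=True, text=True).stdout
    # Assumption: matching headers are reachable through the usual build symlink.
    headers = os.path.isdir(f"/lib/modules/{kernel}/build")
    tools = {name: shutil.which(name) is not None for name in ("make", "perl")}
    return toolchain_problems(proc_version, gcc_banner, headers, tools)


if __name__ == "__main__":
    found = check_this_machine()
    print("\n".join(found) if found else "build prerequisites look consistent")
```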
Red Hat Enterprise Linux | kernel-devel, gcc, make, elfutils-libelf-devel | The setup program will download and install the packages automatically by using your Red Hat subscription.
CentOS | kernel- | The setup program will download and install the packages automatically.
The packages will be downloaded from the distribution's repository and installed.
For other Linux distributions, please refer to the distribution's documentation regarding the exact
names of the required packages and the ways to install them.
l The machine does not have an active Red Hat subscription or Internet connection.
l The setup program cannot find the kernel-devel or gcc version corresponding to the kernel
version. If the available kernel-devel is more recent than your kernel, you need to either update
the kernel or install the matching kernel-devel version manually.
l You have the required packages on the local network and do not want to spend time on
automatic search and downloading.
Obtain the packages from your local network or a trusted third-party website, and install them as
follows:
l In Red Hat Enterprise Linux, CentOS, or Fedora, run the following command as the root user:
1. Run the following command to determine the kernel version and the required GCC version:
cat /proc/version
2. Obtain the kernel-devel and gcc packages that correspond to this kernel version:
kernel-devel-2.6.35.6-45.fc14.i686.rpm
gcc-4.5.1-4.fc14.i686.rpm
make-3.82-3.fc14.i686
4. Install the packages by running the following commands as the root user:
You can specify all these packages in a single rpm command. Installing any of these packages may
require installing additional packages to resolve dependencies.
Because the agent registers itself in the cloud during the installation, you must configure the proxy
server settings during the installation of the agent or in advance.
For Windows
If a proxy server is configured in Control panel > Internet Options > Connections, the setup
program reads the proxy server settings from the registry and uses them automatically.
Note
This procedure is valid only when the http-proxy.yaml file does not exist on the machine. If the
http-proxy.yaml file exists on the machine, you must update the proxy settings in the file, as it
overrides the settings in the aakore.yaml file. The http-proxy.yaml file is created when you configure
the proxy server settings by using Cyber Protect Monitor. For more information, see "Configuring
proxy server settings in Cyber Protect Monitor" (p. 280).
1. Create a new text document and open it in a text editor, such as Notepad.
2. Copy and paste the following lines into the file.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\Global\HttpProxy]
"Enabled"=dword:00000001
"Host"="proxy.company.com"
"Port"=dword:000001bb
"Login"="proxy_login"
"Password"="proxy_password"
3. Replace proxy.company.com with your proxy server host name/IP address, and 000001bb with the
hexadecimal value of the port number. For example, 000001bb is port 443.
4. If your proxy server requires authentication, replace proxy_login and proxy_password with the
proxy server credentials. Otherwise, delete these lines from the file.
5. Save the document as proxy.reg.
6. Run the file as an administrator.
7. Confirm that you want to edit the Windows registry.
8. If the agent is not installed on this workload yet, install it now. If the agent is already installed on
the workload, continue to the next step.
9. Open the %programdata%\Acronis\Agent\etc\aakore.yaml file in a text editor.
10. Locate the env section or create it, and then add the following lines.
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
11. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
12. In the Start menu, click Run, type: cmd, and then click OK.
13. Restart the aakore service by running the following commands.
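The proxy.reg file from steps 1 to 5 of this procedure can also be generated rather than edited by hand, which avoids mistakes in the hexadecimal port value. The following is an added example (not part of the vendor documentation); the function names are illustrative, and the first line it writes is the header that regedit expects at the top of a .reg file.

```python
import re

REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\Global\HttpProxy"


def _reg_string(value):
    """Quote a string for a .reg file: backslashes and double quotes are escaped."""
    if "\n" in value or "\r" in value:
        raise ValueError("line breaks are not allowed in registry string values")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def port_to_dword(port):
    """443 -> 'dword:000001bb' (eight hexadecimal digits)."""
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid TCP port: {port!r}")
    return f"dword:{port:08x}"


def dword_to_port(text):
    """Inverse of port_to_dword, for reviewing an existing proxy.reg."""
    match = re.fullmatch(r"dword:([0-9a-fA-F]{8})", text.strip())
    if not match:
        raise ValueError(f"not a dword value: {text!r}")
    return int(match.group(1), 16)


def build_proxy_reg(host, port, login=None, password=None):
    """Return the text of proxy.reg; credentials are written only if supplied."""
    if not host or any(ch.isspace() for ch in host):
        raise ValueError("host must be a non-empty name or IP address")
    if (login is None) != (password is None):
        raise ValueError("give both login and password, or neither")
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{REG_KEY}]",
        '"Enabled"=dword:00000001',
        f'"Host"={_reg_string(host)}',
        f'"Port"={port_to_dword(port)}',
    ]
    if login is not None:
        # Step 4: these two lines exist only when the proxy requires authentication.
        lines.append(f'"Login"={_reg_string(login)}')
        lines.append(f'"Password"={_reg_string(password)}')
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed sample values; replace with your own proxy settings.
    text = build_proxy_reg("proxy.company.com", 443)
    with open("proxy.reg", "w", encoding="utf-16", newline="") as handle:
        handle.write(text)
    print(text)
```

When credentials are included, proxy.reg holds the proxy password in clear text, so delete the file once it has been imported.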
For macOS
3. Replace proxy.company.com with your proxy server host name/IP address, and 443 with the
decimal value of the port number.
4. If your proxy server requires authentication, replace proxy_login and proxy_password with the
proxy server credentials. Otherwise, delete these lines from the file.
5. Save the file.
6. If the agent is not installed on this workload yet, install it now. If the agent is already installed on
the workload, continue to the next step.
7. Open the /Library/Application Support/Acronis/Agent/etc/aakore.yaml file in a text editor.
8. Locate the env section or create it and then add the following lines.
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
For Linux
<key name="HttpProxy">
<value name="Enabled" type="Tdword">"1"</value>
<value name="Host" type="TString">"ADDRESS"</value>
<value name="Port" type="Tdword">"PORT"</value>
<value name="Login" type="TString">"LOGIN"</value>
<value name="Password" type="TString">"PASSWORD"</value>
</key>
l If the proxy settings were not specified during the agent installation, copy the following lines
and paste them into the file between the <registry name="Global">...</registry> tags.
<key name="HttpProxy">
<value name="Enabled" type="Tdword">"1"</value>
<value name="Host" type="TString">"ADDRESS"</value>
<value name="Port" type="Tdword">"PORT"</value>
<value name="Login" type="TString">"LOGIN"</value>
<value name="Password" type="TString">"PASSWORD"</value>
</key>
3. Replace ADDRESS with the new proxy server host name/IP address, and PORT with the decimal
value of the port number.
4. If your proxy server requires authentication, replace LOGIN and PASSWORD with the proxy server
credentials. Otherwise, delete these lines from the file.
5. Save the file.
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
8. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
9. Restart the aakore service by running the following command.
10. Restart the agent by running the following command in any directory.
When working under bootable media, you might need to access the cloud storage via a proxy
server. To configure the proxy server settings, click Tools > Proxy server, and then configure the
proxy server host name/IP address, port, and credentials.
Download the agent that you need on the workload that you plan to protect. See "Downloading
protection agents" (p. 71).
Note
On Windows machines, the antimalware protection and URL filtering features require the
installation of Agent for Antimalware protection and URL filtering. It will be installed
automatically for protected workloads if the Antivirus & Antimalware protection or the
URL filtering module is enabled in their protection plans.
l To change the method of registering the workload in the Cyber Protection service. You can
switch from Use service console (default) to Use credentials or Use registration token.
l To change the installation path.
l To change the user account under which the agent service will run. For details, refer to
"Changing the logon account on Windows machines" (p. 79).
l To verify or change the proxy server host name/IP address, port, and credentials. If a proxy
server is enabled in Windows, it is detected and used automatically.
4. Click Install.
5. [Only when installing Agent for VMware] Specify the address and access credentials for the
vCenter Server or the stand-alone ESXi host on which you want to back up and recover virtual
machines, and then click Done.
Note
The user account that you specify must be granted the Log on as a service right. This account
must have already been used on the domain controller, in order for its profile folder to be
created on that machine.
For more information about installing the agent on a read-only domain controller, see this
knowledge base article.
7. If you kept the default registration method Use service console in step 3, wait until the
registration screen appears, and then proceed to the next step. Otherwise, no more actions are
required.
8. Do one of the following:
l If you log in under a company administrator account, register workloads for your company:
a. Click Register workload.
b. In the opened browser window, sign in to the Cyber Protect console and review the
registration details.
c. In the Register for account list, select the user account under which you want to register
the workload.
d. Click Check code, and then click Confirm registration.
l If you log in under a partner administrator account, register workloads for your customers:
a. Click Register workload.
b. In the opened browser window, sign in to the Cyber Protect console and review the
registration details.
c. In the Register for account list, select the user account of your customer under which you
want to register the workload.
d. Click Check code, and then click Confirm registration.
l Click Show registration info. The setup program shows the registration link and the
registration code. If you cannot complete the workload registration on the current machine,
copy the registration link and code, and then follow the registration steps on a different
machine. In this case, you will need to enter the registration code in the registration form. The
registration code is valid for one hour.
Alternatively, you can access the registration form by clicking All devices > Add, scrolling
down to Registration via code, and then clicking Register.
As a result, the workload will be assigned to the account that was used to log in to the Cyber
Protect console.
l Register the workload manually by using the command line. For more information on how to
do this, refer to "Registering and unregistering workloads manually" (p. 112).
9. [If the agent is registered under an account whose tenant is in the Enhanced security mode] Set
the encryption password.
Preparation
l Download the agent that you need on the machine that you plan to protect. See "Downloading
protection agents" (p. 71).
l Ensure that the necessary Linux packages are installed on the machine.
l When installing the agent in SUSE Linux, ensure that you use su - instead of sudo. Otherwise, the
following error occurs when you try to register the agent via the Cyber Protect console: Failed to
launch the web browser. No display available.
Some Linux distributions, such as SUSE, do not pass the DISPLAY variable when using sudo, and
the installer cannot open the browser in the graphical user interface (GUI).
Installation
To install Agent for Linux, you need at least 2 GB of free disk space.
If a proxy server is enabled in your network, when running the installation file, specify the server
host name/IP address and port in the following format: --http-proxy-host=ADDRESS
--http-proxy-port=PORT --http-proxy-login=LOGIN --http-proxy-password=PASSWORD.
If you want to change the default method of registering the machine in the Cyber Protection
service, run the installation file with one of the following parameters:
Note
Do not quit the setup program until you confirm the registration. To initiate the registration
again, you will have to restart the setup program and repeat the installation procedure.
As a result, the workload will be assigned to the account that was used to log in to the Cyber
Protect console.
6. [If the agent is registered under an account whose tenant is in the Enhanced security mode] Set
the encryption password.
7. If the UEFI Secure Boot is enabled on the machine, you are informed that you need to restart the
system after the installation. Be sure to remember what password (the one of the root user or
"acronis") should be used.
Note
The installation generates a new key that is used for signing the kernel modules. You must enroll
this new key to the Machine Owner Key (MOK) list by restarting the machine. Without enrolling
the new key, your agent will not be operational. If you enable the UEFI Secure Boot after the
agent is installed, you need to reinstall the agent.
Download the agent that you need on the workload that you plan to protect. See "Downloading
protection agents" (p. 71).
Note
Do not quit the setup program until you confirm the registration. To initiate the registration
again, you will have to restart the setup program and repeat the installation procedure.
As a result, the workload will be assigned to the account that was used to log in to the Cyber
Protect console.
l Register the workload manually by using the command line. For more information on how to
do this, refer to "Registering and unregistering workloads manually" (p. 112).
10. [If the agent is registered under an account whose tenant is in the Enhanced security mode] Set
the encryption password.
11. If your macOS version is Mojave 10.14.x or later, grant full disk access to the protection agent to
enable backup operations.
For instructions, see Grant the 'Full Disk Access' permission to the Cyber Protection agent
(64657).
12. To use the remote desktop functionality, grant the required system permissions to the Connect
Agent. For more information, see "Granting the required system permissions to the Connect
Agent" (p. 78).
l Screen Recording - enables screen recording of the macOS workload via NEAR. Until this
permission is granted, all remote control connections will be denied.
l Accessibility - enables remote connections in control mode via NEAR.
l Microphone - enables sound redirection from the remote macOS workload to the local workload
via NEAR. To enable the sound redirection feature, a sound capture driver must be installed on
the workload. For more information, see "Remote sound redirection" (p. 862).
l Automation - enables the empty Recycle bin action.
After you start the agent on the macOS workload, it will check if the agent has these rights and will
ask you to grant the permissions, if needed.
1. In the Grant required system permissions for Cyber Protect Agent dialog, click Set up system
permissions.
2. In the System permissions dialog, click Request Screen Recording permission.
3. Click Open System Preferences.
4. Select Connect Agent.
If the agent does not have the permission when you try to access the workload remotely, it will show
the Screen Recording permission request dialog. Only the local user may answer the dialog.
1. In the Grant required system permissions for Cyber Protect Agent dialog, click Set up system
permissions.
2. In the System permissions dialog, click Request Accessibility permission.
3. Click Open System Preferences.
4. Click the lock icon in the bottom-left corner of the window so that it changes to an unlocked one.
The system will ask you for an administrator password to make changes.
5. Select Connect Agent.
1. In the Grant required system permissions for the Connect Agent dialog, click Set up system
permissions.
2. In the System permissions dialog, click Request Microphone permission.
3. Click OK.
1. In the Grant required system permissions for the Connect Agent dialog, click Set up system
permissions.
2. In the System permissions dialog, click Request Automation permission.
If you chose the Create a new account or Use the following account option, ensure that the
domain security policies do not affect the related accounts' rights. If an account is deprived of the
user rights assigned during the installation, the component may work incorrectly or not work.
1. Included in the Backup Operators and Administrators groups. On a Domain Controller, the
user must be included in the group Domain Admins.
Important
Ensure that the user that you have added to the Log on as service user right is not listed in the
Deny log on as a service policy in Local Security Policy.
Note that we recommend that you do not change logon accounts manually after the installation is
completed.
l Agent for Antimalware protection and URL filtering – required for the operation of the
antimalware protection and URL filtering features.
l Agent for Data Loss Prevention – required for the operation of the device control features.
l Acronis Cyber Protection Service - required for the operation of the antimalware protection.
By default, these components are not installed. The respective component is automatically installed
if a workload becomes protected by a plan in which any of the following modules is enabled:
Similarly, if no protection plan requires antimalware protection, URL filtering, or device control
features anymore, the respective component is automatically uninstalled.
Dynamic installation or uninstallation of components takes up to 10 minutes after you change the
protection plan. However, if any of the following operations are running, dynamic installation or
uninstallation will start after this operation finishes:
l Backup
l Recovery
l Backup replication
l Virtual machine replication
l Testing a replica
l Running a virtual machine from backup (including finalization)
l Disaster recovery failover
l Disaster recovery failback
l Running a script (for Cyber Scripting functionality)
l Patch installation
l ESXi configuration backup
l By using the EXE file of the setup program and specifying the installation parameters on the
command line.
l By using an MSI file that you extract from the setup program, and specifying the installation
parameters in one of the following ways:
o In an MST file
o Directly on the command line
You do not need to extract installation packages, MSI, and MST files in advance.
To download the setup program, in the Cyber Protect console, click the account icon in the top-right
corner, and then click Downloads. The download link is also available in the Add devices pane.
1. On the command-line interface of the machine, navigate to the EXE file of the setup program.
2. To start the setup program and specify the installation parameters, run the following command:
<file path>/<EXE file> <PARAMETER 1>=<value 1> ... <PARAMETER N>=<value n>
Use spaces to separate the parameters, and commas without spaces to separate the values for a
parameter. For example:
C:\Users\Administrator\Downloads\AgentForWindows_web.exe --add-components=agentForWindows,agentForSql,commandLine --install-dir="C:\Program Files\BackupClient" --reg-address=https://eu2-cloud.company.com --reg-token=34F6-8C39-4A5C --quiet
To check the available parameters and their values, see "Parameters for unattended installation
(EXE)" (p. 83).
Examples
l Installing Agent for Windows, Agent for Antimalware and URL filtering, Command-Line Tool, and
Cyber Protect Monitor. Registering the workload in the Cyber Protection service by using a user
name and password.
C:\Users\Administrator\Downloads\AgentForWindows_web.exe --add-components=agentForWindows,agentForAmp,commandLine,trayMonitor --install-dir="C:\Program Files\BackupClient" --agent-account=system --reg-address=https://cloud.company.com --reg-login=johndoe --reg-password=johnspassword
l Installing Agent for Windows, Command-Line Tool, and Cyber Protect Monitor. Creating a new
logon account for the agent service in Windows. Registering the workload in the Cyber Protection
service by using a token.
C:\Users\Administrator\Downloads\AgentForWindows_web.exe --add-components=agentForWindows,commandLine,trayMonitor --install-dir="C:\Program Files\BackupClient" --agent-account=new --reg-address=https://eu2-cloud.company.com --reg-token=34F6-8C39-4A5C
l Installing Agent for Windows, Command-Line Tool, Agent for Oracle and Cyber Protect Monitor.
Registering the machine in the Cyber Protection service by using a user name and password.
l Installing Agent for Windows, Command-Line Tool, and Cyber Protect Monitor. Setting the user
interface language to German. Registering the machine in the Cyber Protection service by using a
token. Setting an HTTP proxy.
C:\Users\Administrator\Downloads\AgentForWindows_web.exe --add-components=agentForWindows,commandLine,agentForOracle,trayMonitor --install-dir="C:\Program Files\BackupClient" --language=de --agent-account=system --reg-address=https://eu2-cloud.company.com --reg-token=34F6-8C39-4A5C --http-proxy-address=https://my-proxy.company.com:80 --http-proxy-login=tomsmith --http-proxy-password=tomspassword
l Uninstalling all the agents and deleting their logs, tasks, and configuration settings.
This example uses the EXE file of the setup program that you downloaded originally.
C:\Users\Administrator\Downloads\AgentForWindows_web.exe --remove-components=all --quiet --delete-all-settings
Parameters Description
General parameters
The following values are available: en, bn, bg, cs, da, de,
es, fr, ko, id, it, hi, hu, ms, nl, ja, nb, pl, pt, pt_BR, ru, fi, sr,
sv, th, tr, vi, zh, zh_TW.
Registration parameters
--registration={skip | by-credentials | by-token | device-flow} Use this parameter to choose how to register the agent
after the installation.
--reg-address=<url> The URL of the Cyber Protection service. You can use this
parameter either with the --reg-login and --reg-
password parameters, or with the --reg-token parameter.
--reg-login=<login> The credentials for the account under which the agent
--agent-account={system | new | custom}
or
--agent-account-login=<login>
Use this parameter to specify the logon account under which agent service will run. For more
information about the logon accounts, see "Changing the logon account on Windows machines" (p. 79).
vCenter/ESXi parameters
Proxy parameters
--http-proxy={none | system | custom} Use this parameter to specify the HTTP proxy server that
you want to use for backup to and recovery from the
cloud storage.
Uninstallation parameters
Important
By using this parameter, you can uninstall only
components. To uninstall the product completely, go to
Windows Control Panel > Programs and Features, select
the product, and then click Uninstall.
--delete-all-settings Use this optional parameter when you use the --remove-
components parameter to delete all product logs, tasks,
and configuration settings.
For more information, see "Parameters for unattended installation (EXE)" (p. 83) and "Parameters for
unattended installation (MSI)" (p. 92).
When you install components with an MSI file, you can use an MST transform file to customize the
installation parameters. For more information on how to use the combination of MSI and MST files,
see "Installing components with MSI and MST files" (p. 90). You can use this installation method in
an Active Directory domain to install protection agents by using Windows Group Policy. For more
information, see "Deploying agents through Group Policy" (p. 153).
Alternatively, you can specify the installation parameters manually on the command line. In this
case, you do not need an MST file. For more information, see "Installing and removing components
with an MSI file and direct selection" (p. 90).
1. Run the graphical user interface of the setup program, and then click Create .mst and .msi files
for unattended installation.
2. In What to install, select the components that you want to install, and then click Done.
The installation packages for these components will be extracted from the setup program as CAB
files.
3. In Registration settings, select Use credentials or Use registration token. Depending on your
choice, specify the credentials or the registration token, and then click Done.
For more information on how to generate a registration token, see "Generating a registration
token" (p. 153).
4. [Only when installing on a domain controller] In Logon account for the agent service, select
Use the following account. Specify the user account under which the agent service will run,
and then click Done. For security reasons, the setup program does not automatically create new
accounts on a domain controller.
For more information about installing the agent on a read-only domain controller, see this
knowledge base article.
5. Review or modify other installation settings that will be added to the MST file, and then click
Proceed.
6. Select the folder in which the MSI, MST, and CAB files will be extracted, and then click Generate.
1. Extract the MSI and MST files as described in "Extracting the MSI, MST, and CAB files" (p. 89).
2. On the command-line interface of the machine on which you want to install components, run the
following command:
For example:
Installing and removing components with an MSI file and direct selection
Run the MSI file, manually select the components to install, and specify their installation parameters
on the command line. In this case, you do not need the MST file.
1. Extract the MSI file and the installation packages (CAB files) as described in "Extracting the MSI,
MST, and CAB files" (p. 89).
For this installation method, you only need the MSI and CAB files. You do not need the MST file.
2. On the command-line interface of the machine, run the following command:
msiexec /i <MSI file> <PARAMETER 1>=<value 1> ... <PARAMETER N>=<value n>
Use spaces to separate the parameters, and commas without spaces to separate the values for a
parameter. For example:
To check the available parameters and their values, see "Parameters for unattended installation
(MSI)" (p. 92).
Examples
l Installing Agent for Windows, Agent for Antimalware and URL filtering, Command-Line Tool, and
Cyber Protect Monitor. Registering the workload in the Cyber Protection service by using a user
name and password.
l Installing Agent for Windows, Command-Line Tool, and Cyber Protect Monitor. Creating a new
logon account for the agent service in Windows. Registering the workload in the Cyber Protection
service by using a token.
l Installing Agent for Windows, Command-Line Tool, Agent for Oracle and Cyber Protect Monitor.
Registering the machine in the Cyber Protection service by using a user name and a password
encoded in base64. You might need to encode your password if it contains special characters or
blank spaces. For more information about how to encode a password, see "Passwords with
special characters or blank spaces" (p. 116).
l Installing Agent for Windows, Command-Line Tool, and Cyber Protect Monitor. Registering the
machine in the Cyber Protection service by using a token. Setting an HTTP proxy.
l Uninstalling all the agents and deleting their logs, tasks, and configuration settings.
You can also use additional msiexec parameters, as described in the Microsoft documentation.
Parameters Description
General parameters
Note
You must extract the installation files for all components
that you want to install. For more information about
how to extract them, see "Extracting the MSI, MST, and
CAB files" (p. 89).
/l*v <log file> Specify this parameter to save a verbose log. This log is
needed if you have to investigate installation issues.
The following values are available: en, bn, bg, cs, da, de,
es, fr, ko, id, it, hi, hu, ms, nl, ja, nb, pl, pt, pt_BR, ru, fi, sr,
FSS_ONBOARDING_AUTO_START={0,1} Use this parameter with value set to 1 to show the File
Sync & Share on-boarding wizard after an unattended
installation.
Registration parameters
REGISTRATION_ADDRESS The URL of the Cyber Protection service. You can use this
parameter either with the REGISTRATION_LOGIN and
REGISTRATION_PASSWORD parameters, or with
REGISTRATION_TOKEN.
REGISTRATION_LOGIN, REGISTRATION_PASSWORD The credentials for the account under which the agent
will be registered in the Cyber Protection service. This cannot be a partner administrator account.
REGISTRATION_PASSWORD_ENCODED The password for the account under which the agent will
be registered in the Cyber Protection service, encoded in
base64. For more information on how to encode your
password, see "Passwords with special characters or
blank spaces" (p. 116).
MMS_USE_SYSTEM_ACCOUNT={0,1} Use this parameter with value 1, to make the service run
under the Local System logon account.
vCenter/ESXi parameters
SET_ESX_SERVER={0,1} Use this parameter when you install Agent for VMware.
ESX_USER=<user name>, ESX_PASSWORD=<password> The access credentials to vCenter Server or the ESXi host.
Proxy parameters
HTTP_PROXY_ADDRESS=<IP address>, HTTP_PROXY_PORT=<port> Use these parameters to specify the HTTP
proxy server that the agent will use. If you do not use a proxy server, do not specify these
parameters.
Uninstallation parameters
1. Open Terminal.
l To start the installation by specifying the parameters on the command line, run the following
command:
Here, <package name> is the name of the installation package (an .i686 or an .x86_64 file). All
available parameters and their values are described in "Unattended installation or uninstallation
parameters".
l To start the installation with parameters that are specified in a separate text file, run the following
command:
This approach might be useful if you don't want to enter sensitive information on the command
line. In this case, you can specify the configuration settings in a separate text file and ensure that
only you can access it. Put each parameter on a new line, followed by the desired value, for
example:
--rain=https://cloud.company.com
--login=johndoe
--password=johnspassword
--auto
or
-C
https://cloud.company.com
-g
If the same parameter is specified both on the command line and in the text file, the command
line value takes precedence.
3. If UEFI Secure Boot is enabled on the machine, you are informed that you need to restart the
system after the installation. Be sure to remember what password (that of the root user or
"acronis") should be used. During the system restart, opt for MOK (Machine Owner Key)
management, choose Enroll MOK, and then enroll the key by using the recommended password.
If you enable UEFI Secure Boot after the agent installation, repeat the installation, including step 3.
Otherwise, backups will fail.
The minimal configuration for unattended installation includes -a and registration parameters (for
example, --login and --password parameters; --rain and --token parameters). You can use more
parameters to customize your installation.
Installation parameters
Basic parameters
{-i |--id=}<list of components>
The components to be installed, separated by commas and without space characters. The
following components are available in the .x86_64 installation package:
Agent for Virtuozzo, Agent for Oracle, and Agent for MySQL/MariaDB require that Agent for
Linux is also installed.
The installation and registration process will complete without any further user interaction.
When using this parameter, you must specify the account under which the agent will be registered
in the Cyber Protection service, either by using the --token parameter, or by using the --login and
--password parameters.
{-t|--strict}
If the parameter is specified, any warning that occurs during the installation results in
installation failure. Without this parameter, the installation completes successfully even in the case
of warnings.
{-n|--nodeps}
The absence of required Linux packages will be ignored during the installation.
{-d|--debug}
--options-file=<location>
The installation parameters will be read from a text file instead of the command line.
--language=<language ID>
The product language. Available values are as follows: en, bg, cs, da, de, es, fr, hu, id,
it, ja, ko, ms, nb, nl, pl, pt, pt_BR, ru, fi, sr, sv, tr, zh, zh_TW.
If this parameter is not specified, the product language will be defined by your system language on
the condition that it is in the list above. Otherwise, the product language will be set to English (en).
Registration parameters
Specify one of the following parameters:
Credentials for the account under which the agent will be registered in the Cyber Protection
service. This cannot be a partner administrator account.
l --token=<token>
The registration token is a series of 12 characters, separated by hyphens in three segments. You
can generate one in the Cyber Protect console, as described in "Deploying agents through Group
Policy".
You cannot use the --token parameter along with the --login, --password, and
--register-with-credentials parameters.
o {-C|--rain=}<service address>
The URL of the Cyber Protection service.
You don't need to include this parameter explicitly when you use --login and --password
parameters for registration, because the installer uses the correct address by default – this
However, when you use {-C|--rain=} with the --token parameter, you must specify the exact
datacenter address. This is the URL that you see once you are logged in to the Cyber
Protection service. For example:
l --register-with-credentials
If this parameter is specified, the installer's graphical interface will start. To finish the
registration, enter the user name and password for the account under which the agent will be
registered in the Cyber Protection service. This cannot be a partner administrator account.
l --skip-registration
Use this parameter if you need to install the agent but you plan to register it in the Cyber
Protection service later. For more information on how to do this, refer to "Registering machines
manually".
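The registration rules above, together with the advice to keep a separate options file private, can be checked before the installer runs. The following script is an added example, not part of the original guide or the vendor's tooling: the function names are hypothetical, the token pattern (three groups of four alphanumeric characters) is an assumption inferred from the sample token 34F6-8C39-4A5C, and only the options file is inspected, so parameters passed on the command line are not seen.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight lint for an installer options file.

# Permission bits of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Assumption: a token is three groups of four alphanumerics (12 characters),
# inferred from the guide's sample 34F6-8C39-4A5C.
token_format_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}$'
}

# lint_options_file <path>
# Prints one line per finding; exit status is the number of findings (0 = clean).
lint_options_file() {
    file=$1
    findings=0
    has_token=0; has_creds=0; has_rain=0; token=; prev=

    if [ ! -f "$file" ]; then
        echo "options file not found: $file"
        return 1
    fi

    # "Ensure that only you can access it": no group or other permission bits.
    mode=$(file_mode "$file")
    case $mode in
        *00) ;;
        *) echo "mode $mode lets group or other users access the file"
           findings=$((findings + 1)) ;;
    esac

    # One parameter per line; the last line may lack a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            --token=*) has_token=1; token=${line#--token=} ;;
            --login=*|--password=*|--register-with-credentials) has_creds=1 ;;
            --rain=*) has_rain=1 ;;
        esac
        # Short form shown in the guide: "-C" on one line, the URL on the next.
        if [ "$prev" = "-C" ] && [ -n "$line" ]; then has_rain=1; fi
        prev=$line
    done < "$file"

    if [ "$has_token" -eq 1 ]; then
        if [ "$has_creds" -eq 1 ]; then
            echo "--token cannot be combined with --login, --password or --register-with-credentials"
            findings=$((findings + 1))
        fi
        if [ "$has_rain" -eq 0 ]; then
            echo "--token is used without the exact datacenter address (--rain or -C)"
            findings=$((findings + 1))
        fi
        if ! token_format_ok "$token"; then
            echo "token is not 12 characters in three hyphen-separated segments"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Constructed sample: write an options file that only the owner can read.
write_sample_options() {
    ( umask 077
      printf '%s\n' '--rain=https://eu2-cloud.company.com' \
                    '--token=34F6-8C39-4A5C' '--auto' > "$1" )
}

# Demo on constructed input in a private temporary directory.
demo_dir=$(mktemp -d)
write_sample_options "$demo_dir/agent.options"
if lint_options_file "$demo_dir/agent.options"; then
    echo "options file passes the checks"
fi
rm -rf "$demo_dir"
```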
Additional parameters
--http-proxy-host=<IP address> and --http-proxy-port=<port>
The HTTP proxy server that the agent will use for backup and recovery from the cloud, and
for connection to the management server. Without these parameters, no proxy server will be used.
The credentials for the HTTP proxy server. Use these parameters if the server requires
authentication.
--tmp-dir=<location>
Specifies the folder where the temporary files are stored during the installation. The default
folder is /var/tmp.
{-s|--disable-native-shared}
Redistributable libraries will be used during the installation, even though they might have
already been present on your system.
--skip-prereq-check
There will be no check of whether the packages required for compiling the snapapi module
are already installed.
--force-weak-snapapi
--skip-svc-start
The services will not start automatically after the installation. Most often, this parameter is
used with the --skip-registration one.
Information parameters
{-?|--help}
--usage
{-v|--version}
--product-info
--snapapi-list
--components-list
{-e|--ssl=}<path>
{-p|--port=}<port>
Specifies the port on which agent.exe listens for connections. The default port is 9876.
Uninstallation parameters
{-u|--uninstall}
--purge
Uninstalls the product and removes its logs, tasks, and configuration settings. You don't
need to specify the --uninstall parameter explicitly when you use the --purge one.
l Installing Agent for Linux, Agent for Virtuozzo, and Agent for Oracle, and registering them by
using credentials.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -a --login=johndoe --password=johnspassword
l Installing Agent for Oracle and Agent for Linux, and registering them by using a registration
token.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -i BackupAndRecoveryAgent,OracleAgentFeature -a --rain=https://eu2-cloud.company.com --token=34F6-8C39-4A5C
l Installing Agent for Linux, Agent for Virtuozzo, and Agent for Oracle with configuration settings in
a separate text file.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -a --options-file=/home/mydirectory/configuration_file
l Uninstalling Agent for Linux, Agent for Virtuozzo, and Agent for Oracle, and removing all their
logs, tasks, and configuration settings.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -a --purge
Required permissions
Before you initiate an unattended installation on a macOS workload, you must modify the Privacy
Preferences Policy Control (PPPC) to allow app access and kernel and system extensions in the macOS of
the workload. This enables the installation of the Cyber Protection agent. See "Required permissions for
unattended installation in macOS" (p. 105).
After you deploy the PPPC payload, you can proceed with the procedures below.
1. Create a temporary directory where you will mount the installation file (.dmg).
mkdir <dmg_root>
Here, <dmg_file> is the name of the installation file. For example,
Cyber_Protection_Agent_for_MAC_x64.dmg.
3. Run the installer.
l If you use a full installer for Mac, like CyberProtect_AgentForMac_x64.dmg or
CyberProtect_AgentForMac_arm64.dmg, run the following command.
Note
If you need to enable auto-onboarding for File Sync & Share, run the following command
instead. This option will request the administrator password.
l If you use a universal installer for Mac, like CyberProtect_AgentForMac_web.dmg, run the
following command.
sudo <dmg_root>/Install.app/Contents/MacOS/cyber_installer -a
Examples
l
mkdir mydirectory
l Register the agent under a specific account, by using a user name and password.
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -a <Cyber Protection service address> -t cloud -u <user name> -p <password> -o register
Here:
<Cyber Protection service address> is the address that you use to log in to the Cyber Protection
service. For example:
<user name> and <password> are the credentials for the account under which the agent will be
registered. This cannot be a partner administrator account.
l Register the agent by using a registration token.
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -a <Cyber Protection service address> -t cloud -o register --token <token>
The registration token is a series of 12 characters, separated by hyphens in three segments. You
can generate one in the Cyber Protect console, as described in "Deploying agents through Group
Policy".
When you use a registration token, you must specify the exact datacenter address. This is the URL
that you see once you are logged in to the Cyber Protection service. For example:
Examples
l Registration with a user name and password.
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -a https://cloud.company.com -t cloud -u johndoe -p johnspassword -o register
To remove all logs, tasks and configuration settings during the uninstallation, run the following
command:
sudo /Library/Application\ Support/BackupClient/Acronis/Cyber\ Protect\ Agent\ Uninstall.app/Contents/MacOS/AgentUninstall /confirm /purge
APP OR SERVICE: SystemPolicyAllFiles
ACCESS: Allow
Kernel Extension Bundle IDs:
l com.acronis.systeminterceptors
l com.acronis.ngscan
l com.acronis.notifyframework
You can also register a workload manually, by using the command line interface. You might need to
use the manual registration, for example, if the automatic registration fails or if you want to move a
workload to a new tenant or under a new user account.
In Windows
For example:
In Linux
For example:
In macOS
For example:
Note
Use the user name and password for the account under which you want to register the workload.
This cannot be a partner administrator account.
The service address is the URL that you use to log in to the Cyber Protection service. For example,
https://cloud.company.com.
Important
If your password contains special characters or blank spaces, refer to "Passwords with special
characters or blank spaces" (p. 116).
For example:
In Linux
For example:
In macOS
For example:
Virtual appliance
1. In the console of the virtual appliance, press CTRL+SHIFT+F2 to open the command-line
interface.
2. At the command prompt, run the following command:
For example:
The registration token is a series of 12 characters, separated by hyphens in three segments. For
more information on how to generate one, refer to "Generating a registration token" (p. 153).
To unregister a workload
In Windows
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o unregister
For example:
"C:\Program Files\BackupClient\RegisterAgentTool\register_agent.exe" -o unregister
In Linux
In macOS
Virtual appliance
1. In the console of the virtual appliance, press CTRL+SHIFT+F2 to open the command-line
interface.
2. At the command prompt, run the following command:
register_agent -o unregister
For more information about how to register a workload in a new tenant or under a new user
account, see "Changing the registration of a workload" (p. 116).
Command template:
Command example:
If this command fails, encode your password into base64 format at https://www.base64encode.org/.
Then, at the command line, specify the encoded password by using the -b or --base64 parameter.
Command template:
Command example:
"C:\Program Files\BackupClient\RegisterAgentTool\register_agent.exe" -o register -t cloud -a https://cloud.company.com -u johndoe -b -p am9obnNwYXNzd29yZA==
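The password can also be encoded locally, so that it is never typed into a website. The following script is an added example, not part of the original guide; the function names are hypothetical, and `base64 -d` assumes GNU coreutils or a recent macOS. Base64 is an encoding, not encryption, so the encoded value needs the same handling as the password itself.

```shell
#!/bin/sh
# Added example (not vendor code): base64-encode a password locally
# for use with the -b / --base64 parameter.

# Encode exactly the bytes of the password: printf '%s' adds no newline,
# and tr removes the line wrapping that base64 applies to long output.
encode_password() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# The common mistake, kept for comparison: echo appends a newline, so the
# encoded value stands for a different password ("password" plus "\n").
naive_encode() {
    echo "$1" | base64 | tr -d '\n'
}

# Round-trip check: decode the result and compare it with the original.
# The trailing "x" keeps command substitution from stripping final newlines.
roundtrip_ok() {
    decoded=$(printf '%s' "$(encode_password "$1")" | base64 -d; printf x)
    [ "${decoded%x}" = "$1" ]
}

# Constructed sample password with blank spaces and a special character.
sample='john s&pass word'
if roundtrip_ok "$sample"; then
    printf 'value for -b -p: %s\n' "$(encode_password "$sample")"
fi
```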
If you register the workload in a new tenant, the workload will lose access to the backups in the
cloud storage of the original tenant. The backups in non-cloud storages will remain accessible.
You can change the registration of a workload by using the command line or by using the GUI
installer. When you use the command line, you do not need to uninstall the agent.
1. Unregister the protection agent, as described in "To unregister a workload" (p. 115).
2. Register the protection agent in the new tenant or under the new user account, as described in
"To register a workload by using a user name and password" (p. 112) or in "To register a
workload by using a registration token" (p. 113).
For more information about how to install and register an agent, refer to "Installing protection
agents" (p. 71).
Autodiscovery of machines
Using autodiscovery, you can:
l Automate the installation of protection agents and the registration of machines by detecting the
machines in your Active Directory domain or local network.
l Install and update protection agents on multiple machines.
l Use synchronization with Active Directory to reduce the effort of provisioning
resources and managing machines in a large Active Directory domain.
Prerequisites
To perform autodiscovery, you need at least one machine with an installed protection agent in your
local network or Active Directory domain. This agent is used as a discovery agent.
Remote installation of agents is supported only for machines running Windows (Windows XP is not
supported). For remote installation on a machine running Windows Server 2012 R2, you must have
Windows update KB2999226 installed on this machine.
During an Active Directory discovery, the discovery agent, in addition to the list above, collects
information about the Organizational Unit (OU) of the machines and detailed information about
their names and operating systems. However, the IP and MAC addresses are not collected.
The machines that are shown in the Cyber Protect console fall into the following categories:
l Discovered – Machines that are discovered, but a protection agent is not installed on them.
l Managed – Machines on which a protection agent is installed.
l Unprotected – Machines to which a protection plan is not applied. Unprotected machines
include both discovered machines and managed machines with no protection plan applied.
l Protected – Machines to which a protection plan is applied.
Note
Remote installation of agents is not supported for Domain Controllers due to the additional
permissions required for the agent service to run.
Note
Autodiscovery is not supported for adding Domain Controllers due to additional permissions
required for the agent service to run.
To discover machines
156.85.34.10
156.85.53.32
156.85.53.12
EN-L00000100
EN-L00000101
After adding machine addresses manually or importing from a file, the agent tries to ping the
added machines and define their availability.
9. Select what actions must be performed after the discovery:
l Install agents and register machines. You can select which components to install on the
machines by clicking Select components. For more details, refer to "Selecting components
for installation" (p. 124).
On the Select components screen, define the account under which the services will run by
specifying Logon account for the agent service. You can select one of the following:
o Use Service User Accounts (default for the agent service)
Service User Accounts are Windows system accounts that are used to run services. The
advantage of this setting is that the domain security policies do not affect these accounts'
user rights. By default, the agent runs under the Local System account.
o Create a new account
The account name will be Agent User for the agent.
o Use the following account
Important
Remote installation of the agent works without any preparation only if you specify the
credentials of the built-in administrator account (the first account created when the operating
system is installed). If you want to use custom administrator credentials, you must first
prepare the machine manually, as described in "Preparing a machine for remote
installation" (p. 123).
When the discovery of machines is initiated, you will find the corresponding task in Monitoring >
Activities > Discovering machines activity.
To disable UAC
Note
For security reasons, we recommend that after finishing the management operation (for example,
remote installation), you revert both settings to their original state: EnableLUA=1 and
LocalAccountTokenFilterPolicy=0.
Component Description
Mandatory component
Agent for Windows: This agent backs up disks, volumes, and files, and will be installed on Windows
machines. It is always installed and cannot be deselected.
Additional components
Agent for Data Loss Prevention: This agent enables you to limit the user access to local and
redirected peripheral devices, ports, and clipboard on machines under protection plans. It will be
installed if selected.
Antimalware and URL filtering: This component enables the Antivirus & Antimalware protection module
and URL filtering module in protection plans. Even if you select not to install it, it will be
automatically installed later, if any of these modules is enabled in a protection plan for the
machine.
Agent for SQL: This agent backs up SQL Server databases and will be installed on machines running
Microsoft SQL Server. It will be installed if selected and the application is detected on a machine.
Agent for Exchange: This agent backs up Exchange databases and mailboxes and will be installed on
machines running the Mailbox role of Microsoft Exchange Server. It will be installed if selected and
the application is detected on a machine.
Agent for Active Directory: This agent backs up the data of Active Directory Domain Services and
will be installed on domain controllers. It will be installed if selected and the application is
detected on a machine.
Agent for VMware (Windows): This agent backs up VMware virtual machines and will be installed on
Windows machines that have network access to vCenter Server. It will be installed if selected.
Agent for Microsoft 365: This agent backs up Microsoft 365 mailboxes to a local destination and will
be installed on Windows machines. It will be installed if selected.
Agent for Oracle: This agent backs up Oracle databases and will be installed on machines running
Oracle Database. It will be installed if selected.
Cyber Protection Monitor: This component enables a user to monitor execution of running tasks in the
notification area and will be installed on Windows machines. It will be installed if selected.
Supported on Windows 7 Service Pack 1 and later, and Windows Server 2008 R2 Service
Pack 1 and later.
This section is divided into subsections by the discovery method used. The full list of machine
parameters is shown below (it may vary depending on the discovery method):
Name Description
Name: The name of the machine. The IP address will be shown if the name of the machine
could not be discovered.
Discovery type: The discovery method that was used to detect the machine.
Organizational unit: The organizational unit in Active Directory that the machine belongs to. This
column is shown if you view the list of machines in Unmanaged machines > Active Directory.
There is an Exceptions section, where you can add the machines that must be skipped during the
discovery process. For example, if you do not need specific machines to be discovered, you can
add them to this list.
To add a machine to Exceptions, select it in the list and click Add to exceptions. To remove a
machine from Exceptions, go to Unmanaged machines > Exceptions, select the machine, and
click Remove from exceptions.
You can install the protection agent and register a batch of discovered machines in Cyber Protection
by selecting them in the list and clicking Install and register. The opened wizard also allows you to
assign the protection plan to a batch of machines.
After the protection agent is installed on machines, those machines will be shown in the Devices >
Machines with agents section.
To check your protection status, go to Monitoring > Overview and add the Protection status
widget or the Discovered machine widget.
Troubleshooting
If you have any issues with the autodiscovery functionality, check the following:
l In the “Control Panel\Network and Sharing Center\Advanced sharing settings” turn on network
discovery.
To improve the backup performance and avoid failures related to insufficient RAM, we
recommend that you increase these resources to 16 GB of RAM and 4 vCPUs in more demanding
cases. For example, increase the assigned resources when you expect the backup traffic to exceed
100 MB per second (for example, in 10-Gigabit networks) or if you simultaneously back up multiple
virtual machines with large hard drives (500 GB or more).
The appliance's own virtual disks occupy no more than 6 GB. Thick or thin disk format does not
matter, because it does not affect the appliance performance.
It is normal to use both the virtual appliance and Agent for VMware (Windows) at the same time, as
long as they are connected to the same vCenter Server or they are connected to different ESXi hosts.
Avoid cases when one agent is connected to an ESXi directly and another agent is connected to the
vCenter Server which manages this ESXi.
We do not recommend that you use locally attached storage (i.e. storing backups on virtual disks
added to the virtual appliance) if you have more than one agent. For more considerations, see
"Using a locally attached storage" (p. 604).
Note
With this method, you need a registration token. For more information about how to
generate one, refer to "Generating a registration token" (p. 153).
<key name="HttpProxy">
<value name="Enabled" type="Tdword">"1"</value>
<value name="Host" type="TString">"ADDRESS"</value>
<value name="Port" type="Tdword">"PORT"</value>
<value name="Login" type="TString">"LOGIN"</value>
<value name="Password" type="TString">"PASSWORD"</value>
</key>
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
i. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
j. Run the reboot command.
Note
To be able to update a virtual appliance deployed behind a proxy, edit the appliance config.yaml
file (/opt/acronis/etc/va-updater/config.yaml), by adding the following line to the bottom of
that file, and then entering values specific to your environment:
httpProxy: http://<proxy_login>:<proxy_password>@<proxy_address>:<port>
For example:
httpProxy: http://mylogin:[email protected]:8080
If you have more than one agent in a cluster, the virtual machines are automatically evenly
distributed between the agents, so that each agent manages a similar number of machines.
Automatic redistribution occurs when the load imbalance among the agents reaches 20 percent.
This may happen after you add or remove a machine or an agent. For example, you realize that you
need more agents to help with throughput and you deploy an additional virtual appliance to the
cluster. The management server will assign the most appropriate machines to the new agent. The
old agents' load will reduce. When you remove an agent from the management server, the
machines assigned to the agent are redistributed among the remaining agents. However, this will
not happen if an agent gets corrupted or is deleted manually from the Scale Computing HC3 cluster.
Redistribution will start only after you remove such an agent from the Cyber Protect console.
1. In the Cyber Protect console, click Devices, and then select Scale Computing.
2. Click the gear icon in the upper right corner of the table, and under System, select the Agent
check box.
3. Check the name of the agent in the column that appears.
After the deployment completes, you must configure the virtual appliance. For more information on
how to configure it, refer to "Configuring the virtual appliance" (p. 133).
Note
If you need more than one virtual appliance in your cluster, repeat the steps above and deploy
additional virtual appliances. Do not clone an existing virtual appliance by using the Clone
VM option in the Scale Computing HC3 web interface.
Note
With this method, you need a registration token. For more information about how to
generate one, refer to "Generating a registration token" (p. 153).
Note
When you use a registration token, you must specify the exact data center address. This is
the URL that you see after you log in to the Cyber Protect console. For example,
https://eu2-cloud.company.com.
<key name="HttpProxy">
<value name="Enabled" type="Tdword">"1"</value>
<value name="Host" type="TString">"ADDRESS"</value>
<value name="Port" type="Tdword">"PORT"</value>
<value name="Login" type="TString">"LOGIN"</value>
<value name="Password" type="TString">"PASSWORD"</value>
</key>
l Otherwise, copy the above lines and paste them into the file between the <registry
name="Global">...</registry> tags.
d. Replace ADDRESS with the new proxy server host name/IP address, and PORT with the decimal
value of the port number.
e. If your proxy server requires authentication, replace LOGIN and PASSWORD with the proxy server
credentials. Otherwise, delete these lines from the file.
f. Save the file.
g. Open the file /opt/acronis/etc/aakore.yaml in a text editor.
h. Locate the env section or create it and add the following lines:
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
i. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
j. Run the reboot command.
Note
To be able to update a virtual appliance deployed behind a proxy, edit the appliance config.yaml
file (/opt/acronis/etc/va-updater/config.yaml), by adding the following line to the bottom of
that file, and then entering values specific to your environment:
httpProxy: http://<proxy_login>:<proxy_password>@<proxy_address>:<port>
For example:
httpProxy: http://mylogin:[email protected]:8080
Operation Role
VM Create/Edit
VM Delete
VM Create/Edit
VM Power Control
VM Delete
Cluster Settings
VM Create/Edit
VM Power Control
VM Delete
Cluster Settings
Note
To ensure that backups with enabled Volume Shadow Copy Service (VSS) for virtual machines
backup option run properly and capture data in application-consistent state, verify that Virtuozzo
Guest Tools are installed and up-to-date on the protected virtual machines.
2 vCPUs and 4 GB of RAM (medium flavor) are optimal and sufficient for most operations. To
improve the backup performance and avoid failures related to insufficient RAM, we
recommend that you increase these resources to 4 vCPUs and 8 GB of RAM in more demanding
cases. For example, increase the assigned resources when you expect the backup traffic to exceed
If you have more than one agent in a cluster, the virtual machines are automatically evenly
distributed between the agents, so that each agent manages a similar number of machines.
Automatic redistribution occurs when the load imbalance among the agents reaches 20 percent.
This may happen after you add or remove a machine or an agent. For example, you realize that you
need more agents to help with throughput and you deploy an additional virtual appliance to the
cluster. The management server will assign the most appropriate machines to the new agent. The
old agents' load will reduce. When you remove an agent from the management server, the
machines assigned to the agent are redistributed among the remaining agents. However, this will
not happen if an agent gets corrupted or is deleted manually from the Virtuozzo Hybrid
Infrastructure node. Redistribution will start only after you remove such an agent from the Cyber
Protection web interface.
1. In the Cyber Protect console, click Devices, and then select Virtuozzo Hybrid Infrastructure.
2. Click the gear icon in the upper right corner of the table, and under System, select the Agent
check box.
3. Check the name of the agent in the column that appears.
Limitations
l Virtuozzo Hybrid Infrastructure appliance cannot be deployed remotely.
l Application-aware backup of virtual machines is not supported.
Network requirements for the Agent for Virtuozzo Hybrid Infrastructure (Virtual
Appliance)
l The virtual appliance requires 2 network adapters.
l The virtual appliance must be connected to Virtuozzo networks with the following network traffic
types:
o Compute API
o VM Backup
For more information about configuring the networks, see Compute cluster requirements in the
Virtuozzo documentation.
1. Create an environment file for the system administrator. To do this, run the following script in
the Virtuozzo Hybrid Infrastructure cluster via the OpenStack Command-Line Interface. For more
information on how to connect to this interface, refer to Connecting to OpenStack command-line
interface in the Virtuozzo Hybrid Infrastructure documentation.
su - vstoradmin
kolla-ansible post-deploy
exit
. /etc/kolla/admin-openrc.sh
Here, <username> is the Virtuozzo Hybrid Infrastructure account with the Administrator role in
the Default domain. The virtual appliance will use this account in order to back up and restore
the virtual machines in any child project under the Default domain.
Example
su - vstoradmin
kolla-ansible post-deploy
exit
. /etc/kolla/admin-openrc.sh
openstack --insecure user set --project admin --project-domain Default --domain Default johndoe
openstack --insecure role add --domain Default --user johndoe --user-domain Default compute --inherited
openstack --insecure role add --domain <domain name> --inherited --user <username> --user-domain Default admin
Here, <domain name> is the domain whose projects the <username> account will have access to.
Example
openstack --insecure role add --domain MyNewDomain --inherited --user johndoe --user-domain Default admin
After granting access to projects, check what roles are assigned to the account.
Example
openstack --insecure role assignment list --user johndoe --names -c Role -c User -c Project -c Domain
+--------------+-----------------+---------+-------------+
| Role         | User            | Project | Domain      |
+--------------+-----------------+---------+-------------+
| admin        | johndoe@Default |         | MyNewDomain |
| compute      | johndoe@Default |         | Default     |
| domain_admin | johndoe@Default |         | Default     |
| domain_admin | johndoe@Default |         | Default     |
+--------------+-----------------+---------+-------------+
In this example, the options -c Role, -c User, -c Project, and -c Domain are used to abridge the
command output to fit the page.
To check what effective roles are assigned to the account in all projects, run the following command
as well.
openstack --insecure role assignment list --user johndoe --names --effective -c Role -c User -c Project -c Domain
+--------------+-----------------+-----------------+---------+
| Role         | User            | Project         | Domain  |
+--------------+-----------------+-----------------+---------+
| domain_admin | johndoe@Default |                 | Default |
| compute      | johndoe@Default | admin@Default   |         |
| compute      | johndoe@Default | service@Default |         |
| domain_admin | johndoe@Default | admin@Default   |         |
| domain_admin | johndoe@Default | service@Default |         |
| project_user | johndoe@Default | service@Default |         |
| member       | johndoe@Default | service@Default |         |
| reader       | johndoe@Default | service@Default |         |
| project_user | johndoe@Default | admin@Default   |         |
| member       | johndoe@Default | admin@Default   |         |
| reader       | johndoe@Default | admin@Default   |         |
| project_user | johndoe@Default |                 | Default |
| member       | johndoe@Default |                 | Default |
| reader       | johndoe@Default |                 | Default |
+--------------+-----------------+-----------------+---------+
In this example, the options -c Role, -c User, -c Project, and -c Domain are used to abridge the
command output to fit the page.
5. Register the appliance in the Cyber Protection service by using one of the following methods.
l [Only for tenants without two-factor authentication] Register the appliance in its graphical
interface.
a. Under Agent options, in the Management Server field, click Change.
b. In the Server name/IP field, select Cloud.
The Cyber Protection service address appears. Do not change this address unless
instructed otherwise.
c. In the User name and Password fields, specify the credentials for your account in the
Cyber Protection service. The virtual appliance and the virtual machines that the appliance
manages are registered under this account.
d. Click OK.
l Register the appliance in the command-line interface.
Note
With this method, you need a registration token. For more information about how to
generate one, refer to "Generating a registration token" (p. 153).
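The role check earlier in this procedure (openstack role assignment list) can be automated. The following is an added example, not part of the original guide or of any Acronis or Virtuozzo tooling: it parses the CLI table and compares the account's grants with an approved baseline, so that missing, extra, or duplicated grants stand out. The baseline set, the function names, and the embedded sample (constructed from the johndoe example output) are assumptions of this example.

```python
"""Audit `openstack role assignment list --names` output for the backup account."""
from collections import Counter

# Constructed sample input: the abridged listing from the guide's johndoe example.
SAMPLE_OUTPUT = """\
+--------------+-----------------+---------+-------------+
| Role         | User            | Project | Domain      |
+--------------+-----------------+---------+-------------+
| admin        | johndoe@Default |         | MyNewDomain |
| compute      | johndoe@Default |         | Default     |
| domain_admin | johndoe@Default |         | Default     |
| domain_admin | johndoe@Default |         | Default     |
+--------------+-----------------+---------+-------------+
"""

# Assumption for this example: the grants the johndoe walkthrough ends with are
# the approved baseline. Each entry is (role, scope kind, scope name).
APPROVED = {
    ("admin", "domain", "MyNewDomain"),
    ("compute", "domain", "Default"),
    ("domain_admin", "domain", "Default"),
}


def parse_table(text):
    """Turn the CLI's ASCII table into a list of dicts keyed by column header."""
    header, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # border lines (+----+) and anything that is not a row
        cells = [cell.strip() for cell in line[1:-1].split("|")]
        if header is None:
            header = cells
        elif len(cells) != len(header):
            raise ValueError(f"malformed row: {raw!r}")
        else:
            rows.append(dict(zip(header, cells)))
    if header is None:
        raise ValueError("no table found in input")
    return rows


def to_grant(row):
    """Reduce a row to (role, scope kind, scope name)."""
    project, domain = row.get("Project", ""), row.get("Domain", "")
    if project and domain:
        raise ValueError(f"row has both Project and Domain set: {row}")
    if project:
        return (row["Role"], "project", project)
    if domain:
        return (row["Role"], "domain", domain)
    # Neither column is filled in this abridged view; surface it for review.
    return (row["Role"], "unscoped", "")


def audit(text, user, approved):
    """Compare the listed grants for `user` against the approved baseline."""
    rows = parse_table(text)
    counts = Counter(to_grant(r) for r in rows if r["User"] == user)
    return {
        "missing": sorted(approved - set(counts)),
        "unexpected": sorted(set(counts) - approved),
        "duplicates": sorted(g for g, n in counts.items() if n > 1),
        "other_users": sorted({r["User"] for r in rows if r["User"] != user}),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_OUTPUT, "johndoe@Default", APPROVED).items():
        print(f"{key}: {value}")
```

Run against the --effective listing, the same audit also shows the per-project roles that the inherited domain grants expand to, which is where unintended access usually becomes visible.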
<key name="HttpProxy">
<value name="Enabled" type="Tdword">"1"</value>
<value name="Host" type="TString">"ADDRESS"</value>
<value name="Port" type="Tdword">"PORT"</value>
<value name="Login" type="TString">"LOGIN"</value>
<value name="Password" type="TString">"PASSWORD"</value>
</key>
l Otherwise, copy the above lines and paste them into the file between the <registry
name="Global">...</registry> tags.
d. Replace ADDRESS with the new proxy server host name/IP address, and PORT with the decimal
value of the port number.
e. If your proxy server requires authentication, replace LOGIN and PASSWORD with the proxy server
credentials. Otherwise, delete these lines from the file.
f. Save the file.
g. Open the file /opt/acronis/etc/aakore.yaml in a text editor.
h. Locate the env section or create it and add the following lines:
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
i. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
j. Run the reboot command.
httpProxy: http://<proxy_login>:<proxy_password>@<proxy_address>:<port>
For example:
httpProxy: http://mylogin:[email protected]:8080
If you have more than one agent in the data center, the virtual machines are automatically
distributed between the agents, so that each agent manages a similar number of machines.
Automatic redistribution occurs when the load imbalance among the agents reaches 20 percent.
This may happen after you add or remove a machine or an agent. For example, you realize that you
need more agents to help with throughput and you deploy an additional virtual appliance to the
data center. The management server will assign the most appropriate machines to the new agent.
The old agents' load will reduce. When you remove an agent, the machines assigned to the agent
are redistributed among the remaining agents. However, this will not happen if an agent gets
corrupted or is deleted manually from Red Hat Virtualization/oVirt Administration Portal.
Redistribution will start only after you remove such an agent from the Cyber Protect console.
1. In the Cyber Protect console, click Devices, and then select oVirt.
2. Click the gear icon in the upper right corner of the table, and under System, select the Agent
check box.
3. Check the name of the agent in the column that appears.
Limitations
The following operations are not supported for Red Hat Virtualization/oVirt virtual machines:
l Application-aware backup
l Running a virtual machine from a backup
l Replication of virtual machines
l Changed block tracking
7. Click the vertical ellipsis icon above the main table, and then click Import.
8. In the Import Virtual Machine(s) window, do the following:
a. In Data center, select the data center that you want to protect.
b. In Source, select Virtual Appliance (OVA).
c. In Host, select the host on which you uploaded the .ova file.
d. In File Path, specify the path to the directory that contains the .ova file.
e. Click Load.
The oVirt virtual appliance template from the .ova file appears in the Virtual Machines on
Source panel.
If the template does not appear in this panel, ensure that you have specified the correct path
to the file, the file is not damaged, and the host can be reached.
f. In Virtual Machines on Source, select the oVirt virtual appliance template, and then click the
right arrow.
The template appears in the Virtual machines to import panel.
g. Click Next.
9. In the new window, click the appliance name, and then configure the following settings:
l On the Network interfaces tab, configure the network interfaces.
l [Optional] On the General tab, change the default name of the virtual machine with the agent.
The deployment is now complete. Next, you have to configure the virtual appliance. For more
information on how to configure it, refer to "Configuring the virtual appliance" (p. 146).
Note
If you need more than one virtual appliance in your data center, repeat the steps above and deploy
additional virtual appliances. Do not clone an existing virtual appliance by using the Clone
VM option in Red Hat Virtualization/oVirt Administration Portal.
To exclude the virtual appliance from dynamic group backups, you must also exclude it from the list
of virtual machines in the Cyber Protect console. To exclude it, in Red Hat Virtualization/oVirt
Administration Portal, select the virtual machine with the agent, and then assign the tag
acronis_virtual_appliance to it.
Note
With this method, you need a registration token. For more information about how to
generate one, refer to "Generating a registration token" (p. 153).
<key name="HttpProxy">
<value name="Enabled" type="Tdword">"1"</value>
<value name="Host" type="TString">"ADDRESS"</value>
<value name="Port" type="Tdword">"PORT"</value>
<value name="Login" type="TString">"LOGIN"</value>
<value name="Password" type="TString">"PASSWORD"</value>
</key>
l Otherwise, copy the above lines and paste them into the file between the <registry
name="Global">...</registry> tags.
d. Replace ADDRESS with the new proxy server host name/IP address, and PORT with the decimal
value of the port number.
e. If your proxy server requires authentication, replace LOGIN and PASSWORD with the proxy server
credentials. Otherwise, delete these lines from the file.
f. Save the file.
g. Open the file /opt/acronis/etc/aakore.yaml in a text editor.
h. Locate the env section or create it and add the following lines:
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
i. Replace proxy_login and proxy_password with the proxy server credentials, and proxy_
Note
To be able to update a virtual appliance deployed behind a proxy, edit the appliance config.yaml
file ( /opt/acronis/etc/va-updater/config.yaml), by adding the following line to the bottom of
that file, and then entering values specific to your environment:
httpProxy: http://<proxy_login>:<proxy_password>@<proxy_address>:<port>
For example:
httpProxy: http://mylogin:[email protected]:8080
Required roles
For its deployment and operation, Agent for oVirt requires an administrator account with the
following roles assigned.
Required ports
Agent for oVirt connects to the oVirt engine by using the URL that you specify when you configure
the virtual appliance. Usually, the engine URL has the following format: https://ovirt.company.com.
In this case, the HTTPS protocol and port 443 are used.
Non-default oVirt settings may require another port. You can find the exact port by analyzing the
URL format. For example:
http://ovirt.company.com/ 80 HTTP
No additional ports are required for disk Read/Write operations, because the backup is performed
in the HotAdd mode.
Agent for Synology runs on the NAS device. Thus, you can use the resources of the device for off-
host data processing operations, such as backup replication, validation, and cleanup. To learn more
about these operations, refer to "Off-host data processing" (p. 179).
Note
Agent for Synology only supports NAS devices with x86_64 processors. You cannot install the agent
on devices with ARM processors.
You can recover a backup to the original or a new location on the NAS device, and to a network
folder that is accessible through that device. Backups in the cloud storage can also be recovered to a
non-original NAS device on which Agent for Synology is installed.
The table below summarizes the available backup sources and destinations.
Cloud storage
Local folder*
Local folder*
Files/folders
Network folder (SMB)**
Network folder (SMB)**
NFS folder
** Using external network shares as backup source or backup destination via the SMB protocol is
only available for agents running on Synology DiskStation Manager 6.2.3 and later. The data hosted
Limitations
l Backed-up encrypted shares are recovered as non-encrypted.
l Backed-up shares for which the File compression option is enabled are recovered with this
option disabled.
To install the agent, run the setup program in Synology DiskStation Manager.
During the installation, you need to register the agent in the Cyber Protect console.
Note
Agent for Synology only supports NAS devices with x86_64 processors. You cannot install the agent
on devices with ARM processors.
Prerequisites
Before installing Agent for Synology, ensure that:
l The NAS device runs a supported DiskStation Manager version. See the supported versions in
"Agent for Synology" (p. 27).
l You are a member of the administrators group on the Synology NAS device.
l There is at least 200 MB of free space on the NAS volume on which you want to install the agent.
Note
Do not use https://cloud.acronis.com.
For more information about how to generate a registration token, refer to "Generating a
registration token" (p. 153).
9. Click Register.
After the registration, you will see the Synology NAS device in the Cyber Protect console, on the
Devices > Network Attached Storage tab.
You cannot update the agent from the Cyber Protect console.
In this section, you will find out how to set up a Group Policy object to deploy agents onto machines
in an entire domain or in its organizational unit.
Every time a machine logs on to the domain, the resulting Group Policy object will ensure that the
agent is installed and registered.
Prerequisites
l Active Directory domain with a domain controller running Microsoft Windows Server 2003 or
later.
l You must be a member of the Domain Admins group in this domain.
l You have downloaded the All agents for Windows setup program.
To download the setup program, in the Cyber Protect console, click the account icon in the top-
right corner, and then click Downloads. The download link is also available in the Add devices
pane.
For security reasons, the tokens have limited lifetime, which you can adjust. The default lifetime is 3
days.
Users can generate registration tokens only for their own accounts. Administrators can generate
registration tokens for all user accounts in the tenant that they manage.
As an administrator
[For partner administrators who manage customer tenants] In the Cyber Protect console, select
the tenant with the user for whom you want to generate a token. You cannot generate a token
on the All customers level.
Note
When you use the token, workloads will be registered under the user account that you select
here.
6. [Optional] To enable the user of the token to apply and revoke a protection plan on the added
workloads, select the plan from the drop-down list.
Note that you will need to run a script that will apply or revoke a protection plan on the added
workloads. Refer to this knowledge base article for more details.
7. Click Generate token.
8. Click Copy to copy the token to your device clipboard, or write the token down manually.
Note
For security reasons, in the Token column, only the first two characters of the token value are
shown.
4. [To delete a token] Select the token, and then click Delete.
Note
The procedure below uses the default registration option, which is registration by token. To learn
how to generate a registration token, refer to "Generating a registration token" (p. 153).
To create the .mst file and extract the installation packages (.msi and .cab files)
As a result, the .mst file, the .msi file, and the .cab files are created and copied to the shared folder
that you specified.
Next, set up the Windows Group Policy object. To learn how to do it, refer to "Setting up the Group
Policy object" (p. 157).
To access the appliance via the SSH protocol, first enable the Secure Shell daemon (sshd) on it, and
then use an SSH client installed on a remote machine. The procedure below uses WinSCP client as
an example.
/bin/sshd
Updating agents
You can update all agents manually either by using the Cyber Protect console or by downloading
and running the installation file.
4.2 GB of free space in the following location is required to update an agent automatically, or
manually by using the Cyber Protect console:
In order to perform automatic or manual update of a virtual appliance located behind a proxy, the
proxy server must be configured on each appliance as follows.
In the /opt/acronis/etc/va-updater/config.yaml file, add the following line to the bottom of the file
and enter the values specific to your environment:
httpProxy: http://proxy_login:proxy_password@proxy_address:port
Virtual appliances with the following versions must be updated only by using the Cyber Protect
console:
Agents with the following versions can also be updated by using the Cyber Protect console:
l Agent for Windows, Agent for VMware (Windows), Agent for Hyper-V: version 12.5.21670 and
later.
l Agent for Linux: version 12.5.23094 and later.
l Other agents: version 12.5.23094 and later.
To find the agent version, in the Cyber Protect console, select the machine, and then click Details.
To update earlier versions of those agents, download and install the newest version manually.
To find the download links, click All devices > Add.
Prerequisites
On Windows machines, Cyber Protect features require Microsoft Visual C++ 2017 Redistributable.
Ensure that it is already installed on your machine or install it before updating the agent. After the
installation, a restart may be required. You can find the Microsoft Visual C++ Redistributable
package on the Microsoft website:
https://support.microsoft.com/help/2999226/update-for-universal-c-runtime-in-windows.
Note
During the update, any backups that are in progress will fail.
To update Agent for VMware (Virtual Appliance) whose version is below 12.5.23094
1. Click Settings > Agents > the agent that you want to update > Details, and then examine the
Assigned virtual machines section. You will need to re-enter these settings after the update.
a. Make note of the position of the Automatic assignment switch.
b. To find out what virtual machines are manually assigned to the agent, click the Assigned: link.
The software displays the list of assigned virtual machines. Make note of the machines that
have (M) after the agent name in the Agent column.
2. Remove Agent for VMware (Virtual Appliance), as described in "Uninstalling agents". In step 5,
delete the agent from Settings > Agents, even though you are planning to install the agent
again.
3. Deploy Agent for VMware (Virtual Appliance), as described in "Deploying the OVF template".
4. Configure Agent for VMware (Virtual Appliance), as described in "Configuring the virtual
appliance".
If you want to reconstruct the locally attached storage, in step 7 do the following:
a. Add the disk containing the local storage to the virtual appliance.
b. Click Refresh > Create storage > Mount.
c. The software displays the original Letter and Label of the disk. Do not change them.
d. Click OK.
5. Click Settings > Agents > the agent that you want to update > Details, and then reconstruct the
settings that you made note of in step 1. If some virtual machines were manually assigned to the
agent, assign them again as described in "Virtual machine binding".
Once the agent configuration is completed, the protection plans that were applied to the old
agent are re-applied automatically to the new agent.
6. The plans with application-aware backup enabled require the guest OS credentials to be re-
entered. Edit these plans and re-enter the credentials.
7. The plans that back up ESXi configuration require the "root" password to be re-entered. Edit
these plans and re-enter the password.
Note
An agent with the Updater role can download and distribute patches only for Windows third-
party products. For Microsoft products, patch distribution is not supported by the Updater
agent.
Automatic updates are supported on machines running any of the following operating systems:
The settings for automatic updates are preconfigured on a data center level. A company
administrator can customize these settings – for all machines in a company or a unit, or for
individual machines. If no custom settings are applied, then the settings from the upper level are
used, in this order:
For example, a unit administrator can configure custom auto-update settings for all machines in the
unit, which might differ from the setting applied to the machines on the company level. The
administrator can also configure different settings for one or more individual machines in the unit,
to which neither the unit settings nor the company settings will be applied.
After enabling the automatic updates, you can configure the following options:
1. In a protection plan, expand the Antivirus & Antimalware protection module (Active
Protection module for Cyber Backup editions).
2. Click Self-protection and ensure that the Self-protection switch is enabled.
3. Enable the Password protection switch.
4. In the window that opens, copy the password that you need to uninstall or modify the
components of a protected Agent for Windows.
This password is unique and you will not be able to recover it once you close this window. If you
lose or forget this password, you can edit the protection plan and create a new password.
5. Click Close.
6. In the Self-protection pane, click Done.
7. Save the protection plan.
Password protection will be enabled for the machines to which this protection plan is applied.
Password protection is only available for Agent for Windows version 15.0.25851 or newer. The
machines must be online.
You can apply a protection plan with Password protection enabled to a machine running macOS,
but no protection will be provided. You cannot apply such a plan to a machine running Linux.
Also, you cannot apply more than one protection plan with Password protection enabled to the
same Windows machine. To learn how to resolve a possible conflict, refer to Resolving plan conflicts.
1. In the protection plan, expand the Antivirus & Antimalware protection module (Active
Protection module for Cyber Backup edition).
2. Click Self-protection.
3. Click Create new password.
4. In the window that opens, copy the password that you need to uninstall or modify the
components of a protected Agent for Windows.
This password is unique and you will not be able to recover it once you close this window. If you
lose or forget this password, you can edit the protection plan and create a new password.
5. Click Close.
Uninstalling agents
When you uninstall an agent from a workload, the workload is automatically removed from the
Cyber Protect console. If the workload is still shown after you uninstall the agent, for example, due
to a network problem, manually remove this workload from the console. For more information
about how to do it, refer to "Removing workloads from the Cyber Protect console" (p. 298).
Note
Uninstalling an agent does not delete any plans or backups.
To uninstall an agent
Windows
Linux
macOS
1. On the machine with the agent, double-click the installation .dmg file.
2. Wait until the operating system mounts the installation disk image.
3. Inside the image, double-click Uninstall.
4. If prompted, provide administrator credentials.
5. Confirm your decision.
You can uninstall individual components that are bundled with Agent for Windows, such as Cyber
Protect Monitor, Agent for Data Loss Prevention, or Bootable Media Builder, without uninstalling
Agent for Windows.
Protection settings
To configure the general protection settings for Cyber Protection, in the Cyber Protect console, go to
Settings > Protection.
An administrator can minimize the network bandwidth traffic by selecting one or several agents in
the environment and assigning the Updater role to them. Thus, the dedicated agents will connect to
the Internet and download updates. All other agents will connect to the dedicated updater agents
by using peer-to-peer technology, and then download the updates from them.
The agents without the Updater role will connect to the Internet if there is no dedicated updater
agent in the environment, or if the connection to a dedicated updater agent cannot be established
for about five minutes.
Note
An agent with the Updater role can download and distribute patches only for Windows third-party
products. For Microsoft products, patch distribution is not supported by the Updater agent.
Before assigning the Updater role to an agent, ensure that the machine on which the agent runs is
powerful enough, and has a stable high-speed Internet connection and enough disk space.
1. On the agent machine where you plan to enable the Updater role, apply the following firewall rules:
l Inbound (incoming) "updater_incoming_tcp_ports": allow connection to TCP ports 18018 and
6888 for all firewall profiles (public, private, and domain).
l Inbound (incoming) "updater_incoming_udp_ports": allow connection to UDP port 6888 for all
firewall profiles (public, private, and domain).
2. Restart the Acronis Agent Core Service.
3. Restart the Firewall Service.
If you do not apply these rules and the firewall is enabled, peer agents will download the updates
from the Cloud.
1. The agent with the Updater role checks, on a schedule, the index file provided by the service
provider to update the core components.
2. The agent with the Updater role starts to download and distribute updates to all agents.
You can assign the Updater role to multiple agents in the environment. Thus, if an agent with the
Updater role is offline, other agents with this role can serve as the source for definition updates.
l Antimalware
l Vulnerability assessment
l Patch management
Schedule type:
Cache storage
The location of cached data is the following:
To change the cache storage setting, navigate to Settings > Protection > Protection definitions
update > Cache Storage.
In Outdated update files and patch management data, specify after what period to remove
cached data.
l Updater role – define storage size for cache on the machines with the Updater role.
l Other roles – define storage size for cache on other machines.
The most appropriate quota is assigned, depending on the type of the protected machine, its
operating system, required level of protection, and the quota availability. If the most appropriate
quota is not available in your organization, the second-best quota is assigned. For example, if the
most appropriate quota is Web Hosting Server but it is not available, the Server quota is assigned.
You can manually change the original assignment later. For example, to apply a more advanced
protection plan to the same machine, you might need to upgrade the machine's service quota. If the
features required by this protection plan are not supported by the currently assigned service quota,
the protection plan will fail.
Alternatively, you can change the service quota if you purchase a more appropriate quota after the
original one is assigned. For example, the Workstation quota is assigned to a virtual machine. After
you purchase a Virtual machines quota, you can manually assign this quota to the machine,
instead of the original Workstation quota.
You can also release the currently assigned service quota, and then assign this quota to another
machine.
You can change the service quota of an individual machine or for a group of machines.
To collect logs
1. Select the machine that you want to collect the logs from.
2. Click Activities.
3. Click Collect system information.
4. If prompted by your web browser, specify where to save the file.
After you perform a failover (run the virtual machine in the cloud) and log in to the virtual machine
to check the IP address of the server, you see the IP address in the production network.
When you perform test failover, you can reach the test server only by using the Test IP address,
which is visible only in the configuration of the recovery server.
To reach a test server from your local site, you must use the Test IP address.
Note
The network configuration of the server always shows the IP address in the production network (as
the test server mirrors how the production server would look). This happens because the test IP
address does not belong to the test server, but to the VPN gateway, and is translated to the
production IP address using NAT.
The diagram below shows an example of the Site-to-site Open VPN configuration. Some of the
servers in the local environment are recovered to the cloud using failover (while the network
infrastructure is OK).
[Table: traffic paths in the Site-to-site Open VPN example, one row per source (From) and one
column per destination (To). Nodes: 1-4 local, 5 internet, 6 p2s, 7 primary, 8 failover, 9 primary,
10 failover, 11-13 test failover, 14 VPN appliance, 15 VPN server. Cells hold values such as
"direct", "via local router 1", "via tunnel: local", "via tunnel: NAT (VPN server)", "DHCP and DNS
protocols only", and "no".]
You can manage protection plans and other plans by using the Management tab.
Each section of the Management tab contains all the plans of a specific type. The following sections
are available:
• Protection plans
• Scripting plans
• Backup scanning
• Cloud applications backup
• Backup replication
• Validation
• Cleanup
• Conversion to VM
• VM replication
For protection plans and VM replication plans, a clickable status bar is available. It shows the
following color-coded statuses:
• OK (Green)
• Warning (Orange)
• Error (Dark orange)
• Critical (Red)
• The plan is running (Blue)
• The plan is disabled (Gray)
By clicking the status bar, you can see which status a plan has and on how many machines. Each
status in this list is also clickable.
Protection plans
On the Management > Protection plans tab, you can see information about your existing
protection plans, perform actions with them, and create new plans.
For more information about the protection plans, refer to "Protection plans and modules" (p. 193).
Backup plans applied to groups of devices (mailboxes, drives, sites) or containing more than 10
devices cannot be run manually.
Important
Backup scanning plans are not supported for all workloads and backup storages. For details, refer
to "Limitations" (p. 752).
As a result, a backup scanning plan is created and a cloud agent will scan the locations or the
backup sets that you specified for malware.
However, you can use off-host data processing and create separate plans for replication, validation,
cleanup, and conversion to a virtual machine. These separate plans allow you to:
Note
This functionality is available with the Advanced Backup pack and requires a Server quota for the
machine with the agent that will perform the off-host data processing operations.
The off-host data processing plans run according to the time settings (including the time zone) of
the operating system where the agent is installed. The time zone of a virtual appliance (for example,
Agent for VMware or Agent for Scale Computing HC3) can also be configured in its interface.
Backup replication
Note
This functionality is available with the Advanced Backup pack and requires a Server quota for the
machine with the agent that will perform the off-host data processing operations.
Note
Some replication operations, such as replicating a whole location or replicating all backups in a
backup set, might be very time-consuming.
You can replicate individual backup sets or whole backup locations. When you replicate a backup
location, all backup sets in it are replicated.
Backup sets consist of backups (also known as recovery points). You must select which backups to
replicate.
• All backups
  All backups in the backup set are replicated every time the replication plan runs.
• Only full backups
  Only the full backups in the backup set are replicated.
• Only the last backup
  Only the newest backup in the backup set is replicated, regardless of its type (full, differential, or
  incremental).
Select an option according to your needs and the backup scheme that you use. For example, if you
use the Always incremental (single-file) backup scheme and you want to replicate only the
newest incremental backup, in the backup replication plan, select Only last backup.
The following table summarizes which backups will be replicated with different backup schemes.
All backups | All backups in the backup set | All backups in the backup set | All backups in the backup set | All backups in the backup set
Only full backups | Only the first backup, which is full | All backups | One backup every week* | One backup every month*
Only last backup | Only the newest backup in the backup set* | Only the newest backup in the backup set* | Only the newest in the backup set, regardless of its type* | Only the newest in the backup set, regardless of its type*
* When configuring the schedule of the backup replication plan, ensure that the last replicated
backup will still be available in its original location when the backup replication starts. If this backup
Supported locations
The following table summarizes backup locations supported by backup replication plans.
Cloud storage + +
Local folder + +
Network folder + +
NFS folder – –
Secure Zone – –
Validation
Note
This functionality is available with the Advanced Backup pack and requires a Server quota for the
machine with the agent that will perform the off-host data processing operations.
By validating a backup, you verify that you can recover the data from it.
To validate a backup as an off-host data processing operation, you create a validation plan. For
more information about how to create one, refer to "Creating a validation plan" (p. 183).
• Checksum verification
• Run as virtual machine
  ◦ VM heartbeat
  ◦ Screenshot validation
You can select one or more of these methods. When more than one method is selected, the
operations for every validation method run consecutively. For more information about the methods,
refer to "VM heartbeat" (p. 186).
You can validate backup sets or backup locations. Validation of a backup location validates all
backup sets in it.
Supported locations
The following table shows the supported backup locations and validation methods.
Cloud storage + + +
Local folder + + +
Network folder + + +
NFS folder – – –
Secure Zone – – –
Validation status
After a successful validation, the backup is marked with a green dot and the label Validated.
If the validation fails, the backup is marked with a red dot. The validation fails even when only one of
the used validation methods fails. In some cases, this might be the result of a misconfiguration of
the validation plan – for example, using the VM heartbeat method for virtual machines on a wrong
host.
The validation status of a backup is updated with every new validation operation. The status for
each validation method is updated separately. As a result, a backup in which one validation method
failed is shown as failed until the same validation method succeeds, even if the latest
validation operations do not use the failed method and complete successfully.
For more information about how to check the validation status, refer to "Checking the validation
status of a backup" (p. 188).
As a result, your validation plan is ready and will run according to the schedule that you configured.
To run the plan immediately, select it in Management > Validation, and then click Run now.
After the plan starts, you can check the running activities and drill down to their details in Cyber
Protect console, under Monitoring > Activities.
Activity result | Plan with one backup | Plan with multiple backups
Success | All validation methods succeeded | All validation methods succeeded in all backups
Fail | At least one validation method failed | At least one validation method failed in all backups
Validation methods
In a validation plan, the following validation methods are available:
• Checksum verification
• Run as virtual machine
  ◦ VM heartbeat
  ◦ Screenshot validation
Checksum verification
Validation via checksum verification calculates a checksum for every data block that can be
recovered from the backup, and then compares it against the original checksum for that data block,
which was written during the backup process. The only exception is validation of file-level backups
that are located in the cloud storage. These backups are validated by checking the consistency of
the metadata saved in the backup.
A successful validation via checksum verification means a high probability of data recovery.
However, the validation via this method does not check all factors that influence the recovery
process.
If you back up an operating system, we recommend that you use some of the following additional
operations:
The Run as virtual machine validation method is available in the following variants:
• VM heartbeat
• Screenshot validation
VM heartbeat
With this validation method, the agent runs a virtual machine from the backup, connects to VMware
Tools or Hyper-V Integration Services, and then checks the heartbeat response to ensure that the
operating system has started successfully. If the connection fails, the agent attempts to connect
every two minutes, a total of five times. If none of the attempts are successful, the validation fails.
Regardless of the number of validation plans and validated backups, the agent that performs
validation runs one virtual machine at a time. As soon as the validation result becomes clear, the
agent deletes the virtual machine and runs the next one.
Note
Use this method only when you validate backups of VMware virtual machines by running these
backups as virtual machines on an ESXi host, and backups of Hyper-V virtual machines by running
them as virtual machines on a Hyper-V host.
Screenshot validation
With this validation method, the agent runs a virtual machine from the backup, and while the virtual
machine is booting, screenshots are made. A machine intelligence (MI) module checks the
screenshots and if there is a login screen on them, it marks the backup as validated.
The screenshot is attached to the recovery point and you can download it in the Cyber Protect
console within one year of the validation. For more information on how to check the screenshot,
refer to "Checking the validation status of a backup" (p. 188).
If notifications are enabled for your user account, you will receive an email about the validation
status of the backup, in which the screenshot is attached. For more information about the
notifications, refer to Changing the notification settings for a user.
Screenshot validation is supported by agent version 15.0.30971 (released in November, 2022) and
later.
You can change this by editing the configuration file for Agent for VMware or Agent for Hyper-V.
1. Open the configuration file for editing. You can find the file in the following locations:
   • For Agent for VMware or Agent for Hyper-V running in Windows:
     C:\Program Files\BackupClient\BackupAndRecovery\settings.config
   • For Agent for VMware (Virtual appliance): /bin/mms_settings.config
     For more information about how to access the configuration file on a virtual appliance, refer to
     "Accessing virtual appliances via the SSH protocol" (p. 157).
2. Go to <validation>, and then change the values for local backups and cloud backups as needed:
   <validation>
     <run_vm>
       <initial_timeout_minutes>
         <local_backups>1</local_backups>
         <cloud_backups>5</cloud_backups>
       </initial_timeout_minutes>
     </run_vm>
   </validation>
• [For Agent for VMware (Virtual appliance)] Restart the virtual machine with the agent.
You can also see the status for each validation method and download the screenshot taken by the
screenshot validation method.
For more information about how the statuses work, refer to "Validation status" (p. 183).
Devices
Backup storage
Cleanup
Cleanup is an operation that deletes outdated backups according to the retention rules.
Note
This functionality is available with the Advanced Backup pack and requires a Server quota for the
machine with the agent that will perform the off-host data processing operations.
You can create a separate plan for conversion to a virtual machine and run this plan manually or on
a schedule.
For information about prerequisites and limitations, refer to "What you need to know about
conversion" (p. 191).
Note
This functionality is available with the Advanced Backup pack and requires a Server quota for the
machine with the agent that will perform the off-host data processing operations.
Note
To save storage space, each conversion to VHDX files or VMware Workstation overwrites the
VHDX/VMDK files in the target location that were created during the previous conversion.
To perform a conversion to VMware ESXi, Hyper-V, or Scale Computing HC3, you need an ESXi,
Hyper-V, or Scale Computing HC3 host respectively and a protection agent (Agent for VMware, Agent
for Hyper-V, or Agent for Scale Computing HC3) that manages this host.
Conversion to VHDX files assumes that the files will be connected as virtual disks to a Hyper-V virtual
machine.
The following table summarizes the types of virtual machines that you can create with the Convert
to VM operation. The rows in the table show the type of converted virtual machines. The columns
show the agents that perform the conversion.
VM type | Agent for VMware | Agent for Hyper-V | Agent for Windows | Agent for Linux | Agent for Mac | Agent for Scale Computing HC3 | Agent for oVirt (KVM) | Agent for Virtuozzo Hybrid Infrastructure | Agent for Virtuozzo
VMware ESXi | + | – | – | – | – | – | – | – | –
Microsoft Hyper-V | – | + | – | – | – | – | – | – | –
VMware Workstation | + | + | + | + | – | – | – | – | –
VHDX files | + | + | + | + | – | – | – | – | –
Scale Computing HC3 | – | – | – | – | – | + | – | – | –
Limitations
• Backups stored on NFS cannot be converted.
• Backups stored in Secure Zone can be converted only by the agent running on the same machine.
Regular conversion to virtual machine vs. running a virtual machine from a backup
Both operations provide you with a virtual machine that can be started in seconds if the original
machine fails.
Regular conversion to virtual machine takes CPU and memory resources. Files of the virtual
machine constantly occupy space on the datastore (storage). This may not be practical if a
production host is used for conversion. However, the virtual machine performance is limited only by
the host resources.
Running a virtual machine from a backup consumes resources only while the virtual machine is
running. The datastore (storage) space is required only to keep changes to the virtual disks.
However, the virtual machine may run slower, because the host does not access the virtual disks
directly, but communicates with the agent that reads data from the backup. In addition, the virtual
machine is temporary.
• If you choose to save the virtual machine as a set of files: each conversion re-creates the
  virtual machine from scratch.
• If you choose to create the virtual machine on a virtualization server: when converting an
  incremental or differential backup, the software incrementally updates the existing virtual
  machine instead of re-creating it. Such conversion is normally faster. It saves network traffic and
  CPU resources of the host that performs the conversion. If updating the virtual machine is not
  possible, the software re-creates it from scratch.
• If there has been a full backup since the last conversion, the virtual machine is re-created from
  scratch, as described earlier in this section.
• Otherwise, the existing virtual machine is updated to reflect changes since the last conversion. If
  updating is not possible (for example, if you deleted the intermediate snapshots, see below), the
  virtual machine is re-created from scratch.
Intermediate snapshots
To be able to update the converted virtual machine securely, the software stores an intermediate
hypervisor snapshot of this machine. The snapshot is named Replica... and must be kept.
The Replica... snapshot corresponds to the result of the latest conversion. You can go to this
snapshot if you want to return the machine to that state; for example, if you worked with the
machine and now you want to discard the changes made to it.
For converted Scale Computing HC3 virtual machines, an additional Utility Snapshot is created.
Only the Cyber Protection service uses it.
A protection plan consists of different protection modules. Enable the modules that you need and
configure their settings to create protection plans that meet your specific needs.
• On the Devices tab. Select one or more workloads to protect, and then create a protection plan
  for them.
• On the Management > Protection plans tab. Create a protection plan, and then select one or
  more workloads to which to apply the plan.
When you create a protection plan, only the modules that are applicable to your type of workload
are shown.
You can apply a protection plan to more than one workload. You can also apply multiple protection
plans to the same workload. To learn more about possible conflicts, refer to "Resolving plan
conflicts" (p. 199).
Devices
Note
You can create a plan without applying it to any workloads. You can add workloads later, by
editing the plan. For more information about how to add a workload to a plan, refer to "Applying
a protection plan to a workload" (p. 196).
Note
To create a protection plan with encryption, specify an encryption password. For more
information about this feature, refer to "Encryption" (p. 396).
For more information on the Disaster recovery module, refer to "Create a disaster recovery
protection plan" (p. 644).
For more information on the Device control module, refer to "Working with the Device control
module" (p. 323).
Note
You can import protection plans created in Cyber Protection 9.0 (released in March 2020) and
later. Plans created in earlier versions are not compatible with Cyber Protection 9.0 and later.
Applying a plan is accessible from the Devices tab and from the Management > Protection plans
tab.
Devices
To learn how to apply a protection plan to a device group, refer to "Applying a plan to a group" (p.
322).
You can edit a protection plan for all workloads to which it is applied or only for selected workloads.
Editing a plan is accessible from the Devices tab and from the Management > Protection plans
tab.
Devices
Revoking a plan is accessible from the Devices tab and the Management > Protection plans tab.
Devices
1. Select the workloads from which you want to revoke the plan.
2. Click Protect.
3. Select the protection plan that you want to revoke.
4. Click the ellipsis icon (...) next to the plan name, and then click Revoke.
When you enable or disable a protection plan from the Devices tab, your action affects only the
selected workloads.
When you enable or disable a protection plan from the Management > Protection plans tab, your
action affects all workloads to which this plan is applied. Also, you can enable or disable multiple
protection plans.
Devices
Note
This action does not affect protection plans that were already in the target state. For example, if
your selection includes both enabled and disabled plans, and you click Enable, all selected plans will
be enabled.
Deleting a plan is accessible from the Devices tab and the Management > Protection plans tab.
Devices
1. Select any workload to which the protection plan that you want to delete is applied.
2. Click Protect.
3. Select the protection plan that you want to delete.
4. Click the ellipsis icon (...) next to the plan name, and then click Delete.
You can combine protection plans in which different modules are enabled. You can also combine
multiple protection plans in which only the Backup module is enabled. However, if any other
module is enabled in more than one plan, a conflict occurs. To apply the plan, first you must resolve
the conflict.
• Remove the workload from the device group, and then apply the individual protection plan to it.
• Edit the existing group plan or apply a new group plan to the device group.
License issue
A protection plan module might require that a specific service quota is assigned to the protected
workload. If the assigned service quota is not appropriate, you will not be able to run, update, or
apply the protection plan in which the respective module is enabled.
• Disable the module that is not supported by the currently assigned service quota, and then
  continue using the protection plan.
• Change the assigned service quota manually. To learn how to do this, refer to "Changing the
  service quota of machines" (p. 167).
When you apply a default protection plan for the first time, the template is copied to your tenant
and you can edit the modules in the plan and their settings.
Where to back up | Cloud storage | Cloud storage | Cloud storage | Cloud storage
Additionally enabled options and start conditions:
• If the machine is turned off, run missed tasks at the machine startup
• Wake up from the sleep or hibernate mode to start a scheduled backup
• Save battery power: Do not start when on battery
• Do not start when on metered connection
Backup options | Default options | Default options, plus: Performance and backup window (the green set): CPU priority: Low, Output speed: 50% | Default options | Default options
Advanced Antimalware | On | On | – | On
Network folder protection | On | On | – | On
Self protection | On | On | – | On
Cryptomining process detection | On | On | – | On
Exploit prevention | Notify and stop the process | Notify and stop the process | – | Notify and stop the process
Additionally enabled options and start conditions:
• If the machine is turned off, run missed tasks at the machine startup
• Wake up from the sleep or hibernate mode to start a scheduled backup
• Save battery power: Do not start when on battery
Malicious website access | Always ask user | Block | Always ask user | Always ask user
Categories to filter | Default options | Default options | Default options | Default options
assessment
Schedule | At 01:15 PM, only on Monday | At 02:20 PM, only on Monday | At 01:15 PM, only on Monday | At 01:15 PM, only on Monday
Microsoft products | All updates | All updates | All updates | All updates
Windows third-party products | Only major updates | Only major updates | Only major updates | Only major updates
Schedule | At 03:10 PM, only on Monday | At 02:20 PM, Monday to Friday | At 03:10 PM, only on Monday | At 03:10 PM, only on Monday
Extensions and exception rules | – | Default options and the following additional extensions: | Default options (66 extensions to detect) | Default options (66 extensions to detect)
Images
• .jpeg
• .jpg
• .png
• .gif
• .bmp
• .ico
• .wbmp
• .xcf
• .psd
• .tiff
• .dwg
• .avi
• .mov
• .mpeg
• .mpg
• .mkv
• .wav
• .aif
• .aifc
• .aiff
• .au
• .snd
• .mid
• .midi
• .mpga
• .mp3
• .oga
• .flac
• .opus
• .spx
• .ogg
• .ogx
• .mp4
Note
The number of modules in a default protection plan may vary according to your Cyber Protection
license.
The protection plan appears in the Management > Protection plans tab, and then you can
manage it there.
Important
Some of the options cannot be modified.
To stop using an individual protection plan, you can delete it from the Cyber Protect console. You
can identify individual protection plans by the sign next to their name.
If you want a protection plan to protect multiple web hosting servers that use hosting control panel
integrations, you can create a regular protection plan in the Cyber Protect console and assign these
workloads to it. However, any modifications to a protection plan that is shared by multiple web
hosting control panels can only be made in the Cyber Protect console, and not from within the
integrations.
How it works
The protection agent that is installed on a machine performs a security assessment and calculates
the #CyberFit Score for the machine. The #CyberFit Score of a machine is recalculated automatically
and periodically.
and private firewalls are disabled.
Based on the summed points awarded to each metric, the total #CyberFit Score of a machine can fit
one of the following ratings that reflect the endpoint's level of protection:
• 0 - 579 - Poor
• 580 - 669 - Fair
• 670 - 739 - Good
• 740 - 799 - Very good
• 800 - 850 - Excellent
You can see the #CyberFit Score for your machines in the Cyber Protect console: go to Devices > All
devices. In the list of devices, you can see the #CyberFit Score column. You can also run the
#CyberFit Score scan for a machine to check its security posture.
6. After addressing the recommendations, you can always recalculate the #CyberFit Score of the
machine by clicking on the arrow button right under the total #CyberFit Score.
Cyber Scripting is available for administrators and users on the customer level, as well as to partner
administrators (service providers). For more information about the different levels of
administration, refer to "Multitenancy support" (p. 290).
The scripts that you can use must be approved in advance. Only the administrators with the Cyber
administrator role can approve and test new scripts.
Performing operations with scripts and scripting plans depends on your user role. For more
information about the roles, refer to "User roles and Cyber Scripting rights" (p. 229).
Prerequisites
• Cyber Scripting functionality requires the Advanced Management pack.
• To use all the features of Cyber Scripting such as script editing, script run, creation of scripting
  plans, and so on, you must enable two-factor authentication for your account.
Limitations
• The following scripting languages are supported:
  ◦ PowerShell
  ◦ Bash
• Cyber Scripting operations can only run on target machines that have an installed protection
  agent.
Scripts
A script is a set of instructions that are interpreted at runtime and executed on a target machine. It
provides a convenient solution for automating repetitive or complex tasks.
With Cyber Scripting, you can run a predefined script or create a custom script. You can find all
scripts that are available to you in Management > Script repository. The predefined scripts are
located in the Library section. The scripts that you created or cloned to your tenant are located in
the My Scripts section.
You can use a script by including it in a scripting plan or by starting a Script quick run operation.
The following table summarizes the possible actions with a script, depending on its status.
Draft | All new scripts and the scripts that you clone in your repository are in the Draft status. These scripts cannot be run or included in scripting plans.
Testing | The scripts in the Testing status can be run and included in a scripting plan only by an administrator with the Cyber administrator role.
Approved | These scripts are available for running and including in scripting plans.
Only an administrator with the Cyber administrator role can change the state of a script or delete an
approved script. For more information about the administrator rights, refer to "User roles and Cyber
Scripting rights" (p. 229).
Creating a script
Note
Performing operations with scripts and scripting plans depends on your user role. For more
information about the roles, refer to "User roles and Cyber Scripting rights" (p. 229).
To create a script
Important
When you create a script, include exit code checks for each operation. Otherwise, a failed
operation might be ignored and the scripting activity status in Monitoring > Activities might be
incorrectly shown as Succeeded.
4. Specify the script properties that will help you find the script when you need it later:
a. Script name
b. [Optional] Description
c. Language
d. Operating system
e. Status. In the Status drop-down list, select one of the following statuses:
d. Repeat the steps above if you need to add more than one argument.
You can only specify arguments that you have already defined in the script body.
7. Click Save.
As a result, you created a new script and you saved it to your repository. To use this script, an
administrator with the Cyber administrator role must change its status to Approved. For more
information about how to do this, refer to "Changing the script status" (p. 217).
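The exit code checks that the Important note in this procedure asks for, shown in Bash as an added example (it is not a script from this guide or from the Library). The task, the function names, and the exit codes 10 to 13 are assumptions, as is the premise that the activity status follows the script's exit code; the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example, not a vendor script. Function names and exit codes are assumptions.
set -u   # using an unset variable is an error instead of an empty string

# run_step FAIL_CODE LABEL COMMAND [ARGS...]
# Runs COMMAND, reports the outcome, and returns FAIL_CODE if COMMAND failed.
run_step() {
    local fail_code="$1"
    local label="$2"
    shift 2
    local rc=0
    "$@" || rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'FAILED: %s (command exit code %s)\n' "$label" "$rc" >&2
        return "$fail_code"
    fi
    printf 'OK: %s\n' "$label"
}

# Checked task: archive a directory, verify the archive, then remove the
# originals. Each operation stops the task with its own exit code.
archive_dir() {
    local src="$1"
    local dest="$2"
    run_step 10 "source directory exists"   test -d "$src"              || return $?
    run_step 11 "create archive"            tar -czf "$dest" -C "$src" . || return $?
    run_step 12 "verify archive"            gzip -t "$dest"              || return $?
    run_step 13 "remove archived originals" rm -r "$src"                 || return $?
}

# Unchecked variant, for contrast. The status of a function or script is the
# status of its LAST command, so a failed tar is followed by a successful rm:
# the originals are deleted, no archive exists, and the result is still 0.
archive_dir_unchecked() {
    local src="$1"
    local dest="$2"
    tar -czf "$dest" -C "$src" . 2>/dev/null
    rm -r "$src"
}

# Demo on constructed sample data: the archive target directory does not exist.
demo() {
    local work
    local rc
    work=$(mktemp -d) || return 1
    mkdir "$work/a" "$work/b"
    echo 'constructed sample log line' > "$work/a/app.log"
    echo 'constructed sample log line' > "$work/b/app.log"

    rc=0
    archive_dir_unchecked "$work/a" "$work/no-such-dir/a.tar.gz" || rc=$?
    echo "unchecked: exit code $rc, source kept: $([ -d "$work/a" ] && echo yes || echo no)"

    rc=0
    archive_dir "$work/b" "$work/no-such-dir/b.tar.gz" || rc=$?
    echo "checked:   exit code $rc, source kept: $([ -d "$work/b" ] && echo yes || echo no)"

    rm -rf "$work"
}

demo
```

In a script body, call the checked function last and end with `exit $?` so that its code becomes the script's exit code.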
To use a script in another tenant that you manage, you must clone the script to that tenant. For
more information about how to do this, refer to "Cloning a script" (p. 216).
• Before using a script from Library. In this case, first you must clone the script to your My Scripts
  section.
• When you want to clone scripts that you created in a parent tenant to its child tenants or units.
To clone a script
As a result, the script is cloned to the My Scripts section of the tenant or unit that you selected. If
you manage only one tenant with no units in it, the script is automatically copied to your My Scripts
section.
Important
Credentials that a script uses are not copied when you clone a script to a non-original tenant.
Note
Performing operations with scripts and scripting plans depends on your user role. For more
information about the roles, refer to "User roles and Cyber Scripting rights" (p. 229).
To edit a script
1. In Script repository, go to My Scripts, and then find the script that you want to edit.
2. Click the ellipsis (...) next to the script name, and then click Edit.
3. Edit the script, and then click Save.
4. [If you edit a script that is used by a scripting plan] Confirm your choice by clicking Save script.
Script versions
A new version of the script is created if you edit any of the following script attributes:
• script body
• script name
• description
• script language
• credentials
• arguments
If you change other attributes, your edits will be added to the current script version. To learn more
about versions and how to compare them, refer to "Comparing script versions" (p. 218).
Note
The script status is updated only when you modify the value in the Status field. Only administrators
with the Cyber administrator role can change a script status.
To delete a script
1. In Script repository, go to My Scripts, and then find the script that you want to delete.
2. Click the ellipsis (...) next to the script name, and then click Delete.
3. Click Delete.
4. [If you want to delete a script that is used by a scripting plan] Confirm your choice by clicking
Save script.
Note
Scripting plans that use the deleted script will fail to run.
Note
Performing operations with scripts and scripting plans depends on your user role. For more
information about the roles, refer to "User roles and Cyber Scripting rights" (p. 229).
1. In Script repository, go to My Scripts, and then find the script whose status you want to
change.
2. Click the ellipsis (...) next to the script name, and then click Edit.
3. In the Status drop-down list, select one of the following statuses:
Note
If the script status was downgraded to Draft, the scripting plans that use it will fail to run.
Only administrators with the Cyber administrator role can run scripts in the Testing state and
scripting plans with such scripts.
1. In Script repository, go to My Scripts, and then find the script whose versions you want to
compare.
2. Click the ellipsis (...) next to the script name, and then click Version history.
3. Select two versions that you want to compare, and then click Compare versions.
Any changes in the body text of the script, its arguments or credentials are highlighted.
• Draft (by default) — this status does not allow you to execute the script right away.
• Testing — this status allows you to execute the script.
• Approved — this status allows you to execute the script.
The selected version is restored and saved as the latest one in the version history.
To restore a script, you can also select a version from the Version history window, and then click on
the Restore button.
Important
You can execute scripts only with the Testing or Approved statuses. For more information, refer to
"Changing the script status" (p. 217).
Script repository
You can locate the script repository under the Management tab. In the repository, you can search
the scripts by their name and description. You can also use filters, or sort the scripts by their name
or status.
To manage a script, click the ellipsis (...) next to its name, and then select the desired action.
Alternatively, click the script and use the buttons on the screen that opens.
l My scripts
Here, you can find the scripts that you can directly use in your environment. These are the scripts
that you created from scratch and the scripts that you cloned here.
You can filter the scripts in this section by the following criteria:
o Tags
o Status
o Language
o Operating system
o Script owner
l Library
The library contains predefined scripts that you can use in your environment after cloning them
to the My scripts section. You can only inspect and clone these scripts.
You can filter the scripts in this section by the following criteria:
o Tags
o Language
o Operating system
For more information, refer to Vendor-Approved Scripts (70595).
Scripting plans
A scripting plan allows you to run a script on multiple workloads, to schedule the running of a script,
and to configure additional settings.
You can find the scripting plans that you created and the ones that are applied to your workloads in
Management > Scripting plans. Here, you can check the plan execution location, owner, or status.
A clickable bar shows the following color-coded statuses for scripting plans:
By clicking the bar, you can see which status a plan has and on how many workloads. Each status is
also clickable.
On the Scripting plans tab, you can manage the plans by performing the following actions:
l Run
l Stop
l Edit
l Rename
l Disable/Enable
l Delete
The visibility of a scripting plan and the available actions with it depend on the plan owner and your
user role. For example, company administrators can only see the partner-owned scripting plans that
are applied to their workloads, and cannot perform any actions with these plans.
For more information about who can create and manage scripting plans, refer to "User roles and
Cyber Scripting rights" (p. 229).
Note
You can only use your own scripts from Script repository > My scripts. Only an administrator
with the Cyber administrator role can use scripts in the Testing status. For more information
about the roles, refer to "User roles and Cyber Scripting rights" (p. 229).
7. Configure the schedule and the start conditions for the scripting plan.
8. Choose under which account the script will run on the target workload. The following options are
available:
l System account (in macOS, this is the root account)
l Currently logged-in account
9. Specify how long the script can run on the target workload.
If the script cannot finish running within the set time frame, the Cyber Scripting operation will
fail.
The minimum value that you can specify is one minute and the maximum is 1440 minutes.
10. [Only for PowerShell scripts] Configure the PowerShell execution policy.
For more information about this policy, refer to the Microsoft documentation.
11. Click Create.
Note
You can also select workloads or device groups after you create the plan.
4. [Optional] To modify the scripting plan name, click the pencil icon.
5. Click Choose script, select the script that you want to use, and then click Done.
6. Configure the schedule and the start conditions for the scripting plan.
7. Choose under which account the script will run on the target workload. The following options are
available:
l System account (in macOS, this is the root account)
l Currently logged-in account
8. Specify how long the script can run on the target workload.
If the script cannot finish running within the set time frame, the Cyber Scripting operation will
fail.
The minimum value that you can specify is one minute and the maximum is 1440 minutes.
9. [Only for PowerShell scripts] Configure the PowerShell execution policy.
For more information about this policy, refer to the Microsoft documentation.
10. Click Create.
Schedule
You can configure a scripting plan to run once or repeatedly, and to start on a schedule or to be
triggered by a certain event.
l Run once
For this option, you must configure the date and time when the plan will run.
l Schedule by time
With this option, you can configure scripting plans that run hourly, daily, or monthly.
To make the schedule effective only temporarily, select the Run within a date range check box,
and then configure the period during which the scheduled plan will run.
l When user logs in to the system
You can choose whether a specific user or any user who logs in triggers the scripting plan.
l When user logs off the system
You can choose whether a specific user or any user who logs off triggers the scripting plan.
l On the system startup
l When system is shut down
Note
This scheduling option only works with scripts that run under the system account.
Start conditions
Start conditions add more flexibility to your scheduled plans. If you configure multiple conditions, all
of them must be met simultaneously in order for the plan to start.
Start conditions are not effective if you run the plan manually, by using the Run now option.
Condition: Run only if workload is online
Description: The script will run when the target workload is connected to the Internet.

Condition: User is idle
Description: This condition is met when a screen saver is running on the machine or the machine is locked.

Condition: User logged off
Description: With this condition, you can postpone a scheduled scripting plan until the user of the target workload logs off.

Condition: Fits time interval
Description: With this condition, a scripting plan can only start within the specified time interval. For example, you can use this condition to limit the User is logged off condition.

Condition: Save battery power
Description: With this condition, you can ensure that the scripting plan would not be interrupted because of a low battery. The following options are available:

Condition: Do not start on metered connection
Description: This condition prevents the plan from starting if the target workload accesses the Internet via a metered connection.

Condition: Do not start when connected to the following Wi-Fi networks
Description: This condition prevents the plan from starting if the target workload is connected to any of the specified wireless networks. To use this condition, you must specify the SSID of the forbidden network.
The restriction applies to all networks that contain the specified name as a substring in their name, case-insensitive. For example, if you specify phone as the network name, the plan will not start when the device is connected to any of the following networks: John's iPhone, phone_wifi, or my_PHONE_wifi.

Condition: Check device IP address
Description: This condition prevents the plan from starting if any of the IP addresses of the target workload are within or outside of the specified IP address range.

Condition: If start conditions are not met, run the task anyway
Description: This option allows you to set the time interval after which the plan will run, irrespective of any other conditions. The plan will start as soon as the other conditions are met or the specified period ends, depending on which comes first.
This option is not available if you configured the scripting plan to run only once.
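The start-condition rules in the table above, modelled as an added Python example (not part of the guide and not Acronis code). The function and class names are hypothetical, the IP range is expressed as a CIDR network, and ignoring empty SSID entries is an assumption.

```python
"""Model of the start-condition rules from the table above (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def ssid_is_forbidden(ssid: str, forbidden_names: List[str]) -> bool:
    """Case-insensitive substring match, as described for the Wi-Fi condition."""
    current = ssid.casefold()
    # Assumption: an empty entry would match every network, so it is ignored.
    return any(n.casefold() in current for n in forbidden_names if n.strip())


def blocked_ssids(forbidden_names: List[str], observed: List[str]) -> List[str]:
    """Audit helper: which observed networks does a forbidden-name list block?"""
    return [s for s in observed if ssid_is_forbidden(s, forbidden_names)]


def ip_rule_blocks(addresses: List[str], cidr: str, mode: str) -> bool:
    """'within': block if ANY address is inside the range.
    'outside': block if ANY address is outside the range."""
    net = ip_network(cidr, strict=False)
    inside = [ip_address(a) in net for a in addresses]
    if mode == "within":
        return any(inside)
    if mode == "outside":
        return not all(inside)
    raise ValueError("mode must be 'within' or 'outside'")


@dataclass
class StartConditions:
    require_online: bool = False
    forbidden_ssids: List[str] = field(default_factory=list)
    ip_rule: Optional[Tuple[str, str]] = None      # (cidr, mode)
    run_anyway_after_min: Optional[int] = None     # "run the task anyway" period


@dataclass
class WorkloadState:
    online: bool = True
    ssid: Optional[str] = None
    addresses: List[str] = field(default_factory=list)


def unmet_conditions(cond: StartConditions, state: WorkloadState) -> List[str]:
    """All configured conditions must hold at the same time; list those that do not."""
    unmet = []
    if cond.require_online and not state.online:
        unmet.append("online")
    if state.ssid and ssid_is_forbidden(state.ssid, cond.forbidden_ssids):
        unmet.append("wifi")
    if cond.ip_rule and ip_rule_blocks(state.addresses, *cond.ip_rule):
        unmet.append("ip")
    return unmet


def may_start(cond: StartConditions, state: WorkloadState,
              waited_min: int = 0, run_now: bool = False) -> bool:
    if run_now:
        return True                      # Run now ignores start conditions
    if not unmet_conditions(cond, state):
        return True
    limit = cond.run_anyway_after_min
    # After the configured period the plan runs irrespective of other conditions.
    return limit is not None and waited_min >= limit


if __name__ == "__main__":
    # Constructed sample data, using the SSIDs from the guide's own example.
    seen = ["John's iPhone", "phone_wifi", "my_PHONE_wifi", "Office-5G"]
    print("blocked by 'phone':", blocked_ssids(["phone"], seen))
    plan = StartConditions(forbidden_ssids=["phone"], run_anyway_after_min=60)
    laptop = WorkloadState(ssid="John's iPhone", addresses=["10.0.0.5"])
    for waited in (0, 60):
        print(f"waited {waited} min -> may start:", may_start(plan, laptop, waited))
```

Running the audit helper against the SSIDs seen in your fleet shows how broadly a short forbidden name matches. The last loop shows that the run-anyway period lets a plan start while the workload is still on a forbidden network.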
Partner administrators can apply the same plan to workloads from different customers, and can
create device groups that contain workloads from different customers. To learn how to create a
static or a dynamic device group on the partner level, refer to the "Devices tab" (p. 289).
Note
To select a device group, click its parent level, and then, in the main pane, select the check box
next to its name.
b. Click Add.
l To remove workloads or device groups, select them, and then click Remove.
4. Click Done.
5. To save the edited plan, click Save.
Important
The owner of a plan is the tenant in which the plan was created. Thus, if a partner administrator
created a plan on the customer tenant level, the customer tenant is the owner of that plan.
l Incompatible operating system – this issue appears when the workload's operating system is not
supported.
l Unsupported agent – this issue appears when the version of the protection agent on the
workload is outdated and does not support the Cyber Scripting functionality.
l Insufficient quota – this issue appears when there is not enough service quota in the tenant to
assign to the selected workloads.
If the scripting plan is applied to more than 150 workloads or to device groups, it will be saved, and
then checked for compatibility. The plan will be automatically disabled for the incompatible
workloads, and alerts will be shown.
Note
When resolving a compatibility issue by removing workloads from a plan, you cannot remove
workloads that are part of a device group.
Note
This option is available only for customer administrators.
5. [To resolve compatibility issues with insufficient quota by removing workloads from the plan]
a. On the Insufficient quota tab, select the workloads that you want to remove.
b. Click Remove workloads from plan.
c. Click Remove, and then click Close.
6. [To resolve compatibility issues with insufficient quota by increasing the quota of the tenant]
Note
This option is available only for partner administrators.
The target workload must be assigned a service quota that supports the Script quick run
functionality, and the Advanced Management pack must be enabled for its tenant. An appropriate
service quota will be automatically assigned if it is available in the tenant.
Note
You can only use your own scripts from Script repository > My scripts. Only an administrator with
the Cyber administrator role can use scripts in the Testing status. For more information about the
roles, refer to "User roles and Cyber Scripting rights" (p. 229).
Administrators can manage objects in their own tenant and in its child tenants. They cannot see or
access objects on an upper administration level, if any.
Lower-level administrators have only read-only access to the scripting plans applied to their
workloads by an upper-level administrator.
l Company administrator
This role grants full administrator rights in all services. With regard to Cyber Scripting, it grants
the same rights as the Cyber administrator role.
l Cyber administrator
This role grants full permissions, including approval of scripts that can be used in the tenant, and
the ability to run scripts with the Testing status.
l Administrator
This role grants partial permissions, with the ability to run approved scripts as well as create and
run scripting plans that use approved scripts.
l Read-only administrator
This role grants limited permissions, with the ability to view scripts and protection plans that are
used in the tenant.
l User
This role grants partial permissions, with the ability to run approved scripts as well as create and
run scripting plans that use approved scripts, but only on the user's own machine.
The following table summarizes all available actions, depending on the script status and the user
role.
Create Create
Edit Edit
Edit (Remove a
draft script from Apply Apply
a plan)
Enable Enable
Delete
Scripting plan Run Run
Revoke
Delete Delete
Disable
Revoke Revoke
Cyber
Stop
administrator Disable Disable
Create
Edit
Apply
View
Enable
Revoke View
Scripting plan Run
Disable Cancel run
Delete
Administrator Stop
Revoke
User (for their
own workloads) Disable
Stop
Create
View Run
Edit
Script Clone Clone
Clone
Cancel running Cancel running
Delete
The protection configuration for Zoom, Cisco Webex Meetings, Citrix Workspace, and Microsoft
Teams is similar. In the example below, we will consider configuration for Zoom.
1. Install the protection agent on the machine where the collaboration application is installed.
2. Log in to the Cyber Protect console and apply a protection plan that has one of the following
modules enabled:
l Antivirus and Antimalware protection (with the Self-Protection and Active Protection
settings enabled) – if you have one of the Cyber Protect editions.
l Active Protection (with the Self-Protection setting enabled) – if you have one of the Cyber
Backup editions.
3. [Optional] For automatic update installation, configure the Patch management module in the
protection plan.
As a result, your Zoom application will be under protection that includes the following activities:
Monitoring
The Monitoring tab provides important information about your current level of protection, and
includes the following dashboards:
l Overview
l Activities
l Alerts
l Threat feed (for more information, see "Threat feed" (p. 272))
The widgets are updated every five minutes. The widgets have clickable elements that enable you to
investigate and troubleshoot issues. You can download the current state of the dashboard or send it
via email in .pdf and/or .xlsx format.
You can choose from a variety of widgets, presented as tables, pie charts, bar charts, lists, and tree
maps. You can add multiple widgets of the same type with different filters.
The buttons Download and Send in Monitoring > Overview are not available in the Standard
editions of the Cyber Protection service.
To edit a widget
To add a widget
l Click the widget that you want to add. The widget will be added with the default settings.
l To edit the widget before adding it, click Customize when the widget is selected. After editing the
widget, click Done.
To remove a widget
To customize the view of the Activities dashboard, click the gear icon, and then select the columns
that you want to see.
To see the activity progress in real time, select the Refresh automatically check box. However,
frequent updating of multiple activities degrades the performance of the management server.
l Device name
This is the machine on which the activity is carried out.
l Started by
This is the account that started the activity.
l Status
For example, succeeded, failed, in progress, canceled.
l Type
For example, applying plan, deleting backups, installing software updates.
l Time
For example, the most recent activities, the activities from the past 24 hours, or the activities
during a specific period within the default retention period.
To see more details about an activity, select this activity from the list, and then, in the Activity
details panel, click All properties. For more information about the available properties, refer to the
Activity and Task API references in the Developer Network Portal.
1. From the View drop-down list, select one of the following criteria:
l Alert severity
l Alert category
l Alert type
l Monitoring type
l Date range: from ... to ...
l Workload
l Plan
l Customer
2. If you have selected the Alert category, from the Category drop-down list, select the category
of alerts that you want to view.
3. If you want to view all the alerts without filtering them, click All alert types.
l Access the relevant device the alert relates to by clicking the Devices link.
l Read and follow the advice in the Troubleshooting section of the alert.
l Access the relevant documentation and knowledge base article by clicking Search for solution.
The Search for solution functionality will pre-fill your request with the current alert details to
assist you most effectively.
On the alerts table, click on the arrow button next to one of the following column names:
l Alert severity
l Alert type
l Created
l Alert category
l Workload
l Plan
If the Advanced Automation service is enabled for your account, you can also create a new service
desk ticket directly from the alert.
Note
You can only create one ticket per alert.
Alert types
Alerts will be generated for the following alert types:
l Backup alerts
l Disaster recovery alerts
l Antimalware protection alerts
l Licensing alerts
l URL Filtering alerts
l EDR alerts
l Device Control alerts
l System alerts
Backup alerts
Alert: Backup failed
Description: An alert is generated when
How to resolve the alert: Check the log of the faulty backup

Alert: Backup succeeded with warnings
Description: An alert is generated when the backup succeeded with warnings.
How to resolve the alert: Check logs of conversion to VM, replication, or validation plans. Issues during these operations generate "Activity failed" or "Activity finished with warning" alerts.

Alert: Backup is canceled
Description: An alert is generated every time a backup activity is manually canceled by the user.
How to resolve the alert: You can either start the backup manually by clicking Run now or wait until it runs at the next scheduled time.

Alert: Backup canceled due to closed backup window
Description: An alert is generated when the backup activity was missed because it did not fit in the window specified in the backup options.
How to resolve the alert: Re-configure schedule or edit options of the backup plan in Performance and backup window. Expand the section with your product for instructions.

Alert: Backup is waiting
Description: This alert is generated anytime you have a scheduling conflict and two backup tasks are initiated at the same time. In this case, the second backup task is queued until the first one is finished or stopped.
How to resolve the alert: Make sure that your backups are running in the expected time windows and according to their schedule, and avoid scheduling conflicts where possible.

Alert: Backup is not responding
Description: An alert is generated when the running backup has not shown any progress for some time, and may be frozen.
How to resolve the alert: The issue might be caused by a lockup. Follow this article to collect the necessary troubleshooting information.

Alert: Backup did not start
Description: An alert is generated when the scheduled backup failed to start for an unknown reason.
How to resolve the alert: Make sure you are using the latest build of your Acronis Backup product.
l If the agent machine was available during the backup start time:

Alert: Backup status is unknown
Description: An alert is generated when the backup agent was offline at a scheduled backup time. The status of the resource backups will be unknown until the backup agent becomes online.
How to resolve the alert:
1. Check if the agent is expected to be offline (for example, it is a notebook that is outside the Management Server network).
2. If the agent should not be offline, make sure Acronis Managed Machine Service is running: Start -> Search -> services.msc -> locate Acronis Managed Machine Service and check its status. Start the service, if it is stopped.

Alert: Backup is corrupted
Description: An alert is generated when the validation activity is successful and shows that the backup is corrupted.
How to resolve the alert: Follow steps from the article Troubleshooting Issues with Corrupt Backups.
If you need assistance with identifying the root cause for archive corruption, contact Acronis Support.

Alert: Continuous Data Protection failed
Description: An alert is generated if the continuous protection of backup failed.
How to resolve the alert: Verify the following limitations:
1. Continuous data protection is supported only for the NTFS file system and the following operating systems:
l Desktop: Windows 7 and later
l Server: Windows Server 2008 R2 and later

Alert: Hyper-V hosts configuration is not valid
Description: An alert is generated when there are 2 or more Agents for Hyper-V installed on Hyper-V hosts with the same host name, which is not supported on the same account level.
How to resolve the alert: You should register these Agents for Hyper-V under different child units of this account to avoid conflicts.

Alert: Validation failed
Description: An alert is generated when the validation process of your backup cannot be completed.
How to resolve the alert: Check the log of the faulty operation: click the machine to select it, click Activities, and then find the warning in the log. The message should point you to the root cause of the issue the software notifies you about.

Alert: Failed to migrate the backups in the cloud storage to the new format
Description: An alert is generated when it failed to migrate the backups in the cloud storage to the new format.
How to resolve the alert: Migration of Acronis Cyber Backup Advanced archives is described here.
Migration of Acronis Cyber Backup archives is described here.
migrate_archives.exe --account=<Acronis Account> --password=<password> --subaccounts=All > report1.txt
migrate_archives.exe --cmd=finishUpgrade --account=<Acronis Account> --password=<password> > report2.txt

Alert: Backup recovery failed
Description: An alert is generated when the recovery operation fails when you try to recover files or system backups.
How to resolve the alert: Determine the exact date of the backup failure and attempt recovery with the last successful backup.
Alert: Storage quota exceeds
Description: An alert is generated when the soft quota is exceeded for disaster recovery storage
How to resolve the alert: Increase the quota or remove some archives from the cloud storage.

Alert: Test failover error
Description: An alert is generated when a system problem occurred after the test action was submitted.
How to resolve the alert:
1. Click Edit on the recovery server. For more information, see Creating a recovery server.
2. Decrease CPU/RAM for the recovery server.
3. Try the failover again.

Note
Make sure that there is the same IP address in IP address in production network as the one configured in the DHCP server.

Alert: Failback error
Description: An alert is generated when a system problem occurred after
How to resolve the alert: You can see the erroneous location in the list of backup

Alert: Failback is canceled
Description: An alert is generated when the failback was canceled by the user.
How to resolve the alert: Manually dismiss the alert from the console.

Alert: VPN connection error
Description: An alert is generated when the VPN connection failure occurs for reasons that do not depend on the user's actions. Status report from VPN appliance is outdated.
How to resolve the alert: In case you have faced an issue with deploying or connecting Acronis VPN appliance, please contact Acronis Support.
Please send the following information with your email:

Alert: (Vpn Unreachable) Connectivity gateway is not reachable
Description: An alert is generated when the DR service can't reach connectivity gateway. Status report from connectivity gateway is outdated.
How to resolve the alert: In case you have faced an issue with deploying or connecting Acronis VPN appliance, please contact Acronis Support.
Please send the following information with your email:

Alert: DR IP reassignment required
Description: An alert is generated if VPN appliance detects network changes.
How to resolve the alert: Reassign the IP address. For more information, see Reassigning IP addresses.

Alert: Connectivity gateway failure
Description: An alert is generated when it failed to deploy VPN server in the cloud.
How to resolve the alert: Use Connection Verification Tool and check its output for errors.
Allow Acronis software through application control of your firewalls and antimalware software.

Alert: Recovery server creation failure
Description: An alert is generated when the recovery server was not created due to error.
How to resolve the alert: Make sure the recovery server matches the Software requirements.

Alert: Server recovery failure
Description: An alert is generated when the primary or recovery server failed to recover.
How to resolve the alert: Find the details. If the error message is generic or unclear, for example "Internal error", navigate to Disaster Recovery → Servers, click to select the affected machine and click Activities. Click an activity, hold ctrl and left-click the activity. Now you will be able to see the ellipsis (...) sign near every activity. Click and select Task activity info.

Alert: Backup failed
Description: An alert is generated when the backup of cloud server (primary or server in production failover state) failed.
How to resolve the alert:
1. Verify the connection of the backup location.
2. Check the backup storage device (local backups).

Alert: Runbook failure
Description: An alert is generated when the runbook execution failed.
How to resolve the alert: It does not affect the product functionality, and it can be safely ignored. For more information, see Creating a runbook.

Alert: Runbook warning
Description: An alert is generated when the runbook execution is completed with warnings.
How to resolve the alert: It does not affect the product functionality, and it can be safely ignored. For more information, see Creating a runbook.

Alert: Runbook User Interaction Required
Description: An alert is generated when the runbook is waiting for user interaction.
How to resolve the alert: It does not affect the product functionality, and it can be safely ignored. For more information, see Creating a runbook.

Alert: Licensing switch insufficient server quota
Description: An alert is generated when the cloud servers quota is not enough.
How to resolve the alert:
l Make sure the tenant and user have Web hosting servers quota or Servers quota available for a physical server.
l Make sure the tenant and user have Web hosting servers quota or Virtual machines quota available for a virtual server. A virtual server cannot use Servers quota.

Alert: Licensing switch insufficient offering item
Description: An alert is generated when the disaster recovery storage offering item is disabled.
How to resolve the alert: For more information, see Disaster recovery quotas.

Alert: Licensing switch insufficient compute points
Description: An alert is generated when there are no compute points available.
How to resolve the alert: In the management portal, check and increase hard quota for Compute points.

Alert: Policy failed to create recovery server
Description: An alert is generated when an error occurred while setting up the disaster recovery infrastructure.
How to resolve the alert: Manually create Recovery Server without the Internet Access property. For more information, see Creating recovery server

Note
Each Automated Test Failover run will consume chargeable compute points.

Alert: Backup processor auto test failover overall failure
Description: An alert is generated when the last scheduled automated test failover of the recovery server failed.
How to resolve the alert:
1. Start a test failover of the recovery server manually. For more information, see Performing a test failover.
2. Wait for the next scheduled date when automatic test failover will be performed

Alert: Failback failed
Description: An alert is generated when there is an error in the failback.
How to resolve the alert: You can see the erroneous location in the list of backup storages: it has a number instead of a name (normally, a location name matches one of the existing end users names) and you have not created this location. Remove the erroneous location:

Alert: Failback switchover finished
Description: An alert is generated when the switchover is successful.
How to resolve the alert: Manually dismiss the alert from the console.
Alert: Suspicious remote connection activity is detected
Description: An alert is generated when ransomware coming from a remote connection is detected.
How to resolve the alert: Manually dismiss the alert from the console.

Alert: Suspicious activity is detected
Description: An alert is generated when ransomware is detected in the workload.
How to resolve the alert: Manually dismiss the alert from the console to deactivate the alert.
Depending on the option you have specified in Active Protection plan, the malicious process is stopped, the changes made by the process are reverted, or no actions have been taken yet and you need to resolve this issue manually.

Alert: Cryptomining activity is detected
Description: An alert is generated when illicit cryptominers are detected in the workload
How to resolve the alert: Manually dismiss the alert from the console.

Alert: MBR defence: Suspicious activity is detected and suspended
Description: An alert is generated when ransomware is detected in the workload (specifically MBR / GPT partition is modified by ransomware).
How to resolve the alert: Manually dismiss the alert from the console.

Alert: Unsupported network path is specified
Description: An alert is generated when the recovery path provided by the administrator is not a local folder path.
How to resolve the alert: Specify the local path for network folder protection (recovery path). Manually dismiss the alert from the console

Alert: Critical process is added as harmful to the Active Protection plan
Description: An alert is generated when a critical process is added as a blocked process in the Protection exclusions list.
How to resolve the alert: Manually dismiss the alert from the console.

Alert: Failed to apply Active Protection policy
Description: An alert is generated when Active Protection policy failed to be applied.
How to resolve the alert: Check the error message to see why Active Protection policy cannot be applied.

Alert: Secure Zone: Unauthorized operation is detected and blocked
Description: An alert is generated when ransomware is detected in the workload (ASZ partition is modified by ransomware).
How to resolve the alert: Manually dismiss the alert from the console.

Alert: Active Protection service is not running
Description: An alert is generated when the Active Protection service crashed / is not running.
How to resolve the alert: Check the error message to see why Active Protection service is not running.

Alert: Active Protection service is not available
Description: An alert is generated when the Active Protection service is not available because a driver is incompatible or missing.
How to resolve the alert: Check Windows event logs for crashes of Acronis Active Protection service (acronis_protection_service.exe).

Alert: Conflict with another security solution
Description: An alert is generated if Active Protection is not available for machine '{{resourceName}}' because a conflict with another security solution was detected. To enable Active Protection, disable or uninstall the conflicting security solution.
How to resolve the alert:
Solution 1: If you want to use Acronis real-time protection then uninstall third-party antivirus on the machine.
Solution 2: If you want to use the third-party antivirus, disable Acronis real-time protection, URL filtering and Windows defender antivirus in the protection plan.

Alert: Quarantine action failed
Description: An alert is generated when antimalware failed to quarantine a detected malware.
How to resolve the alert: Check the error message to see why quarantine failed.

Alert: Malicious process is detected
Description: An alert is generated when a malware (process type) is detected by Behavior engine. The detected malware is quarantined.
How to resolve the alert: Manually dismiss the alert from the console.

Alert: Malicious process is detected, but not quarantined
Description: An alert is generated when a malware (process type) is detected by Behavior engine. The detected malware is not quarantined.
How to resolve the alert: Manually dismiss the alert from the console.

Alert: Malware is detected and blocked (ODS)
Description: An alert is generated when a malware is detected by scheduled scan. The detected malware is quarantined.
How to resolve the alert: Manually dismiss the alert from the console.

Alert: Malware is detected and blocked (RTP)
Description: An alert is generated when a malware is detected by Real-Time protection. The detected malware is quarantined.
How to resolve the alert: Manually dismiss the alert from the console.

Alert: Malware is detected in a backup
Description: An alert is generated when a malware is detected during backup scanning.
How to resolve the alert: Manually dismiss the alert from the console.

Alert: Conflict detected between Real-time antimalware protection and a security product
Description: An alert is generated when antimalware failed to register with Windows Security Center.
How to resolve the alert: Disable or uninstall 3rd party security product, or disable Real-time antimalware protection in the protection plan.

Alert: Failed to run the Microsoft Security Essentials module
Description: An alert is generated when it failed to run the Microsoft Security Essentials module.
How to resolve the alert: Check the error message to see why Microsoft Security Essentials module failed to run.

Alert: Real-time protection is not available because third-party antivirus software is installed
Description: An alert is generated when Real-time protection failed to turn on, because 3rd party antivirus still has Real-time protection enabled.
How to resolve the alert: Disable or uninstall 3rd party security product, or disable Real-time antimalware protection in the protection plan.

Alert: Real-time protection is not available due to incompatible or missing driver
Description: An alert is generated when Real-time protection is not available due to incompatible or missing driver.
How to resolve the alert: Check the error message to see why Acronis failed to install driver on workload.

Alert: Cyber Protection (or Active Protection) service is not responding
Description: An alert is generated when Cyber Protection Service responds to health check ping from console.
How to resolve the alert: Manually dismiss the alert from the console.

Alert: Security definition update failed
Description: An alert is generated when security definition update failed.
How to resolve the alert: Check the error message to see why security definition update failed.

Alert: Tamper Protection is enabled
Description: An alert is generated when Microsoft Defender settings cannot be changed because tamper protection is enabled.
How to resolve the alert: Disable Tamper Protection settings on the Windows workload.

Alert: Windows Defender module execution failed
Description: An alert is generated when Windows Defender module execution failed.
How to resolve the alert: Check the error message to see why Windows defender module failed to run.

Alert: Windows Defender is blocked by a third-party antivirus software
Description: An alert is generated when Windows Defender is blocked because a third party Antivirus is installed on the machine.
How to resolve the alert: Disable or uninstall 3rd party security product.

Alert: Group policy conflict
Description: An alert is generated when Microsoft Defender settings cannot be changed because it is controlled by a group policy.
How to resolve the alert: Disable group policy settings on the Windows workload.

Alert: Microsoft Security Essentials took action to protect this machine from malware
Description: An alert is generated when Microsoft Security Essential deleted / quarantined a malware.
How to resolve the alert: Manually dismiss the alert from the console.

Alert: Microsoft Security Essentials detected malware
Description: An alert is generated when Microsoft Security Essentials detected malware or other potentially unwanted software.
How to resolve the alert: Manually dismiss the alert from the console.
Storage quota almost reached | An alert is generated when the usage drops below 80% (after cleanup or quota upgrade). | Consider purchasing additional storage or freeing up space in your cloud storage.
Storage quota exceeded | An alert is generated when all 100% of the storage quota is used. | Buy more storage space. For more information on how to do that, verify the how to purchase more cloud storage.
l a dynamic group.
l a backup plan assigned to that
group.
l you added a resource that falls to
that dynamic group, but has some
qualities that forbid applying the
same backup plan to it.
Subscription license expired | An alert is generated when the daily check for license/maintenance expiration alerts, asked the license server, and got the response that the | After a subscription expires, all product functionality except recovery is blocked until further subscription renewal. Backed
Note
If you have recently purchased a new subscription but still receive the message that subscription is expired, you need to import new subscription from Acronis Account: in Management Console, go to Settings -> Licenses and click Sync in the top right corner. Subscriptions will be synchronized.
Subscription license will expire soon | An alert is generated when the daily check for license/maintenance expiration alerts, asked the license server, and got the response that the license will expire in less than 30 days. | Consider purchasing a new subscription.
Malicious URL was blocked | An alert is generated when a malicious URL is blocked by URL filtering. | Check the URL filtering settings. URL filtering is blocking pages which are supposed to be blocked according to the URL filtering settings.
A malicious URL warning was ignored | An alert is generated when you selected to proceed with the malicious URL blocked by URL filtering. | Check the URL filtering settings.
Conflict detected between URL filtering and a security product | An alert is generated when the URL filtering cannot be enabled due to a conflict with another security product. | Check the URL filtering settings.
Website URL is blocked | An alert is generated when a URL meets all the criteria specified in the blocked category for URL filtering. | Check the URL filtering settings.
EDR alerts
Alert | Description | How to resolve the alert
Incident Detected | An alert is generated when an incident is created or when the status for an existing incident is updated. | This alert informs you about a new incident or if an old incident has been updated. You can view the alert and close it. You can choose to open the incident for further investigation if required.
Indicator of compromise (IOCs) detected | An alert is generated when a new indicator of compromise was detected by EDR IOC threat search service. | This alert is to inform you that an IOC has been detected on one or many workloads. You will view the alert and then you can click on the link in the alert to view details about the IOC.
Failed to isolate the workload from the network | An alert is generated when the user triggers the action to isolate the machine from network, and isolation action fails. | Take the necessary actions.
Failed to reconnect the workload to the network | An alert is generated when the user triggers the action to reconnect the machine back to network, and the action failed. | Take the necessary actions.
Windows Defender Firewall settings was modified | An alert is generated when the settings to the firewall were modified on isolated machine. | This alert is to inform you that firewall details were modified on the isolated machine. It is informative only and you can close the alert after viewing it.
Device control and Data loss prevention will run with limited functionality (Incompatible CPU detected) | An alert is generated when the DeviceLock agent started on a physical machine with a CPU that supports CET technology. | Disable the option on the affected machines to avoid alerts.
Agent is outdated | An alert is generated when the agent version is outdated. | Go to Agents list and initiate updating the agent.
Automatic update failed | An alert is generated when the agent auto update failed. | Try to perform a manual update.
You need to restart device after installing a new agent | An alert is generated when a reboot is required after remote install was successful. | Restart the workload.
Alert widgets
In the alert widgets, you can see the following details of alerts related to your workload:
Field | Description
Historical alerts summary | A graphical widget showing alerts by alert severity, alert type and the time range.
Active alerts summary | A graphical widget showing active alerts by alert severity and alert type, as well as the sum of active alerts.
l Backed up today – the sum of recovery point sizes for the last 24 hours
l Malware blocked – the number of currently active alerts about malware blocked
l URLs blocked – the number of currently active alerts about URLs blocked
l Existing vulnerabilities – the number of currently existing vulnerabilities
l Patches ready to install – the number of currently available patches to be installed
Protection status
This widget shows the current protection status for all machines.
If you click on the machine status, you will be redirected to the list of machines with this status for
more details.
Hover over a workload row to view a breakdown of the current investigation state for the incidents;
the investigation states are Not started, Investigating, Closed, and False positive. Then click on
the workload you want to analyze further; the incident list is refreshed according to the widget
settings.
Threat status
This widget displays the current threat status for all workloads, highlighting the current number of
incidents that are not mitigated and that need investigating. The widget also indicates the number
of incidents that were mitigated (manually and/or automatically by the system).
Click on the Not mitigated number to display the incident list filtered to show incidents that are not
mitigated.
Hover over the graph to view a breakdown of the incident history at a specific point in the previous
24 hours (the default period). Click on the severity level (Critical, High, or Medium) if you want to
view the list of related incidents; you are redirected to the incident list pre-filtered with incidents
matching the selected severity level.
Click on a column to view a breakdown of the incidents according to severity (Critical, High, and
Medium), and an indication of how long it took to resolve the different severity levels. The % value
shown in parentheses indicates the increase or decrease in comparison to the previous time period.
Hover over a column to view a breakdown of the closed and open incidents for the selected day. If
you click the Open value, the incident list is displayed, and filtered to display incidents currently
open (in the Investigating or Not started states). If you click the Closed value, the incident list is
displayed, and filtered to display incidents that are no longer open (in the Closed or False positive
states).
The % value shown in parentheses indicates the increase or decrease in comparison to the previous
time period.
Detection by tactics
This widget displays the number of times specific attack techniques have been found in incidents
during the selected period.
The values in green and red indicate if there has been an increase or decrease over the previous
time period. In the example below, Privilege Escalation and Command and Control attacks have
seen an increase over the previous time period; this could indicate that your credential
management needs to be analyzed and security enhanced.
Click the Isolated value to view the Workload with agents list (under the Workloads menu in the
Cyber Protect console), which is filtered to display isolated workloads. Click the Connected value to
view the Workload with agents list filtered to display connected workloads.
l Antimalware
l Backup
l Firewall
l VPN
To improve the score of each of the metrics, you can view the recommendations that are available
in the report.
For more details about the #CyberFit Score, refer to "#CyberFit Score for machines".
Limitations
l Disk health forecast is supported only for machines running Windows.
l Only disks of physical machines are monitored. Disks of virtual machines cannot be monitored
and are not shown in the disk health widgets.
l RAID configurations are not supported. The disk health widgets do not include any information
about machines with RAID implementation.
l On NVMe drives, disk health monitoring is supported only for drives that communicate the
SMART data via the Windows API. Disk health monitoring is not supported for NVMe drives that
require reading the SMART data directly from the drive.
l OK
Disk health is between 70% and 100%.
l Warning
Disk health is between 30% and 70%.
l Critical
Disk health is between 0% and 30%.
l Calculating disk data
The current disk status and forecast are being calculated.
1. The protection agent collects the SMART parameters of the disks and passes this data to the Disk
Health Prediction Service:
l SMART 5 – Reallocated sectors count.
l SMART 9 – Power-on hours.
l SMART 187 – Reported uncorrectable errors.
l SMART 188 – Command timeout.
l SMART 197 – Current pending sector count.
l SMART 198 – Offline uncorrectable sector count.
l SMART 200 – Write error rate.
2. The Disk Health Prediction Service processes the received SMART parameters, makes forecasts,
and then provides the following disk health characteristics:
l Disk health current state: OK, warning, critical.
l Disk health forecast: negative, stable, positive.
l Disk health forecast probability in percentage.
The prediction period is one month.
3. The Monitoring Service receives these characteristics, and then shows the relevant information
in the disk health widgets in the Cyber Protect console.
l Disk health overview is a treemap widget with two levels of detail that can be switched by
drilling down.
o Machine level
Shows summarized information about the disk health status of the selected customer
machines. Only the most critical disk status is shown. The other statuses are shown in a tooltip
when you hover over a particular block. The machine block size depends on the total size of all
disks of the machine. The machine block color depends on the most critical disk status found.
l Disk health status is a pie chart widget that shows the number of disks for each status.
Disk failure is possible | Warning (30 – 70) | The <disk name> disk on this machine is likely to fail in the future. Run a full image backup of this disk as soon as possible, replace it, and then recover the image to the new disk.
Disk failure is imminent | Critical (0 – 30) | The <disk name> disk on this machine is in a critical state, and will most likely fail very soon. We do not recommend an image backup of this disk at this point, as the added stress can cause the disk to fail. Back up the most important files on this disk immediately and replace it.
Note
This feature is available with the Advanced Backup pack.
The data protection map feature allows you to discover all data that is important to you and get
detailed information about the number, size, location, and protection status of all important files
in a scalable treemap view.
Each block size depends on the total number/size of all important files that belong to a
customer/machine.
l Critical – there are 51-100% of unprotected files with the extensions specified by you that are not
being backed up and will not be backed up with the existing backup settings for the selected
machine/location.
l Low – there are 21-50% of unprotected files with the extensions specified by you that are not
being backed up and will not be backed up with the existing backup settings for the selected
machine/location.
l Medium – there are 1-20% of unprotected files with the extensions specified by you that are not
being backed up and will not be backed up with the existing backup settings for the selected
machine/location.
l High – all files with the extensions specified by you are protected (backed up) for the selected
machine/location.
l Machine level – shows information about the protection status of important files per machine of
the selected customer.
To protect files that are not protected, hover over the block and click Protect all files. In the dialog
window, you can find information about the number of unprotected files and their location. To
protect them, click Protect all files.
Vulnerable machines
This widget shows the vulnerable machines by the vulnerability severity.
The found vulnerability can have one of the following severity levels according to the Common
Vulnerability Scoring System (CVSS) v3.0:
Existing vulnerabilities
This widget shows currently existing vulnerabilities on machines. In the Existing vulnerabilities
widget, there are two columns showing timestamps:
l First detected – date and time when a vulnerability was detected initially on the machine.
l Last detected – date and time when a vulnerability was detected the last time on the machine.
l Security updates
l Critical updates
l Other
Recently affected
This widget shows detailed information about workloads that were affected by threats, such as
viruses, malware, and ransomware. You can find information about the detected threats, the time
when the threats were detected, and how many files were affected.
Cloud applications
This widget shows detailed information about cloud-to-cloud resources:
Additional information about cloud-to-cloud resources is also available in the following widgets:
l Activities
l Activity list
l 5 latest alerts
l Alerts history
l Active alerts summary
l Historical alerts summary
l Active alert details
l Locations summary
The Software overview widget shows the number of new, updated, and deleted applications on
Windows and macOS devices in your organization for a specified time period (7 days, 30 days, or the
current month).
When you click the part of the bar for a certain status, you are redirected to the Software
Management -> Software Inventory page. The information in the page is filtered for the
corresponding date and status.
The Hardware changes table widget shows information about the added, removed, and changed
hardware on physical and virtual Windows and macOS devices in your organization for a specified
time period (7 days, 30 days, or the current month).
Smart protection
Threat feed
Acronis Cyber Protection Operations Center (CPOC) generates security alerts that are sent only to
the related geographic regions. These security alerts provide information about malware,
vulnerabilities, natural disasters, public health, and other types of global events that may affect your
data protection. The threat feed informs you about all the potential threats and allows you to
prevent them.
Some security alerts can be resolved by following a set of specific actions that are provided by the
security experts. Other security alerts just notify you about the upcoming threats but no
recommended actions are available.
Note
Malware alerts are generated only for machines that have the agent for Antimalware protection
installed.
The main workflow of the threat feed is illustrated in the diagram below.
1. In the Cyber Protect console, go to Monitoring > Threat feed to review if there are any existing
security alerts.
2. Select an alert in the list and review the provided details.
3. Click Start to launch the wizard.
4. Enable the actions that you want to be performed and machines to which these actions must be
applied. The following actions can be suggested:
l Vulnerability assessment – to scan machines for vulnerabilities
l Patch management – to install patches on the selected machines
l Antimalware Protection – to run a full scan of the selected machines
Note
This action is available only for machines that have the agent for Antimalware protection
installed.
l To get detailed information about stored data (classification, locations, protection status, and
additional information) on your machines.
l To detect whether data are protected or not. The data are considered protected if they are
protected with backup (a protection plan with the backup module enabled).
l To perform actions for data protection.
How it works
1. First, you create a protection plan with the Data protection map module enabled.
2. After the plan has run and your data has been discovered and analyzed, the Data protection map
widget shows a visual representation of your data protection.
3. You can also go to Devices > Data protection map to find information about unprotected files
per device.
4. You can take actions to protect the detected unprotected files on devices.
To get the information about the unprotected files in the form of report, click Download detailed
report in CSV.
The following settings can be specified for the Data protection map module.
Schedule
You can define different settings to create the schedule according to which the task for data
protection map will be performed.
l Schedule by time – The task will run according to the specified time.
l When user logs in to the system – By default, a login of any user will start the task. You can
modify this setting so that only a specific user account can trigger the task.
l When user logs off the system – By default, a logoff of any user will start the task. You can
modify this setting so that only a specific user account can trigger the task.
Note
The task will not run at system shutdown. Shutting down and logging off are different events in
the scheduling configuration.
l On the system startup – The task will run when the operating system starts.
l On the system shutdown – The task will run when the operating system shuts down.
Schedule type:
l Monthly – Select the months and the weeks or days of the month when the task will run.
l Daily – Select the days of the week when the task will run.
l Hourly – Select the days of the week, repetition number, and the time interval in which the task
will run.
Start at – Select the exact time when the task will run.
Run within a date range – Set a range in which the configured schedule will be effective.
Start conditions – Define all conditions that must be met simultaneously for the task to run.
l Distribute task start time within a time window – This option allows you to set the time
frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or
minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the
task will start between 10:00 AM and 11:00 AM.
l If the machine is turned off, run missed tasks at the machine startup
l Prevent the sleep or hibernate mode during task running – This option is effective only for
machines running Windows.
l If start conditions are not met, run the task anyway after – Specify the period after which
the task will run, regardless of the other start conditions.
Note
Start conditions are not supported for Linux.
On the Exception rules tab, you can define which files and folders to skip when checking the
protection status during data discovery.
l Hidden files and folders – if selected, hidden files and folders will be skipped during data
examination.
l System files and folders – if selected, system files and folders will be skipped during data
examination.
1. In the Device name field, specify the machine on which the activity is carried out.
2. From the Status dropdown list, select the status. For example, succeeded, failed, in progress,
canceled.
3. From the Remote actions dropdown list, select the action. For example, applying plan, deleting
backups, installing software updates.
4. In the Most recent field, set the period of activities. For example, the most recent activities, the
activities from the past 24 hours, or the activities during a specific period within the past 90 days.
5. If you are accessing the Activities tab as a partner administrator, you can filter the activities for a
specific customer that you manage.
To cancel a running activity, click its name, and then, on the Details screen, click Cancel.
l Device name
This is the machine on which the activity is carried out.
l Started by
This is the account that started the activity.
l Creating plan
l Applying plan
l Revoking plan
l Deleting plan
l Remote connection
o Cloud remote desktop connection via RDP
o Cloud remote desktop connection via NEAR
o Cloud remote desktop connection via Apple Screen Sharing
o Remote desktop connection via web client
o Remote desktop connection via Quick Assist
o Direct remote desktop connection via RDP
o Direct remote desktop connection via Apple Screen Sharing
o File transfer
o File transfer via Quick Assist
l Remote action
o Shutting down a workload
o Restarting a workload
o Logging out remote user on the workload
o Emptying recycle bin for user on the workload
o Putting to sleep a workload
Cyber Protect Monitor is accessible to users who might not have administrative rights for the Cyber
Protection or the File Sync & Share service.
Cyber Protection users without administrative rights can perform the following tasks:
They cannot apply custom protection plans or manage protection plans that are already applied.
File Sync & Share users without administrative rights can perform the following tasks:
l Sync content between their local sync folder and their File Sync & Share account
l Pause their sync operations
l Change their sync folder
l Check the file types whose syncing is restricted
All Cyber Protect Monitor users can change the backup encryption settings or configure the proxy
server settings.
Warning!
Changing the encryption settings in Cyber Protect Monitor overwrites the settings in the protection
plan and affects all backups of the machine. This operation can make some protection plans fail.
For more information, refer to "Encryption" (p. 396).
There is no way to recover encrypted backups if you lose or forget the password.
1. Open Cyber Protect Monitor, and then click the gear icon in the top right corner.
2. Click Settings, and then click Proxy.
3. Enable the Use a proxy server switch, and then enter the proxy server address and port.
4. [If the proxy server access is password-protected] Enable the Password required switch, and
then enter the user name and password to access the proxy server.
5. Click Save.
The proxy server settings are saved in the http-proxy.yaml file.
A report about operations can include any set of dashboard widgets. All widgets show summary
information for the entire company.
Depending on the widget type, the report includes data for a time range or for the moment of
browsing or report generation. See "Reported data according to widget type" (p. 284).
All historical widgets show data for the same time range. You can change this range in the report
settings.
You can download a report or send it via email in XLSX (Excel) or PDF format.
The set of default reports depends on the Cyber Protection service edition that you have. The
default reports are listed below:
#CyberFit Score by machine | Shows the #CyberFit Score, based on the evaluation of security metrics and configurations for each machine, and recommendations for improvements.
Backup scanning details | Shows the detailed information about detected threats in the backups.
Daily activities | Shows the summary information about activities performed during a specified time period.
Data protection map | Shows the detailed information about the number, size, location, protection status of all important files on machines.
Detected threats | Shows the details of the affected machines by number of blocked threats and the healthy and vulnerable machines.
Disk health prediction | Shows predictions when your HDD/SSD will break down and current disk status.
Existing vulnerabilities | Shows the existing vulnerabilities for OS and applications in your organization. The report also displays the details of the affected machines in your network for every product that is listed.
Software | Shows information about the software that is installed on your company devices.
Hardware inventory | Shows information about the hardware that is available on your company devices.
Patch management summary | Shows the number of missing patches, installed patches, and applicable patches. You can drill down the reports to get the missing/installed patch information and details of all the systems.
Summary | Shows the summary information about the protected devices for a specified time period.
Weekly activities | Shows the summary information about activities performed during a specified time period.
Remote sessions | Shows information about the remote desktop and file transfer sessions.
To edit a report
To delete a report
To schedule a report
Note
You can export up to 1000 items in a PDF file and up to 10 000 items in an XLSX file. The
timestamps in the PDF and XLSX files use the local time of your machine.
To download a report
To send a report
By using this option, you can export all data for a custom period, without filtering it, to a CSV file and
send the CSV file to an email recipient.
Note
You can export up to 150 000 items in a CSV file. The timestamps in the CSV file use Coordinated
Universal Time (UTC).
Note
Preparing CSV files for longer periods takes more time.
6. Click Send.
l Widgets that display actual data at the moment of browsing or report generation.
l Widgets that display historical data.
When you configure a date range in the report settings to dump data for a certain period, the
selected time range will apply only for widgets that display historical data. For widgets that display
actual data at the moment of browsing, the time range parameter is not applicable.
The following table lists the available widgets and their data ranges.
Activities Historical
The Cyber Protect console provides access to additional services or features, such as File Sync &
Share or Antivirus and Antimalware protection, Patch management, Device control, and
Vulnerability assessment. The type and number of these services and features vary according to
your Cyber Protection license.
To check the dashboard with the most important information about your protection, go to
Monitoring > Overview.
Depending on your access permissions, you can manage the protection for one or multiple
customer tenants or units in a tenant. To switch the hierarchy level, use the drop-down list in the
navigation menu. Only the levels to which you have access are shown. To go to the management
portal, click Manage.
The Devices section is available in simple and table view. To switch between them, click the
corresponding icon in the top right corner.
Both views provide access to the same features and operations. This document describes access to
operations from the table view.
When a workload goes online or offline, it takes some time for its status to change in the Cyber
Protect console. The workload status is checked every minute. If the agent installed on the
corresponding machine is not transferring data and does not answer five consecutive checks,
the workload is shown as offline. The workload is shown as back online when it answers a status
check or starts transferring data.
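The status rule above, replayed over constructed check timelines to show how long a silent agent is still displayed as online. This is an added example, not code from the product; the class and function names are hypothetical, and it assumes one list entry per one-minute check and a workload that starts out shown as online.

```python
# Added illustration of the online/offline rule described in the guide.
OFFLINE_AFTER_MISSED_CHECKS = 5   # "five consecutive checks" (from the guide)
CHECK_INTERVAL_MINUTES = 1        # "checked every minute" (from the guide)


class WorkloadStatus:
    """Console-side view of one workload, updated once per status check."""

    def __init__(self):
        self.online = True        # assumption: the workload starts as online
        self.missed = 0           # consecutive checks with no answer and no data

    def check(self, answered, transferring=False):
        if answered or transferring:
            # Any answer or data transfer resets the counter and restores "online".
            self.missed = 0
            self.online = True
        else:
            self.missed += 1
            if self.missed >= OFFLINE_AFTER_MISSED_CHECKS:
                self.online = False
        return self.online


def replay(checks):
    """checks: list of (answered, transferring), one per check. Returns shown states."""
    status = WorkloadStatus()
    return ["online" if status.check(a, t) else "offline" for a, t in checks]


def checks_until_offline(checks):
    """1-based number of the check at which 'offline' is first shown, or None."""
    shown = replay(checks)
    return shown.index("offline") + 1 if "offline" in shown else None


def sample_timelines():
    """Constructed timelines, not captured from a real console."""
    ok, silent, data_only = (True, False), (False, False), (False, True)
    return {
        "agent_stopped": [ok, ok] + [silent] * 6,
        "short_outage": [ok, ok] + [silent] * 4 + [ok],
        "transferring_only": [data_only] * 6,
        "recovered": [ok] + [silent] * 5 + [ok],
    }


if __name__ == "__main__":
    for name, timeline in sample_timelines().items():
        print(f"{name:18} {replay(timeline)} -> offline at check "
              f"{checks_until_offline(timeline)}")
```

In the `agent_stopped` timeline the workload is still shown as online for four checks after the agent goes silent, and in `short_outage` the displayed status never changes, so the status column alone does not record agent interruptions shorter than five checks.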
You can also view the description of the new features by clicking the What's new link in the bottom-
left corner of the main Cyber Protect console window.
If there are no new features, the What's new link is not displayed.
To change the level of administration, use the drop-down list in the navigation menu. The drop-
down list is only available for administrators who can access both the Cyber Protect console and the
management portal, and can manage more than one tenant or unit.
To work on the customer or unit level, select the name of that customer or unit.
Alerts tab
Here, you can see the alerts from all your managed customers, search them, and filter them
according to the following criteria:
l Device
l Customer
l Plan
Activities tab
Here, you can see the activities from all the tenants that you manage or the activities in a specific
customer tenant.
You can filter the activities by customer, status, time, and type.
l Applying plan
l Creating the protection plan
l Protection plan
l Revoking plan
l Scripting
Devices tab
Only the All devices, Machines with agents, and virtualization host tabs are available under
Devices.
In the Machines with agents tab, you can see all workloads from your managed customer tenants,
and you can select workloads from one or more tenants. You can also create device groups that
include workloads from different tenants.
Important
When you work on the partner (All customers) level, a limited number of operations with devices
are available. For example, you cannot see and manage existing protection plans on customer
devices, as well as create new protection plans, add new devices, recover backups, use Disaster
Recovery, or access the Cyber Protection Desktop features. To perform any of these operations,
switch to the customer level.
Multitenancy support
The Cyber Protection service supports multitenancy, which implies administration on the following
levels:
Administrators can manage objects in their own tenant and in its child tenants. They cannot see or
access objects on an upper administration level, if any.
For example, company administrators can manage protection plans both on the customer tenant
level and on the unit level. Unit administrators can manage only their own protection plans on the
unit level. They cannot manage any protection plans on the customer tenant level and cannot
manage the protection plans that are created by the customer administrator on the unit level.
Also, partner administrators can create and apply scripting plans in the customer tenants that they
manage. The company administrators in such tenants have only read-only access to the scripting
plans that are applied to their workloads by a partner administrator. However, customer
administrators can create and apply their own scripting or protection plans.
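The access rules above, written out as a small authorization check that can be used to reason about who can touch which plan. This is an added example, not the product's own code: the tenant, administrator and plan names are constructed, the `Access` levels are hypothetical, and read-only visibility for a unit administrator on plans they did not create is an assumption (the guide only says such plans cannot be managed).

```python
# Added illustration of the multitenancy rules described in the guide.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    NONE = "none"      # object is not visible at all
    READ = "read"      # visible, but cannot be changed
    MANAGE = "manage"  # full control


@dataclass(frozen=True)
class Tenant:
    name: str
    level: str                          # "partner", "customer" or "unit"
    parent: Optional["Tenant"] = None

    def is_within(self, other: "Tenant") -> bool:
        """True if this tenant is `other` or one of its descendants."""
        node = self
        while node is not None:
            if node == other:
                return True
            node = node.parent
        return False


@dataclass(frozen=True)
class Admin:
    name: str
    tenant: Tenant                      # level the account belongs to


@dataclass(frozen=True)
class Plan:
    name: str
    kind: str                           # "protection" or "scripting"
    tenant: Tenant                      # level the plan is applied on
    creator: Admin


def access(admin: Admin, plan: Plan) -> Access:
    # Own tenant and child tenants only; upper levels and siblings are invisible.
    if not plan.tenant.is_within(admin.tenant):
        return Access.NONE
    if plan.creator == admin:
        return Access.MANAGE
    # Plans applied by an administrator from an upper level (a partner's scripting
    # plan in a customer tenant, a customer administrator's plan on a unit).
    creator_is_above = (admin.tenant != plan.creator.tenant
                        and admin.tenant.is_within(plan.creator.tenant))
    if creator_is_above:
        return Access.READ
    # Unit administrators manage only their own plans (READ is this example's assumption).
    if admin.tenant.level == "unit":
        return Access.READ
    # The console may still require switching to the customer level to do this.
    return Access.MANAGE


def access_matrix():
    """Constructed hierarchy: one partner, two customers, one unit."""
    partner = Tenant("Partner", "partner")
    cust_a = Tenant("Customer A", "customer", partner)
    cust_b = Tenant("Customer B", "customer", partner)
    unit_a1 = Tenant("Unit A1", "unit", cust_a)
    admins = {
        "partner": Admin("partner-admin", partner),
        "company_a": Admin("company-a-admin", cust_a),
        "company_b": Admin("company-b-admin", cust_b),
        "unit_a1": Admin("unit-a1-admin", unit_a1),
    }
    plans = {
        "partner_script": Plan("Patch script", "scripting", cust_a, admins["partner"]),
        "company_backup": Plan("Nightly backup", "protection", cust_a, admins["company_a"]),
        "company_on_unit": Plan("Unit baseline", "protection", unit_a1, admins["company_a"]),
        "unit_backup": Plan("Unit backup", "protection", unit_a1, admins["unit_a1"]),
    }
    return {(a, p): access(admins[a], plans[p]).value for a in admins for p in plans}


if __name__ == "__main__":
    for (admin_key, plan_key), level in access_matrix().items():
        print(f"{admin_key:10} {plan_key:16} {level}")
```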
Workloads
A workload is any type of protected resource − for example, a physical machine, a virtual machine, a
mailbox, or a database instance. In the Cyber Protect console, the workload is shown as an object to
which you can apply a plan (protection plan, backup plan, or scripting plan).
Some workloads require installing a protection agent or deploying a virtual appliance. You can
install agents by using the graphical user interface or by using the command-line interface
(unattended installation). You can use the unattended installation to automate the installation
procedure. For more information about how to install protection agents, refer to "Installing and
deploying Cyber Protection agents" (p. 55).
A virtual appliance (VA) is a ready-made virtual machine that contains a protection agent. With a
virtual appliance, you can back up other virtual machines in the same environment without
installing a protection agent on them (agentless backup). The virtual appliances are available in
hypervisor-specific formats, such as .ovf, .ova, or .qcow. For more information about which
virtualization platforms support agentless backup, refer to "Supported virtualization platforms" (p.
29).
The table below summarizes the workload types and their respective agents.
Server
Virtual machines | Depending on the virtualization platform, the following backup methods might be available: | VMware virtual machine
Microsoft 365 Business workloads, Google Workspace workloads | These workloads are backed up by a cloud agent for which no installation is required. To use the cloud agent, you need to add your Microsoft 365 or Google Workspace organization to the Cyber Protect console. Additionally, a local Agent for Office 365 is also available. It requires installation and can only be used to back up Exchange Online mailboxes. For more information about the differences between the local and the cloud agent, refer to "Protecting Microsoft 365 data" (p. 523). | Microsoft 365 mailbox, Microsoft 365 OneDrive, Microsoft Teams, SharePoint site, Google mailbox, Google Drive
Applications | The data of specific applications is backed up by dedicated agents, such as Agent for SQL, Agent for Exchange, Agent for MySQL/MariaDB, or Agent for Active Directory. | SQL Server databases, MySQL/MariaDB databases, Oracle databases, Active Directory
Websites | The websites are backed up by a cloud agent for which no installation is required. | Websites accessed via the FTP protocol
For more information about which agent you need and where to install it, refer to "Which agent do I
need?" (p. 57)
Note
The workload types that you can add depend on the service quotas for your account. If a specific
workload type is missing, it is grayed out in the Add devices pane.
A partner administrator can enable the required service quotas in the Management portal. For
details, refer to "Information for partner administrators" (p. 297).
To add a workload
The following table summarizes the workload types and required actions.
"Unattended installation or
uninstallation in Windows" (p. 81)
or
or
"Unattended installation or
uninstallation in Linux" (p. 97)
Mobile devices (iOS, Android)
    Required action: Install the mobile app.
    Procedure: "Protecting mobile devices" (p. 516)
Cloud-to-cloud workloads
Microsoft 365 Business
    Required action: Add your Microsoft 365 organization to the Cyber Protect console and use the
    cloud agent to protect Exchange Online mailboxes, OneDrive files, Microsoft Teams, and
    SharePoint sites.
    Procedure: "Protecting Microsoft 365 data" (p. 523)
Virtual machines
VMware ESXi
    Required action: Deploy Agent for VMware (Virtual Appliance) in your environment.
    Procedure: "Deploying Agent for VMware (Virtual Appliance)" (p. 127)
"Unattended installation or
uninstallation in Windows" (p. 81)
Virtuozzo Hybrid Infrastructure
    Required action: Deploy Agent for Virtuozzo Hybrid Infrastructure (Virtual Appliance) in your
    environment.
    Procedure: "Deploying Agent for Virtuozzo Hybrid Infrastructure (Virtual Appliance)" (p. 136)
or
"Unattended installation or
uninstallation in Windows" (p. 81)
or
"Unattended installation or
uninstallation in Linux" (p. 97)
or
"Unattended installation or
uninstallation in Windows" (p. 81)
"Unattended installation or
uninstallation in Linux" (p. 97)
Red Hat Virtualization (oVirt)
    Required action: Deploy Agent for oVirt (Virtual Appliance) in your environment.
    Procedure: "Deploying Agent for oVirt (Virtual Appliance)" (p. 144)
or
"Unattended installation or
uninstallation in Windows" (p. 81)
or
"Unattended installation or
uninstallation in Linux" (p. 97)
or
"Unattended installation or
uninstallation in Windows" (p. 81)
or
"Unattended installation or
uninstallation in Linux" (p. 97)
or
"Unattended installation or
uninstallation in Windows" (p. 81)
"Unattended installation or
uninstallation in Linux" (p. 97)
Scale Computing HC3
    Required action: Deploy Agent for Scale Computing HC3 (Virtual Appliance) in your environment.
    Procedure: "Deploying Agent for Scale Computing HC3 (Virtual Appliance)" (p. 131)
Network-attached storage
Synology
    Required action: Deploy Agent for Synology (Virtual Appliance) in your environment.
    Procedure: "Deploying Agent for Synology" (p. 150)
Applications
Microsoft SQL Server
    Required action: Install Agent for SQL.
    Procedure: "Installing protection agents in Windows" (p. 72)
Microsoft Exchange Server
    Required action: Install Agent for Exchange.
    or
Oracle Database
    Required action: Install Agent for Oracle.
    Procedure: "Protecting Oracle Database" (p. 582)
Website
    Required action: Configure the connection to the website.
    Procedure: "Protecting websites and hosting servers" (p. 588)
For more information about the available protection agents and where to install them, refer to
"Which agent do I need?" (p. 57)
Alternatively, you can uninstall the agent on the protected workload. When you uninstall an agent,
the protected workload is automatically removed from the Cyber Protect console.
Important
When you remove a workload from the Cyber Protect console, all plans that are applied to that
workload are revoked. Removing a workload does not delete any plans or backups, and does not
uninstall the protection agent.
The following table summarizes the workload types and required actions.
Physical or virtual machines on which a protection agent is installed
    Required actions:
    1. Remove the workload from the Cyber Protect console.
    2. [Optional] Uninstall the protection agent.
    Procedure: "To remove a workload from the Cyber Protect console" (p. 300)
    (Workload with protection agent)
Virtual machines that are backed up on the hypervisor level (agentless backup)
    Required actions:
    1. In the Cyber Protect console, remove the machine on which the protection agent is installed.
       All virtual machines that are backed up by this agent will be automatically removed from the
       console.
    2. [Optional] Uninstall the protection agent.
    Procedure: "To remove a workload from the Cyber Protect console" (p. 300)
    (Workload without a protection agent)
Cloud-to-cloud workloads
Microsoft 365 Business workloads, Google Workspace workloads
    Required actions:
    Delete the Microsoft 365 or the Google Workspace organization from the Cyber Protect console.
    All resources in that organization will be automatically removed from the console.
    Procedure: "To remove a workload from the Cyber Protect console" (p. 300)
    (Cloud-to-cloud workload)
Mobile devices
Android devices, iOS devices
    Required actions:
    1. Remove the mobile device from the Cyber Protect console.
    2. [Optional] On the mobile device, uninstall the app.
    Procedure: "To remove a workload from the Cyber Protect console" (p. 300)
    (Mobile device)
Network-attached storage
Synology
    Required actions:
    1. Remove the workload from the Cyber Protect console.
    2. [Optional] Uninstall the protection agent.
    Procedure: "To remove a workload from the Cyber Protect console" (p. 300)
    (Workload with a protection agent)
Applications
Microsoft SQL Server, Microsoft Exchange Server, Microsoft Active Directory
    Required actions:
    1. In the Cyber Protect console, remove the machine on which the protection agent is installed.
       The
    Procedure: "To remove a workload from the Cyber Protect console" (p. 300)
    (Workload without a protection agent)
Websites
    Required actions:
    Remove the website from the Cyber Protect console.
    Procedure: "To remove a workload from the Cyber Protect console" (p. 300)
    (Website)
To remove this type of workload, you need to remove the machine on which the protection agent is
installed.
Cloud-to-cloud workload
To remove workloads that are backed up by the cloud agent, delete your Microsoft 365 or Google
Workspace organization from the Cyber Protect console.
1. In the Cyber Protect console, navigate to Devices > Microsoft 365 or Devices > Google
Workspace.
2. Click the name of your Microsoft 365 or Google Workspace organization.
3. In the Actions pane, click Delete group.
4. Click Delete to confirm your action.
Mobile device
Website
Device groups
Note
Applying a backup plan to a custom group with Microsoft 365 or Google Workspace workloads
requires the Advanced Backup pack.
With device groups, you can protect multiple similar workloads with a group plan. The plan is
applied to the group as a whole and cannot be revoked from a member of the group.
A workload can be a member of more than one group. A workload that is included in a device group
can still be protected by individual plans.
You cannot create device groups within any All-type group, such as the root group All devices, or
built-in groups like Machines with agents > All, Microsoft 365 > your organization > Users > All
users.
Built-in groups
After you register a workload in the Cyber Protect console, the workload appears in one of the built-
in root groups on the Devices tab, such as Machines with agents, Microsoft 365, or Hyper-V.
All registered non-cloud-to-cloud workloads are also listed in the All devices root group. A separate
built-in root group named after your tenant contains all non-cloud-to-cloud workloads and all units
in this tenant.
You cannot delete or edit the root groups, or apply plans to them.
Some of the root groups contain one or more levels of built-in subgroups, for example, Machines
with agents > All, Microsoft 365 > your organization > Teams > All teams, Google Workspace >
your organization > Shared Drives > All Shared Drives.
Custom groups
Protecting all workloads in a built-in group might not be convenient, because there might be
workloads that need different protection settings or a different protection schedule.
In some of the root groups, for example in Machines with agents, Microsoft 365, or Google
Workspace, you can create custom subgroups. These subgroups can be static or dynamic.
• Static
• Dynamic
Static groups
Static groups contain manually added workloads.
The content of a static group changes only when you explicitly add or remove a workload.
Dynamic groups
Dynamic groups contain workloads that match specific criteria. You define these criteria in advance
by creating a search query that includes attributes (for example, osType), their values (for example,
Windows), and search operators (for example, IN).
Thus, you can create a dynamic group for all machines whose operating system is Windows or a
dynamic group that contains all users in your Microsoft 365 organization whose email addresses
begin with john.
All workloads that have the required attributes and values are automatically added to the group and
any workload that loses a required attribute or value is automatically removed from the group.
Example 1: The host names of the machines that belong to the accounting department contain the
word accounting. You search for the machines whose names contain accounting, and then you save
the search results as a dynamic group. Then, you apply a protection plan to the group. If a new
accountant is hired, the accountant's machine will have accounting in its name and will be
automatically added to the dynamic group as soon as you register that machine in the Cyber Protect
console.
Example 2: The accounting department forms a separate Active Directory organizational unit (OU).
You specify the accounting OU as a required attribute, and then you save the search results as a
dynamic group. Then, you apply a protection plan to the group. If a new accountant is hired, the
accountant's machine will be added to the dynamic group as soon as it is added to the Active
Directory OU and is registered in the Cyber Protect console (regardless of which comes first).
Cloud resources, such as Microsoft 365 or Google Workspace users, OneDrive and Google Drive
shares, Microsoft Teams, or Azure AD groups are synchronized to the Cyber Protect console right
after you add a Microsoft 365 or Google Workspace organization to the console. Any further
changes in an organization are synchronized once a day.
If you need to synchronize a change immediately, in the Cyber Protect console, navigate to Devices
> Microsoft 365 or Devices > Google Workspace respectively, select the required organization,
and then click Refresh.
Alternatively, you can select workloads and create a new static group from your selection.
You cannot create device groups within any All-type group, such as the root group All devices, or
built-in groups like Machines with agents > All, Microsoft 365 > your organization > Users > All
users.
Note
Applying a backup plan to a custom group with Microsoft 365 or Google Workspace workloads
requires the Advanced Backup pack.
1. Click Devices, and then select the root group that contains the workloads for which you want to
create a static group.
2. [Optional] To create a nested group, navigate to an existing static group.
Note
Creating nested static groups is not available for cloud-to-cloud workloads.
3. Click + New static group below the group tree or click New static group in the Actions pane.
4. Specify a name for the new group.
5. [Optional] Add a comment for the group.
6. Click OK.
From selection
1. Click Devices, and then select the root group that contains the workloads for which you want to
create a static group.
Note
You cannot create device groups within any All-type group, such as the root group All devices,
or built-in groups like Machines with agents > All, Microsoft 365 > your organization > Users >
All users.
2. Select the check boxes next to workloads for which you want to create a new group, and then
click Add to group.
3. In the folder tree, select the parent level for the new group, and then click New static group.
Note
Creating nested static groups is not available for cloud-to-cloud workloads.
Alternatively, you can select the workloads first, and then add them to a group.
1. Click Devices, and then select the root group that contains the required workloads.
2. Select the check boxes next to the workloads that you want to add, and then click Add to group.
3. In the folder tree, select the target group, and then click Done.
The attributes that are supported for searching and creating dynamic groups differ for cloud-to-
cloud workloads and non-cloud-to-cloud workloads. For more information on supported attributes,
refer to "Search attributes for non-cloud-to-cloud workloads" (p. 308) and "Search attributes for
cloud-to-cloud workloads" (p. 307).
Dynamic groups are created in their respective root groups. Nested dynamic groups are not
supported.
You cannot create device groups within any All-type group, such as the root group All devices, or
built-in groups like Machines with agents > All, Microsoft 365 > your organization > Users > All
users.
Note
Applying a backup plan to a custom group with Microsoft 365 or Google Workspace workloads
requires the Advanced Backup pack.
Non-cloud-to-cloud workloads
1. Click Devices, and then select the group that contains the workloads for which you want to
create a new dynamic group.
2. Search for workloads by using the supported search attributes and operators.
You can use multiple attributes and operators in a single query.
3. Click Save as next to the search field.
4. Specify a name for the new group.
5. [Optional] In the Comment field, add a description for the new group.
6. Click OK.
Cloud-to-cloud workloads
To see which attributes you can use in search queries for other types of workloads, refer to "Search
attributes for non-cloud-to-cloud workloads" (p. 308).
'*company.com*support*'
To see which attributes you can use in search queries for cloud-to-cloud workloads, refer to "Search
attributes for cloud-to-cloud workloads" (p. 307).
Table columns: Attribute, Meaning, Search query examples, Supported for group creation
General
• 'exchange'
• 'mssql_server'
• 'mssql_instance'
• 'mssql_database'
• 'mssql_database_folder'
• 'msexchange_database'
• 'msexchange_storage_group'
• 'msexchange_mailbox.msexchange'
• 'msexchange_mailbox.office365'
• 'mssql_aag_group'
• 'mssql_aag_database'
• 'virtual_machine.vmww'
• 'virtual_machine.vmwesx'
• 'virtual_host.vmwesx'
• 'virtual_cluster.vmwesx'
• 'virtual_appliance.vmwesx'
• 'virtual_application.vmwesx'
• 'virtual_resource_pool.vmwesx'
• 'virtual_center.vmwesx'
• 'datastore.vmwesx'
• 'datastore_cluster.vmwesx'
• 'virtual_network.vmwesx'
• 'virtual_data_center.vmwesx'
• 'virtual_machine.vmww'
• 'virtual_cluster.mshyperv'
• 'virtual_machine.mshyperv'
• 'virtual_host.mshyperv'
• 'virtual_network.mshyperv'
• 'virtual_folder.mshyperv'
• 'virtual_data_center.mshyperv'
• 'datastore.mshyperv'
• 'virtual_machine.msvs'
• 'virtual_machine.parallelsw'
• 'virtual_host.parallelsw'
• 'virtual_cluster.parallelsw'
• 'virtual_machine.rhev'
• 'virtual_machine.kvm'
• 'virtual_machine.xen'
• 'bootable_media'
• laptop
• desktop
• server
• other
• unknown
Note
The automatic synchronization is disabled if there is manually added text in the comment field. To
enable the synchronization again, clear this text.
To refresh the automatically synchronized comments for your workloads, restart the Managed Machine
Service in Windows Services or run the following commands at the command prompt:
To add or change a comment manually, click Add or Edit.
• Agent comment
  ◦ For physical machines running Windows, the computer description in Windows is automatically
    copied as a comment. This value is synchronized every 15 minutes.
  ◦ Empty for other devices.
Note
The automatic synchronization is disabled if there is manually added text in the comment field. To
enable the synchronization again, clear this text.
• Device comment
  ◦ If the agent comment is specified automatically, it is copied as a device comment. Manually
    added agent comments are not copied as device comments.
  ◦ Device comments are not copied as agent comments.
To add or change a comment manually, click Add or Edit.
Possible values:
• true
• false
Possible values:
• true
• false
Possible values:
• 'x64'
• 'x86'
Operating system
• 'windows'
• 'linux'
• 'macosx'
Possible values:
• 'x64'
• 'x86'
Possible values:
• 'dc'
  Stands for Domain Controller.
  Note
  When the domain controller role is assigned on a Windows server, the osProductType changes from
  server to dc. Such machines will not be included in the search results for
  osProductType='server'.
• 'server'
• 'workstation'
operating system.
Agent
Possible values:
• 'vmwesx'
  VMware virtual machines.
• 'mshyperv'
  Hyper-V virtual machines.
• 'pcs'
  Virtuozzo virtual machines.
• 'hci'
  Virtuozzo Hybrid Infrastructure virtual machines.
• 'scale'
  Scale Computing HC3 virtual machines.
• 'ovirt'
  oVirt virtual machines
Possible values:
• true
• false
Location
Status
Possible values:
• 'idle'
• 'interactionRequired'
• 'canceling'
• 'backup'
• 'recover'
• 'install'
• 'reboot'
• 'failback'
• 'testReplica'
• 'run_from_image'
• 'finalize'
• 'failover'
• 'replicate'
• 'createAsz'
• 'deleteAsz'
• 'resizeAsz'
• ok
• warning
• error
• critical
• protected
• notProtected
lastVAScanTime*
    Meaning: The date and time of the last successful vulnerability assessment.
    Search query examples:
    lastVAScanTime > '2023-03-11'
    lastVAScanTime <= '2023-03-11 00:15'
    Supported for group creation: Yes
Possible values:
• connected
• isolated
Note
If you skip the hour and minutes value, the start time is considered to be YYYY-MM-DD 00:00, and
the end time is considered to be YYYY-MM-DD 23:59:59. For example, lastBackupTime = 2023-01-20
means that the search results will include all backups from the interval
lastBackupTime >= 2023-01-20 00:00 and lastBackupTime <= 2023-01-20 23:59:59.
Search operators
The following table summarizes the operators that you can use for your search queries.
AND
    Workloads: All workloads
    Meaning: Logical conjunction operator
    Example: name like 'en-00' AND tenant = 'Unit 1'
operators:
• * or % The asterisk and the percent sign represent zero, one, or multiple characters
• _ The underscore represents a single character
NOT LIKE 'wildcard pattern'
    Workloads: All workloads
    Meaning: This operator is the opposite of the LIKE operator.
    You can use the following wildcard operators:
    • * or % The asterisk and the percent sign represent zero, one, or multiple characters
    • _ The underscore represents a single character
    Examples:
    name NOT LIKE 'en-00'
    name NOT LIKE '*en-00'
    name NOT LIKE '*en-00*'
    name NOT LIKE 'en-00_'
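
The wildcard rules, the date defaults, and the osProductType note above can be checked offline before a plan is applied to a dynamic group. The following is an added example, not part of the original guide or the product's code: it previews which workloads of a constructed inventory a group query would include and lists the workloads that no group covers. It assumes whole-value, case-insensitive LIKE matching, which the guide does not specify; the inventory, the group names, and the helper functions are hypothetical.

```python
import re
from datetime import datetime, timedelta


def like(value: str, pattern: str) -> bool:
    """LIKE as the operators table describes it: * or % match zero, one, or
    multiple characters; _ matches exactly one character.
    Assumption: the whole value must match, ignoring case."""
    regex = "".join(
        ".*" if ch in "*%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def date_interval(text: str):
    """Expand a date value as the note describes: a bare YYYY-MM-DD covers
    00:00 through 23:59:59 of that day; a value with a time is a single point."""
    text = text.strip()
    if len(text) == 10:
        start = datetime.strptime(text, "%Y-%m-%d")
        return start, start + timedelta(hours=23, minutes=59, seconds=59)
    moment = datetime.strptime(text, "%Y-%m-%d %H:%M")
    return moment, moment


# Constructed inventory for illustration; not real workloads.
INVENTORY = [
    {"name": "accounting-ws-01", "osProductType": "workstation",
     "lastBackupTime": "2023-01-20 03:10"},
    {"name": "hq-accounting-02", "osProductType": "workstation",
     "lastBackupTime": "2023-01-19 23:50"},
    {"name": "en-001", "osProductType": "server",
     "lastBackupTime": "2023-01-20 23:59"},
    # A Windows server promoted to domain controller reports 'dc', not 'server'.
    {"name": "en-00", "osProductType": "dc",
     "lastBackupTime": "2023-01-21 00:00"},
]

# Hypothetical dynamic groups, each modelled as a predicate over one workload.
GROUPS = {
    "Accounting": lambda w: like(w["name"], "*accounting*"),
    "Servers": lambda w: w["osProductType"] == "server",
}


def members(group: str) -> list:
    """Names of the workloads that the group's query currently matches."""
    return [w["name"] for w in INVENTORY if GROUPS[group](w)]


def uncovered() -> list:
    """Workloads that match no group, so no group plan reaches them."""
    return [w["name"] for w in INVENTORY
            if not any(match(w) for match in GROUPS.values())]


def backed_up_on(day: str) -> list:
    """Equivalent of lastBackupTime = 'YYYY-MM-DD' with the expanded interval."""
    start, end = date_interval(day)
    return [w["name"] for w in INVENTORY
            if start <= datetime.strptime(w["lastBackupTime"], "%Y-%m-%d %H:%M") <= end]


if __name__ == "__main__":
    for group in GROUPS:
        print(group, "->", members(group))
    print("No group covers:", uncovered())
    print("Backed up on 2023-01-20:", backed_up_on("2023-01-20"))
```

In this constructed inventory the domain controller is the only workload that no group covers, which is the gap the osProductType note warns about.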
In dynamic groups that are based on Active Directory, you can also change the Active Directory
group.
1. Click Devices, navigate to the dynamic group that you want to edit, and then select it.
2. Click the gear icon next to the name of the group, and then click Edit. Alternatively, click Edit in
the Actions pane.
3. Change the search query by modifying the search attributes, their values, or the search
operators, and then click Search.
4. Click Save next to the search field.
Note
This procedure applies to dynamic groups based on Active Directory. Active Directory-based
dynamic groups are available only in Microsoft 365 > Users.
1. Click Devices, navigate to Devices > Microsoft 365 > your organization > Users.
2. Select the dynamic group that you want to edit.
You can also save your edits without overwriting the current group. To save the edited configuration
as a new group, click the arrow button next to the search field, and then click Save as.
Deleting a group
When you delete a device group, all plans that are applied to that group will be revoked. The
workloads in the group will become unprotected if no other plans are applied to them.
1. Click Devices, and then navigate to the group that you want to delete.
2. Click the gear icon next to the name of the group, and then click Delete.
3. Confirm your choice by clicking Delete.
Alternatively, you can open a plan for editing, and then add a group to it.
1. Click Devices, and then navigate to the group to which you want to apply a plan.
2. [For non-cloud-to-cloud workloads] Click Protect group.
A list of plans that can be applied is shown.
3. [For cloud-to-cloud workloads] Click Group backup.
A list of backup plans that can be applied is shown.
4. [To apply an existing plan] Select the plan, and then click Apply.
5. [To create a new plan] Click Create plan, select the plan type, and then create the new plan.
For more information about the available types of plans and how to create them, refer to
"Supported plans for device groups" (p. 303).
Note
Backup plans that are applied to cloud-to-cloud device groups are automatically scheduled to run
once a day. You cannot run these plans on demand by clicking Run now.
Alternatively, you can open the plan for editing, and then remove the group from it.
1. Click Devices, and then navigate to the group from which you want to revoke a plan.
2. [For non-cloud-to-cloud workloads] Click Protect group.
A list of plans that are applied to the group is shown.
3. [For cloud-to-cloud workloads] Click Group backup.
A list of backup plans that are applied to the group is shown.
4. Select the plan that you want to revoke.
5. [For non-cloud-to-cloud workloads] Click the ellipsis icon (...), and then click Revoke.
6. [For cloud-to-cloud workloads] Click the gear icon, and then click Revoke.
The module is available for Cyber Protect Essentials, Cyber Protect Standard, and Cyber Protect
Advanced editions that are licensed per workload.
Note
On Windows machines, the device control features require the installation of Agent for Data Loss
Prevention. It will be installed automatically for protected workloads if the Device control module
is enabled in their protection plans.
1 As part of a protection plan, the device control module leverages a functional subset of the data loss prevention
agent on each protected computer to detect and prevent unauthorized access and transmission of data over local
computer channels. These include user access to peripheral devices and ports, document printing, clipboard
copy/paste operations, media format and eject operations, as well as synchronizations with locally connected mobile
devices. The device control module provides granular, contextual control over the types of devices and ports that
users are allowed to access on the protected computer and the actions that users can take on those devices.
2 A data loss prevention system’s client component that protects its host computer from unauthorized use,
transmission, and storage of confidential, protected, or sensitive data by applying a combination of context and
content analysis techniques and enforcing centrally managed data loss prevention policies. Cyber Protection provides
a fully featured data loss prevention agent. However, the functionality of the agent on a protected computer is limited
to the set of data loss prevention features available for licensing in Cyber Protection, and depends upon the protection
plan applied to that computer.
The device control module controls access to various peripheral devices, whether used directly on
protected computers or redirected in virtualization environments hosted on protected computers. It
recognizes devices redirected in Microsoft Remote Desktop Server, Citrix XenDesktop / XenApp /
XenServer, and VMware Horizon. It can also control data copy operations between the clipboard of
the guest operating system running on VMware Workstation / Player, Oracle VM VirtualBox, or
Windows Virtual PC, and the clipboard of the host operating system running on the protected
computer.
The device control module can protect computers running the following operating systems:
Note
Agent for Data Loss Prevention for macOS supports only x64 processors (Apple silicon ARM-based
processors are not supported).
Note
Agent for Data Loss Prevention might be installed on unsupported macOS systems because it is an
integral part of Agent for Mac. In this case, the Cyber Protect console will display that Agent for Data
Loss Prevention is installed on the computer, but the device control functionality will not work.
Device control functionality will only work on macOS systems that are supported by Agent for Data
Loss Prevention.
1 A system of integrated technologies and organizational measures aimed at detecting and preventing accidental or
intentional disclosure / access to confidential, protected, or sensitive data by unauthorized entities outside or inside
the organization, or the transfer of such data to untrusted environments.
If you use any of the following versions of Agent for Hyper-V, you need to manually remove Agent
for Data Loss Prevention:
• 15.0.26473 (C21.02)
• 15.0.26570 (C21.02 HF1)
• 15.0.26653 (C21.03)
• 15.0.26692 (C21.03 HF1)
• 15.0.26822 (C21.04)
To remove Agent for Data Loss Prevention, on the Hyper-V host, run the installer manually and clear
the Agent for Data Loss Prevention check box, or run the following command:
You can enable and configure the device control module in the Device control section of your
protection plan in the Cyber Protect console. For instructions, see steps to enable or disable device
control.
• Access settings - Shows a summary of device types and ports with restricted (denied or read-only)
  access, if any. Otherwise, indicates that all device types are allowed. Click this summary to view or
  change the access settings (see steps to view or change access settings).
• Device types allowlist - Shows how many device subclasses are allowed by being excluded from
  device access control, if any. Otherwise, indicates that the allowlist is empty. Click this summary to view
You might also access the protection plan panel from the Management tab. However, this capability
is not available in all editions of the Cyber Protection service.
1. Install Agent for Mac on the machine that you want to protect.
2. Enable device control settings in the protection plan.
3. Apply the protection plan.
4. The "System Extension Blocked" warning will appear on the protected workload. Click Open
Security Preferences.
6. In the dialog that appears, click Restart to restart the workload and activate the device control
settings.
Note
You do not have to repeat these steps if the device control settings are disabled and then enabled
again.
1. Open the protection plan panel for a protection plan and enable device control in that plan (see
steps to enable or disable device control).
2. Click the arrow icon next to the Device control switch to expand the settings, and then click the
link next to Access settings.
The Show alert check box is available only for device types with restricted access (Read-only or
Denied access), except screenshot capture.
1. Open the protection plan panel for a protection plan and enable device control in that plan (see
steps to enable or disable device control).
2. Click the arrow icon next to the Device control switch to expand the settings, and then click the
link next to Device types allowlist.
3. On the page for managing the allowlist that appears, view or change the selection of device
subclasses to exclude from access control.
1. Open the protection plan panel for a protection plan and enable device control in that plan (see
steps to enable or disable device control).
2. Click the arrow icon next to the Device control switch to expand the settings, and then click the
link next to USB devices allowlist.
1. Open the protection plan panel for a protection plan and enable device control in that plan (see
steps to enable or disable device control).
2. Click the arrow icon next to the Device control switch to expand the settings, and then click the
link next to USB devices allowlist.
3. On the page for managing the allowlist that appears, click the delete icon at the end of list item
representing the desired USB device.
The following procedures apply to protection plans that have the device control feature enabled.
Note
Device control must be enabled in the plan, so you can access the Device control settings.
2. Click the arrow icon next to the Device control switch to expand the settings, and then click the
link next to USB devices allowlist.
3. On the USB devices allowlist page that appears, click Add from database.
4. On the USB devices database management page that appears, click Add to database.
5. On the Add USB device dialog that appears, click the machine to which the USB device is
connected.
Only machines that are online are displayed in the list of computers.
The list of USB devices is displayed only for machines that have the agent for Data Loss
Prevention installed.
The USB devices are listed in tree view. The first level of the tree represents a device model. The
second level represents a specific device of that model.
A blue icon next to the description of the device indicates that the device is currently attached to
the computer. If the device is not attached to the computer, the icon is grayed out.
6. Select the check boxes for the USB devices that you want to add to the database, and then click
Add to database.
The selected USB devices are added to the database.
7. Close or save the protection plan.
Note
This procedure applies only for devices that are online and have the agent for Data Loss Prevention
installed on them. You cannot view the list of USB devices for a computer that is offline or does not
have the Data Loss Prevention agent installed.
You can import a JSON file with a list of USB devices to the database. See "Import a list of
USB devices to the database" (p. 341).
Note
Device control must be enabled in the plan, so you can access the Device control settings.
2. Click the arrow next to the Device control switch to expand the settings, and then click the USB
devices allowlist row.
3. On the page for managing the allowlist that appears, click Add from database.
4. On the page for selecting USB devices from the database, click ellipsis (...) at the end of the list
item representing the device, click Delete, and confirm the deletion.
Access settings
On the Access settings page, you can allow or deny access to devices of certain types, as well as
enable or disable OS notification and device control alerts.
The access settings allow you to limit user access to the following device types and ports:
• Removable (access control by device type) - Devices with any interface for connecting to a
  computer (USB, FireWire, PCMCIA, IDE, SATA, SCSI, etc.) that are recognized by the operating
  system as removable storage devices (for example, USB sticks, card readers, magneto-optical
  drives, etc.). The device control classifies all hard drives connected via USB, FireWire, and PCMCIA
  as removable devices. It also classifies some hard drives (usually with SATA and SCSI) as
  removable devices if they support the hot-plug function and do not have the running operating
  system installed on them.
  You can allow full access, read-only access, or deny access to removable devices to control data
  copy operations to and from any removable device on a protected computer. Access rights do
  not affect devices that are encrypted with BitLocker or FileVault (only HFS+ file system).
  This device type is supported on both Windows and macOS.
• Encrypted removable (access control by device type) - Removable devices that are encrypted
  with BitLocker (on Windows) or FileVault (on macOS) drive encryption.
  On macOS, only encrypted removable drives using the HFS+ (also known as HFS Plus or Mac OS
  Extended, or HFS Extended) file system are supported. Encrypted removable drives using the
  APFS file system are treated as removable drives.
  You can allow full access, read-only access, or deny access to encrypted removable devices to
  control data copy operations to and from any encrypted removable device on a protected
  computer. Access rights affect only devices that are encrypted with BitLocker or FileVault (only
  HFS+ file system).
  This device type is supported on both Windows and macOS.
• Printers (access control by device type) - Physical printers with any interface for connecting to a
  computer (USB, LPT, Bluetooth, etc.), as well as printers accessed from a computer on the
Note
When you change the access setting for printers to Deny, the applications and processes
accessing the printers must be restarted to enforce the newly configured access settings. To
ensure that access settings are enforced correctly, restart the protected workloads.
Note
When you change the access setting for clipboard to Deny, the applications and processes
accessing the clipboard must be restarted to enforce the newly configured access settings. To
ensure that access settings are enforced correctly, restart the protected workloads.
Note
When you change the access setting for screenshot capture to Deny, the applications and
processes accessing the screenshot capture must be restarted to enforce the newly configured
access settings. To ensure that access settings are enforced correctly, restart the protected
workloads.
Note
When you change the access setting for mobile devices to Read-only or Deny, the applications
and processes accessing the mobile devices must be restarted to enforce the newly configured
access settings. To ensure that access settings are enforced correctly, restart the protected
workloads.
Note
On macOS, the access rights for Bluetooth do not affect Bluetooth HID devices. The access to
these devices is always allowed to prevent wireless HID devices (mice and keyboards) from being
disabled on iMac and Mac Pro hardware.
Note
When you change the access setting for clipboard incoming to Deny, the applications and
processes accessing the clipboard must be restarted to enforce the newly configured access
settings. To ensure that access settings are enforced correctly, restart the protected
workloads.
o Clipboard outgoing - Allow or deny access to control data copy operations through the
clipboard from the session hosted on a protected computer.
Note
When you change the access setting for clipboard outgoing to Deny, the applications and
processes accessing the clipboard must be restarted to enforce the newly configured access
settings. To ensure that access settings are enforced correctly, restart the protected
workloads.
o USB ports - Allow or deny access to control data copy operations to and from devices
connected to any USB port redirected to the session hosted on a protected computer.
Device control settings affect all users equally. For example, if you deny access to removable
devices, you prevent any user from copying data to and from such devices on a protected computer.
It is possible to selectively allow access to individual USB devices by excluding them from access
control (see Device types allowlist and USB devices allowlist).
When access to a device is controlled by both its type and its interface, denying access at the
interface level takes precedence. For example, if access to USB ports is denied (device interface),
then access to mobile devices connected to a USB port is denied regardless of whether access to
mobile devices is allowed or denied (device type). To allow access to such a device, you must allow
both its interface and type.
Note
If the protection plan used on macOS has settings for device types that are supported only on
Windows, then the settings for these device types will be ignored on macOS.
l A denied attempt to use a device on a USB or FireWire port. This notification appears whenever
the user plugs in a USB or FireWire device that is denied at the interface level (for example, when
denying access to the USB port) or at the type level (for example, when denying the use of
removable devices). The notification informs the user that they are not allowed to access the specified
device/drive.
l A denied attempt to copy a data object (such as a file) from a certain device. This notification
appears when denying read access to the following devices: floppy drives, optical drives,
removable devices, encrypted removable devices, mobile devices, redirected mapped drives, and
redirected clipboard incoming data. The notification informs the user that they are not allowed to get
the specified data object from the specified device.
The denied read notification is also displayed when denying read/write access to Bluetooth,
FireWire port, USB port, and redirected USB port.
l A denied attempt to copy a data object (such as a file) to a certain device. This notification
appears when denying write access to the following devices: floppy drives, optical drives,
removable devices, encrypted removable devices, mobile devices, local clipboard, screenshot
capture, printers, redirected mapped drives, and redirected clipboard outgoing data. The
notification informs the user that they are not allowed to send the specified data object to the specified
device.
User attempts to access blocked device types on protected computers can raise alerts that are
logged in the Cyber Protect console. It is possible to enable alerts for each device type (excluding
screenshot capture) or port separately by selecting the Show alert check box in the access settings.
For example, if access to removable devices is restricted to read-only, and the Show alert check box
is selected for that device type, an alert is logged every time a user on a protected computer
attempts to copy data to a removable device. See Device control alerts for further details.
The device control module provides the option to allow access to devices of certain subclasses
within a denied device type. This option allows you to deny all devices of a certain type, except for
some subclasses of devices of this type. It can be useful, for example, when you need to deny access
to all USB ports while allowing the use of a USB keyboard and mouse at the same time.
When configuring the device control module, you can specify which device subclasses to exclude
from device access control. When a device belongs to an excluded subclass, access to that device is
allowed regardless of whether or not the device type or port is denied. You can selectively exclude
the following device subclasses from device access control:
l USB HID (mouse, keyboard, etc.) - When selected, allows access to Human Interface Devices
(mouse, keyboard, and so on) connected to a USB port even if USB ports are denied. By default,
this item is selected so that denying access to the USB port does not disable the keyboard or
mouse.
Supported on both Windows and macOS.
l USB and FireWire network cards - When selected, allows access to network cards connected to
a USB or FireWire (IEEE 1394) port even if USB ports and/or FireWire ports are denied.
Supported on both Windows and macOS.
l USB scanners and still image devices - When selected, allows access to scanners and still
image devices connected to a USB port even if USB ports are denied.
Supported only on Windows.
l USB audio devices - When selected, allows access to audio devices, such as headsets and
microphones, connected to a USB port even if USB ports are denied.
Supported only on Windows.
l USB cameras - When selected, allows access to Web cameras connected to a USB port even if
USB ports are denied.
Supported only on Windows.
l Bluetooth HID (mouse, keyboard, etc.) - When selected, allows access to Human Interface
Devices (mouse, keyboard, and so on) connected via Bluetooth even if Bluetooth is denied.
Supported only on Windows.
l Clipboard copy/paste within application - When selected, allows copying/pasting of data
through the clipboard within the same application even if the clipboard is denied.
Supported only on Windows.
Note
Settings for unsupported device subclasses are ignored if these settings are configured in the
applied protection plan.
On the USB devices allowlist page, you can specify individual USB devices or USB device models to
exclude from device access control. As a result, access to those devices is allowed regardless of the
access settings in the device control module.
l Model of device - Collectively identifies all devices of a certain model. Each device model is
identified by vendor ID (VID) and product ID (PID), such as USB\VID_0FCE&PID_E19E.
This combination of VID and PID does not identify a specific device, but an entire device model.
By adding a device model to the allowlist, you allow access to any device of that model. For
example, this way you can allow the use of USB printers of a particular model.
l Unique device - Identifies a certain device. Each unique device is identified by vendor ID (VID),
product ID (PID), and serial number, such as USB\VID_0FCE&PID_E19E\D55E7FCA.
Not all USB devices are assigned a serial number. You can add a device to the allowlist as a
unique device only if the device has been assigned a serial number during production. For
example, a USB stick that has a unique serial number.
To add a device to the allowlist, you first need to add it to the USB devices database. Then, you can
add devices to the allowlist by selecting from that database.
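The rules above (interface-level deny takes precedence, excluded subclasses and allowlisted devices are always allowed, a model entry covers every serial number) can be checked with the following added example, which is not code from the product. The function names, the "allow"/"read-only"/"deny" strings, the sample allowlist and the exact-match comparison of serial numbers are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Device ID format from the guide:
#   USB\VID_<vendor ID>&PID_<product ID>\<serial number>   (serial number optional)
_DEVICE_ID = re.compile(
    r"USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})(?:\\(?P<serial>[^\\]+))?",
    re.IGNORECASE,
)

TYPE_ACCESS = ("allow", "read-only", "deny")  # assumed names for the three settings


@dataclass(frozen=True)
class UsbDeviceId:
    vid: str
    pid: str
    serial: Optional[str] = None

    @property
    def device_type(self) -> str:
        # "Unique" needs VID + PID + serial number; VID + PID alone is a "Model".
        return "Unique" if self.serial else "Model"


def parse_device_id(text: str) -> UsbDeviceId:
    """Parse a device ID string; VID and PID are normalised to upper case."""
    match = _DEVICE_ID.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not a USB device ID: {text!r}")
    return UsbDeviceId(match["vid"].upper(), match["pid"].upper(), match["serial"])


def is_allowlisted(device: UsbDeviceId, allowlist: Iterable[UsbDeviceId]) -> bool:
    """A Model entry covers every device of that model; a Unique entry covers one serial."""
    for entry in allowlist:
        if (entry.vid, entry.pid) != (device.vid, device.pid):
            continue
        # Assumption: serial numbers are compared exactly as written.
        if entry.serial is None or entry.serial == device.serial:
            return True
    return False


def effective_access(device, usb_port, device_type_access, allowlist,
                     excluded_subclass=False) -> str:
    """Combine port setting, device type setting, subclass exclusion and allowlist."""
    if usb_port not in ("allow", "deny") or device_type_access not in TYPE_ACCESS:
        raise ValueError("unknown access setting")
    # Excluded subclasses and allowlisted devices are exempt from access control.
    if excluded_subclass or is_allowlisted(device, allowlist):
        return "allow"
    # Denying the interface takes precedence over the device type setting.
    if usb_port == "deny":
        return "deny"
    return device_type_access


# Constructed allowlist: one device model and one unique device.
ALLOWLIST = [
    parse_device_id(r"USB\VID_0FCE&PID_E19E"),
    parse_device_id(r"USB\VID_0FCE&PID_ADDE\D55E7FCA"),
]

if __name__ == "__main__":
    # Constructed device IDs; the serial numbers are made up for the demonstration.
    for raw in (r"USB\VID_0FCE&PID_E19E\AAAA1111",
                r"USB\VID_0FCE&PID_ADDE\D55E7FCA",
                r"USB\VID_0FCE&PID_ADDE\FFFF0000"):
        dev = parse_device_id(raw)
        print(raw, "->", effective_access(dev, "deny", "allow", ALLOWLIST))
```

A model entry is the broader grant: every device sharing that VID and PID is exempt, so a unique entry is the tighter choice whenever the device has a serial number.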
The allowlist is managed on a separate configuration page called USB devices allowlist. Each item
in the list represents a device or device model and has the following fields:
l Description - The operating system assigns a certain description when connecting the USB
device. You can modify the description of the device in the USB devices database (see USB
Note
The Reinitialize field is hidden by default. To display it in the table, click the gear icon in the
upper right corner of the table, and then select the Reinitialize check box.
Note
The Read-only and Reinitialize fields are not supported on macOS. If these fields are configured
in the applied protection plan, they will be ignored.
l Click Add from database above the list and then select the desired device(s) from those
registered with the USB devices database. The selected device is added to the list, where you can
configure its settings and confirm the changes.
l Click Allow this USB device in an alert informing that access to the USB device is denied (see
Device control alerts). This adds the device to the allowlist and to the USB devices database.
l Click the delete icon at the end of a list item. This removes the respective device/model from the
allowlist.
l Add a device on the page that appears when adding a device to the exclusion list (see USB
devices database management page).
l Add a device from the USB Devices tab of a computer's Inventory pane in the Cyber Protect
console (see List of USB devices on a computer).
l Allow the device from an alert on denying access to the USB device (see Device control alerts).
See also steps to add or remove USB devices from the database.
1. On the USB devices database page, click the ellipsis (...) at the end of the list item representing the
device, and then click Edit.
2. Make changes to the description in the dialog box that appears.
1. Click the ellipsis (...) at the end of the list item representing the device.
2. Click Delete, and confirm the deletion.
For each device, the list on the page provides the following information:
l Description - A readable identifier of the device. You can change the description as needed.
l Device type - Displays Unique if the list item represents a unique device, or Model if it represents
a device model. A unique device must have a serial number along with a vendor ID (VID) and
product ID (PID), whereas a device model is identified by a combination of VID and PID.
l Vendor ID, Product ID, Serial number - These values together make up the device ID in the
form USB\VID_<vendor ID>&PID_<product ID>\<serial number>.
l Account - Indicates the tenant to which this device belongs. This is the tenant that contains the
user account that was used to register the device with the database.
Note
This column is hidden by default. To display it in the table, click the gear icon in the upper right
corner of the table, and then select Account.
l Click Search at the top of the page and enter a search string. The list displays devices whose
description matches the string you typed.
l Click Filter, and then configure and apply a filter in the dialog box that appears. The list is limited
to devices with the type, vendor ID, product ID, and account that you selected when configuring
the filter. To cancel the filter and list all devices, click Reset to default.
You can export the list of USB devices that are added to the database.
You can edit the resulting JSON file to add or remove devices from it, and make mass changes of
device descriptions.
Instead of adding USB devices from the Cyber Protect console, you can import a list of USB devices.
The list is a file in JSON format.
Note
You can import JSON files to a database that does not contain the devices described in the file. To
import a modified file to the database from which it was exported, you must clear the database first
because you cannot import duplicate entries. If you export the list of USB devices, modify it, and try
to import to the same database without clearing it, the import will fail.
The USB devices are listed in tree view. The first level of the tree represents a device model. The
second level represents a specific device of that model.
l Description - The operating system assigns a description when connecting the USB device. This
description can serve as a readable identifier of the device.
A blue icon next to the description of the device indicates that the device is currently attached to
the computer. If the device is not attached to the computer, the icon is grayed out.
l Device ID - The identifier that the operating system assigned to the device. This identifier has the
following format: USB\VID_<vendor ID>&PID_<product ID>\<serial number> where <serial
number> is optional. Examples: USB\VID_0FCE&PID_ADDE\D55E7FCA (device with a serial
number); USB\VID_0FCE&PID_ADDE (device without serial number).
To add devices to the USB devices database, select the check boxes of the desired devices, and then
click the Add to database button.
Note
Excluding processes from access control is not supported on macOS. If a list of excluded processes
is configured in the applied protection plan, it will be ignored.
On the Exclusions page, you can specify a list of processes that will not be hooked. This means that
clipboard (local and redirected), screenshot capture, printer, and mobile device access controls will
not be applied to such processes.
For example, you applied a protection plan that denies access to printers, then started the Microsoft
Word application. An attempt to print from this application will be blocked. But if you add the
Microsoft Word process to the list of exclusions, then the application will not be hooked. As a result,
printing from Microsoft Word will not be blocked, while printing from other applications will still be
blocked.
Note
Device control must be enabled in the plan so that you can access the Device control settings.
2. Click the arrow next to the Device control switch to expand the settings, and then click the
Exclusions row.
3. On the Exclusions page, in the Processes and folders row, click +Add.
4. Add the processes that you want to exclude from the access control.
For example, C:\Folder\subfolder\process.exe.
You can use wildcards:
l * replaces any number of characters.
l ? replaces one character.
For example:
C:\Folder\*
*\Folder\SubFolder?\*
*\process.exe
5. Click the check mark, and then click Done.
6. In the protection plan, click Save.
7. Restart the processes that you excluded to ensure that the hooks are properly removed.
The excluded processes will have access to clipboard, screenshot capture, printers, and mobile
devices regardless of the access settings for those devices.
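Because an excluded process bypasses clipboard, screenshot, printer, and mobile device controls, it helps to check how much each wildcard pattern covers before saving it. The following is an added example, not the product's matcher: it assumes that * also spans backslashes, that matching is case-insensitive, and that a pattern must match the whole path. The process paths are constructed sample data and the function names are hypothetical.

```python
import re
from typing import Dict, List


def exclusion_to_regex(pattern: str):
    """Translate the guide's wildcards: * = any number of characters, ? = one character."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")   # assumption: * also spans path separators
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: Windows paths are matched case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def matching_patterns(process_path: str, patterns: List[str]) -> List[str]:
    """Return the exclusion patterns that would leave this process unhooked."""
    return [p for p in patterns if exclusion_to_regex(p).fullmatch(process_path)]


def review_pattern(pattern: str) -> List[str]:
    """Flag patterns that cover more than one specific executable."""
    findings = []
    if pattern.startswith(("*", "?")):
        findings.append("not anchored to a drive or folder: matches in every location")
    if pattern.endswith("*"):
        findings.append("ends with *: covers every file under the folder")
    if not findings and ("*" in pattern or "?" in pattern):
        findings.append("wildcard inside the path: covers more than one file")
    return findings


def coverage(paths: List[str], patterns: List[str]) -> Dict[str, List[str]]:
    """Map each process path to the patterns that exclude it."""
    return {path: matching_patterns(path, patterns) for path in paths}


# Patterns taken from the examples in the procedure above.
PATTERNS = [
    r"C:\Folder\subfolder\process.exe",
    r"C:\Folder\*",
    r"*\Folder\SubFolder?\*",
    r"*\process.exe",
]

# Constructed process paths used only to show what each pattern covers.
SAMPLE_PATHS = [
    r"C:\Folder\subfolder\process.exe",
    r"C:\Folder\other\tool.exe",
    r"D:\Folder\SubFolder1\tool.exe",
    r"D:\Folder\SubFolder12\tool.exe",
    r"D:\Tools\process.exe",
    r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
]

if __name__ == "__main__":
    for pattern in PATTERNS:
        print(pattern, "->", review_pattern(pattern) or ["exact path"])
    for path, hits in coverage(SAMPLE_PATHS, PATTERNS).items():
        print(path, "excluded by", hits or "nothing")
```

A full path without wildcards is the only form that names exactly one executable; every other pattern in the list excludes additional processes from the access control.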
Click the ellipsis (...) next to the name of the protection plan and select Edit.
Note
Device control must be enabled in the plan so that you can access the Device control settings.
1. Click the arrow next to the Device control switch to expand the settings, and then click the
Exclusions row.
2. On the Exclusions page, click the trash can icon next to the process that you want to remove
from the exclusions.
3. Click Done.
4. In the protection plan, click Save.
5. Restart the process to ensure that hooks are properly injected.
The access settings from the protection plan will be applied to the processes that you removed from
the exclusions.
Note
Device control must be enabled in the plan so that you can access the Device control settings.
2. Click the arrow next to the Device control switch to expand the settings, and then click the
Exclusions row.
3. On the Exclusions page, click the Edit icon next to the process that you want to edit.
4. Apply the changes and click the check mark to confirm.
5. Click Done.
6. In the protection plan, click Save.
7. Restart the affected processes to ensure that your changes are applied correctly.
When configuring the device control module, you can enable alerts for most items listed under
device Type (except screenshot capture) or Ports. If alerts are enabled, each attempt by a user to
perform an operation that is not allowed generates an alert. For example, if access to removable
devices is restricted to read-only, and the Show alert option is selected for that device type, an alert
is generated every time a user on a protected computer attempts to copy data to a removable
device.
To view alerts in the Cyber Protect console, go to Monitoring > Alerts. Within each device control
alert, the console provides the following information about the respective event:
l Type—Warning.
l Status—Displays “Peripheral device access is blocked”.
l Message—Displays “Access to '<device type or port>' on '<computer name>' is blocked”. For
example, “Access to 'Removable' on 'accountant-pc' is blocked”.
l Date and time—The date and time that the event occurred.
l Device—The name of the computer on which the event occurred.
l Plan name—The name of the protection plan that caused the event.
l Source—The device type or port involved in the event. For example, in the event of a denied user
attempt to access a removable device, this field reads Removable device.
l Action—The operation that caused the event. For example, in the event of a denied user attempt
to copy data to a device, this field reads Write. For more information, see Action field values.
l Name—The name of the event target object, such as the file the user attempted to copy or the
device the user attempted to use. Not displayed if the target object cannot be identified.
If an alert applies to a USB device (including removable devices and encrypted removable devices),
then, directly from the alert, the administrator can add the device to the allowlist, which prevents
the device control module from restricting access to that particular device. Clicking Allow this USB
device adds it to the USB devices allowlist in the device control module’s configuration, and also
adds it to the USB devices database for further reference.
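The alert fields described above lend themselves to a simple triage pass before deciding whether to allowlist a device. The following is an added example, not part of the product: it parses the documented Message text and counts blocked operations per computer, device type, and action. The list-of-dictionaries layout, the sample records, the "Read" action value, and the threshold of three are constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Message format from the guide:
#   Access to '<device type or port>' on '<computer name>' is blocked
_MESSAGE = re.compile(
    r"Access to '(?P<source>[^']+)' on '(?P<computer>[^']+)' is blocked"
)


def parse_alert_message(message: str) -> Optional[Tuple[str, str]]:
    """Return (device type or port, computer name), or None for other alert texts."""
    match = _MESSAGE.fullmatch(message.strip())
    if match is None:
        return None
    return match["source"], match["computer"]


def summarize(alerts: List[Dict[str, str]]) -> Counter:
    """Count device control alerts per (computer, device type or port, action)."""
    counts: Counter = Counter()
    for alert in alerts:
        parsed = parse_alert_message(alert.get("Message", ""))
        if parsed is None:
            continue  # not a device control alert
        source, computer = parsed
        counts[(computer, source, alert.get("Action", "unknown"))] += 1
    return counts


def repeated_denials(alerts: List[Dict[str, str]], threshold: int = 3):
    """List the combinations that were blocked at least `threshold` times."""
    return sorted(key for key, n in summarize(alerts).items() if n >= threshold)


# Constructed sample alerts that use the field names listed above.
ALERTS = [
    {"Type": "Warning", "Message": "Access to 'Removable' on 'accountant-pc' is blocked",
     "Action": "Write", "Name": "report-q1.xlsx"},
    {"Type": "Warning", "Message": "Access to 'Removable' on 'accountant-pc' is blocked",
     "Action": "Write", "Name": "report-q2.xlsx"},
    {"Type": "Warning", "Message": "Access to 'Removable' on 'accountant-pc' is blocked",
     "Action": "Write", "Name": "customers.csv"},
    {"Type": "Warning", "Message": "Access to 'Printers' on 'frontdesk-pc' is blocked",
     "Action": "Write", "Name": "badge.pdf"},
    {"Type": "Warning", "Message": "Access to 'Removable' on 'frontdesk-pc' is blocked",
     "Action": "Read", "Name": "setup.exe"},
    {"Type": "Warning", "Message": "Backup failed", "Action": "", "Name": ""},
]

if __name__ == "__main__":
    for (computer, source, action), n in sorted(summarize(ALERTS).items()):
        print(f"{computer}: {n} x {action} blocked on {source}")
    print("repeated:", repeated_denials(ALERTS))
```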
Remote wipe allows a Cyber Protection service administrator and a machine owner to delete the
data on a managed machine – for example, if it gets lost or stolen. Thus, any unauthorized access to
sensitive information will be prevented.
Remote wipe is only available for machines running Windows versions 10 and later. To receive the
wipe command, the machine must be turned on and connected to the Internet.
Note
You can wipe data from one machine at a time.
Note
You can check the details about the wiping process and who started it in Monitoring >
Activities.
Isolating a workload from the network enables you to reduce the risk that malware present on that
workload spreads to other workloads.
Note that you can also isolate a workload when defining response actions to an incident. For more
information, see "Manage the network isolation of a workload" (p. 811).
If you need to recover a backup for a workload, see "Recovery" (p. 446).
4. In the Message to display field, add a message to display to end users to let them know that the
workload is under investigation, and access to and from the workload is prohibited until further
notice.
5. Click Manage network exclusions to add ports, URLs, hostnames, and IP addresses that will
have access to the workload during the isolation. For more information, see how to manage
network exclusions.
6. Click Isolate. The workload is isolated and shows in the displayed list of workloads.
Note that when you isolate a workload, or reconnect it to the network, this action is recorded in
the Activities screen (go to Monitoring > Activities). You can also see these recorded actions for
each individual workload (select a workload, and click Activities in the right side panel).
Note
Backups that occurred during the isolation will be marked as suspicious. If you try to recover this
suspicious backup, a warning message is displayed.
1. In the Workloads with agents screen, locate and select the required workload(s). Note that you
can use the search option to find workloads with the Isolated network status.
3. [Optional] In the displayed dialog, add a message in the Message to display field; this message
is displayed to end users when they access the connected workload.
4. Click Connect (or Connect all if you selected multiple workloads). The workload is reconnected
to the network and all access to and from the workload is no longer restricted.
Note
Even if all Acronis Cyber Protect technologies are working when the workload is in isolation, there
may be scenarios in which you need additional network connections to be established (for example,
you may need to upload a file from the workload to a shared directory). In these scenarios, you can
add a network exclusion, but make sure any threats are removed before you add the exclusion.
1. Locate and select the relevant workload(s), as described in "Isolating a workload from the
network" (p. 348).
2. Click Manage network exclusions.
3. For each of the options available (Ports, DNS names / IP addresses), do the following:
a. Click Add and then enter the relevant port(s), or DNS names / IP addresses. Note that if you
selected multiple workloads, you cannot define ports or DNS names / IP addresses.
Note
For best practice, make the exclusion rule as restrictive as possible.
4. Click Save.
When you integrate an RMM platform as part of the Advanced Automation service, you can view
and monitor information from devices that are managed by the RMM platform. This information is
available in the Cyber Protect console by navigating to Devices.
By linking a workload to a specific user, you can automatically link the workload to new service desk
tickets created by or assigned to the user.
1. Go to Devices > All devices, and then select the relevant workload.
2. In the Actions pane, select Link to a user.
3. Select the relevant user.
You can also change the selected user for existing linked workloads, as required.
4. Click Done. The selected user is now displayed in the Linked user column.
1. Go to Devices > All devices, and then select the relevant workload.
2. In the Actions pane, select Link to a user.
3. Click Unlink user.
4. Click Done.
You can enable or disable displaying the Last login information in Remote management plans.
In the Dashboard:
In Device Details:
To show or hide Last login and Last login time columns In the Dashboard
Backup
A protection plan with the Backup module enabled is a set of rules that specify how the given data
will be protected on a given machine.
A protection plan can be applied to multiple machines at the time of its creation, or later.
To create the first protection plan with the Backup module enabled
Table columns: WHAT TO BACK UP; ITEMS TO BACK UP (Selection methods); WHERE TO BACK UP; SCHEDULE (Backup schemes); HOW LONG TO KEEP
Secure
Zone**
Monthly full, Weekly
Cloud
differential, Daily
Local incremental (GFS)
NFS*
Cloud
Local
Direct folder Always incremental
selection (Single-file)
Files (physical machines Network
only2) Policy rules folder Always full By total size of
File filters NFS* Weekly full, Daily backups***
NFS*
Always full
System state
Cloud Weekly full, daily
Local incremental
Direct
SQL databases folder Custom (F-I)
selection
Network Always incremental
folder (Single-file) - only for SQL
Exchange databases
databases
1 A virtual machine that is backed up at a hypervisor level by an external agent such as Agent for VMware or Agent for
Hyper-V. A virtual machine with an agent inside is treated as physical from the backup standpoint.
2 A machine that is backed up by an agent installed in the operating system.
Mailboxes
(cloud Agent
for Microsoft
Direct
365)
selection
Public folders
Cloud Up to 6 backups per day
Teams
Gmail Direct
mailboxes selection
*** The By total size of backups retention rule is not available with the Always incremental
(single-file) backup scheme or when backing up to the cloud storage.
Limitations
l Disk-level backups are not supported for encrypted APFS volumes that are locked. During a
backup of an entire machine, such volumes are skipped.
l The OneDrive root folder is excluded from backup operations by default. If you select to back up
specific OneDrive files and folders, they will be backed up. Files that are not available on the
device will have invalid contents in the backup set.
You can select the disks or volumes to back up for each individual workload in the protection plan
(direct selection) or you can configure policy rules for multiple workloads. Additionally, you can
exclude specific files from a backup, or include only specific files to it, by configuring file filters. For
more information, see "File filters (Inclusions/Exclusions)" (p. 413).
Direct selection
By policy rules
Limitations
l Disk-level backups are not supported for encrypted APFS volumes that are locked. During a
backup of an entire machine, such volumes are skipped.
l The OneDrive root folder is excluded from backup operations by default. If you select to back up
specific OneDrive files and folders, they will be backed up. Files that are not available on the
device will have invalid contents in the backup set.
l You cannot select individual Linux LVM volumes as backup source—neither by direct selection
nor by using policy rules. You can back up workloads with such volumes only by selecting Entire
machine in What to back up.
With the sector-by-sector (raw mode) backup option enabled, a disk backup stores all the disk
sectors. The sector-by-sector backup can be used for backing up disks with unrecognized or
unsupported file systems and other proprietary data formats.
Windows
A volume backup stores all files and folders of the selected volume independent of their attributes
(including hidden and system files), the boot record, the file allocation table (FAT) if it exists, the root
and the zero track of the hard disk with the master boot record (MBR).
A disk backup stores all volumes of the selected disk (including hidden volumes such as the vendor's
maintenance partitions) and the zero track with the master boot record.
The following items are not included in a disk or volume backup (as well as in a file-level backup):
l The swap file (pagefile.sys) and the file that keeps the RAM content when the machine goes into
hibernation (hiberfil.sys). After recovery, the files will be re-created in the appropriate place with
the zero size.
l If the backup is performed under the operating system (as opposed to bootable media or backing
up virtual machines at a hypervisor level):
o Windows shadow storage. The path to it is determined in the registry value VSS Default
Provider which can be found in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup. This
means that in operating systems starting with Windows Vista, Windows Restore Points are not
backed up.
o If the Volume Shadow Copy Service (VSS) backup option is enabled, files and folders that are
specified in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot
registry key.
Linux
A volume backup stores all files and directories of the selected volume independent of their
attributes, a boot record, and the file system super block.
A disk backup stores all disk volumes as well as the zero track with the master boot record.
l System metadata, such as the file system journal and Spotlight index
l The Trash
l Time machine backups
Physically, disks and volumes on a Mac are backed up at a file level. Bare metal recovery from disk
and volume backups is possible, but the sector-by-sector backup mode is not available.
Windows
Linux
This output shows two logical volumes, lv1 and lv2, that belong to the volume group vg_1. To
back up these volumes, specify:
/dev/mapper/vg_1-lv1
/dev/mapper/vg_1-lv2
macOS
Important
You cannot recover an operating system from a file-level backup.
You can select the files and folders to back up for each individual workload in the protection plan
(direct selection) or you can configure policy rules for multiple workloads. Additionally, you can
exclude specific files from a backup, or include only specific files in it, by configuring the filters. For
more information, see "File filters (Inclusions/Exclusions)" (p. 413).
Direct selection
Limitations
l You can select files and folders when you back up physical machines or virtual machines on
which an agent is installed (agent-based backup). File-level backup is not available for virtual
machines that you back up in the agentless mode. For more information about the differences
between these types of backup, see "Agent-based and agentless backup" (p. 61).
l The OneDrive root folder is excluded from backup operations by default. If you select to back up
specific OneDrive files and folders, they will be backed up. Files that are not available on the
device will have invalid contents in the backup set.
l You can back up files and folders that are located on disks connected via the iSCSI protocol to a
physical machine. Some limitations apply if you use Agent for VMware or Agent for Hyper-V for
backing up the data on the iSCSI-connected disks.
Windows
macOS
Note
System state backup is available for machines running Windows 7 or later on which Agent for
Windows is installed. System state backup is not available for virtual machines that are backed up at
the hypervisor level (agentless backup).
The virtual machines running on the host are not included in the backup. They can be backed up
and recovered separately.
Prerequisites
l SSH must be enabled in the Security Profile of the ESXi host configuration.
l You must know the password for the 'root' account on the ESXi host.
Limitations
l ESXi configuration backup is not supported for hosts running VMware ESXi 7.0 and later.
l An ESXi configuration cannot be backed up to the cloud storage.
1. Click Devices > All devices, and then select the ESXi hosts that you want to back up.
2. Click Protect.
3. In What to back up, select ESXi configuration.
4. In ESXi 'root' password, specify a password for the 'root' account on each of the selected hosts
or apply the same password to all of the hosts.
Continuous data protection is supported only for the NTFS file system and the following operating
systems:
Only local folders are supported. Network folders cannot be selected for Continuous data
protection.
Continuous data protection is not compatible with the Application backup option.
How it works
Changes in the files and folders that are tracked by Continuous data protection are immediately
saved to a special CDP backup. There is only one CDP backup in a backup set, and it is always the
most recent one.
When a scheduled regular backup starts, Continuous data protection is put on hold because the
latest data is to be included in the scheduled backup. When the scheduled backup finishes,
Continuous data protection resumes, the old CDP backup is deleted, and a new CDP backup is
created. Thus, the CDP backup always stays the most recent backup in the backup set and stores
only the latest state of the tracked files or folders.
Continuous data protection requires that at least one regular backup is created before the CDP
backup. That is why, when you run a protection plan with Continuous data protection for the first
time, a full backup is created, and a CDP backup is immediately added on top of it. If you enable the
Continuous data protection option for an existing protection plan, the CDP backup is added to the
existing backup set.
Note
Continuous data protection is enabled by default for protection plans that you create from the
Devices tab, if the Advanced Backup functionality is enabled for you and you are not using other
Advanced Backup features for the selected machines. If you already have a plan with Continuous
data protection for a selected machine, Continuous data protection will not be enabled by default
for that machine in newly created plans.
Continuous data protection is not enabled by default for plans created for device groups.
l Entire machine
l Disks/volumes
l Files/folders
Supported destinations
You can configure Continuous data protection with the following destinations:
l Local folder
l Network folder
l Cloud storage
l Acronis Cyber Infrastructure
l Location defined by a script
Note
A script can define only the locations listed above.
1. In the Backup module of a protection plan, enable the Continuous data protection (CDP)
switch.
This switch is available only for the following data sources:
l Entire machine
l Disk/volumes
l Files/folders
2. In Items to protect continuously, configure Continuous data protection for Applications or
Files/folders, or both.
l Click Applications to configure CDP backup for files that are modified by specific applications.
You can select applications from predefined categories or add other applications by specifying
the path to their executable file, for example:
o C:\Program Files\Microsoft Office\Office16\WINWORD.EXE
o *:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
l Click Files/folders to configure CDP backup for files in specific locations.
You can define these locations by using selection rules or by selecting the files and folders
directly.
o [For all machines] To create a selection rule, use the text box.
You can use the full paths to files or paths with wildcard characters (* and ?). The asterisk
matches zero or more characters. The question mark matches a single character.
As a result, the data that you specified will be backed up continuously between the scheduled
backups.
Selecting a destination
Click Where to back up, and then select one of the following:
l Cloud storage
Backups will be stored in the cloud data center.
l Local folders
If a single machine is selected, browse to a folder on the selected machine or type the folder
path.
If multiple machines are selected, type the folder path. Backups will be stored in this folder on
each of the selected physical machines or on the machine where the agent for virtual machines is
installed. If the folder does not exist, it will be created.
l Network folder
This is a folder shared via SMB/CIFS/DFS.
Browse to the required shared folder or enter the path in the following format:
o For SMB/CIFS shares: \\<host name>\<path>\ or smb://<host name>/<path>/
o For DFS shares: \\<full DNS domain name>\<DFS root>\<path>
For example, \\example.company.com\shared\files
Then, click the arrow button. If prompted, specify the user name and password for the shared
folder. You can change these credentials at any time by clicking the key icon next to the folder
name.
Backing up to a folder with anonymous access is not supported.
l NFS folder (available for machines running Linux or macOS)
Verify that the nfs-utils package is installed on the Linux server where the Agent for Linux is
installed.
Note
It is not possible to back up to an NFS folder protected with a password.
Note
This functionality is available only in the Advanced edition of the Cyber Protection service.
You can store each machine's backups in a folder defined by a script. The software supports scripts
written in JScript, VBScript, or Python 3.5. When deploying the protection plan, the software runs the
script on each machine. The script output for each machine should be a local or network folder
path. If a folder does not exist, it will be created (limitation: scripts written in Python cannot create
folders on network shares). On the Backup storage tab, each folder is shown as a separate backup
location.
In Script type, select the script type (JScript, VBScript, or Python), and then import, or copy and
paste the script. For network folders, specify the access credentials with the read/write permissions.
Examples:
l The following JScript script outputs the backup location for a machine in the format
\\bkpsrv\<machine name>:
WScript.Echo("\\\\bkpsrv\\" + WScript.CreateObject("WScript.Network").ComputerName);
As a result, the backups of each machine will be saved in a folder of the same name on the server
bkpsrv.
l The following JScript script outputs the backup location in a folder on the machine where the
script runs:
WScript.Echo("C:\\Backup");
As a result, the backups of this machine will be saved in the folder C:\Backup on the same
machine.
Should the disk experience a physical failure, the backups located in the Secure Zone may be lost.
That's why Secure Zone should not be the only location where a backup is stored. In enterprise
environments, Secure Zone can be thought of as an intermediate location used for backup when an
ordinary location is temporarily unavailable or connected through a slow or busy channel.
l Enables recovery of a disk to the same disk where the disk's backup resides.
l Offers a cost-effective and handy method for protecting data from software malfunction, virus
attack, and human error.
l Eliminates the need for a separate media or network connection to back up or recover the data.
This is especially useful for roaming users.
l Can serve as a primary destination when using replication of backups.
Limitations
l Secure Zone cannot be organized on a Mac.
l Secure Zone is a partition on a basic disk. It cannot be organized on a dynamic disk or created as
a logical volume (managed by LVM).
l Secure Zone is formatted with the FAT32 file system. Because FAT32 has a 4-GB file size limit,
larger backups are split when saved to Secure Zone. This does not affect the recovery procedure
and speed.
As is apparent from the above, specifying the maximum possible Secure Zone size is not advisable.
You will end up with no free space on any volume, which might cause the operating system or
applications to work unstably and even fail to start.
Important
Moving or resizing the volume from which the system is booted requires a reboot.
You can now choose Secure Zone in Where to back up when creating a protection plan.
Backup schedule
You can configure a backup to run automatically at a specific time, at specific intervals, or on a
specific event.
Scheduled backups for non-cloud-to-cloud resources run according to the time zone settings of the
workload on which the protection agent is installed. For example, if you apply the same protection
plan to workloads with different time zone settings, the backups will start according to the local
time zone of each workload.
Backup schemes
A backup scheme is a part of the protection plan schedule that defines which type of backup (full,
differential, or incremental) is created and when. You can select one of the predefined backup
schemes or create a custom scheme.
The available backup schemes and types depend on the backup location and source. For example, a
differential backup is not available when you back up SQL data, Exchange data, or system state. The
Always incremental (single-file) scheme is not supported for tape devices.
Always incremental (single-file)
The first backup is full and might be time-consuming. Subsequent backups are incremental and
significantly faster.
The backups use the single-file backup format [1]*.
By default, backups are performed on a daily basis, Monday to Friday.
We recommend that you use this scheme when you store your backups in the cloud storage,
because incremental backups are fast and involve less network traffic.
l Schedule type: monthly, weekly, daily, hourly
l Backup trigger: time or event
l Start time
l Start conditions
l Additional options

Always full
All backups in the backup set are full.
By default, backups are performed on a daily basis, Monday to Friday.
l Schedule type: monthly, weekly, daily, hourly
l Backup trigger: time or event
l Start time
l Start conditions
l Additional options

Weekly full, Daily incremental
A full backup is created once a week and other backups are incremental.
The first backup is full and the other backups during the week are incremental, then the cycle
repeats.
l Backup trigger: time or event
l Start time
l Start conditions
l Additional options

Monthly full, Weekly differential, Daily incremental (GFS)
By default, incremental backups are performed on a daily basis, Monday to Friday. Differential
backups are performed every Saturday. Full backups are performed on the first day of each
month.
Note
This is a predefined custom scheme. In the protection plan, it is shown as Custom.
l Change the existing schedule per backup type:
o Schedule type: monthly, weekly, daily, hourly
o Backup trigger: time or event
o Start time
o Start conditions
o Additional options
l Add new schedules per backup type

Custom
You must select the backup types (full, differential, and incremental), and configure a separate
schedule for each of them*.
l Change the existing schedule per backup type:
o Schedule type: monthly, weekly, daily, hourly
o Backup trigger: time or event
o Start time
o Start conditions
o Additional options
l Add new schedules per backup type

[1] A backup format in which the initial full and subsequent incremental backups are saved to a
single .tibx file. This format leverages the speed of the incremental backup method, while avoiding
its main disadvantage: difficult deletion of outdated backups. The software marks the blocks used by
outdated backups as "free" and writes new backups to these blocks. This results in extremely fast
cleanup, with minimal resource consumption. The single-file backup format is not available when
backing up to locations that do not support random-access reads and writes.

* After you create a protection plan, you cannot switch between Always incremental (single-file)
and the other backup schemes, and vice versa. Always incremental (single-file) is a single-file
format scheme, and the other schemes are multi-file format. If you want to switch between formats,
create a new protection plan.
Backup types
The following backup types are available:
l Full—a full backup contains all source data. This backup is self-sufficient. To recover data, you do
not need access to any other backups.
Note
The first backup created by any protection plan is a full backup.
l Incremental—an incremental backup stores changes to the data since the latest backup,
regardless of whether the latest backup is full, differential, or incremental. To recover data, you
need the whole chain of backups on which the incremental backup depends, back to the initial
full backup.
l Differential—a differential backup stores changes to the data since the latest full backup. To
recover data, you need both the differential backup and the corresponding full backup on which
the differential backup depends.
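The dependency rules above determine which backups must remain intact for a given recovery point to be usable. The following added example (not code from the product) resolves those dependencies for a constructed backup set; the names b0 to b6 and the helper functions are hypothetical.

```python
from collections import namedtuple

# kind is one of "full", "diff" (differential) or "incr" (incremental).
Backup = namedtuple("Backup", ["name", "kind"])

# Constructed sample backup set, oldest first.
SAMPLE_SET = [
    Backup("b0", "full"),
    Backup("b1", "incr"),
    Backup("b2", "incr"),
    Backup("b3", "diff"),
    Backup("b4", "incr"),
    Backup("b5", "full"),
    Backup("b6", "incr"),
]


def parent_index(backups, i):
    """Index of the backup that backups[i] directly depends on (None for a full)."""
    kind = backups[i].kind
    if kind == "full":
        return None
    if kind == "incr":
        # Incremental: changes since the latest backup of any type.
        if i == 0:
            raise ValueError("incremental backup without a predecessor")
        return i - 1
    if kind == "diff":
        # Differential: changes since the latest full backup.
        for j in range(i - 1, -1, -1):
            if backups[j].kind == "full":
                return j
        raise ValueError("differential backup without a full backup")
    raise ValueError("unknown backup type: %r" % (kind,))


def recovery_chain(backups, name):
    """Names of every backup needed to recover from `name`, oldest first."""
    index = {b.name: i for i, b in enumerate(backups)}
    i = index[name]
    chain = []
    while i is not None:
        chain.append(backups[i].name)
        i = parent_index(backups, i)
    return list(reversed(chain))


def dependents(backups, name):
    """Names of the backups that become unrecoverable if `name` is lost or damaged."""
    return [b.name for b in backups
            if b.name != name and name in recovery_chain(backups, b.name)]


if __name__ == "__main__":
    for b in SAMPLE_SET:
        print(b.name, b.kind, "needs", recovery_chain(SAMPLE_SET, b.name),
              "| needed by", dependents(SAMPLE_SET, b.name))
```

In the sample, the incremental b4 follows a differential, so it needs only b0, b3, and b4, while losing the full backup b0 invalidates every recovery point up to b4.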
To enable a schedule
As a result, a backup operation starts every time the schedule conditions are met.
Note
If the schedule is disabled, the retention rules are not applied automatically. To apply them, run the
backup manually.
Schedule by time
The following table summarizes the scheduling options that are based on time. The availability of
these options depends on the backup scheme. For more information, see "Backup schemes" (p.
374).
Monthly
Select the months, days of the month or days of the week, and then select the backup start time.
Examples:
l Run a backup on January 1, and February 3, at 12:00 AM.
l Run a backup on the first day of each month, at 10:00 AM.

Weekly
Select the days of the week, and then select the backup start time.
Examples:
l Run a backup Monday to Friday, at 10:00 AM.

Daily
Select the days (every day or weekdays only), and then select the backup start time.
Examples:
l Run a backup every day, at 11:45 AM.
l Run a backup Monday to Friday, at 09:30 PM.

Hourly
Select the days of the week, and then select a time interval between two consecutive backups and
the time range within which the backups run.
When you configure the interval in minutes, you can select a suggested interval between 10 and 60
minutes, or specify a custom one, for example, 45 or 75 minutes.
Examples:
l Run a backup every hour between 08:00 AM and 06:00 PM, Monday to Friday.
l Run a backup every 3 hours between 01:00 AM and 06:00 PM, on Saturday and Sunday.

Additional options
When you schedule a backup by time, the following additional scheduling options are available.
l If the machine is turned off, run missed tasks at the machine startup
Default setting: Disabled.
l Prevent the sleep or hibernate mode during backup
This option is applicable only to machines running Windows.
Default setting: Enabled.
l Wake up from the sleep or hibernate mode to start a scheduled backup
This option is applicable only to machines running Windows, in the power plans for which the
Allow wake timers option is enabled.
Schedule by events
To configure a backup that runs upon a specific event, select one of the following options.
Upon time since last backup
A backup runs after a specified period following the last successful backup.
Note
This option depends on how the previous backup completed. If a backup fails, the next backup will
not start automatically. In this case, you must run the backup manually and ensure that it
completes successfully, in order to reset the schedule.
Examples:
l Run a backup one day after the last successful backup.
l Run a backup four hours after the last successful backup.

When a user logs on to the system
A backup runs when a user logs in to the machine.
You can configure this option for any login or for a login of a specific user.
Examples:
l Run a backup when user John Doe logs in.

When a user logs off the system
A backup runs when a user logs off the machine.
You can configure this option for any logoff or for the logoff of a specific user.
Note
With this condition, a backup will not start if a user shuts down the machine.
Examples:
l Run a backup when every user logs off.

On the system startup
A backup runs when the protected machine starts up.
Examples:
l Run a backup when a user starts the machine.

On the system shutdown
A backup runs when the protected machine shuts down.
Examples:
l Run a backup when a user shuts down the machine.

On Windows Event Log event
A backup runs upon a Windows event that you specify.
Examples:
l Run a backup when event 7 of type error and source disk is recorded in the Windows System log.

The availability of these options depends on the backup source and the operating system of the
protected workloads. The table below summarizes the available options for Windows, Linux, and
macOS.
Upon time since last backup | Windows, Linux, macOS | Windows, Linux | Windows, Linux | Windows | Windows | Windows
When a user logs on to the system | Windows | N/A | N/A | N/A | N/A | N/A
When a user logs off the system | Windows | N/A | N/A | N/A | N/A | N/A
On the system startup | Windows, Linux, macOS | N/A | N/A | N/A | N/A | N/A
On the system shutdown | Windows | N/A | N/A | N/A | N/A | N/A
On Windows Event Log event | Windows | N/A | N/A | Windows | Windows | Windows
Note
You can browse the events and view their properties in Computer Management > Event Viewer
in Windows. To open the Security log, you need administrator rights.
Parameter Description
Event source The event source indicates the program or the system
component that caused the event. For example, disk.
Any event source that contains the specified text string will
trigger the scheduled backup. This option is not case-sensitive. For
example, if you specify service, both Service Control Manager and Time-
Service event sources will trigger a backup.
Event type Type of the event: Error, Warning, Information, Audit success, or
Audit failure.
For example, an Error event with event source disk and event ID
7 occurs when Windows discovers a bad block on a disk, while an Error
event with event source disk and event ID 15 occurs when a disk is not
ready for access.
When Windows detects a bad block on the disk, an error event with the event source disk and event
number 7 is recorded to the system log. In the protection plan, configure the following schedule:
Important
To ensure that the backup completes despite the bad blocks, in Backup options, go to Error
handling, and then select the Ignore bad sectors check box.
Start conditions are not applicable when you start a backup manually.
The table below lists the start conditions available for various data under Windows, Linux, and
macOS.
The backup location's host is available | Windows, Linux, macOS | Windows, Linux | Windows, Linux | Windows | Windows | Windows
Users logged off | Windows | N/A | N/A | N/A | N/A | N/A
Save battery power | Windows | N/A | N/A | N/A | N/A | N/A
Do not start when on metered connection | Windows | N/A | N/A | N/A | N/A | N/A
Do not start when connected to the following Wi-Fi networks | Windows | N/A | N/A | N/A | N/A | N/A
Check device IP address | Windows | N/A | N/A | N/A | N/A | N/A
User is idle
"User is idle" means that a screen saver is running on the machine or the machine is locked.
Example
Run a backup every day at 09:00 PM, preferably when the user is idle. If the user is still active by
11:00 PM, run the backup anyway.
As a result:
l If the user is idle before 09:00 PM, the backup starts at 09:00 PM.
l If the user becomes idle between 09:00 PM and 11:00 PM, the backup starts immediately.
l If the user is still active at 11:00 PM, the backup starts at 11:00 PM.
This condition is applicable to network folders, the cloud storage, and locations managed by a
storage node.
This condition does not cover the availability of the location itself—only the host availability. For
example, if the host is available, but the network folder on this host is not shared or the credentials
for the folder are no longer valid, the condition is still considered met.
As a result:
Example
You run a backup every Friday at 08:00 PM, preferably when all users are logged off. If one of the
users is still logged in at 11:00 PM, run the backup anyway.
As a result:
l If all users are logged off at 08:00 PM, the backup starts at 08:00 PM.
l If the last user logs off between 08:00 PM and 11:00 PM, the backup starts immediately.
l If there are still logged-in users at 11:00 PM, the backup starts at 11:00 PM.
Example
A company backs up user data and servers to different locations on the same network-attached
storage.
The workday starts at 08:00 AM and ends at 05:00 PM. User data should be backed up as soon as
the users log off, but not earlier than 04:30 PM.
Backing up user data takes no more than one hour, so the latest backup start time is 10:00 PM. If a
user is still logged in within the specified time interval, or logs off at any other time, the backup of
the user data should be skipped.
l Event: When a user logs off the system. Specify the user account: Any user.
l Condition: Fits the time interval from 04:30 PM to 10:00 PM.
l Backup start conditions: Skip the scheduled backup.
As a result:
l If the user logs off between 04:30 PM and 10:00 PM, the backup starts immediately.
l If the user logs off at any other time, the backup is skipped.
Example
You back up your data every workday at 09:00 PM. If your machine is not connected to a power
source, you want to skip the backup to save the battery power and wait until you connect the
machine to a power source.
As a result:
l If the machine is connected to a power source at 09:00 PM, the backup starts immediately.
l If the machine is running on battery power at 09:00 PM, the backup starts when you connect the
machine to a power source.
The additional start condition Do not start when connected to the following Wi-Fi networks is
automatically enabled when you enable the Do not start when on metered connection
condition. This is an additional measure to prevent backups over mobile hotspots. The following
network names are specified by default: android, phone, mobile, and modem.
To remove these names from the list, click the X sign. To add a new name, type it in the empty field.
Example
You back up your data every workday at 09:00 PM. If the machine is connected to the Internet by
using a metered connection, you want to skip the backup to save the network traffic and wait for the
scheduled start on the next workday.
As a result:
l At 09:00 PM, if the machine is not connected to the Internet through a metered connection, the
backup starts immediately.
l At 09:00 PM, if the machine is connected to the Internet through a metered connection, the
backup starts on the next workday.
l If the machine is always connected to the Internet through a metered connection on workdays at
09:00 PM, the backup never starts.
You can specify the Wi-Fi network names, also known as service set identifiers (SSID). The restriction
applies to all networks that contain the specified name as a substring in their name, not case-
sensitive. For example, if you specify phone as the network name, the backup will not start when the
machine is connected to any of the following networks: John's iPhone, phone_wifi, or my_PHONE_wifi.
The start condition Do not start when connected to the following Wi-Fi is automatically enabled
when you enable the Do not start when on metered connection condition. The following
network names are specified by default: android, phone, mobile, and modem.
To remove these names from the list, click the X sign. To add a new name, type it in the empty field.
Example
You back up your data every workday at 09:00 PM. If the machine is connected to the Internet
through a mobile hotspot, you want to skip the backup and wait for the scheduled start on the next
As a result:
l If the machine is not connected to the specified network at 09:00 PM, the backup starts
immediately.
l If the machine is connected to the specified network at 09:00 PM, the backup starts the next
workday.
l If the machine is always connected to the specified network on workdays at 09:00 PM, the backup
never starts.
With either option, you can specify several ranges. Only IPv4 addresses are supported.
Example
You back up your data every workday at 09:00 PM. If the machine is connected to the corporate
network by using a VPN tunnel, you want to skip the backup.
As a result:
l If the machine IP address is not in the specified range at 09:00 PM, the backup starts
immediately.
l If the machine IP address is in the specified range at 09:00 PM, the backup starts when the
machine obtains a non-VPN IP address.
l If the machine IP address is always in the specified range on workdays at 09:00 PM, the backup
never starts.
As a result, the backups will run only during the specified period.
To configure a delay
To avoid excessive network load when you back up multiple workloads to a network location, a
small random delay is configured as a backup option. You can disable it or change its setting.
Alternatively, in the protection plan, expand the Backup module, and then click the Run now
button.
5. [To create a specific type of backup] In the protection plan, expand the Backup module, click the
arrow next to the Run now button, and then select the backup type.
Note
Selecting the type is not available for backup schemes that use only one backup method, for
example, Always incremental (single-file) or Always full.
As a result, the backup operation starts. You can check its progress and its result on the Devices
tab, in the Status column.
Retention rules
To delete older backups automatically, configure the backup retention rules in the protection plan.
You can base the retention rules on any of the following backup properties:
l Age
l Number
l Size
You can disable the automatic cleanup of older backups by selecting the Keeping backups
infinitely option while configuring the retention rules. This might result in increased storage usage,
and you have to delete the unnecessary old backups manually.
Important tips
l Retention rules are part of the protection plan. If you revoke or delete a plan, the retention rules
in that plan will no longer be applied. For more information about how to delete the backups that
you no longer need, see "Deleting backups" (p. 481).
l If, according to the backup scheme and backup format, each backup is stored as a separate file,
you cannot delete a backup on which other incremental or differential backups depend. This
backup will be deleted according to the retention rules applied to the dependent backups. This
configuration may result in increased storage usage because the deletion of some backups is
postponed. Also, the backup age, number, or size of backups may exceed the values that you
specified. For more information about how to change this behavior, see "Backup consolidation"
(p. 403).
l By default, the newest backup that a protection plan creates is never deleted. However, if you
configure a retention rule to clean up the backups before starting a new backup operation, and
set the number of backups to keep to zero, the newest backup will also be deleted.
Warning!
If you apply this retention rule to a backup set with a single backup, and the backup operation
fails, you will not be able to recover your data, because the existing backup will be deleted before
a new one is created.
The following table summarizes the available retention rules and their settings.
Event-triggered backups
Event-triggered backups
Weekly full, Daily Daily By backup age (separate settings for weekly and
incremental daily backups)
Event-triggered backups
By number of backups
Monthly full, Weekly Monthly By backup age (separate settings for full,
differential, daily differential, and incremental backups)
Weekly
incremental
By number of backups
Daily
By total size of backups
Hourly
Keep backups indefinitely
Event-triggered backups
Backup | Description
Weekly | A weekly backup is the first backup on the day of the week that you specify in the Weekly backup option. This day is considered as the beginning of the week in terms of retention rules.
Daily | A daily backup is the first backup of the day, unless this backup falls within the definition of a monthly or weekly backup. In this case, a daily backup is created the following day.
Hourly | An hourly backup is the first backup of the hour, unless this backup falls within the definition of a monthly, weekly, or daily backup. In this case, an hourly backup is created the next hour.
Example
You use the Always incremental (single-file) backup scheme with the default setting for hourly
backups:
l Scheduled by time.
l Backups run hourly: Monday to Friday, every 1 hour, from 08:00 AM to 06:00 PM.
l The Weekly backup option is set to Monday.
In the How long to keep section of the protection plan, you can apply retention rules to monthly,
weekly, daily, and hourly backups.
The following table summarizes the backup types that are created during an 8-day period.
July 1 | Monday | The first backup each month is monthly, so the first backup today is a monthly backup. The other backups during the day are hourly.
July 2 | Tuesday | The first backup is daily, the other backups during the day are hourly.
July 3 | Wednesday | The first backup is daily, the other backups during the day are hourly.
July 4 | Thursday | The first backup is daily, the other backups during the day are hourly.
July 5 | Friday | The first backup is daily, the other backups during the day are hourly.
July 6 | Saturday | The first backup is daily, the other backups during the day are hourly.
July 7 | Sunday | The first backup is daily, the other backups during the day are hourly.
July 8 | Monday | The first backup is weekly, the other backups during the day are hourly.
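The classification in the table above can be reproduced with a short script. This is an added example, not the product's logic: it applies the precedence monthly, weekly, daily, hourly to constructed timestamps for the eight days in the table, assumes 2024 as a year in which July 1 is a Monday, and leaves any further backup within the same hour unlabelled (an assumption, the page does not cover that case).

```python
from collections import Counter
from datetime import datetime, timedelta

MONDAY = 0  # datetime.weekday() value; the example sets the Weekly backup option to Monday


def classify(timestamps, weekly_day=MONDAY):
    """Label each backup as monthly, weekly, daily, hourly or None (chronological order)."""
    seen_months, seen_days, seen_hours = set(), set(), set()
    labelled = []
    for ts in sorted(timestamps):
        month = (ts.year, ts.month)
        day = ts.date()
        hour = (day, ts.hour)
        first_of_month = month not in seen_months
        first_of_day = day not in seen_days
        first_of_hour = hour not in seen_hours
        seen_months.add(month)
        seen_days.add(day)
        seen_hours.add(hour)
        if first_of_month:
            label = "monthly"      # first backup of the month wins over everything else
        elif first_of_day and ts.weekday() == weekly_day:
            label = "weekly"       # first backup on the configured weekday
        elif first_of_day:
            label = "daily"        # first backup of any other day
        elif first_of_hour:
            label = "hourly"       # first backup of the hour, not already labelled above
        else:
            label = None           # assumption: extra backups within the same hour
        labelled.append((ts, label))
    return labelled


def sample_backups(year=2024):
    """Constructed input: one backup per hour, 08:00 to 18:00, on July 1 through July 8."""
    start = datetime(year, 7, 1)
    return [start + timedelta(days=d, hours=h) for d in range(8) for h in range(8, 19)]


def first_label_per_day(labelled):
    """Label of the first backup on each day, in date order."""
    firsts = {}
    for ts, label in labelled:
        firsts.setdefault(ts.date(), label)
    return [firsts[d] for d in sorted(firsts)]


def count_labels(labelled):
    """Number of backups per label."""
    return dict(Counter(label for _, label in labelled))


if __name__ == "__main__":
    result = classify(sample_backups())
    print(first_label_per_day(result))
    print(count_labels(result))
```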
Replicated backups do not depend on the backups remaining in the original location and vice versa.
You can recover data from any backup, without access to other locations.
Usage examples
l Reliable disaster recovery
Store your backups both on-site (for immediate recovery) and off-site (to secure the backups
from local storage failure or a natural disaster).
l Using the cloud storage to protect data from a natural disaster
Replicate the backups to the cloud storage by transferring only the data changes.
l Keeping only the latest recovery points
Delete older backups from a fast storage according to retention rules, in order to not overuse
expensive storage space.
Supported locations
You can replicate a backup from any of these locations:
l A local folder
l A network folder
l Secure Zone
l A local folder
l A network folder
l The cloud storage
1. On the protection plan panel, in the Backup section, click Add location.
Note
The Add location control is available only if replication is supported from the last selected
backup or replication location.
2. From the list of available locations, select the location where the backups will be replicated.
Note
This option is supported with protection agent versions from release C21.06 or later.
4. [Optional] In the How long to keep row under the location, configure the retention rules for the
selected location, as described in "Retention rules" (p. 390).
5. [Optional] Repeat steps 1 – 4 to add locations where you want to replicate the backups. You can
configure up to four replication locations, as long as replication is supported by the previously
selected backup or replication location.
Important
If you enable backup and replication in the same protection plan, ensure that the replication
completes before the next scheduled backup. If the replication is still in progress, the scheduled
backup will not start. For example, a scheduled backup that runs once every 24 hours will not start
if the replication takes 26 hours to complete.
To avoid this dependency, use a separate plan for backup replication. For more information
about this specific plan, refer to "Backup replication" (p. 179).
Encryption
We recommend that you encrypt all backups that are stored in the cloud storage, especially if your
company is subject to regulatory compliance.
Warning!
There is no way to recover encrypted backups if you lose or forget the password.
For accounts in the Enhanced security mode, you cannot set the encryption password in a
protection plan. You must set this password locally, on the protected device.
1. On the protection plan panel in the Backup module settings, enable the Encryption switch.
2. Specify and confirm the encryption password.
3. Select one of the following encryption algorithms:
l AES 128 – the backups will be encrypted by using the Advanced Encryption Standard (AES)
algorithm with a 128-bit key.
l AES 192 – the backups will be encrypted by using the AES algorithm with a 192-bit key.
l AES 256 – the backups will be encrypted by using the AES algorithm with a 256-bit key.
4. Click OK.
Saving the encryption settings on a machine affects the protection plans in the following way:
l Protection plans that are already applied to the machine. If the encryption settings in a
protection plan are different, the backups will fail.
l Protection plans that will be applied to the machine later. The encryption settings saved on
a machine will override the encryption settings in a protection plan. Any backup will be encrypted,
even if encryption is disabled in the Backup module settings.
This option can also be used on a machine running Agent for VMware. However, be careful if you
have more than one Agent for VMware connected to the same vCenter Server. It is mandatory to
use the same encryption settings for all of the agents, because there is a type of load balancing
among them.
Important
Change the encryption settings on a machine only before its protection plan creates any backups. If
you change the encryption settings later, the protection plan will fail and you will need a new
protection plan to continue backing up this machine.
After the encryption settings are saved, they can be changed or reset as described below.
The encryption key is then encrypted with AES-256 using an SHA-2 (256-bit) hash of the password as
a key. The password itself is not stored anywhere on the disk or in the backups; the password hash
is used for verification purposes. With this two-level security, the backup data is protected from any
unauthorized access, but recovering a lost password is not possible.
Notarization enables you to prove that a file is authentic and unchanged since it was backed up. We
recommend that you enable notarization when backing up your legal document files or other files
that require proved authenticity.
Notarization is available only for file-level backups. Files that have a digital signature are skipped,
because they do not need to be notarized.
When configuring recovery, the notarized files will be marked with a special icon, and you can verify
the file authenticity.
How it works
During a backup, the agent calculates the hash codes of the backed-up files, builds a hash tree
(based on the folder structure), saves the tree in the backup, and then sends the hash tree root to
the notary service. The notary service saves the hash tree root in the Ethereum blockchain database
to ensure that this value does not change.
When verifying the file authenticity, the agent calculates the hash of the file, and then compares it
with the hash that is stored in the hash tree inside the backup. If these hashes do not match, the file
is considered not authentic. Otherwise, the file authenticity is guaranteed by the hash tree.
To verify that the hash tree itself was not compromised, the agent sends the hash tree root to the
notary service. The notary service compares it with the one stored in the blockchain database. If the
hashes match, the selected file is guaranteed to be authentic. Otherwise, the software displays a
message that the file is not authentic.
When creating a protection plan, a user can override a default value with a custom value that will be
specific for this plan only.
Backup options
To modify the backup options of a protection plan, in the Backup module, in the Backup options
field, click Change.
Backup option | Windows | Linux | macOS | Windows | Linux | macOS | ESXi | Hyper-V | Virtuozzo | Windows
Alerts | + | + | + | + | + | + | + | + | + | +
Backup consolidation | + | + | + | + | + | + | + | + | + | -
Backup format | + | + | + | + | + | + | + | + | + | +
Backup validation | + | + | + | + | + | + | + | + | + | +
Changed block tracking (CBT) | + | - | - | - | - | - | + | + | - | -
Cluster backup mode | - | - | - | - | - | - | - | - | - | +
Compression level | + | + | + | + | + | + | + | + | + | +
Error handling
Re-attempt, if an error occurs | + | + | + | + | + | + | + | + | + | +
Do not show messages and dialogs while processing (silent mode) | + | + | + | + | + | + | + | + | + | +
Ignore bad sectors | + | - | + | + | - | + | + | + | + | -
Re-attempt, if an error occurs during VM snapshot creation | - | - | - | - | - | - | + | + | + | -
Fast incremental/differential backup | + | + | + | - | - | - | - | - | - | -
File-level backup snapshot | - | - | - | + | + | + | - | - | - | -
File filters | + | + | + | + | + | + | + | + | + | -
Forensic data | + | - | - | - | - | - | - | - | - | -
LVM snapshotting | - | + | - | - | - | - | - | - | - | -
Mount points | - | - | - | + | - | - | - | - | - | -
One-click recovery | + | + | - | - | - | - | - | - | - | -
Performance and backup window | + | + | + | + | + | + | + | + | + | +
Physical Data Shipping | + | + | + | + | + | + | + | + | + | -
Pre/Post commands | + | + | + | + | + | + | + | + | + | +
Pre/Post data capture commands | + | + | + | + | + | + | - | - | - | +
Scheduling
Distribute start times within a time window | + | + | + | + | + | + | + | + | + | +
Sector-by-sector backup | + | + | - | - | - | - | + | + | + | -
Splitting | + | + | + | + | + | + | + | + | + | +
Task failure handling | + | + | + | + | + | + | + | + | + | +
Task start conditions | + | + | - | + | + | - | + | + | + | +
Volume Shadow Copy Service (VSS) | + | - | - | + | - | - | - | + | - | +
Volume Shadow Copy Service (VSS) for virtual machines | - | - | - | - | - | - | + | + | - | -
Weekly backup | + | + | + | + | + | + | + | + | + | +
Windows event log | + | - | - | + | - | - | + | + | - | +
This option determines whether to generate an alert if no successful backups were performed by
the protection plan for a specified period of time. In addition to failed backups, the software counts
backups that did not run on schedule (missed backups).
The alerts are generated on a per-machine basis and are displayed on the Alerts tab.
You can specify the number of consecutive days without backups after which the alert is generated.
Backup consolidation
This option defines whether to consolidate backups during cleanup or to delete entire backup
chains.
Consolidation is the process of combining two or more subsequent backups into a single backup.
If this option is enabled, a backup that should be deleted during cleanup is consolidated with the
next dependent backup (incremental or differential).
Otherwise, the backup is retained until all dependent backups become subject to deletion. This
helps avoid the potentially time-consuming consolidation, but requires extra space for storing
backups whose deletion is postponed. The backups' age or number can exceed the values specified
in the retention rules.
Important
Please be aware that consolidation is just a method of deletion, but not an alternative to deletion.
The resulting backup will not contain data that was present in the deleted backup and was absent
from the retained incremental or differential backup.
Backups stored in the cloud storage, as well as single-file backups (both version 11 and 12 formats),
are always consolidated because their inner structure makes for fast and easy consolidation.
However, if version 12 format is used, and multiple backup chains are present (every chain being
stored in a separate .tibx file), consolidation works only within the last chain. Any other chain is
deleted as a whole, except for the first one, which is shrunk to the minimum size to keep the meta
information (~12 KB). This meta information is required to ensure the data consistency during
In all other cases, backups whose deletion is postponed are marked with the trash can icon in
the GUI. If you delete such a backup by clicking the X sign, consolidation will be performed.
For backup files that are created by protection plans, you can see these names in a file manager
when you browse the backup location.
Version 11 backup format | One TIB file and one XML metadata file | Multiple TIB files and one XML metadata file
Version 12 backup format | One TIBX file per backup chain (a full or differential backup, and all incremental backups that depend on it). If the size of a file stored in a local or network (SMB) folder exceeds 200 GB, the file is split to 200-GB files by default.
All files have the same name, with or without the addition of a timestamp or a sequence number.
You can define this name (referred to as the backup file name) when you create or edit a protection
plan or a cloud applications backup plan.
Note
Timestamp is added to the backup file name only in the version 11 backup format.
If you change a backup file name in a protection plan or a cloud applications backup plan, the next
backup will be a full backup.
If you specify a file name of an existing backup of the same machine, a full, incremental, or
differential backup will be created according to the plan schedule.
Note
If you move backup files (.tibx) from their original storage, do not rename them. Renamed files will
appear corrupted and you will not be able to recover data from them.
For cloud applications backup plans, on the Backup storage tab, select the location, select the
backup set, and then click the gear icon.
Note
Choose user-friendly backup file names. This will help you to easily distinguish backups when
browsing the backup location with a file manager.
The default name for Exchange mailbox backups and Microsoft 365 mailbox backups created by a
local Agent for Microsoft 365 is [Mailbox ID]_mailbox_[Plan ID]A.
The default name for cloud application backups created by cloud agents is [Resource Name]_
[Resource Type]_[Resource Id]_[Plan Id]A.
l [Machine Name] This variable is replaced with the name of the machine (the same name that is
shown in the Cyber Protect console).
l [Plan ID], [Plan Id] These variables are replaced with the unique identifier of the protection
plan. This value does not change if the plan is renamed.
l [Unique ID] This variable is replaced with the unique identifier of the selected machine. This
value does not change if the machine is renamed.
The diagram below shows the default backup file name for Microsoft 365 mailbox backups
performed by a local agent.
For the version 12 format with the Always incremental (single-file) backup scheme:
MyBackup.tibx
MyBackup.tibx
MyBackup-0001.tibx
MyBackup-0002.tibx
...
Using variables
Besides the variables that are used by default, you can use the following variables:
If multiple machines or mailboxes are selected for backup, the backup file name must contain the
[Machine Name], the [Unique ID], the [Mailbox ID], the [Resource Name], or the [Resource Id]
variable.
Let us assume that a protection plan is applied to a single machine, and you have to remove this
machine from the Cyber Protect console or to uninstall the agent along with its configuration
settings. After the machine is added again or the agent is reinstalled, you can force the protection
plan to continue backing up to the same backup or backup sequence. To do this, in the backup
options of the protection plan, click Backup file name, and then click Select to select the desired
backup.
The Select button shows the backups in the location selected in the Where to back up section of
the protection plan panel. You cannot browse anything outside this location.
Note
The Select button is only available for protection plans that are created for and applied to a single
workload.
1. On the Management > Cloud applications backup tab, select the plan, and then click the gear
icon next to the plan's name.
Backup format
The Backup format option defines the format of the backups created by the protection plan. This
option is available only for protection plans that already use the version 11 backup format. If this is
the case, you can change the backup format to version 12. After you switch the backup format to
version 12, the option becomes unavailable.
l Version 11
The legacy format preserved for backward compatibility.
Note
You cannot back up Database Availability Groups (DAG) by using the backup format version 11.
Backing up of DAG is supported only in the version 12 format.
l Version 12
The backup format that was introduced in Acronis Backup 12 for faster backup and recovery.
Each backup chain (a full or differential backup, and all incremental backups that depend on it) is
saved to a single TIBX file.
Version 11 backup format | One TIB file and one XML metadata file | Multiple TIB files and one XML metadata file
Version 12 backup format | One TIBX file per backup chain (a full or differential backup, and all incremental backups that depend on it). If the size of a file stored in a local or network (SMB) folder exceeds 200 GB, the file is split to 200-GB files by default.
In-archive deduplication
The TIBX backup format of version 12 supports in-archive deduplication that brings the following
advantages:
l Significantly reduced backup size, with built-in block-level deduplication for any type of data
l Efficient handling of hard links ensures that there are no storage duplicates
l Hash-based chunking
Note
In-archive deduplication is enabled by default for all backups in the TIBX format. You do not have to
enable it in the backup options, and you cannot disable it.
Backup validation
Validation is an operation that checks the possibility of data recovery from a backup. When this
option is enabled, each backup created by the protection plan is validated immediately after
creation, by using the checksum verification method. This operation is performed by the protection
agent.
For more information about the validation via checksum verification, refer to "Checksum
verification" (p. 185).
Note
Depending on the settings chosen by your service provider, validation might not be available when
backing up to the cloud storage.
This option determines whether to use Changed Block Tracking (CBT) when performing an
incremental or differential backup.
The CBT technology accelerates the backup process. Changes to the disk or database content are
continuously tracked at the block level. When a backup starts, the changes can be immediately
saved to the backup.
Note
This feature is available with the Advanced Backup pack.
These options are effective for database-level backup of Microsoft SQL Server and Microsoft
Exchange Server.
These options are effective only if the cluster itself (Microsoft SQL Server Always On Availability
Groups (AAG) or Microsoft Exchange Server Database Availability Group (DAG)) is selected for
backup, rather than the individual nodes or databases inside of it. If you select individual items
inside the cluster, the backup will not be cluster-aware and only the selected copies of the items will
be backed up.
Regardless of the value of this option, to ensure the database consistency, the software skips
databases that are not in the SYNCHRONIZED or SYNCHRONIZING states when the backup starts.
If all databases are skipped, the backup fails.
Regardless of the value of this option, to ensure the database consistency, the software skips
databases that are not in the HEALTHY or ACTIVE states when the backup starts. If all databases are
skipped, the backup fails.
Compression level
Note
This option is not available for cloud-to-cloud backups. Compression for these backups is enabled
by default with a fixed level that corresponds to the Normal level below.
The option defines the level of compression applied to the data being backed up. The available
levels are: None, Normal, High, Maximum.
A higher compression level means that the backup process takes more time, but the resulting
backup occupies less space. Currently, the High and Maximum levels work similarly.
Error handling
These options enable you to specify how to handle errors that might occur during backup.
When a recoverable error occurs, the program re-attempts to perform the unsuccessful operation.
You can set the time interval and the number of attempts. The attempts will be stopped as soon as
the operation succeeds or the specified number of attempts is performed, whichever comes
first.
For example, if the backup destination on the network becomes unavailable or not reachable during
a running backup, the software will attempt to reach the destination every 30 seconds, but no more
than 30 times. The attempts will be stopped as soon as the connection is resumed or the specified
number of attempts is performed, depending on which comes first.
However, if the backup destination is not available when the backup starts, only 10 attempts will be
made.
With the silent mode enabled, the program will automatically handle situations requiring user
interaction (except for handling bad sectors, which is defined as a separate option). If an operation
cannot continue without user interaction, it will fail. Details of the operation, including errors, if any,
can be found in the operation log.
When this option is disabled, each time the program comes across a bad sector, the backup activity
will be assigned the Interaction required status. In order to back up the valid information on a
rapidly dying disk, enable ignoring bad sectors. The rest of the data will be backed up and you will
be able to mount the resulting disk backup and extract valid files to another disk.
When taking a virtual machine snapshot fails, the program re-attempts to perform the unsuccessful
operation. You can set the time interval and the number of attempts. The attempts will be stopped
as soon as the operation succeeds or the specified number of attempts is performed, whichever
comes first.
This option is not effective (always disabled) for volumes formatted with the JFS, ReiserFS3,
ReiserFS4, ReFS, or XFS file systems.
Incremental or differential backup captures only data changes. To speed up the backup process, the
program determines whether a file has changed or not by the file size and the date/time when the
file was last modified. Disabling this feature will make the program compare the entire file contents
to those stored in the backup.
File filters are available for entire machine backups, disk-level backups, and file-level backups, unless
stated otherwise.
File filters are not applicable to dynamic disks (LVM or LDM volumes) of virtual machines that are
backed up in the agentless mode, for example, by Agent for VMware, Agent for Hyper-V, or Agent for
Scale Computing.
Note
This filter is not supported for file-level backups when the backup format is Version 11, and the
backup destination is not the cloud storage.
You can use both filters at the same time. The exclusion filter takes precedence over the inclusion
filter – that is, if you specify C:\File.exe in both fields, this file will be skipped during a backup.
Filter criteria
As filter criteria, you can use file and folder names, full paths to files and folders, and masks with
wildcard symbols.
The filter criteria are case insensitive. For example, by specifying C:\Temp, you will select C:\TEMP and
C:\temp.
l Name
Specify the name of the file or folder, such as Document.txt. All files and folders with that name
will be selected.
l Full path
Specify the full path to the file or folder, starting with the drive letter (when backing up Windows)
or the root directory (when backing up Linux or macOS). In Windows, Linux, and macOS, you can
use forward slashes (as in C:/Temp/File.tmp). In Windows, you can also use the traditional
backslashes (as in C:\Temp\File.tmp).
l Mask
You can use the following wildcard characters for the names and full paths: asterisk (*), double
asterisk (**), and question mark (?).
The asterisk (*) represents zero or more characters. For example, the filter criterion Doc*.txt
matches the files Doc.txt and Document.txt.
The double asterisk (**) represents zero or more characters, including the slash character. For
example, **/Docs/**.txt matches all .txt files in all subfolders of all folders named Docs. You can
use the double asterisk (**) wildcard only for backups in the Version 12 format.
The question mark (?) represents only one character. For example, Doc?.txt matches the files
Doc1.txt and Docs.txt, but not the files Doc.txt or Doc11.txt.
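The filter rules above can be previewed before a plan runs, which helps catch an exclusion that silently drops files you expect to be protected. The following Python sketch is an added example, not code from the product; it assumes that a single asterisk does not cross a slash, that selecting a folder selects everything beneath it, and that an empty inclusion list means "include everything". The function names and sample paths are hypothetical.

```python
import re


def normalize(path):
    """Lowercase and use forward slashes: criteria are case insensitive,
    and Windows paths may be written with either slash style."""
    return path.replace("\\", "/").rstrip("/").lower()


def mask_to_regex(criterion):
    """Translate a name, full path, or mask into a compiled pattern."""
    mask = normalize(criterion)
    parts = []
    i = 0
    while i < len(mask):
        if mask.startswith("**", i):
            parts.append(".*")       # zero or more characters, slash included
            i += 2
        elif mask[i] == "*":
            parts.append("[^/]*")    # assumption: a single * stops at a slash
            i += 1
        elif mask[i] == "?":
            parts.append("[^/]")     # exactly one character
            i += 1
        else:
            parts.append(re.escape(mask[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def matches(criterion, path):
    """Return True if the criterion selects the given file or folder path."""
    pattern = mask_to_regex(criterion)
    components = normalize(path).split("/")
    if "/" not in normalize(criterion):
        # Name criterion: any file or folder with that name is selected.
        return any(pattern.fullmatch(c) for c in components)
    # Full path criterion: test the path and each parent folder, assuming
    # that selecting a folder also selects everything beneath it.
    prefixes = ["/".join(components[:n]) for n in range(1, len(components) + 1)]
    return any(pattern.fullmatch(p) for p in prefixes)


def is_backed_up(path, include=(), exclude=()):
    """Apply both filters; the exclusion filter takes precedence."""
    if any(matches(c, path) for c in exclude):
        return False
    # Assumption: an empty inclusion filter places no restriction.
    return not include or any(matches(c, path) for c in include)


def preview(paths, include=(), exclude=()):
    """Map each path to True (backed up) or False (skipped)."""
    return {p: is_backed_up(p, include, exclude) for p in paths}


# Constructed sample paths, not taken from the guide.
SAMPLE_PATHS = [
    "C:/Users/ann/Docs/notes/todo.txt",
    "C:/Users/ann/Docs/notes/secret1.txt",
    "C:/Users/ann/Pictures/cat.png",
]

if __name__ == "__main__":
    result = preview(SAMPLE_PATHS,
                     include=["**/Docs/**.txt"],
                     exclude=["secret*.txt"])
    for path, kept in result.items():
        print("BACKUP" if kept else "SKIP  ", path)
```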
This option defines whether to back up files one by one or by taking an instant data snapshot.
Note
Files that are stored on network shares are always backed up one by one.
l If only machines running Linux are selected for backup: Do not create a snapshot.
l Otherwise: Create snapshot if it is possible.
Forensic data
Viruses, malware, and ransomware can carry out malicious activities, such as stealing or changing
data. These activities may need to be investigated, which is possible only if digital evidence is
provided. However, pieces of digital evidence, such as files or activity traces, may be deleted or the
machine on which the malicious activity happened may become unavailable.
Backups with forensic data allow investigators to analyze disk areas that are not usually included in
a regular disk backup. The Forensic data backup option allows you to collect the following pieces of
digital evidence that can be used in forensic investigations: snapshots of unused disk space,
memory dumps, and snapshots of running processes.
The Forensic data option is available only for entire machine backups of Windows machines that
run the following operating systems:
Backups with forensic data are not available for the following machines:
l Machines that are connected to your network through VPN and do not have direct access to the
Internet
l Machines with disks that are encrypted by BitLocker
Note
You cannot modify the forensic data settings after you apply a protection plan with enabled Backup
module to a machine. To use different forensic data settings, create a new protection plan.
You can store backups with forensic data in the following locations:
l Cloud storage
l Local folder
Note
The local folder location is supported only for external hard disks connected via USB.
Local dynamic disks are not supported as a location for backups with forensic data.
l Network folder
1. In the Cyber Protect console, go to Devices > All devices. Alternatively, the protection plan can
be created from the Management tab.
2. Select the device and click Protect.
3. In the protection plan, enable the Backup module.
4. In What to back up, select Entire machine.
5. In Backup options, click Change.
6. Find the Forensic data option.
7. Enable Collect forensic data. The system will automatically collect a memory dump and create
a snapshot of running processes.
Note
A full memory dump may contain sensitive data such as passwords.
As a result, backups will include forensic data, and you will be able to retrieve and analyze it. Backups
with forensic data are marked and can be filtered among other backups in Backup storage >
Locations by using the Only with forensic data option.
The system will show a folder with forensic data. Select a memory dump file or any other
forensic file, and then click Download.
l To recover a full forensic backup, click Entire machine. The system will recover the backup
without the boot mode. Thus, it will be possible to check that the disk was not changed.
You can use the provided memory dump with several third-party forensic software tools. For example,
use Volatility Framework at https://www.volatilityfoundation.org/ for further memory analysis.
During a backup, the agent calculates the hash codes of the backed-up disks, builds a hash tree,
saves the tree in the backup, and then sends the hash tree root to the notary service. The notary
service saves the hash tree root in the Ethereum blockchain database to ensure that this value does
not change.
When verifying the authenticity of the disk with forensic data, the agent calculates the hash of the
disk, and then compares it with the hash that is stored in the hash tree inside the backup. If these
hashes do not match, the disk is considered not authentic. Otherwise, the disk authenticity is
guaranteed by the hash tree.
To verify that the hash tree itself was not compromised, the agent sends the hash tree root to the
notary service. The notary service compares it with the one stored in the blockchain database. If the
hashes match, the selected disk is guaranteed to be authentic. Otherwise, the software displays a
message that the disk is not authentic.
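The two-step check described here for disks, and earlier under "How it works" for file-level notarization, can be illustrated with a small hash tree. The following Python sketch is an added example and not the product's implementation: the tree layout, the domain-separation prefixes, the NotaryStub class (a dictionary standing in for the blockchain record), and the sample data are all assumptions made for illustration.

```python
import hashlib
import hmac

LEAF, NODE = b"\x00", b"\x01"   # domain separation (assumption, not from the guide)


def leaf_hash(content):
    """Hash of one backed-up item (a file, or a disk image)."""
    return hashlib.sha256(LEAF + content).digest()


def build_hash_tree(items):
    """Map each path to its leaf hash; this is what is saved in the backup."""
    return {path: leaf_hash(data) for path, data in items.items()}


def _fold(entries):
    """Combine the entries of one folder into a single node hash."""
    children, subfolders = {}, {}
    for parts, digest in entries:
        if len(parts) == 1:
            children[parts[0]] = digest
        else:
            subfolders.setdefault(parts[0], []).append((parts[1:], digest))
    for name, sub in subfolders.items():
        children[name + "/"] = _fold(sub)   # trailing slash marks a folder
    node = hashlib.sha256(NODE)
    for name in sorted(children):           # order-independent result
        encoded = name.encode()
        node.update(len(encoded).to_bytes(4, "big") + encoded + children[name])
    return node.digest()


def tree_root(tree):
    """Recompute the root from the stored leaf hashes and folder structure."""
    return _fold([(path.split("/"), digest) for path, digest in tree.items()])


class NotaryStub:
    """Hypothetical stand-in for the notary service and its ledger."""

    def __init__(self):
        self._roots = {}

    def notarize(self, backup_id, root):
        self._roots.setdefault(backup_id, root)   # write once, never updated

    def matches(self, backup_id, root):
        return hmac.compare_digest(self._roots.get(backup_id, b""), root)


def verify(path, recovered, tree, notary, backup_id):
    """Step 1: item hash against the tree. Step 2: tree root against the notary."""
    stored = tree.get(path)
    if stored is None or not hmac.compare_digest(stored, leaf_hash(recovered)):
        return "file-mismatch"
    if not notary.matches(backup_id, tree_root(tree)):
        return "root-mismatch"
    return "authentic"


def demo():
    # Constructed sample data.
    items = {
        "contracts/2023/lease.pdf": b"lease v1",
        "contracts/2023/nda.pdf": b"nda v1",
        "readme.txt": b"hello",
    }
    path = "contracts/2023/lease.pdf"
    tree = build_hash_tree(items)
    notary = NotaryStub()
    notary.notarize("backup-1", tree_root(tree))

    results = {"clean": verify(path, items[path], tree, notary, "backup-1")}
    # The item was altered inside the backup, but the tree was not.
    results["file_changed"] = verify(path, b"lease v2", tree, notary, "backup-1")
    # The item and its leaf hash were both altered: only the notarized
    # root reveals the change.
    forged = dict(tree)
    forged[path] = leaf_hash(b"lease v2")
    results["tree_forged"] = verify(path, b"lease v2", forged, notary, "backup-1")
    return results


if __name__ == "__main__":
    print(demo())
```

The third case shows why the root is stored outside the backup: a tree that is changed together with the data still passes the first check and fails only the second.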
The scheme below briefly shows the notarization process for backups with forensic data.
To verify the notarized disk backup manually, you can get the certificate for it and follow the
verification procedure shown with the certificate by using the tibxread tool.
The installation path: the same folder as the agent has (for example, C:\Program
Files\BackupClient\BackupAndRecovery).
HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\BackupAndRecovery\Settings\OnlineBackup\FesAddressCache\Default\<tenant_login>\FesUri
For Linux:
/etc/Acronis/BackupAndRecovery.config
For macOS:
/Library/Application Support/Acronis/Registry/BackupAndRecovery.config
%allusersprofile%\Acronis\BackupAndRecovery\OnlineBackup\Default
For Linux:
/var/lib/Acronis/BackupAndRecovery/OnlineBackup/Default
/Library/Application Support/Acronis/BackupAndRecovery/OnlineBackup/Default
l list backups
l list content
l get content
l calculate hash
list backups
Lists recovery points in a backup.
SYNOPSIS:
Options
--loc=URI
--arc=BACKUP_NAME
--raw
--utc
--log=PATH
Output template:
<date> – a creation date of the backup. Format is “DD.MM.YYYY HH24:MM:SS”. In local timezone by
default (can be changed by using the --utc option).
Output example:
list content
Lists content in a recovery point.
SYNOPSIS:
Options
--loc=URI
--arc=BACKUP_NAME
--password
--backup=RECOVERY_POINT_ID
--raw
--log=PATH
Output template:
<notarization_status> – the following statuses are possible: Without notarization, Notarized, Next
backup.
Output example:
get content
Writes content of the specified disk in the recovery point to the standard output (stdout).
SYNOPSIS:
Options
--loc=URI
--arc=BACKUP_NAME
--password
--backup=RECOVERY_POINT_ID
--disk=DISK_NUMBER
--raw
calculate hash
Calculates the hash of the specified disk in the recovery point by using the SHA-2 (256-bit) algorithm
and writes it to the stdout.
SYNOPSIS:
Options
--loc=URI
--arc=BACKUP_NAME
--password
--backup=RECOVERY_POINT_ID
--disk=DISK_NUMBER
--raw
--log=PATH
Options description
Option | Description
--arc=BACKUP_NAME | The backup file name that you can get from the backup properties in the Cyber Protect console. The backup file must be specified with the extension .tibx.
--disk=DISK_NUMBER | Disk number (the same as was written to the output of the "get content" command)
--loc=URI | A backup location URI. The possible formats of the "--loc" option are:
--log=PATH | Enables writing the logs by the specified PATH (local path only, format is the same as for --loc=URI parameter). Logging level is DEBUG.
--password=PASSWORD | An encryption password for your backup. If the backup is not encrypted, leave this value empty.
--raw | Hides the headers (2 first rows) in the command output. It is used when the command output should be parsed.
Output with "--raw":
For example:
1%
2%
3%
4%
...
100%
Log truncation
This option is effective for backup of Microsoft SQL Server databases and for disk-level backup with
enabled Microsoft SQL Server application backup.
This option defines whether the SQL Server transaction logs are truncated after a successful backup.
LVM snapshotting
This option is effective only for physical machines.
This option is effective for disk-level backup of volumes managed by Linux Logical Volume Manager
(LVM). Such volumes are also called logical volumes.
This option defines how a snapshot of a logical volume is taken. The backup software can do this on
its own or rely on Linux Logical Volume Manager (LVM).
l By the backup software. The snapshot data is kept mostly in RAM. The backup is faster, and
unallocated space on the volume group is not required. Therefore, we recommend that you
change the preset only if you are experiencing problems with backing up logical volumes.
l By LVM. The snapshot is stored on unallocated space of the volume group. If the unallocated
space is missing, the snapshot will be taken by the backup software.
The snapshot is used only during the backup operation, and is automatically deleted when the
backup operation completes. No temporary files are kept.
Mount points
This option is effective only in Windows for a file-level backup of a data source that includes
mounted volumes or cluster shared volumes.
This option is effective only when you select for backup a folder that is higher in the folder hierarchy
than the mount point. (A mount point is a folder on which an additional volume is logically
attached.)
l If such folder (a parent folder) is selected for backup, and the Mount points option is enabled, all
files located on the mounted volume will be included in the backup. If the Mount points option is
disabled, the mount point in the backup will be empty.
During recovery of a parent folder, the mount point content will or will not be recovered,
depending on whether the Mount points option for recovery is enabled or disabled.
l If you select the mount point directly, or select any folder within the mounted volume, the
selected folders will be considered as ordinary folders. They will be backed up regardless of the
state of the Mount points option and recovered regardless of the state of the Mount points
option for recovery.
Example
Let's assume that the C:\Data1\ folder is a mount point for the mounted volume. The volume
contains folders Folder1 and Folder2. You create a protection plan for file-level backup of your
data.
If you select the check box for volume C and enable the Mount points option, the C:\Data1\ folder
in your backup will contain Folder1 and Folder2. When recovering the backed-up data, make sure
that you use the Mount points option for recovery properly.
If you select the check box for volume C, and disable the Mount points option, the C:\Data1\ folder
in your backup will be empty.
If you select the check box for the Data1, Folder1 or Folder2 folder, the checked folders will be
included in the backup as ordinary folders, regardless of the state of the Mount points option.
Multi-volume snapshot
This option is effective for backups of physical machines running Windows or Linux.
This option applies to disk-level backup. This option also applies to file-level backup when the file-
level backup is performed by taking a snapshot. (The "File-level backup snapshot" option
determines whether a snapshot is taken during file-level backup).
This option determines whether to take snapshots of multiple volumes at the same time or one by
one.
When this option is enabled, snapshots of all volumes being backed up are created simultaneously.
Use this option to create a time-consistent backup of data spanning multiple volumes; for instance,
for an Oracle database.
When this option is disabled, the volumes' snapshots are taken one after the other. As a result, if the
data spans several volumes, the resulting backup may not be consistent.
One-click recovery
Note
This feature is available with the Advanced Backup pack only.
l Secure Zone
l Network storage
l Cloud storage
Important
You must suspend the BitLocker encryption until the next restart of your machine when you
perform any of the following operations:
If the BitLocker encryption was not suspended when you restart your machine after performing any
of the operations above, you will need to specify your BitLocker PIN.
Important
Activating One-click recovery also activates Startup Recovery Manager on the target machine. If
Startup Recovery Manager cannot be activated, the backup operation that creates One-click
recovery backups will fail.
For more information about Startup Recovery Manager, refer to "Startup Recovery Manager" (p.
637).
Important
We strongly recommend that you specify a recovery password. Ensure that the user who
performs One-click recovery on the target machine knows this password.
As a result, after the protection plan runs and creates a backup, One-click recovery becomes
accessible to the users of the protected machine.
Important
One-click recovery is temporarily unavailable after you update the protection agent. It becomes
available again when the next backup finishes.
Prerequisites
l A protection plan with enabled One-click recovery backup option is applied to the machine.
l There is at least one disk backup of the machine.
To recover a machine
After a while, the recovery starts and its progress is shown. When the recovery completes, your
machine reboots.
This option is not available for backups executed by the cloud agents, such as website backups or
backups of servers located on the cloud recovery site.
Note
You can configure this option separately for each location specified in the protection plan. To
configure this option for a replication location, click the gear icon next to the location name, and
then click Performance and backup window.
This option is effective only for the backup and backup replication processes. Post-backup
commands and other operations included in a protection plan (for example, validation) will run
regardless of this option.
When this option is disabled, backups are allowed to run at any time, with the following parameters
(no matter if the parameters were changed against the preset value):
When this option is enabled, scheduled backups are allowed or blocked according to the
performance parameters specified for the current hour. At the beginning of an hour when backups
are blocked, a backup process is automatically stopped and an alert is generated.
Even if scheduled backups are blocked, a backup can be started manually. It will use the
performance parameters of the most recent hour when backups were allowed.
Backup window
Each rectangle represents an hour within a week day. Click a rectangle to cycle through the
following states:
• Green: backup is allowed with the parameters specified in the green section below.
• Blue: backup is allowed with the parameters specified in the blue section below.
  This state is not available if the backup format is set to Version 11.
• Gray: backup is blocked.
You can click and drag to change the state of multiple rectangles simultaneously.
This option sets the priority of the backup process (service_process.exe) in Windows and the
niceness of the backup process (service_process) in Linux and macOS.
The table below summarizes the mapping for this setting in Windows, Linux, and macOS.
Normal Normal 0
When this option is enabled, you can specify the maximum allowed output speed:
• As a percentage of the estimated writing speed of the destination hard disk (when backing up to a
  local folder) or of the estimated maximum speed of the network connection (when backing up to
  a network share or cloud storage).
  This setting works only if the agent is running in Windows.
• In KB/second (for all destinations).
This option is effective for disk-level backups and file backups created by Agent for Windows, Agent
for Linux, Agent for Mac, Agent for VMware, Agent for Hyper-V, and Agent for Virtuozzo.
Use this option to ship the first full backup created by a protection plan to the cloud storage on a
hard disk drive by using the Physical Data Shipping service. The subsequent incremental backups
are performed over the network.
For local backups that are replicated to cloud, incremental backups continue and are saved locally
until the initial backup is uploaded in the cloud storage. Then all incremental changes are replicated
to the cloud and the replication continues per the backup schedule.
For detailed instructions about using the Physical Data Shipping service and the order creation tool,
refer to the Physical Data Shipping Administrator's Guide. To access this document in the Physical
Data Shipping service web interface, click the question mark icon.
Note
This option is supported with protection agent versions from release C21.06 or later.
Important
Once the initial full backup is done, the subsequent backups must be performed by the same
protection plan. Another protection plan, even with the same parameters and for the same
machine, will require another Physical Data Shipping cycle.
Important
Ensure that you follow the packaging instructions provided in the Physical Data Shipping
Administrator's Guide.
9. Track the order status by using the Physical Data Shipping service web interface. Note that the
subsequent backups will fail until the initial backup is uploaded to the cloud storage.
Pre/Post commands
The option enables you to define the commands to be automatically executed before and after the
backup procedure.
• Delete some temporary files from the disk before starting backup.
• Configure a third-party antivirus product to be started each time before the backup starts.
• Selectively copy backups to another location. This option may be useful because the replication
  configured in a protection plan copies every backup to subsequent locations.
The agent performs the replication after executing the post-backup command.
Pre-backup command
To specify a command/batch file to be executed before the backup process starts
Result
#!/bin/sh
unset LD_LIBRARY_PATH
unset LD_PRELOAD
Post-backup command
To specify a command/executable file to be executed after the backup is completed
The following scheme illustrates when the pre/post data capture commands are run.
If the Multi-volume snapshot option is enabled, the pre/post data capture commands will run only
once, because the snapshots for all volumes are created simultaneously. If the Multi-volume
If the Volume Shadow Copy Service (VSS) option is enabled, the pre/post data capture commands
and the Microsoft VSS actions will run as follows:
Pre-data capture commands > VSS Suspend > Data capture > VSS Resume > Post-data capture commands
By using the pre/post data capture commands, you can suspend and resume a database or
application that is not compatible with VSS. Because the data capture takes seconds, the database
or application idle time will be minimal.
Result
#!/bin/sh
unset LD_LIBRARY_PATH
unset LD_PRELOAD
Result
For more information about how to configure the backup schedule, see "Running a backup on a
schedule" (p. 376).
The preset is: Distribute backup start times within a time window. Maximum delay: 30
minutes.
Sector-by-sector backup
The option is effective only for disk-level backup.
If this option is enabled, all sectors of the disk or volume will be backed up, including unallocated space
and those sectors that are free of data. The resulting backup will be equal in size to the disk being
backed up (if the "Compression level" option is set to None). The software automatically switches to
the sector-by-sector mode when backing up drives with unrecognized or unsupported file systems.
Note
It will be impossible to perform a recovery of application data from the backups which were created
in the sector-by-sector mode.
Splitting
This option enables you to select the method of splitting large backups into smaller files.
Note
Splitting is not available in protection plans that use the cloud storage as a backup location.
• If the backup location is a local or network (SMB) folder, and the backup format is Version 12:
  Fixed size - 200 GB
  This setting allows the backup software to work with large volumes of data on the NTFS file
  system, without negative effects caused by file fragmentation.
• Otherwise: Automatic
• Automatic
  A backup will be split if it exceeds the maximum file size supported by the file system.
• Fixed size
  Enter the desired file size or select it from the drop-down list.
If this option is enabled, the program will try to execute the protection plan again. You can specify
the number of attempts and the time interval between the attempts. The program stops trying as
soon as an attempt completes successfully or the specified number of attempts is performed,
depending on which comes first.
If this option is enabled and your machine restarts while a backup is running, the backup operation
will not fail. A few minutes after the restart, the backup operation will continue automatically and
Note
This option is not effective in forensic backups.
This option determines the program behavior in case a task is about to start (the scheduled time
comes or the event specified in the schedule occurs), but the condition (or any of multiple
conditions) is not met. For more information about conditions, refer to "Start conditions" (p. 383).
The preset is: Wait until the conditions from the schedule are met.
To handle the situation when the conditions are not met for too long and further delaying the task is
becoming risky, you can set the time interval after which the task will run irrespective of the
condition. Select the Run the task anyway after check box and specify the time interval. The task
will start as soon as the conditions are met OR the maximum time delay lapses, depending on which
comes first.
It defines whether a backup can succeed if one or more Volume Shadow Copy Service (VSS) writers
fail and which provider has to notify the VSS-aware applications that the backup will start.
Using the Volume Shadow Copy Service ensures the consistent state of all data used by the
applications; in particular, completion of all database transactions at the moment of taking the data
snapshot by the backup software. Data consistency, in turn, ensures that the application will be
recovered in the correct state and become operational immediately after recovery.
The snapshot is used only during the backup operation, and is automatically deleted when the
backup operation completes. No temporary files are kept.
Note
Files and folders that are specified in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot registry
key are not backed up. In particular, offline Outlook Data Files (.ost) are not backed up because they
are specified in the OutlookOST value of this key.
Important
Application-aware backups will always fail if the application-specific writer fails. For example, if
you are making an application-aware backup of SQL Server data, and SqlServerWriter fails, the
backup operation will also fail.
When this option is enabled, up to three consecutive attempts for a VSS snapshot will be made.
In the first attempt, all VSS writers are required. If this attempt fails, it will be repeated. If the
second attempt also fails, the failed VSS writers will be excluded from the scope of the backup
operation, and then a third attempt will be made. If the third attempt is successful, the backup
will complete with a warning about the failed VSS writers. If the third attempt is not successful,
the backup will fail.
Note
If the failed VSS writers are not essential for the consistency of your backups, and you want to
remove the warnings, you can permanently exclude these writers from the scope of the backup
operation. For more information on how to exclude a VSS writer, refer to this knowledge base
article.
• If you use Agent for Exchange or third-party software for backing up the Exchange Server data.
  This is because the log truncation will interfere with the consecutive transaction log backups.
• If you use third-party software for backing up the SQL Server data. The reason for this is that the
  third-party software will take the resulting disk-level backup for its "own" full backup. As a result,
  the next differential backup of the SQL Server data will fail. The backups will continue failing until
  the third-party software creates the next "own" full backup.
• If other VSS-aware applications are running on the machine and you need to keep their logs for
  any reason.
Important
Enabling this option does not result in the truncation of Microsoft SQL Server logs. To truncate the
SQL Server log after a backup, enable the Log truncation backup option.
Note
For Red Hat Virtualization (oVirt) virtual machines, we recommend that you install QEMU Guest
Tools instead of Red Hat Virtualization Guest Tools. Some versions of Red Hat Virtualization Guest
Tools do not support application-consistent snapshots.
If this option is enabled, transactions of all VSS-aware applications running in a virtual machine are
completed before the snapshot is taken. If a quiesced snapshot fails after the number of re-attempts
specified in the "Error handling" option, and application backup is disabled, a non-quiesced
snapshot is taken. If application backup is enabled, the backup fails.
If this option is disabled, a non-quiesced snapshot is taken. The virtual machine will be backed up in
a crash-consistent state.
Note
This option does not affect Scale Computing HC3 virtual machines. For them, quiescing depends on
whether Scale Tools are installed on the virtual machine.
Weekly backup
This option determines which backups are considered "weekly" in retention rules and backup
schemes. A "weekly" backup is the first backup created after a week starts.
This option defines whether the agents have to log events of the backup operations in the
Application Event Log of Windows (to see this log, run eventvwr.exe or select Control Panel >
Administrative tools > Event Viewer). You can filter the events to be logged.
Recovery
Note
You cannot recover backups in the Cyber Protect console for tenants in the Enhanced security
mode. For more information on how to recover such backups, refer to "Recovering backups for
tenants in the Enhanced security mode" (p. 946).
Microsoft 365
Mailboxes
Using the Cyber Protect console
(local Agent for Microsoft 365)
Mailboxes
Using the Cyber Protect console
(cloud Agent for Microsoft 365)
Google Workspace
Safe recovery
A backed-up OS image can contain malware that can reinfect a machine after recovery.
The safe recovery functionality allows you to prevent recurrence of infections by using the
integrated antimalware scanning and malware deletion during the recovery process.
Limitations:
• Safe recovery is supported only for physical or virtual Windows machines with Agent for Windows
  installed inside the machine.
• The supported backup types are "Entire machine" or "Disks/volumes" backups.
• Safe recovery is supported only for the volumes with NTFS file system. Non-NTFS partitions will
  be recovered without antimalware scanning.
• Safe recovery is not supported for CDP backups. The machine will be recovered based on the last
  regular backup without the data in the CDP backup. To recover the CDP data, start a Files/folders
  recovery.
How it works
If you enable the Safe recovery option during the recovery process, then the system will perform the
following:
1. Scan the image backup for malware and mark the infected files. One of the following statuses is
assigned to a backup:
   • No malware – no malware was found in a backup during scanning.
   • Malware detected – malware was found in a backup during scanning.
   • Not scanned – backup was not scanned for malware.
Recovering a machine
Use bootable media instead of the web interface if you need to recover:
Note
You cannot recover disk-level backups of Intel-based Macs to Macs that use Apple silicon
processors, and vice-versa. You can recover files and folders.
Important
Backed-up encrypted volumes are recovered as non-encrypted.
Recovering an encrypted system volume does not require any additional actions. To recover an
encrypted non-system volume, you must lock it first, for example, by opening a file that resides on
this volume. Otherwise, the recovery will continue without restart and the recovered volume might
not be recognized by Windows.
Note
If the recovery fails and your machine restarts with the Cannot get file from partition error, try
disabling Secure Boot. For more information on how to do it, refer to Disabling Secure Boot in the
Microsoft documentation.
This section describes the recovery of a physical machine as a virtual machine by using the web
interface. This operation can be performed if at least one agent for the relevant hypervisor is
installed and registered in Acronis Management Server. For example, recovery to VMware ESXi
requires at least one Agent for VMware, recovery to Hyper-V requires at least one Agent for Hyper-V
installed and registered in the environment.
Recovery through the web interface is not available for tenants in the Enhanced security mode.
Note
You cannot recover macOS virtual machines to Hyper-V hosts, because Hyper-V does not support
macOS. You can recover macOS virtual machines to a VMware host that is installed on Mac
hardware.
Also, you cannot recover backups of macOS physical machines as virtual machines.
Note
At least one agent for that hypervisor must be installed and registered in Acronis
Management Server.
b. Select whether to recover to a new or existing machine. The new machine option is
preferable as it does not require the disk configuration of the target machine to exactly
match the disk configuration in the backup.
c. Select the host and specify the new machine name, or select an existing target machine.
d. Click OK.
7. [For Virtuozzo Hybrid Infrastructure] Click VM settings to select Flavor. Optionally, you can
change the memory size, the number of processors, and the network connections of the virtual
machine.
Note
Selecting flavor is a required step for Virtuozzo Hybrid Infrastructure.
Note
You cannot recover backups in the Cyber Protect console for tenants in the Enhanced security
mode. For more information on how to recover such backups, refer to "Recovering backups for
tenants in the Enhanced security mode" (p. 946).
Prerequisites
• A virtual machine must be stopped during the recovery to this machine. By default, the software
  stops the machine without a prompt. When the recovery is completed, you have to start the
  machine manually. You can change the default behavior by using the VM power management
  recovery option (click Recovery options > VM power management).
Procedure
Note
You cannot recover disk-level backups of Intel-based Macs to Macs that use Apple silicon
processors, and vice-versa. You can recover files and folders.
10. In Backup contents, select the disks that you want to recover. Click OK to confirm your
selection.
11. Under Where to recover, the software automatically maps the selected disks to the target disks.
If the mapping is not successful or if you are unsatisfied with the mapping result, you can re-map
disks manually.
Note
Changing disk layout may affect the operating system bootability. Please use the original
machine's disk layout unless you feel fully confident of success.
12. [When recovering Linux] If the backed-up machine had logical volumes (LVM) and you want to
reproduce the original LVM structure:
a. Ensure that the number of the target machine disks and each disk capacity are equal to or
exceed those of the original machine, and then click Apply RAID/LVM.
Preparation
Prepare drivers
Before applying Universal Restore to a Windows operating system, make sure that you have the
drivers for the new HDD controller and the chipset. These drivers are critical to start the operating
system. Use the CD or DVD supplied by the hardware vendor or download the drivers from the
vendor’s website. The driver files should have the *.inf extension. If you download the drivers in the
*.exe, *.cab or *.zip format, extract them using a third-party application.
The best practice is to store drivers for all the hardware used in your organization in a single
repository sorted by device type or by the hardware configurations. You can keep a copy of the
repository on a DVD or a flash drive; pick some drivers and add them to the bootable media; create
the custom bootable media with the necessary drivers (and the necessary network configuration)
for each of your servers. Or, you can simply specify the path to the repository every time Universal
Restore is used.
• If the drivers are on a vendor's disc or other removable media, turn on the Search removable
  media.
• If the drivers are located in a networked folder or on the bootable media, specify the path to the
  folder by clicking Add folder.
In addition, Universal Restore will search the Windows default driver storage folder. Its location is
determined in the registry value DevicePath, which can be found in the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. This storage folder is usually
WINDOWS/inf.
Universal Restore will perform the recursive search in all the sub-folders of the specified folder, find
the most suitable HAL and HDD controller drivers of all those available, and install them into the
system. Universal Restore also searches for the network adapter driver; the path to the found driver
is then transmitted by Universal Restore to the operating system. If the hardware has multiple
network interface cards, Universal Restore will try to configure all the cards' drivers.
• The hardware has a specific mass storage controller such as RAID (especially NVIDIA RAID) or a
  fibre channel adapter.
• You migrated a system to a virtual machine that uses a SCSI hard drive controller. Use SCSI
  drivers bundled with your virtualization software or download the latest driver versions from the
  software manufacturer website.
• If the automatic driver search does not help to boot the system.
Specify the appropriate drivers by clicking Add driver. The drivers defined here will be installed,
with appropriate warnings, even if the program finds a better driver.
If Universal Restore cannot find a compatible driver in the specified locations, it will display a
prompt about the problem device. Do one of the following:
• Add the driver to any of the previously specified locations and click Retry.
Once Windows boots, it will initialize the standard procedure for installing new hardware. The
network adapter driver will be installed silently if the driver has the Microsoft Windows signature.
Otherwise, Windows will ask for confirmation on whether to install the unsigned driver.
After that, you will be able to configure the network connection and specify drivers for the video
adapter, USB and other devices.
When Universal Restore is applied to a Linux operating system, it updates a temporary file system
known as the initial RAM disk (initrd). This ensures that the operating system can boot on the new
hardware.
Universal Restore adds modules for the new hardware (including device drivers) to the initial RAM
disk. As a rule, it finds the necessary modules in the /lib/modules directory. If Universal Restore
cannot find a module it needs, it records the module’s file name into the log.
Universal Restore may modify the configuration of the GRUB boot loader. This may be required, for
example, to ensure the system bootability when the new machine has a different volume layout
than the original machine.
The initial RAM disk is stored on the machine in a file. Before updating the initial RAM disk for the
first time, Universal Restore saves a copy of it to the same directory. The name of the copy is the
name of the file, followed by the _acronis_backup.img suffix. This copy will not be overwritten if
you run Universal Restore more than once (for example, after you have added missing drivers).
• Rename the copy accordingly. For example, run a command similar to the following:
  mv initrd-2.6.16.60-0.21-default_acronis_backup.img initrd-2.6.16.60-0.21-default
• Specify the copy in the initrd line of the GRUB boot loader configuration.
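The rename described above, as an added shell example (it is not part of the original guide or of the product): it derives the original file name from the _acronis_backup.img suffix and puts the saved copy back under that name. Unlike the mv command above, it copies the file so that the saved copy stays in place; the .universal_restore name given to the updated initrd is an assumption of this example.

```shell
#!/bin/sh
# Added example, not product code. Run as root with the path to a saved copy:
#   sh restore_initrd.sh /boot/initrd-2.6.16.60-0.21-default_acronis_backup.img

SUFFIX="_acronis_backup.img"    # suffix Universal Restore appends to the saved copy
KEEP_EXT=".universal_restore"   # assumed name for the set-aside, updated initrd

# Print the original initrd path for a saved copy.
# Fails (status 1) if the name does not end with the suffix.
original_name() {
    case "$1" in
        ?*"$SUFFIX")
            name=${1%"$SUFFIX"}
            printf '%s\n' "$name"
            ;;
        *)
            return 1
            ;;
    esac
}

# List the saved copies found in a directory, one path per line.
list_saved_copies() {
    dir=$1
    for f in "$dir"/*"$SUFFIX"; do
        # An unmatched glob stays literal, so test that the file exists.
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Put the saved copy back under the original name.
# The initrd that Universal Restore updated is kept next to it, and the
# saved copy is left untouched so the step can be repeated or reversed.
restore_original_initrd() {
    copy=$1
    [ -f "$copy" ] || { echo "no such file: $copy" >&2; return 2; }
    target=$(original_name "$copy") || {
        echo "not a saved copy (missing $SUFFIX): $copy" >&2
        return 2
    }
    if [ -e "$target" ]; then
        # Nothing to do if the original is already in place; this also keeps
        # a second run from overwriting the set-aside file.
        if cmp -s "$copy" "$target"; then
            echo "already original: $target"
            return 0
        fi
        mv -- "$target" "$target$KEEP_EXT" || return 1
    fi
    cp -p -- "$copy" "$target" || return 1
    echo "restored $target from $copy"
}

# Stand-alone use: restore the copy named on the command line.
if [ "$#" -ge 1 ]; then
    restore_original_initrd "$1"
fi
```
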
Note
You cannot recover backups in the Cyber Protect console for tenants in the Enhanced security
mode. For more information on how to recover such backups, refer to "Recovering backups for
tenants in the Enhanced security mode" (p. 946).
1. Select the machine that originally contained the data that you want to recover.
2. Click Recovery.
3. Select the recovery point. Note that recovery points are filtered by location.
If the selected machine is physical and it is offline, recovery points are not displayed. Do any of
the following:
   • [Recommended] If the backup location is cloud or shared storage (i.e. other agents can access
     it), click Select machine, select a target machine that is online, and then select a recovery
     point.
   • Select a recovery point on the Backup storage tab.
   • Download the files from the cloud storage.
   • Use bootable media.
4. Click Recover > Files/folders.
5. Browse to the required folder or use the search bar to obtain the list of the required files and
folders.
Search is language-independent.
You can use one or more wildcard characters (* and ?). For more details about using wildcards,
refer to "Mask " (p. 415).
Note
Search is not available for disk-level backups that are stored in the cloud storage.
Note
Symbolic links are not supported.
Limitations
• Backups of system state, SQL databases, and Exchange databases cannot be browsed.
6. Select the check boxes for the items you need to recover, and then click Download.
If you select a single file, it will be downloaded as is. Otherwise, the selected data will be archived
into a .zip file.
7. Select the location to save the data to, and then click Save.
1. Select the file as described in steps 1-6 of the "Recovering files by using the web interface"
section, or steps 1-5 of the "Downloading files from the cloud storage" section.
2. Ensure that the selected file is marked with the following icon: . This means that the file is
notarized.
3. Do one of the following:
   • Click Verify.
     The software checks the file authenticity and displays the result.
Note
This feature is available with the Advanced Backup pack.
ASign is a service that allows multiple people to sign a backed-up file electronically. This feature is
available only for file-level backups stored in the cloud storage.
Only one file version can be signed at a time. If the file was backed up multiple times, you must
choose the version to sign, and only this version will be signed.
For example, ASign can be used for electronic signing of the following files:
1. Select the file as described in steps 1-6 of the "Recovering files by using the web interface"
section, or steps 1-5 of the "Downloading files from the cloud storage" section.
2. Ensure that the correct date and time is selected on the left panel.
3. Click Sign this file version.
4. Specify the password for the cloud storage account under which the backup is stored. The login
of the account is displayed in the prompt window.
The ASign service interface is opened in a web browser window.
5. Add other signees by specifying their email addresses. It is not possible to add or remove signees
after sending invitations, so ensure that the list includes everyone whose signature is required.
Requirements
• This functionality is available only in Windows by using File Explorer.
• The backed-up file system must be one of the following: FAT16, FAT32, NTFS, ReFS, Ext2, Ext3,
  Ext4, XFS, or HFS+.
Prerequisites
• A protection agent must be installed on the machine from which you browse a backup.
• The backup must be stored in a local folder or on a network share (SMB/CIFS).
BLACKLIST_RPC=
Note
You cannot recover backups in the Cyber Protect console for tenants in the Enhanced security
mode. For more information on how to recover such backups, refer to "Recovering backups for
tenants in the Enhanced security mode" (p. 946).
1. Select the machine for which you want to recover the system state.
2. Click Recovery.
3. Select a system state recovery point. Note that recovery points are filtered by location.
4. Click Recover system state.
5. Confirm that you want to overwrite the system state with its backed-up version.
The recovery progress is shown on the Activities tab.
If you are recovering an ESXi configuration to a non-original host and the original ESXi host is still
connected to the vCenter Server, disconnect and remove this host from the vCenter Server to avoid
The virtual machines running on the host are not included in an ESXi configuration backup. They can
be backed up and recovered separately.
Recovery options
To modify the recovery options, click Recovery options when configuring recovery.
• The environment in which the agent that performs the recovery operates (Windows, Linux, macOS, or
  bootable media).
• The type of data being recovered (disks, files, virtual machines, application data).
Backup validation        + + + + + + + + +
Boot mode                + - - - - - - + -
Date and time for files  - - - + + + + - -
Error handling           + + + + + + + + +
File exclusions          - - - + + + + - -
File-level security      - - - + - - - - -
Flashback                + + + - - - - + -
Full path recovery       - - - + + + + - -
Mount points             - - - + - - - - -
Performance              + + - + + + - + +
Pre/post commands        + + - + + + - + +
SID changing             + - - - - - - - -
VM power management      - - - - - - - + -
Windows event log        + - - + - - - Hyper-V only +
For more information about the validation via checksum verification, refer to "Checksum
verification" (p. 185).
Note
Depending on the settings chosen by your service provider, validation might not be available when
backing up to the cloud storage.
Boot mode
This option is effective when recovering a physical or a virtual machine from a disk-level backup that
contains a Windows operating system.
This option enables you to select the boot mode (BIOS or UEFI) that Windows will use after the
recovery. If the boot mode of the original machine is different from the selected boot mode, the
software will:
• Initialize the disk to which you are recovering the system volume, according to the selected boot
  mode (MBR for BIOS, GPT for UEFI).
• Adjust the Windows operating system so that it can start using the selected boot mode.
Recommendations
If you need to transfer Windows between UEFI and BIOS:
• Recover the entire disk where the system volume is located. If you recover only the system
  volume on top of an existing volume, the agent will not be able to initialize the target disk
  properly.
• Remember that BIOS does not allow using more than 2 TB of disk space.
Limitations
• Transferring between UEFI and BIOS is supported for:
  ◦ 64-bit Windows operating systems starting with Windows 7
  ◦ 64-bit Windows Server operating systems starting with Windows Server 2008 SP1
• Transferring between UEFI and BIOS is not supported if the backup is stored on a tape device.
When transferring a system between UEFI and BIOS is not supported, the agent behaves as if the As
on the backed-up machine setting is chosen. If the target machine supports both UEFI and BIOS,
you need to manually enable the boot mode corresponding to the original machine. Otherwise, the
system will not boot.
This option defines whether to recover the files' date and time from the backup or assign the files
the current date and time.
If this option is enabled, the files will be assigned the current date and time.
Error handling
These options enable you to specify how to handle errors that might occur during recovery.
When a recoverable error occurs, the program re-attempts to perform the unsuccessful operation.
You can set the time interval and the number of attempts. The attempts will be stopped as soon as
the operation succeeds OR the specified number of attempts are performed, depending on which
comes first.
When this option is enabled, you can specify a folder on the local disk (including flash or HDD drives
attached to the target machine) or on a network share where the log, system information, and crash
dump files will be saved. These files will help the technical support personnel to identify the problem.
File exclusions
This option is effective only when recovering files.
The option defines which files and folders to skip during the recovery process and thus exclude
from the list of recovered items.
Note
Exclusions override the selection of data items to recover. For example, if you select to recover file
MyFile.tmp and to exclude all .tmp files, file MyFile.tmp will not be recovered.
File-level security
This option is effective when recovering files from disk- and file-level backups of NTFS-formatted
volumes.
This option defines whether to recover NTFS permissions for files along with the files.
You can choose whether to recover the permissions or let the files inherit their NTFS permissions
from the folder to which they are recovered.
Flashback
This option is effective when recovering disks and volumes on physical and virtual machines, except
for Mac.
This option works only if the volume layout of the disk being recovered exactly matches that of the
target disk.
If the option is enabled, only the differences between the data in the backup and the target disk
data are recovered. This accelerates recovery of physical and virtual machines. The data is
compared at the block level.
If this option is enabled, the full path to the file will be re-created in the target location.
Mount points
This option is effective only in Windows for recovering data from a file-level backup.
Enable this option to recover files and folders that were stored on the mounted volumes and were
backed up with the enabled Mount points option.
This option is effective only when you select for recovery a folder that is higher in the folder
hierarchy than the mount point. If you select for recovery folders within the mount point or the
mount point itself, the selected items will be recovered regardless of the Mount points option
value.
Note
Please be aware that if the volume is not mounted at the moment of recovery, the data will be
recovered directly to the folder that has been the mount point at the time of backing up.
Performance
This option defines the priority of the recovery process in the operating system.
The priority of a process running in a system determines the amount of CPU and system resources
allocated to that process. Decreasing the recovery priority will free more resources for other
applications. Increasing the recovery priority might speed up the recovery process by requesting the
operating system to allocate more resources to the application that will perform the recovery.
However, the resulting effect will depend on the overall CPU usage and other factors like disk I/O
speed or network traffic.
Pre/Post commands
The option enables you to define the commands to be automatically executed before and after the
data recovery.
The program does not support interactive commands, that is, commands that require user input (for
example, "pause").
A post-recovery command will not be executed if the recovery proceeds with reboot.
Pre-recovery command
To specify a command/batch file to be executed before the recovery process starts
Result
Note
A post-recovery command will not be executed if the recovery proceeds with reboot.
SID changing
This option is effective when recovering Windows 8.1/Windows Server 2012 R2 or earlier.
This option is not effective when recovery to a virtual machine is performed by Agent for VMware,
Agent for Hyper-V, Agent for Scale Computing HC3, or Agent for oVirt.
The software can generate a unique security identifier (Computer SID) for the recovered operating
system. You only need this option to ensure operability of third-party software that depends on
Computer SID.
Microsoft does not officially support changing SID on a deployed or recovered system. So use this
option at your own risk.
VM power management
These options are effective when recovery to a virtual machine is performed by Agent for VMware,
Agent for Hyper-V, Agent for Virtuozzo, Agent for Scale Computing HC3, or Agent for oVirt.
Recovery to an existing virtual machine is not possible if the machine is online, and so the machine
is powered off automatically as soon as the recovery starts. Users will be disconnected from the
machine and any unsaved data will be lost.
After a machine is recovered from a backup to another machine, there is a chance the existing
machine's replica will appear on the network. To be on the safe side, power on the recovered virtual
machine manually, after you take the necessary precautions.
This option defines whether the agents have to log events of the recovery operations in the
Application Event Log of Windows (to see this log, run eventvwr.exe or select Control Panel >
Administrative tools > Event Viewer). You can filter the events to be logged.
Backups that are stored in a shared location (such as an SMB or NFS share) are visible to all users
that have the read permission for the location.
In Windows, backup files inherit the access permissions from their parent folder. Therefore, we
recommend that you restrict the read permissions for this folder.
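The check and the restriction recommended above can be scripted in PowerShell. The following is an added example, not part of the user guide: it lists every account that can read a backup folder, flags broad groups, and, when run with -Harden, stops inheritance from the parent folder and removes those groups. The path D:\Backups, the list of broad groups, and the function names are assumptions.

```powershell
# Added example, not part of the user guide. D:\Backups is a hypothetical
# backup location; adjust the path for your environment.
param(
    [string]$BackupFolder = 'D:\Backups',
    [switch]$Harden   # without this switch the script only reports
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Well-known groups that effectively mean "every user" (assumed policy list).
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# ReadData (0x1) plus the generic bits that also grant read access
# (GENERIC_READ 0x80000000, GENERIC_ALL 0x10000000).
$readMask = 0x1 -bor 0x80000000 -bor 0x10000000

function Test-BroadSid {
    param([string]$Sid)
    # Domain Users has the form S-1-5-21-<domain>-513.
    return ($broadSids -contains $Sid) -or ($Sid -match '^S-1-5-21-[\d-]+-513$')
}

function Get-BackupReader {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Ask for SIDs instead of names so the check works on localized systems.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $readMask) -eq 0) { continue }
        $sid = $rule.IdentityReference.Value
        # Resolve to a readable name for the report; keep the SID if that fails.
        try {
            $name = $rule.IdentityReference.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $sid
        }
        [pscustomobject]@{
            Identity  = $name
            Sid       = $sid
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            Broad     = Test-BroadSid $sid
        }
    }
}

$readers = @(Get-BackupReader -Path $BackupFolder)
$readers | Format-Table -AutoSize | Out-String | Write-Host

$broad = @($readers | Where-Object { $_.Broad })
if ($broad.Count -eq 0) {
    Write-Host "No broad groups can read $BackupFolder."
    return
}
Write-Warning ("Broad groups with read access to {0}: {1}" -f `
    $BackupFolder, (($broad.Identity | Select-Object -Unique) -join ', '))
if (-not $Harden) { return }

# Step 1: stop inheriting from the parent folder, keeping the current
# entries as explicit copies so that nobody is locked out by this step.
$acl = Get-Acl -Path $BackupFolder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $BackupFolder -AclObject $acl

# Step 2: re-read the ACL (the copied entries exist only after step 1 is
# saved), then remove every entry that belongs to a broad group.
$acl = Get-Acl -Path $BackupFolder
foreach ($sid in ($broad.Sid | Select-Object -Unique)) {
    $acl.PurgeAccessRules((New-Object System.Security.Principal.SecurityIdentifier($sid)))
}
Set-Acl -Path $BackupFolder -AclObject $acl

# Backup files inherit from this folder, so they follow the new ACL.
Get-BackupReader -Path $BackupFolder | Format-Table -AutoSize
```

Run it once without -Harden and confirm that the account under which the agent writes backups remains in the list before applying the change.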
In the cloud storage, users have access only to their own backups.
An administrator can view backups to cloud on behalf of any account that belongs to the given unit
or company and its child groups, by selecting the cloud storage for the account. To select the device
that you want to use to obtain data from cloud, click Change in the Machine to browse from row.
The Backup storage tab shows the backups of all machines ever registered under the selected
account.
Backups created by the cloud Agent for Microsoft 365 and backups of Google Workspace data are
shown not in the Cloud storage location, but in a separate section named Cloud applications
backups.
1 An orphaned backup is a backup that is no longer associated with a protection plan.
If you added or removed some backups by using a file manager, click the gear icon next to the
location name, and then click Refresh.
Warning!
Do not try editing the backup files manually because this may result in file corruption and make the
backups unusable. Also, we recommend that you use the backup replication instead of moving
backup files manually.
A backup location (except for the cloud storage) disappears from the Backup storage tab if all
machines that had ever backed up to the location were deleted from the Cyber Protection service.
This ensures that you do not have to pay for the backups stored in this location. As soon as a
backup to this location occurs, the location is re-added along with all backups that are stored in it.
On the Backup storage tab, you can filter backups in the list by using the following criteria:
l Only with forensic data – only backups having forensic data will be shown.
l Only pre-update backups created by Patch management – only backups that were created
during patch management run before patch installation will be shown.
1. On the Backup storage tab, select the location where the backups are stored.
The software displays all backups that your account is allowed to view in the selected location.
The backups are combined in groups. The group names are based on the following template:
<machine name> - <protection plan name>
2. Select a group from which you want to recover the data.
3. [Optional] Click Change next to Machine to browse from, and then select another machine.
Some backups can only be browsed by specific agents. For example, you must select a machine
running Agent for SQL to browse the backups of Microsoft SQL Server databases.
Important
Please be aware that the Machine to browse from is a default destination for recovery from a
physical machine backup. After you select a recovery point and click Recover, double check the
Target machine setting to ensure that you want to recover to this specific machine. To change
the recovery destination, specify another machine in Machine to browse from.
Note
This operation is available only if you have an online agent.
Select a location from one of the following locations types, and then click Done:
l Local folder
l Network folder
l Secure Zone
l NFS folder
Mounting volumes in the read/write mode enables you to modify the backup content; that is, save,
move, create, delete files or folders, and run executables consisting of one file. In this mode, the
software creates an incremental backup that contains the changes you make to the backup content.
Note that none of the subsequent backups will contain these changes.
Requirements
l This functionality is available only in Windows by using File Explorer.
l Agent for Windows must be installed on the machine that performs the mount operation.
l The backed-up file system must be supported by the Windows version that the machine is
running.
l The backup must be stored in a local folder, on a network share (SMB/CIFS), or in the Secure
Zone.
Usage scenarios
l Sharing data
Mounted volumes can be easily shared over the network.
l "Band-aid" database recovery solution
Mount a volume that contains an SQL database from a recently failed machine. This will provide
access to the database until the failed machine is recovered. This approach can also be used for
granular recovery of Microsoft SharePoint data by using SharePoint Explorer.
l Offline virus removal
If a machine is infected, mount its backup, clean it with an antivirus program (or find the latest
backup that is not infected), and then recover the machine from this backup.
l Error check
If a recovery with volume resize has failed, the reason may be an error in the backed-up file
system. Mount the backup in the read/write mode. Then, check the mounted volume for errors
by using the chkdsk /r command. After the errors are fixed and a new incremental backup is
created, recover the system from this backup.
Note
Double-click a volume to browse its content. You can copy files and folders from the backup to
any folder on the file system.
5. Right-click a volume to mount, and then select one of the following options:
a. Mount
Note
Only the last backup in the archive (backup chain) can be mounted in read-write mode.
To unmount a volume
1. Browse to Computer (This PC in Windows 8.1 and later) by using File Explorer.
2. Right-click the mounted volume.
3. Click Unmount.
4. [Optional] If the volume was mounted in the read/write mode, and its content was modified,
select whether to create an incremental backup containing the changes. Otherwise, skip this
step.
Validating backups
By validating a backup, you verify that you can recover the data from it. For more information about
this operation, refer to "Validation" (p. 182).
To validate a backup
Exporting backups
The export operation creates a self-sufficient copy of a backup in the location that you specify. The
original backup remains untouched. Exporting backups allows you to separate a specific backup
from a chain of incremental and differential backups for fast recovery, for writing onto removable or
detachable media, or for other purposes.
Note
This functionality is available with the Advanced Backup pack and requires a Server quota for the
machine with the agent that will perform the off-host data processing operations.
The result of an export operation is always a full backup. If you want to replicate the entire backup
chain to a different location and preserve multiple recovery points, use a backup replication plan.
For more information about this plan, refer to "Backup replication" (p. 179).
The backup file name of the exported backup is the same as that of the original backup, except for
the sequence number. If multiple backups from the same backup chain are exported to the same
location, a four-digit sequence number is appended to the file names of all backups except for the
first one.
The exported backup inherits the encryption settings and password from the original backup. When
exporting an encrypted backup, you must specify the password.
To export a backup
Deleting backups
Warning!
If immutable storage is disabled, backup data is permanently deleted and cannot be recovered.
To delete backups of a workload that is online and present in the Cyber Protect console
1. On the All devices tab, select a workload whose backups you want to delete.
2. Click Recovery.
3. Select the location to delete the backups from.
4. Delete the desired backups. You can delete the whole backup chain or a single backup in it.
l To delete the whole backup chain, click Delete all.
l To delete a single backup in the selected chain:
a. Select the backup to delete, and then click the gear icon.
b. Click Delete.
5. Confirm your decision.
1. On the Backup storage tab, select the location from which you want to delete the backups.
The software displays all backups that your account is allowed to view in the selected location.
The backups are combined in backup sets. The backup set names are based on the following
template:
l <workload name> - <protection plan name>
l <user name> or <drive name> - <cloud service> - <protection plan name> – for cloud-to-cloud
backups
2. Select a backup set.
3. Delete the desired backups. You can delete the whole backup set or a single backup in it.
l To delete the whole backup set, click Delete.
l To delete a single backup in the selected set:
a. Click Show backups.
b. Select the backup to delete, and then click the gear icon.
c. Click Delete.
4. Confirm your decision.
1. Log in to the cloud storage, as described in "Downloading files from the cloud storage" (p. 462).
2. Click the name of the workload whose backups you want to delete.
The software displays one or more backup groups.
3. Click the gear icon corresponding to the backup group that you want to delete.
We recommend that you delete backups by using the Cyber Protect console, whenever possible. If
you deleted local backups by using a file manager, do the following:
1. On the Backup storage tab, click the gear icon next to the location name.
2. Click Refresh.
This way you will inform the Cyber Protection service that the local storage usage is decreased.
Bottlenecks occur in any data transmission, so their presence does not necessarily mean that they
need to be resolved. Your backups may already be fast enough to fit your backup windows and
meet your SLAs, in which case there is typically nothing that you need to resolve.
You can easily view and track bottlenecks in the Activity details tab. To do this, in the Cyber Protect
console, go to Monitoring > Activities, and then click the relevant activity. For more information
about viewing bottlenecks, see "Viewing bottleneck details" (p. 484) and "On what workloads,
agents, and backup locations are bottlenecks shown?" (p. 485).
What is a bottleneck?
Bottlenecks are typically caused by a slow component in the processing chain, in other words, a
component that the other components wait for.
The bottleneck detection feature enables you to track these slow components during the backup
and recovery process, helping you understand which of the following component types is the
slowest:
l Source: At a glance, you can determine if the reading speed from the backup/recovery source is
causing a bottleneck.
l Destination: Understand if the writing speed to the backup/recovery destination is affecting
performance.
l Agent: Understand if the agent is processing the data fast enough.
The bottleneck type, whether from the source, destination, or agent, can change at different times
during the backup/recovery activity. The percentages shown in the Bottleneck section of the
Activity details tab below (for example, Read data from source (workload): 63%), represent the
percentage of time when this type of bottleneck was encountered. In this case, for 63% of the
recovery activity time, the bottleneck type was reading data, in other words, the slow speed in
reading data from the backup archive by the agent.
Note
It is normal behavior to see bottleneck statistics in the Activity details tab. These statistics are only
available for tasks more than one minute long.
To reduce bottlenecks and improve the read/write data flow performance, you should analyze the
channel between the agent and the data source/backup archive. For example, you can try
benchmarking your hard disks if the agent is backing up some local files.
For more information on the definition and core concepts of bottleneck types, see "Understanding
the detection of bottlenecks" (p. 482).
3. Click Show details to view the most frequently encountered bottleneck during the
backup/recovery operation.
The Bottleneck section expands to show a summary of the relevant bottleneck types.
Note
The bottleneck values update dynamically every minute while the corresponding activity is
running.
l Update index
The recovery points in the backup set are checked and the missing indexes are added to them.
l Rebuild index
The indexes for all the recovery points in the backup set are deleted, and then they are created
again.
l Delete index
The indexes for all recovery points in the backup set are deleted.
1. On the Backup storage tab, select the location where the backups are stored.
2. On the right tab, select the action that you want to perform: Update index, Rebuild index or
Delete index.
Note
The manual operations with indexes are used for troubleshooting and they are only available to
partner administrators and customer administrators. We recommend that you contact the Support
team before using any of them.
You can define which operation with indexes is available for each user role.
Partner administrator + + +
Customer administrator + - -
l Database backup
This is a file-level backup of the databases and the metadata associated with them. The
databases can be recovered to a live application or as files.
l Application-aware backup
This is a disk-level backup that also collects the applications' metadata. This metadata enables
browsing and recovery of the application data without recovering the entire disk or volume. The
disk or volume can also be recovered as a whole. This means that a single solution and a single
protection plan can be used for both disaster recovery and data protection purposes.
For Microsoft Exchange Server, you can opt for Mailbox backup. This is a backup of individual
mailboxes via the Exchange Web Services protocol. The mailboxes or mailbox items can be
recovered to a live Exchange Server or to Microsoft 365. Mailbox backup is supported for Microsoft
Exchange Server 2010 Service Pack 1 (SP1) and later.
To protect only the content, you can back up the content databases separately.
Recovering applications
The following table summarizes the available application recovery methods.
Microsoft SQL Server | Databases to a live SQL Server instance; Databases as files | Entire machine; Databases to a live SQL Server instance; Databases as files | Entire machine
* Granular recovery is also available from a mailbox backup. Recovery of Exchange data items to
Microsoft 365, and vice versa, is supported on the condition that Agent for Microsoft 365 is installed
locally.
Prerequisites
Before configuring the application backup, ensure that the requirements listed below are met.
Common requirements
For Microsoft SQL Server, ensure that:
Note
Agent for Exchange needs a temporary storage to operate. By default, the temporary files are
located in %ProgramData%\Acronis\Temp. Ensure that you have at least as much free space on the
volume where the %ProgramData% folder is located as 15 percent of an Exchange database size.
Alternatively, you can change the location of the temporary files before creating Exchange backups
as described in Changing Temp Files and Folder Location (40040).
l For physical machines and machines with the agent installed inside, the Volume Shadow Copy
Service (VSS) backup option is enabled.
l For virtual machines, the Volume Shadow Copy Service (VSS) for virtual machines backup option
is enabled.
Note
Use the built-in domain administrator account that was configured as part of the creation of the
domain. Accounts created later are not supported.
Select the databases as described below, and then specify other settings of the protection plan as
appropriate.
The SQL transaction logs are truncated after each successful backup. SQL log truncation can be
disabled in the protection plan options.
An incremental backup contains the changed blocks of the database files, the checkpoint files, and a
small number of the log files that are more recent than the corresponding database checkpoint.
Because changes to the database files are included in the backup, there is no need to back up all the
transaction log records since the previous backup. Only the log that is more recent than the
checkpoint needs to be replayed after a recovery. This makes for faster recovery and ensures
successful database backup, even with circular logging enabled.
The transaction log files are truncated after each successful backup.
Note
This feature is available with the Advanced Backup pack.
In a Failover Cluster Instance, SQL databases are located on a shared storage. This storage can only
be accessed from the active cluster node. If the active node fails, a failover occurs and a different
node becomes active.
In an availability group, each database replica resides on a different node. If the primary replica
becomes unavailable, a secondary replica residing on a different node is assigned the primary role.
Thus, the clusters are already serving as a disaster recovery solution themselves. However, there
might be cases when the clusters cannot provide data protection: for example, in case of a database
logical corruption, or when the entire cluster is down. Also, cluster solutions do not protect from
harmful content changes, as they usually immediately replicate to all cluster nodes.
How many agents are required for cluster data backup and recovery?
For successful data backup and recovery of a cluster, Agent for SQL has to be installed on each node
of the WSFC cluster.
Warning!
The database set must be exactly the same in all nodes. If even one set is different, or not
defined on all nodes, the cluster backup will not work correctly.
Important
A database that is included in an Always On Availability Group cannot be overwritten during a
recovery because Microsoft SQL Server prohibits this. You need to exclude the target database
from the AAG before the recovery. Or, just recover the database as a new non-AAG one. When
the recovery is completed, you can reconstruct the original AAG configuration.
Note
This feature is available with the Advanced Backup pack.
However, there might be cases when failover cluster solutions cannot provide data protection: for
example, in case of a database logical corruption, or when a particular database in a cluster has no
copy (replica), or when the entire cluster is down. Also, cluster solutions do not protect from harmful
content changes, as they usually immediately replicate to all cluster nodes.
Cluster-aware backup
With cluster-aware backup, you back up only one copy of the clustered data. If the data changes its
location within the cluster (due to a switchover or a failover), the software will track all relocations of
this data and safely back it up.
DAG is a group of up to 16 Exchange Mailbox servers. Any node can host a copy of a mailbox
database from any other node. Each node can host passive and active database copies. Up to 16
copies of each database can be created.
How many agents are required for cluster-aware backup and recovery?
For successful backup and recovery of clustered databases, Agent for Exchange has to be installed
on each node of the Exchange cluster.
Note
After you install the agent on one of the nodes, the Cyber Protect console displays the DAG and its
nodes under Devices > Microsoft Exchange > Databases. To install Agents for Exchange on the
rest of the nodes, select the DAG, click Details, and then click Install agent next to each of the
nodes.
Important
For cluster-aware backup, ensure that you select the DAG itself. If you select individual nodes or
databases inside the DAG, only the selected items will be backed up and the Cluster backup mode
option will be ignored.
Application-aware backup
Application-aware disk-level backup is available for physical machines, ESXi virtual machines, and
Hyper-V virtual machines.
When you back up a machine running Microsoft SQL Server, Microsoft Exchange Server, or Active
Directory Domain Services, enable Application backup for additional protection of these
applications' data.
l The applications are backed up in a consistent state and thus will be available immediately after
the machine is recovered.
l You can recover the SQL and Exchange databases, mailboxes, and mailbox items without
recovering the entire machine.
l The SQL transaction logs are truncated after each successful backup. SQL log truncation can be
disabled in the protection plan options. The Exchange transaction logs are truncated on virtual
machines only. You can enable the VSS full backup option if you want to truncate Exchange
transaction logs on a physical machine.
l If a domain contains more than one domain controller, and you recover one of them, a
nonauthoritative restore is performed and a USN rollback will not occur after the recovery.
On a virtual machine, no agent installation is required; it is presumed that the machine is backed up
by Agent for VMware (Windows) or Agent for Hyper-V.
Note
For Hyper-V and VMware ESXi virtual machines that are running Windows Server 2022, application-
aware backup is not supported in the agentless mode – that is, when the backup is performed by
Agent for Hyper-V or Agent for VMware, respectively. To protect Microsoft applications on these
machines, install Agent for Windows inside the guest operating system.
Agent for VMware (Virtual Appliance) can create application-aware backups, but cannot recover
application data from them. To recover application data from backups created by this agent, you
need Agent for VMware (Windows), Agent for SQL, or Agent for Exchange on a machine that has
access to the location where the backups are stored. When configuring recovery of application data,
select the recovery point on the Backup storage tab, and then select this machine in Machine to
browse from.
Other requirements are listed in the "Prerequisites" and "Required user rights" sections.
Note
Application-aware backups of Hyper-V virtual machines may fail with the error "WMI 'ExecQuery'
failed executing query." or "Failed to create a new process via WMI" if the backups are performed
on a host under high load, due to no or delayed response from Windows Management
Instrumentation. Retry these backups in a time slot when the load on the host is lower.
If you do not want to disable UAC, you must provide the credentials of the built-in domain
administrator (DOMAIN\Administrator) when enabling application backup.
Note
Use the built-in domain administrator account that was configured as part of the creation of the
domain. Accounts created later are not supported.
Mailbox backup
Mailbox backup is supported for Microsoft Exchange Server 2010 Service Pack 1 (SP1) and later.
Mailbox backup is available if at least one Agent for Exchange is registered on the management
server. The agent must be installed on a machine that belongs to the same Active Directory forest as
Microsoft Exchange Server.
Before backing up mailboxes, you must connect Agent for Exchange to the machine running the
Client Access server role (CAS) of Microsoft Exchange Server. In Exchange 2016 and later, the CAS
role is not available as a separate installation option. It is automatically installed as part of the
Mailbox server role. Thus, you can connect the agent to any server running the Mailbox role.
As a result, the mailboxes appear under Devices > Microsoft Exchange > Mailboxes.
Membership of the account in the Organization Management role group enables access to any
mailbox, including mailboxes that will be created in the future.
You can recover SQL databases to the original instance, to a different instance on the original
machine, or to an instance on a non-original machine. When you perform recovery to a non-original
machine, Agent for SQL must be installed on the target machine.
If you use Windows authentication for the SQL instance, you must provide credentials for an
account that is a member of the Backup Operators or Administrators group on the machine and
a member of the sysadmin role on the target instance. If you use SQL Server authentication, you
must provide credentials for an account that is a member of the sysadmin role on the target
instance.
System databases are recovered as user databases, with some distinctions. To learn more about
these distinctions, refer to "Recovering system databases" (p. 506).
During a recovery, you can check the progress of the operation in the Cyber Protect console, on the
Monitoring > Activities tab.
The SQL Server version on the target machine must be the same as the version on the source
machine, or newer.
4. Select the backup set, and then in the Actions pane, click Show backups.
Application-aware backup sets and database backup sets have different icons.
5. Select the recovery point from which you want to recover data.
6. [For database backups] Click Recover SQL databases.
7. [For application-aware backups] Click Recover > SQL databases.
8. Select the SQL Server instance or click the instance name to select specific databases that you
want to recover, and then click Recover.
9. [If there is more than one SQL instance on the target machine] Click Target SQL Server
instance, select the target instance, and then click Done.
10. Click the database name, specify the new database path and log path, and then click Done.
You can specify the same path in both fields, for example:
From Devices
You can recover databases as files to the original machine or to non-original target machines, on
which Agent for SQL is installed. When you recover data to non-original machines, the backups must
be located on the cloud storage or on a shared storage that the target machine can access.
Note
Recovering databases as files is the only recovery method if you use Agent for VMware (Windows).
Recovering databases by using Agent for VMware (Virtual Appliance) is not possible.
6. In Path, click Browse, select a local or network folder to save the files to, and then click Done.
7. Click Start recovery.
This procedure applies to application-aware backups and database backups on source machines
that are offline.
4. Select the backup set, and then in the Actions pane, click Show backups.
Application-aware backup sets and database backup sets have different icons.
5. Select the recovery point from which you want to recover data.
6. [For database backups] Click Recover SQL databases.
7. [For application-aware backups] Click Recover > SQL databases.
8. Select the SQL Server instance or click the instance name to select specific databases that you
want to recover, and then click Recover as files.
9. In Path, click Browse, select a local or a network folder to save the files to, and then click Done.
10. Click Start recovery.
l System databases can only be recovered to an instance of the same version as the original
instance.
l System databases are always recovered in the "ready to use" state.
l Databases that have appeared in the instance after the backup was done are not visible to the
instance. To bring these databases back to production, attach them to the instance manually by
using SQL Server Management Studio.
l Databases that have been deleted after the backup was done are displayed as offline in the
instance. Delete these databases by using SQL Server Management Studio.
Attaching a database requires any of the following permissions: CREATE DATABASE, CREATE ANY
DATABASE, or ALTER ANY DATABASE. Normally, these permissions are granted to the sysadmin
role of the instance.
To attach a database
You can recover Exchange Server data to a live Exchange Server. This may be the original Exchange
Server or an Exchange Server of the same version running on the machine with the same fully
qualified domain name (FQDN). Agent for Exchange must be installed on the target machine.
Alternatively, you can recover the databases (storage groups) as files. The database files, along with
transaction log files, will be extracted from the backup to a folder that you specify. This can be
useful if you need to extract data for an audit or further processing by third-party tools, or when the
recovery fails for some reason and you are looking for a workaround to mount the databases
manually.
If you use only Agent for VMware (Windows), recovering databases as files is the only available
recovery method. Recovering databases by using Agent for VMware (Virtual Appliance) is not
possible.
We will refer to both databases and storage groups as "databases" throughout the below
procedures.
The recovered databases will be in a Dirty Shutdown state. A database that is in a Dirty Shutdown
state can be mounted by the system if it is recovered to its original location (that is, information
about the original database is present in Active Directory). When recovering a database to an
alternate location (such as a new database or as the recovery database), the database cannot be
The account you use to attach a database must be delegated an Exchange Server Administrator role
and a local Administrators group for the target server.
For details about how to mount databases, see the following articles:
Note
Available only from database backups. See "Selecting Exchange Server data" (p. 491).
Granular recovery can be performed by Agent for Exchange or Agent for VMware (Windows). The
target Exchange Server and the machine running the agent must belong to the same Active
Directory forest.
When a mailbox is recovered to an existing mailbox, the existing items with matching IDs are
overwritten.
User mailboxes and their contents can be recovered only if their associated user accounts are
enabled. Shared, room, and equipment mailboxes can be recovered only if their associated user
accounts are disabled.
A mailbox that does not meet the above conditions is skipped during recovery.
If some mailboxes are skipped, the recovery will succeed with warnings. If all mailboxes are skipped,
the recovery will fail.
Recovery can be performed from backups of Microsoft Exchange Server 2010 and later.
When a mailbox is recovered to an existing Microsoft 365 mailbox, the existing items are kept intact,
and the recovered items are placed next to them.
When recovering a single mailbox, you need to select the target Microsoft 365 mailbox. When
recovering several mailboxes within one recovery operation, the software will try to recover each
mailbox to the mailbox of the user with the same name. If the user is not found, the mailbox is
skipped. If some mailboxes are skipped, the recovery will succeed with warnings. If all mailboxes are
skipped, the recovery will fail.
For more information about recovery to Microsoft 365, refer to "Protecting Microsoft 365
mailboxes".
Recovering mailboxes
To recover mailboxes from an application-aware backup or a database backup
1. [Only when recovering from a database backup to Microsoft 365] If Agent for Microsoft 365 is
not installed on the machine running Exchange Server that was backed up, do one of the
following:
l If there is no Agent for Microsoft 365 in your organization, install Agent for Microsoft 365 on
the machine that was backed up (or on another machine with the same Microsoft Exchange
Server version).
l If you already have Agent for Microsoft 365 in your organization, copy libraries from the
machine that was backed up (or from another machine with the same Microsoft Exchange
Server version) to the machine with Agent for Microsoft 365, as described in "Copying
Microsoft Exchange libraries".
7. Click Recover.
8. [Only when recovering to Microsoft 365]:
a. In Recover to, select Microsoft 365.
b. [If you selected only one mailbox in step 6] In Target mailbox, specify the target mailbox.
c. Click Start recovery.
Further steps of this procedure are not required.
Click Target machine with Microsoft Exchange Server to select or change the target machine.
This step allows recovery to a machine that is not running Agent for Exchange.
Specify the fully qualified domain name (FQDN) of a machine where the Client Access role (in
Microsoft Exchange Server 2010/2013) or Mailbox role (in Microsoft Exchange Server 2016 or
later) is enabled. The machine must belong to the same Active Directory forest as the machine
that performs the recovery.
9. If prompted, provide the credentials of an account that will be used to access the machine. The
requirements for this account are listed in "Required user rights".
1. [Only when recovering from a database backup to Microsoft 365] If Agent for Microsoft 365 is
not installed on the machine running Exchange Server that was backed up, do one of the
following:
l If there is no Agent for Microsoft 365 in your organization, install Agent for Microsoft 365 on
the machine that was backed up (or on another machine with the same Microsoft Exchange
Server version).
l If you already have Agent for Microsoft 365 in your organization, copy libraries from the
machine that was backed up (or from another machine with the same Microsoft Exchange
Server version) to the machine with Agent for Microsoft 365, as described in "Copying
Microsoft Exchange libraries".
2. Do one of the following:
l When recovering from an application-aware backup: under Devices, select the machine that
originally contained the data that you want to recover.
l When recovering from a database backup, click Devices > Microsoft Exchange > Databases,
and then select the database that originally contained the data that you want to recover.
3. Click Recovery.
4. Select a recovery point. Note that recovery points are filtered by location.
If the machine is offline, the recovery points are not displayed. Use other ways to recover:
l [Only when recovering from an application-aware backup] If the backup location is cloud or
shared storage (i.e. other agents can access it), click Select machine, select an online machine
that has Agent for Exchange or Agent for VMware, and then select a recovery point.
l Select a recovery point on the Backup storage tab.
The machine chosen for browsing in either of the above actions will perform the recovery
instead of the original machine that is offline.
5. Click Recover > Exchange mailboxes.
Note
Click the name of an attached file to download it.
8. Click Recover.
9. To recover to Microsoft 365, select Microsoft 365 in Recover to.
To recover to an Exchange Server, keep the default Microsoft Exchange value in Recover to.
[Only when recovering to an Exchange Server] Click Target machine with Microsoft Exchange
Server to select or change the target machine. This step allows recovery to a machine that is not
running Agent for Exchange.
Specify the fully qualified domain name (FQDN) of a machine where the Client Access role (in
Microsoft Exchange Server 2010/2013) or Mailbox role (in Microsoft Exchange Server 2016 or
later) is enabled. The machine must belong to the same Active Directory forest as the machine
that performs the recovery.
10. If prompted, provide the credentials of an account that will be used to access the machine. The
requirements for this account are listed in "Required user rights".
11. In Target mailbox, view, change, or specify the target mailbox.
By default, the original mailbox is selected. If this mailbox does not exist or a non-original target
machine is selected, you must specify the target mailbox.
12. [Only when recovering email messages] In Target folder, view or change the target folder in the
target mailbox. By default, the Recovered items folder is selected. Due to Microsoft Exchange
Note
Click the name of an attached file to download it.
When an email message is selected, you can click Send as email to send the message to an
email address. The message is sent from your administrator account's email address.
Copy the following files, according to the Microsoft Exchange Server version that was backed up.
store.exe
msvcr110.dll %WINDIR%\system32
msvcr110.dll %WINDIR%\system32
msvcp110.dll
The libraries should be placed in the folder %ProgramData%\Acronis\ese. If this folder does not exist,
create it manually.
Note
Make sure you remember the password, because a forgotten password can never be
restored or changed.
b. Tap Encrypt.
6. Tap Back up.
7. Allow the app access to your personal data. If you deny access to some data categories, they will
not be backed up.
l To download individual photos, videos, contacts, calendars, or reminders, click the respective
data category name, and then select the check boxes for the required data items. Click
Download.
l Mailboxes
l Email folders
l Email messages
l Calendar events
l Tasks
l Contacts
l Journal entries
l Notes
When recovering mailboxes, mailbox items, public folders, and public folder items, you can select
whether to overwrite the items in the target location.
Recovery of mailbox items does not overwrite anything. Instead, the full path to a mailbox item is
recreated in the target folder.
Selecting mailboxes
Select the mailboxes as described below, and then specify other settings of the protection plan as
appropriate.
Recovering mailboxes
1. Click Devices > Hosted Exchange.
2. If multiple Hosted Exchange organizations were added to the Cyber Protection service, select the
organization whose backed-up data you want to recover. Otherwise, skip this step.
3. Do one of the following:
l To recover a user mailbox, expand the Users node, select All users, select the user whose
mailbox you want to recover, and then click Recovery.
l To recover a shared mailbox, expand the Users node, select All users, select the shared
mailbox that you want to recover, and then click Recovery.
l To recover a group mailbox, expand the Groups node, select All groups, select the group
whose mailbox you want to recover, and then click Recovery.
l If the user, group, or the shared mailbox was deleted, select the item in the Cloud
applications backups section of the Backup storage tab, and then click Show backups.
You can search users and groups by name. Wildcards are not supported.
Additionally, you can do any of the following:
l When an item is selected, click Show content to view its contents, including
attachments. Click the name of an attached file to download it.
l When an email message or a calendar item is selected, click Send as email to send the item
to the specified email addresses. You can select the sender and write a text to be added to the
forwarded item.
l Only if the backup is not encrypted, you used search, and selected a single item in the search
results: click Show versions to select the item version to recover. You can select any backed-
up version, earlier or later than the selected recovery point.
8. Click Recover.
9. If multiple Hosted Exchange organizations were added to the Cyber Protection service, click
Hosted Exchange organization to view, change, or specify the target organization.
By default, the original organization is selected. If this organization is no longer registered in the
Cyber Protection service, you must specify the target organization.
10. In Recover to mailbox, view, change, or specify the target mailbox.
By default, the original mailbox is selected. If this mailbox does not exist or a non-original
organization is selected, you must specify the target mailbox.
11. [Only when recovering to a user or a shared mailbox] In Path, view or change the target folder in
the target mailbox. By default, the Recovered items folder is selected.
Group mailbox items are always recovered to the Inbox folder.
12. Click Start recovery.
13. Select one of the overwriting options:
l Overwrite existing items
l Do not overwrite existing items
14. Click Proceed to confirm your decision.
Backed-up data is automatically compressed and it uses less space on the backup location than on
its original location. The compression level for cloud-to-cloud backups is fixed and corresponds to
the Normal level of non-cloud-to-cloud backups. For more information about these levels, refer to
"Compression level" (p. 411).
Note
For tenants in the Enhanced security mode, only the local agent is available. These tenants can only
back up Microsoft 365 mailboxes. They cannot use the additional features provided by the cloud
agent.
Local Agent for Microsoft 365 compared with Cloud Agent for Microsoft 365

Data items that can be backed up
Local Agent for Microsoft 365:
Exchange Online: user mailboxes and shared mailboxes (including mailboxes of users on a Kiosk
plan and mailboxes on litigation hold)
Cloud Agent for Microsoft 365:
l Exchange Online:
o user mailboxes and shared mailboxes (including mailboxes of users on a Kiosk plan and
mailboxes on litigation hold)
o group mailboxes
o public folders
l OneDrive: user files and folders
l SharePoint Online:
o classic site collections
o team channels
o channel files
o team mailboxes
o files and email messages in team mailboxes
o meetings
o team sites
l OneNote notebooks: as part of OneDrive, SharePoint Online, and Microsoft 365 Teams backups

Backup locations
Local Agent for Microsoft 365: Cloud storage, local folder, network folder
Cloud Agent for Microsoft 365: Cloud storage only (including partner-hosted storage)

Recovery to an on-premises Microsoft Exchange Server
Local Agent for Microsoft 365: No
Cloud Agent for Microsoft 365: No

Maximum number of items that can be backed up without performance degradation
Local Agent for Microsoft 365:
When backing up to the cloud storage: 5000 mailboxes per company
When backing up to other destinations: 2000 mailboxes per protection plan (no limitation for
number of mailboxes per company)
Cloud Agent for Microsoft 365: 10 000 protected items (mailboxes, OneDrives, or sites) per
company**
* The default option is Once a day. With the Advanced Backup pack, you can schedule up to six
backups per day. The backups start at approximate intervals that depend on the current load of the
cloud agent, which serves multiple customers in a data center. This ensures even load during the
day and equal quality of service for all customers.
Note
The protection schedule might be affected by the operation of third-party services, for example, the
accessibility of Microsoft 365 servers, throttling settings on the Microsoft servers, and others. See
also https://docs.microsoft.com/en-us/graph/throttling.
1. Mailboxes.
2. After all mailboxes are backed up, proceed with OneDrives.
3. After OneDrive backup is completed, proceed with the SharePoint Online sites.
The first full backup may take several days, depending on the number of protected items and their
size.
Limitations
l All users with a mailbox or OneDrive are shown in the Cyber Protect console, including users
without a Microsoft 365 license and users who are blocked from signing in to the Microsoft 365
services.
l A mailbox backup includes only folders visible to users. The Recoverable items folder and its
subfolders (Deletions, Versions, Purges, Audits, DiscoveryHold, Calendar Logging) are not
included in a mailbox backup.
l Automatic creation of users, public folders, groups, or sites during a recovery is not possible. For
example, if you want to recover a deleted SharePoint Online site, first create a new site manually,
and then specify it as the target site during a recovery.
l You cannot simultaneously recover items from different recovery points, even though you can
select such items from the search results.
l During a backup, any sensitivity labels that are applied to the content will be preserved.
Therefore, sensitive content might not be shown if it is recovered to a non-original location and
its user has different access permissions.
l You cannot apply more than one individual backup plan to the same workload.
l When an individual backup plan and a group backup plan are applied to the same workload, the
settings in the individual plan take precedence.
The cloud Agent for Microsoft 365 can be used both on a customer tenant level and on a unit level.
For more information about these levels and their respective administrators, refer to "Administering
Microsoft 365 organizations added on different levels" (p. 533).
In Microsoft 365
Your account must be assigned the global administrator role in Microsoft 365.
l The local agent will log in to Microsoft 365 by using this account. To enable the agent to access
the contents of all mailboxes, this account will be assigned the ApplicationImpersonation
management role. If you change this account password, update the password in the Cyber
Protect console, as described in "Changing the Microsoft 365 access credentials".
l The cloud agent does not log in to Microsoft 365. The agent is given the necessary permissions
directly by Microsoft 365. You only need to confirm granting these permissions once, while
signed in as a global administrator. The agent does not store your account credentials and does
not use them to perform backup and recovery. Changing the password of this account, disabling
the account, or deleting it in Microsoft 365 does not affect agent operation.
This report is only available for tenants in which a Microsoft 365 Organization is registered.
Logging
Actions with cloud-to-cloud resources, such as viewing the content of backed-up emails,
downloading attachments or files, recovering emails to non-original mailboxes, or sending them as
emails may violate user privacy. These actions are logged in Monitoring > Audit log in the
Management Portal.
As a result, your organization data items appear in the Cyber Protect console, on the Microsoft
Office 365 (Local agent) tab.
Important
There must be only one locally installed Agent for Office 365 in an organization (company group).
Note
On the machine where Agent for Office 365 is installed, ensure that you allow access to
graph.microsoft.com through port 443.
Your application is now created. In the Azure portal, navigate to the application's Overview page
and check your application (client) ID and directory (tenant) ID.
1. In the Azure portal, navigate to the application's API permissions, and then click Add a
permission.
2. Select the APIs my organization uses tab, and then search for Office 365 Exchange Online.
3. Click Office 365 Exchange Online, and then click Application permissions.
4. Select the full_access_as_app check box, and then click Add permissions.
5. In API permissions, click Add a permission.
6. Select Microsoft Graph.
7. Select Application permissions.
8. Expand the Directory tab, and then select the Directory.Read.All check box. Click Add
permissions.
9. Check all permissions, and then click Grant admin consent for <your application's name>.
10. Confirm your choice by clicking Yes.
1. In the Azure portal, navigate to your application's Certificates & secrets > New client secret.
2. In the dialog box that opens, select Expires: Never, and then click Add.
3. Check your application secret in the Value field and make sure that you remember it.
For more information on the application secret, refer to the Microsoft documentation.
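One way to check the app registration configured in the steps above: confirm that it carries exactly the two application permissions named there (full_access_as_app and Directory.Read.All) and report how long each client secret stays valid, so that a non-expiring secret is tracked. This is an added example, not part of the product or its documentation; it reads a constructed JSON sample shaped like a Microsoft Graph application object, and the permission IDs and the 730-day threshold are assumptions to confirm in your own tenant.

```python
import json
from datetime import datetime, timezone

# Resource and app-role IDs as commonly published by Microsoft. They are
# assumptions here: confirm them against the service principals in your tenant.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
MICROSOFT_GRAPH = "00000003-0000-0000-c000-000000000000"
EXPECTED_ROLES = {
    (EXCHANGE_ONLINE, "dc890d15-9560-4a4c-9b7f-a736ec74ec40"):
        "Office 365 Exchange Online / full_access_as_app",
    (MICROSOFT_GRAPH, "7ab1d382-f21e-4acd-a863-ba3e13f7da61"):
        "Microsoft Graph / Directory.Read.All",
}

# Constructed sample shaped like a Microsoft Graph "application" object.
# The ID 11111111-... is a made-up placeholder standing in for an extra
# permission that the setup steps do not ask for.
SAMPLE_APP_JSON = """
{
  "displayName": "backup-agent-app (constructed)",
  "requiredResourceAccess": [
    {"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
     "resourceAccess": [
       {"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40", "type": "Role"}]},
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [
       {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role"},
       {"id": "11111111-1111-1111-1111-111111111111", "type": "Role"}]}
  ],
  "passwordCredentials": [
    {"displayName": "agent-secret", "endDateTime": "2299-12-31T00:00:00Z"}
  ]
}
"""


def parse_graph_time(value):
    """Parse a timestamp such as 2026-01-01T00:00:00Z; fractions are ignored."""
    parsed = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def audit_app_registration(app, now, max_secret_days=730):
    """Return a list of (kind, detail) findings for one application object.

    requiredResourceAccess lists the permissions configured on the app; it
    does not show whether admin consent was granted for them.
    """
    findings = []
    seen = set()
    for resource in app.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            key = (resource.get("resourceAppId"), access.get("id"))
            if key in EXPECTED_ROLES and access.get("type") == "Role":
                seen.add(key)
            else:
                detail = "%s/%s (%s)" % (key[0], key[1], access.get("type"))
                findings.append(("unexpected-permission", detail))
    for key, name in EXPECTED_ROLES.items():
        if key not in seen:
            findings.append(("missing-permission", name))
    for cred in app.get("passwordCredentials", []):
        label = cred.get("displayName") or cred.get("keyId") or "unnamed"
        end = cred.get("endDateTime")
        if not end:
            findings.append(("secret-without-expiry", label))
            continue
        days_left = (parse_graph_time(end) - now).days
        if days_left < 0:
            findings.append(("secret-expired", label))
        elif days_left > max_secret_days:
            detail = "%s: %d days left" % (label, days_left)
            findings.append(("secret-long-lived", detail))
    return findings


if __name__ == "__main__":
    sample = json.loads(SAMPLE_APP_JSON)
    for kind, detail in audit_app_registration(sample, datetime.now(timezone.utc)):
        print(kind, "-", detail)
```

A secret created with the Expires: Never setting from the steps above is reported as long-lived; treat that finding as a prompt to record where the secret is stored and who owns it.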
l Mailboxes
l Email folders
l Email messages
l Calendar events
l Tasks
l Contacts
l Journal entries
l Notes
When a mailbox is recovered to an existing mailbox, the existing items with matching IDs are
overwritten.
Recovery of mailbox items does not overwrite anything. Instead, the full path to a mailbox item is
recreated in the target folder.
Selecting mailboxes
Select the mailboxes as described below, and then specify other settings of the protection plan as
appropriate.
To select mailboxes
Recovering mailboxes
1. Click Microsoft Office 365 (Local agent).
2. Select the mailbox to recover, and then click Recovery.
You can search mailboxes by name. Wildcards are not supported.
If the mailbox was deleted, select it on the Backup storage tab, and then click Show backups.
3. Select a recovery point. Note that recovery points are filtered by location.
4. Click Recover > Mailbox.
5. In Target mailbox, view, change, or specify the target mailbox.
By default, the original mailbox is selected. If this mailbox does not exist, you must specify the
target mailbox.
6. Click Start recovery.
Note
Click the name of an attached file to download it.
When an email message is selected, you can click Send as email to send the message to an
email address. The message is sent from your administrator account's email address.
The mailbox items are always recovered to the Recovered items folder of the target mailbox.
Company administrators add organizations to customer tenants. Unit administrators and customer
administrators acting on the unit level add organizations to units.
1. Depending on where you need to add the organization, log in to the Cyber Protect console as a
company administrator or unit administrator.
2. [For company administrators acting on the unit level] In the management portal, navigate to the
desired unit.
3. Click Devices > Add > Microsoft 365 Business.
The software redirects you to the Microsoft 365 login page.
4. Sign in with the Microsoft 365 global administrator credentials.
Microsoft 365 displays a list of permissions that are necessary to back up and recover your
organization's data.
5. Confirm that you grant the Cyber Protection service these permissions.
As a result, your Microsoft 365 organization appears under the Devices tab in the Cyber Protect
console.
Useful tips
l The cloud agent synchronizes with Microsoft 365 every 24 hours, starting from the moment when
the organization is added to the Cyber Protection service. If you add or remove a user, group, or
site, you will not see this change in the Cyber Protect console immediately. To synchronize the
change immediately, select the organization on the Microsoft 365 page, and then click Refresh.
For more information about synchronizing the resources of a Microsoft 365 organization and the
Cyber Protect console, refer to "Discovering Microsoft 365 resources" (p. 534).
Company administrators have limited access to the organizations that are added to a unit. In these
organizations, shown with the unit name in brackets, company administrators can do the following:
Company administrators, when acting on the customer tenant level, cannot do the following:
Unit administrators and company administrators acting on the unit level have full access to the
organizations that are added to a unit. However, they do not have access to any resources from the
parent customer tenant, including the protection plans that are created in it.
For more information about how to delete backups, see "To delete backups of any workload" (p.
481).
1. Depending on where the organization is added, sign in to the Cyber Protect console as a
company administrator or unit administrator.
However, you should additionally revoke access rights of the Backup Service application to Microsoft
365 organization data manually.
As a result, access rights to the Microsoft 365 organization data will be revoked from the Backup
Service application.
After the discovery operation completes, you can see the resources of the Microsoft 365
organization on the Devices > Microsoft 365 tab in the Cyber Protect console, and you can apply
backup plans to them.
An automatic discovery operation runs once a day to keep the list of resources in the Cyber Protect
console up to date. You can also synchronize this list on demand, by re-running a discovery
operation manually.
If the Advanced Backup pack is enabled in your tenant, you can configure more frequent backups.
You can select the number of backups per day, but you cannot configure the backup start time. The
backups start automatically at approximate intervals that depend on the current load of the cloud
agent, which serves multiple customers in a data center. This ensures even load during the day, and
equal quality of service for all customers.
Note
Depending on the load on the cloud agent and possible throttling on the Microsoft 365 side, a
backup might start later than scheduled or take longer to complete. If a backup takes longer than
the average interval between two backups, the next backup will be rescheduled, which might result
in fewer backups per day than selected. For example, only two backups per day might be able to
complete, even though you selected six per day.
Starting from version 8.0 of the Cyber Protection service, you can back up public folders. If your
organization was added to the Cyber Protection service before the version 8.0 release, you need to
re-add the organization to obtain this functionality. Do not delete the organization, simply repeat
l Mailboxes
l Email folders
l Email messages
l Calendar events
l Tasks
l Contacts
l Journal entries
l Notes
l Subfolders
l Posts
l Email messages
When recovering mailboxes, mailbox items, public folders, and public folder items, you can select
whether to overwrite the items in the target location.
Selecting mailboxes
Select the mailboxes as described below, and then specify other settings of the protection plan as
appropriate.
Note
Public folders consume licenses from your backup quota for Microsoft 365 seats.
Recovering mailboxes
1. Click Microsoft 365.
2. If multiple Microsoft 365 organizations were added to the Cyber Protection service, select the
organization whose backed-up data you want to recover. Otherwise, skip this step.
Note
To see only the recovery points that contain mailboxes, select Mailboxes in Filter by content.
Additionally, you can do any of the following:
l When an item is selected, click Show content to view its contents, including
attachments. Click the name of an attached file to download it.
l When an email message or a calendar item is selected, click Send as email to send the item
to the specified email addresses. You can select the sender and write a text to be added to the
forwarded item.
l Only if the backup is not encrypted, you used search, and selected a single item in the search
results: click Show versions to select the item version to recover. You can select any backed-
up version, earlier or later than the selected recovery point.
8. Click Recover.
9. If multiple Microsoft 365 organizations were added to the Cyber Protection service, click
Microsoft 365 organization to view, change, or specify the target organization.
By default, the original organization is selected. If this organization is no longer registered in the
Cyber Protection service, you must specify the target organization.
10. In Recover to mailbox, view, change, or specify the target mailbox.
By default, the original mailbox is selected. If this mailbox does not exist or a non-original
organization is selected, you must specify the target mailbox.
Note
Mailbox recovery to PST files can be time-consuming, as it involves not only data transfer, but also
data transformation using complex algorithms.
Important
Do not import these files to Microsoft Outlook by using the Import and Export Wizard.
Open the files by double-clicking them or right-clicking them and selecting Open with... >
Microsoft Outlook in the context menu.
Additionally, you can do any of the following:
l When an item is selected, click Show content to view its contents, including
attachments. Click the name of an attached file to download it.
l When an email message or a calendar item is selected, click Send as email to send the item
to the specified email addresses. You can select the sender and write a text to be added to the
forwarded item.
l Only if the backup is not encrypted, you used search, and selected a single item in the search
results: click Show versions to select the item version to recover. You can select any backed-
up version, earlier or later than the selected recovery point.
7. Click Recover as PST files.
8. Set the password to encrypt the archive with the PST files.
The password should contain at least one symbol.
9. Confirm the password and click DONE.
The selected mailbox items will be recovered as PST data files and archived in ZIP format. The
maximum size of one PST file is limited to 2 GB, so if the data you are recovering exceeds 2 GB, it will
be split into several PST files. The ZIP archive will be protected with the password you set.
You will receive an email with a link to a ZIP archive containing the created PST files.
The administrator will receive an email notification that you have performed the recovery
procedure.
Additionally, you can do any of the following:
l When an email message or a post is selected, click Show content to view its contents,
including attachments. Click the name of an attached file to download it.
l When an email message or a post is selected, click Send as email to send the item to
specified email addresses. You can select the sender and write a text to be added to the
forwarded item.
l Only if the backup is not encrypted, you used search, and selected a single item in the search
results: click Show versions to select the item version to recover. You can select any backed-
up version, earlier or later than the selected recovery point.
8. Click Recover.
Option | Description
Do not overwrite existing items | If the destination location contains a file of the same name, that file is not overwritten and the source file is not saved to the destination location.
A separate option in the backup plan enables the backup of OneNote notebooks.
Files are backed up together with their sharing permissions. Advanced permission levels (Design,
Full, Contribute) are not backed up.
Some files may contain sensitive information and the access to them may be blocked by a data loss
prevention (DLP) rule in Microsoft 365. These files are not backed up, and no warnings are displayed
after the backup operation completes.
Limitations
Backing up OneDrive content is not supported for shared mailboxes. To back up this content,
convert the shared mailbox to a regular user account and ensure that OneDrive is enabled for that
account.
Note
To see only the recovery points that contain OneDrive files, select OneDrive in Filter by
content.
Option | Description
Overwrite an existing file if it is older | If there is a file with the same name in the destination location, and it is older than the source file, the source file will be saved in the destination location, replacing the older version.
Overwrite existing files | All existing files in the destination location are overwritten, regardless of their last modified date.
Do not overwrite existing files | If there is a file with the same name in the destination location, no changes are applied to it, and the source file is not saved to the destination location.
Note
To see only the recovery points that contain OneDrive files, select OneDrive in Filter by
content.
Option | Description
Overwrite an existing file if it is older | If there is a file with the same name in the destination location, and it is older than the source file, the source file will be saved in the destination location, replacing the older version.
Overwrite existing files | All existing files in the destination location are overwritten, regardless of their last modified date.
Do not overwrite existing files | If there is a file with the same name in the destination location, no changes are applied to it, and the source file is not saved to the destination location.
Note
When you recover OneNote notebooks, both Overwrite an existing file if it is older and
Overwrite existing files will result in overwriting the existing OneNote notebooks.
A separate option in the backup plan enables the backup of OneNote notebooks.
l The Look and Feel site settings (except for Title, description, and logo).
l Site page comments and page comments settings (comments On/Off).
l The Site features site settings.
l Web part pages and web parts embedded in the wiki pages (due to SharePoint Online API
limitations).
l Checked-out files: files that are manually checked out for editing and all files that are created or
uploaded in libraries for which the option Require Check Out was enabled. To back up these
files, first check them in.
l External data and Managed Metadata types of columns.
l The default site collection "domain-my.sharepoint.com". This is a collection where all of the
organization users’ OneDrive files reside.
l The contents of the recycle bin.
l Entire site
l Subsites
l Lists
l List items
l Document libraries
l Documents
l List item attachments
l Site pages and wiki pages
Items can be recovered to the original or a non-original site. The path to a recovered item is the
same as the original one. If the path does not exist, it is created.
You can choose whether to recover the sharing permissions or let the items inherit the permissions
from the parent object after the recovery.
Note
To see only the recovery points that contain SharePoint sites, select SharePoint sites in Filter
by content.
Option | Description
Overwrite an existing file if it is older | If there is a file with the same name in the destination location, and it is older than the source file, the source file will be saved in the destination location, replacing the older version.
Overwrite existing files | All existing files in the destination location are overwritten, regardless of their last modified date.
Do not overwrite existing files | If there is a file with the same name in the destination location, no changes are applied to it, and the source file is not saved to the destination location.
Note
When you recover OneNote notebooks, both Overwrite an existing file if it is older and
Overwrite existing files will result in overwriting the existing OneNote notebooks.
A separate option in the backup plan enables the backup of OneNote notebooks.
You cannot recover conversations in team channels, but you can download them as a single HTML
file.
Limitations
The following items are not backed up:
l The settings of the general channel (moderation preferences) – due to a Microsoft Teams beta
API limitation.
l The settings of the custom channels (moderation preferences) – due to a Microsoft Teams beta
API limitation.
l Meeting notes.
Backup and recovery are supported for the following channel tabs:
l Word
l Excel
l PowerPoint
l PDF
l Document Library
Files that are shared in private channels are backed up, but not restored due to an API limitation.
Note
These files are stored in specific locations, separately from the files that are shared in public
channels.
Selecting teams
Select teams as described below, and then specify other settings of the protection plan as
appropriate.
To select teams
Note
When you recover OneNote notebooks, both of the options Overwrite existing content if it is
older and Overwrite existing content will result in overwriting the existing OneNote notebooks.
When you delete a channel in the Microsoft Teams graphical interface, it is not immediately removed
from the system. Thus, when you recover the whole team, this channel's name cannot be used and
a postfix will be added to it.
Conversations are recovered as a single HTML file in the Files tab of the channel. You can find this file
in a folder named according to the following pattern:
<Team name>_<Channel name>_conversations_backup_<date of recovery>T<time of recovery>Z.
Note
You can also download the files locally, instead of recovering them.
7. If multiple Microsoft 365 organizations were added to the Cyber Protection service, click
Microsoft 365 organization to view, change, or specify the target organization.
By default, the original organization is selected. If this organization is no longer registered in the
Cyber Protection service, you must specify the target organization.
8. In Recover to team, view, change, or specify the target team.
By default, the original team is selected. If this team does not exist or a non-original organization
is selected, you must specify the target team.
9. In Recover to channel, view, change, or specify the target channel.
10. Click Start recovery.
11. Select one of the overwriting options:
l Overwrite existing content if it is older
l Overwrite existing content
l Do not overwrite existing content
Note
When you recover OneNote notebooks, both of the options Overwrite existing content if it is
older and Overwrite existing content will result in overwriting the existing OneNote notebooks.
Conversations are recovered as a single HTML file in the Files tab of the channel. You can find this file
in a folder named according to the following pattern:
<Team name>_<Channel name>_conversations_backup_<date of recovery>T<time of recovery>Z.
Note
After recovering a team or team channels, go to Microsoft Teams, select the channels that were
recovered, and then click their Files tab. Otherwise, the subsequent backups of these channels will
not include this tab's content – due to a Microsoft Teams beta API limitation.
Note
When you recover OneNote notebooks, both of the options Overwrite existing content if it is
older and Overwrite existing content will result in overwriting the existing OneNote notebooks.
You cannot recover individual conversations. In the main pane, you can only browse the
Conversation folder or download its content as a single HTML file. To do so, click the "recover
folders" icon, select the desired Conversations folder, and then click Download.
l Sender
l Content
l Attachment name
l Date
6. Click the "recover folders" icon, select the root mailbox folder, and then click Recover.
Note
You can also recover individual folders from the selected mailbox.
7. Click Recover.
8. If multiple Microsoft 365 organizations were added to the Cyber Protection service,
click Microsoft 365 organization to view, change, or specify the target organization.
By default, the original organization is selected. If this organization is no longer registered in the
Cyber Protection service, you must specify the target organization.
9. In Recover to mailbox, view, change, or specify the target mailbox.
By default, the original mailbox is selected. If this mailbox does not exist or a non-original
organization is selected, you must specify the target mailbox.
10. Click Start recovery.
11. Select one of the overwriting options:
icon:
Additionally, you can do any of the following:
l When an item is selected, click Show content to view its contents, including
attachments. Click the name of an attached file to download it.
l When an email message or a calendar item is selected, click Send as email to send the item
to the specified email addresses. You can select the sender and write a text to be added to the
forwarded item.
l If the backup is not encrypted, and you used search and selected a single item from the
search results, click Show versions to view the item version. You can select any backed-up
version, whether it is earlier or later than the selected recovery point.
8. Click Recover as PST files.
9. Set the password to encrypt the archive with the PST files.
The password should contain at least one symbol.
10. Confirm the password and click DONE.
The selected mailbox items will be recovered as PST data files and archived in ZIP format. The
maximum size of one PST file is limited to 2 GB, so if the data you are recovering exceeds 2 GB, it will
be split into several PST files. The ZIP archive will be protected with the password you set.
You will receive an email with a link to a ZIP archive containing the created PST files.
Note
You can find the meetings in the Calendar folder.
To exclude the OneNote notebooks from these backups, disable the Include OneNote switch in the
respective backup plan.
l For OneDrive backups, see "Recovering an entire OneDrive" (p. 546) or "Recovering OneDrive
files" (p. 547).
l For Teams backups, see "Recovering an entire team" (p. 554), "Recovering team channels or files
in team channels" (p. 555) or "Recovering a team site or specific items of a site" (p. 560).
l For SharePoint site backups, see "Recovering SharePoint Online data" (p. 550).
Supported versions
l OneNote (OneNote 2016 and later)
l OneNote for Windows 10
In Google Workspace
To add your Google Workspace organization to the Cyber Protection service, you must be signed in
as a Super Admin with enabled API access (Security > API reference > Enable API access in the
Google Admin console).
The Super Admin password is not stored anywhere and is not used to perform backup and
recovery. Changing this password in Google Workspace does not affect Cyber Protection service
operation.
If the Super Admin who added the Google Workspace organization is deleted from Google
Workspace or assigned a role with fewer privileges, the backups will fail with an error like 'Access
denied'. In this case, repeat the 'Adding a Google Workspace organization' procedure, and specify
The default option is Once a day. With the Advanced Backup pack, you can schedule up to six
backups per day. The backups start at approximate intervals that depend on the current load of the
cloud agent, which serves multiple customers in a data center. This ensures even load during the
day and equal quality of service for all customers.
Limitations
l The console shows only users that have an assigned Google Workspace license and a mailbox or
Google Drive.
l Search in encrypted backups is not supported.
l Documents in the native Google formats are backed up as generic office documents and are
shown with a different extension in the Cyber Protect console – such as .docx or .pptx, for
example. The documents are converted back to their original format during recovery.
l No more than 10 manual backup runs during an hour.
l No more than 10 simultaneous recovery operations (this number includes both Microsoft 365
and Google Workspace recovery).
l You cannot simultaneously recover items from different recovery points, even though you can
select such items from the search results.
l The backups of deleted Google Workspace user accounts are not automatically deleted from the
cloud storage. These backups are billed for the storage space that they use.
l You cannot apply more than one individual backup plan to the same workload.
l When an individual backup plan and a group backup plan are applied to the same workload, the
settings in the individual plan take precedence.
Logging
Actions with cloud-to-cloud resources, such as viewing the content of backed-up emails,
downloading attachments or files, recovering emails to non-original mailboxes, or sending them as
emails may violate user privacy. These actions are logged in Monitoring > Audit log in the
Management Portal.
To add a Google Workspace organization by using a dedicated personal Google Cloud project
5. Click Confirm.
As a result, your Google Workspace organization appears under the Devices tab in the Cyber
Protect console.
Useful tips
l After adding a Google Workspace organization, the user data and Shared drives in both the
primary domain and all the secondary domains, if there are any, will be backed up. The backed-
up resources will be displayed in one list, and will not be grouped by their domain.
l The cloud agent synchronizes with Google Workspace every 24 hours, starting from the moment
when the organization is added to the Cyber Protection service. If you add or remove a user or
Shared drive, you will not see this change in the Cyber Protect console immediately. To
synchronize the change immediately, select the organization on the Google Workspace page,
and then click Refresh.
For more information about synchronizing the resources of a Google Workspace organization
and the Cyber Protect console, refer to "Discovering Google Workspace resources" (p. 567).
l If you applied a protection plan to the All users or All Shared drives group, the newly added
items will be included in the backup only after the synchronization.
l According to Google policy, when a user or Shared drive is removed from the Google Workspace
graphical user interface, it remains available via an API for a few days. During this period, the
removed item is inactive (grayed out) in the Cyber Protect console and is not backed up. When
the removed item becomes unavailable via the API, it disappears from the Cyber Protect console.
Its backups (if any) can be found at Backup storage > Cloud applications backups.
Note
This topic contains a description of a third-party user interface that might be subject to change
without prior notice.
1. From the navigation menu in the Google Cloud Platform, select APIs and services > OAuth
consent screen.
2. In the window that opens, select Internal for user type, and then click Create.
3. In the App name field, specify a name for your application.
4. In the User support email field, enter the Super Administrator email.
5. In the Developer contact information field, enter the Super Administrator email.
6. Leave all other fields blank, and then click Save and continue.
7. On the Scopes page, click Save and continue, without changing anything.
8. On the Summary page, verify your settings, and then click Back to dashboard.
To create and configure the service account for the Cyber Protection service
1. From the navigation menu in the Google Cloud Platform, select IAM & Admin > Service
accounts.
2. Click Create service account.
3. Specify a name for the service account.
4. Specify a description for the service account.
5. Click Create and continue.
6. Do not change anything in the Grant this service account access to the project and Grant
users access to this service account steps.
7. Click Done.
The Service accounts page opens.
8. On the Service accounts page, select the new service account, and then under Actions, click
Manage keys.
9. Under Keys, click Add key > Create new key, and then select the JSON key type.
10. Click Create.
As a result, a JSON file with the private key of the service account is automatically downloaded to
your machine. Store this file securely because you need it to add your Google Workspace
organization to the Cyber Protection service.
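One way to check the downloaded key file before storing it, as an added example that is not part of the original guide or of the product: it verifies on a POSIX system that only the owner can access the file and that the JSON is a service account key, and it returns a summary that omits the private key. The file name and the sample key values are constructed placeholders.

```python
import json
import os
import stat
import tempfile

# Fields present in a Google service account JSON key file.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id",
                   "private_key", "client_email", "client_id")

# Constructed sample key for the demo; every value is a placeholder.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-backup-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "backup-sa@example-backup-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
}


def audit_key_file(path):
    """Check a downloaded key file; return (summary, findings).

    The summary never includes the private key, so it is safe to log.
    """
    findings = []
    # POSIX permission bits: any group/other access to a private key is a finding.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o lets group/others access the key; use 0600" % mode)

    try:
        with open(path, "r", encoding="utf-8") as fh:
            key = json.load(fh)
    except (json.JSONDecodeError, UnicodeDecodeError):
        return {}, findings + ["file is not valid JSON"]
    if not isinstance(key, dict):
        return {}, findings + ["top-level JSON value is not an object"]

    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("type is %r, expected 'service_account'" % key.get("type"))

    summary = {f: key.get(f)
               for f in ("project_id", "client_email", "client_id", "private_key_id")}
    return summary, findings


def demo():
    """Write the sample key, audit it world-readable, then owner-only."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "service-account.json")  # hypothetical file name
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_KEY, fh)
        os.chmod(path, 0o644)
        _, loose = audit_key_file(path)
        os.chmod(path, 0o600)
        summary, tight = audit_key_file(path)
    return summary, loose, tight


if __name__ == "__main__":
    summary, loose, tight = demo()
    print("summary:", summary)
    print("findings at 0644:", loose)
    print("findings at 0600:", tight)
```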
1. From the navigation menu in the Google Cloud Platform, select IAM & Admin > Service
Accounts.
2. In the list, find the service account that you created, and then copy its client ID that is shown in
the OAuth 2.0 Client ID column.
3. Sign in to the Google Admin console (admin.google.com) as a Super Administrator.
4. From the navigation menu, select Security > Access and data control > API controls.
5. Scroll down the API controls page, and then under Domain-wide delegation, click Manage
domain-wide delegation.
The Domain-wide delegation page opens.
As a result, your new Google Cloud project can access the data in your Google Workspace account.
To back up the data, you need to link this project to the Cyber Protection service. For more
information on how to do this, refer to "To add a Google Workspace organization by using a
dedicated personal Google Cloud project" (p. 564).
If you need to revoke the access of your Google Cloud project to your Google Workspace account,
and with it the access of the Cyber Protection service, delete the API client that your project
uses.
After the discovery operation completes, you can see the resources of the Google Workspace
organization on the Devices > Google Workspace tab in the Cyber Protect console, and you can
apply backup plans to them.
Note
You can manually run a discovery operation up to 10 times per hour. When this number is reached,
the allowed runs are reset to one per hour, and then every hour an additional run becomes
available, until a total of 10 runs per hour is reached again.
If the Advanced Backup pack is enabled in your tenant, you can configure more frequent backups.
You can select the number of backups per day, but you cannot configure the backup start time. The
backups start automatically at approximate intervals that depend on the current load of the cloud
agent, which serves multiple customers in a data center. This ensures even load during the day, and
equal quality of service for all customers.
The following Calendar items are skipped, due to Google Calendar API limitations:
l Appointment slots
l The conferencing field of an event
l The calendar setting All-day event notifications
l The calendar setting Auto-accept invitations (in calendars for rooms or shared spaces)
The following Contacts items are skipped, due to Google People API limitations:
l Mailboxes
l Email folders (According to Google terminology, "labels". Labels are presented in the backup
software as folders, for consistency with other data presentation.)
l Email messages
l Calendar events
l Contacts
You can use search to locate items in a backup, unless the backup is encrypted. Search in encrypted
backups is not supported.
Limitations
l Contact photos cannot be recovered
l The Out of office calendar item is recovered as a regular calendar event, due to Google Calendar
API limitations
Selecting mailboxes
Select the mailboxes as described below, and then specify other settings of the protection plan as
appropriate.
Full-text search
This option defines whether the content of email messages is indexed by the cloud agent.
If this option is enabled, the message content is indexed and you can search messages by their
content. Otherwise, only searching by subject, sender, recipient, or date is available.
Note
Search in encrypted backups is not supported.
The indexing process does not affect the backup performance because it is performed by a different
software component. Indexing of the first (full) backup may take some time; therefore, there may be
a delay between the backup completion and the content appearing in the search results.
When you re-enable full-text search, the software indexes all of the backups previously created by
the protection plan. This also takes some time.
All indexes contain metadata that supports the main searching functionality. The indexes for
backups with enabled full-text search contain additional data that allows searching in the body text
of Gmail emails. You can limit the scope of the manual operations with indexes only to the metadata
(for the Delete index operation, only to the full-text search data) or you can include both the
metadata and the data related to full-text search.
Note
The manual operations with indexes are used for troubleshooting and they are only available to
partner administrators and customer administrators. We recommend that you contact the Support
team before using any of them.
Recovering mailboxes
1. Click Google Workspace.
2. If multiple Google Workspace organizations were added to the Cyber Protection service, select
the organization whose backed-up data you want to recover. Otherwise, skip this step.
3. Expand the Users node, select All users, select the user whose mailbox you want to recover,
and then click Recovery.
If the user was deleted, select the user in the Cloud applications backups section of the Backup
storage tab, and then click Show backups.
You can search users and groups by name. Wildcards are not supported.
4. Select a recovery point.
Note
To see only the recovery points that contain mailboxes, select Gmail in Filter by content.
icon:
Additionally, you can do any of the following:
l When an item is selected, click Show content to view its contents, including
attachments. Click the name of an attached file to download it.
l If the backup is not encrypted, and you used search and selected a single item in the search
results, click Show versions to select the item version to recover. You can select any backed-up
version, earlier or later than the selected recovery point.
8. Click Recover.
9. If multiple Google Workspace organizations were added to the Cyber Protection service, click
Google Workspace organization to view, change, or specify the target organization.
By default, the original organization is selected. If this organization is no longer registered in the
Cyber Protection service, you must select a new target organization from the available registered
organizations.
10. In Recover to mailbox, view, change, or specify the target mailbox.
By default, the original mailbox is selected. If this mailbox does not exist or a non-original
organization is selected, you must specify the target mailbox.
11. In Path, view or change the target folder in the target mailbox. By default, the original folder is
selected.
12. Click Start recovery.
13. Select one of the overwriting options:
l Overwrite existing items
l Do not overwrite existing items
14. Click Proceed to confirm your decision.
Important
The following items are not backed up:
Limitations
Out of the Google-specific file formats, Google Docs, Google Sheets, and Google Slides are fully
supported for backup and recovery. Other Google-specific formats might not be fully supported or
might not be supported at all – for example, Google Drawings files are recovered as .svg files,
Note
File formats that are not Google-specific – for example, .txt, .docx, .pptx, .pdf, .jpg, .png, .zip – are
fully supported for backup and recovery.
You can use search to locate items in a backup, unless the backup is encrypted. Search in encrypted
backups is not supported.
You can choose whether to recover the sharing permissions or let the files inherit the permissions
from the folder to which they are recovered.
Limitations
l Comments in files are not recovered.
l Sharing links for files and folders are not recovered.
l The read-only Owner settings for shared files (Prevent editors from changing access and
adding new people and Disable options to download, print and copy for commenters and
viewers) cannot be changed during a recovery.
l Ownership of a shared folder cannot be changed during a recovery if the Prevent editors from
changing access and adding new people option is enabled for this folder. This setting prevents
the Google Drive API from listing the folder permissions. Ownership of the files in the folder is
recovered correctly.
Note
To see only the recovery points that contain Google Drive files, select Google Drive in Filter by
content.
Option: Description
Overwrite an existing file if it is older: If there is a file with the same name in the destination location, and it is older than the source file, the source file will be saved in the destination location, replacing the older version.
Overwrite existing files: All existing files in the destination location are overwritten, regardless of their last modified date.
Do not overwrite existing files: If there is a file with the same name in the destination location, no changes are applied to it, and the source file is not saved to the destination location.
Important
The Shared with me folder is not backed up.
Limitations
l A Shared drive without members cannot be backed up, due to Google Drive API limitations.
l Out of the Google-specific file formats, Google Docs, Google Sheets, and Google Slides are fully
supported for backup and recovery. Other Google-specific formats might not be fully supported
or might not be supported at all – for example, Google Drawings files are recovered as .svg files,
Note
File formats that are not Google-specific – for example, .txt, .docx, .pptx, .pdf, .jpg, .png, .zip –
are fully supported for backup and recovery.
You can use search to locate items in a backup, unless the backup is encrypted. Search in encrypted
backups is not supported.
You can choose whether to recover the sharing permissions or let the files inherit the permissions
from the folder to which they are recovered.
l Sharing permissions for a file that was shared with a user outside the organization are not
recovered if sharing outside the organization is disabled in the target Shared drive.
l Sharing permissions for a file that was shared with a user who is not a member of the target
Shared drive are not recovered if Sharing with non-members is disabled in the target Shared
drive.
Limitations
l Comments in files are not recovered.
l Sharing links for files and folders are not recovered.
Option: Description
Overwrite an existing file if it is older: If there is a file with the same name in the destination location, and it is older than the source file, the source file will be saved in the destination location, replacing the older version.
Overwrite existing files: All existing files in the destination location are overwritten, regardless of their last modified date.
Do not overwrite existing files: If there is a file with the same name in the destination location, no changes are applied to it, and the source file is not saved to the destination location.
Notarization
Notarization enables you to prove that a file is authentic and unchanged since it was backed up. We
recommend that you enable notarization when backing up your legal document files or other files
that require proven authenticity.
Notarization is available only for backups of Google Drive files and Google Workspace Shared drive
files.
When configuring recovery, the notarized files will be marked with a special icon, and you can verify
the file authenticity.
How it works
During a backup, the agent calculates the hash codes of the backed-up files, builds a hash tree
(based on the folder structure), saves the tree in the backup, and then sends the hash tree root to
the notary service. The notary service saves the hash tree root in the Ethereum blockchain database
to ensure that this value does not change.
To verify that the hash tree itself was not compromised, the agent sends the hash tree root to the
notary service. The notary service compares it with the one stored in the blockchain database. If the
hashes match, the selected file is guaranteed to be authentic. Otherwise, the software displays a
message that the file is not authentic.
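The hash-tree idea described above, as an added example that is not the product's code or its actual tree format: SHA-256, the node encoding, and the proof layout are assumptions chosen for illustration, and the folder contents are constructed. It goes one step beyond the text by showing how a single file can be checked against the anchored root without rehashing the whole backup.

```python
import hashlib
import hmac

# Constructed sample: nested dicts are folders, bytes values are file contents.
SAMPLE_DRIVE = {
    "Contracts": {"nda.pdf": b"NDA v1", "msa.pdf": b"MSA v3"},
    "Finance": {"2023": {"q1.xlsx": b"Q1 numbers"}},
    "readme.txt": b"hello",
}


def file_hash(content):
    # Leaf node: the 0x00 prefix keeps file hashes distinct from folder hashes.
    return hashlib.sha256(b"\x00" + content).digest()


def dir_hash(children):
    """Hash a folder from {entry name: child hash}. Names are sorted so that
    listing order does not change the result, and length-prefixed so that
    entry boundaries are unambiguous."""
    buf = b""
    for name in sorted(children):
        encoded = name.encode("utf-8")
        buf += len(encoded).to_bytes(4, "big") + encoded + children[name]
    return hashlib.sha256(b"\x01" + buf).digest()


def build_tree(node):
    """Mirror the folder structure as {'hash': ..., 'children': ...}."""
    if isinstance(node, bytes):
        return {"hash": file_hash(node), "children": None}
    kids = {name: build_tree(child) for name, child in node.items()}
    return {"hash": dir_hash({n: k["hash"] for n, k in kids.items()}),
            "children": kids}


def proof_for(tree, path):
    """For each folder on the path (root first), collect the hashes of the
    other entries in that folder."""
    proof, node = [], tree
    for part in path:
        proof.append({n: k["hash"]
                      for n, k in node["children"].items() if n != part})
        node = node["children"][part]
    return proof


def verify_file(content, path, proof, anchored_root):
    """Recompute the root from one file plus its proof and compare it with
    the root that was anchored at backup time."""
    if len(path) != len(proof):
        return False
    current = file_hash(content)
    # Walk from the file's folder back up to the root.
    for part, siblings in zip(reversed(path), reversed(proof)):
        level = dict(siblings)
        level[part] = current
        current = dir_hash(level)
    return hmac.compare_digest(current, anchored_root)


def demo():
    tree = build_tree(SAMPLE_DRIVE)
    anchored_root = tree["hash"]  # the only value handed to the notary service
    path = ["Contracts", "nda.pdf"]
    proof = proof_for(tree, path)
    unchanged = verify_file(b"NDA v1", path, proof, anchored_root)
    tampered = verify_file(b"NDA v1 (edited)", path, proof, anchored_root)
    return unchanged, tampered


if __name__ == "__main__":
    print(demo())
```

Because every folder hash covers the names and hashes of its entries, renaming or moving a file changes the root just as editing its content does.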
2. Ensure that the selected file is marked with the notarization icon. This means that the file is
notarized.
3. Do one of the following:
l Click Verify.
The software checks the file authenticity and displays the result.
l Click Get certificate.
A certificate that confirms the file notarization is opened in a web browser window. The
window also contains instructions that allow you to verify the file authenticity manually.
Note
Application-aware backup of MySQL or MariaDB data is available with the Advanced Backup pack.
To protect a physical or virtual machine that runs MySQL or MariaDB instances with application-
aware backup, you need to install Agent for MySQL/MariaDB on this machine. Agent for
MySQL/MariaDB is bundled with Agent for Linux (64-bit) and therefore can be installed only on 64-
bit Linux-based operating systems. See "Supported operating systems and environments" (p. 22).
To recover databases and tables to a live instance, Agent for MySQL/MariaDB needs temporary
storage to operate. By default, the /tmp directory is used. You can change this directory by setting
the ACRONIS_MYSQL_RESTORE_DIR environment variable.
Limitations
l MySQL or MariaDB clusters are not supported.
l MySQL or MariaDB instances running in Docker containers are not supported.
l MySQL or MariaDB instances running on operating systems that use the BTRFS file system are not
supported.
l System databases (sys, mysql, information_schema, and performance_schema) and databases that
do not contain any tables cannot be recovered to live instances. However, these databases can be
recovered as files, when recovering the whole instance.
l Recovery is supported only to target instances of the same version as the backed-up instance or
later, with the following restrictions:
o Recovery from MySQL 5.x instances to MySQL 8.x instances is not supported.
o Recovery to a later MySQL 5.x version (including the minor versions) is supported only via
recovery of the whole instance as files. Before attempting recovery, consult the official MySQL
upgrade guide for the target version, for example, the MySQL 5.7 upgrade guide.
l Recovery from backups stored on Secure Zone is not supported.
Known issues
If you encounter issues while recovering data from password-protected Samba shares, log out of
the Cyber Protect console, and then log back in. Select the desired recovery point, and then click
MySQL/MariaDB databases. Do not click Entire machine or Files/folders.
Prerequisites
l At least one MySQL or MariaDB instance must be running on the selected machine.
l On the machine where the MySQL or MariaDB instance is running, the protection agent must be
started under the root user.
l Application-aware backup is available only when the Entire machine is selected as a backup
source in the protection plan.
l The Sector-by-sector backup option must be disabled in the protection plan. Otherwise, it is
impossible to recover application data.
1. In the Cyber Protect console, select one or more machines on which MySQL or MariaDB
instances are running.
You can have one or more instances on each machine.
2. Create a protection plan with the backup module enabled.
3. In What to back up, select Entire machine.
4. Click Application backup, and then enable the switch next to MySQL/MariaDB Server.
5. Select how to specify the MySQL or MariaDB instances:
l For all workloads
Use this option if you run instances with identical configurations on multiple servers. The
same connection parameters and access credentials will be used for all instances.
l For specific workloads
Use this option to specify the connection parameters and access credentials for each instance.
6. Click Add instance to configure the connection parameters and access credentials.
a. Select the connection type, and then specify the following:
l [For TCP socket] IP address and port.
l [For Unix socket] Socket path.
b. Specify the credentials of a user account that has the following privileges for the instance:
* A virtual machine with an agent inside is treated as a physical machine from the backup
standpoint.
Recovering instances
From an application-aware backup, you can recover MySQL or MariaDB instances as files.
To recover an instance
1. In the Cyber Protect console, select the machine that originally contained the data that you want
to recover.
2. Click Recovery.
3. Select a recovery point. Note that recovery points are filtered by location.
If the machine is offline, the recovery points are not displayed. Do one of the following:
l If the backup location is cloud or shared storage (that is, other agents can access it), click
Select machine, select an online machine that has Agent for MySQL/MariaDB, and then select
a recovery point.
l Select a recovery point on the Backup storage tab.
The machine chosen for browsing in either of the above actions becomes a target machine for
the recovery.
4. Click Recover > MySQL/MariaDB databases.
5. Select the instance that you want to recover, and then click Recover as files.
6. Under Path, select the directory to which the files will be recovered.
7. Click Start recovery.
Recovering databases
From an application-aware backup, you can recover databases to live MySQL or MariaDB instances.
1. In the Cyber Protect console, select the machine that originally contained the data that you want
to recover.
2. Click Recovery.
3. Select a recovery point. Note that recovery points are filtered by location.
If the machine is offline, the recovery points are not displayed. Do one of the following:
l If the backup location is cloud or shared storage (that is, other agents can access it), click
Select machine, select an online machine that has Agent for MySQL/MariaDB, and then select
a recovery point.
l Select a recovery point on the Backup storage tab.
The machine chosen for browsing in either of the above actions becomes a target machine for
the recovery.
4. Click Recover > MySQL/MariaDB databases.
5. Click the name of the desired instance to drill down to its databases.
Recovering tables
From an application-aware backup, you can recover tables to live MySQL or MariaDB instances.
1. In the Cyber Protect console, select the machine that originally contained the data that you want
to recover.
2. Click Recovery.
3. Select a recovery point. Note that recovery points are filtered by location.
If the machine is offline, the recovery points are not displayed. Do one of the following:
l If the backup location is cloud or shared storage (that is, other agents can access it), click
Select machine, select an online machine that has Agent for MySQL/MariaDB, and then select
a recovery point.
l Select a recovery point on the Backup storage tab.
The machine chosen for browsing in either of the above actions becomes a target machine for
the recovery.
4. Click Recover > MySQL/MariaDB databases.
Protecting websites
A website can be corrupted as a result of unauthorized access or a malware attack. Back up your
website if you want to easily revert it to a healthy state, in case of corruption.
If your website employs databases, we recommend that you back up both the files and the
databases, to be able to recover them to a consistent state.
Limitations
• The only backup location available for website backup is the cloud storage.
• It is possible to apply several protection plans to a website, but only one of them can run on a
schedule. Other plans need to be started manually.
• The only available backup option is "Backup file name".
• The website protection plans are not shown on the Management > Protection plans tab.
Backing up a website
To add a website
Important
Only the files that are accessible to the specified account will be backed up.
Instead of a password, you can specify your private SSH key. To do this, select the Use SSH
private key instead of password check box, and then specify the key.
4. Click Next.
5. If your website uses MySQL databases, configure the access settings for the databases.
Otherwise, click Skip.
a. In Connection type, select how to access the databases from the cloud:
• Via SSH from host: The databases will be accessed via the host specified in step 3.
• Direct connection: The databases will be accessed directly. Choose this setting only if the
databases are accessible from the Internet.
b. In Host, specify the name or IP address of the host where the MySQL server is running.
Important
Only the databases that are accessible to the specified account will be backed up.
e. Click Create.
The website appears in the Cyber Protect console under Devices > Websites.
You can edit, revoke, and delete protection plans for websites in the same way as for machines.
These operations are described in "Operations with protection plans".
Recovering a website
To recover a website
Quotas
Servers that run Plesk, cPanel, DirectAdmin, VirtualMin, or ISPManager control panels are
considered web hosting servers. Each backed-up web hosting server consumes the Web hosting
servers quota. If this quota is disabled or the overage for this quota is exceeded, a quota will be
assigned as follows or the backups will fail:
• Backing up entire web hosting server to the cloud storage with disk-level backup
• Recovering the entire server, including all websites and accounts
• Performing granular recovery and downloading of accounts, websites, individual files, mailboxes,
or databases
• Enabling resellers and customers to perform self-service recovery of their own data
To perform the integration, you need to use a Cyber Protection service extension. For detailed
information, please refer to the corresponding integration guides:
• DirectAdmin Integration Guide
• WHM and cPanel Integration Guide
• Plesk Integration Guide
We recommend that you leave this temporary virtual machine working for up to three days. Then,
you can completely remove it or convert it to a regular virtual machine (finalize) without downtime.
As long as the temporary virtual machine exists, retention rules cannot be applied to the backup
being used by that machine. Backups of the original machine can continue to run.
Usage examples
• Disaster recovery
Instantly bring a copy of a failed machine online.
• Testing a backup
Run the machine from the backup and ensure that the guest OS and applications are functioning
properly.
• Accessing application data
Prerequisites
• At least one Agent for VMware or Agent for Hyper-V must be registered in the Cyber Protection
service.
• The backup can be stored in a network folder or in a local folder of the machine where Agent for
VMware or Agent for Hyper-V is installed. If you select a network folder, it must be accessible
from that machine. A virtual machine can also be run from a backup stored in the cloud storage,
but it works slower because this operation requires intense random-access reading from the
backup.
• The backup must contain an entire machine or all of the volumes that are required for the
operating system to start.
• Backups of both physical and virtual machines can be used. Backups of Virtuozzo containers
cannot be used.
• Backups that contain Linux logical volumes (LVM) must be created by Agent for VMware or Agent
for Hyper-V. The virtual machine must be of the same type as the original machine (ESXi or
Hyper-V).
As a result, the machine appears in the web interface with one of the following icons: or
1. On the All devices tab, select a machine that is running from a backup.
2. Click Delete.
The machine is removed from the web interface. It is also removed from the vSphere or Hyper-V
inventory and datastore (storage). All changes that occurred to the data while the machine was
running are lost.
You have the option to make this machine permanent, i.e. recover all of its virtual disks, along with
the changes that occurred while the machine was running, to the datastore that stores these
changes. This process is named finalization.
Finalization is performed without downtime. The virtual machine will not be powered off during
finalization.
The location of the final virtual disks is defined in the parameters of the Run as VM operation
(Datastore for ESXi or Path for Hyper-V). Prior to starting the finalization, ensure that free space,
sharing capabilities, and performance of this datastore are suitable for running the machine in
production.
Note
Finalization is not supported for Hyper-V running in Windows Server 2008/2008 R2 and Microsoft
Hyper-V Server 2008/2008 R2 because the necessary API is missing in these Hyper-V versions.
1. On the All devices tab, select a machine that is running from a backup.
2. Click Finalize.
3. [Optional] Specify a new name for the machine.
4. [Optional] Change the disk provisioning mode. The default setting is Thin.
5. Click Finalize.
The machine name changes immediately. The recovery progress is shown on the Activities tab.
Once the recovery is completed, the machine icon changes to that of a regular virtual machine.
• During a finalization, the agent performs random access to different parts of the backup. When
an entire machine is being recovered, the agent reads data from the backup sequentially.
• If the virtual machine is running during the finalization, the agent reads data from the backup
more often, to maintain both processes simultaneously. During a regular recovery, the virtual
machine is stopped.
Replication is the process of creating an exact copy (replica) of a virtual machine, and then
maintaining the replica in sync with the original machine. By replicating a critical virtual machine,
you will always have a copy of this machine in a ready-to-start state.
The replication can be started manually or on the schedule you specify. The first replication is full
(copies the entire machine). All subsequent replications are incremental and are performed with
Changed Block Tracking, unless this option is disabled.
However, powering on a replica is much faster than a recovery and faster than running a virtual
machine from a backup. When powered on, a replica works faster than a VM running from a backup
and does not load the Agent for VMware.
Restrictions
The following types of virtual machines cannot be replicated:
As a result of running a replication plan, the virtual machine replica appears in the All devices list
Testing a replica
To prepare a replica for testing
While the replica is in a failover state, you can choose one of the following actions:
• Stop failover
Stop failover if the original machine was fixed. The replica will be powered off. Replication will be
resumed.
• Perform permanent failover to the replica
This instant operation removes the 'replica' flag from the virtual machine, so that replication to it
is no longer possible. If you want to resume replication, edit the replication plan to select this
machine as a source.
• Failback
Perform failback if you failed over to the site that is not intended for continuous operations. The
replica will be recovered to the original or a new virtual machine. Once the recovery to the
original machine is complete, it is powered on and replication is resumed. If you choose to
recover to a new machine, edit the replication plan to select this machine as a source.
Stopping failover
To stop a failover
Failing back
To failback from a replica
Replication options
To modify the replication options, click the gear icon next to the replication plan name, and then
click Replication options.
Disk provisioning
This option defines the disk provisioning settings for the replica.
The following values are available: Thin provisioning, Thick provisioning, Keep the original
setting.
Error handling
This option is similar to the backup option "Error handling".
Pre/Post commands
This option is similar to the backup option "Pre/Post commands".
Failback options
To modify the failback options, click Recovery options when configuring failback.
Performance
This option is similar to the recovery option "Performance".
Pre/Post commands
This option is similar to the recovery option "Pre/Post commands".
VM power management
This option is similar to the recovery option "VM power management".
Important
To perform replica seeding, Agent for VMware (Virtual Appliance) must be running on the target
ESXi.
As a result, the software will continue updating the replica. All replications will be incremental.
The diagram below illustrates a LAN-based and a LAN-free backup. LAN-free access to virtual
machines is available if you have a fibre channel (FC) or iSCSI Storage Area Network. To completely
eliminate transferring the backed-up data via LAN, store the backups on a local disk of the agent's
machine or on a SAN attached storage.
As a result, the agent will use the SAN transport mode to access the virtual disks, i.e. it will read raw
LUN sectors over iSCSI/FC without recognizing the VMFS file system (which Windows is not aware
of).
Limitations
• In vSphere 6.0 and later, the agent cannot use the SAN transport mode if some of the VM disks
are located on a VMware Virtual Volume (VVol) and some are not. Backups of such virtual
machines will fail.
• Encrypted virtual machines, introduced in VMware vSphere 6.5, will be backed up via LAN, even if
you configure the SAN transport mode for the agent. The agent will fall back on the NBD
transport because VMware does not support SAN transport for backing up encrypted virtual
disks.
Example
If you are using an iSCSI SAN, configure the iSCSI initiator on the machine running Windows where
Agent for VMware is installed.
1. Log on as an administrator, open the command prompt, type diskpart, and then press Enter.
2. Type san, and then press Enter. Ensure that SAN Policy : Offline All is displayed.
3. If another value for SAN Policy is set:
a. Type san policy=offlineall.
b. Press Enter.
c. To check that the setting has been applied correctly, perform step 2.
d. Restart the machine.
Note
To find the Administrative Tools applet, you may need to change the Control Panel view to
something other than Home or Category, or use search.
2. If this is the first time that Microsoft iSCSI Initiator is launched, confirm that you want to start the
Microsoft iSCSI Initiator service.
The ready SAN LUN should appear in Disk Management as shown in the screenshot below.
A virtual appliance that is running on the same host or cluster with the backed-up virtual machines
has direct access to the datastore(s) where the machines reside. This means the appliance can
attach the backed-up disks by using the HotAdd transport, and therefore the backup traffic is
directed from one local disk to another. If the datastore is connected as Disk/LUN rather than NFS,
the backup will be completely LAN-free. In the case of NFS datastore, there will be network traffic
between the datastore and the host.
You can add the storage to an already working agent or when deploying the agent from an OVF
template.
1. In VMware vSphere inventory, right click the Agent for VMware (Virtual Appliance).
2. Add the disk by editing the settings of the virtual machine. The disk size must be at least 10 GB.
Warning!
Be careful when adding an already existing disk. Once the storage is created, all data previously
contained on this disk will be lost.
3. Go to the virtual appliance console. The Create storage link is available at the bottom of the
screen. If it is not, click Refresh.
4. Click the Create storage link, select the disk and specify a label for it. The label length is limited
to 16 characters, due to file system restrictions.
When creating a protection plan, in Where to back up, select Local folders, and then type the
letter corresponding to the locally attached storage, for example, D:\.
The distribution algorithm below works for both virtual appliances and agents installed in Windows.
Distribution algorithm
The virtual machines are automatically evenly distributed between Agents for VMware. By evenly,
we mean that each agent manages an equal number of machines. The amount of storage space
occupied by a virtual machine is not counted.
However, when choosing an agent for a machine, the software tries to optimize the overall system
performance. In particular, the software considers the agent and the virtual machine location. An
agent hosted on the same host is preferred. If there is no agent on the same host, an agent from the
same cluster is preferred.
Once a virtual machine is assigned to an agent, all backups of this machine are delegated to this
agent.
For example, you realize that you need more agents to help with throughput and deploy an
additional virtual appliance to the cluster. The Cyber Protection service will assign the most
appropriate machines to the new agent. The load on the old agents will decrease.
When you remove an agent from the Cyber Protection service, the machines assigned to the agent
are distributed among the remaining agents. However, this will not happen if an agent gets
corrupted or is deleted manually from vSphere. Redistribution will start only after you remove such
an agent from the web interface.
• in the Agent column for each virtual machine in the All devices section
• in the Assigned virtual machines section of the Details panel when an agent is selected in the
Settings > Agents section
Manual binding
The Agent for VMware binding lets you exclude a virtual machine from this distribution process by
specifying the agent that must always back up this machine. The overall balance will be maintained,
but this particular machine can be passed to a different agent only if the original agent is removed.
Automatic assignment cannot be disabled for an agent if there are no other registered agents, or if
automatic assignment is disabled for all other agents.
Usage examples
• Manual binding comes in handy if you want a particular (very large) machine to be backed up by
Agent for VMware (Windows) via a fibre channel while other machines are backed up by virtual
appliances.
• It is necessary to bind VMs to an agent if the agent has a locally attached storage.
• Disabling the automatic assignment enables you to ensure that a particular machine is
predictably backed up on the schedule you specify. The agent that only backs up one VM cannot
be busy backing up other VMs when the scheduled time comes.
• Disabling the automatic assignment is useful if you have multiple ESXi hosts that are separated
geographically. If you disable the automatic assignment, and then bind the VMs on each host to
the agent running on the same host, you can ensure that the agent will never back up any
machines running on the remote ESXi hosts, thus saving network traffic.
Prerequisites
The pre‐freeze and post‐thaw scripts must be located in a specific folder on the virtual machine.
You do not need to run custom quiescing scripts on virtual machines running VSS-aware
applications, such as Microsoft SQL Server or Microsoft Exchange. To create an application-
consistent backup for such machines, enable the Volume Shadow Copy Service (VSS) for virtual
machines option in the protection plan.
vMotion allows moving the state and configuration of a virtual machine to another host, while the
machine's disks remain in the same location on a shared storage. Storage vMotion allows moving
the disks of a virtual machine from one datastore to another.
• Migration with vMotion, including Storage vMotion, is not supported for a virtual machine that
runs Agent for VMware (Virtual Appliance), and is disabled automatically. This virtual machine is
added to the VM overrides list in the vSphere cluster configuration.
• When a backup of a virtual machine starts, migration with vMotion, including Storage vMotion, is
automatically disabled. This virtual machine is temporarily added to the VM overrides list in the
vSphere cluster configuration. After the backup finishes, the VM overrides settings are
automatically reverted to their previous state.
• A backup cannot start for a virtual machine while its migration with vMotion, including Storage
vMotion, is in progress. The backup for this machine will start when its migration finishes.
In the VMware tab, you can back up the following vSphere infrastructure objects:
• Data center
• Folder
• Cluster
• ESXi host
• Resource pool
Each of these infrastructure objects works as a group object for virtual machines. When you apply a
protection plan to any of these group objects, all virtual machines included in it will be backed up.
You can back up either the selected group machines by clicking Protect, or the parent group
machines in which the selected group is included by clicking Protect group.
For example, you have selected the Stefano cluster and then selected the resource pool inside it. If
you click Protect, all virtual machines included in the selected resource pool will be backed up. If
you click Protect group, all virtual machines included in the Stefano cluster will be backed up.
The VMware tab enables you to change access credentials for the vCenter Server or stand-alone
ESXi host without re-installing the agent.
This information appears in the virtual machine summary (Summary > Custom
attributes/Annotations/Notes, depending on the client type and vSphere version). You can also
enable the Last backup and Backup status columns on the Virtual Machines tab for any host,
datacenter, folder, resource pool, or the entire vCenter Server.
To provide these attributes, Agent for VMware must have the following privileges in addition to
those described in "Agent for VMware - necessary privileges":
Specify the vSphere account with the necessary privileges during Agent for VMware installation or
configuration. If you need to change the account later, refer to "Managing virtualization
environments" (p. 609).
Direct Access +*
Browse datastore +
Configure datastore + + + +
Global Licenses + + + +
Disable methods + + +
Enable methods + + +
Delete VM +
Advanced + + +
Disk lease + +
Memory +
Remove disk + + + +
Rename +
Set annotation +
Settings + + +
Configure CD media + +
Power off + +
Power on + + +
Register +
Remove + + +
Unregister +
Remove snapshot + + +
1. A machine must be available for backup no matter what node it migrates to. To ensure that
Agent for Hyper-V can access a machine on any node, the agent service must run under a
domain user account that has administrative privileges on each of the cluster nodes.
We recommend that you specify such an account for the agent service during the Agent for
Hyper-V installation.
2. Install Agent for Hyper-V on each node of the cluster.
3. Register all of the agents in the Cyber Protection service.
When you recover backed-up disks to a new Hyper-V virtual machine, the resulting machine is not
highly available. It is considered as a spare machine and is normally powered off. If you need to use
When multiple protection plans overlap in time, their backups can run simultaneously. This
functionality can also be referred to as concurrent backup or parallel backup. In this case, the
numbers specified in the backup options of each plan are added up. Even though the resulting total
number is programmatically limited to 10, overlapping plans can affect the backup performance
and overload both the host and the virtual machine storage.
To avoid this, you can limit the total number of virtual machines that an Agent for VMware or Agent
for Hyper-V can back up simultaneously.
To limit the total number of virtual machines that Agent for VMware (Windows) or Agent for
Hyper-V can back up
1. On the machine running the agent, create a new text document and open it in a text editor, such
as Notepad.
2. Copy and paste the following lines into the file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\MMS\Configuration\ManagedMachine\SimultaneousBackupsLimits]
"MaxNumberOfSimultaneousBackups"=dword:00000001
3. Replace 00000001 with the hexadecimal value of the limit that you want to set. For example,
00000001 is 1 and 0000000A is 10.
4. Save the document as limit.reg.
5. Run the file as an administrator.
6. Confirm that you want to edit the Windows registry.
7. Do the following to restart the agent:
a. In the Start menu, click Run, and then type: cmd
b. Click OK.
c. Run the following commands:
To limit the total number of virtual machines that Agent for VMware (Virtual Appliance) can back
up
<key name="SimultaneousBackupsLimits">
<value name="MaxNumberOfSimultaneousBackups" type="Tdword">"10"</value>
</key>
4. Replace 10 with the decimal value of the limit that you want to set.
5. Save the file.
6. Execute the reboot command to restart the agent.
Machine migration
You can perform machine migration by recovering its backup to a non-original machine.
Backed-up machine type | Physical machine | ESXi virtual machine | Hyper-V virtual machine | Virtuozzo virtual machine | Virtuozzo container | Virtuozzo Hybrid Infrastructure virtual machine | Scale Computing HC3 virtual machine | RHV/oVirt virtual machine
--- | --- | --- | --- | --- | --- | --- | --- | ---
Physical machine | + | + | + | - | - | + | +* | +
VMware ESXi virtual machine | + | + | + | - | - | + | +* | +
Hyper-V virtual machine | + | + | + | - | - | + | +* | +
Virtuozzo virtual machine | + | + | + | + | - | + | +* | +
Virtuozzo container | - | - | - | - | + | - | - | -
Virtuozzo Hybrid Infrastructure virtual machine | + | + | + | - | - | + | +* | +
Scale Computing HC3 virtual machine | + | + | + | - | - | + | + | +
Red Hat Virtualization/oVirt virtual machine | + | + | + | - | - | + | +* | +
*If Secure Boot is enabled on the source machine, the recovered VM will not be able to start up
unless you disable Secure Boot in the VM console after the recovery.
Note
You cannot recover macOS virtual machines to Hyper-V hosts, because Hyper-V does not support
macOS. You can recover macOS virtual machines to a VMware host that is installed on Mac
hardware.
Although it is possible to perform V2P migration in the web interface, we recommend that you use
bootable media in specific cases. Sometimes, you may want to use the media for migration to ESXi
or Hyper-V.
• Perform P2V migration, V2P migration, or V2V migration from Virtuozzo of a Linux machine
containing logical volumes (LVM). Use Agent for Linux or bootable media to create the backup
and bootable media to recover.
• Provide drivers for specific hardware that is critical for the system bootability.
The difference from a physical machine is that Microsoft Azure and Amazon EC2 virtual machines
cannot be booted from bootable media. If you need to recover to a new Microsoft Azure or Amazon
EC2 virtual machine, follow the procedure below.
1. Create a new virtual machine from an image/template in Microsoft Azure or Amazon EC2. The
new machine must have the same disk configuration as the machine that you want to recover.
2. Install Agent for Windows or Agent for Linux on the new machine.
3. Recover the backed-up machine as described in "Physical machine". When configuring the
recovery, select the new machine as the target machine.
Note
Bootable media does not support hybrid drives.
Alternatively, you can download a ready-made bootable media (Linux-based only). You can use the
ready-made bootable media for recovery operations and access to the Universal Restore feature.
Linux-based
Linux-based bootable media contains a protection agent based on a Linux kernel. The agent can
boot and perform operations on any PC-compatible hardware, including bare metal, and machines
with corrupted or non-supported file systems.
WinPE proved to be the most convenient bootable solution in large environments with
heterogeneous hardware.
Advantages:
• Using Cyber Protection in Windows Preinstallation Environment provides more functionality than
using Linux-based bootable media. Having booted PC-compatible hardware into WinPE, you can
use not only the protection agent, but also PE commands and scripts, and other plugins that you
have added to the PE.
• PE-based bootable media helps overcome some Linux-related bootable media issues, such as
support for certain RAID controllers or certain levels of RAID arrays only. Media based on WinPE
2.x and later allows dynamic loading of the necessary device drivers.
Limitations:
• Bootable media based on WinPE versions earlier than 4.0 cannot boot on machines that use
Unified Extensible Firmware Interface (UEFI).
You can recover either Windows or Linux by using the same media. To recover macOS, create a
separate media on a machine running macOS.
1. Create a custom bootable media ISO file or download the ready-made ISO file.
To create a custom ISO file, use "Bootable Media Builder" (p. 619).
To download the ready-made ISO file, in the Cyber Protect console, select a machine, and then
click Recover > More ways to recover... > Download ISO image.
2. [Optional] In the Cyber Protect console, generate a registration token. The registration token is
displayed automatically when you download a ready-made ISO file.
This token allows the bootable media to access the cloud storage, without prompting you to
enter a login and password.
3. Create physical bootable media in one of the following ways:
1. On a machine where Agent for Mac is installed, click Applications > Rescue Media Builder.
2. The software displays the connected removable media. Select the one that you want to make
bootable.
Warning!
All data on the disk will be erased.
3. Click Create.
4. Wait while the software creates the bootable media.
Bootable Media Builder allows you to create customized Linux-based and WinPE-based bootable
media images.
32-bit or 64-bit?
Bootable Media Builder creates bootable media with both 32-bit and 64-bit components. In most
cases, you will need a 64-bit media to boot a machine that uses Unified Extensible Firmware
Interface (UEFI).
Kernel parameters
You can specify one or more parameters of the Linux kernel that will be automatically applied when
the bootable media starts. These parameters are typically used when you experience problems
while working with the bootable media. Normally, you can leave this field empty.
You can also specify any of these parameters by pressing F11 while you are in the boot menu.
Parameters
When specifying multiple parameters, separate them with spaces.
Predefined scripts
Bootable Media Builder provides the following predefined scripts:
The scripts are located in the following folders on the machine where Bootable Media Builder is
installed:
• In Windows: %ProgramData%\Acronis\MediaBuilder\scripts\
• In Linux: /var/lib/Acronis/MediaBuilder/scripts/
Custom scripts
Important
Creating custom scripts requires the knowledge of the Bash command language and JavaScript
Object Notation (JSON). If you are not familiar with Bash, a good place to learn it is
http://www.tldp.org/LDP/abs/html. The JSON specification is available at http://www.json.org.
• In Windows: %ProgramData%\Acronis\MediaBuilder\scripts\
• In Linux: /var/lib/Acronis/MediaBuilder/scripts/
• <script_file>.sh - a file with your Bash script. When creating the script, use only a limited set of
shell commands, which you can find at https://busybox.net/downloads/BusyBox.html. Also, the
following commands can be used:
  ◦ acrocmd - the command-line utility for backup and recovery
  ◦ product - the command that starts the bootable media user interface
This file and any additional files that the script includes (for example, by using the dot command)
must be located in the bin subfolder. In the script, specify the additional file paths as
/ConfigurationFiles/bin/<some_file>.
• autostart - a file for starting <script_file>.sh. The file contents must be as follows:
#!/bin/sh
. /ConfigurationFiles/bin/variables.sh
. /ConfigurationFiles/bin/<script_file>.sh
. /ConfigurationFiles/bin/post_actions.sh
Structure of autostart.json
Top-level object

Pair name | Pair value type | Required | Description
--- | --- | --- | ---
timeout | number | No | A timeout (in seconds) for the boot menu before

Variable object

Pair name | Pair value type | Required | Description
--- | --- | --- | ---
description | string | Yes | The control label that is displayed above the control in Bootable Media Builder.
default | string if type is string, multiString, password, or enum; number if type is number, spinner, or checkbox | No | The default value for the control. If the pair is not specified, the default value will be an empty string or a zero, based on the control type. The default value for a check box can be 0 (the cleared state) or 1 (the selected state).
order | number (non-negative) | Yes | The control order in Bootable Media Builder. The higher the value, the lower the control is placed relative to other controls defined in autostart.json. The initial value must be 0.
min | number (for spinner only) | No | The minimum value of the spin control in a spin box. If the pair is not specified, the value will be 0.
max | number (for spinner only) | No | The maximum value of the spin control in a spin box. If the pair is not specified, the value will be 100.
required | number (for string, multiString, password, and enum) | No | Specifies if the control value can be empty (0) or not (1). If the pair is not specified, the control value can be empty.
Control type

Name | Description
--- | ---
string | A single-line, unconstrained text box used to enter or edit short strings.
multiString | A multi-line, unconstrained text box used to enter or edit long strings.
spinner | A single-line, numeric-only text box used to enter or edit numbers, with a spin control. Also called a spin box.
checkbox | A check box with two states - the cleared state or the selected state.
The sample autostart.json below contains all possible types of controls that can be used to
configure variables for <script_file>.sh.
"variables": {
"var_string": {
"displayName": "VAR_STRING",
},
"displayName": "VAR_MULTISTRING",
},
"var_number": {
"displayName": "VAR_NUMBER",
},
"var_spinner": {
"displayName": "VAR_SPINNER",
},
"var_enum": {
"displayName": "VAR_ENUM",
},
"var_password": {
"displayName": "VAR_PASSWORD",
},
"var_checkbox": {
"displayName": "VAR_CHECKBOX",
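The rules from the Variable object table can be checked before a script folder is handed to Bootable Media Builder. The validator below is an added example, not part of the original guide and not Acronis code; the sample input is constructed, and the "type" key name is an assumption taken from the wording of the default row ("if type is ..."). The min/max ordering check and the warning about a password default are additions that the guide does not state.

```python
import json

# Control types named in the guide's tables, grouped by the JSON type
# that the "default" row requires for each of them.
STRING_TYPES = {"string", "multiString", "password", "enum"}
NUMBER_TYPES = {"number", "spinner", "checkbox"}
ALL_TYPES = STRING_TYPES | NUMBER_TYPES


def _is_number(value):
    # bool is a subclass of int in Python, but JSON true/false is not a number.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_autostart(doc):
    """Return (errors, warnings) for a parsed autostart.json document."""
    errors, warnings = [], []
    if "timeout" in doc and not _is_number(doc["timeout"]):
        errors.append("timeout: must be a number")
    variables = doc.get("variables")
    if not isinstance(variables, dict):
        return errors + ["variables: must be an object"], warnings

    for name, var in variables.items():
        # "type" is an assumed key name (see the lead-in).
        ctype = var.get("type") if isinstance(var, dict) else None
        if not isinstance(ctype, str) or ctype not in ALL_TYPES:
            errors.append(f"{name}: unknown control type {ctype!r}")
            continue
        if not isinstance(var.get("description"), str):
            errors.append(f"{name}: 'description' (string) is required")
        order = var.get("order")
        if not _is_number(order) or order < 0:
            errors.append(f"{name}: 'order' must be a non-negative number")

        if "default" in var:
            default = var["default"]
            if ctype in STRING_TYPES and not isinstance(default, str):
                errors.append(f"{name}: 'default' must be a string")
            elif ctype in NUMBER_TYPES and not _is_number(default):
                errors.append(f"{name}: 'default' must be a number")
            elif ctype == "checkbox" and default not in (0, 1):
                errors.append(f"{name}: checkbox 'default' must be 0 or 1")
            elif ctype == "password" and default:
                # Added check, not a rule from the guide: the value would sit
                # in clear text in autostart.json.
                warnings.append(f"{name}: password 'default' is stored in clear text")

        for key in ("min", "max"):
            if key in var and ctype != "spinner":
                errors.append(f"{name}: '{key}' is valid for spinner only")
            elif key in var and not _is_number(var[key]):
                errors.append(f"{name}: '{key}' must be a number")
        if ctype == "spinner":
            # Defaults per the guide: min 0, max 100. The ordering check is added.
            low, high = var.get("min", 0), var.get("max", 100)
            if _is_number(low) and _is_number(high) and low > high:
                errors.append(f"{name}: 'min' is greater than 'max'")

        if "required" in var:
            if ctype not in STRING_TYPES:
                errors.append(f"{name}: 'required' is not valid for {ctype}")
            elif not _is_number(var["required"]) or var["required"] not in (0, 1):
                errors.append(f"{name}: 'required' must be 0 or 1")
    return errors, warnings


# Constructed sample input (not from the guide) with four deliberate problems.
SAMPLE = json.loads("""
{
  "timeout": 10,
  "variables": {
    "var_string":   {"displayName": "VAR_STRING", "type": "string",
                     "description": "Backup share", "order": 0, "required": 1},
    "var_spinner":  {"displayName": "VAR_SPINNER", "type": "spinner",
                     "description": "Retries", "order": 1, "min": 5, "max": 3},
    "var_checkbox": {"displayName": "VAR_CHECKBOX", "type": "checkbox",
                     "description": "Reboot after recovery", "order": 2, "default": 2},
    "var_number":   {"displayName": "VAR_NUMBER", "type": "number",
                     "description": "Port", "order": 3, "min": 1},
    "var_password": {"displayName": "VAR_PASSWORD", "type": "password",
                     "description": "Share password", "order": 4,
                     "default": "constructed-example-only"}
  }
}
""")

if __name__ == "__main__":
    errs, warns = validate_autostart(SAMPLE)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```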
WinRE images
Creating WinRE images is supported for the following operating systems:
• Windows 7 (64-bit)
• Windows 8, 8.1, 10 (32-bit and 64-bit)
• Windows Server 2012, 2016, 2019 (64-bit)
WinPE images
After installing Windows Automated Installation Kit (AIK), or Windows Assessment and Deployment
Kit (ADK), Bootable Media Builder supports WinPE distributions that are based on any of the following
kernels:
Bootable Media Builder supports both 32-bit and 64-bit WinPE distributions. The 32-bit WinPE
distributions can also work on 64-bit hardware. However, you need a 64-bit distribution to boot a
machine that uses Unified Extensible Firmware Interface (UEFI).
Note
PE images based on WinPE 4 and later require approximately 1 GB of RAM to work.
1. On the machine where the protection agent is installed, run Bootable Media Builder.
2. In Bootable media type, select Windows PE or Windows PE (64-bit). A 64-bit media is required
to boot a machine that uses Unified Extensible Firmware Interface (UEFI).
3. Select the subtype of the bootable media: WinRE or WinPE.
Creating WinRE bootable media does not require installation of any additional packages.
To create a 64-bit WinPE media, you must download Windows Automated Installation Kit (AIK) or
Windows Assessment and Deployment Kit (ADK). To create 32-bit WinPE media, in addition to
downloading the AIK or ADK, you need to do the following:
a. Click Download the Plug-in for WinPE (32-bit).
b. Save the plugin to %PROGRAM_FILES%\BackupClient\BootableComponents\WinPE32.
4. [Optional] Select the language for the bootable media.
5. [Optional] Select the boot mode (BIOS or UEFI) that Windows will use after the recovery.
6. Specify the network settings for the network adapters of the booted machine or keep the
automatic DHCP configuration.
7. [Optional] Select how to register the bootable media in the Cyber Protection service on booting
up. For more information about the registration settings, refer to "Registering the bootable
media" (p. 631).
8. [Optional] Specify the Windows drivers to be added to the bootable media.
After you boot a machine into Windows PE or Windows RE, the drivers can help you access the
device where the backup is located. Add 32-bit drivers if you use a 32-bit WinPE or WinRE
distribution or 64-bit drivers if you use a 64-bit WinPE or WinRE distribution.
To add the drivers:
l Click Add, and then specify the path to the necessary .inf file for a corresponding SCSI, RAID,
SATA controller, network adapter, tape drive, or other device.
l Repeat this procedure for each driver that you want to include in the resulting WinPE or
WinRE media.
9. Select the file type of the created bootable media:
l ISO image
l WIM image
10. Specify the full path to the resulting image file, including the file name.
11. Check your settings in the summary screen, and then click Proceed.
l Replace the default boot.wim file in your Windows PE folder with the newly created WIM file. For
the above example, type:
Warning!
Do not copy and paste this example. Type the command manually, otherwise it will fail.
Network settings
While creating bootable media, you can preconfigure the network connections that will be used by
the bootable agent. The following parameters can be preconfigured:
l IP address
l Subnet mask
l Gateway
After the bootable agent starts on a machine, the configuration is applied to the machine’s network
interface card (NIC). If the settings have not been preconfigured, the agent uses DHCP auto
configuration.
You can also configure the network settings manually when the bootable agent is running on the
machine.
You can change the settings, except for the MAC address, or configure the settings for a non-
existent NIC.
After the bootable agent starts on the server, it retrieves the list of available NICs. This list is sorted
by the slots that the NICs occupy, with the NIC closest to the processor at the top.
The bootable agent assigns each known NIC the appropriate settings, and identifies the NICs by
their MAC addresses. After the NICs with known MAC addresses are configured, the remaining NICs
are assigned the settings that you made for non-existent NICs, starting from the upper non-
assigned NIC.
You can customize the bootable media for any machine, and not only for the machine where the
media is created. To do so, configure the NICs according to their slot order on that machine: NIC1
occupies the slot closest to the processor, NIC2 is in the next slot, and so on. When the bootable
agent starts on that machine, it will not find the NICs with known MAC addresses and will configure
the NICs in the same order as you did.
Example
The bootable agent can use one of the network adapters for communication with the management
console through the production network. Automatic configuration can be done for this connection.
Sizeable data for recovery can be transferred through the second NIC, included in the dedicated
backup network by means of static TCP/IP settings.
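The assignment order described above can be modeled to predict which adapter receives the static backup-network settings on a given machine. The following Python sketch is an added example, not code from the product. The NicSettings structure, the function names, and all MAC and IP values are constructed for illustration. It assumes that settings whose MAC address is not present on the booted machine are handed out in the order they were configured, which is this example's reading of the text above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NicSettings:
    """One preconfigured entry on the media (hypothetical structure)."""
    label: str
    mac: Optional[str] = None      # None: entry made for a non-existent NIC
    ip: Optional[str] = None       # None: leave the adapter on DHCP
    mask: Optional[str] = None
    gateway: Optional[str] = None


def _norm(mac: str) -> str:
    """Compare MAC addresses regardless of case or separator."""
    return mac.replace("-", ":").lower()


def assign_settings(detected_macs: List[str],
                    preconfigured: List[NicSettings]
                    ) -> List[Tuple[str, Optional[NicSettings]]]:
    """Return (mac, settings) per detected NIC, in slot order.

    detected_macs is sorted by slot, closest to the processor first.
    A result of None means the NIC falls back to DHCP auto configuration.
    """
    present = {_norm(m) for m in detected_macs}
    # Pass 1: entries whose MAC exists on this machine go to that NIC.
    known = {_norm(s.mac): s for s in preconfigured
             if s.mac and _norm(s.mac) in present}
    # Pass 2: every other entry is handed out top-down to the NICs left over
    # (assumption: unmatched MAC entries count as "non-existent NIC" entries).
    leftovers = iter(s for s in preconfigured
                     if not s.mac or _norm(s.mac) not in present)
    plan = []
    for mac in detected_macs:
        settings = known.get(_norm(mac))
        if settings is None:
            settings = next(leftovers, None)
        plan.append((mac, settings))
    return plan


def summarize(plan):
    """Flatten a plan to (mac, label, mode) tuples for review."""
    rows = []
    for mac, s in plan:
        if s is None:
            rows.append((mac, None, "dhcp"))
        else:
            rows.append((mac, s.label, "static" if s.ip else "dhcp"))
    return rows


# Constructed sample: media built on a machine with two adapters.
MEDIA = [
    NicSettings("NIC1 production", mac="02:00:00:00:00:01"),
    NicSettings("NIC2 backup", mac="02:00:00:00:00:02",
                ip="192.168.50.10", mask="255.255.255.0"),
]

if __name__ == "__main__":
    machines = {
        "build machine": ["02:00:00:00:00:01", "02:00:00:00:00:02"],
        "other machine": ["02:00:00:00:00:AA", "02:00:00:00:00:BB"],
        "one NIC reused": ["02:00:00:00:00:AA", "02:00:00:00:00:02",
                           "02:00:00:00:00:BB"],
    }
    for name, macs in machines.items():
        print(name)
        for row in summarize(assign_settings(macs, MEDIA)):
            print("  ", row)
```

Before booting the media on different hardware, compare the resulting plan with the cabling: under this model the static backup-network address follows slot order, so it can land on an adapter that is connected to the production network.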
Local connection
To operate directly on the machine booted from bootable media, click Manage this machine
locally in the startup window.
The changes that are made during a session will be lost after the machine reboots.
Adding VLANs
In the Network Settings window, you can add virtual local area networks (VLANs). Use this
functionality if you need access to a backup location that is included in a specific VLAN.
VLANs are mainly used to divide a local area network into segments. A NIC that is connected to an
access port of the switch always has access to the VLAN specified in the port configuration. A NIC
connected to a trunk port of the switch can access the VLANs allowed in the port configuration only
if you specify the VLANs in the network settings.
After you click OK, a new entry appears in the list of network adapters.
If you need to remove a VLAN, click the required VLAN entry, and then click Remove VLAN.
1. Under bootable media with a Windows-like volume representation, a volume has the same drive
letter as in Windows. Volumes that do not have drive letters in Windows (such as the System
Reserved volume) are assigned free letters in order of their sequence on the disk.
If the bootable media cannot detect Windows on the machine or detects more than one, all
volumes, including those without drive letters, are assigned letters in order of their sequence on
the disk. Thus, the volume letters may differ from those seen in Windows. For example, the D:
drive under the bootable media might correspond to the E: drive in Windows.
Note
It is advisable to assign unique names to the volumes.
2. The bootable media with a Linux-like volume representation shows local disks and volumes as
unmounted (sda1, sda2...).
If you do not want to follow this procedure every time you boot a given hardware configuration,
recreate the bootable media with the appropriate mode number (in the example above, vga=0x318)
specified in the Kernel parameters field.
Note
This feature is available with the Advanced Backup pack.
To see the bootable media in the Cyber Protect console, first you need to register it as described in
"Registering the bootable media" (p. 631).
After you register the media in the Cyber Protect console, it appears on the Devices > Bootable
media tab. A bootable media disappears from this tab when it has been offline for more than 30
days.
Important
You cannot update the bootable media remotely, on the Settings > Agents tab in the Cyber Protect
console.
To update the bootable media, create a new one, as described in the "Bootable Media Builder" (p.
619) section. Alternatively, download the ready-made media, by clicking your account icon
> Downloads > Bootable media in the Cyber Protect console.
1. On the Devices tab, go to the Bootable media group, and then select the media that you want
to use for data recovery.
2. Click Recovery.
3. Select the location, and then select the backup that you need. Note that backups are filtered by
location.
1. On the Devices tab, go to the Bootable media group, and then select the media that you want
to use for data recovery.
2. Click Reboot.
3. Confirm that you want to restart the machine booted with the media.
1. On the Devices tab, go to the Bootable media group, and then select the media that you want
to use for data recovery.
2. Click Shut down.
3. Confirm that you want to shut down the machine booted with the media.
1. On the Devices tab, go to the Bootable media group, and then select the media that you want
to use for data recovery.
2. Click Details, Activities, or Alerts to see the corresponding information.
1. On the Devices tab, go to the Bootable media group, and then select the media that you want
to use for data recovery.
2. Click Delete to delete the bootable media from the Cyber Protect console.
3. Confirm that you want to delete the bootable media.
Startup Recovery Manager is especially useful for traveling users. If a failure occurs, reboot the
machine, wait for the prompt Press F11 for Acronis Startup Recovery Manager to appear, and
then press F11. The program starts and you can perform recovery. On machines with the GRUB
boot loader installed, you select the Startup Recovery Manager from the boot menu, instead of
pressing F11 during a reboot.
To use Startup Recovery Manager, you have to activate it first. Thus, you enable the boot-time
prompt Press F11 for Acronis Startup Recovery Manager (or add the Startup Recovery
Manager item to GRUB menu if you use the GRUB boot loader).
You can activate Startup Recovery Manager on a machine that has a BitLocker-encrypted volume if
the machine has at least one other non-encrypted volume. The non-encrypted volume must have at
least 500 MB of free space. For recovery operations that require machine restart, the machine must
have an additional 500 MB of free space.
Important
If Startup Recovery Manager cannot be activated, the backup operations that create One-click
recovery backups will fail.
Unless you use the GRUB boot loader and it is installed in the Master Boot Record (MBR), Startup
Recovery Manager activation overwrites the MBR with its own boot code. Thus, you may need to
reactivate third-party boot loaders if such boot loaders are installed.
In Linux, when using a boot loader other than GRUB (such as LILO, for example), consider installing
it to a Linux root (or boot) partition boot record instead of the MBR, before activating Startup
Recovery Manager. Otherwise, reconfigure the boot loader manually after the activation.
To activate Startup Recovery Manager on a machine with Agent for Windows or Agent for Linux
1. In the Cyber Protect console, select the machine that you want to activate Startup Recovery
Manager on.
2. Click Details.
3. Enable the Startup Recovery Manager switch.
4. Wait while the software activates Startup Recovery Manager.
To deactivate Startup Recovery Manager, repeat the activation procedure and select the respective
opposite actions. The deactivation disables the boot-time prompt Press F11 for Acronis Startup
Recovery Manager (or the menu item in GRUB).
You can set up and configure disaster recovery in the following ways:
l Create a protection plan that includes the disaster recovery module and apply it to your devices.
This will automatically set up default disaster recovery infrastructure. See Create a disaster
recovery protection plan.
l Set up the disaster recovery cloud infrastructure manually and control each step. See "Setting up
recovery servers" (p. 682).
Note
Some features might require additional licensing, depending on the applied licensing model.
l Manage the Cyber Disaster Recovery Cloud service from a single console
l Extend up to 23 local networks to the cloud, by using a secure VPN tunnel
l Establish the connection to the cloud site without any VPN appliance [1] deployment (the cloud-only
mode)
l Establish the point-to-site connection to your local and cloud sites
l Protect your machines by using recovery servers in the cloud
l Protect applications and appliances by using primary servers in the cloud
l Perform automatic disaster recovery operations for encrypted backups
l Perform a test failover in the isolated network
l Use runbooks to spin up the production environment in the cloud
[1] [Disaster Recovery] A special virtual machine that enables connection between the local network and the cloud site
via a secure VPN tunnel. The VPN appliance is deployed on the local site.
Windows desktop operating systems are not supported due to Microsoft product terms.
The software may work with other Windows operating systems and Linux distributions, but this is
not guaranteed.
Note
Protection with a recovery server has been tested for Microsoft Azure VM with the following
operating systems.
The VPN appliance has been tested for the following virtualization platforms:
The software may work with other virtualization platforms and versions, but this is not guaranteed.
Limitations
The following platforms and configurations are not supported in Cyber Disaster Recovery Cloud:
1. Unsupported platforms:
l Agents for Virtuozzo
l macOS
2. Unsupported configurations:
Microsoft Windows
l Dynamic disks are not supported
l Windows desktop operating systems are not supported (due to Microsoft product terms)
l Active Directory service with FRS replication is not supported
l Removable media without either GPT or MBR formatting (so-called "superfloppy") are not
supported
Linux
l File systems without a partition table
l Linux workloads that are backed up with an agent from a guest OS and have volumes with the
following advanced Logical Volume Manager (LVM) configurations: Striped volumes, Mirrored
volumes, RAID 0, RAID 4, RAID 5, RAID 6, or RAID 10 volumes.
Important
If you create a recovery server from a backup that has a CDP recovery point, then during
failback or when creating a backup of the recovery server, you will lose the data contained in the CDP
recovery point.
A recovery server has one network interface. If the original machine has several network interfaces,
only one is emulated.
l You can use only 100 compute points. For more information about compute points, see
"Compute points".
l You can use only 1 TB of cold Acronis Cloud Storage for storing backups.
l No access to public internet for recovery and primary servers. You cannot assign public IP
addresses to the servers.
l IPsec Multi-site VPN is not available.
Compute points
In Disaster Recovery, compute points are used for primary servers and recovery servers during test
failover and production failover. Compute points reflect the compute resources used for running
the servers (virtual machines) in the cloud.
The consumption of compute points during disaster recovery depends on the server's parameters,
and the duration of the time period in which the server is in failover state. The more powerful the
server and the longer the time period, the more compute points will be consumed. And the more
compute points are consumed, the higher the price that you will be charged.
In the table below you can see eight different flavors for servers in the cloud. You can change the
flavors of the servers in the Details tab.
Flavor   CPU       RAM      Compute points per hour
F1       1 vCPU    2 GB     1
F2       1 vCPU    4 GB     2
F3       2 vCPU    8 GB     4
F4       4 vCPU    16 GB    8
F5       8 vCPU    32 GB    16
F6       16 vCPU   64 GB    32
F7       16 vCPU   128 GB   64
Using the information in the table, you can easily estimate how many compute points a server
(virtual machine) will consume.
For example, if you want to protect with Disaster Recovery one virtual machine with 4 vCPU* and 16
GB of RAM, and one virtual machine with 2 vCPU and 8 GB of RAM, the first virtual machine will
consume 8 compute points per hour, and the second virtual machine will consume 4 compute points per hour.
If both virtual machines are in failover, the total consumption will be 12 compute points per hour, or
288 compute points for the whole day (12 compute points x 24 hours = 288 compute points).
*vCPU refers to a physical central processing unit (CPU) that is assigned to a virtual machine and is a
time-dependent entity.
As a result, you have set up the disaster recovery functionality to protect your local servers from a
disaster.
If a disaster occurs, you can fail over the workload to the recovery servers in the cloud. At least one
recovery point must be created before failing over to recovery servers. When your local site is
recovered from a disaster, you can switch the workload back to your local site by performing
failback. For more information about the failback process, see "Performing failback to a virtual
machine" (p. 694) and "Performing failback to a physical machine" (p. 697).
By default, when creating a new protection plan, the Disaster Recovery module is disabled. After you
enable the disaster recovery functionality and apply the plan to your devices, the cloud network
infrastructure is created, including a recovery server for each protected device. The recovery server is
a virtual machine in the cloud that is a copy of the selected device. For each of the selected devices a
recovery server with default settings is created in a standby state (virtual machine not running). The
recovery server is sized automatically depending on the CPU and RAM of the protected device.
Default cloud network infrastructure is also created automatically: VPN gateway and networks on
the cloud site, to which the recovery servers are connected.
If you revoke, delete, or switch off the Disaster Recovery module of a protection plan, the recovery
servers and cloud networks are not deleted automatically. You can remove the disaster recovery
infrastructure manually, if needed.
Note
l After you configure disaster recovery, you will be able to perform a test or production failover
from any of the recovery points generated after the recovery server was created for the device.
Recovery points that were generated before the device was protected with disaster recovery (e.g.
before the recovery server was created) cannot be used for failover.
l A disaster recovery protection plan cannot be enabled if the IP address of a device cannot be
detected. For example, when virtual machines are backed up agentless and are not assigned an
IP address.
l When you apply a protection plan, the same networks and IP addresses are assigned in the cloud
site. The IPsec VPN connectivity requires that network segments of the cloud and local sites do
not overlap. If a Multi-site IPsec VPN connectivity is configured, and you apply a protection plan
to one or several devices later, you must additionally update the cloud networks and reassign the
IP addresses of the cloud servers. For more information, see "Reassigning IP addresses" (p. 672).
What to do next
l You can edit the default configuration of the recovery server. For more information, see "Setting
up recovery servers" (p. 682).
l You can edit the default networking configuration. For more information, see "Setting up
connectivity" (p. 647).
l You can learn more about the recovery server default parameters and the cloud network
infrastructure. For more information, see "Editing the Recovery server default parameters" (p.
645) and "Cloud network infrastructure" (p. 646).
Note
A recovery server is created only if it does not exist. Existing recovery servers are not changed or
recreated.
Recovery server parameter: CPU and RAM
Default value: auto
Description: The number of virtual CPUs and the amount of RAM for the recovery server. The default
settings will be automatically determined based on the original device CPU and RAM configuration.
Recovery server parameter: IP address in production network
Default value: auto
Description: The IP address that the server will have in the production network. By default, the IP
address of the original machine is set.
Recovery server parameter: Test IP address
Default value: disabled
Description: Test IP address gives you the capability to test a failover in the isolated test network
and to connect to the recovery server via RDP or SSH during a test failover. In the test failover mode,
the VPN gateway will replace the test IP address with the production IP address by using the NAT
protocol. If a test IP address is not specified, the console will be the only way to access the server
during a test failover.
Recovery server parameter: Internet Access
Default value: enabled
Description: Enable the recovery server to access the Internet during a real or test failover. By
default, TCP port 25 is denied for outbound connections.
Recovery server parameter: Use Public address
Default value: disabled
Description: Having a public IP address makes the recovery server available from the Internet during a
failover or test failover. If you do not use a public IP address, the server will be available only in
your production network. To use a public IP address, you must enable internet access. The public IP
address will be shown after you complete the configuration. By default, TCP port 443 is open for
inbound connections.
Recovery server parameter: Set RPO threshold
Default value: disabled
Description: RPO threshold defines the maximum allowable time interval between the last recovery point
and the current time. The value can be set within 15 – 60 minutes, 1 – 24 hours, 1 – 14 days.
Note
Applying a disaster recovery protection plan creates recovery cloud network infrastructure only if it
does not exist. Existing cloud networks are not changed or recreated.
The system checks the devices' IP addresses and, if there are no existing cloud networks where an IP
address fits, it automatically creates suitable cloud networks. If you already have existing cloud
l If you do not have existing cloud networks or you set up the disaster recovery configuration for the
first time, the cloud networks will be created with maximum ranges recommended by IANA for
private use (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) based on your devices' IP address range.
You can narrow your network by editing the network mask.
l If you have devices on multiple local networks, the network on the cloud site may become a
superset of the local networks. You may reconfigure networks in the Connectivity section. See
"Managing networks" (p. 666).
l If you need to set up Site-to-site Open VPN connectivity, download the VPN appliance and set
it up. See "Configuring Site-to-site Open VPN" (p. 658). Make sure your cloud network ranges match
your local network ranges connected to the VPN appliance.
l To change the default network configuration, click the Go to connectivity link on the Disaster
Recovery module of the Protection plan, or navigate to Disaster Recovery > Connectivity.
Setting up connectivity
This section explains the network concepts necessary for you to understand how it all works in
Cyber Disaster Recovery Cloud. You will learn how to configure different types of connectivity to the
cloud site, depending on your needs. Finally, you will learn how to manage your networks in the
cloud and manage the settings of the VPN appliance and VPN gateway.
Networking concepts
Note
Some features might require additional licensing, depending on the applied licensing model.
With Cyber Disaster Recovery Cloud you can define the following connectivity types to the cloud site:
l Cloud-only mode
This type of connection does not require a VPN appliance deployment on the local site.
The local and cloud networks are independent networks. This type of connection implies either
the failover of all the local site's protected servers or partial failover of independent servers that
do not need to communicate with the local site.
Cloud servers on the cloud site are accessible through the point-to-site VPN, and public IP
addresses (if assigned).
l Site-to-site Open VPN connection
This type of connection requires a VPN appliance deployment on the local site.
The Site-to-site Open VPN connection allows you to extend your networks to the cloud and retain the
IP addresses.
Your local site is connected to the cloud site by means of a secure VPN tunnel. This type of
connection is suitable in case you have tightly dependent servers on the local site, such as a web
Cloud-only mode
The cloud-only mode does not require a VPN appliance deployment on the local site. It implies that
you have two independent networks: one on the local site, another on the cloud site. Routing is
performed with the router on the cloud site.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
To understand how networking works in Cyber Disaster Recovery Cloud, we will consider a case
when you have three networks with one machine each in the local site. You are going to configure
the protection from a disaster for the two networks – Network 10 and Network 20.
On the diagram below, you can see the local site where your machines are hosted, and the cloud
site where the cloud servers are launched in case of a disaster.
With the Cyber Disaster Recovery Cloud solution you can fail over all the workload from the
corrupted machines in the local site to the cloud servers in the cloud. You can protect up to 23
networks with Cyber Disaster Recovery Cloud.
For each source machine to be protected, you must create a recovery server on the cloud site. It
stays in the Standby state until a failover event happens. If a disaster happens and you start a
failover process (in the production mode), the recovery server representing the exact copy of your
protected machine is launched in the cloud. It may be assigned the same IP address as the source
machine and it can be launched in the same Ethernet segment. Your clients can continue working
with the server, without noticing any background changes.
You can also start a failover process in the test mode. This means that the source machine is still
working and at the same time the respective recovery server with the same IP address is launched
in the cloud. To prevent IP address conflicts, a special virtual network is created in the cloud – test
network. The test network is isolated to prevent duplication of the source machine IP address in
one Ethernet segment. To access the recovery server in the test failover mode, when you create a
VPN gateway
The major component that allows communication between the local and cloud sites is the VPN
gateway. It is a virtual machine in the cloud on which special software is installed and the network is
specifically configured. The VPN gateway has the following functions:
l Connects the Ethernet segments of your local network and production network in the cloud in
the L2 mode.
l Provides iptables and ebtables rules.
l Works as a default router and NAT for the machines in the test and production networks.
l Works as a DHCP server. All machines in the production and test networks get the network
configuration (IP addresses, DNS settings) via DHCP. A cloud server gets the same IP
address from the DHCP server every time. If you need to set up a custom DNS configuration, you should
contact the support team.
l Works as a caching DNS.
In addition, two virtual interfaces are added for Point-to-site and Site-to-site connections.
When the VPN gateway is deployed and initialized, the bridges are created – one for the external
interface, and one for the client and production interfaces. Though the client-production bridge and
the test interface use the same IP addresses, the VPN gateway can route packets correctly by using
a specific technique.
VPN appliance
The VPN appliance is a virtual machine on the local site with Linux that has special software
installed, and a special network configuration. It allows communication between the local and cloud
sites.
When creating a recovery server, you must specify the following network parameters:
l Cloud network (required): a cloud network to which a recovery server will be connected.
l IP address in production network (required): an IP address with which a virtual machine for a
recovery server will be launched. This address is used in both the production and test networks.
Before launching, the virtual machine is configured for getting the IP address via DHCP.
l Test IP address (optional): an IP address to access a recovery server from the client-production
network during the test failover, to prevent the production IP address from being duplicated in
the same network. This IP address is different from the IP address in the production network.
Servers in the local site can reach the recovery server during the test failover via the test IP
address, while access in the reverse direction is not available. Internet access from the recovery
server in the test network is available if the Internet access option was selected during the
recovery server creation.
l Public IP address (optional): an IP address to access a recovery server from the Internet. If a
server has no public IP address, it can be reached only from the local network.
l Internet access (optional): it allows a recovery server to access the Internet (in both the
production and test failover cases).
Primary servers
A primary server is a virtual machine that, unlike a recovery server, does not have a linked machine
on the local site. Primary servers are used for protecting an application by
replication, or running various auxiliary services (such as a web server).
Typically, a primary server is used for real-time data replication across servers running crucial
applications. You set up the replication by yourself, using the application's native tools. For example,
Active Directory replication, or SQL replication, can be configured among the local servers and the
primary server.
Alternatively, a primary server can be included in an AlwaysOn Availability Group (AAG) or Database
Availability Group (DAG).
Both methods require deep knowledge of the application and administrator rights. A primary
server constantly consumes computing resources and space on the fast disaster recovery storage. It
needs maintenance on your side: monitoring the replication, installing software updates, and
backing up. The benefits are the minimal RPO and RTO with a minimal load on the production
environment (as compared to backing up entire servers to the cloud).
Primary servers are always launched only in the production network and have the following network
parameters:
Note
The availability of this feature depends on the service quotas that are enabled for your account.
You can use the Multi-site IPsec VPN connectivity to connect a single local site, or multiple local sites
to the Cyber Disaster Recovery Cloud through a secure L3 IPsec VPN connection.
This connectivity type is useful for Disaster Recovery scenarios if you have one of the following use
cases:
To establish a Multi-site IPsec VPN communication between the local sites and the cloud site, a VPN
gateway is used. When you start configuring the Multi-site IPsec VPN connection in the Cyber
Protect console, the VPN gateway is automatically deployed in the cloud site. You should configure
the cloud network segments and make sure that they do not overlap with the local network
segments. A secure VPN tunnel is established between local sites and the cloud site. The local and
cloud servers can communicate through this VPN tunnel as if they are all in the same Ethernet
segment.
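The non-overlap requirement for Multi-site IPsec VPN, together with the default private-use ranges described earlier, can be checked before the connection is configured. The following Python sketch is an added example, not part of the product. The function names and all addresses are constructed, and it assumes that the default cloud network for a device is the private-use range that contains the device's IP address.

```python
import ipaddress
from typing import List, Optional, Tuple

# Private-use ranges that this guide names as defaults for new cloud networks.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def default_cloud_network(device_ip: str) -> Optional[ipaddress.IPv4Network]:
    """Private-use range containing device_ip, or None if there is none.

    Assumption of this example: the automatically created cloud network is
    the whole range into which the device address falls.
    """
    addr = ipaddress.ip_address(device_ip)
    for net in PRIVATE_RANGES:
        if addr in net:
            return net
    return None


def find_overlaps(cloud_segments: List[str],
                  local_segments: List[str]) -> List[Tuple[str, str]]:
    """Return every (cloud, local) pair of segments that share addresses.

    strict=False accepts input such as 192.168.1.10/24 and normalizes it
    to the network it belongs to.
    """
    cloud = [ipaddress.ip_network(c, strict=False) for c in cloud_segments]
    local = [ipaddress.ip_network(l, strict=False) for l in local_segments]
    return [(str(c), str(l)) for c in cloud for l in local if c.overlaps(l)]


def ipsec_preflight(device_ips: List[str],
                    local_segments: List[str],
                    cloud_segments: Optional[List[str]] = None) -> List[str]:
    """List findings that would violate the non-overlap requirement.

    If cloud_segments is omitted, the default networks derived from the
    device addresses are checked instead.
    """
    findings = []
    if cloud_segments is None:
        cloud_segments = []
        for ip in device_ips:
            net = default_cloud_network(ip)
            if net is None:
                findings.append(f"{ip}: not in a private-use range, "
                                "no default cloud network")
            elif str(net) not in cloud_segments:
                cloud_segments.append(str(net))
    for cloud, local in find_overlaps(cloud_segments, local_segments):
        findings.append(f"cloud {cloud} overlaps local {local}")
    return findings


# Constructed sample: two protected devices and two local segments.
DEVICES = ["10.0.10.5", "10.0.10.77"]
LOCAL = ["10.0.10.0/24", "192.168.1.0/24"]

if __name__ == "__main__":
    print("default cloud networks:", ipsec_preflight(DEVICES, LOCAL))
    print("reassigned cloud network:",
          ipsec_preflight(DEVICES, LOCAL, ["172.16.10.0/24"]))
```

Under this assumption, the default range always contains the protected device's own local segment, which is why the cloud networks must be updated and the cloud server IP addresses reassigned when Multi-site IPsec VPN is used.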
For each source machine to be protected, you must create a recovery server on the cloud site. It
stays in the Standby state until a failover event happens. If a disaster happens and you start a
failover process (in the production mode), the recovery server representing the exact copy of your
protected machine is launched in the cloud. Your clients can continue working with the server,
without noticing any background changes.
You can also launch a failover process in the test mode. This means that the source machine is still
working and at the same time the respective recovery server is launched in the cloud in a special
virtual network that is created in the cloud – test network. The test network is isolated to prevent
duplication of IP addresses in the other cloud network segments.
l Connects the Ethernet segments of your local network and production network in the cloud in
the L3 IPsec mode.
l Works as a default router and NAT for the machines in the test and production networks.
l Works as a DHCP server. All machines in the production and test networks get the network
configuration (IP addresses, DNS settings) via DHCP. A cloud server gets the same IP
address from the DHCP server every time.
If you prefer, you can set up a custom DNS configuration. For more information, see "Configuring
custom DNS servers" (p. 673).
l Works as a caching DNS.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
The Point-to-site connection is a secure connection from the outside by using your endpoint devices
(such as a computer or laptop) to the cloud and local sites through a VPN. It is available after you
establish a Site-to-site Open VPN connection to the Cyber Disaster Recovery Cloud site. This type of
connection is useful in the following cases:
l In many companies, the corporate services and web resources are available only from the
corporate network. You can use the Point-to-site connection to securely connect to the local site.
l In case of a disaster, when a workload is switched to the cloud site and your local network is
down, you may need direct access to your cloud servers. This is possible through the Point-to-site
connection to the cloud site.
For the Point-to-site connection to the local site, you need to install the VPN appliance on the local
site, configure the Site-to-site connection, and then the Point-to-site connection to the local site.
Thus, your remote employees will have access to the corporate network through L2 VPN.
The scheme below shows the local site, cloud site, and communications between servers
highlighted in green. The L2 VPN tunnel connects your local and cloud sites. When a user establishes
a Point-to-site connection, the communications to the local site are performed through the cloud
site.
l Users should use their Cyber Protect Cloud credentials to authenticate in the VPN client. They
must have either a "Company Administrator" or a "Cyber Protection" user role.
l If you re-generated the OpenVPN configuration, you need to provide the updated configuration
to all of the users using the Point-to-site connection to the cloud site.
The following criteria are used to define if the customer tenant is active:
l Currently, there is at least one cloud server or there were cloud server(s) in the last seven days.
OR
l The VPN access to local site option is enabled and either the Site-to-site Open VPN tunnel is
established or data has been reported from the VPN appliance in the last 7 days.
All other tenants are considered inactive. For such tenants, the system performs
the following:
l Deletes the VPN gateway and all cloud resources related to the tenant.
l Unregisters the VPN appliance.
The inactive tenants are rolled back to their state before the connectivity was configured.
To learn how to manage your networks in the cloud and set up the VPN gateway settings, refer to
"Managing cloud networks".
Note
The availability of this feature depends on the service quotas that are enabled for your account.
System requirements
l 1 CPU
l 1 GB RAM
l 8 GB disk space
Ports
l TCP 443 (outbound) – for VPN connection
l TCP 80 (outbound) – for automatic update of the appliance
Ensure that your firewalls and other components of your network security system allow connections
through these ports to any IP address.
Note
The VPN gateway is provided without additional charge. It will be deleted if the Disaster
Recovery functionality is not used, i.e. no primary or recovery server is present in the cloud for
seven days.
3. In the VPN appliance block, click Download and deploy. Depending on the virtualization
platform you are using, download the VPN appliance for VMware vSphere or Microsoft Hyper-V.
4. Deploy the appliance and connect it to the production networks.
In vSphere, ensure that Promiscuous mode and Forged transmits are enabled and set to
Accept for all virtual switches that connect the VPN appliance to the production networks. To
access these settings, in vSphere Client, select the host > Summary > Network, and then select
the switch > Edit settings... > Security.
In Hyper-V, create a Generation 1 virtual machine with 1024 MB of memory. Also, we
recommend that you enable Dynamic Memory for the machine. Once the machine is created,
go to Settings > Hardware > Network Adapter > Advanced Features and select the Enable
MAC address spoofing check box.
5. Power on the appliance.
6. Open the appliance console and log in with the "admin"/"admin" user name and password.
7. [Optional] Change the password.
8. [Optional] Change the network settings if needed. Define which interface will be used as the
WAN for Internet connection.
9. Register the appliance in the Cyber Protection service by using the credentials of the company
administrator.
These credentials are only used once to retrieve the certificate. The data center URL is
predefined.
Note
If two-factor authentication is configured for your account, you will also be prompted to enter
the TOTP code. If two-factor authentication is enabled but not configured for your account, you
cannot register the VPN appliance. First, you must go to the Cyber Protect console login page
and complete the two-factor authentication configuration for your account. For more details on
two-factor authentication, go to the Management Portal Administrator's Guide.
Once the configuration is complete, the appliance will have the Online status. The appliance
connects to the VPN gateway and starts to report information about networks from all active
interfaces to the Cyber Disaster Recovery Cloud service. The Cyber Protect console shows the
interfaces, based on the information from the VPN appliance.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
You can configure a Multi-site IPsec VPN connection in the following two ways:
Note
The availability of this feature depends on the service quotas that are enabled for your account.
After you configure a Multi-site IPsec VPN, you must configure the cloud site and the local sites
settings on the Disaster Recovery > Connectivity tab.
Prerequisites
l Multi-site IPsec VPN connectivity is configured. For more information about configuring the Multi-
site IPsec VPN connectivity, see "Configuring Multi-site IPsec VPN" (p. 660).
l Each local IPsec VPN gateway has a public IP address.
Note
When you add a cloud network, a corresponding test network is added automatically with
the same network address and mask for performing test failovers. The cloud servers in the
test network have the same IP addresses as the ones in the cloud production network. If you
need to access a cloud server from the production network during a test failover, when you
create a recovery server, assign it a second test IP address.
Note
You must use the same pre-shared key for the local and the cloud VPN gateways.
g. Click IPsec/IKE security settings to configure the settings. For more information about the
settings that you can configure, see "IPsec/IKE security settings" (p. 662).
Note
The availability of this feature depends on the service quotas that are enabled for your account.
When you configure the local sites for your Multi-site IPsec VPN connectivity, consider the following
recommendations:
l For each IKE Phase, set at least one of the values that are configured in the cloud site for the
following parameters: Encryption algorithm, Hash algorithm, and Diffie-Hellman group numbers.
l Enable Perfect forward secrecy with at least one of the values for Diffie-Hellman group numbers
that is configured in the cloud site for IKE Phase 2.
l Configure the same Lifetime value for IKE Phase 1 and IKE Phase 2 as in the cloud site.
l Configurations with NAT traversal (NAT-T) are not supported. Disable the NAT-T configuration on
the local site. Otherwise, the additional UDP encapsulation cannot be negotiated.
l The Startup action configuration defines which side initiates the connection. The default value
Add means that the local site initiates the connection, and the cloud site waits for the
connection initiation. Change the value to Start if you want the cloud site to initiate the
connection, or to Route if you want both sides to be able to initiate the connection (suitable
for firewalls that support the route option).
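The recommendations above can be checked mechanically before you try to bring the tunnel up. The following Python sketch is an added example, not part of the product: the Site and Phase structures and all sample algorithm names, group numbers, and lifetimes are constructed for illustration.

```python
"""Compare a local IPsec gateway's settings with the cloud site's settings."""
from dataclasses import dataclass, field


@dataclass
class Phase:
    encryption: set   # Encryption algorithm values
    hashes: set       # Hash algorithm values
    dh_groups: set    # Diffie-Hellman group numbers
    lifetime: int     # Lifetime in seconds


@dataclass
class Site:
    phase1: Phase
    phase2: Phase
    pfs_groups: set = field(default_factory=set)  # empty set = PFS disabled
    nat_traversal: bool = False


PARAMETERS = (
    ("Encryption algorithm", "encryption"),
    ("Hash algorithm", "hashes"),
    ("Diffie-Hellman group numbers", "dh_groups"),
)


def check_local_site(cloud: Site, local: Site) -> list:
    """Return one finding per recommendation that the local site does not meet."""
    findings = []
    for phase_name in ("phase1", "phase2"):
        cloud_phase = getattr(cloud, phase_name)
        local_phase = getattr(local, phase_name)
        label = "IKE Phase " + phase_name[-1]
        # At least one value per parameter must also be configured in the cloud site.
        for title, attr in PARAMETERS:
            if not getattr(cloud_phase, attr) & getattr(local_phase, attr):
                findings.append(f"{label}: no common {title} value")
        # Lifetime must be the same on both sides.
        if cloud_phase.lifetime != local_phase.lifetime:
            findings.append(
                f"{label}: Lifetime {local_phase.lifetime}s differs from "
                f"cloud site ({cloud_phase.lifetime}s)")
    # PFS must be enabled with a group that the cloud site uses in IKE Phase 2.
    if not local.pfs_groups:
        findings.append("Perfect forward secrecy is disabled")
    elif not local.pfs_groups & cloud.phase2.dh_groups:
        findings.append("Perfect forward secrecy: group not configured in "
                        "cloud site IKE Phase 2")
    # NAT-T is not supported and must be disabled on the local site.
    if local.nat_traversal:
        findings.append("NAT-T is enabled; it is not supported")
    return findings


# Constructed sample values (not taken from the product's defaults).
CLOUD = Site(
    phase1=Phase({"AES256", "AES128"}, {"SHA256", "SHA384"}, {14, 19}, 28800),
    phase2=Phase({"AES256"}, {"SHA256"}, {14, 19}, 3600),
)
GOOD_LOCAL = Site(
    phase1=Phase({"AES256"}, {"SHA256"}, {14}, 28800),
    phase2=Phase({"AES256"}, {"SHA256"}, {19}, 3600),
    pfs_groups={19},
)
BAD_LOCAL = Site(
    phase1=Phase({"AES256"}, {"SHA1"}, {14}, 28800),
    phase2=Phase({"AES256"}, {"SHA256"}, {14}, 7200),
    pfs_groups={2},
    nat_traversal=True,
)

if __name__ == "__main__":
    for name, site in (("good", GOOD_LOCAL), ("bad", BAD_LOCAL)):
        print(name, check_local_site(CLOUD, site) or "compatible")
```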
For more information and configuration examples for different solutions, see:
Note
The availability of this feature depends on the service quotas that are enabled for your account.
The following table provides more information about the IPsec/IKE security parameters.
Hash algorithm - The hash algorithm that will be used to verify the data integrity and
authenticity. By default, all algorithms are selected. You must configure at least one of the
selected algorithms on your local gateway device for each IKE phase.
Rekey margin time (seconds) - The margin time before connection expiration or keying-channel
expiration, during which the local side of the VPN connection attempts to negotiate a
replacement. The exact time of the rekey is randomly selected based on the value of Rekey
fuzz. Relevant only locally, the remote side does
Replay window size (packet) - The IPsec replay window size for this connection.
DPD timeout (seconds) - Time after which a dead peer detection (DPD) timeout occurs. You can
specify value 30 or higher. The default value is 30.
Dead peer detection (DPD) timeout action - The action to take after a dead peer detection
(DPD) timeout occurs.
With custom DNS you can set your own custom DNS server for all cloud servers. For more
information, see "Configuring custom DNS servers" (p. 673).
The recommendations for a dedicated AD DC instance that is configured as a primary server in the
cloud site are the following:
Note
The availability of this feature depends on the service quotas that are enabled for your account.
If you need to connect to your local site remotely, you can configure the Point-to-site connection to
the local site. You can follow the procedure below or watch the video tutorial.
Prerequisites
l A Site-to-site Open VPN connectivity is configured.
l The VPN appliance is installed on the local site.
Important
If you enabled two-factor authentication for your account, you need to re-generate the
configuration file and renew it for your existing OpenVPN clients. Users must re-log in to Cyber
Protect Cloud to set up two-factor authentication for their accounts.
As a result, your user will be able to connect to machines on the local site.
Network management
This section describes network management scenarios.
Managing networks
Note
Some features might require additional licensing, depending on the applied licensing model.
1. On the VPN appliance, set up the new network interface with the local network that you want to
extend in the cloud.
2. Log in to the VPN appliance console.
3. In the Networking section, set up network settings for the new interface.
As a result, the local network extension to the cloud via a secure VPN tunnel will be stopped. This
network will operate as an independent cloud segment. If this interface is used to pass the traffic
from (to) the cloud site, all of your network connections from (to) the cloud site will be disconnected.
Cloud-only mode
You can have up to 23 networks in the cloud.
As a result, the additional cloud network with the defined address and mask will be created on the
cloud site.
Note
You cannot delete a cloud network if there is at least one cloud server in it. First, delete the cloud
server, and then delete the network.
IP address reconfiguration
For proper disaster recovery performance, the IP addresses assigned to the local and cloud servers
must be consistent. If there is any inconsistency or mismatch in IP addresses, you will see the
exclamation mark next to the corresponding network in Disaster Recovery > Connectivity.
1. A recovery server was migrated from one network to another or the network mask of the cloud
network was changed. As a result, cloud servers have the IP addresses from networks to which
they are not connected.
2. The connectivity type was switched from one without Site-to-site connection to a Site-to-site
connection. As a result, a local server is placed in the network different from the one that was
created for the recovery server on the cloud site.
3. The connectivity type was switched from Site-to-site Open VPN to Multi-site IPsec VPN, or from
Multi-site IPsec VPN to Site-to-site Open VPN. For more information about this scenario, see
Switching connections and Reassigning IP addresses.
4. Editing the following network parameters on the VPN appliance site:
l Adding an interface via the network settings
l Editing the network mask manually via the interface settings
l Editing the network mask via DHCP
l Editing the network address and mask manually via the interface settings
l Editing the network mask and address via DHCP
As a result of the actions listed above, the network on the cloud site may become a subset or
superset of the local network, or the VPN appliance interface may report the same network
settings for different interfaces.
When you create a disaster recovery protection plan and apply it on selected devices, the system
checks the devices' IP addresses and automatically creates cloud networks if there are no existing
cloud networks that the IP addresses fit. By default, the cloud networks are configured with the
maximum ranges recommended by IANA for private use (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
You can narrow your network by editing the network mask.
If the selected devices were on multiple local networks, the network on the cloud site may
become a superset of the local networks. In this case, to reconfigure cloud networks:
1. Click the cloud network that requires network size reconfiguration and then click Edit.
2. Reconfigure the network size with the correct settings.
3. Create other required networks.
4. Click the notification icon next to the number of devices connected to the network.
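The mismatches listed in this section (a cloud network that is a subset or superset of a local network, the same network settings reported for different interfaces, and cloud servers with addresses outside the network they are connected to) can be found with a short audit script. The following Python sketch is an added example, not part of the product; the interface names, server names, and addresses are constructed.

```python
"""Find IP address inconsistencies between cloud networks and local networks."""
import ipaddress
from collections import defaultdict


def relation(cloud_cidr: str, local_cidr: str) -> str:
    """Describe the cloud network relative to a local network."""
    cloud = ipaddress.IPv4Network(cloud_cidr)
    local = ipaddress.IPv4Network(local_cidr)
    if cloud == local:
        return "match"
    if local.subnet_of(cloud):
        return "superset"   # the cloud network is wider than the local one
    if cloud.subnet_of(local):
        return "subset"     # the cloud network is narrower than the local one
    return "disjoint"       # CIDR networks either nest or do not overlap at all


def audit(cloud_networks, interfaces, servers) -> list:
    """cloud_networks: list of CIDR strings.
    interfaces: {interface name: CIDR reported by the VPN appliance}.
    servers: {server name: (CIDR of the connected cloud network, server IP)}.
    """
    findings = []

    # The same network settings reported for different interfaces.
    by_network = defaultdict(list)
    for name, cidr in interfaces.items():
        by_network[ipaddress.IPv4Network(cidr)].append(name)
    for network, names in by_network.items():
        if len(names) > 1:
            findings.append(
                f"{network} reported by interfaces {', '.join(sorted(names))}")

    # Cloud networks that are a subset or superset of a local network.
    for cloud in cloud_networks:
        for network in by_network:
            rel = relation(cloud, str(network))
            if rel in ("superset", "subset"):
                findings.append(
                    f"cloud network {cloud} is a {rel} of local network {network}")

    # Cloud servers whose IP address is outside the network they are connected to.
    for server, (cidr, ip) in servers.items():
        if ipaddress.IPv4Address(ip) not in ipaddress.IPv4Network(cidr):
            findings.append(f"server {server}: {ip} is outside cloud network {cidr}")
    return findings


# Constructed sample data.
CLOUD_NETWORKS = ["10.0.0.0/8"]
INTERFACES = {"eth1": "10.1.0.0/24", "eth2": "10.2.0.0/24", "eth3": "10.2.0.0/24"}
SERVERS = {
    "srv-a": ("10.0.0.0/8", "10.1.0.15"),
    "srv-b": ("10.0.0.0/8", "192.168.7.20"),
}

if __name__ == "__main__":
    for finding in audit(CLOUD_NETWORKS, INTERFACES, SERVERS):
        print(finding)
```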
Note
The availability of this feature depends on the service quotas that are enabled for your account.
In the Cyber Protect console (Disaster Recovery > Connectivity), you can:
To access these settings, click the i icon in the VPN appliance block.
Reinstalling the VPN gateway process includes the following automatic actions: deleting the existing
VPN gateway virtual machine completely, installing a new virtual machine from the template, and
applying the settings of the previous VPN gateway on the new virtual machine.
Prerequisites:
One of the connectivity types to the cloud site must be set.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
l If you need the cloud servers on the cloud site to communicate with servers on the local site.
l After a failover to the cloud, the local infrastructure is recovered, and you want to fail back your
servers to the local site.
As a result, the site-to-site VPN connection is enabled between the local and cloud sites. The Cyber
Disaster Recovery Cloud service gets the network settings from the VPN appliance and extends the
local networks to the cloud site.
If you do not need cloud servers on the cloud site to communicate with servers on the local site, you
can disable the Site-to-site connection.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
You can easily switch from a Site-to-site Open VPN connection to a Multi-site IPsec VPN connection,
and from a Multi-site IPsec VPN connection to a Site-to-site Open VPN connection.
When you switch the connectivity type, the active VPN connections are deleted, but the cloud
servers and network configurations are preserved. However, you will still need to reassign the
IP addresses of the cloud networks and servers.
The following table compares the basic characteristics of the Site-to-site Open VPN connection and
the Multi-site IPsec VPN connection.
Network segments
Site-to-site Open VPN - Extends the local network to the cloud network
Multi-site IPsec VPN - Local networks and cloud network segments should not overlap
To switch from a Site-to-site Open VPN connection to a Multi-site IPsec VPN connection
To switch from a Multi-site IPsec VPN connection to a Site-to-site Open VPN connection
Reassigning IP addresses
Note
The availability of this feature depends on the service quotas that are enabled for your account.
You must reassign the IP addresses of the cloud networks and the cloud servers in order to
complete the configuration in the following cases:
l After you switch from Site-to-site Open VPN to Multi-site IPsec VPN, or the opposite.
l After you apply a protection plan (if the Multi-site IPsec VPN connectivity is configured).
After you reassign the IP address of a cloud network, you must reassign the cloud servers that
belong to the reassigned cloud network.
1. In the Connectivity tab, click the IP address of the server in the cloud network.
2. In the Servers pop-up, click Change IP address.
3. In the Change IP address pop-up, type the new IP address of the server, or use the
automatically generated IP address which is part of the reassigned cloud network.
Note
Cyber Disaster Recovery Cloud automatically assigns IP addresses from the cloud network to all
cloud servers that were part of the cloud network before the reassignment of the network IP
address. You can use the suggested IP addresses to reassign the IP addresses of all the cloud
servers at once.
4. Click Confirm.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
When you configure a connectivity, Cyber Disaster Recovery Cloud creates your cloud network
infrastructure. The cloud DHCP server automatically assigns default DNS servers to the recovery
servers and primary servers, but you can change the default settings and configure custom
DNS servers. The new DNS settings will be applied at the time of the next request to the DHCP
server.
Prerequisites:
One of the connectivity types to the cloud site must be set.
Note
After you add the custom DNS servers, you can also add the default DNS servers. In that way, if
the custom DNS servers are unavailable, Cyber Disaster Recovery Cloud will use the default
DNS servers.
7. Click Done.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
You can delete DNS servers from the custom DNS list.
Prerequisites:
Custom DNS servers are configured.
Note
The delete operation is disabled when only one custom DNS server is available. If you want to
delete all custom DNS servers, select Default (provided by Cloud Site) .
5. Click Done.
1. Go to Disaster Recovery > Connectivity.
2. Click Show properties, and then click Local routing.
As a result, the servers from the specified local networks can communicate with the cloud servers.
Prerequisites:
Note
The availability of this feature depends on the service quotas that are enabled for your account.
In the Cyber Protect console, go to Disaster Recovery > Connectivity and then click Show
properties in the upper right corner.
Re-generate configuration
You can re-generate the configuration file for the OpenVPN client.
As soon as the configuration file is updated, connecting by means of the old configuration file
is no longer possible. Make sure to distribute the new file among the users who are allowed to use
the Point-to-site connection.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
You can view all active point-to-site connections in Disaster recovery > Connectivity. Click the
machine icon on the blue Point-to-site line and you will see the detailed information about active
point-to-site connections grouped by the user name.
The following list describes the log files that are part of the .zip archive, and the information that
they contain.
dnsmasq.config.txt - The file contains information about the configuration of the service that
provides DNS and DHCP addresses.
dnsmsq.leases.txt - The file contains information about the current DHCP address leases.
ip.txt - The file contains the logs from the configuration of the network interfaces, including their
names which can be used in the configuration of the Capturing network packets settings.
NetworkManager_status.txt - The file contains information about the status of the NetworkManager
service.
openvpn@p2s_status.txt - The file contains information about the status of the VPN tunnels.
resolf.conf.txt - The file contains information about the configuration of the DNS servers.
uname.txt - The file contains information about the current version of the kernel of the operating
system.
uptime.txt - The file contains information about the length of time for which the operating
system has not been restarted.
vpnserver_status.txt - The file contains information about the status of the VPN server.
For more information about log files that are specific to the IPsec VPN connectivity, see "Multi-site
IPSec VPN log files" (p. 682).
1. On the Connectivity page, click the gear icon next to the VPN appliance.
2. Click Download log.
3. [Optional] Select Capture network packets, and configure the settings. For more information,
see "Capturing network packets" (p. 679).
4. Click Done.
5. When the .zip archive is ready for download, click Download log, and save it locally.
1. On the Connectivity page, click the gear icon next to the VPN gateway.
2. Click Download log.
3. [Optional] Select Capture network packets, and then configure the settings. For more
information, see "Capturing network packets" (p. 679).
4. Click Done.
5. When the .zip archive is ready for download, click Download log, and save it locally.
After 32000 network packets are collected, or the time limit is reached, the capture stops, and
the results are written to a .libpcap file that is added to the logs .zip archive.
The following table provides more information about the Capture network packets settings that
you can configure.
Setting - Description
Network interface name - The network interface on which to capture network packets. If you want
to capture network packets on all network interfaces, select Any.
Time limit (seconds) - The time limit for capturing network packets. The maximum value you can
set is 1800.
You can enter a string containing protocols, ports, directions, and their
combinations, separated by space, such as: "and", "or", "not", " ( ", " ) ", "src",
"dst", "net", "host", "port", "ip", "tcp", "udp", "icmp", "arp", "esp".
If you want to use brackets, surround them with spaces. You can also enter IP
addresses and network addresses, for example: "icmp or arp" and "port 67 or
68".
For more information about the values that you can enter, see the Linux
tcpdump help.
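The filter rules described above can be checked before a capture is requested. The following Python sketch is an added example, not the product's own validation. It assumes that the listed words form the complete allow-list, that bare numbers are port numbers, and that networks are written in CIDR notation.

```python
"""Validate a capture filter string against the token rules described above."""
import ipaddress

# Words listed in the guide. Treating them as a complete allow-list is an assumption.
KEYWORDS = {"and", "or", "not", "(", ")", "src", "dst", "net", "host",
            "port", "ip", "tcp", "udp", "icmp", "arp", "esp"}


def classify(token: str):
    """Return the kind of a token, or None if the token is not allowed."""
    if token in KEYWORDS:
        return "keyword"
    if token.isascii() and token.isdigit():
        return "port" if int(token) <= 65535 else None
    try:
        ipaddress.ip_address(token)
        return "address"
    except ValueError:
        pass
    if "/" in token:
        try:
            ipaddress.ip_network(token, strict=False)
            return "network"
        except ValueError:
            pass
    return None


def validate_filter(expression: str) -> list:
    """Return a list of problems; an empty list means the filter is acceptable."""
    problems = []
    depth = 0
    for position, token in enumerate(expression.split(), start=1):
        if token == "(":
            depth += 1
        elif token == ")":
            if depth == 0:
                problems.append(f"token {position}: ')' has no matching '('")
            else:
                depth -= 1
        elif classify(token) is None:
            if "(" in token or ")" in token:
                # Brackets glued to a word, for example "(tcp".
                problems.append(
                    f"token {position} {token!r}: surround brackets with spaces")
            else:
                problems.append(
                    f"token {position} {token!r}: not an allowed word, port, or address")
    if depth:
        problems.append(f"{depth} bracket(s) left open")
    return problems


if __name__ == "__main__":
    # Constructed sample filters; the first two are the examples from the guide.
    for sample in ("icmp or arp", "port 67 or 68",
                   "( src net 10.0.0.0/8 and tcp ) or esp",
                   "(tcp or udp)", "port 443; reboot"):
        print(repr(sample), validate_filter(sample) or "ok")
```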
Note
The availability of this feature depends on the service quotas that are enabled for your account.
When you configure or use the IPsec VPN connection, you might experience problems.
You can learn more about the problems that you encountered in the IPsec log files, and check the
Troubleshooting IPsec VPN configuration issues topic for possible solutions of some of the common
problems that might occur.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
Problem: I see the following error message: IKE phase 1 negotiation error. Check the
IPsec IKE settings on the Cloud and the Local sites.
Solution: Click Retry and check if a more specific error message appears. For example, a more
specific error message may be an error message about an algorithm mismatch or an incorrect
Pre-shared key.
Note
For security reasons, the following restrictions apply to the IPsec VPN connectivity:

Problem: The connection between my local site and the cloud site stays in status Waiting
for a connection.
Solution: You see this status when the Startup action for cloud site is set to Add, which means
that the cloud site is waiting for the local site to initiate the connection.

Problem: The connection between my local site and the cloud site stays in status Waiting
for traffic.
Solution: You see this status when the Startup action for cloud site is set to Route.
If you are expecting a connection from the local site, do the following:

Problem: The connection between my local site and the cloud site is established, but I
can see that one or more of the network policies are down.
Solution: This issue may be due to the following reasons:
l Network mapping in the cloud IPsec site is different from the network mapping in the local
site.
Ensure that the network mappings and the sequence of the network policies in the local
and cloud sites match exactly.
l This state is correct when the Startup action of the local site and/or of the cloud site is
set to Route (for example, on Cisco ASA devices), and currently there is no traffic. You can
try to ping to make sure that the tunnel is established. If the ping is not working, check the
network mapping on the local and the cloud site.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
You can find additional information about the IPsec connectivity in the log files on the VPN server.
The log files are compressed in a .zip archive that you can download and extract.
Prerequisites
Multi-site IPsec VPN connectivity is configured.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
The following list describes the IPsec VPN log files that are part of the zip archive, and the
information that they contain.
l ip.txt - The file contains the logs from the configuration of the network interfaces. You must see
two IP addresses - a public IP address, and a local IP address. If you do not see these IP addresses
in the log, there is a problem. Contact the Support team.
Note
The mask for the public IP address must be 32.
Important
When you perform a failover, you can select only recovery points that were created after the
creation of the recovery server.
Prerequisites
l A protection plan must be applied to the original machine that you want to protect. This plan
must back up the entire machine, or only the disks, required for booting up and providing the
necessary services, to a cloud storage.
l One of the connectivity types to the cloud site must be set.
Note
You can see the compute points for every option. The number of compute points reflects the
cost of running the recovery server per hour. For more information, see "Compute points" (p.
642).
Custom - The IP address of the server will be provided by your own DHCP server in the cloud.
Note
If you use a DHCP server, add this IP address to the server exclusion list in order to avoid IP
address conflicts.
If you use a custom DHCP server, you must specify the same IP address in the IP address in
production network field as the one configured in the DHCP server. Otherwise, test failover will
not work properly, and the server will not be reachable via a public IP address.
8. [Optional] Select the Test IP address check box, and then specify the IP address.
This will give you the capability to test a failover in the isolated test network and to connect to
the recovery server via RDP or SSH during a test failover. In the test failover mode, the VPN
gateway will replace the test IP address with the production IP address by using the NAT
protocol.
If you leave the check box cleared, the console will be the only way to access the server during a
test failover.
You can select one of the proposed IP addresses or type in a different one.
9. [Optional] Select the Internet access check box.
This will enable the recovery server to access the Internet during a real or test failover. By
default, the TCP port 25 is open for outbound connections to public IP addresses.
10. [Optional] Set the RPO threshold.
The RPO threshold defines the maximum time interval allowed between the last suitable
recovery point for a failover and the current time. The value can be set within 15 – 60 minutes, 1
– 24 hours, 1 – 14 days.
11. [Optional] Select the Use public IP address check box.
Having a public IP address makes the recovery server available from the Internet during a
failover or test failover. If you leave the check box cleared, the server will be available only in
your production network.
The Use public IP address option requires the Internet access option to be enabled.
The public IP address will be shown after you complete the configuration. By default, TCP port
443 is open for inbound connections to public IP addresses.
Note
If you clear the Use Public IP address check box or delete the recovery server, its public IP
address will not be reserved.
12. [Optional] If the backups for the selected machine are encrypted, you can specify the password
that will be automatically used when creating a virtual machine for the recovery server from the
encrypted backup. Click Specify, and then define the credential name and password. By default,
you will see the most recent backup in the list. To view all the backups, select Show all backups.
13. [Optional] Change the recovery server name.
14. [Optional] Type a description for the recovery server.
15. [Optional] Click the Cloud firewall rules tab to edit the default firewall rules. For more
information, see "Setting firewall rules for cloud servers" (p. 704).
16. Click Create.
The recovery server appears in the Disaster Recovery > Servers > Recovery servers tab of the
Cyber Protect console. You can view its settings by selecting the original machine and clicking
Disaster recovery.
Production failover
Note
The availability of this feature depends on the service quotas that are enabled for your account.
When a recovery server is created, it stays in the Standby state. The corresponding virtual machine
does not exist until you initiate the failover. Before starting the failover process, you need to create
at least one disk image backup (with bootable volume) of your original machine.
When starting the failover process, you select the recovery point of the original machine from which
a virtual machine with the predefined parameters is created. The failover operation uses the "run
VM from a backup" functionality. The recovery server gets the transition state Finalization. This
process implies transferring the server's virtual disks from the backup storage ("cold" storage) to the
disaster recovery storage ("hot" storage).
Note
During the Finalization, the server is accessible and operable, although the performance is lower
than normal. You can open the server console by clicking the Console is ready link. The link is
available in the VM State column on the Disaster Recovery > Servers screen, and in the server's
Details view.
When the Finalization is completed, the server performance reaches its normal value. The server
state changes to Failover. The workload is now switched from the original machine to the recovery
server in the cloud site.
If the recovery server has a protection agent inside, the agent service is stopped in order to avoid
interference (such as starting a backup or reporting outdated statuses to the backup component).
On the diagram below, you can see both the failover and failback processes.
During test failover, the virtual machine (recovery server) is not finalized. The agent reads the
content of the virtual disks directly from the backup and randomly accesses different parts of the
backup. This might make the performance of the recovery server in the test failover state slower
than its normal performance.
Though performing a test failover is optional, we recommend that you make it a regular process
with a frequency that you find adequate in terms of cost and safety. A good practice is creating a
runbook – a set of instructions describing how to spin up the production environment in the cloud.
You can perform failover only from recovery points that were created after the recovery server of
the device was created.
At least one recovery point must be created before failing over to a recovery server. The maximum
number of recovery points that is supported is 100.
1. Select the original machine or select the recovery server that you want to test.
2. Click Disaster Recovery.
The description of the recovery server opens.
3. Click Failover.
4. Select the failover type Test failover.
5. Select the recovery point, and then click Test failover.
When the recovery server starts, its state changes to Testing failover.
Note
The Start server and Stop server actions are not applicable for test failover operations, both in
runbooks and when starting a test failover manually. If you try executing such an action, it will fail
with the following error message:
Failed: The action is not applicable to the current server state.
Note
Automated test failover consumes compute points.
You can configure the automated test failover in the recovery server's settings. For more
information, see "Configuring automated test failover" (p. 688).
Note that, in very rare cases, automated test failover might be skipped and might not be performed
at the scheduled time. This is because production failover has higher priority than automated test
failover, so the hardware resources (CPU and RAM) allocated for automated test failover might be
temporarily limited to ensure that there are enough resources for a concurrent production failover.
If automated test failover is skipped for some reason, an alert will be raised.
1. In the console, go to Disaster recovery > Servers > Recovery servers, and then select the
recovery server.
2. Click Edit.
3. In the Automated test failover section, in the Schedule field, select Monthly.
4. In Screenshot timeout, enter the maximum time period (in minutes) for the system to try
performing automated test failover, or leave the default one.
1. In the console, go to Disaster recovery > Servers > Recovery servers and then select the
recovery server.
2. In the Automated test failover section, check the details of the last automated test failover.
3. [Optional] Click Show screenshot to view the screenshot of the virtual machine.
1. In the console, go to Disaster recovery > Servers > Recovery servers, and then select the
recovery server.
2. Click Edit.
3. In the Automated test failover section, in the Schedule field, select Never.
4. Click Save.
Performing a failover
Note
The availability of this feature depends on the service quotas that are enabled for your account.
A failover is a process of moving a workload from your premises to the cloud, and also the state
when the workload remains in the cloud.
When you initiate a failover, the recovery server starts in the production network. To avoid
interference and unwanted issues, ensure that the original workload is not online or cannot be
accessed via VPN.
To avoid backup interference in the same cloud archive, manually revoke the protection plan
from the workload that is currently in the Failover state. For more information about revoking plans,
see Revoking a protection plan.
You can perform failover only from recovery points that were created after the recovery server of
the device was created.
At least one recovery point must be created before failing over to a recovery server. The maximum
number of recovery points that is supported is 100.
You can follow the instructions below or watch the video tutorial.
To perform a failover
Important
It is critical to understand that the server is available in both the Finalization and Failover
states. During the Finalization state, you can access the server console by clicking the Console
is ready link. The link is available in the VM State column on the Disaster Recovery > Servers
screen, and in the server's Details view. For details, see "How failover works" (p. 685).
6. Ensure that the recovery server is started by viewing its console. Click Disaster Recovery >
Servers, select the recovery server, and then click Console.
Once the recovery server is finalized, a new protection plan is automatically created and applied to
it. This protection plan is based on the protection plan that was used for creating the recovery
server, with certain limitations. In this plan, you can change only the schedule and retention rules.
For more information, refer to "Backing up the cloud servers".
If you want to cancel failover, select the recovery server and click Cancel failover. All changes
made since the moment of failover, except the recovery server backups, will be lost. The recovery
server will return to the Standby state.
If you want to perform failback, select the recovery server and click Failback.
l If only the DHCP host was failed over to the cloud, while the rest of the local servers are still on
the local site, then you must log in to the DHCP host in the cloud and turn off the DHCP server on it.
This way, there will be no conflicts and only the VPN gateway will work as the DHCP server.
l If your cloud servers already got the IP addresses from the DHCP host, then you must log in to
the DHCP host in the cloud and turn off the DHCP server on it. You must also log in to the cloud
servers and renew the DHCP lease to assign new IP addresses allocated from the correct DHCP
server (hosted on the VPN gateway).
Note
The instructions are not valid when your cloud DHCP server is configured with the Custom DHCP
option, and some of the recovery or primary servers get their IP address from this DHCP server.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
During the failback process to a target virtual machine, you can transfer the backup data to your
local site while the virtual machine in the cloud continues to run. This technology helps you to
achieve a very short downtime period, which is estimated and displayed in the Cyber Protect
console. You can view it and use this information to plan your activities and, if necessary, warn your
clients about an upcoming downtime period.
The failback process to target virtual machines and target physical machines is different. For more
information about the phases of the failback process, see "Failback to a target virtual machine" (p.
692) and "Failback to a target physical machine" (p. 697).
Note
Runbook operations support the failback to a physical machine only. This means that if you start
the failback process by executing a runbook that includes a Failback server step, the procedure
will require a manual interaction - you must manually recover the machine, and confirm or cancel
the failback process from the Disaster Recovery > Servers tab.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
Note
To minimize the total time for the failback process, we recommend that you start the data
transfer phase immediately after you set up your local servers, and then continue configuring
the network and setting up the rest of the local infrastructure during the data transfer phase.
2. Data transfer. During this phase, the data is transferred from the cloud site to the local site
while the virtual machine in the cloud continues to run. You can start the next phase,
switchover, at any time during the data transfer phase, but you should consider the following
relations:
The longer you remain in the data transfer phase,
l the longer the virtual machine in the cloud continues to run
l the larger the amount of data that will be transferred to your local site
l the higher the cost you will pay (you spend more compute points)
l the shorter the downtime period that you will experience during the switchover phase.
If you want to minimize the downtime, start the switchover phase after more than 90% of the
data is transferred to the local site.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
You can perform failback to a target virtual machine on your local site.
Prerequisites
l The agent that you will use to perform failback is online and is not currently used for another
failback operation.
l Your Internet connection is stable.
Parameter              Description
Backup size            Amount of data that will be transferred to your local site during the
                       failback process.
                       After you start the failback process to a target virtual machine, the
                       Backup size will be increasing during the data transfer phase, because
                       the virtual machine in the cloud will continue to run and generate new
                       data.
                       To calculate the estimated downtime period during the failback process to
                       a target virtual machine, take 10% of the Backup size value (as we
                       recommend that you start the switchover phase after 90% of the data is
                       transferred to your local site), and divide it by the value of your Internet
                       speed.
                       Note
                       The value of the Internet speed will decrease when you perform several
                       failback processes at the same time.
Target                 Type of workload on your local site to which you will recover the cloud
                       server: Virtual machine or Physical machine.
Path                   (For Microsoft Hyper-V hosts) Folder on the host where your machine will
                       be stored.
                       Ensure that there is enough free memory space on the host for the
                       machine.
Datastore              (For VMware ESXi hosts) Datastore on the host where your machine will
                       be stored.
                       Ensure that there is enough free memory space on the host for the
                       machine.
Target machine name    Name of the target machine. By default, the target machine name is the
                       same as the recovery server name.
                       The target machine name must be unique on the selected Target
                       machine location.
5. Click Start data transfer, and then in the confirmation window, click Start.
The Data transfer phase starts. The console displays the following information:
l Progress. The parameter shows how much data is already transferred to the local site, and
the total amount of data that must be transferred. Note that the total amount of data includes
the data from the last backup before the data transfer phase was started, and the backups of
the newly generated data (backup increments), as the virtual machine continues to run during
the data transfer phase. For this reason, both values of the Progress parameter increase with
time.
l Downtime estimation. The parameter shows how much time the virtual machine will be
unavailable, if you start the switchover phase now. The value is calculated based on the values
of the Progress, and decreases with time.
6. Click Switchover, and then in the confirmation window, click Switchover again.
The switchover phase starts. The console displays the following information:
l Progress. The parameter shows the progress of restoring the virtual machine on the local site.
l Estimated time to finish. The parameter shows the approximate time when the switchover
phase will be completed and you will be able to turn on the virtual machine on the local site.
Note
If no backup plan is applied to the virtual machine in the cloud, a backup will be performed
automatically during the switchover phase, which will cause a longer downtime.
Note
Applying a protection plan on the recovered server is not part of the failback process. After the
failback process completes, apply a protection plan on the recovered server to ensure that it is
protected again. You may apply the same protection plan that was applied on the original
server, or a new protection plan that has the Disaster Recovery module enabled.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
The failback process to a target physical machine differs from the failback process to a target virtual
machine. The data transfer from the backup in the cloud to the local site is not part of the
automated workflow, and is done manually after the virtual machine in the cloud is turned off. For
this reason, when performing failback to a physical machine, expect a longer downtime period.
The failback process to a target physical machine consists of the following phases:
1. Planning. During this phase, you restore the IT infrastructure at your local site, such as the hosts
and the network configurations, configure the failback parameters, and plan when to start the
data transfer.
2. Switchover. During this phase, the virtual machine in the cloud is turned off and the newly
generated data is backed up. If no backup plan is applied on the recovery server, a backup will be
performed automatically during the switchover phase, and that will slow down the process.
When the backup is complete, you recover the machine to the local site manually. You can either
recover the disk by using bootable media, or recover the entire machine from the cloud backup
storage.
3. Validation. During this phase, you verify that the physical machine is working correctly, and
confirm the failback. After the confirmation, the virtual machine on the cloud site is deleted, and
the recovery server returns to the Standby state.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
You can perform failback to a target physical machine on your local site.
Note
The value of the Internet speed will decrease when you perform several failback processes at
the same time.
6. Click Switchover, and then in the confirmation window, click Switchover again.
The virtual machine on the cloud site is turned off.
Note
If no backup plan is applied to the virtual machine in the cloud, a backup will be performed
automatically during the switchover phase, which will cause a longer downtime.
7. Recover the server from a backup to the physical machine on your local site.
l If you are using bootable media, proceed as described in "Recovering disks by using bootable
media" in the Cyber Protection User Guide. Ensure that you sign in to the cloud by using the
account for which the server is registered and that you select the most recent backup.
l If the target machine is online, you can use the Cyber Protect console. On the Backup storage
tab, select the cloud storage. In Machine to browse from, select the target physical machine.
The selected machine must be registered for the same account for which the server is
registered. Find the most recent backup of the server, click Recover entire machine, and
then set up other recovery parameters. For detailed instructions, refer to "Recovering a
machine" in the Cyber Protection User Guide.
8. Ensure that the recovery is completed and the recovered machine works properly, and click
Machine is restored.
9. If everything is working as expected, click Confirm failback, and then in the confirmation
window, click Confirm again.
The recovery server and recovery points become ready for the next failover. To create new
recovery points, apply a protection plan to the new local server.
Note
Applying a protection plan on the recovered server is not part of the failback process. After the
failback process completes, apply a protection plan on the recovered server to ensure that it is
protected again. You may apply the same protection plan that was applied on the original
server, or a new protection plan that has the Disaster Recovery module enabled.
When creating a recovery server, you can specify the password to be used for automatic disaster
recovery operations. It will be saved to the Credentials store, a secure storage of credentials that
can be found in Settings > Credentials section.
Note
Some features might require additional licensing, depending on the applied licensing model.
You can perform failover of Microsoft Azure virtual machines to Acronis Cyber Protect Cloud. For
more information, see "Performing a failover" (p. 689).
After that, you can perform failback from Acronis Cyber Protect Cloud back to Azure virtual
machines. The failback process is the same as the failback process to a physical machine. For more
information, see "Performing failback to a physical machine" (p. 697).
Note
To register a new Azure virtual machine for failing back, you can use the Acronis Backup VM
extension that is available in Azure.
You can configure Multi-site IPsec VPN connectivity between Acronis Cyber Protect Cloud and the
Azure VPN gateway. For more information, see "Configuring Multi-site IPsec VPN" (p. 660).
Prerequisites
l One of the connectivity types to the cloud site must be set.
Type    vCPU    RAM (GB)    Maximum total amount of disk space (GB)
F1      1       2           500
F2      1       4           1000
F3      2       8           2000
F4      4       16          4000
F5      8       32          8000
F6      16      64          16000
F7      16      128         32000
F8      16      256         64000
Note
You can see the compute points for every option. The number of compute points reflects the
cost of running the primary server per hour. For more information, see "Compute points" (p.
642).
5. [Optional] Change the virtual disk size. If you need more than one hard disk, click Add disk, and
then specify the new disk size. Currently, you can add no more than 10 disks for a primary
server.
6. Specify the cloud network in which the primary server will be included.
7. Select the DHCP option.
Custom    The IP address of the server will be provided by your own DHCP server in
          the cloud.
Note
If you use a DHCP server, add this IP address to the server exclusion list in order to avoid IP
address conflicts.
If you use a custom DHCP server, you must specify the same IP address in the IP address in
production network field as the one configured in the DHCP server. Otherwise, test failover will not
work properly, and the server will not be reachable via a public IP address.
Note
If you clear the Use Public IP address check box or delete the recovery server, its public IP
address will not be reserved.
The primary server becomes available in the production network. You can manage the server by
using its console, RDP, SSH, or TeamViewer.
To start or stop the server, click Power on or Power off on the primary server panel.
To edit the primary server settings, stop the server, and then click Edit.
To apply a protection plan to the primary server, select it and on the Plan tab click Create. You will
see a predefined protection plan where you can change only the schedule and retention rules. For
more information, refer to "Backing up the cloud servers".
You can find the following information about each cloud server by selecting it.
Column name            Description
Status                 The status reflecting the most severe issue with a cloud server (based on the active
                       alerts)
VM state               The power state of a virtual machine associated with a cloud server
Active                 The location where a cloud server is hosted. For example, Cloud.
RPO threshold          The maximum time interval allowed between the last suitable recovery point for failover
                       and the current time. The value can be set within 15-60 minutes, 1-24 hours, 1-14 days.
RPO compliance         The RPO compliance is the ratio between the actual RPO and RPO threshold. The RPO
                       compliance is shown if the RPO threshold is defined.
                       It is calculated as follows:
                       where
                       Depending on the value of the ratio between the actual RPO and RPO threshold, the
                       following statuses are used:
                       l Compliant. The RPO compliance < 1x. A server meets the RPO threshold.
                       l Exceeded. The RPO compliance <= 2x. A server violates the RPO threshold.
                       l Severely exceeded. The RPO compliance <= 4x. A server violates the RPO threshold
                       more than 2x times.
                       l Critically exceeded. The RPO compliance > 4x. A server violates the RPO threshold
                       more than 4x times.
                       l Pending (no backups). The server is protected with the protection plan but the
                       backup is being created and not completed yet.
Actual RPO             The time passed since the last recovery point creation
Last recovery point    The date and time when the last recovery point was created
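The RPO compliance statuses above can be reproduced outside the console, for example to review an exported server list. The following Python sketch is an added example, not part of the guide or the product: the function names, the sample servers, and the choice to represent "Pending" as a missing recovery point are assumptions of this example. Times are handled in UTC, which is also the time base of cloud server backup plans.

```python
from datetime import datetime, timedelta, timezone

# Ranges the guide gives for the RPO threshold setting.
THRESHOLD_RANGES = {"minutes": (15, 60), "hours": (1, 24), "days": (1, 14)}


def rpo_threshold(value, unit):
    """Build a threshold, rejecting values outside the ranges the guide lists."""
    if unit not in THRESHOLD_RANGES:
        raise ValueError(f"unit must be one of {sorted(THRESHOLD_RANGES)}")
    low, high = THRESHOLD_RANGES[unit]
    if not low <= value <= high:
        raise ValueError(f"{value} {unit} is outside {low}-{high} {unit}")
    return timedelta(**{unit: value})


def rpo_status(last_recovery_point, threshold, now):
    """Return (ratio, status) using the status bands from the guide.

    last_recovery_point is None when no backup has completed yet; that is how
    this example models the "Pending (no backups)" status (an assumption).
    """
    if last_recovery_point is None:
        return None, "Pending (no backups)"
    actual_rpo = now - last_recovery_point
    if actual_rpo < timedelta(0):
        raise ValueError("last recovery point is in the future; check time zones")
    ratio = actual_rpo / threshold  # actual RPO divided by RPO threshold
    if ratio < 1:
        status = "Compliant"
    elif ratio <= 2:
        # A ratio of exactly 1 lands here, because Compliant is strictly < 1x.
        status = "Exceeded"
    elif ratio <= 4:
        status = "Severely exceeded"
    else:
        status = "Critically exceeded"
    return ratio, status


def fleet_report(servers, now):
    """servers: iterable of (name, last_recovery_point or None, threshold).

    Returns (name, status, ratio) rows, worst first. Servers without a
    recovery point come first, because failover needs at least one.
    """
    rows = []
    for name, last, threshold in servers:
        ratio, status = rpo_status(last, threshold, now)
        rows.append((name, status, ratio))
    return sorted(rows, key=lambda r: (r[2] is not None, -(r[2] or 0)))


# Constructed sample data (hypothetical server names and times).
NOW = datetime(2023, 8, 1, 12, 0, tzinfo=timezone.utc)
SERVERS = [
    ("web-01", NOW - timedelta(minutes=20), rpo_threshold(1, "hours")),
    ("db-01", NOW - timedelta(hours=1), rpo_threshold(1, "hours")),
    ("files-01", NOW - timedelta(days=3), rpo_threshold(1, "days")),
    ("erp-01", NOW - timedelta(hours=5), rpo_threshold(60, "minutes")),
    ("new-01", None, rpo_threshold(15, "minutes")),
]

if __name__ == "__main__":
    for name, status, ratio in fleet_report(SERVERS, NOW):
        shown = "n/a" if ratio is None else f"{ratio:.2f}x"
        print(f"{name:10} {status:22} {shown}")
```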
You can configure inbound rules after you provision a public IP address for the cloud server. By
default, TCP port 443 is allowed, and all other inbound connections are denied. You can change the
default firewall rules, and add or remove Inbound exceptions. If a public IP is not provisioned, you
can only view the inbound rules, but cannot configure them.
You can configure outbound rules after you provision Internet access for the cloud server. By
default, TCP port 25 is denied, and all other outbound connections are allowed. You can change the
default firewall rules, and add or remove outbound exceptions. If Internet access is not provisioned,
you can only view the outbound rules, but cannot configure them.
l Permit ping: ICMP echo-request (type 8, code 0) and ICMP echo-reply (type 0, code 0)
l Permit ICMP need-to-frag (type 3, code 4)
l Permit TTL exceeded (type 11, code 0)
Action Description
Note
Changing the default action invalidates and removes the configuration of existing inbound
rules.
b. [Optional] If you want to save the existing exceptions, in the confirmation window, select
Firewall parameter    Description
Protocol              Select the protocol for the connection. The following options are
                      supported:
                      l TCP
                      l UDP
                      l TCP+UDP
Server port           Select the ports to which the rule applies. You can specify the
                      following:
                      l a specific port number (for example, 2298)
                      l a range of port numbers (for example, 6000-6700)
                      l any port number. Use * if you want the rule to apply to any port
                      number.
Client IP address     Select the IP addresses to which the rule applies. You can specify the
                      following:
                      l a specific IP address (for example, 192.168.0.0)
                      l a range of IP addresses using the CIDR notation (for example,
                      192.168.0.0/24)
                      l any IP address. Use * if you want the rule to apply to any
                      IP address.
7. If you want to remove an existing inbound exception, click the bin icon next to it.
8. If you want to change the default action for the outbound connections:
a. In the Outbound drop-down field, select the default action.
Action Description
Note
Changing the default action invalidates and removes the configuration of existing outbound
rules.
Firewall parameter    Description
Protocol              Select the protocol for the connection. The following options are
                      supported:
                      l TCP
                      l UDP
                      l TCP+UDP
Server port           Select the ports to which the rule applies. You can specify the
                      following:
                      l a specific port number (for example, 2298)
                      l a range of port numbers (for example, 6000-6700)
                      l any port number. Use * if you want the rule to apply to any port
                      number.
Client IP address     Select the IP addresses to which the rule applies. You can specify the
                      following:
                      l a specific IP address (for example, 192.168.0.0)
                      l a range of IP addresses using the CIDR notation (for example,
                      192.168.0.0/24)
                      l any IP address. Use * if you want the rule to apply to any
                      IP address.
10. If you want to remove an existing outbound exception, click the bin icon next to it.
11. Click Save.
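Before entering exceptions in the console, it can help to check what a planned rule set would let through. The following Python model of the default rules and exception fields described above is an added example, not part of the guide or the product. The `Rule` class, the function names, the assumption that an exception reverses the default action for matching traffic, and the review thresholds are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Protocol choices from the guide, mapped to the transport protocols they cover.
PROTOCOLS = {"TCP": {"TCP"}, "UDP": {"UDP"}, "TCP+UDP": {"TCP", "UDP"}}


@dataclass(frozen=True)
class Rule:
    """One firewall exception, written the way the console fields accept it."""
    protocol: str     # "TCP", "UDP" or "TCP+UDP"
    server_port: str  # "2298", "6000-6700" or "*"
    client_ip: str    # "192.168.0.0", "192.168.0.0/24" or "*"


def parse_ports(spec):
    """Return (low, high) for a port, a port range, or "*"."""
    spec = spec.strip()
    if spec == "*":
        return 1, 65535
    low, dash, high = spec.partition("-")
    try:
        low = int(low)
        high = int(high) if dash else low
    except ValueError:
        raise ValueError(f"not a port or port range: {spec!r}") from None
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port out of range or reversed: {spec!r}")
    return low, high


def parse_clients(spec):
    """Return an ip_network, or None when the field is "*" (any address)."""
    spec = spec.strip()
    if spec == "*":
        return None
    # strict=True rejects CIDR values with host bits set, e.g. 192.168.0.5/24.
    return ipaddress.ip_network(spec, strict=True)


def matches(rule, protocol, port, client):
    """True if a connection (protocol, server port, client address) hits the rule."""
    if rule.protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol: {rule.protocol!r}")
    if protocol.upper() not in PROTOCOLS[rule.protocol]:
        return False
    low, high = parse_ports(rule.server_port)
    if not low <= port <= high:
        return False
    net = parse_clients(rule.client_ip)
    return net is None or ipaddress.ip_address(client) in net


def decide(default_action, exceptions, protocol, port, client):
    """Assumption of this example: an exception reverses the default action."""
    if default_action not in ("allow", "deny"):
        raise ValueError("default_action must be 'allow' or 'deny'")
    if any(matches(r, protocol, port, client) for r in exceptions):
        return "deny" if default_action == "allow" else "allow"
    return default_action


# The defaults the guide describes, expressed in this model.
INBOUND_DEFAULT = ("deny", [Rule("TCP", "443", "*")])
OUTBOUND_DEFAULT = ("allow", [Rule("TCP", "25", "*")])


def audit_inbound(exceptions, max_ports=100, min_prefix=16):
    """Review inbound allow-exceptions (default action "deny") for breadth.

    max_ports and min_prefix are review heuristics chosen for this example.
    """
    findings = []
    for rule in exceptions:
        low, high = parse_ports(rule.server_port)
        net = parse_clients(rule.client_ip)
        if high - low + 1 > max_ports:
            findings.append((rule, f"opens {high - low + 1} ports"))
        if net is None and (low, high) != (443, 443):
            findings.append((rule, "reachable from any client address"))
        elif net is not None and net.version == 4 and net.prefixlen < min_prefix:
            findings.append((rule, f"client range /{net.prefixlen} is very wide"))
    return findings


if __name__ == "__main__":
    # Constructed sample: exceptions an administrator plans to add.
    planned = [
        Rule("TCP", "443", "*"),
        Rule("TCP+UDP", "6000-6700", "192.168.0.0/24"),
        Rule("TCP", "3389", "*"),
    ]
    for rule, reason in audit_inbound(planned):
        print(f"{rule.protocol} {rule.server_port} from {rule.client_ip}: {reason}")
```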
When you delete a primary server, its backups are also deleted.
A recovery server is backed up only in the failover state. Its backups continue the backup sequence
of the original server. When a failback is performed, the original server can continue this backup
sequence. So, the backups of the recovery server can only be deleted manually or as a result of
applying the retention rules. When a recovery server is deleted, its backups are always kept.
Note
The backup plans for cloud servers are performed according to UTC time.
Orchestration (runbooks)
Note
Some features might require additional licensing, depending on the applied licensing model.
A runbook is a set of instructions describing how to spin up the production environment in the
cloud. You can create runbooks in the Cyber Protect console. To access the Runbooks tab, select
Disaster recovery > Runbooks.
Creating a runbook
You can follow the instructions below or watch the video tutorial.
To start creating a runbook, click Create runbook > Add step > Add action. You can use drag and
drop to move actions and steps. Do not forget to give a distinctive name to the runbook. While
creating a long runbook, click Save from time to time. Once you are finished, click Close.
l An operation to be performed with a cloud server (Failover server, Start server, Stop server,
Failback server). To define this operation, you need to choose the operation, the cloud server,
and the operation parameters.
l A manual operation that you need to describe verbally. Once the operation is completed, a user
must click the confirmation button to allow the runbook to proceed.
l Execution of another runbook. To define this operation, you need to choose the runbook.
Note
In this product version a user has to perform a failback manually. A runbook shows the prompt
when it is required.
Action parameters
All operations with cloud servers have the following parameters:
Completion check
You can add completion checks to the Failover server and Start server actions, to ensure that the
server is available and provides the necessary services. If any of the checks fail, the action is
considered failed.
l Ping IP address
The software will ping the production IP address of the cloud server until the server replies or the
timeout expires, whichever comes first.
l Connect to port (443 by default)
The software will try to connect to the cloud server by using its production IP address and the
port you specify, until the connection is established or the timeout expires, whichever comes first.
This way, you can check if the application that listens on the specified port is running.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
To access the list of operations, hover on a runbook and click the ellipsis icon. When a runbook is
not running, the following operations are available:
Executing a runbook
Every time you click Execute, you are prompted for the execution parameters. These parameters
apply to all failover and failback operations included in the runbook. The runbooks specified in the
Execute runbook operations inherit these parameters from the main runbook.
Antimalware protection in Cyber Protection provides you with the following benefits:
Note
The availability of this feature depends on the service quotas that are enabled for your account.
Important
EICAR test file is detected only when the Advanced Antimalware option is enabled in the
protection plan. However, not detecting the EICAR file does not affect the antimalware capabilities
of Cyber Protection.
Supported platforms
Active protection, antivirus and antimalware features are supported on the following platforms.
Note
For Windows 7, you must install the following updates from Microsoft
before installing the protection agent.
Debian 9.x
Note
Antimalware protection for Linux and macOS is available with the Advanced Antimalware pack.
For more information about the supported operating systems and their versions, see "Supported
platforms" (p. 712).
* Static analysis for portable executable files is supported only for scheduled scans on macOS.
*** File/folder exclusions are only supported for the case when you specify files and folders that will
not be scanned by real-time protection or scheduled scans on macOS.
**** Firewall management is supported on Windows 8 and later. Windows Server is not supported.
***** Microsoft Defender Antivirus management is supported on Windows 8.1 and later.
Active Protection
Active Protection
(Only Active
Yes No Protection and
antimalware
components)
For more information about the supported operating systems and their versions, see "Supported
platforms" (p. 712).
The Antivirus & Antimalware module protects your Windows, Linux, and macOS machines from
all recent malware threats. See the full list of supported antimalware features in "Supported
platforms" (p. 712).
Antivirus & Antimalware protection is supported and registered in Windows Security Center.
Scanning types
You can configure antivirus and antimalware protection to run constantly in the background or on
demand.
Real-time protection
Note
The availability of this feature depends on the service quotas that are enabled for your account.
Real-time protection checks all files that are being executed or opened on a machine to prevent
malware threats.
To prevent potential compatibility and performance issues, real-time protection cannot work in
parallel with other antivirus solutions that also use real-time protection features. The statuses of
other installed antivirus solutions are determined through Windows Security Center. If the Windows
machine is already protected by another antivirus solution, real-time protection is automatically
turned off.
To enable real-time protection, disable or uninstall the other antivirus solution. Real-time protection
can replace Microsoft Defender real-time protection automatically.
Note
On machines running Windows Server operating systems, Microsoft Defender will not be turned off
automatically when real-time protection is enabled. An administrator must turn off the Microsoft
Defender manually to avoid potential compatibility issues.
l Smart on-access detection means that the antimalware program runs in the background and
actively and constantly scans your machine for viruses and other malicious threats for the
entire duration that your system is powered on. Malware is detected both when a file is
executed and during various operations with the file, such as opening it for reading or
editing.
l On-execution detection means that only executable files are scanned at the moment they are
run to ensure they are clean and will not cause any damage to your machine or data. Copying of
an infected file will remain unnoticed.
After antimalware scanning completes, you can see details about the workloads that were affected
by threats in the Monitoring > Overview > Recently affected widget.
Note
This section includes information for all available settings and features, which might not be
supported on all operating systems. For more information about the supported operating systems
and features, see "Supported platforms" (p. 712).
Some features might require additional licensing, depending on the applied licensing model.
Active Protection
Active Protection protects a system from ransomware and cryptocurrency mining malware.
Ransomware encrypts files and demands a ransom for the encryption key. Cryptomining malware
performs mathematical calculations in the background, thus stealing the processing power and
network traffic.
Note
A protection agent must be installed on the protected machine. For more information about the
supported operating systems and features, see "Supported platforms" (p. 712).
l Notify only
The software will generate an alert about the process.
Advanced antimalware
Note
The availability of this feature depends on the service quotas that are enabled for your account.
The Advanced Antimalware switch enables the local signature-based engine. This engine uses an
enhanced database of virus signatures to improve the efficiency of antimalware detection in both
quick and full scans.
Antivirus and Antimalware protection for macOS and Linux also requires the local signature-based
engine. For Windows, Antivirus and Antimalware protection is available with or without this engine.
If a file was originally located on a mapped drive, it cannot be saved to the original location when
extracted from the cache by the Revert using cache action. Instead, it will be saved to the folder
specified in this setting. The default folder is C:\ProgramData\Acronis\Restored Network Files for
Windows, and Library/Application Support/Acronis/Restored Network Files/ for macOS. If this
folder does not exist, it will be created. If you want to change this path, specify a local folder.
Network folders, including folders on mapped drives, are not supported.
Server-side protection
This setting defines whether Active Protection protects the network folders that you share from
external incoming connections from other servers in the network that might bring
threats.
Note
Server-side protection is not supported for Linux.
Self-protection
Self-protection prevents unauthorized changes to the software's own processes, registry records,
executable and configuration files, and backups located in local folders. We recommend that you do
not disable this feature.
Administrators can enable Self-protection, without enabling Active Protection. Default setting:
Enabled.
Note
Self-protection is not supported for Linux.
Password protection
Password protection prevents unauthorized users or software from uninstalling Agent for Windows
or modifying its components. These actions are only possible with a password that an administrator
can provide.
For more information about how to enable Password protection, refer to Preventing unauthorized
uninstallation or modification of agents.
Administrators can enable Cryptomining process detection, without enabling Active Protection.
Default setting: Enabled.
Note
Cryptomining process detection is not supported for Linux.
l Notify only
The software generates an alert about the process suspected of cryptomining activities.
l Stop the process
The software generates an alert and stops the process suspected of cryptomining activities.
Quarantine
Quarantine is a folder for keeping suspicious (probably infected) or potentially dangerous files
isolated.
Remove quarantined files after – Defines the period in days after which the quarantined files will
be removed.
Behavior engine
Acronis Cyber Protection protects your system by using behavioral heuristics to identify malicious
processes: it compares the chain of actions performed by a process with the chains of actions
recorded in the database of malicious behavior patterns. This way, new malware is detected by its
typical behavior.
Note
Behavior engine is not supported for Linux.
l Notify only
The software will generate an alert about the process suspected of malware activity.
l Stop the process
The software will generate an alert and stop the process suspected of malware activity.
l Quarantine
The software will generate an alert, stop the process, and move the executable file to the
quarantine folder.
Exploit prevention
Note
The availability of this feature depends on the service quotas that are enabled for your account.
Exploit prevention detects and prevents infected processes from spreading and exploiting the
software vulnerabilities on Windows systems. When an exploit is detected, the software can
generate an alert and stop the process suspected of exploit activities.
Exploit prevention is available only with agent versions 12.5.23130 (21.08, released in August 2020)
or later.
Default setting: Enabled for newly created protection plans, and Disabled for existing protection
plans, created with previous agent versions.
Note
Exploit prevention is not supported for Linux.
Under Enabled Action on detection, select what to do when an exploit is detected, and then click
Done.
l Notify only
The software will generate an alert about the process suspected of malware activity.
l Stop the process
The software will generate an alert and stop the process suspected of malware activity.
Under Enabled exploit prevention techniques, enable or disable the methods that you want to be
applied, and then click Done.
l Memory protection
Detects and prevents suspicious modifications of the execution rights on memory pages.
Malicious processes apply such modifications to page properties to enable the execution of
shellcode from non-executable memory areas such as the stack and heap.
l Return-oriented programming (ROP) protection
Detects and prevents attempts to use the ROP exploit technique.
l Privilege escalation protection
Detects and prevents attempts to elevate privileges made by unauthorized code or an
unauthorized application. Privilege escalation is used by malicious code to gain full access to the
attacked machine, and then perform critical and sensitive tasks. Unauthorized code is not allowed
to access critical system resources or modify system settings.
l Code injection protection
Detects and prevents malicious code injection into remote processes. Code injection is used to
hide malicious intent of an application behind clean or benign processes, to evade detection by
antimalware products.
Note
Processes that are listed as trusted processes in the Exclusions list will not be scanned for exploits.
It applies to files that have extensions .tibx, .tib, .tia, and are located in local folders.
This setting lets you specify the processes that are allowed to modify the backup files, even though
these files are protected by self-protection. This is useful, for example, if you remove backup files or
move them to a different location by using a script.
If this setting is disabled, the backup files can be modified only by processes signed by the backup
software vendor. This allows the software to apply retention rules and to remove backups when a
user requests this from the web interface. Other processes, whether suspicious or not, cannot
modify the backups.
If this setting is enabled, you can allow other processes to modify the backups. Specify the full path
to the process executable, starting with the drive letter.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
Real-time protection constantly checks your machine for viruses and other threats for the
entire time that your system is powered on.
Important
Real-time protection is available only when the local signature-based engine is turned on. For real-
time protection, you need to enable both the Real-time protection switch and the Advanced
Antimalware switch.
l Smart on-access – Monitors all system activities and automatically scans files when they are
accessed for reading or writing, or whenever a program is launched.
l On-execution – Automatically scans only executable files when they are launched to ensure that
they are clean and will not cause any damage to your computer or data.
Action on detection:
l Quarantine
The software generates an alert and moves the executable file to the quarantine folder.
l Notify only
The software generates an alert about the process that is suspected to be malware.
Scan mode:
l Full
The full scan takes much longer to finish in comparison to the quick scan because every file will
be checked.
l Quick
The quick scan only scans the common areas where malware normally resides on the machine.
l Custom
The custom scan checks the files/folders that were selected by the administrator in the
Protection plan.
You can schedule all three scans, Quick, Full, and Custom, in one protection plan.
l Schedule by time – The task will run according to the specified time.
l When user logs in to the system – By default, a login of any user will start the task. You can
modify this setting so that only a specific user account can trigger the task.
l When user logs off the system – By default, a logoff of any user will start the task. You can
modify this setting so that only a specific user account can trigger the task.
Note
The task will not run at system shutdown. Shutting down and logging off are different events in
the scheduling configuration.
l On the system startup – The task will run when the operating system starts.
l On the system shutdown – The task will run when the operating system shuts down.
Schedule type:
Start at – Select the exact time when the task will run.
Run within a date range – Set a range in which the configured schedule will be effective.
Start conditions – Define all conditions that must be met simultaneously for the task to run.
Start conditions for antimalware scans are similar to the start conditions for the Backup module that
are described in "Start conditions". You can define the following additional start conditions:
l Distribute task start time within a time window – This option allows you to set the time
frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or
minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the
task will start between 10:00 AM and 11:00 AM.
l If the machine is turned off, run missed tasks at the machine startup
l Prevent the sleep or hibernate mode during task running – This option is effective only for
machines running Windows.
l If start conditions are not met, run the task anyway after – Specify the period after which
the task will run, regardless of the other start conditions.
Note
Start conditions are not supported for Linux.
Scan only new and changed files – only newly created and modified files will be scanned.
Note
Scan removable drives is not supported for Linux.
Protection exclusions
Protection exclusions enable you to eliminate false positives when a trusted program is considered
ransomware or malware. You can define trusted and blocked items by adding them to the
protection exclusions list.
In the trusted items list, you can add files, processes and folders that the system should consider
safe, to prevent any future detections for them.
In the blocked items list, you can add processes and hashes. This option guarantees that those
processes will be blocked, and your workload will be safe.
Hash
Blocked list: When a hash is added to the blocked list, the system will stop the process, based on
the provided hash.
For example, when you add this MD5 hash, 938c2cc0dcc05f2b68c4287040cfcf71, the process associated
with this hash will be blocked.
Trusted list: When a hash is added to the trusted list, the system will know what processes have to
be ignored by monitoring, based on the provided hash.
For example, when you add this MD5 hash, 938c2cc0dcc05f2b68c4287040cfcf71, the process associated
with this hash will be trusted and excluded from monitoring.
Process
Blocked list: When a process is added to the blocked list, the system will know that those
processes must be monitored, and the processes will always be blocked.
For example, if you add this path C:\Users\user1\application\nppInstaller.exe to the blocked list,
this specific process will be blocked, and when you try to open it, it will not be allowed to start.
Trusted list: When a process is added to the trusted list, the system will know that those
processes have to be excluded from monitoring.
Note
Processes signed by Microsoft are always trusted.
For example, if you add this path C:\Users\user1\application\nppInstaller.exe, this specific
process will be excluded from monitoring, and antivirus will not interfere with this process.
Note
Specify the full path to the process executable, starting with the drive letter. For example,
C:\Windows\Temp\er76s7sdkh.exe.
Note
Local network paths are supported. For example, \\localhost\folderpath\file.exe.
l Select the Hash option to add MD5 hashes to the list of trusted items. The Add hash window
opens.
o Here you can insert MD5 hashes on separate lines to be included as trusted in the
Protection exclusions list. Based on these hashes, Cyber Protection will exclude the
processes described by the MD5 hashes from being monitored.
Note
These processes will not be able to start as long as Active Protection is enabled on the
machine.
l To block hashes, select the Hash option. The Add hash window is displayed.
o In the Hash field, enter the hash for each process on a new line. In the Description field,
enter a short description so that you can recognize your change in the list of blocked items.
Wildcards
For specifying folders, you can use the wildcard characters * and ?. The asterisk (*) substitutes for
zero or more characters. The question mark (?) substitutes for exactly one character. Environment
variables, such as %AppData%, cannot be used.
You can use a wildcard (*) to add items to the exclusion lists.
C:\*.pdf
D:\folders\file.*
C:\Users\*\AppData\Roaming
*.docx
*:\folder\
Variables
You can also use variables to add items to the Protection exclusions list, with the following
limitations:
l For Windows, only SYSTEM variables are supported. User-specific variables, for example,
%USERNAME% and %APPDATA%, are not supported. Variables with {username} are not supported.
l %WINDIR%\Media
l %public%
l %CommonProgramFiles%\Acronis\
Description
You can use the Description field to make notes on the exclusions that you added in the protection
exclusions list. Some suggestions on the notes you may make:
If there are multiple items added in a single entry, there can only be 1 comment captured for the
multiple items.
In all other editions of the Cyber Protection service, Active Protection is part of the Antivirus &
Antimalware module of the protection plan.
Note
A protection agent must be installed on the protected machine. For more information about the
supported operating systems and features, see "Supported platforms" (p. 712).
How it works
Active Protection monitors processes running on the protected machine. When a third-party
process tries to encrypt files or mine cryptocurrency, Active Protection generates an alert and
performs additional actions, as specified in the protection plan.
In addition, Active Protection prevents unauthorized changes to the backup software's own
processes, registry records, executable and configuration files, and backups located in local folders.
To identify malicious processes, Active Protection uses behavioral heuristics. Active Protection
compares the chain of actions performed by a process with the chains of events recorded in the
l Action on detection
l Self-protection
l Network folder protection
l Server-side protection
l Cryptomining process detection
l Exclusions
Note
Active Protection for Linux supports the following settings: Action on detection, Network folder
protection, and Exclusions. Network folder protection is always on and not configurable.
Action on detection
In Action on detection, select the action that the software will perform when detecting a
ransomware activity, and then click Done.
l Notify only
The software will generate an alert about the process.
l Stop the process
The software will generate an alert and stop the process.
l Revert using cache
The software will generate an alert, stop the process, and revert the file changes by using the
service cache.
Self-protection
Self-protection prevents unauthorized changes to the software's own processes, registry records,
executable and configuration files, and backups located in local folders. We recommend that you do
not disable this feature.
Administrators can enable Self-protection, without enabling Active Protection. Default setting:
Enabled.
Note
Self-protection is not supported for Linux.
For more information about how to enable Password protection, refer to Preventing unauthorized
uninstallation or modification of agents.
If a file was originally located on a mapped drive, it cannot be saved to the original location when
extracted from the cache by the Revert using cache action. Instead, it will be saved to the folder
specified in this setting. The default folder is C:\ProgramData\Acronis\Restored Network Files for
Windows, and Library/Application Support/Acronis/Restored Network Files/ for macOS. If this
folder does not exist, it will be created. If you want to change this path, specify a local folder.
Network folders, including folders on mapped drives, are not supported.
Server-side protection
This setting defines whether Active protection protects network folders that are shared by you from
the external incoming connections from other servers in the network that may potentially bring
threats.
Note
Server-side protection is not supported for Linux.
Cryptomining malware degrades the performance of useful applications, increases electricity bills,
may cause system crashes and even hardware damage due to abuse. To protect your workloads, we
recommend that you add cryptomining malware to the Harmful processes list.
Administrators can enable Cryptomining process detection, without enabling Active Protection.
Default setting: Enabled.
Note
Cryptomining process detection is not supported for Linux.
l Notify only
The software generates an alert about the process suspected of cryptomining activities.
l Stop the process
The software generates an alert and stops the process suspected of cryptomining activities.
Protection exclusions
Protection exclusions enable you to eliminate false positives when a trusted program is considered
ransomware or malware. You can define trusted and blocked items by adding them to the
protection exclusions list.
In the blocked items list, you can add processes and hashes. This option guarantees that those
processes will be blocked, and your workload will be safe.
Hash
Blocked list: When a hash is added to the blocked list, the system will stop the process, based on
the provided hash.
For example, when you add this MD5 hash, 938c2cc0dcc05f2b68c4287040cfcf71, the process associated
with this hash will be blocked.
Trusted list: When a hash is added to the trusted list, the system will know what processes have to
be ignored by monitoring, based on the provided hash.
For example, when you add this MD5 hash, 938c2cc0dcc05f2b68c4287040cfcf71, the process associated
with this hash will be trusted and excluded from monitoring.
Process
Blocked list: When a process is added to the blocked list, the system will know that those
processes must be monitored, and the processes will always be blocked.
For example, if you add this path C:\Users\user1\application\nppInstaller.exe to the blocked list,
this specific process will be blocked, and when you try to open it, it will not be allowed to start.
Trusted list: When a process is added to the trusted list, the system will know that those
processes have to be excluded from monitoring.
Note
Processes signed by Microsoft are always trusted.
For example, if you add this path C:\Users\user1\application\nppInstaller.exe, this specific
process will be excluded from monitoring, and antivirus will not interfere with this process.
Note
Specify the full path to the process executable, starting with the drive letter. For example,
C:\Windows\Temp\er76s7sdkh.exe.
Note
Local network paths are supported. For example, \\localhost\folderpath\file.exe.
l Select the Hash option to add MD5 hashes to the list of trusted items. The Add hash window
opens.
o Here you can insert MD5 hashes on separate lines to be included as trusted in the
Protection exclusions list. Based on these hashes, Cyber Protection will exclude the
processes described by the MD5 hashes from being monitored.
Note
These processes will not be able to start as long as Active Protection is enabled on the
machine.
l To block hashes, select the Hash option. The Add hash window is displayed.
o In the Hash field, enter the hash for each process on a new line. In the Description field,
enter a short description so that you can recognize your change in the list of blocked items.
You can use a wildcard (*) to add items to the exclusion lists.
C:\*.pdf
D:\folders\file.*
C:\Users\*\AppData\Roaming
*.docx
*:\folder\
Variables
You can also use variables to add items to the Protection exclusions list, with the following
limitations:
l For Windows, only SYSTEM variables are supported. User-specific variables, for example,
%USERNAME% and %APPDATA%, are not supported. Variables with {username} are not supported.
For more information, see https://ss64.com/nt/syntax-variables.html.
l For macOS, environment variables are not supported.
l For Linux, environment variables are not supported.
l %WINDIR%\Media
l %public%
l %CommonProgramFiles%\Acronis\
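The wildcard, variable, hash, and path rules stated in the two Protection exclusions sections above, as an added example (not Acronis code): a small Python linter that checks exclusion entries against those rules and reports which of a set of constructed sample paths a wildcard pattern would cover. It assumes that * can span backslashes, that matching is case-insensitive, and that a folder pattern covers everything beneath it; the guide does not specify these points, and all function names are hypothetical.

```python
import re

# Per-user Windows variables. The guide names %USERNAME% and %APPDATA%;
# the other three are this example's additions.
USER_VARS = {"USERNAME", "APPDATA", "USERPROFILE", "LOCALAPPDATA", "HOMEPATH"}
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
VAR_RE = re.compile(r"%([^%\\]+)%")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")

# Constructed sample paths, used only to show what a pattern would cover.
SAMPLE_PATHS = [
    r"C:\docs\report.pdf",
    r"C:\Users\alice\AppData\Roaming\tool\run.exe",
    r"C:\Users\bob\Documents\notes.docx",
    r"D:\folder\setup.exe",
    r"D:\folders\file.txt",
    r"C:\Windows\System32\cmd.exe",
]


def lint_entry(kind, value, platform="windows"):
    """Return the rule violations for one entry; an empty list means none.

    kind is 'hash', 'process' or 'folder' (labels chosen for this example).
    """
    problems = []
    value = value.strip()
    if kind == "hash":
        if not MD5_RE.fullmatch(value):
            problems.append("not an MD5 hash (32 hex characters)")
        return problems
    if "{username}" in value.lower():
        problems.append("{username} variables are not supported")
    for name in VAR_RE.findall(value):
        if platform != "windows":
            problems.append(f"%{name}%: variables are not supported on {platform}")
        elif name.upper() in USER_VARS:
            problems.append(f"%{name}%: user-specific, only SYSTEM variables work")
    if kind == "process" and platform == "windows":
        # Full path from the drive letter, or a local network path (\\host\...).
        if not DRIVE_RE.match(value) and not value.startswith("\\\\"):
            problems.append("process needs a full path starting with the drive letter")
    return problems


def pattern_to_regex(pattern):
    """Translate the guide's wildcards: * is zero or more characters, ? exactly one."""
    parts = []
    for ch in pattern.rstrip("\\"):      # "*:\folder\" and "*:\folder" are equivalent here
        if ch == "*":
            parts.append(".*")           # assumption: * may span backslashes
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def ancestors(path):
    """The path itself followed by each parent folder, longest first."""
    parts = path.split("\\")
    return ["\\".join(parts[:i]) for i in range(len(parts), 0, -1)]


def covered(pattern, paths=SAMPLE_PATHS):
    """Paths matched by the pattern directly or through a parent folder."""
    rx = pattern_to_regex(pattern)
    return [p for p in paths if any(rx.fullmatch(a) for a in ancestors(p))]


if __name__ == "__main__":
    # The wildcard examples from the guide, checked against the sample paths.
    for pat in [r"C:\*.pdf", r"D:\folders\file.*", r"C:\Users\*\AppData\Roaming",
                "*.docx", "*:\\folder\\"]:
        print(f"{pat!r:35} covers {covered(pat)}")
    for kind, value in [("hash", "938c2cc0dcc05f2b68c4287040cfcf71"),
                        ("folder", r"%APPDATA%\tool"),
                        ("process", "nppInstaller.exe")]:
        print(kind, value, lint_entry(kind, value) or "ok")
```

Running the coverage check before saving a trusted entry shows how much of the file system a short pattern such as *.docx removes from monitoring.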
Description
You can use the Description field to make notes on the exclusions that you added in the protection
exclusions list. Some suggestions on the notes you may make:
URL filtering
Note
The availability of this feature depends on the service quotas that are enabled for your account.
Malware is often distributed by malicious or infected sites and uses the so-called drive-by download
method of infection.
The URL filtering functionality allows you to protect machines from threats like malware and
phishing coming from the Internet. You can protect your organization by blocking user access to the
websites that may have malicious content.
URL filtering also allows you to control web usage to comply with external regulations and
internal company policies. You can configure access to websites depending on the category they
belong to. URL filtering currently supports 44 website categories and allows you to manage access
to them.
Currently, the HTTP/HTTPS connections on Windows machines will be checked by the protection
agent.
Note
To prevent possible compatibility issues with protection agent builds 15.0.26692 (release C21.03
HF1) and earlier, the URL filtering functionality will be automatically disabled if another antivirus
solution is detected, or if the Windows Security Center service is not present on the system.
In later protection agents, the compatibility issues are resolved so URL filtering is always enabled
according to the policy.
How it works
A user enters a URL in a browser. The Interceptor gets the link and sends it to the protection
agent. The agent gets the URL, parses it, and then checks the verdict. The Interceptor redirects the
user to a page with a message that offers the available actions for manually proceeding to the
requested page.
1. You create a protection plan with the enabled URL filtering module.
2. Specify the URL filtering settings (see below).
3. Assign the protection plan to the machines.
l Block – block access to the malicious website. A user will not be able to access the website and a
warning alert will be generated.
l Always ask user – ask a user whether to proceed to the website anyway or go back.
Categories to filter
There are 44 website categories for which you can configure access:
Show all notifications for blocked URLs by categories – if enabled, you will get all notifications
shown in the tray for blocked URLs by categories. If a website has several sub-domains, then the
system also generates notifications for them, so the number of notifications may be large.
2 Message boards This category covers forums, discussion boards, and question-answer
type websites. This category does not cover the specific sections on
company websites where customers ask questions.
3 Personal websites This category covers personal websites, as well as all types of blogs:
individual, group, and even company ones. A blog is a journal published
on the World Wide Web. It consists of entries (“posts”), typically displayed
in reverse chronological order so that the most recent post appears first.
4 Corporate/business websites This is a broad category that covers corporate websites that
typically do not belong to any other category.
5 Computer software This category covers websites offering computer software, typically either
open-source, freeware, or shareware. It may also cover some online
software stores.
8 Entertainment This category covers websites that provide information related to artistic
activities and museums, as well as websites that review or rate content
such as movies, music, or art.
9 File sharing This category covers file-sharing websites where a user can upload files
and share them with others. It also covers torrent-sharing websites and
torrent trackers.
10 Finance This category covers websites belonging to all banks around the world
that provide online access. Some credit unions and other financial
institutions are covered as well. However, some local banks may be left
uncovered.
11 Gambling This category covers gambling websites. These are the “online casino” or
“online lottery” type website, which typically requires payment before a
user can gamble for money in online roulette, poker, blackjack, or similar
games. Some of them are legitimate, meaning there is a chance to win;
and some are fraudulent, meaning that there is no chance to win. It also
detects “beating tips and cheats” websites that describe the ways to
make money on gambling and online lottery websites.
14 Hacking This category covers websites that provide the hacking tools, articles, and
discussion platforms for hackers. It also covers websites offering exploits
for common platforms that facilitate Facebook or Gmail account hacking.
15 Illegal activities This category is a broad category related to hate, violence and racism,
and it is intended to block the following categories of websites:
16 Health and fitness This category covers websites associated with medical institutions,
websites related to disease prevention and treatment, websites that offer
information or products about weight loss, diets, steroids, anabolic or
HGH products, as well as websites providing information on plastic
surgery.
17 Hobbies This category covers websites that present resources related to activities
typically performed during an individual’s free time, such as collecting,
arts and crafts, and cycling.
18 Web hosting This category covers free and commercial website hosting services that
allow private users and organizations to create and publish web pages.
19 Illegal downloads This category covers websites related to software piracy, including:
20 Instant messaging This category covers instant messaging and chat websites that allow
users to chat in real-time. It will also detect yahoo.com and
gmail.com since they both contain an embedded instant messenger
service.
22 Mature content This category covers the content that was labeled by a website creator as
requiring a mature audience. It covers a wide range of websites from the
Kama Sutra book and sex education websites, to hardcore pornography.
23 Narcotics This category covers websites sharing information about recreational and
illegal drugs. This category also covers websites covering development or
growing drugs.
24 News This category covers news websites that provide text and video news. It
strives to cover both global and local news websites; however, some
small local news websites may not be covered.
25 Online dating This category covers online dating websites – paid and free - where users
can search for other people by using some criteria. They may also post
their profiles to let others search them. This category includes both free
and paid online dating websites.
26 Online payments This category covers websites offering online payments or money
transfers. It detects popular payment websites like PayPal or
Moneybookers. It also heuristically detects the webpages on the regular
websites that ask for the credit card information, allowing detection of
hidden, unknown, or illegal online stores.
27 Photo sharing This category covers photo-sharing websites whose primary purpose is to
let users upload and share photos.
28 Online stores This category covers known online stores. A website is considered an
online store if it sells goods or services online.
30 Portals This category covers websites that aggregate information from multiple
sources and various domains, and that usually offer features such as
search engines, e-mail, news, and entertainment information.
31 Radio This category covers websites that offer Internet music streaming
services, from online radio stations to websites that provide on-demand
(free or paid) audio content.
32 Religion This category covers websites promoting religion or a sect. It also covers
the discussion forums related to one or multiple religions.
33 Search engines This category covers search engine websites, such as Google, Yahoo, and
Bing.
34 Social networks This category covers social network websites. This includes
MySpace.com, Facebook.com, Bebo.com, etc. However, specialized social
networks, like YouTube.com, will be listed in the Video/Photo category.
35 Sport This category covers websites that offer sports information, news, and
tutorials.
37 Tabloids This category is mainly designed for soft pornography and celebrity
gossip websites. A lot of the tabloid-style news websites may have
subcategories listed here. Detection for this category is also based on
heuristics.
38 Waste of time This category covers websites where individuals tend to spend a lot of
time. This can include websites from other categories such as social
networks or entertainment.
39 Traveling This category covers websites that present travel offers and travel
equipment, as well as travel destination reviews and ratings.
40 Videos This category covers websites that host various videos or photos, either
uploaded by users or provided by various content providers. This
includes websites like YouTube, Metacafe, Google Video, and photo
websites like Picasa or Flickr. It will also detect videos embedded in other
websites or blogs.
41 Violent cartoons This category covers websites discussing, sharing, and offering violent
cartoons or manga that may be inappropriate for minors due to violence,
explicit language, or sexual content.
This category doesn't cover the websites that offer mainstream cartoons
such as “Tom and Jerry”.
42 Weapons This category covers websites offering weapons for sale or exchange,
43 Email This category covers websites that provide email functionality as a web
application.
44 Web proxy This category covers websites that provide web proxy services. This is a
“browser inside a browser” type website when a user opens a web page,
enters the requested URL into a form, and clicks “Submit”. The web proxy
site downloads the actual page and shows it inside the user browser.
These are the following reasons this type is detected (and might need to
be blocked):
Since the SDK analyzes the HTML page (if provided), and not just URLs,
for some categories the SDK will still be able to detect the content. Other
reasons, however, cannot be avoided just by using the SDK.
URL exclusions
URLs that are known to be safe can be added to the list of trusted domains. URLs that represent a
threat can be added to the list of blocked domains.
In the Domain field, enter each domain on a new line. In the Description field, enter a short
description so that you can recognize your change in the list of blocked items.
Note
Local network paths are supported. For example, \\localhost\folderpath\file.exe.
Description
You can use the Description field to make notes on the exclusions that you added in the URL
exclusions list. Some suggestions on the notes you may make:
If there are multiple items added in a single entry, there can only be 1 comment captured for the
multiple items.
The Microsoft Defender Antivirus (WDA) module allows you to configure Microsoft Defender
Antivirus security policy and track its status via the Cyber Protect console.
This module is applicable for the workloads on which Microsoft Defender Antivirus is installed.
This module is applicable for the workloads on which Microsoft Security Essentials is installed.
The settings for Microsoft Security Essentials are similar to the settings for Microsoft Defender
Antivirus, but you cannot configure real-time protection, and cannot define exclusions via the Cyber
Protect console.
Schedule scan
Specify the schedule for scheduled scanning.
Scan mode:
l Full – a full check of all files and folders in addition to the items scanned in the quick scan. It
requires more machine resources for execution compared to the quick scan.
l Quick – a quick check of the in-memory processes and folders where malware is typically found.
It requires fewer machine resources for execution.
Define the time and day of week when the scan will be performed.
Daily quick scan – define the time for the daily quick scan.
Start the scheduled scan when the machine is on but not in use
Check for the latest virus and spyware definitions before running a scheduled scan
For more details about the settings for Microsoft Defender Antivirus, refer to
https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings
Default actions
Define the default actions to be performed for the detected threats of different severity levels:
Real-time protection
Enable Real-time protection to detect and stop malware from installing or running on workloads.
Scan all downloads – if selected, scanning is performed for all downloaded files and attachments.
Allow full scan on mapped network drives – if selected, mapped network drives will be fully
scanned.
Allow email scanning – if enabled, the engine will parse the mailbox and mail files, according to
their specific format, in order to analyze the mail bodies and attachments.
For more details about the real-time protection settings for Microsoft Defender Antivirus, refer to
https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings
Advanced
Specify the advanced scan settings:
l Scan archive files – include archived files such as .zip or .rar files in scanning.
l Scan removable drives – scan removable drives during full scans.
l Create a system restore point – in some cases an important file or registry entry could be
removed as a "false positive"; with a restore point, you will be able to recover it.
l Remove quarantined files after – define the period after which the quarantined files will be
removed.
l Send file samples automatically when a further analysis is required:
o Always prompt – you will be asked for confirmation before file sending.
o Send safe samples automatically – most samples will be sent automatically except files that
may contain personal information. Such files will require additional confirmation.
o Send all samples automatically – all samples will be sent automatically.
l Disable Windows Defender Antivirus GUI – if selected, the WDA user interface will not be
available to a user. You can manage the WDA policies via Cyber Protect console.
l MAPS (Microsoft Active Protection Service) – online community that helps you choose how to
respond to potential threats.
o I don't want to join MAPS – no information will be sent to Microsoft about the software that
was detected.
o Basic membership – basic information will be sent to Microsoft about the software that was
detected.
For more details about the advanced settings for Microsoft Defender Antivirus, refer to
https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings
Exclusions
You can define the following files and folders to be excluded from scanning:
l Processes – any file that the defined process reads from or writes to will be excluded from
scanning. You need to define a full path to the executable file of the process.
l Files and folders – the specified files and folders will be excluded from scanning. You need to
define a full path to a folder or file, or define the file extension.
For more details about the exclusion settings for Microsoft Defender Antivirus, refer to
https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings
Firewall management
Note
The availability of this feature depends on the service quotas that are enabled for your account.
Firewall management allows you to easily configure firewall settings on protected workloads.
This functionality in Cyber Protect is provided through a built-in Microsoft Defender Firewall
component of Microsoft Windows. Microsoft Defender Firewall blocks unauthorized network traffic
flowing into or out of your workloads.
Firewall management is applicable for the workloads on which Microsoft Defender Firewall is
installed.
Windows
l Windows 8
l Windows 8.1
l Windows 10
l Windows 11
Microsoft Defender Firewall status in the Firewall management area of the protection plan
panel is displayed as On or Off, depending on whether you enabled or disabled the firewall
management.
You might also access the protection plan panel from the Management tab. However, this capability
is not available in all editions of the Cyber Protection service.
Quarantine
Quarantine is a special isolated folder on a machine's hard disk where the suspicious files detected
by Antivirus and Antimalware protection are placed to prevent further spread of threats.
Quarantine allows you to review suspicious and potentially dangerous files from all machines and
decide whether they should be removed or restored. The quarantined files are automatically
removed if the machine is removed from the system.
Name | Description
Date quarantined | The date and time when the file was placed in Quarantine.
Protection plan | The protection plan according to which the suspicious file was placed in Quarantine.
l Delete – permanently remove a quarantined file from all machines. You can delete all files with
the same file hash. You can restore all files with the same file hash. Group the files by hash, select
the needed files, and then delete them.
l Restore – restore a quarantined file to the original location without any modifications. If a file
with the same name currently exists in the original location, it will be overwritten by
the restored file. Note that the restored file will be added to the whitelist and skipped during
further antimalware scans.
For workloads with Antivirus and Antimalware enabled in the protection plan, right-click the
files/folders that you want to scan.
Note
This option is available only to administrators of the workload.
Corporate whitelist
An antivirus solution might identify legitimate corporate-specific applications as suspicious. To
prevent these false positive detections, the trusted applications are manually added to a whitelist,
which is time-consuming.
Cyber Protection can automate this process: backups are scanned by the Antivirus and Antimalware
protection module and the scanned data are analyzed, so that such applications are moved to the
whitelist, and false positive detections are prevented. Also, the company-wide whitelist improves the
further scanning performance.
The whitelist is created for each customer, and is based only on this customer's data.
The whitelist can be enabled and disabled. When it is disabled, the files added to it are temporarily
hidden.
Note
Only accounts with the administrator role (for example, Cyber Protection administrator; company
administrator; partner administrator who acts on behalf of a company administrator; unit
administrator) can configure and manage the whitelist. This functionality is not available for a read-
only administrator account or a user account.
Whitelist settings
When you enable the Automatic generation of whitelist switch, you must specify one of the
following levels of heuristic protection:
l Low
Corporate applications will be added to the whitelist only after a significant amount of time and
checks. Such applications are more trusted. However, this approach increases the possibility of
false positive detections. The criteria to consider a file as clean and trusted are high.
l Default
Corporate applications will be added to the whitelist according to the recommended protection
level, to reduce possible false positive detections. The criteria to consider a file as clean and
trusted are medium.
l High
Corporate applications will be added to the whitelist faster, to reduce possible false positive
detections. However, this does not guarantee that the software is clean, and it might later be
recognized as suspicious or malware. The criteria to consider a file as clean and trusted are low.
If you are unsure about an item that you added, you can check it in the VirusTotal analyzer. When
you click Check on VirusTotal, the site analyzes suspicious files and URLs to detect types of
malware by using the file hash of the item that you added. You can view the hash in the File hash
(MD5) string.
The Machines value represents the number of machines where such hash was found during
backup scanning. This value is populated only if an item came from Backup scanning or Quarantine.
This field remains empty if the file has been added manually to the whitelist.
To perform an antimalware scan, you need to configure a backup scanning plan. For more
information about how to do this, refer to "Backup scanning plans" (p. 178).
Every backup scanning plan creates a scanning task for the cloud agent and adds this task to a
queue, which is one per data center. Scanning tasks are processed according to their order in the
queue. Also, the scanning time depends on the backup size. That is why there is a delay between
creating a backup scanning plan and completing the scan.
l Not scanned
l No malware
l Malware detected
You can check the results of a backup scan in the Backup scanning details (threats) widget. You
can find it in the Cyber Protect console, on the Monitoring > Overview tab.
Limitations
l Antimalware scan is supported for Entire machine or Disks/volumes backups of the following
workloads:
o Windows machines on which a protection agent is installed.
o Windows virtual machines that are backed up at the hypervisor level (agentless backup) by
Agent for Hyper-V and Agent for VMware (Windows).
Antimalware scan is not supported for backups created by virtual appliances, such as Agent for
VMware (Virtual appliance), Agent for Virtuozzo, Agent for Scale Computing HC3.
l Only volumes with the NTFS file system, and GPT or MBR partitioning are scanned.
l Only the default cloud storage is supported as backup location. Local storages and partner-
owned cloud storages are not supported.
l When you select backups to scan, you can select backup sets that include a Continuous data
protection (CDP) backup. However, only non-CDP backups in these backup sets will be scanned.
For more information about the CDP backups, refer to "Continuous data protection (CDP)" (p.
365).
l When you perform safe recovery of an entire machine, you can select a backup set that includes
If an Advanced protection feature is enabled for you to use, it appears in the protection plan marked
with the Advanced feature icon. When you try to enable the feature, you will be prompted that
additional billing applies.
If an Advanced protection feature is not enabled for you, the following icon appears next to the
feature name in the protection plan. A message will prompt you to contact your administrator
to enable the required Advanced protection pack for you.
Note
When you disable the last enabled Advanced protection feature in your protection plan, core
functionality of the corresponding Advanced protection pack is disabled. You are prompted to
confirm your choice. Make sure you do not lose the core functionality of Advanced protection
packs. See the table below.
Advanced Backup
Protects your workloads continuously and ensures that even last-minute changes of
your work will not be lost
l One-click recovery
l Continuous data protection
l Backup support for Microsoft SQL Server clusters and Microsoft Exchange clusters –
Always On Availability Groups (AAG) and Database Availability Groups (DAG)
l Backup support for MariaDB, MySQL, Oracle DB, and SAP HANA
l Data protection map and compliance reporting
l Off-host data processing
l Group management for Microsoft 365 and Google Workspace workloads
l Backup frequency for Microsoft 365 and Google Workspace workloads
l Remote operations with bootable media
Advanced Data Loss Prevention
Prevents leakage of sensitive information from the protected workloads
l Content-aware prevention of data loss from workloads via peripheral devices and
network communication
l Pre-built automatic detection of personally identifiable information (PII), protected
health information (PHI), and Payment Card Industry Data Security Standard (PCI
DSS) data, as well as documents in the “Marked as Confidential” category
l Automatic data loss prevention policy creation with optional end user assistance
l Adaptive data loss prevention enforcement with automatic learning-based policy
adjustment
l Cloud-based centralized audit logging, alerting, and end user notifications
Advanced Data Loss Prevention features can be included in any protection plan for a customer
tenant if the Protection service and the Advanced Data Loss Prevention pack are enabled for this
customer.
The data flow policy contains rules that specify which data flows are allowed and which are
prohibited, thus preventing unauthorized transfers of sensitive information when the Data Loss
Prevention module is enabled in a protection plan and running in Enforcement mode.
Each sensitivity category in the policy contains one default rule, marked with an asterisk (*) and one
or more explicit (non-default) rules that define the data flows for specific users or groups. Read
more about the types of policy rules in the Fundamentals guide.
The data flow policy is usually created automatically while Advanced Data Loss Prevention is running
in observation mode. The time required for building a representative data flow policy is
approximately one month, but it could differ, depending on the business processes in your
organization. The data flow policy can also be created, configured, or edited manually by a company
or unit administrator.
Allow all | All transfers of sensitive data from user workloads are treated as necessary for the business process and safe. A new rule is created for every detected data flow that does not match an already defined rule in the policy.
Justify all | All transfers of sensitive data from user workloads are treated as necessary for the business process, but risky. Therefore, for every intercepted transfer of sensitive data to any recipient or destination both inside and outside the organization that does not match a previously created data flow rule, the user must provide a one-time business justification. When the justification is submitted, a new data flow rule is created in the data flow policy.
Mixed | The Allow all logic is applied for all internal sensitive data flows, and the Justify all logic is
Note
For more information about internal and external data see Automated detection of
destination
6. Save the protection plan and apply it to the workloads from which you want to collect data to
build the policy.
Note
Data leakage is not prevented during observation mode.
1. In the Cyber Protect console, navigate to Protection > Data flow policy.
2. Click New data flow rule.
The New data flow rule pane expands on the right.
3. Select a sensitivity category, add a sender and a recipient, and define the permission for data
transfers for the selected category, sender, and recipient.
Option | Description
Allow | Allow this sender to transfer data of this sensitivity category to this recipient.
Exception | Do not allow this sender to transfer data of this sensitivity category to this recipient, but allow the sender to submit an exception to the rule for a specific transfer. When this sender tries to transfer data of this sensitivity category to this recipient, block the transfer and ask the sender to submit an exception to allow this transfer. When the exception is submitted, the data transfer is allowed to proceed. Important: All subsequent data transfers between this sender and recipient for this sensitivity category will be allowed for five minutes after the exception is submitted.
Deny | Do not allow this sender to transfer data of this sensitivity category to this recipient, and do not allow the sender to request an exception to the rule.
4. (Optional) Select an action that should be executed when the rule is triggered.
Action | Description
Write in log | Store an event record in the audit log when the rule is triggered. We recommend selecting this action for rules with Exception permission.
Generate an alert | Generate an alert in the Cyber Protect Alerts tab when the rule is triggered. If notifications are enabled for the administrator, an email notification will be sent as well.
Notify the end user when a data transfer is denied | Notify the user in real time with an on-screen warning when they trigger the rule.
5. Click Save.
6. Repeat steps 2 to 5 to create multiple rules of different sensitivity categories and options, and
verify that the resulting rules correspond to the options that you selected.
l Sensitive
o Protected Health Information (PHI)
o Personally Identifiable Information (PII)
o Payment Card Industry Data Security Standard (PCI DSS)
o Marked as Confidential
l Non-sensitive
For more information on the data flow policy concept and features, see the Fundamentals guide.
Rule structure
Each policy rule consists of the following elements.
l Sensitivity Category
o Protected Health Information (PHI)
o Personally Identifiable Information (PII)
o Payment Card Industry Data Security Standard (PCI DSS)
o Marked as Confidential
See "Sensitive data definitions" (p. 768)
l Sender - specifies the initiator of a data transfer controlled by this rule. It may be a single user, a
list of users, or a user group.
o Any internal - a user group that includes all internal users of the organization.
o Contact / From organization - a Windows account in the organization, recognized by
Advanced Data Loss Prevention, as well as all other accounts (including those used by third-
party communication applications) that a given Windows account has used earlier.
o Contact / Custom identity - identifier of an internal user specified in one of the following
formats: email, Skype ID, ICQ identifier, IRC identifier, Jabber e-mail, Mail.ru Agent e-mail, Viber
phone number, Zoom e-mail.
The following wild cards can be used for specifying a group of contacts:
Warning!
When No action is selected and the rule is triggered:
l no event record is added to the audit log;
l no alert is sent to the administrator;
l no onscreen notification is displayed to the end user.
Allow (permissive) | Data transfers that match the combination of sensitivity category, sender, and recipient defined in the rule are allowed.
Exception (prohibitive) | Data transfers that match the combination of sensitivity category, sender, and recipient defined in the rule are not allowed, but the sender can submit an exception to the rule to allow a specific transfer. Important: All subsequent data transfers between this sender and recipient for this sensitivity category will be allowed for five minutes after the exception is submitted.
Deny (prohibitive) | Data transfers that match the combination of sensitivity category, sender, and recipient defined in the rule are not allowed, and the sender does not have the option to submit an exception.
In addition, a priority flag can be assigned to the Allow and Exception permissions to increase the
policy management flexibility. With this setting, you can override the permissions set for specific
groups in other data flow rules in the policy. You can use it to apply a group data flow rule only to
some of its members. To achieve this, you must create a data flow rule for specific users that you
want to exclude from the group rules, and then prioritize their permissions over the data flow
restrictions configured in the rules for the group to which these users belong. For information on
permission priorities when combining rules, see "Combining data flow policy rules" (p. 761).
Important
Before switching a company or unit policy from Observation to Enforcement mode, it is crucial to
adjust the default rules for each sensitive data category from the permissive to a prohibitive state.
Default rules are marked with an asterisk (*) in the Data flow policy view. Read more about the
types of policy rules in the Fundamentals guide.
Permissions
If a data transfer matches more than one rule and these rules have different permissions for the
same data category, the overriding rule is the one with higher priority permission, according to the
following permission priority list (in descending order):
If a data transfer matches more than one rule and these rules have different permissions for
different data categories, the following logic is applied for the override:
1. The most restrictive rule permission is defined for each of the sensitivity categories that the data
transfer matches.
2. The most restrictive of the rule permissions defined in point 1 is enforced.
Example
PCI Deny
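The two-step override for transfers that match several sensitivity categories, together with the five-minute window of the Exception permission, as an added Python example (not Acronis code). The `Rule` and `Policy` names, exact-match sender and recipient comparison, and the fallback to a category's default rule when no explicit rule matches are assumptions; priority flags are not modeled, and the sample policy is constructed.

```python
from dataclasses import dataclass

# Restrictiveness order from the page: Allow is permissive; Exception and Deny
# are prohibitive, and only Deny cannot be overridden by the sender.
RANK = {"Allow": 0, "Exception": 1, "Deny": 2}
EXCEPTION_WINDOW = 5 * 60  # seconds ("allowed for five minutes")


@dataclass(frozen=True)
class Rule:
    category: str           # sensitivity category, e.g. "PHI" or "PCI DSS"
    permission: str         # "Allow", "Exception" or "Deny"
    sender: str = "*"       # user name or "Any internal"; "*" only on default rules
    recipient: str = "*"
    default: bool = False   # default rules carry an asterisk in the console


class Policy:
    def __init__(self, rules, internal_users):
        self.rules = list(rules)
        self.internal_users = set(internal_users)
        self._exceptions = {}  # (category, sender, recipient) -> submission time

    def _matches(self, rule, category, sender, recipient):
        if rule.default or rule.category != category or rule.recipient != recipient:
            return False
        if rule.sender == "Any internal":
            return sender in self.internal_users
        return rule.sender == sender

    def category_permission(self, category, sender, recipient):
        """Step 1: most restrictive permission among the rules for one category."""
        hits = [r for r in self.rules if self._matches(r, category, sender, recipient)]
        if not hits:  # assumption: with no explicit rule, the default rule applies
            hits = [r for r in self.rules if r.default and r.category == category]
        if not hits:
            raise ValueError(f"no default rule for category {category!r}")
        return max((r.permission for r in hits), key=RANK.__getitem__)

    def submit_exception(self, category, sender, recipient, now):
        if self.category_permission(category, sender, recipient) != "Exception":
            raise PermissionError("this rule does not accept exceptions")
        self._exceptions[(category, sender, recipient)] = now

    def evaluate(self, categories, sender, recipient, now):
        """Return (enforced permission, per-category permissions) for one transfer."""
        if not categories:
            raise ValueError("transfer has no sensitive category")
        per_category = {}
        for category in categories:
            perm = self.category_permission(category, sender, recipient)
            submitted = self._exceptions.get((category, sender, recipient))
            if (perm == "Exception" and submitted is not None
                    and 0 <= now - submitted <= EXCEPTION_WINDOW):
                perm = "Allow"  # inside the five-minute window after an exception
            per_category[category] = perm
        # Step 2: the most restrictive per-category result is enforced
        return max(per_category.values(), key=RANK.__getitem__), per_category


# Constructed sample policy. The PHI default rule was left at Allow, which is
# the state the page tells you to change before switching to Enforcement mode.
SAMPLE_POLICY = Policy(
    rules=[
        Rule("PHI", "Allow", default=True),
        Rule("PII", "Exception", default=True),
        Rule("PCI DSS", "Deny", default=True),
        Rule("PCI DSS", "Allow", sender="alice", recipient="billing@partner.example"),
        Rule("PII", "Allow", sender="Any internal", recipient="hr@corp.example"),
    ],
    internal_users={"alice", "bob"},
)

if __name__ == "__main__":
    p = SAMPLE_POLICY
    # PHI (default Allow) combined with PCI DSS (default Deny): Deny is enforced
    print(p.evaluate(["PHI", "PCI DSS"], "alice", "someone@mail.example", now=0))
    # PHI alone still leaves through the permissive default rule
    print(p.evaluate(["PHI"], "bob", "someone@mail.example", now=0))
```

The second call shows why a default rule left at Allow matters: a PHI-only transfer to an unknown recipient is permitted even though the policy is otherwise prohibitive.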
During the policy review, the partner administrator presents the baseline data flow policy to the
client, who reviews each data flow in the policy and validates its consistency with their business
processes. The validation does not require any technical skills, because the representation of policy
rules in the Cyber Protect console is intuitively clear: each rule describes who the sender and the
recipient of a sensitive data flow are.
Based on the client’s instructions, the partner administrator manually adjusts the baseline policy by
editing, deleting, and creating data flow policy rules. After the client’s approval, the reviewed policy is
enforced on protected workloads by switching the protection plan applied to these workloads to the
Enforcement mode.
Before enforcing a reviewed policy, it is important to change the Allow permission in all
automatically created default policy rules for sensitive data categories to Deny or Exception. The
Deny permission cannot be overridden by users, while the Exception permission blocks a transfer
matching the rule but allows users to override the block in an emergency situation by submitting a
business-related exception.
The Advanced DLP policy management workflow allows administrators to automate policy renewals
for the entire company, a unit, a user, or some of the users in a unit.
The renewal process consists of the following steps that must be performed by a Company
administrator or a Partner who manages the company workloads.
Renewing the policy for one or more users in the company or unit
User-level policies can be renewed by using any option of the Observation mode, as well as the
adaptive enforcement mode.
The renewal process consists of the following steps that must be performed by a Company
administrator or a Partner who manages the company workloads.
1. Delete all non-default rules in the policy enforced for the company (or unit) that have the user as
their single sender.
2. Remove the user from the sender lists of all non-default data flow rules in the enforced policy.
3. Create a new protection plan with Advanced DLP in observation mode and apply it to the user's
workload to start the renewal (observation) period.
The duration of the renewal period depends on how long it could take for the user to have
performed all or 90-95% of their regular business activities that involve transferring sensitive
data from their workloads.
4. When the renewal period ends, review the new rules related to this user that have been added
to the enforced policy, adjust them if necessary, and get them approved by the client.
5. Switch the protection plan applied to the user's workload to the Strict enforcement mode or
the Adaptive enforcement mode - depending on which option the client considers as optimal
for preventing data leakage from the user's workload.
Alternatively, you can re-apply to the user's workload the protection plan applied to the company
(or unit).
Note
This policy renewal method has the following specifics: the enforced company (unit) policy rules for
sender groups with the user's membership (i.e. Any internal) are also enforced over data transfers
from this user during the renewal. As a result, the renewal will not create new individual rules for
the user that would contradict or match these already existing policy rules for sender groups.
Which of these two methods is more effective for user policy renewals for a particular client
depends on its specific IT security requirements.
The renewal process consists of the following steps that must be performed by a Company
administrator or a Partner who manages the company workloads.
1. Delete all non-default rules in the policy enforced for the company (unit) that have the user as
their single sender.
2. Remove the user from the sender lists of all non-default data flow rules in the enforced policy.
3. For all default rules in the policy enforced for the company (or unit), set their permission to
Exception, and select the Write in log action in the Action field.
4. If the protection plan currently applied to the user's workload is set to the Strict enforcement
mode, create a new protection plan with Advanced DLP and apply it to the user's workload in the
Adaptive enforcement mode to start the renewal period.
The duration of the renewal period depends on how long it could take for the user to have
performed all or 90-95% of their regular business activities that involve transferring sensitive
data from their workloads.
5. When the renewal period ends, review the new rules related to this user that have been added
to the enforced policy, adjust them if necessary, and get them approved by the client.
6. Switch the protection plan applied to the user's workload to the Strict enforcement mode or
leave it in the Adaptive enforcement mode - depending on which option the client considers as
optimal for preventing data leakage from the user's workload.
Alternatively, you can re-apply to the user's workload the protection plan applied to the company
(or unit).
l Device control stops controlling user access to those local channels in which Advanced DLP
inspects the content of transferred data.
l User access to the following local channels and peripherals in the allowlist is enforced by Device
Control:
o Optical drives
o Floppy drives
o MTP-connected mobile devices
o Bluetooth adapters
o Windows clipboard
o Screenshot captures
o USB devices and device types (except for Removable storage and Encrypted)
Allow all | All transfers of sensitive data from user workloads are treated as necessary for the business process and safe. A new rule is created for every detected data flow that does not match an already defined rule in the policy.
Justify all | All transfers of sensitive data from user workloads are treated as necessary for the business process, but risky. Therefore, for every intercepted transfer of sensitive data to any recipient or destination both inside and outside the organization that does not match a previously created data flow rule, the user must provide a one-time business justification. When the justification is submitted, a new data flow rule is created in the data flow policy.
Mixed | The Allow all logic is applied for all internal transfers of sensitive data, and the Justify all logic is applied for all external transfers of sensitive data. For definition of internal destinations, see "Automated detection of destination" (p. 767).
l To enforce the existing data flow policy, select Enforcement mode, and then select how
strictly to enforce the data flow policy rules:
Option | Description
Strict enforcement | The data flow policy is enforced as is and will not be extended with new permissive policy rules when previously unobserved sensitive data flows are detected. See Strict enforcement in the Fundamentals guide.
Adaptive enforcement (Enforcement with learning) | The enforced policy continues its automatic adaptation to those business operations that were not performed during the observation period or to changes in business processes. This mode allows the enforced data flow policy to expand based on newly learned data flows detected on the workloads. See Adaptive enforcement in the Fundamentals guide.
Important
Before switching a company or unit policy from Observation to Enforcement mode, it is
crucial to adjust the default rules for each sensitive data category from the permissive to a
prohibitive state. Default rules are marked with an asterisk (*) in the Data flow policy view.
Read more about the types of policy rules in the Fundamentals guide.
Advanced settings
You can use the advanced settings in protection plans with Advanced Data Loss Prevention to
increase the quality of data content inspection in channels controlled by Advanced Data Loss
Prevention. You can also use them to exclude from any preventive controls the data transfers to
peripheral device types in the allowlist, categories of network communications, and destination
hosts, as well as data transfers initiated by applications in the allowlist. You can configure the
following advanced settings:
Warning!
This option is used if issues with a specific Device type or Protocol occur. Do not enable it unless
advised by a Support representative.
The Security level indicator of Advanced settings displayed in the Create protection plan view
and in the "Details" view of a protection plan has the following logic of level indication:
For each intercepted data transfer, Advanced Data Loss Prevention detects automatically if the
destination HTTP, FTP, or SMB server is internal by performing a DNS request and comparing the
FQDN names of the machine where the Data Loss Prevention agent runs and the remote server. If
the DNS request fails, it also checks if the protected workload and the remote server are in the same
network. Servers that have the same domain name (or are in the same subnetwork) as the machine
where the Data Loss Prevention agent runs are considered internal.
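The internal/external decision described above, as an added Python example (not Acronis code): compare domain names when the DNS lookup succeeds, and fall back to a same-subnet check when it fails. Taking the domain as the FQDN without its first label, the function names, and the constructed resolver table are assumptions.

```python
import ipaddress


def domain_of(fqdn):
    """Domain part of an FQDN: everything after the host label (assumption)."""
    _host, _, domain = fqdn.rstrip(".").lower().partition(".")
    return domain


def classify_destination(agent_fqdn, agent_interface, server_ip, resolve_fqdn):
    """Return ("internal" or "external", "dns" or "subnet").

    agent_interface: the agent's address with prefix length, e.g. "10.1.2.15/24".
    resolve_fqdn:    callable(ip) -> FQDN, raising OSError when the lookup fails
                     (for live use: lambda ip: socket.gethostbyaddr(ip)[0]).
    """
    try:
        server_fqdn = resolve_fqdn(server_ip)
    except OSError:
        server_fqdn = None

    if server_fqdn is not None:
        agent_domain = domain_of(agent_fqdn)
        same = agent_domain != "" and domain_of(server_fqdn) == agent_domain
        return ("internal" if same else "external"), "dns"

    # DNS failed: a server in the agent's own subnet is treated as internal
    network = ipaddress.ip_interface(agent_interface).network
    inside = ipaddress.ip_address(server_ip) in network
    return ("internal" if inside else "external"), "subnet"


# Constructed reverse-lookup table standing in for DNS, so the example runs offline
CONSTRUCTED_DNS = {
    "10.9.0.5": "files.corp.example",
    "203.0.113.7": "ftp.vendor.example",
}


def constructed_resolver(ip):
    try:
        return CONSTRUCTED_DNS[ip]
    except KeyError:
        raise OSError("lookup failed") from None


if __name__ == "__main__":
    agent = ("ws12.corp.example", "10.1.2.15/24")
    for ip in ("10.9.0.5", "203.0.113.7", "10.1.2.77", "198.51.100.9"):
        print(ip, classify_destination(*agent, ip, constructed_resolver))
```

Under the Mixed observation option, anything this check calls internal follows the Allow all logic, so an unmanaged host that shares the workload's subnet and has no DNS record is classified as internal.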
Non-corporate emails are treated as external communication unless the recipient account is known.
Known email addresses are updated as Data Loss Prevention monitors the user activity on the
network and updates the database at the back end with data for email addresses associated with
the user.
Communications via messengers are treated as external communications unless the recipient
account is known. Known accounts are updated as Data Loss Prevention monitors the user activity
on the network and updates the database at the back end with data for accounts associated with
the user.
To reduce the number of false positives, identical matches are counted as one match for all groups
of the described logical expressions.
Important
The logical expressions used for content identification are provided for information only and do not
describe the solution in full detail.
Supported languages
l US, UK, English-International
l Finnish
l Italian
l French
l Polish
l Russian
l Hungarian
l Norwegian
l Spanish
Supported languages
l US, UK, English-International
l Bulgarian
l Chinese
l Czech
l Danish
l Dutch
l Finnish
l French
l German
l Hungarian
l Indonesian
l Italian
l Korean
l Malay
Note
Only unique matches are counted by content detection.
The logical expression consists of the following strings joined by the logical operator OR. The
operator OR is used to join different groups if logical operator AND is not explicitly specified.
Supported languages
This sensitivity group is language-independent. The PCI DSS data is in English in all countries.
Marked as Confidential
Data marked as confidential is detected through a keyword group.
The Match condition is weight-based, and every word has weight == 1. The content detection is
considered positive when the total weight is greater than 3 (Match if weight > 3).
Supported languages
l English
l Bulgarian
l Chinese Simplified
l Chinese Traditional
l Czech
l Danish
l Dutch
Keyword groups
The keyword group for each language contains the country-specific equivalents of the following
keywords that are used for the English language (case-insensitive).
l confidential
l internal distribution
l not for distribution
l do not distribute
l not for public
l not for external distribution
l for internal use only
l highly qualified documentation
l private
l privileged information
l for internal use only
l for official use only
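The weight-based match for the Marked as Confidential category, as an added Python example (not Acronis code): every listed English keyword has weight 1, repeated hits of the same keyword count once, and detection is positive only when the total weight exceeds 3. Whole-word matching and the function names are assumptions, and the sample texts are constructed.

```python
import re

# English keyword group as listed on this page (the repeated entry is collapsed)
KEYWORDS = [
    "confidential",
    "internal distribution",
    "not for distribution",
    "do not distribute",
    "not for public",
    "not for external distribution",
    "for internal use only",
    "highly qualified documentation",
    "private",
    "privileged information",
    "for official use only",
]

THRESHOLD = 3  # page: "Match if weight > 3", every keyword has weight 1


def _pattern(phrase):
    # Assumption: whole-word, case-insensitive match; any whitespace between words
    words = [re.escape(word) for word in phrase.split()]
    return re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)


PATTERNS = {keyword: _pattern(keyword) for keyword in KEYWORDS}


def matched_keywords(text):
    """Return the set of distinct keywords found in the text."""
    return {keyword for keyword, pattern in PATTERNS.items() if pattern.search(text)}


def is_marked_confidential(text):
    """Return (match, weight, keywords); identical matches are counted once."""
    found = matched_keywords(text)
    weight = len(found)
    return weight > THRESHOLD, weight, sorted(found)


# Constructed sample texts
SAMPLE_REPEATED = "CONFIDENTIAL. Confidential draft. The confidential numbers are attached."
SAMPLE_THREE = "Private and confidential. Not for public release."
SAMPLE_FOUR = (
    "Confidential - for internal use only.\n"
    "Privileged information: do not distribute outside the team."
)

if __name__ == "__main__":
    for name, text in [("repeated", SAMPLE_REPEATED),
                       ("three", SAMPLE_THREE),
                       ("four", SAMPLE_FOUR)]:
        print(name, is_marked_confidential(text))
```

A document that repeats one marking many times, or carries three different markings, stays below the threshold; four distinct keywords are needed for a positive detection.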
l Sensitive data transfers - shows a total number of sensitive data transfer operations to internal
and external recipients. The chart is divided by the type of permission: allowed, justified or
blocked. You can customize this widget by selecting the desired time range (1 day, 7 days, 30
days, or this month).
l Outbound sensitive data categories - shows a total number of sensitive data transfers to
external recipients. The chart is divided by sensitive categories: Protected Health Information
(PHI), Personally Identifiable Information (PII), PCI DSS and Marked as Confidential (Confidential).
l Top senders of outbound sensitive data - shows a total number of sensitive data transfers
from the organization to external recipients and a list of the top five users with the largest
number of transfers (along with these numbers). This statistic includes both allowed and justified
transfers. You can customize this widget by selecting the desired time range (1 day, 7 days, 30
days, or this month).
l Top senders of blocked sensitive data transfers - shows a total number of blocked sensitive
data transfers and a list of the top five users with the largest number of attempted transfers
(along with these numbers). You can customize this widget by selecting the desired time range (1
day, 7 days, 30 days, or this month).
l Recent DLP events - shows details of recent Data loss prevention events for the selected time
range. You can customize this widget using the following options:
o Range (date posted) (1 day, 7 days, 30 days, or this month).
o Name of the workload
o Operation status (allowed, justified, or blocked)
o Sensitivity (PHI, PII, Confidential, PCI DSS)
o Destination type (external, internal)
o Grouping (workload, user, channel, destination type)
Note
Copying built-in sensitivities inside one tenant creates a new sensitivity that consists of
the same detectors (they become Custom once copied).
File type content detector
a. There are two lists: Supported file types and Selected file types. By clicking the “plus” icon to
the right of a supported file type, you move it to the Selected file types list. You can also select
multiple supported file types by clicking the checkmarks next to their names and then using the
Add selected button in the top right corner.
b. To remove a file type from the Selected file types list, click the trashcan icon to the
right of its name. You can also remove multiple file types at once by using the checkmarks
and the Remove selected button.
8. Instead of creating a new content detector from scratch you can also reuse an existing one
(either built-in or existing custom sensitivity) by cloning it and adjusting its parameters.
l To clone an existing content detector, click a checkmark next to its name and then select
Clone from the Action drop down menu (indicated by an ellipsis) in the top left corner. You
can select multiple items at a time to clone more than one content detector.
Note
Copying a built-in content detector causes the detector to become custom.
EDR detects suspicious activity on the workload, including attacks that have gone unnoticed. EDR
then generates incidents, which provide a step-by-step overview of each attack, helping you
understand how an attack happened and how to prevent it from happening again. With easy-to-
understand interpretations of each stage in the attack, the time spent on investigating attacks can
be reduced to a matter of minutes.
Existing EDR solutions do help prevent these "silent failures" by finding and removing attackers
quickly. However, they typically require a high level of security expertise or expensive Security
Operation Center (SOC) analysts, and analysis of incidents can be extremely time-consuming.
The Acronis Advanced Security + EDR functionality overcomes these limitations by detecting attacks
that have gone unnoticed, and helping you understand how an attack happened and how to
prevent it from happening again. In turn, this reduces the time spent on investigating attacks.
l Full visibility: Understand what happened and how it happened, even for attacks that have gone
unnoticed. The evolution of each attack is also visually mapped out, step-by-step (from the initial
point of entry to viewing the data that was targeted and/or exfiltrated), enabling you to quickly
understand the scope and impact of an incident. For more information, see "How to investigate
incidents in the cyber kill chain" (p. 791).
l Minimize investigation time: Reduce incident investigation time from hours to just a matter of
minutes. EDR details each step of the attack in clear, easy-to-understand human language, in turn
helping reduce the need for expensive experts or additional headcount. For more information,
see "Investigating incidents" (p. 790).
l Check for known threats on your workloads: You can automatically search your workloads for
threats from malware, vulnerabilities, and other types of global events that may affect your data
protection. These threats are referred to as indicators of compromise (IOCs), and are based on
threat data received from the Cyber Protection Operations Center (CPOC). For more information,
Features
Endpoint Detection and Response (EDR) includes the following features:
For more information about the Incidents page, see "Reviewing incidents" (p. 783).
For more information, see "How to investigate incidents in the cyber kill chain" (p. 791).
Check for publicly disclosed attacks on your workloads using threat feeds
EDR includes the ability to review existing, known attacks in threat feeds against your workloads.
These threat feeds are automatically generated based on threat data received from the Cyber
Protection Operations Center (CPOC); EDR enables you to verify whether or not a threat is impacting
your workload, and then take the necessary steps to nullify the threat.
For more information, see "Check for indicators of compromise (IOCs) from publicly known attacks
on your workloads" (p. 801).
l The current threat status, including the number of incidents that need to be investigated.
l The evolution of attacks by severity, indicating possible attack campaigns.
l The efficiency rate of closing down incidents.
l The most targeted tactics used to attack your customers.
l The network status of the workload, meaning whether it is isolated or connected.
Software requirements
Endpoint Detection and Response (EDR) supports the following operating systems:
To enable EDR
4. In the displayed dialog, click Enable. Note that when EDR is enabled, other protection modules
are also enabled, as shown in the displayed dialog.
5. The Advanced Security + EDR pack icon, as shown below, is added to the list of protection
packs required for the implementation of the protection plan, depending on additional packs
you select.
The table below describes the general workflow when working with EDR. Initially, you will review and
prioritize any new incidents, investigate them further in the cyber kill chain, and then take the
relevant remediation actions.
Reviewing incidents
Endpoint Detection and Response (EDR) provides an incident list that includes both prevention (or
malware) and suspicious detections on a workload. The incident list gives you a quick-glance
overview of any attacks or threats that are affecting your workloads, including threats that are yet to
be mitigated.
The incident list, as shown below, is accessed from the Protection menu in the Cyber Protect
console. For further information about reviewing the incidents in the incident list, see "Viewing
which incidents are currently not mitigated" (p. 786). To learn more about when an incident is
created, see What exactly are incidents?.
This enables you to view attack events together in one single incident, and understand the logical
steps that the attacker performed. In addition, it helps speed up the investigation time for an attack.
When EDR is enabled in the protection plan, security incidents are created when:
l A prevention layer stops something: These incidents are automatically closed by the system,
according to the protection plan settings. However, you can investigate what exactly the malware
did before it was stopped. For example, ransomware is stopped when it starts to encrypt files, but
prior to that it could have stolen credentials or installed a service.
l Suspicious activity is detected by EDR: These are detections that should be investigated and
remediated. By reviewing the visually enhanced cyber kill chain (for more information, see "How
to investigate incidents in the cyber kill chain" (p. 791)), you can easily apply the relevant
remediation actions.
l View which incidents are currently not mitigated: Quickly understand from the incident list if any
attacks are currently in progress. Any incidents that are not mitigated, as indicated in the Threat
status column, should be looked at immediately (by default, the incident list is filtered to display
these incidents).
l Understand the scope and impact of incidents: Based on your filtering of newly opened or
ongoing attacks, understand the severity for the filtered incidents as well as the impact on your
business.
Once you have a refined list of the most important incidents, you can then analyze incident details
to get a better understanding of a specific incident, as well as the techniques used by the attacker
to achieve their objective. For more information, see "Analyze incident details" (p. 788).
Note
By default, the incident list is sorted according to the Updated column, which details the date and
time the incident was last updated with new detections recorded inside the incident. Note that any
existing incident can be updated at any time, even if the incident was previously closed. You can
also filter the list to show newly opened or ongoing attacks according to your requirements, as
described in the procedure below.
You can then refine the displayed incident list further by applying filters. For example, if you want to
filter the list according to threat status and a specific level of severity, select the relevant filter
options. Once you have filtered the incidents that are of interest to you, you can then investigate
them, as described in "Investigating incidents" (p. 790).
You can also use the Threat status widget, as shown below, for a quick glance overview of the
current threat status. Note that the data displayed in this widget reflects the filters you applied; see
"To filter the incident list" (p. 785).
l Review which incidents are more critical in the Severity column. The severity of an incident can
be one of Critical, High, or Medium.
o Critical: There is a severe risk of malicious cyber activity with the risk of compromising critical
hosts in your environment.
o High: There is a high risk of malicious cyber activity with the risk of severe damage in your
environment.
o Medium: There is an increased risk of malicious cyber activity.
Note
When determining the severity, the EDR algorithm takes into consideration the workload type
as well as the scope of each step of the attack. For example, an incident which includes steps
related to credential theft is set to Critical.
l Determine which attack techniques are in use in the Attack info column, and understand if there
is a common theme or pattern to the attacks.
l Confirm how likely it is that an incident is a true malicious attack; the Positivity level column
includes a score from 1 to 10 (the higher the score, the more likely the attack is a true malicious attack).
After you have found the incidents that need immediate attention, you can then investigate them,
as described in "Investigating incidents" (p. 790).
You can also use the Severity history and Detection by tactics widgets for a quick glance
overview of the severity and attack techniques.
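The review order described above, as an added example (not Acronis code): a Python model that builds a triage queue from constructed incident records. The field names, the `Mitigated` status value, and the tie-break order (severity, then positivity level, then most recently updated) are assumptions of this sketch; the guide itself only states that the list is sorted by the Updated column by default.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

NOT_MITIGATED = "Not mitigated"                           # threat status named in the guide
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2}   # severity order from the guide
STATES = {"Not started", "Investigating", "False positive", "Closed"}


@dataclass(frozen=True)
class Incident:
    incident_id: str           # constructed identifier
    workload: str
    threat_status: str         # "Not mitigated", or "Mitigated" (assumed counterpart)
    severity: str              # Critical / High / Medium
    positivity: int            # 1-10, higher means more likely a true attack
    investigation_state: str
    updated: datetime          # last time new detections were recorded
    attack_info: tuple         # techniques listed in the Attack info column

    def __post_init__(self):
        if self.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {self.severity!r}")
        if not 1 <= self.positivity <= 10:
            raise ValueError("positivity level must be between 1 and 10")
        if self.investigation_state not in STATES:
            raise ValueError(f"unknown investigation state: {self.investigation_state!r}")


def triage_queue(incidents):
    """Keep only not-mitigated incidents, most urgent first.

    Closed incidents are deliberately not dropped: an incident can receive
    new detections after it was closed, and then it is an open threat again.
    """
    open_threats = [i for i in incidents if i.threat_status == NOT_MITIGATED]
    return sorted(
        open_threats,
        key=lambda i: (SEVERITY_RANK[i.severity], -i.positivity, -i.updated.timestamp()),
    )


def needs_reopening(queue):
    """IDs of queued incidents still marked Closed.

    Response actions cannot be applied to a closed incident, so these must be
    set back to Investigating before remediation can start.
    """
    return [i.incident_id for i in queue if i.investigation_state == "Closed"]


def recurring_techniques(queue, minimum=2):
    """Techniques seen in at least `minimum` queued incidents (a possible common pattern)."""
    counts = Counter(t for i in queue for t in set(i.attack_info))
    return sorted(t for t, n in counts.items() if n >= minimum)


def _utc(day, hour, minute=0):
    return datetime(2023, 8, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample data; workloads and IDs are invented for illustration.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "ws-fin-01", NOT_MITIGATED, "High", 9, "Investigating",
             _utc(14, 9, 30), ("T1059.001 PowerShell", "T1053.005 Scheduled Task")),
    Incident("INC-2", "srv-dc-01", NOT_MITIGATED, "Critical", 6, "Not started",
             _utc(14, 8), ("T1003 OS Credential Dumping", "T1059.001 PowerShell")),
    Incident("INC-3", "ws-hr-07", "Mitigated", "Critical", 10, "Closed",
             _utc(13, 16), ("T1486 Data Encrypted for Impact",)),
    Incident("INC-4", "ws-dev-12", NOT_MITIGATED, "Critical", 6, "Closed",
             _utc(14, 11, 15), ("T1003 OS Credential Dumping",)),
    Incident("INC-5", "ws-ops-03", NOT_MITIGATED, "Medium", 3, "Not started",
             _utc(12, 10), ("T1547.001 Registry Run Keys / Startup Folder",)),
]

if __name__ == "__main__":
    queue = triage_queue(SAMPLE_INCIDENTS)
    for inc in queue:
        print(inc.incident_id, inc.severity, inc.positivity, inc.workload)
    print("reopen first:", needs_reopening(queue))
    print("recurring techniques:", recurring_techniques(queue))
```

INC-4 is the case to notice: it was closed, received new detections, and therefore leads the queue but cannot be remediated until its investigation state is changed back to Investigating.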
1. In the Cyber Protect console, go to Protection > Incidents. The Incident list is displayed.
2. Click on the incident you want to review. The details for the selected incident are displayed.
3. In the displayed Overview tab, you can review the incident and workload details, including the
current threat status and severity. You can also define the Investigation state (select from one
of Investigating, Not started (the default state), False positive, or Closed), and select a user to
Investigating incidents
Endpoint Detection and Response (EDR) enables you to investigate an entire incident, including all of
the attack stages and objects (processes, registries, scheduled tasks, and domains) impacted by an
attack. These objects are represented by nodes in the easy-to-understand cyber kill chain, as shown
below. Use the cyber kill chain to quickly understand what exactly happened, and when it
happened.
Each and every step of an attack is viewed in the cyber kill chain, which provides you with a detailed
interpretation of how and why the incident happened. The cyber kill chain uses easy-to-understand
sentences and graphs that help explain each step of the attack, in turn helping to minimize
investigation time.
You can quickly understand the scope and impact of an incident, with the attack evolution mapped
to the MITRE framework. This enables you to analyze what happened in each step of an attack,
including:
Note
Each object impacted in the attack, whether it is a process, registry, scheduled task or domain, is
represented by a node in the cyber kill chain.
2. In the displayed list of incidents, click in the far right column of the incident you want to
investigate. The cyber kill chain for the selected incident is displayed.
3. View a summary of the incident in the threat status bar at the top of the page. The threat status
bar includes the following information:
l Current threat status: The threat status is automatically defined by the system. Any incident
that is Not mitigated should be investigated as soon as possible.
An incident is set to Not mitigated when a restore from backup has not been successfully
completed or when at least one detection has not been successfully remediated by a stop
process, quarantine, or rollback action.
l Incident severity: Critical, High, or Medium. For more information, see "Reviewing incidents"
(p. 783).
l Current investigation state: One of Investigating, Not started (the default state), False
positive, or Closed. You should change the state when you start investigating the incident so
that other colleagues are aware of any changes to the incident.
l Positivity level: Indicates how likely it is that an incident is a true malicious attack, on a scale
of 1-10. For more information, see "Reviewing incidents" (p. 783).
l When the incident was created and updated: Date and time the incident was detected, or
when the incident was last updated with new detections recorded inside the incident.
4. Click the Legend tab to view the various nodes that make up the kill chain graph, and define
which nodes to view. For further information, see "Understanding and customizing the cyber kill
chain view" (p. 792).
5. Investigate and remediate the incident by performing the following steps. Note that this is the
typical workflow for investigating and remediating an incident, but may vary according to each
incident and your own requirements.
a. Investigate each stage of the attack in the Attack stages tab. For further information, see
"How to navigate attack stages" (p. 795).
b. Click Remediate entire incident to apply remediation actions. For further information, see
"Remediate an entire incident" (p. 804).
You can also remediate individual nodes in the cyber kill chain, as described in "Response
actions for individual cyber kill chain nodes" (p. 809).
c. Review actions taken to mitigate the incident in the Activities tab. For further information,
see "Understand the actions taken to mitigate an incident" (p. 798).
2. There are four main colors used in the legend, which enable you to quickly understand what
happened to each node in the cyber kill chain, as shown below. These color-coded nodes are
also included in the attack stages, as described in "How to navigate attack stages" (p. 795).
1. In the expanded Legend section, ensure is displayed next to the nodes you want to display in
the cyber kill chain. If the displayed icon is , click the icon to change it to .
2. To hide a node in the cyber kill chain, click . The icon changes to and the node is not
displayed in the cyber kill chain.
Each attack stage summarizes what exactly happened, and what were the objects (referred to as
nodes in the cyber kill chain) targeted. For example, if a downloaded file was masquerading as
Each stage of the attack provides you with the information you need to resolve three crucial
questions:
More importantly, the interpretation provided ensures the time spent on investigating an incident is
greatly reduced, as you no longer need to go through each security event from a timeline or graph
node and then try to create an interpretation of the attack.
The attack stages also include information about compromised files that contain sensitive
information, such as credit card numbers and social security numbers, as shown in the Collection
stage in the example below.
For more information, see "What information is included in an attack stage?" (p. 795).
To investigate a specific attack stage further, click anywhere in the attack stage to navigate to the
relevant node in the cyber kill chain graph. For more information about navigating the cyber kill
chain graph and specific nodes, see "Investigate individual nodes in the cyber kill chain" (p. 796).
Note
If an attack stage is not a known MITRE ATT&CK technique, the header text won't be linked. This is
relevant for generic techniques such as files detected in a random folder.
Note
Each attack stage is a single detection event. The content listed in each stage (header, timestamp,
technique) is generated according to specific parameters in the detection event, and which are
based on attack stage templates stored by Endpoint Detection and Response (EDR).
For example, you can determine how likely an incident is a true malicious attack, and confirm its
reputation with relevant links to VirusTotal and Google. Based on your investigation, you can also
2. In the displayed list of incidents, click in the far right column of the incident you want to
investigate. The cyber kill chain for the selected incident is displayed.
3. Navigate to the relevant node, and click it to display the sidebar for the node.
Note
Click the node to expand it and display associated nodes.
For example, clicking the powershell.exe node in the example below opens the sidebar for the
node. You can also click the arrow icon next to the node to view the associated nodes, including
files and registry values, that may be affected by the powershell.exe node. In turn, you can click
on these associated nodes to investigate further.
o Reputation: Enables you to confirm how likely an incident is a true malicious attack; the
Positivity level score displays a range of 1-10 (the higher the score, the more likely the
attack is a true malicious attack). Click the Go to VirusTotal link to view more information
about the attack on VirusTotal. Additionally, click the Go to Google link to see content
related to the threat (based on the hashes in the file, which are based on different
algorithms; these are included in the Details section (see below)).
o Details: Includes details about the node, including its type, name and current state, path to
the node, and any file hashes and digital signatures (such as MD5 and certificate serial
numbers).
l Scripting Activities: Includes details of any scripts invoked or loaded in the attack. Click to
copy the script to your clipboard for further investigation.
Note
The Scripting Activities tab is only displayed for process nodes that run commands or
scripts (such as cmd or PowerShell commands).
To understand the response actions taken, you can view all the response actions applied to an
entire incident, or view the actions applied to a specific node in the incident cyber kill chain.
2. In the displayed list of incidents, click in the far right column of the incident you want to
investigate. The cyber kill chain for the selected incident is displayed.
3. Click the Activities tab.
The list of response actions already applied to the incident is displayed.
l Click to show / hide the list of completed actions.
Ensure is displayed next to the actions you want to display. If you want to hide an action
from the displayed list, click again to change it to .
3. To get a complete understanding of what actions were applied and why, you may need to scroll
through the applied response actions for the node. For example, for remote desktop connection
actions, you can view who started the action and when, the duration of the action, and its overall
status (if it succeeded, failed, or succeeded with errors).
Check for indicators of compromise (IOCs) from publicly known attacks on your
workloads
Endpoint Detection and Response (EDR) includes the ability to review existing, known attacks in
threat feeds against your workloads. These threat feeds are automatically generated based on
threat data received from the Cyber Protection Operations Center (CPOC); EDR enables you to verify
whether or not a threat is impacting your workload, and then take the necessary steps to nullify the
threat.
You can access threat feeds from the Monitoring menu in the Cyber Protect console. For more
information, see "Threat feed" (p. 272).
To review specific threat details and confirm if they impact your workloads, click on a threat feed.
You can view the number of IOCs detected and workloads affected, and drilldown to workloads that
contain unmitigated IOCs.
Note
If the protection plan does not have EDR enabled, this additional threat feed functionality, as shown
below, is not displayed.
Search for indicators of compromise (IOCs): Click the switch to enable the automatic search for IOCs
on your workloads. When this option is enabled, the Action on detection and Generate alert options
are also displayed.
Action on detection: From the dropdown list, select the action to be taken on the relevant files
when a threat is discovered on a workload:
l No action
l Quarantine
l Delete
l Isolate workloads
4. Click Apply.
4. In the displayed Workloads page, click on the relevant workload and review its details. You can
run specific functionality on the workload, including defining additional URLs to filter (see "URL
filtering" (p. 736)), and blocking malicious processes (refer to the Exclusions section in "Antivirus
and antimalware protection settings" (p. 717)).
For example, if a threat feed indicates that a workload has been affected by an IOC, first locate
and analyze the IOC, as described in "Review and analyze discovered IOCs" (p. 803). Then go to
the protection plan for the workload and define additional protection, such as blocking malicious
file hashes or processes.
Remediating incidents
Endpoint Detection and Response (EDR) enables you to remediate entire incidents, or the individual
attack points of an incident.
By remediating an entire incident, you can choose the remediation(s) that you want to execute
globally on the incident. If you need to manage the incident in more granular detail, you can
remediate individual attack points as required. For example, you may want to isolate the network of
a workload to stop lateral movement or command and control (C&C) activities; this ensures that
even though the workload is isolated, all Acronis Cyber Protect technologies are still functional and
an investigation can be launched.
2. In the displayed list of incidents, click in the far right column of the incident you want to
investigate. The cyber kill chain for the selected incident is displayed.
3. Click Remediate entire incident. The Remediate entire incident dialog is displayed.
4. In the Analyst verdict section, based on your investigation of the incident, select one of the
following:
l True positive: Select if you are sure the attack is a legitimate attack. Once selected, you then
add remediation and prevention actions, as described in the following steps.
Note
After selecting False positive, you can only define prevention actions. For more information,
see "Remediate a false positive incident" (p. 808).
5. In the Remediation actions section, perform the following remediation steps. Note that they
must be performed in sequential order; for example, you cannot select Step 2 before Step 1 is
completed.
a. Step 1 - Stop threats: Select the check box to stop all processes related to the threat.
b. Step 2 - Quarantine threats: Once the threat is stopped, select the check box to quarantine
all malicious and suspicious processes and files.
c. Step 3 - Rollback changes: After threats have been quarantined, select the check box to
delete any new registry entries, scheduled tasks or files created by the threat (and any of its
children threats). The rollback process then reverts any modifications made by the threat (or
its children) to the registry, scheduled tasks and/or files existing on the workload prior to the
attack. To optimize speed, the rollback process tries to recover items from the local cache.
Items that fail to be recovered will be recovered by the system from backup images.
Note
The rollback process recovers from items in the local cache only. Rollback from backup
archives will be available in future releases.
When selected, you can also click Affected items to view all items (files, registry, or
scheduled tasks) affected by the rollback, the actions applied (Delete, Recover, or None),
and if the items are being restored from the local cache or backup images.
d. Recover workload: Select the check box to recover a workload if any of the above
remediation steps fail, whether completely or partially.
7. Select the Change investigation state of the incident to: Closed check box. If not selected,
the investigation state remains in its previous state.
8. Click Remediate. The remediation actions you selected are executed, step by step, with the
progress of each remediation step shown in the Remediate entire incident dialog.
Once clicked, the button displays Go to activities. Click Go to activities to review all response
actions applied to the incident. For more information, see "Understand the actions taken to
mitigate an incident" (p. 798).
1. In the cyber kill chain for the selected incident, click Remediate entire incident. The Remediate
entire incident dialog is displayed.
2. In the Analyst verdict section, select False positive.
3. In the Prevention actions section, select the Add to allowlist check box. From the displayed
protection plan list, select the relevant protection plans.
This prevention action ensures all detections of the incident will be prevented from being
detected for the selected protection plans.
4. Select the Change investigation state of the incident to: False positive check box.
5. Click Remediate.
Once clicked, the button displays Go to activities. Click Go to activities to review the response
actions applied to the incident. For more information, see "Understand the actions taken to
mitigate an incident" (p. 798).
Note
To apply global response actions to an entire incident, see "Remediate an entire incident" (p. 804).
Response actions are divided into the following categories, although not all nodes include all of the
following categories:
l Remediate: Actions in this category enable you to apply an immediate response to the attack,
and include managing network isolation for a workload, and the deletion and quarantining of
files, processes, and registry values.
l Investigate: Actions in this category (applicable to workloads only) enable you to run a Forensic
backup, or remote desktop connection for a more in-depth investigation.
l Investigate: Actions in this category (applicable to workloads only) enable you to run a remote
desktop connection for a more in-depth investigation.
l Recovery: Actions in this category (applicable to workloads only) enable you to respond to
intensive attacks by running a recovery from backup, or Disaster Recovery failover.
l Prevent: Actions in this category enable you to prevent future threats or false positives by adding
them to a protection plan allowlist or blocklist.
Note
If an incident is closed, you cannot apply a response action to a node. However, you can reopen a
closed incident by changing its investigation state to Investigating. When reopened, you can then
apply response actions.
The following table describes each of the node types in the cyber kill chain, the applicable categories
for each node, and the response actions available.
Investigate
l Forensic backup
l Remote desktop connection
Investigate
l Remote desktop connection
Recovery
l Recovery from backup
l Disaster Recovery failover
Prevent
l Patch
Prevent
l Add to allowlist
l Add to blocklist
Prevent
l Add to allowlist
l Add to blocklist
l Manage network isolation: Enables you to manage the network isolation of a workload to stop
lateral movement or Command and Control (C&C) activities. For more information, see "Manage
the network isolation of a workload" (p. 811).
l Patch: Enables you to patch a workload to prevent vulnerability exploitations in potential
future attacks. For more information, see "Patch a workload" (p. 814).
1. In the cyber kill chain, click the workload node you want to remediate.
2. In the displayed sidebar, click the Response Actions tab.
3. In the Remediate section, click Manage network isolation.
4. In the Immediate action after isolation drop-down list, select from one of:
l Isolate only
l Isolate and backup workload
l Isolate and backup workload with forensic data
l Isolate and power off workload
For more information about defining where to backup the workload and encryption options, see
"Managing the backup and recovery of workloads and files" (p. 354).
5. [Optional] In the Message to display field, add a message to display to end users when they
access the isolated workload. For example, you can inform users that the workload is now
isolated and that network access in and out of the workload is currently not available. Note that
this message is also displayed as a tray monitor notification, and remains displayed until the
user dismisses the message.
6. [Optional] In the Comment field, add a comment. This comment is visible in the Activities tab
(for a single node or the entire incident), and can help you (or your colleagues) recall why you
took the action when you revisit the incident.
7. Click Manage network exclusions to add ports, URLs, host names, and IP addresses that will
have access to the workload during the isolation. For more information, see how to manage
network exclusions.
8. Click Isolate.
The workload is isolated. This action can also be viewed in the Activities tabs of both the
individual node and the entire incident. For more information, see "Understand the actions
taken to mitigate an incident" (p. 798).
Note
The workload is also shown as Isolated under the Workloads menu in the Cyber Protect
console. You can also isolate single or multiple workloads from the Workloads > Workloads
with agents menu; select the relevant workload(s) and in the right sidebar select Manage
network isolation. In the displayed dialog, you can manage network exclusions and click
Isolate or Isolate all to isolate the selected workload(s).
Note
If the isolated workload is currently offline you can still reconnect it back to the network; when
the workload goes back online it is automatically put into the Connected state.
Note
If the recovery point you select is encrypted, you will be prompted for the password.
5. [Optional] Select the Automatically restart the workload if required check box. This option is
relevant only if you selected Recover > Entire workload in Step 4.
Note
You can also connect single or multiple isolated workloads from the Workloads > Workloads
with agents menu in the Cyber Protect console; select the relevant workload(s) and in the right
sidebar select Manage network isolation. In the displayed dialog, click Connect or Connect all
to reconnect the selected workload(s) to the network.
Note
Even if all Acronis Cyber Protect technologies are working when the workload is in isolation, there
may be scenarios in which you need additional network connections to be established (for example,
you may need to upload a file from the workload to a shared directory). In these scenarios, you can
add a network exclusion, but make sure any threats are removed before you add the exclusion.
1. In the Remediate section of the Response actions tab, click Manage network exclusions.
2. In the Network exclusions sidebar, add the relevant exclusions. For each of the options available
(Ports, URL address, and Hostname / IP address), do the following:
a. Click Add and then enter the relevant port(s), URL addresses, or Hostname / IP addresses.
b. In the Traffic direction drop-down list, select one of Incoming and outgoing connections,
Incoming connections only, or Outgoing connections only.
c. Click Add.
3. Click Save.
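An added example, not part of the Acronis product or its API: a pre-entry review of proposed network exclusions, so that an exclusion does not quietly reopen the paths that isolation was meant to cut. The traffic direction strings are those of the dialog above; the kind labels `port`, `url` and `host`, the single-port input format, and the list of remote-access ports are assumptions of this sketch.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Traffic direction options as listed in the Network exclusions sidebar.
DIRECTIONS = {
    "Incoming and outgoing connections",
    "Incoming connections only",
    "Outgoing connections only",
}
# Assumption: ports we treat as remote-access or file-sharing channels.
REMOTE_ACCESS_PORTS = {22: "SSH", 135: "RPC", 445: "SMB", 3389: "RDP",
                       5985: "WinRM", 5986: "WinRM over TLS"}
_LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(_LABEL + r"(\." + _LABEL + r")*", re.IGNORECASE)


def _check_port(value):
    if not (value.isascii() and value.isdigit()) or not 1 <= int(value) <= 65535:
        return [("error", f"{value!r} is not a port in 1-65535")]
    service = REMOTE_ACCESS_PORTS.get(int(value))
    if service:
        return [("warn", f"port {value} ({service}) is a common lateral-movement "
                         "channel; confirm it is needed during isolation")]
    return []


def _check_url(value):
    try:
        parts = urlsplit(value)
    except ValueError:
        return [("error", f"{value!r} cannot be parsed as a URL")]
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return [("error", f"{value!r} is not an absolute http(s) URL")]
    return []


def _check_host(value):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Digits and dots only, yet not a valid IP: most likely a mistyped address.
        if re.fullmatch(r"[0-9.]+", value):
            return [("error", f"{value!r} is not a valid IP address")]
        if len(value) <= 253 and _HOSTNAME_RE.fullmatch(value):
            return []
        return [("error", f"{value!r} is neither an IP address nor a valid host name")]
    if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
        return [("error", f"{value} does not identify a single remote host")]
    return []


_CHECKS = {"port": _check_port, "url": _check_url, "host": _check_host}


def review_exclusion(kind, value, direction):
    """Return a list of (level, message) findings; an empty list means no objection."""
    if kind not in _CHECKS:
        return [("error", f"unknown exclusion kind {kind!r}")]
    findings = list(_CHECKS[kind](value.strip()))
    if direction not in DIRECTIONS:
        findings.append(("error", f"unknown traffic direction {direction!r}"))
    elif direction == "Incoming and outgoing connections":
        findings.append(("warn", "both directions are opened; choose a single "
                                 "direction if that is enough for the task"))
    return findings


def review_plan(exclusions):
    """Review every proposed exclusion and give each a verdict: ok, review, or reject."""
    report = []
    for kind, value, direction in exclusions:
        findings = review_exclusion(kind, value, direction)
        levels = {level for level, _ in findings}
        verdict = "reject" if "error" in levels else "review" if "warn" in levels else "ok"
        report.append((kind, value, verdict, findings))
    return report


# Constructed sample request; host names and URLs are invented for illustration.
PROPOSED = [
    ("host", "fileserver01.corp.example", "Outgoing connections only"),
    ("port", "3389", "Incoming and outgoing connections"),
    ("port", "445", "Outgoing connections only"),
    ("url", "https://updates.example.com/agent", "Outgoing connections only"),
    ("host", "0.0.0.0", "Outgoing connections only"),
    ("port", "70000", "Incoming connections only"),
]

if __name__ == "__main__":
    for kind, value, verdict, findings in review_plan(PROPOSED):
        print(f"{verdict:7} {kind:5} {value}")
        for level, message in findings:
            print(f"        {level}: {message}")
```

For the file-upload scenario in the note above, the first entry (one named file server, outgoing only) passes cleanly, while the port 445 entry is held for review.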
Patch a workload
EDR automatically detects if a workload requires a patch, and enables you to patch the workload to
prevent vulnerability exploitations in future potential attacks. Note that this feature is available only
if the partner's workload has a subscription for Advanced Management.
To patch a workload
To restart a workload
1. In the cyber kill chain, click the workload node you want to set a restart schedule for.
2. In the displayed sidebar, click the Response Actions tab.
3. In the Remediate section, click Restart workload.
4. In the Restart timeout field, click the displayed link, and then select one of the following:
l Set timeout: In the Restart timeout dialog, set the restart period for the workload, and then
click Save.
l Restart immediately: Select to restart the workload immediately.
5. [Optional] Select the Fail if end-user is logged in check box to ensure the workload is not
restarted if the user is logged in.
6. In the Message to display field, add a message to display to users when they access the isolated
workload.
7. [Optional] In the Comment field, add a comment. This comment is visible in the Activities tab
(for a single node or the entire incident), and can help you (or your colleagues) recall why you
took the action when you revisit the incident.
8. Click Restart.
1. In the cyber kill chain, click the workload node you want to run a forensic backup on.
2. In the displayed sidebar, click the Response Actions tab.
3. In the Investigate section, click Forensic backup.
4. [Optional] In the Backup name field, click the edit icon to edit the backup name.
5. In the Forensic options field, click the displayed link. In the displayed Forensic options dialog,
select one of the following:
l Collect raw memory dump
l Collect kernel memory dump
You can also select the Snapshot of running processes check box to add information about the
processes running at the moment the backup starts. This information is stored in a backup
image.
Click Save to close the Forensic options dialog.
6. In the Where to back up field, click the displayed link to define a location for the backup.
7. [Optional] Click the Encryption option to enable encryption. In the displayed dialog, enter the
password for the encrypted backup and select the relevant encryption algorithm.
8. [Optional] In the Comment field, add a comment. This comment is visible in the Activities tab
(for a single node or the entire incident), and can help you (or your colleagues) recall why you
took the action when you revisit the incident.
1. In the cyber kill chain, click the workload node you want to remotely connect to.
2. In the displayed sidebar, click the Response Actions tab.
3. In the Investigate section, click Remote desktop connection.
1. In the cyber kill chain, click the workload node you want to recover.
2. In the displayed sidebar, click the Response Actions tab.
4. In the Recovery point field, click Select and then perform the following steps:
a. In the displayed sidebar, select the relevant recovery point.
b. Click Recover > Entire workload to recover all the files and folders on the workload.
Or
Click Recover > Files/folders to recover specific files and folders on the workload. You are
then prompted to select the relevant files or folders. Once selected, you can view the items
selected for recovery by clicking the relevant value in the Items to be recovered field.
Note
If the recovery point you select is encrypted, you will be prompted for the password.
5. [Optional] Select the Automatically restart the workload check box. This option is relevant
only if you selected Recover > Entire workload in Step 4.
6. [Optional] In the Comment field, add a comment. This comment is visible in the Activities tab
(for a single node or the entire incident), and can help you (or your colleagues) recall why you
took the action when you revisit the incident.
7. Click Start recovery.
The process to recover the workload starts. The progress for this action can be viewed in the
Activities tabs of both the individual node and the entire incident. For more information, see
"Understand the actions taken to mitigate an incident" (p. 798).
1. In the cyber kill chain, click the workload node you want to recover.
2. In the displayed sidebar, click the Response Actions tab.
Note
If you have an Advanced Disaster Recovery subscription, you can select the relevant recovery
server (the offline VM) created in Disaster Recovery. If you do not have a subscription, you will be
prompted to configure Disaster Recovery.
5. [Optional] In the Comment field, add a comment. This comment is visible in the Activities tab
(for a single node or the entire incident), and can help you (or your colleagues) recall why you
took the action when you revisit the incident.
6. Click Failover.
The workload is switched to the recovery server. This action can be viewed in the Activities tabs
of both the individual node and the entire incident. For more information, see "Understand the
actions taken to mitigate an incident" (p. 798).
1. In the cyber kill chain, click the process node you want to remediate.
Note
Windows critical processes or non-running processes cannot be stopped and are disabled in the
cyber kill chain.
Note
The related application is closed and any unsaved data will be lost.
This action can also be viewed in the Activities tabs of both the individual node and the entire
incident. For more information, see "Understand the actions taken to mitigate an incident" (p.
798).
1. In the cyber kill chain, click the process node you want to quarantine.
Note
Windows critical processes cannot be quarantined and are disabled in the cyber kill chain.
4. [Optional] Add a comment. This comment is visible in the Activities tab (for a single node or the
entire incident), and can help you (or your colleagues) recall why you took the action when you
revisit the incident.
5. Click Quarantine. The process is stopped and then quarantined.
Note
The process is added to and managed in the quarantine section available under antimalware
protection.
This action can also be viewed in the Activities tabs of both the individual node and the entire
incident. For more information, see "Understand the actions taken to mitigate an incident" (p.
798).
To roll back changes
1. In the cyber kill chain, click the process node you want to roll back changes for.
Note
This action is available for detection nodes (shown as red or yellow nodes) only.
Note
The rollback process recovers from items in the local cache only. Rollback from backup archives
will be available in future releases.
4. To view the items affected by the rollback changes, click the Affected items link. The displayed
dialog shows all items (files, registry, scheduled tasks) that the rollback will revert and with what
action (Delete, Recover, or None). In addition, you can see whether the restored items will be
recovered from the local cache or backup recovery points.
1. In the cyber kill chain, click the file node you want to remediate.
2. In the displayed sidebar, click the Response Actions tab.
3. In the Remediate section, click Delete.
4. [Optional] Add a comment. This comment is visible in the Activities tab (for a single node or the
entire incident), and can help you (or your colleagues) recall why you took the action when you
revisit the incident.
1. In the cyber kill chain, click the file node you want to remediate.
2. In the displayed sidebar, go to Response Actions.
3. In the Remediate section, click Quarantine.
4. [Optional] Add a comment. This comment is visible in the Activities tab (for a single node or the
entire incident), and can help you (or your colleagues) recall why you took the action when you
revisit the incident.
5. Click Quarantine.
The file is quarantined. This action can also be viewed in the Activities tabs of both the
individual node and the entire incident. For more information, see "Understand the actions
taken to mitigate an incident" (p. 798).
1. In the cyber kill chain, click the node you want to remediate.
2. In the displayed sidebar, click the Response Actions tab.
3. In the Remediate section, click Delete.
You can add a node to an allowlist if you consider the node safe and want to prevent any future
detections for it. Add a node to a blocklist to stop the node from running in the future.
This option is available for the following cyber kill chain nodes:
l Process
l File
l Network
1. In the cyber kill chain, click the process, file, or domain node you want to remediate.
2. In the displayed sidebar, click the Response Actions tab.
3. In the Prevent section, click the arrow icon next to Add to blocklist.
4. Select the relevant protection plan(s) you want to apply this action to.
5. [Optional] Add a comment. This comment is visible in the Activities tab (for a single node or the
entire incident), and can help you (or your colleagues) recall why you took the action when you
revisit the incident.
1. In the cyber kill chain, click the process, file, or domain node you want to remediate.
2. In the displayed sidebar, click the Response Actions tab.
3. In the Prevent section, click the arrow icon next to Add to allowlist.
4. Select the relevant protection plan(s) you want to apply this action to.
5. [Optional] Add a comment. This comment is visible in the Activities tab (for a single node or the
entire incident), and can help you (or your colleagues) recall why you took the action when you
revisit the incident.
6. Click Add.
The action is implemented and the process, file, or domain will be excluded from detection in
the future. This action can also be viewed in the Activities tabs of both the individual node and
the entire incident. For more information, see "Understand the actions taken to mitigate an
incident" (p. 798).
Vulnerability assessment scanning is supported for machines with the following operating systems:
l Windows. For more information, see "Supported Microsoft and third-party products" (p. 828).
l macOS. For more information, see "Supported Apple and third-party products" (p. 830).
l Linux (CentOS 7/Virtuozzo/Acronis Cyber Infrastructure) machines. For more information, see
"Supported Linux products" (p. 831).
Use the Patch management (PM) functionality to manage patches (updates) for applications and
operating systems installed on your machines, and keep your systems up-to-date. In the patch
management module you can automatically or manually approve update installations on your
machines.
Patch management is supported for machines with the Windows operating systems. For more
information, see "Supported Microsoft and third-party products" (p. 828).
Vulnerability assessment
The vulnerability assessment process consists of the following steps:
1. You create a protection plan with the enabled vulnerability assessment module, specify the
Vulnerability assessment settings, and assign the plan to machines.
2. The system, by schedule or on demand, sends a command to run the vulnerability assessment
scanning to the protection agents installed on machines.
3. The agents get the command, start scanning machines for vulnerabilities, and generate the
scanning activity.
4. After the vulnerability assessment scanning is completed, the agents generate the results and
send them to the monitoring service.
5. The monitoring service processes the data from the agents and shows the results in the
vulnerability assessment widgets and list of found vulnerabilities.
6. When you get a list of found vulnerabilities, you can process it and decide which of the found
vulnerabilities must be fixed.
You can monitor the results of the vulnerability assessment scanning in Monitoring > Overview >
Vulnerabilities / Existing vulnerabilities widgets.
Windows Server OS
l Internet Explorer
l Microsoft Edge
l Windows Media Player
l .NET Framework
l Visual Studio and Applications
l Components of operating system
Server applications
l Microsoft Teams
l Zoom
l Skype
l Slack
l Webex
l NordVPN
l TeamViewer
For more information about the supported third-party products for Windows OS, refer to List of
third-party products supported by Patch Management (62853).
l Virtuozzo 7.x
l CentOS 7.x
l CentOS 8.x
You can specify the following settings in the Vulnerability assessment module.
What to scan
Define which software products you want to scan for vulnerabilities:
l Windows machines:
o Microsoft products
o Windows third-party products (for more information about the supported third-party
products for Windows OS, refer to List of third-party products supported by Patch
Management (62853))
l macOS machines:
o Apple products
o macOS third-party products
l Linux machines:
o Scan Linux packages
Schedule
Define the schedule according to which to perform the vulnerability assessment scan on the
selected machines:
l Schedule by time – The task will run according to the specified time.
l When user logs in to the system – By default, a login of any user will start the task. You can
modify this setting so that only a specific user account can trigger the task.
Note
The task will not run at system shutdown. Shutting down and logging off are different events in
the scheduling configuration.
l On the system startup – The task will run when the operating system starts.
l On the system shutdown – The task will run when the operating system shuts down.
Schedule type:
l Monthly – Select the months and the weeks or days of the month when the task will run.
l Daily – Select the days of the week when the task will run.
l Hourly – Select the days of the week, repetition number, and the time interval in which the task
will run.
Start at – Select the exact time when the task will run.
Run within a date range – Set a range in which the configured schedule will be effective.
Start conditions – Define all conditions that must be met simultaneously for the task to run.
Start conditions for antimalware scans are similar to the start conditions for the Backup module that
are described in "Start conditions". You can define the following additional start conditions:
l Distribute task start time within a time window – This option allows you to set the time
frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or
minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the
task will start between 10:00 AM and 11:00 AM.
l If the machine is turned off, run missed tasks at the machine startup
l Prevent the sleep or hibernate mode during task running – This option is effective only for
machines running Windows.
l If start conditions are not met, run the task anyway after – Specify the period after which
the task will run, regardless of the other start conditions.
Note
Start conditions are not supported for Linux.
After a vulnerability assessment scan, you can see a list of found vulnerabilities. You can process the
information and decide which of the found vulnerabilities must be fixed.
To monitor the results of the vulnerability assessment, see the Monitoring > Overview >
Vulnerabilities / Existing vulnerabilities widgets.
1. In the Cyber Protect console, create a protection plan and enable the Vulnerability assessment
module.
2. Specify the vulnerability assessment settings:
l What to scan – select Scan Linux packages.
l Schedule – define the schedule for performing the vulnerability assessment.
For more information about the Schedule options, see "Vulnerability assessment settings" (p.
831).
3. Assign the plan to the Linux machines.
After a vulnerability assessment scan, you can see a list of found vulnerabilities. You can process the
information and decide which of the found vulnerabilities must be fixed.
To monitor the results of the vulnerability assessment, see the Monitoring > Overview >
Vulnerabilities / Existing vulnerabilities widgets.
1. In the Cyber Protect console, create a protection plan and enable the Vulnerability assessment
module.
2. Specify the vulnerability assessment settings:
l What to scan – select Apple products, macOS third-party products, or both.
l Schedule – define the schedule for performing the vulnerability assessment.
After a vulnerability assessment scan, you can see a list of found vulnerabilities. You can process the
information and decide which of the found vulnerabilities must be fixed.
To monitor the results of the vulnerability assessment, see the Monitoring > Overview >
Vulnerabilities / Existing vulnerabilities widgets.
Name Description
Severity The severity of the found vulnerability. The following levels can be assigned according to the
Common Vulnerability Scoring System (CVSS):
l Critical: 9 - 10 CVSS
l High: 7 - 9 CVSS
l Medium: 3 - 7 CVSS
l Low: 0 - 3 CVSS
l None
Published The date and time when the vulnerability was published in Common Vulnerabilities and
Exposures (CVE).
Detected The first date when an existing vulnerability was detected on machines.
You can find the description of a found vulnerability by clicking its name in the list.
Patch management
Note
The availability of this feature depends on the service quotas that are enabled for your account.
For more information about the supported third-party products for Windows OS, refer to List of
third-party products supported by Patch Management (62853).
Cyber Protection introduces peer-to-peer technology to minimize network bandwidth traffic. You
can choose one or more dedicated agents that will download updates from the Internet and
distribute them among other agents in the network. All agents will also share updates with each
other as peer-to-peer agents.
How it works
You can configure either automatic or manual patch approval. In the scheme below, you can see the
automatic and manual patch approval workflows.
1. First, you need to perform at least one vulnerability assessment scan by using the protection
plan with the Vulnerability assessment module enabled. After the scan is performed, the
system composes the lists of found vulnerabilities and available patches.
2. Then, you can configure automatic patch approval or use the manual patch approval approach.
3. Define how to install patches – according to a schedule or on-demand. There are three
alternative ways to install patches on-demand:
l Go to the list of patches (Software management > Patches) and install the necessary
patches.
l Go to the list of vulnerabilities (Software management > Vulnerabilities) and start the
remediation process which includes patch installation.
l Go to the list of devices (Devices > All devices), select the particular machines that you want
to update, and install the patches on them.
Note
The availability of this feature depends on the service quotas that are enabled for your account.
The following settings can be specified for the patch management module.
Microsoft products
To install the Microsoft updates on the selected machines, enable the Update Microsoft products
option.
l All updates
l Only Security and Critical updates
l Updates of specific products: you can define custom settings for different products. If you want
to update specific products, for each product you can define which updates to install by category,
severity, or approval status.
For Microsoft products, patch distribution uses the Windows API service. Patches and updates are
not downloaded or stored internally or on distribution agents. Instead, they are downloaded from
Microsoft CDN. Thus, even with the Updater role assigned, the agent cannot download and
distribute patches.
l Only last major updates allows you to install the latest available version of the update.
l Only last minor updates allows you to install the minor version of the update.
l Updates of specific products: you can define custom settings for different products. If you want
to update specific products, for each product you can define which updates to install by category,
severity, or approval status.
For Windows third-party products, patches are distributed directly to the managed workloads from
an internal Acronis database. In case the Updater role is assigned to an agent, this agent will be
used to download and distribute patches.
Schedule
Define the schedule according to which the updates will be installed on the selected machines.
l Schedule by time – The task will run according to the specified time.
l When user logs in to the system – By default, a login of any user will start the task. You can
modify this setting so that only a specific user account can trigger the task.
l When user logs off the system – By default, a logoff of any user will start the task. You can
modify this setting so that only a specific user account can trigger the task.
l On the system startup – The task will run when the operating system starts.
l On the system shutdown – The task will run when the operating system shuts down.
Schedule type:
l Monthly – Select the months and the weeks or days of the month when the task will run.
l Daily – Select the days of the week when the task will run.
l Hourly – Select the days of the week, repetition number, and the time interval in which the task
will run.
Start at – Select the exact time when the task will run.
Run within a date range – Set a range in which the configured schedule will be effective.
Start conditions – Define all conditions that must be met simultaneously for the task to run.
Start conditions for antimalware scans are similar to the start conditions for the Backup module that
are described in "Start conditions". You can define the following additional start conditions:
l Distribute task start time within a time window – This option allows you to set the time
frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or
minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the
task will start between 10:00 AM and 11:00 AM.
l If the machine is turned off, run missed tasks at the machine startup
l Prevent the sleep or hibernate mode during task running – This option is effective only for
machines running Windows.
l If start conditions are not met, run the task anyway after – Specify the period after which
the task will run, regardless of the other start conditions.
Note
Start conditions are not supported for Linux.
Reboot after update – define whether reboot is initiated after installing updates:
Pre-update backup
Run backup before installing software updates – the system will create an incremental backup
of the machine before installing any updates on it. If no backups were created earlier, a full
backup of the machine will be created. This lets you return to the previous state if the installation
of updates is unsuccessful. For the Pre-update backup option to work, the corresponding machines
must have both the patch management and the backup module enabled in a protection plan, and the
items to back up must be the entire machine or the boot+system volumes. If you select inappropriate
items to back up, the system will not allow you to enable the Pre-update backup option.
Name Description
l Critical
l High
l Medium
l Low
l None
l Critical update – broadly released fixes for specific problems addressing critical,
non-security related bugs.
l Security update – broadly released fixes for specific products addressing security
issues.
l Definition update – updates to virus or other definition files.
l Update rollup – cumulative set of hotfixes, security updates, critical updates, and
updates packaged together for easy deployment. A rollup generally targets a
Approval status The approval status is mainly needed for automatic approval scenario and to be able
to define in the protection plan which updates to install by status.
l Approved – the patch was installed on at least one machine and validated as OK
l Declined – the patch is not safe and may corrupt a machine system
l Not defined – the patch status is unclear and should be validated
Vulnerabilities The number of vulnerabilities. If you click on it, you will be redirected to the list of
vulnerabilities.
How it works
You should have two environments: test and production. The test environment is used for testing
the patch installation and ensuring that they do not break anything. After you tested patch
1. For each vendor whose products you are planning to update, you must read and accept the
license agreements. Otherwise, automatic patch installation will not be possible.
2. Configure the settings for automatic approval.
3. Prepare the protection plan (for example, "Test patching") with the enabled Patch management
module and apply it to the machines in the test environment. Specify the following condition of
patch installation: the patch approval status must be Not defined. This step is needed to
validate the patches and check if the machines work properly after patch installation.
4. Prepare the protection plan (for example, "Production patching") with the enabled Patch
management module and apply it to the machines in the production environment. Specify the
following condition of patch installation: the patch status must be Approved.
5. Run the Test patching plan and check the results. The approval status for those machines that
have no issues can be preserved as Not defined while the status for machines working
incorrectly must be set to Declined.
6. According to the number of days set in the Automatic approval option, those patches that were
Not defined will become Approved.
7. When the Production patching plan is launched, only those patches that are Approved will be
installed on the production machines.
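The staged approval flow in steps 3 to 7, modelled as an added Python example (not Acronis code or a product API; all class and function names are hypothetical). It assumes the automatic-approval period is counted from the day a patch first appears in the list, which the page does not specify, and shows that a patch that misbehaves in the test environment still reaches production unless it is set to Declined before that period ends.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Approval(Enum):
    NOT_DEFINED = "Not defined"
    APPROVED = "Approved"
    DECLINED = "Declined"


@dataclass
class Patch:
    name: str
    first_listed: date  # assumption: the automatic-approval clock starts here
    status: Approval = Approval.NOT_DEFINED


# Each plan installs only patches whose status matches its condition (steps 3 and 4).
TEST_PLAN_CONDITION = Approval.NOT_DEFINED
PRODUCTION_PLAN_CONDITION = Approval.APPROVED


def installable(patches, plan_condition):
    """Names of the patches a plan with this status condition would install."""
    return [p.name for p in patches if p.status is plan_condition]


def decline(patches, name):
    """Step 5: the operator marks a patch that broke test machines as Declined."""
    for p in patches:
        if p.name == name:
            p.status = Approval.DECLINED


def run_automatic_approval(patches, today, approval_days):
    """Step 6: Not defined patches that reached the approval period become Approved.

    Declined patches are never promoted. Returns the names promoted today.
    """
    promoted = []
    for p in patches:
        age = today - p.first_listed
        if p.status is Approval.NOT_DEFINED and age >= timedelta(days=approval_days):
            p.status = Approval.APPROVED
            promoted.append(p.name)
    return promoted


def simulate(decline_on_day, approval_days=7, horizon=10):
    """Walk two constructed patches through the workflow, one step per day.

    'bad-driver-update' breaks the test machines. decline_on_day is the day
    (counted from first listing) on which the operator declines it, or None
    if nobody reviews the test results. Within a day, the manual decision is
    applied before automatic approval runs (an assumption of this model).
    Returns every patch the production plan installed, in order.
    """
    start = date(2023, 8, 1)  # constructed sample date
    patches = [
        Patch("browser-security-fix", start),  # constructed sample patches
        Patch("bad-driver-update", start),
    ]
    installed_in_production = []
    for day in range(horizon):
        today = start + timedelta(days=day)
        if day == decline_on_day:
            decline(patches, "bad-driver-update")
        run_automatic_approval(patches, today, approval_days)
        # Step 7: the production plan installs only Approved patches.
        for name in installable(patches, PRODUCTION_PLAN_CONDITION):
            if name not in installed_in_production:
                installed_in_production.append(name)
    return installed_in_production


if __name__ == "__main__":
    print("declined on day 3:", simulate(3))
    print("never reviewed:   ", simulate(None))
    print("declined on day 8:", simulate(8))
```

The second and third runs are the cases to plan for: the review of the test environment has to finish, and any failing patch has to be declined, inside the automatic-approval period.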
Step 1. Read and accept the license agreements for the products that you
want to update
1. In the Cyber Protect console, go to Software management > Patches.
2. Select the patch, then read and accept the license agreement.
Important
For all the products to be updated, define Approval status as Not defined. When the time to
update comes, the agent will install only Not defined patches on the selected machines in the
test environment.
Important
For all the products to be updated, define Approval status as Approved. When the time to
update comes, the agent will install only Approved patches on the selected machines in the
production environment.
As a result, only the approved patches will be installed on the selected machines.
l Go to the list of patches (Software management > Patches) and install the necessary patches.
l Go to the list of vulnerabilities (Software management > Vulnerabilities) and start the
remediation process which includes patch installation as well.
l Go to the list of devices (Devices > All devices), select the particular machines that you want to
update, and install patches on them.
The Lifetime in list option defines how long the detected available patch will be kept in the list of
patches. The patch is removed from the list if it is successfully installed on all the machines where its
absence is detected or the defined lifetime expires.
Software inventory
The software inventory feature is available for devices on which the Advanced pack is enabled, or
which have the (Legacy) Cyber Protect license. The feature enables you to view all the software
applications that are installed on all Windows and macOS devices.
To obtain the software inventory data, you can run automatic or manual scans on the devices.
l browse and compare the information about all applications that are installed on the company
devices
l determine if an application needs to be updated
l determine if an unused application needs to be removed
l ensure that the software version on multiple company devices is the same
l monitor changes in the software status between consecutive scans.
The Software inventory scanning feature is enabled by default for all devices that have the required
license, but you can change the setting when necessary.
Note
Customer tenants can enable or disable the software inventory scanning. Unit tenants can only view
the software inventory scanning settings, but cannot change them.
Prerequisites
l The device uses a Windows or macOS operating system.
l The device has the required (Legacy) Cyber Protect license or has the Advanced Management
pack activated.
To run a software inventory scan from the Software tab in the Inventory screen
Prerequisites
l The devices use a Windows or macOS operating system.
l The devices have the required (Legacy) Cyber Protect license or have the Advanced Management
pack activated.
l Software inventory scan on the devices has finished successfully.
To view all software applications that are available on all Windows and macOS company devices
Last run For macOS devices only. Date and time when the application was last
active.
System type For Windows devices only. Bit type of the application.
l X86 for 32-bit applications.
l X64 for 64-bit applications.
3. To group the data by application, in the Group by: drop-down field, select Applications.
4. To narrow the information displayed on the screen, use one or a combination of the filters.
a. Click Filter.
b. Select one or a combination of several filters.
The following table describes the filters in the Software inventory screen.
Filter Description
Date installed Date when the application is installed. Use this filter if
you want to view all applications that are installed on a
specific date on specific devices or on all devices.
Scan date Date of the software inventory scan. Use this filter if you
want to view the information about the software on
specific devices or on all devices that are scanned on
that date.
c. Click Apply.
5. To browse through the whole software inventory list, use the pagination in the lower left part of
the screen.
Prerequisites
l The device uses a Windows or macOS operating system.
l The device has the required (Legacy) Cyber Protect license or has the Advanced Management
pack activated.
l Software inventory scan on the device has finished successfully.
To view the software inventory of a single device from the Software Inventory screen
Hardware inventory
The hardware inventory feature enables you to view all the hardware components that are available
on:
l physical Windows and macOS devices with a license that supports the Hardware inventory
feature.
l virtual Windows and macOS machines running on the following virtualization platforms: VMware,
Hyper-V, Citrix, Parallels, Oracle, Nutanix, Virtuozzo, and Virtuozzo Hybrid Infrastructure. For more
information about the supported versions of the virtualization platforms, see "Supported
virtualization platforms" (p. 29).
Note
The Hardware inventory feature for virtual machines is not supported in the Cyber Protect legacy
editions.
The hardware inventory feature is supported only for devices on which a protection agent is
installed.
To obtain the hardware inventory data, you can run automatic or manual scans on the devices.
The hardware inventory scanning feature is enabled by default, but you can change the setting
when necessary.
Note
Customer tenants can enable or disable the hardware inventory scanning. Unit tenants can only
view the hardware inventory scanning settings, but cannot change them.
Note
Hardware inventory scanning of virtual machines is supported only when the current date and time
of the virtual machine corresponds to the current date and time in UTC. To ensure that the virtual
machine uses the correct time settings, disable the Time synchronization option of the virtual
machine, set the current date, time, and time zone, and then restart Acronis Agent Core Service
and Acronis Managed Machine Service.
Prerequisites
l (For all devices) The device uses a Windows or macOS operating system.
l (For all devices) The devices have a license that supports the Hardware inventory feature. Note
that the Hardware inventory feature for virtual machines is not supported in the (Legacy) Cyber
Protect editions.
l (For all devices) A protection agent is installed on the device.
l (For virtual machines) The machine runs on one of the supported virtualization platforms. For
more information, see "Hardware inventory" (p. 850).
To view all hardware components that are available on the Windows and macOS company
devices
Note
The view is a set of columns which determines what data is visible on the screen. The predefined
views are Standard and Hardware. You can create and save custom views which include
different sets of columns, and are more convenient for your needs.
The following table describes the data that is visible in the Hardware view.
Column Description
Disk storage Used storage, and total storage of all the disks of
the device.
3. To add columns in the table, click the column options icon, and select the columns that you want
to be visible in the table.
4. To narrow the information displayed on the screen, use one or more filters.
a. Click Search.
b. Click the arrow, and then click Hardware.
c. Select one or a combination of several filters.
The following table describes the Hardware filters.
Filter Description
Processor model Multiple selection is possible. Use this filter if you want to view the
hardware data of the devices which have the specified processor model.
Processor cores Use this filter if you want to view the hardware data of the devices which
have the specified number of processor cores.
Disk total size Use this filter if you want to view the hardware data of the devices which
have the specified total storage size.
Memory capacity Use this filter if you want to view the hardware data of the devices which
have the specified RAM capacity.
d. Click Apply.
5. To sort the data in an ascending order, click a column name.
Prerequisites
l (For all devices) The device uses a Windows or macOS operating system.
l (For all devices) The devices have a license that supports the Hardware inventory feature. Note
that the Hardware inventory feature for virtual machines is not supported in the Cyber Protect
legacy editions.
l (For all devices) A protection agent is installed on the device.
l (For all devices) Hardware inventory scan on the device has finished successfully.
l (For virtual machines) The machine runs on one of the supported virtualization platforms. For
more information, see "Hardware inventory" (p. 850).
device.
You can use the remote desktop functionality to perform the following tasks.
• Connect to remote Windows, macOS, and Linux workloads by using NEAR in observe mode.
• Connect to remote Windows workloads by using RDP.
• Connect to remote macOS workloads by using Screen sharing in observe or curtain mode.
• Connect to managed workloads and remotely control them by using cloud remote connections.
• Connect to unmanaged workloads and remotely control them by using direct remote
connections.
• Connect to unmanaged remote workloads by using Acronis Quick Assist.
• Connect to remote workloads by using different authentication methods: with remote workload
credentials, by asking for permission to observe or control, or with an access code (for Quick
Assist).
• Observe multiple monitors at the same time in multi-view.
• Record remote sessions (when connected via NEAR).
• View the session history report.
For more information about the features that are part of the Standard and Advanced Management
packs, see "Supported remote desktop and assistance features" (p. 857).
You can use the remote assistance functionality to perform the following tasks.
• Connect to remote Windows, macOS, and Linux workloads by using NEAR in control mode.
• Connect to remote macOS workloads by using Screen sharing in control mode.
• Provide remote assistance to workloads by using cloud remote connections.
• Transfer files between the local and remote workloads.
• Perform basic management actions on the remote workload: restart, shut down, sleep, empty
recycle bin, and log out the remote user.
• Monitor the remote workload by periodically taking screenshots of its desktop.
For more information about the features that are part of the Standard protection and Advanced
Management, see "Supported remote desktop and assistance features" (p. 857).
For example, you can create a remote management plan that has only the RDP protocol enabled
and apply it to some workloads. In that way, you will be able to remotely connect to these
workloads without activating the Advanced Management license per workload, and without paying
any additional fees.
On the other hand, you can create another remote management plan that has the NEAR and Screen
sharing protocols enabled. In this case, the Advanced Management license per workload will be
activated, and you will be charged for each workload to which this remote management plan is
applied.
For more information about remote management plans and working with them, see "Remote
management plans" (p. 865).
Note
The remote desktop and assistance functionality requires:
• a one-time installation of Connect Client on the managing (host) workload. The system will
prompt you to download the client when you attempt to perform a remote action (remote
control or remote assistance) on a target workload for the first time. Alternatively, you can
download Connect Client from the Downloads window in the Protection console. For more
information about the settings that you can configure, see "Configuring the Connect Client
settings" (p. 891).
• installation of Connect Agent on the managed workloads. The Connect Agent is a module that is
part of the Protection agent, starting from version 15.0.31266.
• for macOS remote workloads, the required system permissions should be granted to the
Connect Agent. For more information, see "Installing protection agents in macOS" (p. 76).
• running the Acronis Quick Assist application on the unmanaged workloads. You can download
Acronis Quick Assist from the website.
For more information about the platforms supported by each remote desktop and assistance
component, see "Supported platforms" (p. 860).
Remote connections from Windows/macOS/Linux to macOS | No | No | No | Yes
Session management
Supported platforms
The following table lists the operating systems supported by each component of the remote
desktop and assistance functionality.
NEAR
NEAR is a highly secure protocol developed by Acronis that has the following characteristics.
• H.264
NEAR implements three quality modes: Smooth, Balanced and Sharp. In Smooth mode, NEAR
uses hardware H.264 encoding on macOS and Windows to encode the desktop picture, and
falls back to a software encoder if a hardware encoder is not available. The picture size is currently
limited to Full HD resolution (1920x1080).
• Adaptive codec
In Balanced and Sharp quality modes, NEAR uses Adaptive codec, which provides full picture
quality in 32 bit, compared to the 'video' mode used by H.264.
In Balanced mode, the picture quality is automatically adjusted according to your current
network conditions and retains the current framerate.
In Sharp mode, the picture is full quality, but the framerate might be reduced if your
network, processor, or video card is overloaded.
Adaptive codec uses OpenCL on Windows and macOS when it is available in their graphics
drivers.
• Sound transfer
NEAR can capture the sound of the remote computer and transfer it to the host. For more
information about enabling remote sound redirection on Windows, macOS, and Linux, see
"Remote sound redirection" (p. 862).
• Different login options
You can use the following methods to log in to the remote workload.
• Security
Your data is always two-way encrypted with AES encryption in NEAR.
RDP
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that enables
connecting to the remote Windows computer over a network connection.
Screen sharing
Screen sharing is a VNC client by Apple included as part of macOS version 10.5 and later.
Note
For macOS 10.15 Catalina, the Microphone permission must be granted to the Connect Agent. For
more information about granting the Microphone permission to the Connect Agent, see "Granting
the required system permissions to the Connect Agent" (p. 78).
The agent works with the following sound capture drivers: Soundflower or Blackhole.
Note
Connect Client currently supports only the 2-channel version of Blackhole.
Alternatively, if Homebrew is installed on the workload, you can install Blackhole by running the
following command:
Note
While the sound of a remote macOS workload is redirected, the user who is logged in to the remote
workload will not hear the sound.
Direct connections are established via TCP/IP in the local area network (LAN) between Connect
Client and the remote workload that does not have an agent installed. They do not require Internet
access.
Cloud connections are established between Connect Client and the agent or Quick Assist on the
workload via Acronis Cloud.
The following table provides more info about the cloud connection options.
Curtain
The following table provides more info about the direct connection options.
via RDP from Connect Client to RDP server Remote desktop unmanaged
workloads
If no remote management plan is applied on a workload, the remote desktop and assistance
functionality will be limited to remote actions (restart, shut down, sleep, empty recycle bin, and log
out remote user).
Note
The availability of the settings that you can configure in the remote management plan depends on
the service pack that is applied on the tenant. To access all settings, activate the Advanced
Management pack. For more information about the features that are part of the Standard and
Advanced Management packs, see "Supported remote desktop and assistance features" (p. 857).
Note
The availability of the remote management plan's settings depends on the service quota that is
assigned to the tenant. If you are using the standard functionality, you can only configure
connections via RDP.
Prerequisites
2FA is enabled for your user account.
Lock the workload when the user disconnects from the console session | If you select this setting, the remote workload will be locked when you disconnect from the console session. | Windows, macOS
Allow only one user at a time to connect using NEAR or to transfer files | If you select this setting, connections using NEAR and file transfers will not be possible while there is an active remote connection to the workload. | Windows, macOS, Linux
Allow the workload's administrator to connect to any non-admin user session | If you select this setting, the administrator will be allowed to connect to any standard user session on the workload. If both Allow the workload's administrator to connect to any non-admin user session and Allow system session creation are clear, you will only be able to connect to active administrator sessions on the remote macOS workloads. | Windows, macOS
Allow clipboard synchronization | If you select this setting, you will be able to transfer data between your clipboard and the clipboard of the remote workload. For example, you will be able to copy some text from a file on the remote workload and paste it in a file on your workload, and the opposite. | Windows, macOS, Linux
Setting | Description
Show if the workload is controlled remotely | If you select this setting, a notification will be displayed on the desktop of the remote workload when there is an active remote desktop connection to the workload.
Ask for the user's permission to take screenshots of the workload | If you select this setting, the user of the remote workload will be notified when the administrator requests screenshot transmission from the workload.
7. Click Workload management, select the features that you want to be available on the remote
workloads, and then click Done.
8. Click Display settings, select or clear the check boxes to enable or disable the corresponding
setting, and then click Done.
Note
The Display settings are only available for connections via NEAR.
9. If you want the information about the users who last logged in to the workloads to be visible in
the workload's details, click Toolbox, select Show last logged-in users, and then click Done.
For more information about the last logged-in users, see "Find the last logged in user" (p. 352).
10. [Optional] To add workloads to the plan:
Lock the workload when the user disconnects from the console session | If you select this setting, the remote workload will be locked when you disconnect from the console session. | Windows, macOS
Allow only one user at a time to connect using NEAR or to transfer files | If you select this setting, connections using NEAR and file transfers will not be possible while there is an active remote connection to the workload. | Windows, macOS, Linux
Allow the workload's administrator to connect to any non-admin user session | If you select this setting, the administrator will be allowed to connect to any standard user session on the workload. If both Allow the workload's administrator to connect to any non-admin user session and Allow system session creation are clear, you will only be able to connect to active administrator sessions | Windows, macOS
Allow clipboard synchronization | If you select this setting, you will be able to transfer data between your clipboard and the clipboard of the remote workload. For example, you will be able to copy some text from a file on the remote workload and paste it in a file on your workload, and the opposite. | Windows, macOS, Linux
8. Click Security settings, select or clear the check boxes to enable or disable the corresponding
setting, and then click Done.
Setting | Description
Show if the workload is controlled remotely | If you select this setting, a notification will be displayed on the desktop of the remote workload when there is an active remote desktop connection to the workload.
Ask for the user's permission to take screenshots of the workload | If you select this setting, the user of the remote workload will be notified when the administrator requests screenshot transmission from the workload.
9. Click Workload management, select the features that you want to be available on the remote
workloads, and then click Done.
10. Click Display settings, select or clear the check boxes to enable or disable the corresponding
setting, and then click Done.
Note
The Display settings are only available for connections via NEAR.
11. If you want the information about the users who last logged in to the workloads to be visible in
the workload's details, click Toolbox, select Show last logged-in users, and then click Done.
For more information about the last logged-in users, see "Find the last logged in user" (p. 352).
12. Click Create.
Prerequisites
2FA is enabled for your user account.
View details
Prerequisites
2FA is enabled for your user account.
1. In the Remote management plans screen, click the More actions icon of the remote
management plan.
2. Click View details.
Edit
Prerequisites
2FA is enabled for your user account.
1. In the Remote management plans screen, click the More actions icon of the remote
management plan.
2. Click Edit.
Activities
1. In the Remote management plans screen, click the More actions icon of the remote
management plan.
2. Click Activities.
3. Click an activity to view more details about it.
Alerts
1. In the Remote management plans screen, click the More actions icon of the remote
management plan.
2. Click Alerts.
Rename
Prerequisites
2FA is enabled for your user account.
1. In the Remote management plans screen, click the More actions icon of the remote
management plan.
2. Click Rename.
3. Enter the new name of the plan, and then click Proceed.
Enable
Prerequisites
2FA is enabled for your user account.
1. In the Remote management plans screen, click the More actions icon of the remote
management plan.
2. Click Enable.
Disable
Prerequisites
2FA is enabled for your user account.
1. In the Remote management plans screen, click the More actions icon of the remote
management plan.
2. Click Disable.
Delete
Prerequisites
2FA is enabled for your user account.
1. In the Remote management plans screen, click the More actions icon of the remote
management plan.
2. Click Delete.
3. Select I confirm, and then click Delete.
• Conflicting plans - this issue appears when another remote management plan is already applied
on the workload, as only one remote management plan can be applied on a workload.
• Incompatible operating system - this issue appears when the workload's operating system is not
supported.
• Unsupported agent - this issue appears when the version of the protection agent on the
workload is outdated and does not support the remote desktop functionality.
• Insufficient quota - this issue appears when there is not enough service quota in the tenant to
assign to the selected workloads.
If the remote management plan is applied to up to 150 individually selected workloads, you will be
prompted to resolve the existing conflicts before saving the plan. To resolve a conflict, remove the
root cause for it or remove the affected workloads from the plan. For more information, see
"Resolving compatibility issues with remote management plans" (p. 875). If you save the plan
without resolving the conflicts, it will be automatically disabled for the incompatible workloads, and
alerts will be shown.
If the remote management plan is applied to more than 150 workloads or to device groups, first it
will be saved, and then checked for compatibility. The plan will be automatically disabled for the
incompatible workloads, and alerts will be shown.
Note
This option is available only for customer administrators.
7. [To resolve compatibility issues with insufficient quota by removing workloads from the plan]
a. On the Insufficient quota tab, select the workloads that you want to remove.
b. Click Remove workloads from plan.
c. Click Remove, and then click Close.
8. [To resolve compatibility issues with insufficient quota by increasing the quota of the tenant]
Note
This option is available only for partner administrators.
Note
The credentials that are stored in the credentials store are not shared between different tenant
levels. They are shared only on the same tenant level for the same customer tenant or partner
tenant.
This means that if a customer tenant has several administrators, they will see and share the
credentials in the credentials store, while any other partner administrators, or customer
administrators of other tenants will not be able to view or use these credentials.
Adding credentials
You can add credentials and then use them for remote connections to multiple workloads.
Field | Description
Credentials name | Identifier of the credentials that will be visible in the credentials store.
Username | Username that will be used for remote connections to the target workload.
Password | Password that will be used for remote connections to the target workload.
7. Click Save.
Deleting credentials
You can delete credentials that are not needed anymore.
You can perform the following actions on the remote managed workloads:
• connect for remote assistance or remote desktop by using NEAR in control or observe mode
• connect for remote desktop by using RDP in control mode
• connect for remote assistance or remote desktop by using Screen sharing in control, observe, or
curtain mode
• connect for remote desktop via a web client
• restart, shut down, sleep, empty recycle bin, log out remote user from the remote workloads
• transfer files between your workload and the remote workloads
• monitor them by taking screenshots
Setting | Description
Audio playback | This setting enables or disables the redirection of the remote workload sound on your local workload.
Redirect printers | If you select this setting, the printers from your workload will be available on the remote workload.
Redirect files | This setting defines whether files from your local workload will be shared with the remote workload.
Color depth | This setting determines the number of colors in the picture that RDP will transfer. A higher value requires higher bandwidth.
High color: 16 bit
True color:
• 24 bit for RDP connections via the web client
• 32 bit for RDP connections via Connect Client
Note
The availability of the connection protocols that you can use for remote connections depends on
the remote management plan configuration and on the remote workload's operating system.
4. Depending on whether or not Connect Client is installed on your workload, do one of the
following:
• If Connect Client is not installed, download it, install it, and then in the confirmation pop-up
that appears, select Allow.
Note
If you have assigned credentials to the workload, authentication will be done automatically and
this step will be skipped. For more information, see "Assigning credentials to a workload" (p.
878).
Authentication option | Description
With remote workload credentials | You will be allowed to establish the remote connection after you provide username and password of an administrator user of the remote workload. This option is available for NEAR, RDP, and Screen sharing. You can use this option to authenticate for remote desktop and remote assistance.
Ask for permission to observe | You will be allowed to establish the remote connection in observe mode after the user who is logged in on the remote workload allows it. This option is available for NEAR and Screen sharing. You can use this option to authenticate for remote assistance.
Ask for permission to control | You will be allowed to establish the remote connection in control mode after the user who is logged in on the remote workload allows it. This option is available for NEAR and Screen sharing. You can use this option to authenticate for remote assistance.
6. Click Connect, and then click the session to display (if more than one user session is available on
the workload).
Connect Client will open a new viewer window on which you will be able to see the remote
workload's desktop. The viewer has a toolbar with additional actions that you can perform on
the remote workload after the remote connection is established. For more information, see
"Using the toolbar in the Viewer window" (p. 889).
Prerequisites:
• Standard service quota is assigned to the workload.
• A remote management plan that has RDP enabled is applied to the managed workload.
• RDP is enabled on the managed workload.
Note
If you have assigned credentials to the workload, authentication will be done automatically and
this step will be skipped. For more information, see "Assigning credentials to a workload" (p.
878).
Transferring files
You can easily transfer files between the local workload and a managed workload.
Prerequisites
• A remote management plan that has the NEAR protocol and File transfer enabled is applied on
the workload.
• Advanced Management quota is applied on the workload.
• 2FA is enabled for your user account in Acronis Cyber Protect Cloud.
Authentication option | Description
With remote workload credentials | You will be allowed to establish the remote connection after you provide username and password of an administrator user of the remote workload.
Ask for permission to transfer files | You will be allowed to transfer files after the user who is logged in on the remote workload allows it.
6. In the File transfer window, browse files and drag and drop them to the desired destination.
Note
The files of the local workload are listed in the left pane, and the files of the remote workload are
listed in the right pane.
When a file transfer begins, it is listed in the Tasks pane.
7. [Optional] If you want to remove the completed tasks from the Tasks pane, click Clear finished.
8. When all transfers complete, close the window.
Prerequisites
• Standard service quota is applied to the workload.
• 2FA is enabled for your user account in Acronis Cyber Protect Cloud.
Sleep
Restart
Shut down
Prerequisites
• A remote management plan with the Screenshot transmission feature enabled is applied on the
workload.
• The Protection agent version is up to date and supports the Screenshot transmission feature.
• Advanced Management service quota is applied on the workload.
Note
The number of desktops that you can see simultaneously in the window depends on the size of
your monitor.
Prerequisites
• NEAR / Apple Screen Sharing is enabled in the remote management plans that are applied to the
workloads.
• Advanced Management service quota is applied on the workload.
• 2FA is enabled for your user account in Acronis Cyber Protect Cloud.
Authentication option | Description
With remote workload credentials | You will be allowed to establish the remote connection after you provide username and password of an administrator user on the remote workload.
Ask for permission to observe | You will be allowed to establish the remote connection in observe mode after the user who is logged in on the remote workload allows it.
6. If you want to use the same authentication method and credentials when connecting to all the
remote workloads that you selected in step 2, select Use on other computers.
7. Click Connect.
In the toolbar of the multi-view window, you can select a view mode in which to connect to a
workload. This action will open a separate Viewer window for that workload.
Note
If any of the selected workloads is offline, or has an outdated version of the agent installed, it will
not be shown in the multi-view window.
All multi-view connections to remote workloads are in Observe view mode.
You can perform the following actions on the unmanaged remote workloads:
Note
To remotely connect to unmanaged workloads by using Quick Assist, ensure that:
Prerequisites
• The Advanced Management pack is assigned to your customer tenant.
• 2FA is enabled for your user account in Acronis Cyber Protect Cloud.
• The remote user has provided the workload ID and access code from Quick Assist.
• The remote user has downloaded and run Acronis Quick Assist.
Prerequisites
• The Advanced Management pack is assigned to your customer tenant.
• 2FA is enabled for your user account in Acronis Cyber Protect Cloud.
To connect to a workload for remote desktop or remote assistance by using its IP address
Note
Connections via RDP support the remote desktop action, and connections via Screen sharing
support both the remote desktop and remote assistance actions.
6. Click Connect.
7. In the Authentication window, provide the required credentials.
For Screen sharing connections, Connect Client will open a new viewer window on which you will be
able to see the remote workload's desktop. The viewer has a toolbar with additional actions that you
can perform on the remote workload after the remote connection is established. For more
information, see "Using the toolbar in the Viewer window" (p. 889).
Prerequisites
• The Advanced Management pack is assigned to your customer tenant.
• 2FA is enabled for your user account in Acronis Cyber Protect Cloud.
• The remote user has downloaded and run Acronis Quick Assist.
• The remote user has provided the computer ID and access code from Quick Assist.
8. [Optional] If you want to remove the completed tasks from the Tasks pane, click Clear finished.
9. When all transfers complete, close the window.
Icon | Description
Actual size | Scales the remote workload's desktop so that one pixel of the remote desktop corresponds to one pixel on the viewer window.
Zoom to fit
Take screenshot
Select display | Select the remote workload display that you want to view and the desired resolution.
Image quality | Adjusts the remote screen image quality from black and white to the highest possible on Screen Sharing connections.
Send Ctrl+Alt+Del
File Transfer
Pin toolbar
Full screen | Switches to the full screen mode and scales the remote workload to completely fill your local screen.
Close | Closes the Viewer window and ends the remote control session.
Depending on connection type, additional options might be available when you click the Other icon.
Option | Description
Clipboard auto sync | When this option is on, the client will automatically synchronize your local clipboard and the clipboard of the remote computer.
Send clipboard | Send Clipboard replaces the remote computer clipboard contents with the contents of the local clipboard.
Get clipboard | Get Clipboard transfers the contents of the remote computer clipboard to the local clipboard.
Smart keyboard / Raw keys / Raw keys with all shortcuts | Changes the keyboard input mode for the current connection.
Smart keyboard - the client transmits Unicode codes of the locally typed symbols to the remote computer.
Raw keys - the client uses the raw codes of the keyboard buttons you press.
Raw keys with all shortcuts - the client disables local system shortcuts so that they are also transmitted to the remote operating system.
Keyboard focus on mouse hover | When enabled, the client only captures the keyboard input while your local mouse cursor is placed over the Viewer window.
Show connection info / Hide connection info | When Show connection info is selected, a small information panel will appear over the remote desktop screen, showing the most essential information about current connection.
Remote sound | Enables the client to redirect the sound from the remote computer to the local one.
Preferences | Configure the settings of Connect Client. For more information, see "Configuring the Connect Client settings" (p. 891).
Option | Description
Write verbose logs | Select this option to allow Connect Client to write verbose logs. If disabled, the client will only write general information to the log file.
Proxy settings | Select whether to use the default System proxy, or configure a Custom SOCKS5 proxy.
Option | Description
Ask for confirmation when closing a viewer | Select this option if you want Connect Client to display a confirmation message when you attempt closing the Viewer window in order to prevent accidental closing.
When minimized | Select whether to suspend the Viewer activity when minimized, in order to reduce the CPU load.
When maximized | Select whether to enable the full screen mode when maximized.
Clipboard transfer | Enable showing the Clipboard transfer indicator in the Viewer window whenever you copy or paste text and images.
Keyboard Mode | Enable showing the Input mode indicator in the Viewer window title whenever mouse and keyboard events are being sent to the remote machine.
Send keyboard events | Choose whether to grab your local keyboard input whenever the Connect Client window is active or only when your local mouse pointer is over it.
Close when idle | Select the time interval of being idle after which to close the Viewer window.
Option | Description
Modifier mappings | Change the behavior of modifier keys with a pop-up menu. These settings are stored separately for NEAR, Screen sharing, and RDP connections.
Input mode | For each type of connection (selected in the header of the pane), select the default keyboard input mode.
5. Click OK.
• when you try to connect to the workload remotely by asking for permission to observe. The user
who is logged in to the remote workload locally can allow or deny the request.
• when you try to exchange files between your workload and the remote workload by asking for
permission to transfer files. The user who is logged in to the remote workload locally can allow or
deny the request.
When you establish a remote desktop connection to a workload, the user who is logged in to the
workload will view a different connection notifier that contains the following information:
The user who is logged in to the remote workload locally can end the connection at any time by
clicking the Disconnect icon or the Close icon.
Note
The monitoring functionality requires an installation of Protection agent version 15.0.35324 or later
on the workloads.
Monitoring plans
To start monitoring the performance, hardware, software, system, and security parameters of your
managed workloads, apply a monitoring plan to them. The monitoring plans consist of different
monitors that you can enable and configure. Some monitors support the anomaly-based
monitoring type. For more information about monitoring plans, see "Monitoring plans" (p. 924). For
more information about the available monitors that you can configure in the monitoring plans, see
"Configurable monitors" (p. 895).
If the agent cannot collect data from a workload for some reason, the system will generate an alert.
Monitoring types
You must configure the monitoring type for each monitor that you enable in the plan. The
monitoring type determines the algorithm that the monitor will use to estimate the normal behavior
and deviation of the workload. There are two monitoring types: threshold-based and anomaly-
based. Some monitors support only the threshold-based monitoring type.
Threshold-based monitoring tracks if the values of the parameters are above or below a threshold
value that you configure. With this monitoring type, you are responsible for defining the correct
threshold values for the workloads. The system determines the normal behavior based on these
static threshold values and without considering other specific conditions that might cause the
behavior. For this reason, threshold-based monitoring might be less accurate as compared to
anomaly-based monitoring.
Anomaly-based monitoring uses machine learning to create the normal behavior patterns for a
workload and to detect abnormal behavior. For more information, see "Anomaly-based monitoring"
(p. 894).
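The following sketch is an added illustration, not Acronis code. It shows how a static threshold combined with a time period behaves on a disk free space metric: a short dip does not raise an alert, a sustained one does. The operator names, the sample data, and the rule that the value must stay out of the norm for the whole period are assumptions; the value ranges and defaults (threshold 1-100 %, default 20; time period 1-60 min, default 30) are the ones this guide gives for the disk free space monitor.

```python
"""Threshold-based monitor with a sustained time period (illustrative sketch)."""
import operator
from dataclasses import dataclass

# Hypothetical operator names: the guide does not list the product's operator values.
OPERATORS = {
    "less_than": operator.lt,
    "less_or_equal": operator.le,
    "greater_than": operator.gt,
    "greater_or_equal": operator.ge,
}


@dataclass(frozen=True)
class ThresholdMonitor:
    op: str = "less_than"     # assumption: alert when free space drops below the threshold
    threshold_pct: int = 20   # guide: integer in the range 1-100 (%), default 20
    period_min: int = 30      # guide: integer in the range 1-60 (min), default 30

    def __post_init__(self):
        if self.op not in OPERATORS:
            raise ValueError(f"unknown operator: {self.op}")
        for name, value, high in (("threshold_pct", self.threshold_pct, 100),
                                  ("period_min", self.period_min, 60)):
            if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= high:
                raise ValueError(f"{name} must be an integer in the range 1-{high}")

    def out_of_norm(self, value):
        """True when the sample violates the static threshold."""
        return OPERATORS[self.op](value, self.threshold_pct)


def evaluate(monitor, samples):
    """Return the minutes at which an alert is raised.

    samples: (minute, value) pairs sorted by time. An alert is raised once per
    breach, at the first sample where the value has been out of the norm for at
    least monitor.period_min minutes without interruption.
    """
    alerts = []
    breach_start = None   # minute at which the current breach began
    alerted = False       # an alert was already raised for the current breach
    for minute, value in samples:
        if monitor.out_of_norm(value):
            if breach_start is None:
                breach_start = minute
            if not alerted and minute - breach_start >= monitor.period_min:
                alerts.append(minute)
                alerted = True
        else:
            # The metric returned to the norm: the breach and its timer reset.
            breach_start = None
            alerted = False
    return alerts


# Constructed sample data: disk free space (%) reported every 5 minutes.
SAMPLES = [
    (0, 35), (5, 15), (10, 15),             # short dip below 20 %
    (15, 25),                               # recovery
    (20, 18), (25, 18), (30, 17), (35, 17),
    (40, 16), (45, 16), (50, 15), (55, 15), (60, 14),  # sustained breach
]

if __name__ == "__main__":
    print("default monitor alerts at minutes:", evaluate(ThresholdMonitor(), SAMPLES))
    print("5-minute period alerts at minutes:",
          evaluate(ThresholdMonitor(period_min=5), SAMPLES))
```

With the default 30-minute period only the sustained breach raises an alert; with a 5-minute period the short dip raises one as well, which is the trade-off to weigh when choosing static values for a workload.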
Anomaly-based monitoring
Anomaly-based monitoring uses machine learning models to create the normal behavior patterns
for a workload and to detect anomalies (unexpected spikes in the time-series data) in the workload's
You can reset the machine learning models of a workload. In this case, the system will delete all data
and models for the monitors that are applied to the workload. For more information, see "Resetting
the machine learning models" (p. 933).
Configurable monitors
The monitoring functionality supports the following monitors, divided into six categories: Hardware,
Performance, Software, System, Security, and Custom.
Hardware
Performance
Software
selected macOS
process
(Running or
Stopped).
System
Security
Custom
Setting: Description
Threshold-based monitoring
Operator: The operator is a conditional function that defines how to measure the performance on
the metric.
Disk free space threshold: The threshold value and the Operator value determine the normal
performance of the monitored metric. When the value of the monitored metric is out of the norm,
the system generates an alert.
Enter an integer value in the range 1-100 (%). The default value is 20.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 30.
Anomaly-based monitoring
Model training period: The period during which the system will train the machine learning models
based on the data that is collected from the agents, and will then create the normal behavior
pattern of the workload. The longer the model training period, the more precise the long-term
behavior pattern that the system will
Receive anomaly alerts during the training period: If you select this setting, you will receive
alerts about anomalies during the model training period. These alerts might be false, because the
models are still being trained and might not be accurate enough.
By default, the setting is selected.
Sensitivity level: The sensitivity level acts as a preliminary filter for anomalies if their
values are within a specific range. This filter operates independently from the anomaly detection
algorithm. Its purpose is to stop the anomalies that are in the specified range from being
processed by the anomaly detection algorithm.
1. The algorithm is trained using the data that is collected during the training.
2. The algorithm performs anomaly detection on the training data.
3. A filtering process based on mean and standard deviation is applied.
4. Any anomalies that are in the specified interval are filtered.
5. From the remaining anomalous data points, the anomaly with the lowest anomaly level is
selected. This level (a float number between 0 and 1) is recorded in the model.
• Low — The low level equals the mean value and the standard deviation value.
• Normal — This is the default value. The normal level equals the mean value and two times the
standard deviation value.
• High — The high level equals the mean value and three times the standard deviation value.
Anomaly duration: The system will generate an alert for a detected anomaly only if the abnormal
behavior persists for the specified period.
Setting: Description
Threshold-based monitoring
CPU temperature has exceeded (°C): The maximum value of the monitored metric. If the value is
exceeded, the system generates an alert.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Anomaly-based monitoring
Model training period: The period during which the system will train the machine learning models
based on the data that is collected from the agents, and will then create the normal behavior
pattern of the workload. The longer the model training period, the more precise the long-term
behavior pattern that the system will create. We recommend that the minimum model training period
is twenty-one days.
Sensitivity level: The sensitivity level acts as a preliminary filter for anomalies if their
values are within a specific range. This filter operates independently from the anomaly detection
algorithm. Its purpose is to stop the anomalies that are in the specified range from being
processed by the anomaly detection algorithm.
• Low — The low level equals the mean value and the standard deviation value.
• Normal — This is the default value. The normal level equals the mean value and two times the
standard deviation value.
• High — The high level equals the mean value and three times the standard deviation value.
Anomaly duration: The system will generate an alert for a detected anomaly only if the abnormal
behavior persists for the specified period.
Enter an integer value in the range 1-60 (min). The default value is 15.
Setting: Description
Threshold-based monitoring
GPU temperature has exceeded: The maximum value of the monitored metric. If the value is
exceeded, the system detects an anomaly.
Enter an integer value (°C). The default value is 80.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Anomaly-based monitoring
Model training period: The period during which the system will train the machine learning models
based on the data that is collected from the agents, and will then create the normal behavior
pattern of the workload. The longer the model training period, the more precise the long-term
behavior pattern that the system will create. We recommend that the minimum model training period
is twenty-one days.
Sensitivity level: The sensitivity level acts as a preliminary filter for anomalies if their
values are within a specific range. This filter operates independently from the anomaly detection
algorithm. Its purpose is to stop the anomalies that are in the specified range from being
processed by the anomaly detection algorithm.
1. The algorithm is trained using the data that is collected during the training.
2. The algorithm performs anomaly detection on the training data.
3. A filtering process based on mean and standard deviation is applied.
4. Any anomalies that are in the specified interval are filtered.
5. From the remaining anomalous data points, the anomaly with the lowest anomaly level is
selected. This level (a float number between 0 and 1) is recorded in the model.
• Low — The low level equals the mean value and the standard deviation value.
• Normal — This is the default value. The normal level equals the mean value and two times the
standard deviation value.
• High — The high level equals the mean value and three times the standard deviation value.
Anomaly duration: The system will generate an alert for a detected anomaly only if the abnormal
behavior persists for the specified period.
Enter an integer value in the range 1-60 (min). The default value is 15.
Setting: Description
Hardware components: Select one or multiple hardware components that you want to monitor for
changes.
What to monitor: Specify the changes for which you want to monitor the selected hardware
components. You can select multiple items from the list.
Setting: Description
Threshold-based monitoring
Operator: The operator is a conditional function that defines how to measure the performance on
the metric.
• Less than
• Less than or equal to
CPU usage threshold: The threshold value and the Operator value determine the normal performance
of the monitored metric. When the value of the monitored metric is out of the norm, the system
generates an alert.
Enter an integer value in the range 1-100 (%). The default value is 90.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Anomaly-based monitoring
Model training period: The period during which the system will train the machine learning models
based on the data that is collected from the agents, and will then create the normal behavior
pattern of the workload. The longer the model training period, the more precise the long-term
behavior pattern that the system will create. We recommend that the minimum model training period
is twenty-one days.
Receive anomaly alerts during the training period: If you select this setting, you will receive
alerts about anomalies during the model training period. These alerts might be false, because the
models are still being trained and might not be accurate enough.
By default, the setting is selected.
Sensitivity level: The sensitivity level acts as a preliminary filter for anomalies if their
values are within a specific range. This filter operates independently from the anomaly detection
algorithm. Its purpose is to stop the anomalies that are in the specified range from being
processed by the anomaly detection algorithm.
1. The algorithm is trained using the data that is collected during the training.
2. The algorithm performs anomaly detection on the training data.
3. A filtering process based on mean and standard deviation is applied.
4. Any anomalies that are in the specified interval are filtered.
5. From the remaining anomalous data points, the anomaly with the lowest anomaly level is
selected. This level (a float number between 0 and 1) is recorded in the model.
• Low — The low level equals the mean value and the standard deviation value.
• Normal — This is the default value. The normal level equals the mean value and two times the
standard deviation value.
• High — The high level equals the mean value and three times the standard deviation value.
Anomaly duration: The system will generate an alert for a detected anomaly only if the abnormal
behavior persists for the specified period.
Enter an integer value in the range 1-60 (min). The default value is 15.
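The following added example (not product code) shows how the Operator, threshold, Time period, Sensitivity level, and Anomaly duration settings of the CPU usage monitor could be evaluated on one-minute samples. It assumes that the operator expresses the alert condition and that the sensitivity interval is the mean plus or minus the listed multiple of the standard deviation; the two "Greater than" operator names, the stand-in detector flags, and all sample data are constructed.

```python
import operator
from statistics import mean, pstdev

# "Less than" and "Less than or equal to" appear in the guide;
# the two "Greater than" names are assumed counterparts.
OPERATORS = {
    "Less than": operator.lt,
    "Less than or equal to": operator.le,
    "Greater than": operator.gt,
    "Greater than or equal to": operator.ge,
}

# Standard-deviation multiples per sensitivity level, as listed in the guide.
SENSITIVITY_K = {"Low": 1, "Normal": 2, "High": 3}


def longest_run(flags):
    """Return the length of the longest run of consecutive True values."""
    best = run = 0
    for flag in flags:
        run = run + 1 if flag else 0
        best = max(best, run)
    return best


def threshold_alert(samples, op_name, threshold, period_min):
    """Threshold-based monitoring: alert only if the metric stays out of the
    norm for period_min consecutive one-minute samples."""
    if not 1 <= period_min <= 60:
        raise ValueError("Time period must be in the range 1-60 (min)")
    out_of_norm = [OPERATORS[op_name](value, threshold) for value in samples]
    return longest_run(out_of_norm) >= period_min


def sensitivity_band(training, level):
    """Interval built from the training data: mean +/- k * standard deviation
    (the +/- reading of the guide's wording is an assumption)."""
    centre, spread = mean(training), pstdev(training)
    k = SENSITIVITY_K[level]
    return centre - k * spread, centre + k * spread


def prefilter(training, candidates, level):
    """Drop candidate anomalies whose value lies inside the interval."""
    low, high = sensitivity_band(training, level)
    return [value for value in candidates if not low <= value <= high]


def anomaly_alert(training, flagged, level, duration_min):
    """flagged holds one (value, is_candidate) pair per minute, where
    is_candidate stands in for the verdict of the anomaly detection model.
    Alert only if unfiltered anomalies persist for duration_min minutes."""
    low, high = sensitivity_band(training, level)
    abnormal = [cand and not low <= value <= high for value, cand in flagged]
    return longest_run(abnormal) >= duration_min


# Constructed data: CPU usage in percent, one sample per minute.
TRAINING = [40, 42, 38, 41, 39, 40, 43, 37, 40, 40]
CPU_SAMPLES = [95, 96, 50, 97, 98, 99, 97, 96, 40]
FLAGGED = [(44, True), (44, True), (44, True), (42, True), (44, True)]

if __name__ == "__main__":
    # A two-minute spike is ignored; a five-minute plateau raises the alert.
    print(threshold_alert(CPU_SAMPLES, "Greater than", 90, 5))
    # A wider interval filters more candidate anomalies before alerting.
    for level in SENSITIVITY_K:
        print(level, prefilter(TRAINING, [42, 44, 46, 95], level))
    print(anomaly_alert(TRAINING, FLAGGED, "Normal", 4))
```

With the constructed training data, a candidate value of 42 passes the Low filter but is dropped at Normal, which is also why the Normal level breaks the five-minute run in `FLAGGED`.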
Setting: Description
Threshold-based monitoring
Operator: The operator is a conditional function that defines how to measure the performance on
the metric.
Memory usage threshold: The threshold value and the Operator value determine the normal
performance of the monitored metric. When the value of the monitored metric is out of the norm,
the system generates an alert.
Enter an integer value in the range 1-100 (%). The default value is 90.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Anomaly-based monitoring
Model training period: The period during which the system will train the machine learning models
based on the data that is collected from the agents, and will then create the normal behavior
pattern of the workload. The longer the model training period, the more precise the long-term
behavior pattern that the system will create. We recommend that the minimum model training period
is twenty-one days.
Receive anomaly alerts during the training period: If you select this setting, you will receive
alerts about anomalies during the model training period. These alerts might be false, because the
models are still being trained and might not be accurate enough.
By default, the setting is selected.
Sensitivity level: The sensitivity level acts as a preliminary filter for anomalies if their
values are within a specific range. This filter operates independently from the anomaly detection
algorithm. Its purpose is to stop the anomalies that are in the specified range from being
processed by the anomaly detection algorithm.
1. The algorithm is trained using the data that is collected during the training.
2. The algorithm performs anomaly detection on the training data.
3. A filtering process based on mean and standard deviation is applied.
4. Any anomalies that are in the specified interval are filtered.
5. From the remaining anomalous data points, the anomaly with the lowest anomaly level is
selected. This level (a float number between 0 and 1) is recorded in the model.
• Low — The low level equals the mean value and the standard deviation value.
• Normal — This is the default value. The normal level equals the mean value and two times the
standard deviation value.
• High — The high level equals the mean value and three times the standard deviation value.
Anomaly The system will generate an alert for a detected anomaly only if the abnormal
Enter an integer value in the range 1-60 (min). The default value is 30 minutes.
Setting: Description
Threshold-based monitoring
Read speed operator: The operator is a conditional function that defines how to measure the
performance on the metric.
Read speed threshold: The threshold value and the Operator value determine the normal performance
of the monitored metric. When the value of the monitored metric is out of the norm, the system
generates an alert.
Read speed time period: The system will generate an alert for a detected issue only if the metric
value is out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Write speed operator: The operator is a conditional function that defines how to measure the
performance on the metric.
Write speed threshold: The threshold value and the Operator value determine the normal
performance of the monitored metric. When the value of the monitored metric is out of the norm,
the system generates an alert.
Write speed time period: The system will generate an alert for a detected issue only if the
metric value is out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Anomaly-based monitoring
Model training period: The period during which the system will train the machine learning models
based on the data that is collected from the agents, and will then create the normal behavior
pattern of the workload. The longer the model training period, the more precise the long-term
behavior pattern that the system will create. We recommend that the minimum model training period
is twenty-one days.
Receive anomaly alerts during the training period: If you select this setting, you will receive
alerts about anomalies during the model training period. These alerts might be false, because the
models are still being trained and might not be accurate enough.
By default, the setting is selected.
Sensitivity level: The sensitivity level acts as a preliminary filter for anomalies if their
values are within a specific range. This filter operates independently from the anomaly detection
algorithm. Its purpose is to stop the anomalies that are in the specified range from being
processed by the anomaly detection algorithm.
1. The algorithm is trained using the data that is collected during the training.
2. The algorithm performs anomaly detection on the training data.
3. A filtering process based on mean and standard deviation is applied.
4. Any anomalies that are in the specified interval are filtered.
5. From the remaining anomalous data points, the anomaly with the lowest anomaly level is
selected. This level (a float number between 0 and 1) is recorded in the model.
• Low — The low level equals the mean value and the standard deviation value.
• Normal — This is the default value. The normal level equals the mean value and two times the
standard deviation value.
• High — The high level equals the mean value and three times the standard deviation value.
Anomaly duration (Read speed): The system will generate an alert for a detected anomaly only if
the abnormal behavior persists for the specified period.
Enter an integer value in the range 1-60 (min). The default value is 25.
Anomaly duration (Write speed): The system will generate an alert for a detected anomaly only if
the abnormal behavior persists for the specified period.
Enter an integer value in the range 1-60 (min). The default value is 25.
Setting: Description
Threshold-based monitoring
Incoming traffic operator: The operator is a conditional function that defines how to measure the
performance on the metric.
The following values are available.
Incoming traffic threshold: The threshold value and the Operator value determine the normal
performance of the monitored metric. When the value of the monitored metric is out of the norm,
the system generates an alert.
Incoming traffic time period: The system will generate an alert for a detected issue only if the
metric value is out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Outgoing traffic operator: The operator is a conditional function that defines how to measure the
performance on the metric.
The following values are available.
Outgoing traffic threshold: The threshold value and the Operator value determine the normal
performance of the monitored metric. When the value of the monitored metric is out of the norm,
the system generates an alert.
Outgoing traffic time period: The threshold value and the Operator value determine the normal
performance of the monitored metric. When the value of the monitored metric is out of the norm,
the system generates an alert.
Enter an integer value in the range 1-60 (min). The default value is 5.
Anomaly-based monitoring
Model training period: The period during which the system will train the machine learning models
based on the data that is collected from the agents, and will then create the normal behavior
pattern of the workload. The longer the model training period, the more precise the long-term
behavior pattern that the system will create. We recommend that the minimum model training period
is twenty-one days.
Receive anomaly alerts during the training period: If you select this setting, you will receive
alerts about anomalies during the model training period. These alerts might be false, because the
models are still being trained and might not be accurate enough.
By default, the setting is selected.
Sensitivity level: The sensitivity level acts as a preliminary filter for anomalies if their
values are within a specific range. This filter operates independently from the anomaly detection
algorithm. Its purpose is to stop the anomalies that are in the specified range from being
processed by the anomaly detection algorithm.
1. The algorithm is trained using the data that is collected during the training.
2. The algorithm performs anomaly detection on the training data.
3. A filtering process based on mean and standard deviation is applied.
4. Any anomalies that are in the specified interval are filtered.
5. From the remaining anomalous data points, the anomaly with the lowest anomaly level is
selected. This level (a float number between 0 and 1) is recorded in the model.
• Low — The low level equals the mean value and the standard deviation value.
• Normal — This is the default value. The normal level equals the mean value and two times the
standard deviation value.
• High — The high level equals the mean value and three times the standard deviation value.
Anomaly duration (Incoming): The system will generate an alert for a detected anomaly only if the
abnormal behavior persists for the specified period.
Anomaly duration (Outgoing): The system will generate an alert for a detected anomaly only if the
abnormal behavior persists for the specified period.
Enter an integer value in the range 1-60 (min).
Setting: Description
Process name: Name of the process that you want to monitor. Enter the process name without the
extension.
Operator: The operator is a conditional function that defines how to measure the performance on
the metric.
Threshold: The threshold value and the Operator value determine the normal performance of the
monitored metric. When the value of the monitored metric is out of the norm, the system generates
an alert.
Enter an integer value in the range 1-100 (%). The default value is 90.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Setting: Description
Process name: Name of the process that you want to monitor. Enter the process name without the
extension.
Operator: The operator is a conditional function that defines how to measure the performance on
the metric.
Threshold: The threshold value and the Operator value determine the normal performance of the
monitored metric. When the value of the monitored metric is out of the norm, the system generates
an alert.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Setting: Description
Process name: The name of the process that you want to monitor. Enter the process name without
the extension.
• Read speed
• Write speed
Read speed operator: The operator is a conditional function that defines how to measure the
performance on the metric.
Read speed threshold: The threshold value and the Operator value determine the normal performance
of the monitored metric. When the value of the monitored metric is out of the norm, the system
generates an alert.
Read speed time period: The system will generate an alert for a detected issue only if the metric
value is out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Write speed operator: The operator is a conditional function that defines how to measure the
performance on the metric.
The following values are available.
Write speed threshold: The threshold value and the Operator value determine the normal
performance of the monitored metric. When the value of the monitored metric is out of the norm,
the system generates an alert.
Write speed time period: The system will generate an alert for a detected issue only if the
metric value is out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Process name: Name of the process that you want to monitor. Enter the process name without the
extension.
Incoming traffic operator: The operator is a conditional function that defines how to measure the
performance on the metric.
The following values are available.
Incoming traffic threshold: The threshold value and the Operator value determine the normal
performance of the monitored metric. When the value of the monitored metric is out of the norm,
the system generates an alert.
Incoming traffic time period: The system will generate an alert for a detected issue only if the
metric value is out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Outgoing traffic operator: The operator is a conditional function that defines how to measure the
performance on the metric.
The following values are available.
Outgoing traffic threshold: The threshold value and the Operator value determine the normal
performance of the monitored metric. When the value of the monitored metric is out of the norm,
the system generates an alert.
Outgoing traffic time period: The system will generate an alert for a detected issue only if the
metric value is out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 5.
Setting: Description
Service name: The name of the Windows service that you want to monitor.
You can select a service name from the list of Windows services. The list is populated by all
agents of the tenant after software inventory scan completes successfully on the workloads. You
can also add a service name that is not in the list. This is the only available option if
software inventory scan was not performed on the workloads.
Service status: If the service is in the selected status, the system will generate an event.
The following values are available.
• Running
• Stopped — This is the default value.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 1.
Setting: Description
Process name: The name of the process that you want to monitor. Enter the name of the executable
file without the extension.
Process status: If the process is in the selected status, the system will generate an event.
The following values are available.
• Running
• Stopped — This is the default value.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value in the range 1-60 (min). The default value is 1.
Setting: Description
Software names: This setting becomes available if you select the Specific software value for
What software to monitor.
You can select a software application name from the list of Windows services. The list is
populated by all agents of the tenant after software inventory scan completes successfully on the
workloads. You can also add a software application name that is not in the list. This is the only
available option if software inventory scan was not performed on the workloads.
Installation status: Specify if you want to monitor installed, not installed, or updated
software.
The following values are available.
Setting: Description
The workload has not been restarted for: The period (number of days) since the last restart of
the workload. If the workload has not been restarted for a longer period than the period you
specify, the system will generate an alert.
Enter an integer value in the range 1-180 (days). The default value is 30.
Setting: Description
Event log name: Select a certain event log from a list of Windows event logs that are available
in Windows Event Viewer.
You can select the value from a list of event sources that are collected from all agents of the
tenant or enter a new source name manually.
If the software inventory scan is disabled for the tenant, the event source list will be empty.
Matching mode: In this field, you can specify whether to connect the Event IDs, Event type, and
Event description settings by using the Any or the All operator.
• Any — This is the default value. An alert will be generated only if any of the selected
criteria is matched.
• All — An alert will be generated if all the selected criteria are matched.
Event IDs: Enter one or multiple event IDs separated by comma. If the system finds in the event
log any of the event codes that you entered in this field, it generates an alert.
Event type: Select one or multiple event types that you want to monitor.
Event description: Specific keywords or phrases in the event description for which you want to
search. Each keyword or phrase that you enter must be enclosed in quotation marks and must be
separated by comma. If the system finds any of the keywords or phrases that you entered, it will
generate an alert.
Number of occurrences: The minimum number of occurrences in the log that an event must have
during the time period for the system to generate an alert.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value and then select the unit: minutes or hours. The default value is 60
minutes.
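The following added example (not product code) shows how the Event IDs, Event type, Event description, Matching mode, Number of occurrences, and Time period settings could combine into one alert decision. The case-insensitive keyword match, the sliding time window, the event type names, and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta


def parse_event_ids(field):
    """Event IDs setting: one or multiple IDs separated by comma."""
    return {int(part) for part in field.split(",") if part.strip()}


def parse_keywords(field):
    """Event description setting: each keyword or phrase is enclosed in
    quotation marks and separated by comma."""
    return [kw.lower() for kw in re.findall(r'"([^"]+)"', field)]


def event_matches(event, ids, types, keywords, mode):
    """Apply the Matching mode (Any or All) to the criteria that are set."""
    checks = []
    if ids:
        checks.append(event["id"] in ids)
    if types:
        checks.append(event["type"] in types)
    if keywords:
        text = event["description"].lower()
        checks.append(any(kw in text for kw in keywords))
    if not checks:
        return False
    return all(checks) if mode == "All" else any(checks)


def should_alert(events, ids="", types=(), keywords="", mode="Any",
                 occurrences=1, period=timedelta(minutes=60)):
    """Alert when at least `occurrences` matching events fall inside one
    window of length `period` (sliding window is an assumption)."""
    id_set, type_set = parse_event_ids(ids), set(types)
    kws = parse_keywords(keywords)
    hits = sorted(e["time"] for e in events
                  if event_matches(e, id_set, type_set, kws, mode))
    start = 0
    for end, stamp in enumerate(hits):
        while stamp - hits[start] > period:
            start += 1
        if end - start + 1 >= occurrences:
            return True
    return False


def _ev(hhmm, event_id, event_type, description):
    """Build one constructed event record."""
    hour, minute = map(int, hhmm.split(":"))
    return {"time": datetime(2023, 8, 1, hour, minute), "id": event_id,
            "type": event_type, "description": description}


# Constructed sample events; they are not taken from a real log.
SAMPLE_EVENTS = [
    _ev("09:00", 4625, "Audit Failure", "An account failed to log on."),
    _ev("09:10", 4625, "Audit Failure", "An account failed to log on."),
    _ev("09:20", 4624, "Audit Success", "An account was successfully logged on."),
    _ev("09:30", 7036, "Information",
        "The Print Spooler service entered the stopped state."),
    _ev("09:50", 4625, "Audit Failure", "An account failed to log on."),
    _ev("11:30", 4625, "Audit Failure", "An account failed to log on."),
]

if __name__ == "__main__":
    # Three failed logons inside 60 minutes raise the alert; four do not,
    # because the fourth one arrives outside the window.
    print(should_alert(SAMPLE_EVENTS, ids="4625", occurrences=3))
    print(should_alert(SAMPLE_EVENTS, ids="4625", occurrences=4))
```

With the Any mode, adding a keyword widens the match set and can push the count over the Number of occurrences value; with the All mode, the same keyword narrows it.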
Setting: Description
Files or folders to monitor: The paths to the files or folders that you want to monitor. You can
also specify files or folders that you want to exclude from monitoring.
You can use the following wildcard characters.
• The full path should start from the drive letter followed by the :\ separator.
• You can use slash or backslash as a path separator character.
• The file or folder name must not end with a space or a period.
Specifying a specific location is not mandatory for exclusion filters. The files entered without
a specific location will be excluded in the monitored folders.
Operator: The operator is a conditional function that defines how to measure the performance on
the metric.
Threshold value: The threshold value and the Operator value determine the normal performance of
the monitored metric. When the value of the monitored metric is out of the norm, the system
generates an alert.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value in the range 10-60 (min). The default value is 10.
If you enable this monitor, the system will generate an alert in the following cases.
• The built-in OS firewall (Windows Defender Firewall or macOS firewall) is disabled and no
third-party firewall is running.
• Windows Defender Firewall is disabled for public networks.
• Windows Defender Firewall is disabled for private networks.
• Windows Defender Firewall is disabled for domain networks.
Setting: Description
Failed login attempts threshold: The threshold value determines the boundaries for the normal
performance of the monitored metric. When the threshold value is exceeded, the value is out of
norm.
Time period: The system will generate an alert for a detected issue only if the metric value is
out of the norm during the specified period.
Enter an integer value in the range 1-24 and select a unit: hours or days. The default value is
12.
If you enable this monitor, the system will generate an alert when it identifies one of the following
conditions.
For security reasons, we recommend that you disable the AutoRun feature for removable media on
the workload. If the feature is enabled, the system will generate an alert.
Setting: Description
Schedule: The time when the script is run and, optionally, additional conditions that should be
met to run the script.
• Schedule by time — The script will run in the exact time, days, weeks, or months that you
specify. This is the default value.
Schedule type — Hourly, Daily, or Monthly
Run within a date range — A time range in which to run the script.
• When user logs in to the system — The script will run when a user logs in to the workload.
• When user logs off the system — The script will run when a user logs out of the workload.
• On the system startup — The script will run when the operating system of the workload starts.
• When system is shut down — The script will run when the workload is shut down.
• When system goes online — The script will run when the workload becomes available online.
If start conditions are not met, run the task anyway after — By default, this condition is
enabled. The default value is 1 hour.
Maximum duration: The maximum period during which the script can run on the workload.
If the script does not complete during this period, the operation will fail.
Enter an integer value in the range 1-1440 (minutes). The default value is 3 minutes.
For more information about these values, see the Microsoft documentation.
Monitoring plans
Monitoring plans are plans that you apply on your managed workloads to enable and configure the
monitoring functionality.
If no monitoring plan is applied on a workload, the monitoring features will not be available for the
workload.
Note
The availability of the settings that you can configure in the monitoring plan depends on the service
pack that is applied on the tenant. To access all settings, activate the Advanced Management pack.
Prerequisites
The version of the agent that is installed on the workload supports the monitoring functionality.
Option Description
Recommended Select this option to create a monitoring plan with the default
monitoring configuration.
4. [Optional] To change the default name of the plan, click the pencil icon, enter the name of the
plan, and then click OK.
5. [Optional] To add a monitor to the plan, click Add monitor, click the monitor in the list, and then
click Add.
Note
The settings of the monitor will be populated automatically with the default values.
You can add a maximum of three monitors of the same type and up to 30 monitors in total to a
monitoring plan.
6. [Optional] In the monitor parameters screen, change the default settings of the monitor and
alerts, and then click Done.
7. [Optional] To delete a monitor, click the bin icon, and then click Delete.
8. [Optional] To add workloads to the plan:
a. Click Add workloads.
b. Select the workloads, and then click Add.
c. If there are compatibility issues that you want to resolve, follow the procedure as described in
"Resolving compatibility issues with monitoring plans" (p. 932).
9. Click Create.
Option | Description
Recommended | Select this option to create a monitoring plan with the default monitoring configuration.
6. [Optional] To change the default name of the plan, click the pencil icon, enter the name of the
plan, and then click OK.
7. [Optional] If you want to change the default settings of the monitor and alerts, configure the new
values, and then click Done.
Note
You can add a maximum of three monitors of the same type and up to 30 monitors in total to a
monitoring plan.
8. [Optional] In the monitor parameters screen, change the default settings of the monitor and
alerts, and then click Done.
9. [Optional] To delete a monitor, click the bin icon, and then click Delete.
10. Click Create.
Prerequisites
l 2FA is enabled for your user account.
l The version of the agent that is installed on the workload supports the monitoring functionality.
l At least one monitoring plan is available.
Prerequisites
At least one monitoring plan is applied to the workload.
You can configure one or several automatic response actions on the alerted events. The maximum
number of automatic response actions per monitor is 20.
The following table lists and describes all the automatic response actions available in the monitor
settings.
Restart the workload | If you add this action, the system will restart the workload remotely when the conditions are met. | Windows, macOS
Stop the process | If you add this action, you can specify the process to stop via manual input of process name. | Windows, macOS
Start the Windows service | If you add this action, you can select which Windows service to start from the dynamic list of services populated from the agents. | Windows
Stop the Windows service | If you add this action, you can select which Windows service to stop from the dynamic list of services populated from the agents. | Windows
Enable Windows Update | If you add this action, the system will enable Windows Update when the conditions are met. This action is available only for Windows Update status monitor. | Windows
Disable AutoRun on removable drives | If you add this action, the system will disable the AutoRun feature on removable storage media for the workload when the conditions are met. This action is available only for Autorun feature status monitor. | Windows
View details
1. In the Monitoring plans screen, click the More actions icon of the monitoring plan.
2. Click View details.
3. [Optional] If you want to view the details of a monitor that is enabled in the plan, click the
monitor name.
Edit
Prerequisites
2FA is enabled for your user account.
To edit a plan
1. In the Monitoring plans screen, click the More actions icon of the monitoring plan.
2. Click Edit.
3. [Optional] To delete a monitor from the plan, click the recycle bin icon that is situated to the right
of the monitor name.
4. [Optional] To enable or disable a monitor in the plan, use the toggle next to the monitor name.
5. [Optional] To edit the monitor parameters, do the following.
a. Click the monitor name.
b. Click the overview of the monitor parameters.
c. In the Monitor parameters screen, configure the parameters, and then click Done.
Note
You can configure different settings for each monitor. For more information, see
"Configurable monitors" (p. 895) and "Configuring monitoring alerts" (p. 934).
Activities
1. In the Monitoring plans screen, click the More actions icon of the monitoring plan.
2. Click Activities.
3. Click an activity to view more details about it.
Alerts
1. In the Monitoring plans screen, click the More actions icon of the monitoring plan.
2. Click Alerts.
Rename
Prerequisites
2FA is enabled for your user account.
1. In the Monitoring plans screen, click the More actions icon of the monitoring plan.
2. Click Rename.
3. Enter the new name of the plan, and then click OK.
Enable
Prerequisites
l 2FA is enabled for your user account.
l The monitoring plan is applied to at least one workload.
1. In the Monitoring plans screen, click the More actions icon of the monitoring plan.
2. Click Enable.
Disable
Prerequisites
2FA is enabled for your user account.
1. In the Monitoring plans screen, click the More actions icon of the monitoring plan.
2. Click Disable.
Prerequisites
2FA is enabled for your user account.
1. In the Monitoring plans screen, click the More actions icon of the monitoring plan.
2. Click Delete.
3. Select I confirm, and then click Delete.
l Incompatible operating system - this issue appears when the workload's operating system is not
supported.
l Unsupported agent - this issue appears when the version of the protection agent on the
workload is outdated and does not support the monitoring functionality.
l Insufficient quota - this issue appears when there is not enough service quota in the tenant to
assign to the selected workloads.
If the monitoring plan is applied to up to 150 individually selected workloads, you will be prompted
to resolve the existing conflicts before saving the plan. To resolve a conflict, remove the root cause
for it or remove the affected workloads from the plan. For more information, see "Resolving
compatibility issues with monitoring plans" (p. 932). If you save the plan without resolving the
conflicts, it will be automatically disabled for the incompatible workloads, and alerts will be shown.
If the monitoring plan is applied to more than 150 workloads or to device groups, first it will be
saved, and then checked for compatibility. The plan will be automatically disabled for the
incompatible workloads, and alerts will be shown.
Note
This option is available only for customer administrators.
6. [Optional] To resolve compatibility issues with insufficient quota by removing workloads from
the plan:
a. On the Insufficient quota tab, select the workloads that you want to remove.
b. Click Remove workloads from plan.
c. Click Remove, and then click Close.
7. [Optional] To resolve compatibility issues with insufficient quota by increasing the quota of the
tenant:
a. On the Insufficient quota tab, click Go to Management portal.
b. Increase the service quota for the customer.
Note
This option is available only for partner administrators.
You can perform the following actions with alerts on the Alerts dashboard:
Option | Description
Critical | These alerts have the highest priority and are related to issues that are critical for the operation of the workload. Resolve these issues as soon as possible.
Error | An error alert is less severe and indicates that something is wrong or is not behaving normally. Resolve the issues on time to prevent them causing more severe issues.
Warning | A warning alert indicates that there is some condition of which you should be aware, but it might not be causing a problem yet. Resolve these issues after you fix the issues that are causing critical and error alerts. This is the default value.
Informational | These alerts have the lowest priority. The Informational severity does not indicate a problem. Such alerts provide information about actions that are related to a monitored object.
3. In Alert frequency, select how often the system should generate an alert when the condition is
met.
Option | Description
Once until the check passes | The system will generate an alert one time until the check completes successfully. This is the default value.
After X consecutive failures | The system will generate an alert after X consecutive failed checks, where X is an integer value.
4. In Alert message, click the pencil icon to edit the default alert message that will be used when
the system generates an alert. You can specify a custom alert message that contains variables.
For more information about the variables that you can use, see "Monitoring alert variables" (p.
935).
Note
You can configure more than one alert message for some of the monitors.
5. Enable Alert auto-resolution, if you want the system to automatically resolve the alert when the
monitored metric returns to normal state and the behavior is normal again. By default, the
setting is enabled.
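The following added example (not part of the original guide and not the product's own code) replays a constructed sequence of check results against the two Alert frequency options and the Alert auto-resolution setting described in steps 3 and 5. The names AlertPolicy, simulate, and first_alert_index are hypothetical, and the model assumes that one alert is raised per streak of failed checks and that a passed check re-arms alerting.

```python
from dataclasses import dataclass
from typing import List, Tuple

ONCE_UNTIL_PASS = "Once until the check passes"    # default value in the guide
AFTER_X_FAILURES = "After X consecutive failures"


@dataclass
class AlertPolicy:
    """Hypothetical container for the alert settings of one monitor."""
    frequency: str = ONCE_UNTIL_PASS
    x: int = 1                    # only used with AFTER_X_FAILURES
    auto_resolution: bool = True  # enabled by default in the guide


def simulate(checks: List[bool], policy: AlertPolicy) -> Tuple[List[str], int]:
    """Replay check results (True = check passed) against a policy.

    Returns (events, open_alerts). events holds one entry per check:
    "" (nothing happened), "ALERT", or "RESOLVED". open_alerts is the
    number of alerts that are still unresolved after the last check.
    """
    if policy.frequency == AFTER_X_FAILURES and policy.x < 1:
        raise ValueError("X must be a positive integer")
    threshold = policy.x if policy.frequency == AFTER_X_FAILURES else 1

    events: List[str] = []
    streak = 0       # consecutive failed checks so far
    open_alerts = 0
    for passed in checks:
        event = ""
        if passed:
            streak = 0
            # Auto-resolution closes the alert once the metric is normal again.
            if open_alerts and policy.auto_resolution:
                open_alerts = 0
                event = "RESOLVED"
        else:
            streak += 1
            # Assumption: the alert is raised on the check that reaches the
            # threshold; further failures in the same streak stay silent.
            if streak == threshold:
                open_alerts += 1
                event = "ALERT"
        events.append(event)
    return events, open_alerts


def first_alert_index(events: List[str]) -> int:
    """Index of the first check that raised an alert, or -1 if none did."""
    return events.index("ALERT") if "ALERT" in events else -1


# Constructed sample: a metric that fails once, recovers, then fails three
# times in a row, recovers, and fails again.
SAMPLE_CHECKS = [True, False, True, False, False, False, True, False]

if __name__ == "__main__":
    policies = {
        "default": AlertPolicy(),
        "X=3": AlertPolicy(frequency=AFTER_X_FAILURES, x=3),
        "no auto-resolution": AlertPolicy(auto_resolution=False),
    }
    for label, policy in policies.items():
        events, open_alerts = simulate(SAMPLE_CHECKS, policy)
        print(f"{label:20} alerts={events.count('ALERT')} "
              f"first_alert_at_check={first_alert_index(events)} "
              f"still_open={open_alerts}")
```

With this sample, the default setting alerts on every isolated failure, X=3 suppresses the single-check failures but raises its first alert four checks later, and turning auto-resolution off leaves every alert open until someone resolves it.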
The following table provides more information about the available variables.
monitor_name | The name of the sub policy in the monitoring plan | All monitors
threshold_unit | The unit that is associated with the threshold value. For example, %, MB, or mb/s. | All monitors that support threshold-based monitoring.
time_period | The system will generate an alert for a detected issue only if the metric value is out of the norm during the specified period. | All monitors that support threshold-based monitoring.
time_unit | The unit that will be associated with the time period (sec/min/hours/day). | All monitors that support threshold-based monitoring.
anomaly_unit | The unit that will be associated with the anomaly value | All monitors that support anomaly-based monitoring.
deviation_unit | The unit that will be associated with the deviation value | All monitors that support anomaly-based monitoring.
drive_name | The drive for Windows, or partition for macOS | Disk space,
hardware_model_old | The model of the monitored component that was replaced | Hardware changes
hardware_model_new | The model of the new monitored component that was added | Hardware changes
Memory usage by process
Network usage by process
Process status
software_version_old | The version of the software application before the update | Installed software
number_of_occurrences | The number of times an event appears in the log | Windows event log
The list of response actions available for a particular alert depends on the alert type, availability of
features for a particular tenant and the workload operating system.
The following table lists and describes all the manual response actions for your reference.
Browse disk space usage trend | Opens a window with Disk space usage graph, where you can: | Windows, macOS
Browse files size growth trend | Opens a window with File size growth graph, where you can: | Windows, macOS
Browse top 10 processes that loaded CPU | Opens a window with top 10 processes that have loaded the CPU and may have caused its overheating (The system snapshot at the moment of alert generation). | Windows, macOS
Browse top 10 processes that loaded GPU | Opens a window with top 10 processes that have loaded the GPU and may have caused its overheating (The system snapshot at the moment of alert generation). | Windows, macOS
Browse top 10 processes that loaded memory | Opens a window with top 10 processes that have loaded the memory (The system snapshot at the moment of alert generation). | Windows, macOS
Browse top 10 processes that loaded disk | Opens a window with top 10 processes that have loaded the disk (The system snapshot at the moment of alert generation). | Windows, macOS
Browse top 10 processes that loaded network | Opens a window with top 10 processes that have loaded the network interface adapter (The system snapshot at the moment of alert generation). | Windows, macOS
Important
For security reasons, two-factor authentication is required to perform the following manual
response actions:
l Run a script
l Connect via NEAR
l Connect via RDP
l Restart workload
l Start Windows service
l Stop Windows service
l Stop process
l Enable Windows Update
l Disable AutoRun feature on removable drives
Note
If you want to change the recipients, click Edit recipients.
Important
To add a new recipient to the plan or policy, create the user account of that recipient, and then
select it from the Recipients list.
4. In the Alert types field, select the types of monitoring alerts that will be sent to the selected
users.
Note
If the email notification policy is disabled, the Enable option is displayed. If the email notification
policy is enabled, the Disable option is available.
To view the monitors that are applied to a workload and the monitor data
Displayed information | Description
Last result | The latest value of the monitored metric or the latest state of the event
Last check | The date and time when the monitor collected the last data
Alerts | The number of generated and unresolved alerts for the monitor
Note
The widgets become visible on the tab 15 minutes (or the minimum monitor frequency that is
set for a monitor) after you apply a monitoring plan to the workload.
3. To view more details about the monitor, and if applicable, the historical data that was collected
for the monitored metric, in the monitor's widget, click the ellipsis icon, and then click Details.
For more information about the monitor details that you can see in the widgets, see "Monitor
widgets" (p. 942).
Monitor widgets
In the monitor widget, you can see the following details about the monitor.
Field | Description
Monitoring plan | The name of the monitoring plan that contains the monitor. The name of the monitoring plan is a link that opens the monitoring plan in view mode.
Monitor frequency | The time interval at which the monitor collects data from the workload
Last result | The latest value of the monitored metric or the latest state of the event
Last check | The date and time when the monitor collected the last data
Last alert | The date and time when the last alert was generated. The field is displayed only if at least one alert has been generated for the monitor.
In addition, for monitors that collect time-series data, you can view the historical data for a selected
period (1 hour, 6 hours, 12 hours, 1 day, 1 week, or 1 month) in a graphical view.
The graph displays the actual values of the metrics during the period that you selected. If for some
reason the agent did not send the collected data to the cloud, the missing values will be displayed as
a dotted line that connects the data points with actual values that precede and succeed the missing
value.
For monitors that are using Anomaly-based monitoring, the graph displays the baselines area, a line
that shows the actual values of the metric, and the anomalies. The anomalies are the spikes or
values that are out of the baselines. The anomalies are displayed as red dots on the graph.
If you hover the mouse over the graph, you can see the actual value and the threshold values for a
specific time.
With the Enhanced security mode, all backups created in a customer tenant and its units are
automatically encrypted with the AES algorithm and a 256-bit key. Users can set the encryption
passwords only on the protected devices, and cannot set them in the protection plans.
Important
The Enhanced security mode cannot be disabled.
Limitations
l The Enhanced security mode is compatible only with agents version 15.0.26390 or higher.
l The Enhanced security mode is not available for devices running Red Hat Enterprise Linux 4.x or
5.x, and their derivatives.
l Cloud services cannot access encryption passwords. Due to this limitation, some features are not
available for tenants in the Enhanced security mode.
Unsupported features
The following features are not available for tenants in the Enhanced security mode:
1. During the installation of a protection agent (for Windows, macOS, and Linux).
2. By using the command line (for Windows and Linux).
This is the only way to set an encryption password on a virtual appliance.
For more information on how to set an encryption password with the Acropsh tool, refer to "To
save the encryption settings on a machine" (p. 397).
3. In the Cyber Protect Monitor (for Windows and macOS).
We recommend that you do not change the encryption password after backups are created,
because subsequent backups will fail. To continue protecting the same machine, you must create a
new protection plan for it. Changing both the encryption password and the protection plan will
result in creating new backups that are encrypted with the changed password. The backups that
were created before these changes will not be affected.
Alternatively, you can keep the applied protection plan, and change only the backup file name in it.
This will also result in creating new backups that are encrypted with the changed password. To learn
more about the backup file name, refer to "Backup file name" (p. 404).
Immutable storage
With immutable storage, you can access deleted backups during a specified retention period. You
can recover content from these backups, but you cannot change, move, or delete them. When the
retention period ends, the deleted backups are permanently erased.
These backups still use storage space and are charged accordingly.
l Governance mode
In this mode, an administrator can disable and re-enable immutable storage, and change its
mode and retention period.
l Compliance mode
After this mode is selected, immutable storage cannot be disabled, and its mode or retention
period cannot be changed anymore.
Warning!
Switching to Compliance mode is irreversible.
Limitations
l Immutable storage requires a protection agent version 21.12 (build 15.0.28532) or later.
l Only TIBX (Version 12) backups are supported.
Configuring the immutable storage settings requires two-factor authentication in the tenant to
which the administrator account belongs.
You can configure the immutable storage settings in the Cyber Protect console or in the
management portal. They both provide access to the same settings. To learn how to configure the
immutable storage settings in the management portal, refer to Configuring immutable storage in
the administrator guide.
Warning!
Selecting Compliance mode is irreversible.
8. To make your existing backups support immutable storage, update them by running their
protection plans.
Now, after you delete a backup, you will be able to access it during the retention period of
immutable storage.
Warning!
If you delete a backup without updating it after you enable the immutable storage, the backup
will be erased permanently.
Warning!
If you disable immutable storage, all deleted backups will be permanently erased. Deleting new
backups will also be permanent.
1. On the Backup storage tab, select the cloud storage that contains the deleted backup.
2. [Only for deleted backup sets] To see the deleted backup sets, click Show deleted.
3. Select the backup set containing the backup that you want to recover.
4. Click Show backups, and then click Show deleted.
5. Select the backup that you want to recover.
6. Proceed with the recovery operation, as described in "Recovery" (p. 446).
Failback
Switching a workload from a spare server (such as a virtual machine replica or a recovery server running in the cloud) back to the production server.
Failover
with each other in the production network.
M
Module
Module is a part of protection plan providing a particular data protection functionality, for example, the backup module, the Antivirus & Antimalware protection module, and so on.
consisting of configurable steps that automate disaster recovery actions.
Protection agent
Protection agent is the agent to be installed on machines for data protection.
S
Single-file backup format
V
Validation
Virtual machine