Acronis Cyber Protect 15
All trademarks and copyrights referred to are the property of their respective owners.
Distribution of substantively modified versions of this document is prohibited without the explicit
permission of the copyright holder.
Distribution of this work or derivative work in any standard (paper) book form for commercial
purposes is prohibited unless prior permission is obtained from the copyright holder.
Third party code may be provided with the Software and/or Service. The license terms for such
third-parties are detailed in the license.txt file located in the root installation directory. You can
always find the latest up-to-date list of the third party code and the associated license terms used
with the Software and/or Service at https://kb.acronis.com/content/7696
For detailed information about the features included in each edition, refer to "Acronis Cyber Protect
15 Editions Comparison including Cloud deployment".
All editions of Acronis Cyber Protect 15 are licensed by the number of protected workloads and their
type (workstation, server, and virtual host). Cyber Protect editions are only available with
subscription licenses. Cyber Backup editions are available both with subscription and perpetual
licenses. For more information about the available options, refer to "Licensing" (p. 21).
Perpetual license keys for version 15 cannot be used with backup agents from Acronis Cyber Backup
12.5. However, these agents will continue working with their old license keys, even when their
management server is upgraded to version 15.
Backup subscription licenses can be used with version 12.5 agents, even when the agents are
upgraded to version 15. Cyber Protect subscription licenses can be used only by version 15 agents.
Note
The features vary between different editions. Some of the features described in this documentation
may be unavailable with your license.
Important
The Cyber Protect features are only supported for machines on which a protection agent is
installed. For virtual machines protected in agentless mode, for example by Agent for Hyper-V,
Agent for VMware, or Agent for Scale Computing, only backup is supported.
Vulnerability assessment
Patch management
Disk health
Smart protection plans based on Acronis Cyber Protection Operations Center (CPOC) alerts
Backup scanning
Safe recovery
Remote desktop
* On macOS, static analysis for portable executable files is only supported for scheduled scans.
** On macOS, you can only use exclusions to specify files and folders that will not be scanned by
real-time protection or scheduled scans.
*** The vulnerability assessment depends on the availability of official security advisories for
the specific distribution, for example https://lists.centos.org/pipermail/centos-announce,
https://lists.centos.org/pipermail/centos-cr-announce, and others.
Renewals for the legacy perpetual licenses are available. Some features, such as cloud deployment
or cloud-to-cloud backups are not available with a perpetual license.
A trial license is also available. It provides you access to all product features for 30 days from the
license activation.
For more details about the licensing options, refer to Acronis Cyber Protect 15: licensing and
upgrade/downgrade FAQ in our knowledge base. Acronis licensing policy is available
at https://www.acronis.com/company/licensing.html.
If there is a single management server in your Acronis environment, all your licenses are
automatically allocated to this server. If you have more than one management server, you must
allocate your licenses to the desired servers by using the centralized license management in the
cloud console (https://cloud.acronis.com).
All operations with licenses are automatically synchronized with the online management servers. To
synchronize an allocation change with an offline management server, create a new activation file. To
learn more about the different management servers and how to activate them, refer to "Types of
management servers" (p. 22) and "Activating a management server" (p. 23).
The management server assigns a license to a workload the first time you apply a protection plan to
this workload. If more than one license is allocated to the management server, it assigns the
workload the most appropriate one, depending on the workload type, operating system, and
required level of protection.
Note
You can also use a mixed deployment model by splitting a license quota between a cloud
management server and one or more on-premises management servers.
The license management is centralized and is done in the Acronis Cyber Protection service console
in the cloud, which is part of Acronis Cyber Cloud (https://cloud.acronis.com).
Here, on the Settings > License usage tab, you can, for example, allocate available licenses and
license quota to a specific management server, re-allocate licenses or their quotas to another
management server, or register offline management servers. You can find the new licenses that are
not yet allocated to any server and the licenses that were released by unregistered servers in the
Unallocated licenses section.
Use the same credentials also to log in to the local web console of your management server
(https://<IP address of your management server>:<port>) and to Acronis Customer Portal
(https://account.acronis.com).
The licensing information, such as allocated licenses, their quota, and expiration date, is also shown
in the local web console of the on-premises management servers, after a synchronization with your
Acronis account.
In Acronis Customer Portal, you can manage your purchased products―for example, by checking
the expiration date of your subscriptions, adding new license keys, registering license renewals, or
requesting an upgrade. You can also contact the Support team, download the product installation
files, and access the product documentation.
1. Log in to Acronis Customer Portal (https://account.acronis.com) by using your Acronis account
credentials.
2. In the navigation menu, click Products.
3. Click Add keys.
4. Enter one or more license keys, one per line, and then click Add.
The licenses are now added to your account and you can manage their usage in the Acronis Cyber
Protection service console in the cloud.
Note
If there is a single management server in your Acronis account, all your licenses are automatically
allocated to this server.
Important
Before upgrading to Acronis Cyber Protect Update 3, export your locally stored perpetual licenses
to a file, and then add them to your Acronis account.
You can also use the URL
https://<IP address of your management server>:<port>/api/account_server/v2/licensing/legacy/license_keys
to check the license keys that you entered locally on this server.
1. After installing Acronis Cyber Protect management server, log in to its local web console.
2. In the dialog box that opens, click Sign in.
3. Sign in to your Acronis account.
The management server is automatically registered and activated. To start protecting your
workloads, ensure that at least one license is allocated to this server.
Note
Online management servers require Internet access to synchronize the licensing information to
your Acronis account. If such a server stays offline for more than 30 days, its protection plans will
stop working and your workloads will become unprotected.
1. After installing Acronis Cyber Protect management server, log in to its local web console.
2. In the dialog box that opens, click Activation through file.
3. Under I do not have an activation file, click Download the registration file.
The registration file is downloaded to your machine.
4. On a machine with access to the Internet, log in to the Acronis Cyber Protection service console
in the cloud, and then navigate to Settings > License usage.
5. In the Register offline management server section, click Upload registration file.
6. Select the registration file that you downloaded from your offline management server.
7. In the dialog box that opens, click Download file.
An activation file is downloaded to your machine.
Note
If this offline management server is the only management server in your environment, the
licenses in your Acronis account will be automatically allocated to it. The activation file will
contain this information, so no additional allocation is required.
If this is not the only management server in your environment, after the registration, you must
allocate licenses by following the procedure in "Allocating licenses to a management server" (p.
25).
8. In the local web console of the offline management server, go to the Activation through file
dialog box.
Note
If the Activation through file dialog box is not open, navigate to Settings > License usage, and
then click Activate through file.
9. Under I have an activation file, click Upload file, and then select the activation file.
1. In the Acronis Cyber Protection service console in the cloud, click Settings > License usage.
2. Navigate to the management server that you want to allocate a license to.
3. Click Allocate licenses.
4. In the dialog box that opens, specify the license and the license quota that you want to allocate
to this server.
5. Click Allocate.
As a result, the licensing information is automatically synchronized with the management server
and you can protect your workloads by using the allocated license.
Note
If the number of used protection agents is bigger than the modified license quota allows, the
least-loaded agents will stop working. If the automatic selection does not fit your needs, reassign the
available licenses manually.
To allocate licenses to an offline management server, you need a second machine that has access to
the Internet.
1. On a machine with Internet access, log in to the Acronis Cyber Protection service console in
the cloud, and then click Settings > License usage.
2. Navigate to the management server that you want to allocate a license to.
3. Click Allocate licenses.
4. In the dialog box that opens, specify the license and the license quota that you want to allocate
to this server.
5. Click Allocate.
6. In the Activation file generated dialog box, click Download file.
The activation file is downloaded to your machine.
7. In the local console of the offline management server, navigate to Settings > License usage, and
then click Activate through file.
8. In the dialog box that opens, under I have an activation file, click Upload file, and then select
the activation file.
As a result, the licensing information is synchronized between your Acronis account and the offline
management server.
1. Decrease the license quota that is allocated to the original management server, and then
synchronize the change with your Acronis account.
The released license quota appears in the Unallocated licenses section in the Acronis Cyber
Protection service console in the cloud.
2. Allocate the license quota to the second management server, and then synchronize the change
with your Acronis account.
1. On a machine with access to the Internet, log in to the Acronis Cyber Protection service console
in the cloud, and then click Settings > License usage.
2. Navigate to the management server that you want to allocate a license to. Click Allocate
licenses.
3. In the dialog box that opens, modify the licenses and the license quota allocated to this server.
Click Save.
The new allocation is now pending. To cancel it, click Remove this allocation.
4. In the Allocate licenses to an offline management server dialog box, click Download file.
The activation file is downloaded to your machine.
5. In the local web console of the offline management server, navigate to Settings > License
usage, and then click Activate through file.
6. In the dialog box that opens, under I have an activation file, click Upload file, and then select
the activation file.
7. In the dialog box that opens, click Download confirmation file.
The confirmation file is downloaded to your machine.
8. In the Acronis Cyber Protection service console in the cloud, click Settings > License usage.
As a result, the licensing information is synchronized between your Acronis account and the offline
management server.
Note
If the number of used protection agents is bigger than the modified license quota allows, the
least-loaded agents will stop working. If the automatic selection does not fit your needs, reassign the
available licenses manually.
1. In the Acronis Cyber Protect local web console, click Devices, and then select the desired
workload.
2. Click Details, navigate to the License section, and then click Change.
3. Select the desired license, and then click Change.
1. In the Acronis Cyber Protection service console in the cloud, click Settings > License usage.
2. Navigate to the desired management server, and then click Unregister.
As a result, all licenses that were allocated to the unregistered server are released and reverted to
the unallocated state. In the Acronis Cyber Protection service console in the cloud you can allocate
them to other management servers. In the Acronis Cyber Protect local web console the licenses are
reset to zero.
To unregister an offline management server, you need a second machine that has access to the
Internet.
1. On a machine with Internet access, log in to the Acronis Cyber Protection service console in the
cloud, and then click Settings > License usage.
2. Navigate to the desired management server, and then click Unregister.
3. If you have access to this server, do the following:
a. Download the deactivation file.
b. In the local console of the management server that you want to unregister, go to Settings
> License usage, and then click Activate through file.
c. In the dialog box that opens, under I have an activation file, click Upload file, and then
select the deactivation file.
Important
The server will be removed from your account and you will not be able to register it again.
As a result, all licenses that were allocated to the unregistered server are released and reverted to
the unallocated state. In the Acronis Cyber Protection service console in the cloud you can allocate
them to other management servers. In the Acronis Cyber Protect local web console the licenses are
reset to zero.
Acronis Cyber Protect Management Server is the central point for managing all of your backups.
With the on-premises deployment, it is installed in your local network; with the cloud deployment, it
is located in one of the Acronis data centers. The web interface to this server is named a Cyber
Protect web console.
Acronis Cyber Protect Management Server is responsible for the communication with Cyber Protect
Agents and performs general plan management functions. Before every protection activity, agents
refer to the management server to verify the prerequisites. Sometimes, the connection to the
management server could be lost, which will prevent the deployment of new protection plans.
However, if a protection plan has already been deployed to a machine, the agent continues the
protection operations for 30 days after the communication with the management server is lost.
Both types of deployment require that a protection agent is installed on each machine that you
want to back up. The supported types of storage are also the same. The cloud storage space is sold
separately from the Acronis Cyber Protect licenses.
Installation in Windows is recommended because you will be able to deploy agents to other
machines from the management server. With the Advanced license, it is possible to create
organizational units and add administrators to them. This way, you can delegate protection
management to other people whose access permissions will be strictly limited to the corresponding
units.
Installation in Linux is recommended in a Linux-only environment. You will need to install an agent
locally on the machines that you want to back up.
Access to the account server enables you to create user accounts, set service usage quotas for
them, and create groups of users (units) to reflect the structure of your organization. Every user can
Administrator accounts can be created at the unit or organization level. Each account has a view
scoped to their area of control. Users have access only to their own backups.
The following table summarizes differences between the on-premises and cloud deployments. Each
column lists the features that are available only in the corresponding type of deployment.
On-premises
• Acronis Cyber Infrastructure as a backup
• Tape devices and Acronis Storage Nodes as backup locations*
• Off-host data processing*
• Conversion of a backup to a virtual machine
• Upgrade from previous versions of Acronis Cyber Protect, including Acronis Backup for VMware
• Participation in the Acronis Customer Experience

Cloud
• Agent for Virtuozzo (backup of Virtuozzo virtual
• Disaster recovery as a cloud service***
**The OneDrive root folder is excluded from backup operations by default. If you select to back up
specific OneDrive files and folders, they will be backed up. Files that are not available on the device
will have invalid contents in the archive.
3.2 Components
3.2.1 Agents
Agents are applications that perform data backup, recovery, and other operations on the machines
managed by Acronis Cyber Protect.
Choose an agent, depending on what you are going to back up. The following table summarizes the
information, to help you decide.
Note that Agent for Windows is installed along with Agent for Exchange, Agent for SQL, Agent for
Active Directory, and Agent for Oracle. If you install, for example, Agent for SQL, you also will be able
to back up the entire machine where the agent is installed.
| What are you going to back up? | Which agent to install? | Where to install it? | Agent availability: On-premises | Agent availability: Cloud |
|---|---|---|---|---|
| Physical machines | | | | |
| Applications | | | | |
| Exchange databases and mailboxes | Agent for Exchange | On the machine running the Mailbox role of Microsoft Exchange Server.* If only mailbox backup is required, the agent can be installed on any Windows machine that has network access to the machine running the Client Access role of Microsoft Exchange Server. | + | + No mailbox backup |
| Microsoft Office 365 mailboxes | Agent for Office 365 | On a Windows machine that is connected to the Internet. | + | + |
| Machines running Active Directory Domain Services | Agent for Active Directory | On the domain controller. | + | + |
| Machines running Oracle Database | Agent for Oracle | On the machine running Oracle Database. | + | - |
| Virtual machines | | | | |
| VMware ESXi virtual machines | Agent for VMware (Windows) | On a Windows machine that has network access to vCenter Server and to the virtual machine storage.** | + | + |
| VMware ESXi virtual machines | Agent for VMware (Virtual Appliance) | On the ESXi host. | + | + |
| Virtual machines hosted on Windows Azure | | | + | + |
| Virtual machines hosted on Amazon EC2 | | | + | + |
| Mobile devices | | | | |
*During the installation, Agent for Exchange checks for enough free space on the machine where it
will run. Free space equal to 15 percent of the biggest Exchange database is temporarily needed
during a granular recovery.
**If your ESXi uses a SAN attached storage, install the agent on a machine connected to the same
SAN. The agent will back up the virtual machines directly from the storage rather than via the ESXi
host and LAN. For detailed instructions, refer to "LAN-free backup".
Performs antimalware scan of backups in a cloud storage, a local or shared folder.
• Backup scanning plans
• Backup scanning details widget
• Corporate whitelist
• Safe recovery
• The Status column in the list of backups

| Component | Function | Where to install it? | Availability: On-premises | Availability: Cloud |
|---|---|---|---|---|
| Command-Line Tool | Provides the command-line interface. | On a machine running Windows or Linux. | + | + |
| Acronis Cyber Protect 15 Monitor | Enables users to monitor backups outside the web interface. | On a machine running Windows or macOS. | + | + |
| Storage Node | Stores backups. It is required for cataloging and deduplication. | On a machine running Windows. | + | - |
| Catalog Service | Performs cataloging of backups on storage nodes. | On a machine running Windows. | + | - |
| PXE Server | Enables booting machines into bootable media through the network. | On a machine running Windows. | + | - |
Without another security solution, you can use Acronis Cyber Protect for complete cyber protection
or for traditional backup and recovery, depending on your license and your needs. For more
information about the features available with each license, refer to "Acronis Cyber Protect 15
Editions Comparison including Cloud deployment." You can adjust the scope of your protection
plans by enabling only the modules that you need.
Alternatively, you might want to enhance your cyber protection without disabling or removing your
current security solution. This is also possible – just ensure that you do not use the Antivirus and
antimalware module in your protection plans. All other modules can be used freely.
3.3.1 Limitations
• Antimalware scan of backups requires that you install Scan Service when installing Cyber Protect
Management Server.
• Remote access via HTML5 client is only available if Cyber Protect Management Server is installed
on a machine running Linux.
In other web browsers (including Safari browsers running in other operating systems), the user
interface might be displayed incorrectly or some functions may be unavailable.
Agents
Agent for SQL, Agent for Exchange (for database backup and application-aware
backup), Agent for Active Directory
Each of these agents can be installed on a machine running any operating system listed above and a
supported version of the respective application, with the following exception:
• Agent for SQL is not supported for on-premises deployment on Windows 7 Starter and Home
editions (x86, x64)
• Windows Server 2008 – Standard, Enterprise, Datacenter, Foundation, and Web editions (x86,
x64)
• Windows Small Business Server 2008
• Windows 7 – all editions
• Windows Server 2008 R2 – Standard, Enterprise, Datacenter, Foundation, and Web editions
• Windows MultiPoint Server 2010/2011/2012
• Windows Small Business Server 2011 – all editions
• Windows 8/8.1 – all editions (x86, x64), except for the Windows RT editions
• Windows Server 2012/2012 R2 – all editions
• Windows Storage Server 2008/2008 R2/2012/2012 R2
• Windows 10 – Home, Pro, Education, and Enterprise editions
Note
The following Linux distributions and kernel versions have been specifically tested. However, even if
your Linux distribution or kernel version is not listed below, it may still work correctly in all required
scenarios, due to the specifics of the Linux operating systems.
If you encounter issues while using Acronis Cyber Protect with your combination of Linux
distribution and kernel version, contact the Support team for further investigation.
Linux with kernel from 2.6.9 to 5.8 and glibc 2.3.4 or later, including the following x86 and
x86_64 distributions:
• Red Hat Enterprise Linux 4.x, 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*
Important
Configurations with Stratis are not supported for the following Red Hat Enterprise Linux versions:
8.0, 8.1, 8.2, 8.3, 8.4.
• Ubuntu 9.10, 10.04, 10.10, 11.04, 11.10, 12.04, 12.10, 13.04, 13.10, 14.04, 14.10, 15.04, 15.10,
16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 19.04, 19.10, 20.04
Important
Configurations with Btrfs are not supported for SUSE Linux Enterprise Server 12 and SUSE Linux
Enterprise Server 15.
• Debian 4.x, 5.x, 6.x, 7.0, 7.2, 7.4, 7.5, 7.6, 7.7, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.11, 9.0, 9.1,
9.2, 9.3, 9.4, 9.5, 9.6, 9.7, 9.8, 10
• CentOS 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*
Important
Configurations with Stratis are not supported for the following CentOS versions: 8.0, 8.1, 8.2, 8.3,
8.4.
• CentOS Stream 8
• Oracle Linux 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4* – both Unbreakable Enterprise Kernel and Red Hat
Compatible Kernel
• CloudLinux 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*
• ClearOS 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*
• AlmaLinux 8.4*
• ALT Linux 7.0
Before installing the product on a system that does not use RPM Package Manager, such as an
Ubuntu system, you need to install this manager manually; for example, by running the following
command (as the root user): apt-get install rpm
VMware ESXi 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, 6.7, 7.0
In Windows
• Windows 7 – all editions (x86, x64)
• Windows Server 2008 R2 – Standard, Enterprise, Datacenter, and Foundation editions
• Windows Home Server 2011
• Windows MultiPoint Server 2010/2011/2012
• Windows Small Business Server 2011 – all editions
• Windows 8/8.1 – all editions (x86, x64), except for the Windows RT editions
• Windows Server 2012/2012 R2 – all editions
• Windows Storage Server 2008 R2/2012/2012 R2/2016
• Windows 10 – Home, Pro, Education, Enterprise, IoT Enterprise, and LTSC (formerly LTSB) editions
• Windows Server 2016 – all installation options, except for Nano Server
In Linux
Note
The following Linux distributions and kernel versions have been specifically tested. However, even if
your Linux distribution or kernel version is not listed below, it may still work correctly in all required
scenarios, due to the specifics of the Linux operating systems.
If you encounter issues while using Acronis Cyber Protect with your combination of Linux
distribution and kernel version, contact the Support team for further investigation.
Linux with kernel from 2.6.9 to 5.8 and glibc 2.3.4 or later, including the following x86_64
distributions.
• Red Hat Enterprise Linux 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*
Important
Configurations with Stratis are not supported for the following Red Hat Enterprise Linux versions:
8.0, 8.1, 8.2, 8.3, 8.4.
• Ubuntu 9.10, 10.04, 10.10, 11.04, 11.10, 12.04, 12.10, 13.04, 13.10, 14.04, 14.10, 15.04, 15.10,
16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 19.04, 19.10, 20.04
• Fedora 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31
• SUSE Linux Enterprise Server 10, 11, 12, 15
Important
Configurations with Btrfs are not supported for SUSE Linux Enterprise Server 12 and SUSE Linux
Enterprise Server 15.
• Debian 5.x, 6.x, 7.0, 7.2, 7.4, 7.5, 7.6, 7.7, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.11, 9.0, 9.1, 9.2,
9.3, 9.4, 9.5, 9.6, 9.7, 9.8, 10
• CentOS 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*
Important
Configurations with Stratis are not supported for the following CentOS versions: 8.0, 8.1, 8.2, 8.3,
8.4.
• CentOS Stream 8
• Oracle Linux 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4* – both Unbreakable Enterprise Kernel and Red Hat
Compatible Kernel
• CloudLinux 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*
To protect machines running Windows XP SP1 (x64), Windows XP SP2 (x64), or Windows XP SP3
(x86), use the regular Agent for Windows.
Agent for Windows XP SP2 requires an Acronis Cyber Backup 12.5 license. Acronis Cyber Protect 15
license keys are not supported.
Installation
Agent for Windows XP SP2 requires at least 550 MB of disk space and 150 MB of RAM. While backing
up, the agent typically consumes about 350 MB of memory. The peak consumption may reach 2 GB,
depending on the amount of data being processed.
Agent for Windows XP SP2 can be installed only locally on the machine that you want to back up. To
download the agent setup program, click the account icon in the top-right corner, and then click
Downloads > Agent for Windows XP SP2.
Cyber Protect Monitor and Bootable Media Builder cannot be installed. To download the bootable
media ISO file, click the account icon in the top-right corner > Downloads > Bootable media.
If you updated Windows XP from SP2 to SP3, uninstall Agent for Windows XP SP2, and then install
the regular Agent for Windows.
Limitations
• Only disk-level backup is available. Individual files can be recovered from a disk or volume
backup.
• Schedule by events is not supported.
• Conditions for protection plan execution are not supported.
• Only the following backup destinations are supported:
  ◦ Cloud storage
  ◦ Local folder
  ◦ Network folder
  ◦ Secure Zone
• The Version 12 backup format and the features that require the Version 12 backup format are
not supported. In particular, physical data shipping is not available. The Performance and
backup window option, if enabled, applies only the green-level settings.
• Selection of individual disks/volumes for recovery and manual disk mapping during a recovery
are not supported in the web interface. This functionality is available under bootable media.
• Off-host data processing is not supported.
• Agent for Windows XP SP2 cannot perform the following operations with backups:
  ◦ Converting backups to a virtual machine
  ◦ Mounting volumes from a backup
  ◦ Extracting files from a backup
  ◦ Export and manual validation of a backup.
You can perform these operations by using another agent.
• Backups created by Agent for Windows XP SP2 cannot be run as a virtual machine.
The SQL Server Express editions of the above SQL server versions are supported as well.
*In order to use SharePoint Explorer with these versions, you need a SharePoint recovery farm to
attach the databases to.
The backups or databases from which you extract data must originate from the same SharePoint
version as the one where SharePoint Explorer is installed.
Because SAP HANA does not support recovery of multitenant database containers by using storage
snapshots, this solution supports SAP HANA containers with only one tenant database.
Note
The following hypervisor vendors and versions supported via the Backup from inside a guest OS
method have been specifically tested. However, even if you run a hypervisor from a vendor or
hypervisor with a version that is not listed below, the Backup from inside a guest OS method may
still work correctly in all required scenarios.
If you encounter issues while using Acronis Cyber Protect with your combination of hypervisor
vendor and version, contact the Support team for further investigation.
Table columns: Platform; Backup at a hypervisor level (agentless backup); Backup from inside a guest OS

VMware
VMware vSphere versions: 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, 6.7, 7.0
VMware vSphere editions:
VMware Workstation, VMware ACE, VMware Player: +
Microsoft
Scale Computing
Citrix
Citrix XenServer 4.1.5, 5.5, 5.6, 6.0, 6.1, 6.2, 6.5, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6: Only fully virtualized (aka HVM) guests. Paravirtualized (aka PV) guests are not supported.
Red Hat Enterprise Virtualization (RHEV) 2.2, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6; Red Hat Virtualization (RHV) 4.0, 4.1: +
Parallels
Parallels Workstation: +
Oracle
Nutanix
Amazon
Microsoft Azure
* In these editions, the HotAdd transport for virtual disks is supported on vSphere 5.0 and later. On
version 4.1, backups may run slower.
** Backup at a hypervisor level is not supported for vSphere Hypervisor because this product
restricts access to Remote Command Line Interface (RCLI) to read-only mode. The agent works
during the vSphere Hypervisor evaluation period while no serial key is entered. Once you enter a
serial key, the agent stops functioning.
Limitations
• Fault tolerant machines
Agent for VMware backs up a fault tolerant machine only if fault tolerance was enabled in
VMware vSphere 6.0 and later. If you upgraded from an earlier vSphere version, it is enough to
disable and enable fault tolerance for each machine. If you are using an earlier vSphere version,
install an agent in the guest operating system.
• Independent disks and RDM
Agent for VMware does not back up Raw Device Mapping (RDM) disks in physical compatibility
mode or independent disks. The agent skips these disks and adds warnings to the log. You can
avoid the warnings by excluding independent disks and RDMs in physical compatibility mode
from the protection plan. If you want to back up these disks or data on these disks, install an
agent in the guest operating system.
• Pass-through disks
Agent for Hyper-V does not back up pass-through disks. During backup, the agent skips these
disks and adds warnings to the log. You can avoid the warnings by excluding pass-through disks
In Red Hat Enterprise Linux, CentOS, and Fedora, the packages normally will be installed by the
setup program. In other distributions, you need to install the packages if they are not installed or do
not have the required versions.
1. Run the following command to find out the kernel version and the required GCC version:
cat /proc/version
This command returns lines similar to the following: Linux version 2.6.35.6 and gcc version
4.5.1
2. Run the following command to check whether the Make tool and the GCC compiler are installed:
make -v
gcc -v
For gcc, ensure that the version returned by the command is the same as in the gcc version in
step 1. For make, just ensure that the command runs.
3. Check whether the appropriate version of the packages for building kernel modules is installed:
• In Red Hat Enterprise Linux, CentOS, and Fedora, run the following command:
In either case, ensure that the package versions are the same as in Linux version in step 1.
4. Run the following command to check whether the Perl interpreter is installed:
perl --version
If you see the information about the Perl version, the interpreter is installed.
If you see the information about the library version, the library is installed.
| Linux distribution | Package names | How to install |
|---|---|---|
| Red Hat Enterprise Linux | kernel-devel, gcc, make, elfutils-libelf-devel | The setup program will download and install the packages automatically by using your Red Hat subscription. |
| Red Hat Enterprise Linux | perl | Run the following command: yum install perl |
| CentOS, Fedora | kernel-devel, gcc, make, elfutils-libelf-devel | The setup program will download and install the packages automatically. |
| CentOS, Fedora | perl | Run the following command: yum install perl |
The packages will be downloaded from the distribution's repository and installed.
• The machine does not have an active Red Hat subscription or Internet connection.
• The setup program cannot find the kernel-devel or gcc version corresponding to the kernel
version. If the available kernel-devel is more recent than your kernel, you need to either update
the kernel or install the matching kernel-devel version manually.
• You have the required packages on the local network and do not want to spend time on
automatic search and downloading.
Obtain the packages from your local network or a trusted third-party website, and install them as
follows:
• In Red Hat Enterprise Linux, CentOS, or Fedora, run the following command as the root user:
1. Run the following command to determine the kernel version and the required GCC version:
cat /proc/version
2. Obtain the kernel-devel and gcc packages that correspond to this kernel version:
kernel-devel-2.6.35.6-45.fc14.i686.rpm
gcc-4.5.1-4.fc14.i686.rpm
make-3.82-3.fc14.i686
4. Install the packages by running the following commands as the root user:
You can specify all these packages in a single rpm command. Installing any of these packages may
require installing additional packages to resolve dependencies.
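The version checks from the steps above, as an added shell example that is not part of the Acronis documentation: it extracts the kernel release and the kernel's GCC version from a /proc/version line and reports a gcc or kernel-devel package that does not match. The function names are hypothetical, the sample line is constructed from the versions quoted in the text, and the kernel-devel package name is passed in by the operator.

```shell
#!/bin/sh
# Added example (not Acronis code): compare build tool versions with the running kernel.

# Constructed sample in /proc/version format, using the versions quoted in the text.
SAMPLE_PROC_VERSION='Linux version 2.6.35.6-45.fc14.i686 (mockbuild@build.example) (gcc version 4.5.1 20100924 (Red Hat 4.5.1-4) (GCC) ) #1 SMP Mon Oct 18 23:56:17 UTC 2010'

# Step 1: the kernel release is the third field of /proc/version.
kernel_release() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Step 1: GCC version the kernel was built with. Handles the older
# "gcc version X.Y.Z" wording and the newer "(gcc (GCC) X.Y.Z" wording.
gcc_version_in() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*gcc version \([0-9][0-9.]*\).*/\1/p' \
        -e 's/.*(gcc ([^)]*) \([0-9][0-9.]*\).*/\1/p'
}

# Step 2: version of the installed compiler, parsed from "gcc -v".
installed_gcc_version() {
    gcc_version_in "$(gcc -v 2>&1)"
}

# Step 3: a kernel-devel package matches only if its version-release-arch
# equals the kernel release exactly; a newer kernel-devel does not qualify.
devel_matches_kernel() (
    pkg=${1%.rpm}
    [ "$pkg" = "kernel-devel-$2" ]
)

# Print one line per mismatch; print nothing when everything matches.
# Arguments: /proc/version line, installed gcc version, kernel-devel package name.
version_problems() (
    want_gcc=$(gcc_version_in "$1")
    release=$(kernel_release "$1")
    if [ -z "$want_gcc" ]; then
        echo "cannot determine the GCC version the kernel was built with"
    elif [ "$2" != "$want_gcc" ]; then
        echo "gcc ${2:-<none>} is installed, but the kernel was built with gcc $want_gcc"
    fi
    if ! devel_matches_kernel "$3" "$release"; then
        echo "$3 does not match kernel $release"
    fi
)

# Steps 2 and 4: make and perl only need to be present.
missing_tools() (
    for tool in make perl; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
)

if [ "${1:-}" = "--live" ]; then
    # Live check: the second argument is the kernel-devel package name to verify.
    version_problems "$(cat /proc/version)" "$(installed_gcc_version)" "${2:-}"
    missing_tools | sed 's/$/ is not installed/'
else
    echo "Matching sample:"
    version_problems "$SAMPLE_PROC_VERSION" 4.5.1 kernel-devel-2.6.35.6-45.fc14.i686.rpm
    echo "Mismatching sample:"
    version_problems "$SAMPLE_PROC_VERSION" 4.4.7 kernel-devel-2.6.35.6-48.fc14.i686.rpm
fi
```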
Disk-level encryption software encrypts data on the fly. This is why data contained in the backup is
not encrypted. Disk-level encryption software often modifies system areas: boot records, or
partition tables, or file system tables. These factors affect disk-level backup and recovery, the ability
of the recovered system to boot and access to Secure Zone.
You can back up the data encrypted by the following disk-level encryption software:
To ensure reliable disk-level recovery, follow the common rules and software-specific
recommendations.
If you only need to recover one partition of a multi-partitioned disk, do so under the operating
system. Recovery under bootable media may make the recovered partition undetectable for
Windows.
If the recovered system fails to boot, rebuild the Master Boot Record as described in the following
Microsoft knowledge base article: https://support.microsoft.com/kb/2622803
While backing up, an agent typically consumes about 350 MB of memory (measured during a 500-
GB volume backup). The peak consumption may reach 2 GB, depending on the amount and type of
data being processed.
Backing up to big archives (600 GB or more) requires about 1 GB of RAM per 1 TB of archive size.
A management server with one registered machine consumes 200 MB of memory. Each of the
newly registered machines adds about 2 MB. Thus, a server with 100 registered machines consumes
approximately 400 MB above the operating system and running applications. The maximum
number of registered machines is 900-1000. This limitation originates from the management
server's embedded SQLite.
You can overcome this limitation by specifying an external Microsoft SQL Server instance during the
management server installation. With an external SQL database, up to 8000 machines can be
registered without significant performance degradation. The SQL Server will then consume about 8
GB of RAM. For better backup performance, we recommend managing the machines by groups,
with up to 500 machines in each.
The following table summarizes the file systems that can be backed up and recovered. The
limitations apply to both the agents and bootable media.
Supported by
Linux-
File system WinPE Mac Limitations
based
Agents bootable bootable
bootable
media media
media
HFS+ - - +
l Supported
starting with
macOS High
Sierra 10.13
Agent for l Disk
Mac configuration
APFS - - +
should be re-
created
manually when
recovering to a
non-original
machine or
bare metal.
l Files cannot be
JFS - + - excluded from
a disk backup
Agent for
l Fast
Linux
incremental/
differential
ReiserFS3 - + - backup cannot
be enabled
l Files cannot be
excluded from
a disk backup
l Fast
All agents incremental/
differential
backup cannot
be enabled
XFS + + + l Volumes
cannot be
resized during
a recovery
l Recovering files
from a backup
stored on a
tape is not
supported
Agent for
Linux swap - + - No limitations
Linux
l Only
+ + +
disk/volume
exFAT All agents Bootable backup is
media supported
cannot be l Files cannot be
excluded from
The software automatically switches to the sector-by-sector mode when backing up drives with
unrecognized or unsupported file systems. A sector-by-sector backup is possible for any file system
that:
• is block-based
• spans a single disk
• has a standard MBR/GPT partitioning scheme
If the file system does not meet these requirements, the backup fails.
Data Deduplication
In Windows Server 2012 and later, you can enable the Data Deduplication feature for an NTFS
volume. Data Deduplication reduces the used space on the volume by storing duplicate fragments
of the volume's files only once.
You can back up and recover a data deduplication–enabled volume at a disk level, without
limitations. File-level backup is supported, except when using Acronis VSS Provider. To recover files
from a disk backup, either run a virtual machine from your backup, or mount the backup on a
machine running Windows Server 2012 or later, and then copy the files from the mounted volume.
The Data Deduplication feature of Windows Server is unrelated to the Acronis Backup Deduplication
feature.
Visit our Knowledge Base for a list of ports, services, and processes that Acronis Cyber Protect uses:
• For Windows, see Acronis Cyber Protect 15: Windows services and processes
(https://kb.acronis.com/content/65663).
• For Linux, see Acronis Cyber Protect 15: Linux components, services, and processes
(https://kb.acronis.com/content/67276).
Installation in Windows
To install the management server
1. Log on as an administrator and start the Acronis Cyber Protect setup program.
2. [Optional] To change the language the setup program is displayed in, click Setup language.
3. Accept the terms of the license agreement and select whether the machine will participate in the
Acronis Customer Experience Program (ACEP).
4. Leave the default setting Install a protection agent and management server.
To start using your management server, activate it by signing in to your Acronis account or through
an activation file.
Common settings
• The components to be installed.

| Component | Description |
|---|---|
| Management Server | Management Server is the central point for managing all of your backups. With the on-premise deployment, it is installed in your local network. |
| Agent for Windows | This agent backs up disks, volumes, and files, and will be installed on Windows machines. It is always installed and is not selectable. |
| Agent for Hyper-V | This agent backs up Hyper-V virtual machines and will be installed on Hyper-V hosts. It will be installed if selected and if the Hyper-V role is detected on a machine. |
| Agent for Exchange | This agent backs up Exchange databases and mailboxes and will be installed on machines running the Mailbox role of Microsoft Exchange Server. It will be installed if selected and if the application is detected on a machine. |
| Agent for Active Directory | This agent backs up the data of Active Directory Domain Services and will be installed on domain controllers. It will be installed if selected and if the application is detected on a machine. |
| Agent for VMware (Windows) | This agent backs up VMware virtual machines and will be installed on Windows machines that have network access to vCenter Server. It will be installed if selected. |
| Agent for Office 365 | This agent backs up Microsoft Office 365 mailboxes to a local destination and will be installed on Windows machines. It will be installed if selected. |
| Agent for Oracle | This agent backs up Oracle databases and will be installed on machines running Oracle Database. It will be installed if selected. |
| Cyber Protect Monitor | This component enables a user to monitor the execution of running tasks in the notification area and will be installed on Windows machines. It will be installed if selected. |
| Command-line tool | Cyber Protect supports the command-line interface with the acrocmd utility. acrocmd does not contain any tools that physically execute the commands. It only provides the command-line interface to Cyber Protect components (agents and the management server). It will be installed if selected. |
1. Included in the Backup Operators and Administrators groups. On a Domain Controller, the
user must be included in the group Domain Admins.
2. Granted the Full Control permission on the folder %PROGRAMDATA%\Acronis (in Windows XP and
Server 2003, %ALLUSERSPROFILE%\Application Data\Acronis) and on its subfolders.
3. Granted the Full Control permission on certain registry keys in the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Acronis.
4. Assigned the following user rights:
• Log on as a service
• Adjust memory quotas for a process
• Replace a process level token
• Modify firmware environment values
The ASN user must have local administrator rights on the machine where Acronis Storage Node is
installed.
Note that it is not recommended to change logon accounts manually after the installation is
completed.
Agent installation
• Whether the agent will connect to the Internet through an HTTP proxy server, when backing up to
and recovering from the cloud storage.
If a proxy server is required, specify its host name or IP address and the port number. If your
proxy server requires authentication, specify the proxy server credentials.
Installation in Linux
Preparation
1. Before installing the product on a system that does not use RPM Package Manager, such as an
Ubuntu system, you need to install this manager manually; for example, by running the following
command (as the root user): apt-get install rpm.
2. If you want to install Agent for Linux along with the management server, ensure that the
necessary Linux packages are installed on the machine.
3. Choose the database to be used by the management server.
Limitation
Management servers that run on Linux machines do not support remote installation of protection
agents, which is used, for example, in the autodiscovery procedure. For more information about a
possible workaround, refer to our knowledge base: https://kb.acronis.com/content/69553.
Installation
To install the management server, you need at least 4 GB of free disk space.
To start using your management server, activate it by signing in to your Acronis account or through
an activation file.
• CentOS
• Acronis Cyber Protect components:
  o Management Server
  o Agent for Linux
  o Agent for VMware (Linux)
The appliance is provided as a .zip archive. The archive contains the .ovf and .iso files. You can
deploy the .ovf file to an ESXi host or use the .iso file to boot an existing virtual machine. The archive
also contains the .vmdk file, which should be placed in the same directory as the .ovf file.
Note
VMware Host Client (a web client used to manage standalone ESXi 6.0+) does not allow deploying
OVF templates with an ISO image inside. If this is your case, create a virtual machine that meets the
requirements below, and then use the .iso file to install the software.
Limitation
Management servers that run on Linux machines, including Acronis Cyber Protect appliance, do not
support remote installation of protection agents, which is used, for example, in the autodiscovery
procedure. For more information about a possible workaround, refer to our knowledge
base: https://kb.acronis.com/content/69553.
As a result, CentOS and Acronis Cyber Protect will be installed on the machine.
Further actions
After the installation is completed, the software displays the links to the Cyber Protect web console
and the Cockpit web console. Connect to the Cyber Protect web console to start using Acronis Cyber
Protect: add more devices, create backup plans, and so on.
To add ESXi virtual machines, click Add > VMware ESXi, and then specify the address and
credentials for the vCenter Server or stand-alone ESXi host.
There are no Acronis Cyber Protect settings that are configured in the Cockpit web console. The
console is provided for convenience and troubleshooting.
As a result, Acronis Cyber Protect will be updated. If the CentOS version in the .iso file is also newer
than the version on the disk, the operating system will be updated before updating Acronis Cyber
Protect.
If the management server is installed in Linux, you will be asked to select the setup program based
on the type of the machine that you want to add. Once the setup program is downloaded, run it
locally on that machine.
The operations described later in this section are possible if the management server is installed in
Windows. In most cases, the agent will be silently deployed to the selected machine.
Preparation
1. For successful installation on a remote machine running Windows Vista or later, the option
Control panel > Folder options > View > Use Sharing Wizard must be disabled on that
machine.
2. For successful installation on a remote machine that is not a member of an Active Directory
domain, User Account Control (UAC) must be disabled on that machine. For more information on
how to disable it, refer to "Requirements on User Account Control (UAC)" > To disable UAC.
3. By default, the credentials of the built-in administrator account are required for remote
installation on any Windows machine. To perform remote installation by using the credentials of
another administrator account, User Account Control (UAC) remote restrictions must be disabled.
For more information on how to disable them, refer to "Requirements on User Account Control
(UAC)" > To disable UAC remote restrictions.
4. File and Printer Sharing must be enabled on the remote machine. To access this option:
• On a machine running Windows 2003 Server: go to Control panel > Windows Firewall >
Exceptions > File and Printer Sharing.
• On a machine running Windows Vista, Windows Server 2008, Windows 7, or later: go to
Control panel > Windows Firewall > Network and Sharing Center > Change advanced
sharing settings.
5. Acronis Cyber Protect uses TCP ports 445, 25001, and 43234 for remote installation.
Port 445 is automatically opened when you enable File and Printer Sharing. Ports 43234 and
25001 are automatically opened through Windows Firewall. If you use a different firewall, make
sure that these three ports are open (added to exceptions) for both incoming and outgoing
requests.
After the remote installation is complete, port 25001 is automatically closed through Windows
Firewall. Ports 445 and 43234 need to remain open if you want to update the agent remotely in
the future. Port 25001 is automatically opened and closed through Windows Firewall during each
update. If you use a different firewall, keep all three ports open.
Installation packages
Agents are installed from installation packages. The management server takes the packages from
the local folder specified in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\RemoteInstallationFiles\<product build number>. The default
location is %ProgramFiles%\Acronis\RemoteInstallationFiles\<product build number>.
You may need to download the installation packages in the following situations:
• Components for remote installation were not installed during the management server
installation.
• Installation packages were manually removed from the location specified in the registry key.
• You need to add a 32-bit machine to the 64-bit management server or vice versa.
• You need to update agents on a 32-bit machine from the 64-bit management server or vice versa,
by using the Agents tab.
1. In the Cyber Protect web console, click the account icon in the top-right corner > Downloads.
2. Select Offline installer for Windows. Pay attention to the required bitness – 32-bit or 64-bit.
3. Save the installer to the packages location.
5. Select the name or IP address that the agent will use to access the management server.
By default, the server name is chosen. You may need to change this setting if the DNS server is
unable to resolve the name to the IP address, which results in an agent registration failure.
To disable UAC
Note
For security reasons, after finishing the management operation (for example, remote installation),
it is recommended that you revert both settings to their original state: EnableLUA=1 and
LocalAccountTokenFilterPolicy=0.
5. Select the name or IP address that the agent will use to access the management server.
By default, the server name is chosen. You may need to change this setting if the DNS server is
unable to resolve the name to the IP address, which results in an agent registration failure.
Preparation
Follow the preparatory steps described in the "Adding a machine running Windows" section.
Installation
1. Click All devices > Add.
2. Click VMware ESXi.
3. Select Remotely install on a machine running Windows.
4. Select the deployment agent.
5. Specify the host name or IP address of the target machine, and the credentials of an account
with administrative privileges on that machine.
6. Select the name or IP address that the agent will use to access the management server.
By default, the server name is chosen. You may need to change this setting if the DNS server is
unable to resolve the name to the IP address, which results in an agent registration failure.
• You can register Agent for VMware (Virtual Appliance) by specifying the management server in
the virtual appliance UI. See step 3 under "Configuring the virtual appliance" in the "Deploying
Agent for VMware (Virtual Appliance) from an OVF template" section.
• Agent for VMware (Windows) is registered during its local installation.
6. Select the name or IP address that the agent will use to access the management server.
By default, the server name is chosen. You may need to change this setting if the DNS server is
unable to resolve the name to the IP address, which results in an agent registration failure.
1. Deploy an Agent for Scale Computing HC3 (Virtual Appliance) in the cluster.
2. Configure its connection both to this cluster and to the Cyber Protect management server.
Installation in Windows
To install Agent for Windows, Agent for Hyper-V, Agent for Exchange, Agent for SQL, or Agent for
Active Directory
1. Log on as an administrator and start the Acronis Cyber Protect setup program.
2. [Optional] To change the language the setup program is displayed in, click Setup language.
3. Accept the terms of the license agreement and select whether the machine will participate in the
Acronis Customer Experience Program (ACEP).
7. If prompted, select whether the machine with the agent will be added to the organization or to
one of the units.
This prompt appears if you administer more than one unit, or an organization with at least one
unit. Otherwise, the machine will be silently added to the unit you administer or to the
organization. For more information, refer to "Administrators and units".
To install Agent for VMware (Windows), Agent for Office 365, Agent for Oracle, or Agent for
Exchange on a machine without Microsoft Exchange Server
1. Log on as an administrator and start the Acronis Cyber Protect setup program.
2. [Optional] To change the language the setup program is displayed in, click Setup language.
4. Select Install a protection agent, and then click Customize installation settings.
5. Next to What to install, click Change.
6. Select the check box corresponding to the agent that you want to install. Clear the check boxes
for the components that you do not want to install. Click Done to continue.
7. Specify the management server where the machine with the agent will be registered:
a. Next to Acronis Cyber Protect Management Server, click Specify.
b. Specify the host name or IP address of the machine where the management server is
installed.
c. Specify the credentials of a management server administrator or a registration token.
For more information on how to generate a registration token, refer to "Deploying agents
through Group Policy".
If you are not a management server administrator, you can still register the machine by
selecting the Connect without authentication option. This works only if the
management server allows anonymous registration, which may be disabled.
d. Click Done.
8. If prompted, select whether the machine with the agent will be added to the organization or to
one of the units.
This prompt appears if you administer more than one unit, or an organization with at least one
unit. Otherwise, the machine will be silently added to the unit you administer or to the
organization. For more information, refer to "Administrators and units".
9. [Optional] Change other installation settings as described in "Customizing installation settings".
10. Click Install to proceed with the installation.
11. After the installation completes, click Close.
12. [Only when installing Agent for VMware (Windows)] Perform the procedure described in
"Configuring an already registered Agent for VMware".
13. [Only when installing Agent for Exchange] Open the Cyber Protect web console, click Add >
Microsoft Exchange Server > Exchange mailboxes, and then specify the machine where the
Client Access server role (CAS) of Microsoft Exchange Server is enabled. For more information,
refer to "Mailbox backup".
Preparation
1. Before installing the product on a system that does not use RPM Package Manager, such as an
Ubuntu system, you need to install this manager manually; for example, by running the following
command (as the root user): apt-get install rpm.
2. Ensure that the necessary Linux packages are installed on the machine.
1. As the root user, run the appropriate installation file (an .i686 or an .x86_64 file).
2. Accept the terms of the license agreement.
3. Specify the components to install:
a. Clear the Acronis Cyber Protect Management Server check box.
b. Select the check boxes for the agents that you want to install. The following agents are
available:
• Agent for Linux
• Agent for Oracle
Agent for Oracle requires that Agent for Linux is also installed.
c. Click Next.
4. Specify the management server where the machine with the agent will be registered:
a. Specify the host name or IP address of the machine where the management server is
installed.
b. Specify the user name and password of a management server administrator or choose
anonymous registration.
Specifying the credentials makes sense if your organization has units, in order to add the
machine to the unit managed by the specified administrator. With anonymous registration,
the machine is always added to the organization. For more information, refer to
"Administrators and units".
Specifying the credentials is necessary if anonymous registration on the management server
is disabled.
c. Click Next.
5. If prompted, select whether the machine with the agent will be added to the organization or to
one of the units, and then press Enter.
This prompt appears if the account specified in the previous step administers more than one
unit or an organization with at least one unit.
6. If UEFI Secure Boot is enabled on the machine, you are informed that you need to restart the
system after the installation. Be sure to remember what password (the one of the root user or
"acronis") should be used.
Note
The installation generates a new key that is used for signing the kernel modules. You must enroll
this new key to the Machine Owner Key (MOK) list by restarting the machine. Without enrolling
the new key, your agent will not be operational. If you enable the UEFI Secure Boot after the
agent is installed, you need to reinstall the agent.
Installation in macOS
To install Agent for Mac
As a result, the .mst transform is generated and the .msi and .cab installation packages are
extracted to the folder you specified.
Here:
• <package name> is the name of the .msi file. This name is AB.msi or AB64.msi, depending on the
operating system bitness.
• <transform name> is the name of the transform. This name is AB.msi.mst or AB64.msi.mst,
depending on the operating system bitness.
Here, <package name> is the name of the .msi file. This name is AB.msi or AB64.msi, depending on
the operating system bitness.
Available parameters and their values are described in "Unattended installation or uninstallation
parameters".
Examples
• Installing Agent for Windows, Command-Line Tool, and Cyber Protect Monitor. Registering the
machine with the agent on a previously installed management server.
In addition to these parameters, you can use other parameters of msiexec, as described at
https://msdn.microsoft.com/en-us/library/windows/desktop/aa367988(v=vs.85).aspx.
Installation parameters
The components to be installed, separated by commas without space characters. All of the
specified components must be extracted from the setup program prior to installation.
| Component | Must be installed together with | Bitness | Component name / description |
|---|---|---|---|
| AcronisCentralizedManagementServer | WebConsole | 32-bit/64-bit | Management Server |
| WebConsole | AcronisCentralizedManagementServer | 32-bit/64-bit | Web Console |
| ComponentRegisterFeature | AcronisCentralizedManagementServer | 32-bit/64-bit | Components for Remote Installation |
| AgentsCoreComponents | | 32-bit/64-bit | Core components for agents |
| BackupAndRecoveryAgent | AgentsCoreComponents | 32-bit/64-bit | Agent for Windows |
| ArxAgentFeature | BackupAndRecoveryAgent | 32-bit/64-bit | Agent for Exchange |
| ArsAgentFeature | BackupAndRecoveryAgent | 32-bit/64-bit | Agent for SQL |
| OracleAgentFeature | BackupAndRecoveryAgent | 32-bit/64-bit | Agent for Oracle |
| ArxOnlineAgentFeature | AgentsCoreComponents | 32-bit/64-bit | Agent for Office 365 |
| HyperVAgent | AgentsCoreComponents | 32-bit/64-bit | Agent for Hyper-V |
| ESXVirtualAppliance | | 32-bit/64-bit | Agent for VMware (Virtual Appliance) |
| CommandLineTool | | 32-bit/64-bit | Command-Line Tool |
| TrayMonitor | BackupAndRecoveryAgent | 32-bit/64-bit | Cyber Protect Monitor |
| BackupAndRecoveryBootableComponents | | 32-bit/64-bit | Bootable Media Builder |
| PXEServer | | 32-bit/64-bit | PXE Server |
| StorageServer | BackupAndRecoveryAgent | 64-bit | Storage Node |
| CatalogBrowser | JRE 8 Update 111 or later | 64-bit | Catalog Service |
TARGETDIR=<path>
REBOOT=ReallySuppress
CURRENT_LANGUAGE=<language ID>
The product language. Available values are as follows: en, en_GB, cs, da, de, es_ES, fr, ko, it,
hu, nl, ja, pl, pt, pt_BR, ru, tr, zh, zh_TW.
ACEP_AGREEMENT={0,1}
If the value is 1, the machine will participate in the Acronis Customer Experience Program
(ACEP).
The host name or IP address of the machine where the management server is installed.
Agents, Storage Node, and Catalog Service specified in the ADDLOCAL parameter will be registered on
this management server. The port number is mandatory if it is different from the default value
(9877).
REGISTRATION_TOKEN=<token>
The registration token that was generated in the Cyber Protect web console as
described in Deploying agents through Group Policy.
REGISTRATION_TENANT=<unit ID>
The unit within the organization. Agents, Storage Node, and Catalog Service
specified in the ADDLOCAL parameter will be added to this unit.
To learn a unit ID, in the Cyber Protect web console, click Settings > Accounts,
select the unit, and click Details.
REGISTRATION_REQUIRED={0,1}
The installation result in case the registration fails. If the value is 1, the installation
fails. If the value is 0, the installation completes successfully even though the component was not
registered.
REGISTRATION_CA_SYSTEM={0,1}|REGISTRATION_CA_BUNDLE={0,1}|REGISTRATION_PINNED_PUBLIC_KEY=<public key value>
These mutually exclusive parameters define how the management server certificate is checked
during the registration. Check the certificate if you want to verify the authenticity of
the management server and prevent MITM attacks.
If the value is 1, the verification uses the system CA or the CA bundle delivered with
the product, respectively. If a pinned public key is specified, the verification uses this key. If the
value is 0 or the parameters are not specified, the certificate verification is not performed, but the
registration traffic remains encrypted.
If the parameter is specified, the installation log in the verbose mode will be saved to the
specified file. The log file can be used for analyzing the installation issues.
AMS_ZMQ_PORT=<port number>
The port that will be used for communication between the product components. By default,
7780.
SQL_INSTANCE=<instance>
The database to be used by the management server. You can select any edition of Microsoft
SQL Server 2012, Microsoft SQL Server 2014, or Microsoft SQL Server 2016. The instance you choose
can also be used by other programs.
Credentials of a Microsoft SQL Server login account. The management server will
use these credentials to connect to the selected SQL Server instance. Without these parameters, the
management server will use the credentials of the management server service account (AMS User).
• AMS_USE_SYSTEM_ACCOUNT={0,1}
If the value is 1, the system account will be used.
• AMS_CREATE_NEW_ACCOUNT={0,1}
If the value is 1, a new account will be created.
• AMS_SERVICE_USERNAME=<user name> and AMS_SERVICE_PASSWORD=<password>
The specified account will be used.
The HTTP proxy server to be used by the agent. Without these parameters, no proxy server
will be used.
The credentials for the HTTP proxy server. Use these parameters if the server requires
authentication.
HTTP_PROXY_ONLINE_BACKUP={0,1}
If the value is 0, or the parameter is not specified, the agent will use the proxy server only for
backup and recovery from the cloud. If the value is 1, the agent also will connect to the management
server through the proxy server.
SET_ESX_SERVER={0,1}
The host name or IP address of the vCenter Server or the ESXi host.
• MMS_USE_SYSTEM_ACCOUNT={0,1}
If the value is 1, the system account will be used.
• MMS_CREATE_NEW_ACCOUNT={0,1}
If the value is 1, a new account will be created.
• MMS_SERVICE_USERNAME=<user name> and MMS_SERVICE_PASSWORD=<password>
The specified account will be used.
• ASN_USE_SYSTEM_ACCOUNT={0,1}
If the value is 1, the system account will be used.
• ASN_CREATE_NEW_ACCOUNT={0,1}
If the value is 1, a new account will be created.
• ASN_SERVICE_USERNAME=<user name> and ASN_SERVICE_PASSWORD=<password>
The specified account will be used.
Uninstallation parameters
REMOVE={<list of components>|ALL}
If the value is ALL, all of the product components will be uninstalled. Additionally, you can
specify the following parameter:
DELETE_ALL_SETTINGS={0, 1}
If the value is 1, the product's logs, tasks, and configuration settings will be removed.
Here, <package name> is the name of the installation package (an .i686 or an .x86_64 file).
3. [Only when installing Agent for Linux] If UEFI Secure Boot is enabled on the machine, you are
informed that you need to restart the system after the installation. Be sure to remember what
password (the one of the root user or "acronis") should be used. During the system restart, opt
for MOK (Machine Owner Key) management, choose Enroll MOK, and then enroll the key by
using the recommended password.
If you enable UEFI Secure Boot after the agent installation, repeat the installation including step 3.
Otherwise, backups will fail.
Installation parameters
Common parameters
{-i |--id=}<list of components>
--language=<language ID>
The product language. Available values are as follows: en, en_GB, cs, da, de, es_ES, fr, ko, it,
hu, nl, ja, pl, pt, pt_BR, ru, tr, zh, zh_TW.
{-d|--debug}
{-t|--strict}
If the parameter is specified, any warning that occurs during the installation results in the
installation failure. Without this parameter, the installation completes successfully even in the case
of warnings.
{-n|--nodeps}
If the parameter is specified, absence of required Linux packages will be ignored during the
installation.
The port that will be used by a web browser to access the management server. By default,
9877.
--ams-tcp-port=<port number>
The port that will be used for communication between the product components. By default,
7780.
• --skip-registration
◦ Does not register the agent on the management server.
• {-C |--ams=}<host name or IP address>
◦ The host name or IP address of the machine where the management server is installed. The
agent will be registered on this management server.
If you install the agent and the management server within one command, the agent
will be registered on this management server regardless of the -C parameter.
--token=<token>
The registration token that was generated in the Cyber Protect web console
as described in Deploying agents through Group Policy.
--unit=<unit ID>
The unit within the organization. The agent will be added to this unit.
--reg-transport={https|https-ca-system|https-ca-bundle|https-pinned-public-key}
If the value is https or the parameter is not specified, the certificate check is
not performed, but the registration traffic remains encrypted. If the value is not https, the check uses
the system CA, the CA bundle delivered with the product, or the pinned public key,
respectively.
The pinned public key value. This parameter should be specified together with or
instead of the --reg-transport=https-pinned-public-key parameter.
Uninstallation parameters
{-u|--uninstall}
--purge
Information parameters
{-?|--help}
--usage
--product-info
Examples
• Installing Management Server.
./AcronisCyberProtect_15_64-bit.x86_64 -a -i AcronisCentralizedManagementServer
./AcronisCyberProtect_15_64-bit.x86_64 -a -i AcronisCentralizedManagementServer --web-server-port 6543 --ams-tcp-port 8123
• Installing Agent for Linux and registering it on the specified Management Server.
• Installing Agent for Linux and registering it on the specified Management Server, in the specified
unit.
1. Create a temporary directory where you will mount the installation file (.dmg).
mkdir <dmg_root>
Here, the <dmg_file> is the name of the installation file. For example,
AcronisCyberProtect_15_MAC.dmg.
3. Run the installer.
Examples
mkdir mydirectory
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -o register -a <management server address:port>
Here:
the <management server address:port> is the host name or the IP address of the machine where
the Acronis Cyber Protect Management Server is installed. The port number is mandatory if it is
different from the default one (9877).
This option is only available if anonymous registration is enabled on the management server. If it
is disabled, you need to register the machine under a specific administrator account or by using a
registration token. For more information about the anonymous registration, refer to "Configuring
anonymous registration".
• Register the agent under a specific administrator account.
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -o register -a <management server address:port> -u <user name> -p <password>
Here:
the <user name> and <password> are the credentials for the administrator account under which
the agent will be registered.
• Register the agent in a specific unit.
If the anonymous registration is disabled on the management server, you need to add the
credentials for an administrator account:
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -o register -a <management server address:port> -u <user name> -p <password> --tenant <unit ID>
To learn the unit ID, in the Cyber Protect web console, click Settings > Accounts, select the
desired unit, and then click Details.
Important
Administrators can register agents by specifying the unit ID only at their level of the organization
hierarchy. Unit administrators can register machines in their own units and their subunits.
Organization administrators can register machines in all units. For more information about the
different administrator accounts, refer to "Administering user accounts and organization units".
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -o register -a <management server address:port> --token <token>
The registration token is a series of 12 characters, separated by hyphens in three segments. You
can generate one in the Cyber Protect web console, as described in "Deploying agents through
Group Policy".
Important
In macOS 10.14 or later, you need to grant the protection agent full disk access. To do so, go to
Applications > Utilities, and then run Cyber Protect Agent Assistant. Then, follow the
instructions in the application window.
Examples
Registration with a user name and password.
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -o register -a https://10.250.144.179:9877 -u johndoe -p johnspassword
To uninstall the Agent for Mac and remove all logs, tasks and configuration settings, run the
following command:
sudo /Library/Application\ Support/BackupClient/Acronis/Cyber\ Protect\ Agent\ Uninstall.app/Contents/MacOS/AgentUninstall /confirm /purge
To register a machine
At the command prompt of the machine where the agent is installed, run one of the following
commands:
◦ Here, the <user name> and <password> are the credentials for the administrator account under
which the agent will be registered.
• To register the machine in a specific unit, specify the unit ID:
◦ To learn the unit ID, in the Cyber Protect web console, click Settings > Accounts, select the
desired unit, and then click Details.
If the anonymous registration is disabled on the management server, you need to add the
credentials for an administrator account:
Important
Administrators can only register agents at their level of the organization hierarchy. Unit
administrators can register agents in their own units and their subunits. Organization
administrators can register agents in all units. For more information about the different
administrator accounts, refer to "Administering user accounts and organization units".
To unregister a machine
At the command prompt of the machine where the agent is installed, run the command:
Windows
"%ProgramFiles%\Acronis\RegisterAgentTool\register_agent.exe" -o register -a https://10.250.144.179:9877
"%ProgramFiles%\Acronis\RegisterAgentTool\register_agent.exe" -o register -a https://10.250.144.179:9877 -u johndoe -p johnspassword
"%ProgramFiles%\Acronis\RegisterAgentTool\register_agent.exe" -o register -a https://10.250.144.179:9877 --tenant 590b1dd7-8adb-11ea-bf44-0050569deecf
"%ProgramFiles%\Acronis\RegisterAgentTool\register_agent.exe" -o register -a https://10.250.144.179:9877 -u johndoe -p johnspassword --tenant 590b1dd7-8adb-11ea-bf44-0050569deecf
"%ProgramFiles%\Acronis\RegisterAgentTool\register_agent.exe" -o register -a https://10.250.144.179:9877 --token 3B4C-E967-4FBD
"%ProgramFiles%\Acronis\RegisterAgentTool\register_agent.exe" -o unregister
Linux
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o register -a https://10.250.144.179:9877 -u johndoe -p "johns password"
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o register -a https://10.250.144.179:9877 -u johndoe -b -p am9obnNwYXNzd29yZA==
Each time you sign in to the Cyber Protect web console, Acronis Cyber Protect checks whether a new
version is available on the Acronis website. If so, the Cyber Protect web console shows a download
link for the new version at the bottom of each page under the Devices, Plans, and Backup storage
tabs. The link is also available on the Settings > Agents page.
To enable or disable the automatic checks for updates, change the Updates system setting.
To check for updates manually, click the question mark icon in the top-right corner > About > Check
for updates or the question mark icon > Check for updates.
• An account activation link. Click the link and set the password for the account. Remember your
login that is shown on the account activation page.
• A link to the Cyber Protect web console login page. Use this link to access the console in the
future. The login and password are the same as in the previous step.
3.9.2 Preparation
Step 1
Choose the agent, depending on what you are going to back up. For the information about the
agents, refer to the "Components" section.
Step 2
Download the setup program. To find the download links, click All devices > Add.
The Add devices page provides web installers for each agent that is installed in Windows. A web
installer is a small executable file that downloads the main setup program from the Internet and
saves it as a temporary file. This file is deleted immediately after the installation.
If you want to store the setup programs locally, download a package containing all agents for
installation in Windows by using the link at the bottom of the Add devices page. Both 32-bit and
64-bit packages are available. These packages enable you to customize the list of components to install.
These packages also enable unattended installation, for example, via Group Policy. This advanced
scenario is described in "Deploying agents through Group Policy".
All setup programs require an Internet connection to register the machine in the Cyber Protection
service. If there is no Internet connection, the installation will fail.
Step 3
Before the installation, ensure that your firewalls and other components of your network security
system (such as a proxy server) allow both inbound and outbound connections through the following
TCP ports:
• 443 and 8443: These ports are used for accessing the Cyber Protect web console, registering the
agents, downloading the certificates, user authorization, and downloading files from the cloud
storage.
• 7770...7800: The agents use these ports to communicate with the management server.
• 44445 and 55556: The agents use these ports for data transfer during backup and recovery.
If a proxy server is enabled in your network, refer to the "Proxy server settings" section to
understand whether you need to configure these settings on each machine that runs a protection
agent.
The minimum Internet connection speed required for managing an agent from the cloud is 1 Mbit/s
(not to be confused with the data transfer rate acceptable for backing up to the cloud). Consider this
if you use a low-bandwidth connection technology such as ADSL.
TCP ports required for backup and replication of VMware virtual machines
• TCP 443: Agent for VMware (both Windows and Virtual Appliance) connects to this port on the
ESXi host/vCenter server to perform VM management operations, such as create, update, and
delete VMs on vSphere during backup, recovery, and VM replication operations.
• TCP 902: Agent for VMware (both Windows and Virtual Appliance) connects to this port on the
ESXi host to establish NFC connections to read/write data on VM disks during backup, recovery,
and VM replication operations.
• TCP 3333: If the Agent for VMware (Virtual Appliance) is running on the ESXi host/cluster that is
the target for VM replication, VM replication traffic does not go directly to the ESXi host on port
902. Instead, the traffic goes from the source Agent for VMware to TCP port 3333 on the Agent for
VMware (Virtual Appliance) located on the target ESXi host/cluster.
The source Agent for VMware that reads data from the original VM disks can be anywhere else
and can be of any type: Virtual Appliance or Windows.
The service that is responsible for accepting VM replication data on the target Agent for VMware
(Virtual Appliance) is called “Replica disk server.” This service is responsible for the WAN
optimization techniques, such as traffic compression and deduplication during VM replication,
including replica seeding (see Seeding an initial replica). When no Agent for VMware (Virtual
Step 4
On the machine where you plan to install the Cyber Protection agent, verify that the following local
ports are not in use by other processes.
• 127.0.0.1:9999
• 127.0.0.1:43234
• 127.0.0.1:9850
Note
You do not have to open them in the Firewall.
The Active Protection service is listening at TCP port 6109. Verify that it is not in use by another
process.
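A pre-installation check for the local ports listed above, for a Linux machine that has the iproute2 `ss` utility. This is an added example, not part of the Acronis documentation; the function names, the constructed sample listing, and the conservative treatment of wildcard listeners are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Acronis code): find listeners that already occupy the
# local ports the agent needs. Input is the output of `ss -Hltn`.

# Loopback ports from Step 4, plus the Active Protection port. The page gives
# no bind address for 6109, so any listener on that port counts as a conflict.
AGENT_LOOPBACK_PORTS="9999 43234 9850"
ACTIVE_PROTECTION_PORT=6109

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 127.0.0.1:9999 0.0.0.0:*
LISTEN 0 128 *:9850 *:*
LISTEN 0 128 [::1]:43234 [::]:*
LISTEN 0 128 192.168.1.10:9999 0.0.0.0:*
LISTEN 0 128 10.0.0.5:6109 0.0.0.0:*'

# find_port_conflicts: reads `ss -Hltn` lines on stdin and prints one
# "<port> <local address:port>" line per conflicting listener.
find_port_conflicts() {
    awk -v lo="$AGENT_LOOPBACK_PORTS" -v ap="$ACTIVE_PROTECTION_PORT" '
        BEGIN { n = split(lo, p, " "); for (i = 1; i <= n; i++) loop[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4
            port = la; sub(/.*:/, "", port)        # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            sub(/%.*/, "", addr)                   # drop interface scope, e.g. 127.0.0.53%lo
            if (port == ap) { print port, la; next }
            # A wildcard bind also occupies the port on 127.0.0.1. "[::]" may be
            # IPv6-only on some hosts; it is flagged anyway to stay conservative.
            if ((port in loop) && (addr == "127.0.0.1" || addr == "0.0.0.0" || addr == "*" || addr == "[::]"))
                print port, la
        }'
}

# check_agent_ports: runs the check against the live machine.
# Returns 0 when all required ports are free, 1 otherwise.
check_agent_ports() {
    conflicts=$(ss -Hltn | find_port_conflicts)
    if [ -n "$conflicts" ]; then
        printf 'ports already in use:\n%s\n' "$conflicts" >&2
        return 1
    fi
    return 0
}
```

A listener on another specific address, such as 192.168.1.10:9999 or [::1]:43234 in the sample, is not reported because it does not occupy 127.0.0.1.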
• In Linux: /opt/Acronis/etc/aakore.yaml
• In Windows: \ProgramData\Acronis\Agent\etc\aakore.yaml
Because the agent registers itself in the cloud during the installation, the proxy server settings must
be provided during the installation or in advance.
Note
Updating the protection definitions (antivirus and antimalware definitions; advanced detection
definitions; vulnerability assessment and patch management definitions) is not possible when using
a proxy server.
In Windows
If a proxy server is configured in Windows (Control panel > Internet Options > Connections), the
setup program reads the proxy server settings from the registry and uses them automatically. Also,
you can enter the proxy settings during the installation, or specify them in advance by using the
1. Create a new text document and open it in a text editor, such as Notepad.
2. Copy and paste the following lines into the file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\Global\HttpProxy]
"Enabled"=dword:00000001
"Host"="proxy.company.com"
"Port"=dword:000001bb
"Login"="proxy_login"
"Password"="proxy_password"
3. Replace proxy.company.com with your proxy server host name/IP address, and 000001bb with the
hexadecimal value of the port number. For example, 000001bb is port 443.
4. If your proxy server requires authentication, replace proxy_login and proxy_password with the
proxy server credentials. Otherwise, delete these lines from the file.
5. Save the document as proxy.reg.
6. Run the file as an administrator.
7. Confirm that you want to edit the Windows registry.
8. If the protection agent is not installed yet, you can now install it. Otherwise, do the following to
restart the agent:
a. In the Start menu, click Run, and then type: cmd
b. Click OK.
c. Run the following commands:
In Linux
Run the installation file with the parameters --http-proxy-host=ADDRESS --http-proxy-port=PORT
--http-proxy-login=LOGIN --http-proxy-password=PASSWORD. To change the proxy settings after the
installation, use the procedure described below.
<key name="HttpProxy">
<value name="Enabled" type="Tdword">"1"</value>
<value name="Host" type="TString">"ADDRESS"</value>
• Otherwise, copy the above lines and paste them into the file between the <registry
name="Global">...</registry> tags.
3. Replace ADDRESS with the new proxy server host name/IP address, and PORT with the decimal
value of the port number.
4. If your proxy server requires authentication, replace LOGIN and PASSWORD with the proxy server
credentials. Otherwise, delete these lines from the file.
5. Save the file.
6. Restart the agent by executing the following command in any directory:
In macOS
You can enter the proxy settings during the installation, or specify them in advance by using the
procedure described below. To change the proxy settings after the installation, use the same
procedure.
In bootable media
When working under bootable media, you may need to access the cloud storage via a proxy server.
To specify the proxy server settings, click Tools > Proxy server, and then specify the proxy server
host name/IP address, port, and credentials.
In Windows
1. Ensure that the machine is connected to the Internet.
2. Log on as an administrator and start the setup program.
3. [Optional] Click Customize installation settings and make the appropriate changes if you want:
• To change the components to install (in particular, to disable installation of Cyber Protect
Monitor and Command-Line Tool).
• To change the method of registering the machine in the Cyber Protection service. You can
switch from Use Cyber Protect console (default) to Use credentials or Use registration
token.
• To change the installation path.
• To change the account for the agent service.
• To verify or change the proxy server host name/IP address, port, and credentials. If a proxy
server is enabled in Windows, it is detected and used automatically.
4. Click Install.
5. [Only when installing Agent for VMware] Specify the address and access credentials for the
vCenter Server or stand-alone ESXi host whose virtual machines the agent will back up, and then
click Done. We recommend using an account that has the Administrator role assigned.
Otherwise, provide an account with the necessary privileges on the vCenter Server or ESXi.
6. [Only when installing on a domain controller] Specify the user account under which the agent
service will run, and then click Done. For security reasons, the setup program does not
automatically create new accounts on a domain controller.
7. If you kept the default registration method Use Cyber Protect console in step 3, wait until the
registration screen appears, and then proceed to the next step. Otherwise, no more actions are
required.
9. Note
Do not quit the setup program until you confirm the registration. To initiate the registration
again, you will have to restart the setup program, and then click Register the machine.
As a result, the machine will be assigned to the account that was used to log in to the Cyber
Protect web console.
In Linux
1. Ensure that the machine is connected to the Internet.
2. As the root user, run the installation file.
If a proxy server is enabled in your network, when running the file, specify the server host
name/IP address and port in the following format: --http-proxy-host=ADDRESS --http-proxy-port=PORT
--http-proxy-login=LOGIN --http-proxy-password=PASSWORD.
If you want to change the default method of registering the machine in the Cyber Protection
service, run the installation file with one of the following parameters:
• --register-with-credentials - to ask for a user name and password during the installation
• --token=STRING - to use a registration token
• --skip-registration - to skip the registration
3. Select the check boxes for the agents that you want to install. The following agents are available:
• Agent for Linux
• Agent for Virtuozzo
Agent for Virtuozzo cannot be installed without Agent for Linux.
4. If you kept the default registration method in step 2, proceed to the next step. Otherwise, enter
the user name and password for the Cyber Protection service, or wait until the machine is
registered by using the token.
As a result, the machine will be assigned to the account that was used to log in to the Cyber
Protect web console.
7. If UEFI Secure Boot is enabled on the machine, you are informed that you need to restart the
system after the installation. Be sure to remember what password (the one of the root user or
"acronis") should be used.
Note
During the installation, a new key is generated, used to sign the snapapi module, and registered
as a Machine Owner Key (MOK). The restart is mandatory in order to enroll this key. Without
enrolling the key, the agent will not be operational. If you enable UEFI Secure Boot after the
agent installation, repeat the installation including step 6.
In macOS
1. Ensure that the machine is connected to the Internet.
2. Double-click the installation file (.dmg).
3. Wait while the operating system mounts the installation disk image.
4. Double-click Install.
5. If a proxy server is enabled in your network, click Protection agent in the menu bar, click Proxy
server settings, and then specify the proxy server host name/IP address, port, and credentials.
6. If prompted, provide administrator credentials.
7. Click Continue.
8. Wait until the registration screen appears.
10. Tip Do not quit the setup program until you confirm the registration. To initiate the registration
again, you will have to restart the setup program and repeat the installation procedure.
As a result, the machine will be assigned to the account that was used to log in to the Cyber Protect
web console.
If you chose the Create a new account or Use the following account option, ensure that the
domain security policies do not affect the related accounts' rights. If an account is deprived of the
user rights assigned during the installation, the component may work incorrectly or not work.
1. Included in the Backup Operators and Administrators groups. On a Domain Controller, the
user must be included in the group Domain Admins.
2. Granted the Full Control permission on the folder %PROGRAMDATA%\Acronis (in Windows XP and
Server 2003, %ALLUSERSPROFILE%\Application Data\Acronis) and on its subfolders.
3. Granted the Full Control permission on certain registry keys in the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Acronis.
4. Assigned the following user rights:
• Log on as a service
• Adjust memory quotas for a process
Important
Ensure that the user that you have added to the Log on as a service user right is not listed in the
Deny log on as a service policy in Local Security Policy.
Note that it is not recommended to change logon accounts manually after the installation is
completed.
During the installation, you can use a file known as a transform (an .mst file). A transform is a file
with installation parameters. As an alternative, you can specify installation parameters directly on
the command line.
Command template:
Here:
Command example:
Here, <package name> is the name of the .msi file. All available parameters and their values are
described in "Unattended installation or uninstallation parameters".
msiexec /x <package name> <PARAMETER 1>=<value 1> ... <PARAMETER N>=<value n>
The .msi package must be of the same version as the product that you want to uninstall.
The components to be installed, separated by commas and without space characters. All of
the specified components must be extracted from the setup program prior to installation.
Component | Must be installed together with | Bitness | Component name / description
MmsMspComponents | | 32-bit/64-bit | Core components for agents
BackupAndRecoveryAgent | MmsMspComponents | 32-bit/64-bit | Agent for Windows
ArxAgentFeature | BackupAndRecoveryAgent | 32-bit/64-bit | Agent for Exchange
AcronisESXSupport | MmsMspComponents | 64-bit | Agent for VMware ESX(i) (Windows)
CommandLineTool | | 32-bit/64-bit | Command-Line Tool
TrayMonitor | BackupAndRecoveryAgent | 32-bit/64-bit | Cyber Protect Monitor
TARGETDIR=<path>
REBOOT=ReallySuppress
If the parameter is specified, the installation log in the verbose mode will be saved to the
specified file. The log file can be used for analyzing the installation issues.
CURRENT_LANGUAGE=<language ID>
The product language. Available values are as follows: en, bg, cs, da, de, es, fr, hu,
id, it, ja, ko, ms, nb, nl, pl, pt, pt_BR, ru, fi, sr, sv, tr, zh, zh_TW.
If this parameter is not specified, the product language will be defined by your system language on
the condition that it is in the list above. Otherwise, the product language will be set to English (en).
This is the URL for the Cyber Protect service. You can use this parameter either with the
REGISTRATION_LOGIN and REGISTRATION_PASSWORD parameters, or with the REGISTRATION_TOKEN one.
• When you use REGISTRATION_ADDRESS with the REGISTRATION_TOKEN parameter, specify the exact
datacenter address. This is the URL that you see once you are logged in to the Cyber Protect
service. For example, https://eu2-cloud.company.com.
Credentials for the account under which the agent will be registered in the Cyber Protect
service. This cannot be a partner administrator account.
REGISTRATION_PASSWORD_ENCODED
REGISTRATION_TOKEN
REGISTRATION_REQUIRED={0,1}
Defines how the installation will finish if the registration fails. If the value is 1, the installation
also fails. The default value is 0, so if you don't specify this parameter, the installation completes
successfully even though the agent is not registered.
• MMS_USE_SYSTEM_ACCOUNT={0,1}
If the value is 1, the agent will run under the Local System account.
• MMS_CREATE_NEW_ACCOUNT={0,1}
If the value is 1, the agent will run under a newly created account named Acronis Agent User.
• MMS_SERVICE_USERNAME=<user name> and MMS_SERVICE_PASSWORD=<password>
Use these parameters to specify an existing account under which the agent will run.
For more information on logon accounts, refer to "Changing the logon account on Windows
machines".
SET_ESX_SERVER={0,1}
• If the value is 0, Agent for VMware being installed will not be connected to a vCenter Server or an
ESXi host. If the value is 1, specify the following parameters:
◦ ESX_HOST=<host name>
The host name or IP address of the vCenter Server or the ESXi host.
◦ ESX_USER=<user name> and ESX_PASSWORD=<password>
Credentials to access the vCenter Server or ESXi host.
The HTTP proxy server to be used by the agent. Without these parameters, no proxy server
will be used.
The credentials for the HTTP proxy server. Use these parameters if the server requires
authentication.
HTTP_PROXY_ONLINE_BACKUP={0,1}
Uninstallation parameters
REMOVE={<list of components>|ALL}
The components to be removed, separated by commas and without space characters. If the
value is ALL, all of the product components will be uninstalled.
DELETE_ALL_SETTINGS={0, 1}
If the value is 1, the product's logs, tasks, and configuration settings will be removed.
Examples
• Installing Agent for Windows, Command-Line Tool, and Cyber Protection Monitor. Registering the
machine in the Cyber Protect service by using a user name and password.
• Installing Agent for Windows, Command-Line Tool, and Cyber Protection Monitor. Creating a new
logon account for the agent service in Windows. Registering the machine in the Cyber Protect
service by using a token.
• Installing Agent for Windows, Command-Line Tool, Agent for Oracle and Cyber Protection
Monitor. Registering the machine in the Cyber Protect service by using a user name and a
base64-encoded password.
• Installing Agent for Windows, Command-Line Tool, and Cyber Protection Monitor. Registering the
machine in the Cyber Protect service by using a token. Setting an HTTP proxy.
• Uninstalling all the agents and deleting their logs, tasks, and configuration settings.
1. Open Terminal.
• To start the installation by specifying the parameters on the command line, run the following
command:
Here, <package name> is the name of the installation package (an .i686 or an .x86_64 file). All
available parameters and their values are described in "Unattended installation or uninstallation
parameters".
• To start the installation with parameters that are specified in a separate text file, run the following
command:
This approach might be useful if you don't want to enter sensitive information on the command
line. In this case, you can specify the configuration settings in a separate text file and ensure that
only you can access it. Put each parameter on a new line, followed by the desired value, for
example:
--rain=https://cloud.company.com
--login=johndoe
--password=johnspassword
--auto
or
-C
https://cloud.company.com
If the same parameter is specified both on the command line and in the text file, the command
line value takes precedence.
3. If UEFI Secure Boot is enabled on the machine, you are informed that you need to restart the
system after the installation. Be sure to remember what password (that of the root user or
"acronis") should be used. During the system restart, opt for MOK (Machine Owner Key)
management, choose Enroll MOK, and then enroll the key by using the recommended password.
If you enable UEFI Secure Boot after the agent installation, repeat the installation, including step 3.
Otherwise, backups will fail.
The minimal configuration for unattended installation includes -a and registration parameters (for
example, --login and --password parameters; --rain and --token parameters). You can use more
parameters to customize your installation.
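One way to create the options file described above so that only its owner can read it and the registration token never appears on the command line. This is an added example, not Acronis code; the function names, the file path in the usage comment, and the assumed token alphabet (three segments of four alphanumeric characters, as in 3B4C-E967-4FBD) are assumptions.

```shell
#!/bin/sh
# Added example (not Acronis code): write an installer options file with
# owner-only permissions and validate its inputs before they reach the file.

# Token shape per the page: 12 characters in three hyphen-separated segments.
# Assumption: each segment is 4 alphanumeric characters, as in 3B4C-E967-4FBD.
TOKEN_SEG='[A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9]'

# valid_token <token>: case matches the whole string, so a value with an
# embedded newline (which would smuggle an extra option line) is rejected.
valid_token() {
    case $1 in
        $TOKEN_SEG-$TOKEN_SEG-$TOKEN_SEG) return 0 ;;
    esac
    return 1
}

# file_mode <path>: octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_options_file <path> <service URL> <token>
# The body runs in a subshell so the umask and noclobber changes stay local.
write_options_file() (
    path=$1 url=$2 token=$3
    valid_token "$token" || { echo "malformed registration token" >&2; exit 2; }
    case $url in
        *[!A-Za-z0-9.:/_-]*) echo "unexpected character in service address" >&2; exit 2 ;;
        https://?*) ;;
        *) echo "service address must be an https:// URL" >&2; exit 2 ;;
    esac
    umask 077   # the file is created as 0600, with no window before a chmod
    set -C      # noclobber: refuse to overwrite an existing file
    {
        printf '%s\n' "--rain=$url"
        printf '%s\n' "--token=$token"
        printf '%s\n' "--auto"
    } > "$path" || { echo "refusing to overwrite $path" >&2; exit 3; }
    [ "$(file_mode "$path")" = 600 ] || { echo "unexpected mode on $path" >&2; exit 4; }
)

# Usage, as root (the path is a placeholder chosen for this example):
#   write_options_file /root/agent.opts https://eu2-cloud.company.com 3B4C-E967-4FBD
#   ./Cyber_Protection_Agent_for_Linux_x86_64.bin --options-file=/root/agent.opts
#   rm -f /root/agent.opts
```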
Installation parameters
The components to be installed, separated by commas and without space characters. The
following components are available in the .x86_64 installation package:
Both Agent for Virtuozzo and Agent for Oracle require that Agent for Linux is also installed.
The installation and registration process will complete without any further user interaction.
When using this parameter, you must specify the account under which the agent will be registered
in the Cyber Protect service, either by using the --token parameter, or by using the --login and
--password parameters.
{-t|--strict}
If the parameter is specified, any warning that occurs during the installation results in
installation failure. Without this parameter, the installation completes successfully even in the case
of warnings.
{-n|--nodeps}
The absence of required Linux packages will be ignored during the installation.
{-d|--debug}
--options-file=<location>
The installation parameters will be read from a text file instead of the command line.
--language=<language ID>
The product language. Available values are as follows: en, bg, cs, da, de, es, fr, hu, id,
it, ja, ko, ms, nb, nl, pl, pt, pt_BR, ru, fi, sr, sv, tr, zh, zh_TW.
If this parameter is not specified, the product language will be defined by your system language on
the condition that it is in the list above. Otherwise, the product language will be set to English (en).
Credentials for the account under which the agent will be registered in the Cyber Protect
service. This cannot be a partner administrator account.
• --token=<token>
The registration token is a series of 12 characters, separated by hyphens in three segments. You
can generate one in the web console, as described in "Deploying agents through Group Policy".
You cannot use the --token parameter along with --login, --password, and
--register-with-credentials parameters.
◦ {-C|--rain=}<service address>
The URL of the Cyber Protect service.
You don't need to include this parameter explicitly when you use --login and --password
parameters for registration, because the installer uses the correct address by default – this
However, when you use {-C|--rain=} with the --token parameter, you must specify the exact
datacenter address. This is the URL that you see once you are logged in to the Cyber Protect
service. For example:
• --register-with-credentials
If this parameter is specified, the installer's graphical interface will start. To finish the
registration, enter the user name and password for the account under which the agent will be
registered in the Cyber Protect service. This cannot be a partner administrator account.
• --skip-registration
Use this parameter if you need to install the agent but you plan to register it in the Cyber
Protect service later. For more information on how to do this, refer to "Registering machines
manually".
The HTTP proxy server that the agent will use for backup and recovery from the cloud, and
for connection to the management server. Without these parameters, no proxy server will be used.
The credentials for the HTTP proxy server. Use these parameters if the server requires
authentication.
--tmp-dir=<location>
Specifies the folder where the temporary files are stored during the installation. The default
folder is /var/tmp.
{-s|--disable-native-shared}
Redistributable libraries will be used during the installation, even though they might have
already been present on your system.
--skip-prereq-check
There will be no check of whether the packages required for compiling the snapapi module
are already installed.
--force-weak-snapapi
--skip-svc-start
The services will not start automatically after the installation. Most often, this parameter is
used with the --skip-registration one.
--usage
{-v|--version}
--product-info
--snapapi-list
--components-list
{-e|--ssl=}<path>
{-p|--port=}<port>
Specifies the port on which agent.exe listens for connections. The default port is 9876.
Uninstallation parameters
{-u|--uninstall}
--purge
Uninstalls the product and removes its logs, tasks, and configuration settings. You don't
need to specify the --uninstall parameter explicitly when you use the --purge one.
• Installing Agent for Linux, Agent for Virtuozzo, and Agent for Oracle, and registering them by
using credentials.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -a --login=johndoe --password=johnspassword
• Installing Agent for Oracle and Agent for Linux, and registering them by using a registration
token.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -i BackupAndRecoveryAgent,OracleAgentFeature -a --rain=https://eu2-cloud.company.com --token=34F6-8C39-4A5C
• Installing Agent for Linux, Agent for Virtuozzo, and Agent for Oracle with configuration settings in
a separate text file.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -a --options-file=/home/mydirectory/configuration_file
• Uninstalling Agent for Linux, Agent for Virtuozzo, and Agent for Oracle, and removing all its logs,
tasks, and configuration settings.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -a --purge
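The registration rules in the parameter reference can be checked before a deployment script ever runs the installer. The following is an added example, not Acronis code: it lints an installer argument list against the token format and the --token exclusivity rule, and flags a password passed on the command line. The function names are hypothetical, and the 4-4-4 alphanumeric token layout is an assumption drawn from the sample token.

```python
import re
from urllib.parse import urlparse

# Assumption: the 12 token characters are alphanumeric, in three segments of
# four, as in the page's sample token 34F6-8C39-4A5C.
TOKEN_RE = re.compile(r"[0-9A-Za-z]{4}(?:-[0-9A-Za-z]{4}){2}")

# Options that --token cannot be combined with, per the parameter reference.
CREDENTIAL_OPTS = ("login", "password", "register-with-credentials")


def parse_long_options(argv):
    """Collect --name[=value] options; positional and short options are skipped."""
    opts = {}
    for arg in argv:
        if arg.startswith("--") and len(arg) > 2:
            name, _, value = arg[2:].partition("=")
            opts[name] = value
    return opts


def check_install_args(argv):
    """Return (severity, code, message) findings for one installer command line."""
    opts = parse_long_options(argv)
    findings = []

    if "token" in opts:
        clash = [name for name in CREDENTIAL_OPTS if name in opts]
        if clash:
            findings.append(("error", "token-with-credentials",
                             "--token cannot be combined with --" + ", --".join(clash)))
        if not TOKEN_RE.fullmatch(opts["token"]):
            findings.append(("error", "token-format",
                             "token is not 12 characters in three hyphen-separated segments"))
        if "rain" in opts:
            url = urlparse(opts["rain"])
            if url.scheme not in ("http", "https") or not url.hostname:
                findings.append(("error", "rain-not-url",
                                 "--rain must be the full datacenter URL, not a bare host name"))

    # Credential registration uses --login and --password as a pair.
    if ("login" in opts) != ("password" in opts):
        findings.append(("error", "login-password-pair",
                         "--login and --password are used together"))

    # argv is readable by other local users and is kept in shell history.
    if opts.get("password"):
        findings.append(("warning", "password-on-command-line",
                         "password is exposed in the process list and shell history; "
                         "prefer --token or --options-file"))
    return findings


def finding_codes(argv):
    """Sorted finding codes only, convenient for assertions in a pipeline."""
    return sorted(code for _severity, code, _message in check_install_args(argv))


# Constructed inputs: the first two are the page's own registration examples,
# the third is a deliberately broken command line.
SAMPLES = [
    ["-a", "--login=johndoe", "--password=johnspassword"],
    ["-i", "BackupAndRecoveryAgent,OracleAgentFeature", "-a",
     "--rain=https://eu2-cloud.company.com", "--token=34F6-8C39-4A5C"],
    ["-a", "--token=34F68C394A5C", "--login=johndoe", "--rain=eu2-cloud.company.com"],
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(" ".join(sample))
        for severity, code, message in check_install_args(sample):
            print(f"  {severity}: {code}: {message}")
```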
1. Create a temporary directory where you will mount the installation file (.dmg).
mkdir <dmg_root>
Examples
• mkdir mydirectory
• Register the agent under a specific account, by using a user name and password.
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -o register -t cloud -a <service address> -u <user name> -p <password>
Here:
The <Cyber Protect service address> is the address that you use to log in to the Cyber Protect
service. For example:
The <user name> and <password> are the credentials for the account under which the agent will be
registered. This cannot be a partner administrator account.
• Register the agent by using a registration token.
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -o register -t cloud -a <service address> --token <token>
Important
If you use macOS 10.14 or later, grant the protection agent full disk access. To do so, go to
Applications > Utilities, and then run Cyber Protect Agent Assistant. Then, follow the
instructions in the application window.
Examples
Registration with a user name and password.
• sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -o register -t cloud -a https://cloud.company.com -u johndoe -p johnspassword
To remove all logs, tasks and configuration settings during the uninstallation, run the following
command:
• sudo /Library/Application\ Support/BackupClient/Acronis/Cyber\ Protect\ Agent\ Uninstall.app/Contents/MacOS/AgentUninstall /confirm /purge
To register a machine
At the command prompt of the machine where the agent is installed, run one of the following
commands:
◦ Here, the <user name> and <password> are the credentials for the specific account under which
the agent will be registered. This cannot be a partner administrator account.
The <service address> is the URL that you use to log in to the Cyber Protect service. For
example, https://cloud.company.com.
To unregister a machine
Examples
Windows
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o unregister
Linux
macOS
<path to the registration tool> -o register -t cloud -a <service address> -u <user name> -p <"password">
<path to the registration tool> -o register -t cloud -a <service address> -u <user name> -b -p <encoded password>
• Automate the installation of protection agents and the registration of machines to the
management server by detecting the machines in your Active Directory domain or local network.
• Install and update protection agents on multiple machines.
• Use synchronization with Active Directory, in order to reduce the efforts for provisioning
resources and managing machines in a large Active Directory domain.
3.10.1 Prerequisites
To perform autodiscovery, you need at least one machine with an installed protection agent in your
local network or Active Directory domain. This agent is used as a discovery agent.
Remote installation of agents is supported only for machines running Windows (Windows XP is not
supported). For remote installation on a machine running Windows Server 2012 R2, you must have
Windows update KB2999226 installed on this machine.
During an Active Directory scan, the discovery agent, in addition to the list above, collects
information about the Organizational Unit (OU) of the machines and more detailed information
about their name and operating system. However, the IP and MAC addresses are not collected.
5. Select the name or IP address that the agent will use to access the management server.
By default, the server name is chosen. You may need to change this setting if the DNS server is
unable to resolve the name to the IP address, which results in an agent registration failure.
6. Verify that you can connect to the machines by using the provided credentials.
The machines that are shown in the Cyber Protect web console fall into the following categories:
• Discovered – Machines that are discovered, but a protection agent is not installed on them.
• Managed – Machines on which a protection agent is installed.
• Unprotected – Machines to which a protection plan is not applied. Unprotected machines
include both discovered machines and managed machines with no protection plan applied.
• Protected – Machines to which a protection plan is applied.
To discover machines
156.85.34.10
156.85.53.32
156.85.53.12
EN-L00000100
EN-L00000101
After adding machine addresses manually or importing them from a file, the agent tries to ping
the added machines and define their availability.
9. Select what to do after the discovery:
• Install agents and register machines. You can select which components to install on the
machines by clicking Select components. For more details, refer to "Selecting components
for installation". You can install up to 100 agents simultaneously.
On the Select components screen, define the account under which the services will run by
specifying Logon account for the agent service. You can select one of the following:
◦ Use Service User Accounts (default for the agent service)
Service User Accounts are Windows system accounts that are used to run services. The
advantage of this setting is that the domain security policies do not affect these accounts'
user rights. By default, the agent runs under the Local System account.
◦ Create a new account
The account name will be Agent User for the agent.
◦ Use the following account
If you install the agent on a domain controller, the system prompts you to specify existing
accounts (or the same account) for the agent. For security reasons, the system does not
automatically create new accounts on a domain controller.
Important
Note that remote installation of agents works without any preparations only if you specify the
credentials of the built-in administrator account (the first account created when the operating
system is installed). If you want to define any custom administrator credentials, then you must
do additional manual preparations as described in Adding a machine running Windows >
Preparation.
11. Select the name or IP address that the agent will use to access the management server.
By default, the server name is chosen. You may need to change this setting if the DNS server is
unable to resolve the name to the IP address, which results in an agent registration failure.
When the discovery of machines is initiated, you will find the corresponding task in Dashboard >
Activities > Discovering machines activity.
| Component | Description |
|---|---|
| Mandatory component | |
| Agent for Windows | This agent backs up disks, volumes, and files, and will be installed on Windows machines. It is always installed and cannot be deselected. |
| Additional components | |
| Agent for Hyper-V | This agent backs up Hyper-V virtual machines and will be installed on Hyper-V hosts. It will be installed if selected and the Hyper-V role is detected on a machine. |
| Agent for SQL | This agent backs up SQL Server databases and will be installed on machines running Microsoft SQL Server. It will be installed if selected and the application is detected on a machine. |
| Agent for Exchange | This agent backs up Exchange databases and mailboxes and will be installed on machines running the Mailbox role of Microsoft Exchange Server. It will be installed if selected and the application is detected on a machine. |
| Agent for Active Directory | This agent backs up the data of Active Directory Domain Services and will be installed on domain controllers. It will be installed if selected and the application is detected on a machine. |
| Agent for VMware (Windows) | This agent backs up VMware virtual machines and will be installed on Windows machines that have network access to vCenter Server. It will be installed if selected. |
| Agent for Office 365 | This agent backs up Microsoft Office 365 mailboxes to a local destination and will be installed on Windows machines. It will be installed if selected. |
| Agent for Oracle | This agent backs up Oracle databases and will be installed on machines running Oracle Database. It will be installed if selected. |
| Cyber Protect Monitor | This component enables a user to monitor the execution of running tasks in the notification area and will be installed on Windows machines. It will be installed if selected. |
| Bootable Media Builder | This component enables users to create bootable media and will be installed on Windows machines, if selected. |
This section is divided into subsections by the discovery method used. The full list of machine
parameters is shown below (it may vary depending on the discovery method):
| Name | Description |
|---|---|
| Name | The name of the machine. The IP address will be shown if the name of the machine could not be discovered. |
| Discovery type | The discovery method that was used to detect the machine. |
| Organizational unit | The organizational unit in Active Directory that the machine belongs to. This column is shown if you view the list of machines in Unmanaged machines > Active Directory. |
There is an Exceptions section, where you can add the machines that must be skipped during the
discovery process. For example, if you do not need specific machines to be discovered, you can
add them to this list.
To add a machine to Exceptions, select it in the list and click Add to exceptions. To remove a
machine from Exceptions, go to Unmanaged machines > Exceptions, select the machine, and
click Remove from exceptions.
You can install the protection agent and register a batch of discovered machines in Cyber Protect by
selecting them in the list and clicking Install and register. The opened wizard also allows you to
assign the protection plan to a batch of machines.
After the protection agent is installed on machines, those machines will be shown in the Devices >
Machines with agents section.
To check your protection status, go to Dashboard > Overview and add the Protection status
widget or the Discovered machine widget.
• In Control Panel > Network and Sharing Center > Advanced sharing settings, turn on
network discovery.
• Verify that the Function Discovery Provider Host service is running on the machine that does
discovery and on the machines to be discovered.
• Verify that the Function Discovery Resource Publication service is running on the machines to
be discovered.
The appliance's own virtual disks occupy no more than 6 GB. Thick or thin disk format does not
matter; it does not affect the appliance performance.
Note
vStorage APIs must be installed on the ESXi host to enable virtual machine backups. See
https://kb.acronis.com/content/14931.
It is normal to use both the virtual appliance and Agent for VMware (Windows) at the same time, as
long as they are connected to the same vCenter Server or they are connected to different ESXi hosts.
Avoid cases when one agent is connected to an ESXi directly and another agent is connected to the
vCenter Server which manages this ESXi.
We do not recommend using locally attached storage (i.e. storing backups on virtual disks added to
the virtual appliance) if you have more than one agent. For more considerations, see "Using a locally
attached storage".
In on-premises deployments
After the management server is installed, the virtual appliance's OVF package is located in the folder
%ProgramFiles%\Acronis\ESXAppliance (in Windows) or /usr/lib/Acronis/ESXAppliance (in
Linux).
In cloud deployments
1. Click All devices > Add > VMware ESXi > Virtual Appliance (OVF).
The .zip archive is downloaded to your machine.
2. Unpack the .zip archive.
<key name="HttpProxy">
    <value name="Enabled" type="Tdword">"1"</value>
    <value name="Host" type="TString">"ADDRESS"</value>
    <value name="Port" type="Tdword">"PORT"</value>
    <value name="Login" type="TString">"LOGIN"</value>
    <value name="Password" type="TString">"PASSWORD"</value>
</key>
• Otherwise, copy the above lines and paste them into the file between the <registry
name="Global">...</registry> tags.
d. Replace ADDRESS with the new proxy server host name/IP address, and PORT with the decimal
value of the port number.
e. If your proxy server requires authentication, replace LOGIN and PASSWORD with the proxy server
credentials. Otherwise, delete these lines from the file.
f. Save the file.
g. Open the file /opt/acronis/etc/aakore.yaml in a text editor.
h. Locate the env section or create it and add the following lines:
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
i. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
j. Run the reboot command.
Otherwise, skip this step.
3. Network settings
The agent's network connection is configured automatically by using Dynamic Host
Configuration Protocol (DHCP). To change the default configuration, under Agent options, in
eth0, click Change and specify the desired network settings.
4. vCenter/ESX(i)
Under Agent options, in vCenter/ESX(i), click Change and specify the vCenter Server name or
IP address. The agent will be able to back up and recover any virtual machine managed by the
vCenter Server.
If you do not use a vCenter Server, specify the name or IP address of the ESXi host whose virtual
machines you want to back up and recover. Normally, backups run faster when the agent backs
up virtual machines hosted on its own host.
Specify the credentials that the agent will use to connect to the vCenter Server or ESXi. We
recommend using an account that has the Administrator role assigned. Otherwise, provide an
account with the necessary privileges on the vCenter Server or ESXi.
You can click Check connection to ensure the access credentials are correct.
If you have more than one agent in a cluster, the virtual machines are automatically evenly
distributed between the agents, so that each agent manages an equal number of machines.
Automatic redistribution takes place when a load imbalance among the agents reaches 20 percent.
This may happen, for example, when a machine or an agent is added or removed. For example, you
realize that you need more agents to help with throughput and you deploy an additional virtual
appliance to the cluster. The management server will assign the most appropriate machines to the
new agent. The old agents' load will reduce. When you remove an agent from the management
server, the machines assigned to the agent are distributed among the remaining agents. However,
this will not happen if an agent gets corrupted or is deleted manually from the Scale Computing HC3
cluster. Redistribution will start only after you remove such an agent from the Cyber Protect web
interface.
• In the Agent column for each virtual machine in the All devices section
• In the Assigned virtual machines section of the Details panel when an agent is selected in
Settings > Agents
4. Specify the Scale Computing HC3 cluster address and credentials:
• DNS name or IP address of the cluster.
• In the User name and Password fields, enter the credentials for the Scale Computing HC3
account that has the appropriate roles assigned.
You can click Check connection to ensure the access credentials are correct.
Operation Role
VM Create/Edit
VM Delete
VM Create/Edit
VM Power Control
VM Delete
Cluster Settings
VM Create/Edit
VM Power Control
VM Delete
Cluster Settings
In this section, you will find out how to set up a Group Policy object to deploy agents onto machines
in an entire domain or in its organizational unit.
Every time a machine logs on to the domain, the resulting Group Policy object will ensure that the
agent is installed and registered.
3.13.1 Prerequisites
Before proceeding with agent deployment, ensure that:
• You have an Active Directory domain with a domain controller running Microsoft Windows Server
2003 or later.
• You are a member of the Domain Admins group in the domain.
1. Sign in to the Cyber Protect web console by using the credentials of the account to which the
machines should be assigned.
2. Click All devices > Add.
3. Scroll down to Registration token, and then click Generate.
4. Specify the token lifetime, and then click Generate token.
5. Copy the token or write it down. Be sure to save the token if you need it for further use.
You can click Manage active tokens to view and manage the already generated tokens. Please
be aware that for security reasons, this table does not display full token values.
As a result, the .mst transform is generated and the .msi and .cab installation packages are
extracted to the folder you created.
Note
During the update, any backups that are in progress will fail.
To find the agent version, select the machine, and then click Details.
You can update agents by using the Cyber Protect web console or by repeating their installation in
any available way. To update multiple agents simultaneously, use the following procedure.
8. Select the name or IP address that the agent will use to access the management server.
By default, the server name is chosen. You may need to change this setting if the DNS server is
unable to resolve the name to the IP address, which results in an agent registration failure.
9. [Only in on-premises deployments] The update progress is shown on the Activities tab.
Note
During the update, any backups that are in progress will fail.
Direct upgrade is only available from Acronis Backup 12.5 Update 4 (build 12730 and later). Other
product versions cannot be upgraded directly. For more information about the available upgrade
options, refer to this KB article: https://kb.acronis.com/content/65178.
Note
We recommend that you back up your system before upgrading. This will allow you to roll back to
the original configuration in case of upgrade failure.
The management server in Acronis Cyber Protect 15 is backward compatible and supports the
version 12.5 agents. However, these agents do not support the Cyber Protect features.
Upgrading agents does not interfere with existing backups and their settings.
If you want to remove all of the product components from a machine, follow the steps described
below.
Warning!
In on-premises deployments, be very careful when selecting the components to uninstall.
If you uninstall the management server by mistake, the Cyber Protect web console will become
unavailable and you will no longer be able to back up and recover the machines that were
registered on the uninstalled management server.
However, if during this operation the connection to the management server is lost – due to a
network problem, for example – the agent might be uninstalled but its machine might still be shown
in the web console. In this case, you need to remove the machine from the web console manually.
An administrator can minimize the network bandwidth traffic by selecting one or several agents in
the environment and assigning the Updater role to them. Thus, the dedicated agents will connect to
the Internet and download updates. All other agents will connect to the dedicated updater agents
by using peer-to-peer technology, and then download the updates from them.
The agents without the Updater role will connect to the Internet if there is no dedicated updater
agent in the environment, or if the connection to a dedicated updater agent cannot be established
for about five minutes.
Before assigning the Updater role to an agent, ensure that the machine on which the agent runs is
powerful enough, and has a stable high-speed Internet connection and enough disk space.
1. On the agent machine where you plan to enable the Updater role, apply the following firewall rules:
• Inbound (incoming) "updater_incoming_tcp_ports": allow connection to TCP ports 18018 and
6888 for all firewall profiles (public, private, and domain).
• Inbound (incoming) "updater_incoming_udp_ports": allow connection to UDP port 6888 for all
firewall profiles (public, private, and domain).
2. Restart the Acronis Agent Core Service.
3. Restart the Firewall Service.
If you do not apply these rules and the firewall is enabled, peer agents will download the updates
from the Cloud.
1. The agent with the Updater role checks the index file on schedule to update the core
components.
2. The agent with the Updater role starts to download and distribute updates to all agents.
You can assign the Updater role to multiple agents in the environment. Thus, if an agent with the
Updater role is offline, other agents with this role can serve as the source for definition updates.
The following diagram illustrates the options for downloading protection updates. To the left, an
agent is assigned the Updater role. That agent connects to the Internet to download the protection
updates, and its peer agents connect to the Updater agent to obtain the latest updates. To the right,
• Antimalware
• Vulnerability assessment
• Patch management
To change the definition updates setting, navigate to Settings > Protection > Protection
definitions update > Schedule.
Schedule type:
1. On the management server machine, modify the atp-database-mirror.json file to set the
enable_user_config option to true.
• On Windows machines: %programdata%\Acronis\AtpDatabaseMirror\atp-database-mirror.json
• On Linux machines: /var/lib/Acronis/AtpDatabaseMirror/atp-database-mirror.json
{
    "sysconfig":
    {
        ...
        "enable_user_config": true
    }
    ...
}
2. Modify the config.json file to configure the location to which you want to download protection
definitions.
• On Windows machines: %programdata%\Acronis\AtpDatabaseMirror\config.json
• On Linux machines: /var/lib/Acronis/AtpDatabaseMirror/config.json
By default, the configuration file is empty. Enter the following value in the file:
"mirror_temp_dir": "<path_to_download_cyber_protect_database>"
For example:
{
    "mirror_temp_dir": "C:\\temp"
}
The path that you enter can be absolute or relative from the app data directory.
If the folder cannot be created or the management server cannot write to the selected directory, the
default location will be used.
In Outdated update files and patch management data, specify after what period to remove
cached data.
• Updater role – define storage size for cache on the machines with the Updater role.
• Other roles – define storage size for cache on other machines.
• The Cloud
The protection agents connect to the Internet and download the latest protection definitions
from the Acronis Cloud. By default, all agents that are registered on the management server
check for updates and distribute them. For more information about the Updater role, refer to
"Protection settings" (p. 146) section above.
• Cyber Protect Management Server
When this option is selected, the agents do not need access to the Internet. They only connect to
the management server where the protection definitions are stored. However, the management
server needs to be connected to the Internet in order to download the latest protection
definitions.
• Custom web servers
This option is intended for troubleshooting and testing purposes only. You need to select it only
when instructed to do so by the Acronis support team. The support team will also provide you
with the URLs that you must specify in the following fields:
◦ Antivirus and antimalware definitions
◦ Advanced detection definitions
◦ Vulnerability assessment and patch management definitions
Both the HTTP and the HTTPS protocols are supported on the same TCP port, which can be
configured during the management server installation. The default port is 9877.
You can configure the management server to prohibit accessing the Cyber Protect web console via
HTTP and to use a third-party SSL certificate.
In any case, your account must be in the list of the management server administrators. By default,
this list contains the Administrators group on the machine running the management server. For
more information, refer to "Administrators and units".
{
"type": "sspi",
4. Navigate to the "checksum" section, and then change the "sum" value as follows:
"sum": "FWY/8e8C6c0AgNl0BfCrjgT4v2uj7RQNmaIYbwbjpzU="
5. Restart Acronis Service Manager Service as described in "Using a certificate issued by a trusted
certificate authority."
If your account was created by the backup administrator, you need to activate the account and set
the password by clicking the link in your activation email.
We recommend configuring your web browser for Integrated Windows Authentication. Otherwise,
the browser will ask for a user name and password.
Otherwise, add the console's login page to the list of Trusted sites and enable the Automatic
logon with current user name and password setting.
The step-by-step instructions are provided later in this section. Because these browsers use
Windows settings, it is also possible to configure them by using Group Policy in an Active Directory
domain.
• To configure a protection agent that uses a self-signed Secure Socket Layer (SSL) certificate
generated by the management server.
• To change the self-signed SSL certificate generated by the management server to a certificate
issued by a trusted certificate authority, such as GoDaddy, Comodo, or GlobalSign. If you do this,
the certificate used by the management server will be trusted on any machine. The browser
security alert will not appear when logging in to the Cyber Protect web console by using the
HTTPS protocol.
Optionally, you can configure the management server to prohibit accessing the Cyber Protect web
console via HTTP, by redirecting all users to HTTPS.
1. On the machine with the agent, open the file /etc/Acronis/BackupAndRecovery.config for
editing.
2. Navigate to the CurlOptions key and set the value for VerifyPeer to 0. Ensure that the value for
VerifyHost is also set to 0.
3. Save your edits.
4. Restart the Managed Machine Service (MMS) by executing the following command in any
directory:
1. On the machine with the agent, stop the Managed Machine Service (MMS):
a. Go to Applications > Utilities > Terminal
b. Run the following command:
"tls": {
    "cert_file": "cert.pem",
    "key_file": "key.pem",
    "passphrase": "",
    "auto_redirect": false
}
5. Between the quotation marks in the "cert_file" line, specify the full path to the certificate file.
For example:
• In Windows (note the forward slashes): "cert_file": "C:/certificate/local-domain.ams.pem"
• In Linux: "cert_file": "/home/user/local-domain.ams.pem"
6. Between the quotation marks in the "key_file" line, specify the full path to the private key file.
For example:
• In Windows (note the forward slashes): "key_file": "C:/certificate/private.key"
• In Linux: "key_file": "/home/user/private.key"
7. If the private key is encrypted, between the quotation marks in the "passphrase" line, specify the
private key passphrase. For example: "passphrase": "my secret passphrase"
8. If you want to prohibit accessing the Cyber Protect web console via HTTP, by redirecting all users
to HTTPS, change the "auto_redirect" value from false to true. Otherwise, skip this step.
9. Save the api_gateway.json file.
Important
Please be careful and do not accidentally delete any commas, brackets, and quotation marks in
the configuration file.
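Once the management server uses a CA-issued certificate, both ends of the connection can be audited: the "tls" block edited in the steps above, and agents that still have VerifyPeer and VerifyHost set to 0 from the self-signed setup. The following is an added example, not Acronis code. The function names are hypothetical, the samples are constructed, and the agent file is assumed to use the same key/value layout that this guide shows for the HttpProxy key.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath


def find_tls_blocks(node):
    """Yield every object stored under a "tls" key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "tls" and isinstance(value, dict):
                yield value
            else:
                yield from find_tls_blocks(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_tls_blocks(item)


def is_full_path(path):
    """True for an absolute POSIX path or a Windows path with drive and root."""
    return PurePosixPath(path).is_absolute() or PureWindowsPath(path).is_absolute()


def audit_gateway_tls(json_text):
    """Return finding codes for the "tls" block of an api_gateway.json document."""
    blocks = list(find_tls_blocks(json.loads(json_text)))
    if not blocks:
        return ["no-tls-block"]
    findings = []
    for tls in blocks:
        for field in ("cert_file", "key_file"):
            value = str(tls.get(field) or "")
            if "\\" in value:          # the steps call for forward slashes
                findings.append(field + "-uses-backslashes")
            if not is_full_path(value):  # the steps call for the full path
                findings.append(field + "-not-full-path")
        if tls.get("auto_redirect") is not True:
            findings.append("http-not-redirected")
        if tls.get("passphrase"):
            # The key passphrase sits in clear text: review file permissions.
            findings.append("passphrase-stored-in-config")
    return findings


def audit_agent_curl_options(config_text):
    """Return finding codes for the CurlOptions key of an agent config file."""
    findings = []
    root = ET.fromstring(config_text)
    for key in root.iter("key"):
        if key.get("name") != "CurlOptions":
            continue
        for value in key.iter("value"):
            setting = (value.text or "").strip().strip('"')
            if value.get("name") in ("VerifyPeer", "VerifyHost") and setting == "0":
                findings.append(value.get("name") + "-disabled")
    return findings


# Constructed sample: the default "tls" block from the steps above, wrapped in an object.
DEFAULT_GATEWAY = """{"tls": {"cert_file": "cert.pem", "key_file": "key.pem",
                     "passphrase": "", "auto_redirect": false}}"""

# Constructed sample: the same block after steps 5-8, with the Linux example paths.
HARDENED_GATEWAY = """{"tls": {"cert_file": "/home/user/local-domain.ams.pem",
                      "key_file": "/home/user/private.key",
                      "passphrase": "", "auto_redirect": true}}"""

# Constructed sample: an agent configured for the self-signed certificate.
# Assumed layout, modelled on the HttpProxy key shown earlier in this guide.
SELF_SIGNED_AGENT = """<registry name="Global">
  <key name="CurlOptions">
    <value name="VerifyPeer" type="Tdword">"0"</value>
    <value name="VerifyHost" type="Tdword">"0"</value>
  </key>
</registry>"""

if __name__ == "__main__":
    print("default gateway :", audit_gateway_tls(DEFAULT_GATEWAY))
    print("hardened gateway:", audit_gateway_tls(HARDENED_GATEWAY))
    print("agent           :", audit_agent_curl_options(SELF_SIGNED_AGENT))
```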
1. In the Start menu, click Run, and then type: cmd
2. Click OK.
3. Run the following commands:
The table view is enabled automatically when the number of machines becomes large.
Both views provide access to the same features and operations. This document describes access to
operations from the table view.
• Backup – allows you to back up your data sources to local or cloud storage.
• Antivirus & Antimalware protection – allows you to check your machines with the built-in
antimalware solution.
• URL filtering – allows you to protect your machines from threats coming from the Internet by
blocking access to malicious URLs and content to be downloaded.
• Windows Defender Antivirus – allows you to manage the settings of Windows Defender Antivirus
to protect your environment.
• Microsoft Security Essentials – allows you to manage the settings of Microsoft Security Essentials
to protect your environment.
• Vulnerability assessment – automatically checks the Microsoft and third-party products installed
on your machines for vulnerabilities and notifies you about them.
• Patch management – allows you to install patches and updates for the Microsoft and third-party
products on your machines to close the discovered vulnerabilities.
• Data protection map – allows you to discover the data in order to monitor the protection status
of important files.
The protection plan allows you to protect your data sources completely from external and internal
threats. By enabling and disabling different modules and setting up the module settings, you can
build flexible plans satisfying various business needs.
1. In the Cyber Protect web console, go to Devices > All devices.
2. Select the machines that you want to protect.
3. Click Protect, and then click Create plan. You will see the protection plan with the default
settings.
The Backup, Antivirus & Antimalware protection, Vulnerability assessment, Patch management, and
Data protection map modules can be performed on demand by clicking Run now.
• Create a new plan, apply it, and disable all already applied conflicting plans.
• Create a new plan and disable it.
When you edit a plan on a device or devices with already applied plans that conflict with the
changes made, you can resolve the conflict in one of the following ways:
• Save changes to the plan and disable all already applied conflicting plans.
• Save changes to the plan and disable it.
License issue
The assigned quota on a device must be appropriate for the protection plan to be performed,
updated, or applied. To resolve the license issue, do one of the following:
l Disable the modules that are unsupported by the assigned quota and continue using the
protection plan.
l Change the assigned quota manually: go to Devices > <Particular device> > Details > Service
quota. Then, revoke the existing quota and assign a new one.
l Rename a plan
l Enable/disable modules and edit each module's settings
l Enable/disable a plan
A disabled plan will not be carried out on the device to which it is applied.
This action is convenient for administrators who intend to protect the same device with the same
plan later. The plan is not revoked from the device and to restore the protection, the
administrator must only re-enable the plan.
l Apply a plan to devices or group of devices
l Revoke a plan from a device
A revoked plan is not applied to a device anymore.
This action is convenient for administrators who do not need to quickly protect the same device
with the same plan again. To restore the protection of a revoked plan, the administrator must
know the name of this plan, select it from the list of available plans, and then re-apply it to the
desired device.
l Import/export a plan
Note
You can only import protection plans created in Acronis Cyber Protect 15. Protection plans
created in older versions are incompatible with Acronis Cyber Protect 15.
l Delete a plan
1. If you want to edit the protection plan for all machines to which it is applied, select one of these
machines. Otherwise, select the machines for which you want to edit the protection plan.
2. Click Protect.
3. Select the protection plan that you want to edit.
4. Click the ellipsis icon next to the protection plan name, and then click Edit.
5. To modify the plan parameters, click the corresponding section of the protection plan panel.
6. Click Save changes.
7. To change the protection plan for all machines to which it is applied, click Apply the changes to
this protection plan. Otherwise, click Create a new protection plan only for the selected
devices.
1. Select the machines that you want to revoke the protection plan from.
2. Click Protect.
3. If several protection plans are applied to the machines, select the protection plan that you want
to revoke.
4. Click the ellipsis icon next to the protection plan name, and then click Revoke.
1. Select any machine to which the protection plan that you want to delete is applied.
2. Click Protect.
3. If several protection plans are applied to the machine, select the protection plan that you want to
delete.
4. Click the ellipsis icon next to the protection plan name, and then click Delete.
As a result, the protection plan is revoked from all of the machines and completely removed
from the web interface.
A protection plan can be applied to multiple machines at the time of its creation, or later.
Note
In on-premises deployments, if only the Standard licenses are present on the management server, a
protection plan cannot be applied to multiple physical machines. Each physical machine must have
its own protection plan.
To create the first protection plan with the Backup module enabled
The following table summarizes the available Backup module parameters. Use the table to create a
protection plan that best fits your needs.
ITEMS TO SCHEDULE
Network folder
SFTP server*
selection
(physical NFS* incremental
Policy rules
machines) (Single-file)*
Secure Zone*
File filters
Always full
Managed
location* Weekly full, Daily
incremental
Tape device*
Monthly full,
Cloud Weekly
Local folder
differential, Daily
Network folder incremental
(GFS)
Disks/volumes Policy rules SFTP server*
Custom (F-D-I)
(virtual machines) File filters NFS*
Managed
location*
rule/per backup set)
Tape device*
By number of backups
location* incremental
(GFS)
Tape device
Always
Local folder incremental
(Single-file)*
Direct Network folder
ESXi configuration Custom (F-D-I)
selection SFTP server
NFS*
Managed
location*
databases selection
Exchange Direct
Cloud
mailboxes selection
Local folder Always
Network folder incremental
(Single-file)
Managed By backup age (single
location* rule/per backup set)
Office 365 Direct
mailboxes selection By number of backups
Keep indefinitely
7.1.1 Limitations
NFS
l Backup to NFS shares is not available in Windows.
l The Always incremental (single-file) backup scheme for Files (physical machines) is not
available when backing up to NFS shares.
Managed location
l A managed location with enabled deduplication or encryption cannot be selected as the
destination:
o If the backup scheme is set to Always incremental (single-file)
o If the backup format is set to Version 12
o For disk-level backups of machines running macOS
o For backups of Exchange mailboxes and Office 365 mailboxes.
l The By total size of backups retention rule is not available for a managed location with enabled
deduplication.
A file-level backup is not sufficient for recovery of the operating system. Choose file backup if you
plan to protect only certain data (the current project, for example). This will reduce the backup size,
thus saving storage space.
There are two ways of selecting files: directly on each machine or by using policy rules. Either
method allows you to further refine the selection by setting the file filters.
Direct selection
1. In What to back up, select Files/folders.
2. Click Items to back up.
3. In Select items for backup, select Directly.
4. For each of the machines included in the protection plan:
a. Click Select files and folders.
b. Click Local folder or Network folder.
The share must be accessible from the selected machine.
c. Browse to the required files/folders or enter the path and click the arrow button. If prompted,
specify the user name and password for the shared folder.
Backing up a folder with anonymous access is not supported.
d. Select the required files/folders.
e. Click Done.
Examples:
Note
The OneDrive root folder is excluded from backup operations by default. If you select to back up
specific OneDrive files and folders, they will be backed up. Files that are not available on the device
will have invalid contents in the archive.
There are two ways of selecting disks/volumes: directly on each machine or by using policy rules.
You can exclude files from a disk backup by setting the file filters.
Direct selection
Direct selection is available only for physical machines. To enable direct selection of disks and
volumes on a virtual machine, you must install the Cyber Protection agent in its guest operating
system.
To select a logical volume, specify its path as it appears after running the ls /dev/mapper command
under the root account. For example:
This output shows two logical volumes, lv1 and lv2, that belong to the volume group vg_1. To back
up these volumes, enter:
/dev/mapper/vg_1-lv1
/dev/mapper/vg_1-lv2
With the sector-by-sector (raw mode) backup option enabled, a disk backup stores all the disk
sectors. The sector-by-sector backup can be used for backing up disks with unrecognized or
unsupported file systems and other proprietary data formats.
Windows
A volume backup stores all files and folders of the selected volume independent of their attributes
(including hidden and system files), the boot record, the file allocation table (FAT) if it exists, the root
and the zero track of the hard disk with the master boot record (MBR).
A disk backup stores all volumes of the selected disk (including hidden volumes such as the vendor's
maintenance partitions) and the zero track with the master boot record.
The following items are not included in a disk or volume backup (as well as in a file-level backup):
l The swap file (pagefile.sys) and the file that keeps the RAM content when the machine goes into
hibernation (hiberfil.sys). After recovery, the files will be re-created in the appropriate place with
the zero size.
l If the backup is performed under the operating system (as opposed to bootable media or backing
up virtual machines at a hypervisor level):
o Windows shadow storage. The path to it is determined in the registry value VSS Default
Provider which can be found in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup.
This means that in operating systems starting with Windows Vista, Windows Restore Points are
not backed up.
o If the Volume Shadow Copy Service (VSS) backup option is enabled, files and folders that are
specified in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot
registry key.
Linux
A volume backup stores all files and directories of the selected volume independent of their
attributes, a boot record, and the file system super block.
A disk backup stores all disk volumes as well as the zero track with the master boot record.
Mac
A disk or volume backup stores all files and directories of the selected disk or volume, plus a
description of the volume layout.
l System metadata, such as the file system journal and Spotlight index
l The Trash
l Time machine backups
Physically, disks and volumes on a Mac are backed up at a file level. Bare metal recovery from disk
and volume backups is possible, but the sector-by-sector backup mode is not available.
The virtual machines running on the host are not included in the backup. They can be backed up
and recovered separately.
Prerequisites
l SSH must be enabled in the Security Profile of the ESXi host configuration.
l You must know the password for the 'root' account on the ESXi host.
Limitations
l ESXi configuration backup is not supported for VMware vSphere 7.0.
l An ESXi configuration cannot be backed up to the cloud storage.
1. Click Devices > All devices, and then select the ESXi hosts that you want to back up.
2. Click Backup.
3. In What to back up, select ESXi configuration.
4. In ESXi 'root' password, specify a password for the 'root' account on each of the selected hosts
or apply the same password to all of the hosts.
You can select particular files for continuous data protection from the data selected for a backup.
The system will back up every change of these files. You can recover these files to the last change
time.
Currently, the Continuous data protection functionality is supported for the following operating
systems:
The supported file system: NTFS only, local folders only (shared folders are not supported).
The Continuous data protection option is not compatible with the Application backup option.
How it works
Let's call the backup that is created on a continuous basis the CDP backup. For the CDP backup to be
created, a full backup or an incremental backup must be created first.
When you first run the protection plan with the Backup module and Continuous data protection
enabled, a full backup is created first. Right after that, the CDP backup for the selected or changed
files/folders is created. The CDP backup always contains the data that you selected, in its latest state.
When you make changes to the selected files/folders, no new CDP backup is created; all changes are
recorded to the same CDP backup.
When the time comes for a scheduled incremental backup, the CDP backup is dropped, and a new
CDP backup is created after the incremental backup is done.
Thus, the CDP backup always stays as the latest backup in the backup chain having the latest actual
state of the protected files/folders.
The following backup destinations are supported for continuous data protection:
l Local folder
l Network folder
l Location defined by a script
l Cloud storage
l Acronis Cyber Infrastructure
l You can select the applications from the predefined categories or specify other applications by
defining the path to the application executable file. Use one of the following formats:
C:\Program Files\Microsoft Office\Office16\WINWORD.EXE
1. Machine to browse from – specify the machine whose files/folders you want to select for
continuous data protection.
Click Select files and folders to select files/folders on the specified machine.
In the text field, you can also specify rules for selecting files/folders that will be backed up. For
more details on how to define rules, refer to "Selecting files/folders". When ready, click Done.
2. Click Create.
As a result, the protection plan with continuous data protection enabled will be assigned to the
selected machine. After the first regular backup, backups with the latest copy of the
CDP-protected data will be created on a continuous basis. Both the data defined via Applications
and the data defined via Files/folders will be backed up.
Continuously backed-up data are retained according to the retention policy defined for the Backup
module.
You can recover either an entire machine or files/folders from a CDP backup. In the first case, you
will get an entire machine in the latest state; in the second case, files/folders in the latest state.
Important
Backup to Acronis Cyber Infrastructure is not available for macOS machines.
// JScript: backslashes are escaped inside the string literal
WScript.echo("\\\\bkpsrv\\" + WScript.CreateObject("WScript.Network").ComputerName);
o The following VBScript script outputs the backup location for a machine in the format
\\bkpsrv\<machine name>:
' VBScript: no backslash escaping and no statement terminator
WScript.echo("\\bkpsrv\" + WScript.CreateObject("WScript.Network").ComputerName)
As a result, the backups of each machine will be saved in a folder of the same name on the server
bkpsrv.
Should the disk experience a physical failure, the backups located in the Secure Zone may be lost.
That's why Secure Zone should not be the only location where a backup is stored. In enterprise
environments, Secure Zone can be thought of as an intermediate location used for backup when an
ordinary location is temporarily unavailable or connected through a slow or busy channel.
l Enables recovery of a disk to the same disk where the disk's backup resides.
l Offers a cost-effective and handy method for protecting data from software malfunction, virus
attack, and human error.
l Eliminates the need for a separate media or network connection to back up or recover the data.
This is especially useful for roaming users.
l Can serve as a primary destination when using replication of backups.
As is apparent from the above, specifying the maximum possible Secure Zone size is not advisable.
You will end up with no free space on any volume, which might cause the operating system or
applications to work unstably and even fail to start.
Important
Moving or resizing the volume from which the system is booted requires a reboot.
1 A new backup format, in which the initial full and subsequent incremental backups are saved to a single .tib file,
instead of a chain of files. This format leverages the speed of the incremental backup method, while avoiding its main
disadvantage–difficult deletion of outdated backups. The software marks the blocks used by outdated backups as
"free" and writes new backups to these blocks. This results in extremely fast cleanup, with minimal resource
consumption. The single-file backup format is not available when backing up to locations that do not support random-
access reads and writes, for example, SFTP servers.
6. [Optional] Enable the Password protection switch and specify a password.
The password will be required to access the backups located in Secure Zone. Backing up to
Secure Zone does not require a password, unless the backup is performed under bootable
media.
7. Click Create.
The software displays the expected partition layout. Click OK.
8. Wait while the software creates Secure Zone.
You can now choose Secure Zone in Where to back up when creating a protection plan.
As a result, Secure Zone will be deleted along with all backups stored in it.
Deployment
In order to use Acronis Cyber Infrastructure, deploy it on bare metal on your premises. At least five
physical servers are recommended to take full advantage of the product. If you only need the
gateway functionality, you can use one physical or virtual server, or configure a gateway cluster with
as many servers as you want.
Ensure that the time settings are synchronized between the management server and Acronis Cyber
Infrastructure. The time settings for Acronis Cyber Infrastructure can be configured during
deployment. Time synchronization via Network Time Protocol (NTP) is enabled by default.
You can deploy several instances of Acronis Cyber Infrastructure and register them on the same
management server.
Registration
The registration is performed in the Acronis Cyber Infrastructure web interface. Acronis Cyber
Infrastructure can be registered only by organization administrators and only in the organization.
Once registered, the storage becomes available to all of the organization units. It can be added as a
backup location to any unit or to the organization.
The reverse operation (deregistration) is performed in the Acronis Cyber Protect interface. Click
Settings > Storage nodes, click the required Acronis Cyber Infrastructure, and then click Delete.
When adding a location, you create and enter its name. Should you need to add an existing location
to a new or different management server, select the Use an existing location... check box, click
Browse, and then select the location from the list.
If several instances of Acronis Cyber Infrastructure are registered on the management server, it is
possible to select an Acronis Cyber Infrastructure instance when adding a location.
Access to Acronis Cyber Infrastructure via the command-line interface is not available.
In terms of available backup schemes and operations with backups, Acronis Cyber Infrastructure is
similar to the cloud storage. The only difference is that backups can be replicated from Acronis
Cyber Infrastructure during execution of a protection plan.
Documentation
The full set of the Acronis Cyber Infrastructure documentation is available on the Acronis web site.
7.5 Schedule
Important
Some of the features described in this section are only available for on-premises deployments.
The schedule employs the time settings (including the time zone) of the operating system where the
agent is installed. The time zone of Agent for VMware (Virtual Appliance) can be configured in the
agent's interface.
For example, if a protection plan is scheduled to run at 21:00 and applied to several machines
located in different time zones, the backup will start on each machine at 21:00 local time.
If you want to change the backup frequency, move the slider, and then specify the backup schedule.
You can schedule the backup to run by events, instead of by time. To do this, select the event type in
the schedule selector. For more information, refer to "Schedule by events".
Important
The first backup is full, which means that it is the most time-consuming. All subsequent backups are
incremental and take significantly less time.
With any backup scheme, you can schedule the backup to run by events, instead of by time. To do
this, select the event type in the schedule selector. For more information, refer to "Schedule by
events".
l Specify the backup start conditions, so that a scheduled backup is performed only if the
conditions are met. For more information, refer to "Start conditions".
l Set a date range for when the schedule is effective. Select the Run the plan within a date range
check box, and then specify the date range.
l Disable the schedule. While the schedule is disabled, the retention rules are not applied unless a
backup is started manually.
l Introduce a delay from the scheduled time. The delay value for each machine is selected
randomly and ranges from zero to the maximum value you specify. You may want to use this
setting when backing up multiple machines to a network location, to avoid excessive network
load.
Click the gear icon, then Backup options > Scheduling. Select Distribute backup start times
within a time window, and then specify the maximum delay. The delay value for each machine
is determined when the protection plan is applied to the machine and remains the same until you
edit the protection plan and change the maximum delay value.
Note
In cloud deployments, this option is enabled by default, with the maximum delay set to 30
minutes. In on-premises deployments, by default all backups start exactly as scheduled.
Note
Because the schedule is based on a successful backup event, if a backup fails, the scheduler will
not run the job again until an operator runs the plan manually and the run completes
successfully.
Note
The backup will not run at a system shutdown because shutting down is not the same as logging
off.
The table below lists the events available for various data under Windows, Linux, and macOS.
Disks/volumes (virtual machines) | Windows, Linux | – | – | – | – | –
ESXi configuration | Windows, Linux | – | – | – | – | –
Office 365 mailboxes | Windows | – | – | – | – | Windows
Exchange databases and mailboxes | Windows | – | – | – | – | Windows
For example, you may want to set up a protection plan that will automatically perform an
emergency full backup of your data as soon as Windows discovers that your hard disk drive is about
to fail.
To browse the events and view the event properties, use the Event Viewer snap-in available in the
Computer Management console. To be able to open the Security log, you must be a member of
the Administrators group.
Event properties
Log name
Specifies the name of the log. Select the name of a standard log (Application, Security, or
System) from the list, or type a log name—for example: Microsoft Office Sessions
Event source
Specifies the event source, which typically indicates the program or the system component
that caused the event—for example: disk
Any event source that contains the specified string will trigger the scheduled backup. This
option is not case sensitive. Thus, if you specify the string service, both Service Control Manager
and Time-Service event sources will trigger a backup.
Event type
Event ID
Specifies the event number, which typically identifies the particular kind of events among
events from the same source.
For example, an Error event with Event source disk and Event ID 7 occurs when Windows
discovers a bad block on a disk, whereas an Error event with Event source disk and Event ID 15
occurs when a disk is not ready for access yet.
When Windows detects a bad block on a hard disk, it records an event with the event source disk
and the event number 7 into the System log; the type of this event is Error.
When creating the plan, type or select the following in the Schedule section:
Important
To ensure that such a backup will complete despite the presence of bad blocks, you must make the
backup ignore bad blocks. To do this, in Backup options, go to Error handling, and then select the
Ignore bad sectors check box.
To access these settings, click Show more when setting up a schedule for a protection plan.
The scheduler behavior, in case the condition (or any of multiple conditions) is not met, is defined by
the Backup start conditions backup option. To handle the situation when the conditions are not met
for too long and further delaying the backup is becoming risky, you can set the time interval after
which the backup will run irrespective of the condition.
The table below lists the start conditions available for various data under Windows, Linux, and
macOS.
User is idle | Windows | – | – | – | – | –
The backup location's host is available | Windows, Linux, macOS | Windows, Linux | Windows, Linux | Windows | Windows | Windows
Users logged off | Windows | – | – | – | – | –
Save battery power | Windows | – | – | – | – | –
Do not start when on metered connection | Windows | – | – | – | – | –
Do not start when connected to the following Wi-Fi networks | Windows | – | – | – | – | –
Check device IP address | Windows | – | – | – | – | –
User is idle
"User is idle" means that a screen saver is running on the machine or the machine is locked.
As a result,
(1) If the user becomes idle before 21:00, the backup will start at 21:00.
(2) If the user becomes idle between 21:00 and 23:00, the backup will start immediately after the
user becomes idle.
(3) If the user is still active at 23:00, the backup will start at 23:00.
This condition is effective for network folders, the cloud storage, and locations managed by a
storage node.
This condition does not cover the availability of the location itself — only the host availability. For
example, if the host is available, but the network folder on this host is not shared or the credentials
for the folder are no longer valid, the condition is still considered met.
Example
Data is backed up to a network folder every workday at 21:00. If the machine that hosts the folder is
not available at that moment (for instance, due to maintenance work), you want to skip the backup
and wait for the scheduled start on the next workday.
As a result:
(1) If 21:00 comes and the host is available, the backup will start immediately.
(2) If 21:00 comes but the host is unavailable, the backup will start on the next workday if the host is
available.
(3) If the host is never available on workdays at 21:00, the backup will never start.
Example
Run the backup at 20:00 every Friday, preferably when all users are logged off. If one of the users is
still logged on at 23:00, run the backup anyway.
As a result:
(1) If all users are logged off at 20:00, the backup will start at 20:00.
(2) If the last user logs off between 20:00 and 23:00, the backup will start immediately after the user
logs off.
(3) If any user is still logged on at 23:00, the backup will start at 23:00.
Example
A company uses different locations on the same network-attached storage for backing up users'
data and servers. The workday starts at 08:00 and ends at 17:00. Users' data should be backed up as
soon as the users log off, but not earlier than 16:30. Every day at 23:00 the company's servers are
backed up. So, all the users' data should preferably be backed up before this time, in order to free
network bandwidth. It is assumed that backing up user's data takes no more than one hour, so the
latest backup start time is 22:00. If a user is still logged on within the specified time interval, or logs
off at any other time – do not back up the users' data, i.e., skip backup execution.
l Event: When a user logs off the system. Specify the user account: Any user.
l Condition: Fits the time interval from 16:30 to 22:00.
l Backup start conditions: Skip the scheduled backup.
As a result:
(1) If the user logs off between 16:30 and 22:00, the backup will start immediately following the
logging off.
(2) If the user logs off at any other time, the backup will be skipped.
Example
Data is backed up every workday at 21:00. If the device is not connected to a power source (for
instance, the user is attending a late meeting), you want to skip the backup to save the battery
power and wait until the user connects the device to a power source.
As a result:
(1) If 21:00 comes and the device is connected to a power source, the backup will start immediately.
(2) If 21:00 comes and the device is running on battery power, the backup will start as soon as the
device is connected to a power source.
As an additional measure to prevent backups over mobile hotspots, when you enable the Do not
start when on metered connection condition, the condition Do not start when connected to
the following Wi-Fi networks is enabled automatically. The following network names are specified
by default: "android", "phone", "mobile", and "modem". You can delete these names from the list by
clicking on the X sign.
Example
Data is backed up every workday at 21:00. If the device is connected to the Internet by using a
metered connection (for instance, the user is on a business trip), you want to skip the backup to
save the network traffic and wait for the scheduled start on the next workday.
As a result:
(1) If 21:00 comes and the device is not connected to the Internet by using a metered connection,
the backup will start immediately.
(2) If 21:00 comes and the device is connected to the Internet by using a metered connection, the
backup will start on the next workday.
(3) If the device is always connected to the Internet by using a metered connection on workdays at
21:00, the backup will never start.
The restriction applies to all networks that contain the specified name as a substring in their name,
case-insensitive. For example, if you specify "phone" as the network name, the backup will not start
when the device is connected to any of the following networks: "John's iPhone", "phone_wifi", or
"my_PHONE_wifi".
This condition is useful to prevent backups when the device is connected to the Internet by using a
mobile phone hotspot.
As an additional measure to prevent backups over mobile hotspots, the Do not start when
connected to the following Wi-Fi condition is enabled automatically when you enable the Do not
start when on metered connection condition. The following network names are specified by
default: "android", "phone", "mobile", and "modem". You can delete these names from the list by
clicking on the X sign.
Example
Data is backed up every workday at 21:00. If the device is connected to the Internet by using a
mobile hotspot (for example, a laptop is connected in the tethering mode), you want to skip the
backup and wait for the scheduled start on the next workday.
As a result:
(1) If 21:00 comes and the machine is not connected to the specified network, the backup will start
immediately.
(3) If the machine is always connected to the specified network on workdays at 21:00, the backup
will never start.
With either option, you can specify several ranges. Only IPv4 addresses are supported.
This condition is useful in the event of a user being overseas, to avoid large data transit charges.
Also, it helps to prevent backups over a Virtual Private Network (VPN) connection.
Example
Data is backed up every workday at 21:00. If the device is connected to the corporate network by
using a VPN tunnel (for instance, the user is working from home), you want to skip the backup and
wait until the user brings the device to the office.
As a result:
(1) If 21:00 comes and the machine IP address is not in the specified range, the backup will start
immediately.
(2) If 21:00 comes and the machine IP address is in the specified range, the backup will start as soon
as the device obtains a non-VPN IP address.
(3) If the machine IP address is always in the specified range on workdays at 21:00, the backup will
never start.
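The start-condition behaviour described in this section (start on time, wait, run anyway after an interval, or skip), modelled in Python as an added example that is not Acronis code. The State snapshot, the function names, the on_unmet values, and the sample addresses and dates are assumptions made for the illustration; it goes beyond the individual examples above by evaluating several conditions in one run.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Address
from typing import Callable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class State:
    """Constructed snapshot of a device; it stays in effect until the next one."""
    at: datetime
    user_idle: bool = False
    ssid: Optional[str] = None   # connected Wi-Fi network name, if any
    ip: str = "192.0.2.10"       # constructed documentation-range address


Condition = Callable[[State], bool]


def user_is_idle(state: State) -> bool:
    return state.user_idle


def not_on_wifi(blocked_names: Sequence[str]) -> Condition:
    """Met unless the SSID contains a listed name (substring, case-insensitive)."""
    lowered = [name.lower() for name in blocked_names]

    def check(state: State) -> bool:
        ssid = (state.ssid or "").lower()
        return not any(name in ssid for name in lowered)
    return check


def ip_outside(ranges: Sequence[Tuple[str, str]]) -> Condition:
    """Met when the address is outside every inclusive (first, last) range.

    IPv4Address raises ValueError for non-IPv4 input, matching the page's
    statement that only IPv4 addresses are supported.
    """
    parsed = [(IPv4Address(a), IPv4Address(b)) for a, b in ranges]

    def check(state: State) -> bool:
        address = IPv4Address(state.ip)
        return not any(first <= address <= last for first, last in parsed)
    return check


def backup_start(scheduled: datetime, timeline: Sequence[State],
                 conditions: Sequence[Condition], on_unmet: str = "wait",
                 run_anyway_after: Optional[timedelta] = None) -> Optional[datetime]:
    """Return when this scheduled run starts, or None if it does not start.

    on_unmet="skip" drops the run when any condition is unmet at the
    scheduled time; "wait" holds it until all conditions are met, or until
    scheduled + run_anyway_after if that interval is set.
    """
    if on_unmet not in ("wait", "skip"):
        raise ValueError("on_unmet must be 'wait' or 'skip'")
    states = sorted(timeline, key=lambda s: s.at)

    def all_met(state: State) -> bool:
        return all(condition(state) for condition in conditions)

    # State in effect at the scheduled time: the last snapshot at or before it.
    current = None
    for state in states:
        if state.at <= scheduled:
            current = state
    if current is not None and all_met(current):
        return scheduled
    if on_unmet == "skip":
        return None

    deadline = scheduled + run_anyway_after if run_anyway_after is not None else None
    for state in states:
        if state.at > scheduled and all_met(state):
            if deadline is not None and state.at > deadline:
                break
            return state.at
    return deadline  # None means the run never starts within this timeline


if __name__ == "__main__":
    day = datetime(2024, 3, 4)  # constructed date
    timeline = [State(day.replace(hour=20), user_idle=False, ssid="John's iPhone"),
                State(day.replace(hour=22, minute=10), user_idle=True, ssid="office")]
    rules = [user_is_idle, not_on_wifi(["android", "phone", "mobile", "modem"])]
    print(backup_start(day.replace(hour=21), timeline, rules,
                       run_anyway_after=timedelta(hours=2)))
```

The model evaluates one scheduled run only; it does not roll a skipped run over to the next workday.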
1 A group of backups to which an individual retention rule can be applied. For the Custom backup scheme, the backup
sets correspond to the backup methods (Full, Differential, and Incremental). In all other cases, the backup sets are
Monthly, Daily, Weekly, and Hourly. A monthly backup is the first backup created after a month starts. A weekly
backup is the first backup created on the day of the week selected in the Weekly backup option (click the gear icon,
then Backup options > Weekly backup). If a weekly backup is the first backup created after a month starts, this backup
is considered monthly. In this case, a weekly backup will be created on the selected day of the next week. A daily
backup is the first backup created after a day starts, unless this backup falls within the definition of a monthly or
weekly backup. An hourly backup is the first backup created after an hour starts, unless this backup falls within the
definition of a monthly, weekly, or daily backup.
7.7 Encryption
We recommend that you encrypt all backups that are stored in the cloud storage, especially if your
company is subject to regulatory compliance.
Important
There is no way to recover encrypted backups if you lose or forget the password.
Saving the encryption settings on a machine affects the protection plans in the following way:
• Protection plans that are already applied to the machine. If the encryption settings in a
protection plan are different, the backups will fail.
• Protection plans that will be applied to the machine later. The encryption settings saved on
a machine will override the encryption settings in a protection plan. Any backup will be encrypted,
even if encryption is disabled in the protection plan settings.
This option can be used on a machine running Agent for VMware. However, be careful if you have
more than one Agent for VMware connected to the same vCenter Server. It is mandatory to use the
After the encryption settings are saved, they can be changed or reset as described below.
Important
If a protection plan that runs on this machine has already created backups, changing the encryption
settings will cause this plan to fail. To continue backing up, create a new plan.
1. Log on as an administrator (in Windows) or the root user (in Linux).
2. Run the following script:
• In Windows: <installation_path>\PyShell\bin\acropsh.exe -m manage_creds --set-password <encryption_password>
Here, <installation_path> is the protection agent installation path. By default, it is
%ProgramFiles%\BackupClient in cloud deployments and %ProgramFiles%\Acronis in
on-premises deployments.
• In Linux: /usr/sbin/acropsh -m manage_creds --set-password <encryption_password>
The encryption key is then encrypted with AES-256 using an SHA-256 hash of the password as a key.
The password itself is not stored anywhere on the disk or in the backups; the password hash is used
for verification purposes. With this two-level security, the backup data is protected from any
unauthorized access, but recovering a lost password is not possible.
7.8 Notarization
Notarization enables you to prove that a file is authentic and unchanged since it was backed up. We
recommend that you enable notarization when backing up your legal document files or other files
that require proved authenticity.
Notarization is available only for file-level backups. Files that have a digital signature are skipped,
because they do not need to be notarized.
When configuring recovery, the notarized files will be marked with a special icon, and you can verify
the file authenticity.
When verifying the file authenticity, the agent calculates the hash of the file, and then compares it
with the hash that is stored in the hash tree inside the backup. If these hashes do not match, the file
is considered not authentic. Otherwise, the file authenticity is guaranteed by the hash tree.
To verify that the hash tree itself was not compromised, the agent sends the hash tree root to the
notary service. The notary service compares it with the one stored in the blockchain database. If the
Conversion to a virtual machine is available only for disk-level backups. If a backup includes the
system volume and contains all of the information necessary for the operating system to start, the
resulting virtual machine can start on its own. Otherwise, you can add its virtual disks to another
virtual machine.
To perform a conversion to VMware ESXi, Hyper-V, or Scale Computing HC3, you need an ESXi,
Hyper-V, or Scale Computing HC3 host respectively and a protection agent (Agent for VMware, Agent
for Hyper-V, or Agent for Scale Computing HC3) that manages this host.
Conversion to VHDX files assumes that the files will be connected as virtual disks to a Hyper-V virtual
machine.
The following table summarizes the virtual machine types that can be created by the agents:
VMware ESXi | + | – | – | – | – | –
Microsoft Hyper-V | – | + | – | – | – | –
VMware Workstation | + | + | + | + | – | –
VHDX files | + | + | + | + | – | –
Scale Computing HC3 | – | – | – | – | – | +
Limitations
• Agent for Windows, Agent for VMware (Windows), and Agent for Hyper-V cannot convert backups
stored on NFS.
• Backups stored on NFS or on an SFTP server cannot be converted in a separate conversion plan.
• Backups stored in Secure Zone can be converted only by the agent running on the same machine.
• Backups can be converted to Scale Computing HC3 virtual machine only in a separate conversion
plan.
• Backups that contain Linux logical volumes (LVM) can be converted only if they were created by
Agent for VMware, Agent for Hyper-V, and Agent for Scale Computing HC3 and are directed to the
same hypervisor. Cross-hypervisor conversion is not supported.
• When backups of a Windows machine are converted to VMware Workstation or VHDX files, the
resulting virtual machine inherits the CPU type from the machine that performs the conversion.
As a result, the corresponding CPU drivers are installed in the guest operating system. If started
on a host with a different CPU type, the guest system displays a driver error. Update this driver
manually.
Regular conversion to ESXi and Hyper-V vs. running a virtual machine from a
backup
Both operations provide you with a virtual machine that can be started in seconds if the original
machine fails.
Regular conversion takes CPU and memory resources. Files of the virtual machine constantly occupy
space on the datastore (storage). This may not be practical if a production host is used for
conversion. However, the virtual machine performance is limited only by the host resources.
For information about prerequisites and limitations, please refer to "What you need to know about
conversion".
1. Decide from which backup location you want to perform the conversion.
2. On the protection plan panel, click Convert to VM under this location.
3. Enable the Conversion switch.
4. In Convert to, select the type of the target virtual machine. You can select one of the following:
• VMware ESXi
• Microsoft Hyper-V
• VMware Workstation
• VHDX files
5. Do one of the following:
• For VMware ESXi and Hyper-V: click Host, select the target host, and then specify the new
machine name template.
• For other virtual machine types: in Path, specify where to save the virtual machine files and
the file name template.
The default name is [Machine Name]_converted.
6. [Optional] Click Agent that will perform conversion, and then select an agent.
This may be the agent that performs the backup (by default) or an agent installed on another
machine. If the latter is the case, the backups must be stored in a shared location such as a
network folder, so that the other machine can access them.
7. [Optional] For VMware ESXi and Hyper-V, you can also do the following:
• Click Datastore for ESXi or Path for Hyper-V, and then select the datastore (storage) for the
virtual machine.
• Change the disk provisioning mode. The default setting is Thin for VMware ESXi and
Dynamically expanding for Hyper-V.
• Click VM settings to change the memory size, the number of processors, and the network
connections of the virtual machine.
8. Click Done.
• If you choose to save the virtual machine as a set of files: each conversion re-creates the
virtual machine from scratch.
• If you choose to create the virtual machine on a virtualization server: when converting an
incremental or differential backup, the software updates the existing virtual machine instead of
re-creating it. Such conversion is normally faster. It saves network traffic and CPU resource of the
host that performs the conversion. If updating the virtual machine is not possible, the software
re-creates it from scratch.
• If there has been a full backup since the last conversion, the virtual machine is re-created from
scratch, as described earlier in this section.
• Otherwise, the existing virtual machine is updated to reflect changes since the last conversion. If
updating is not possible (for example, if you deleted the intermediate snapshots, see below), the
virtual machine is re-created from scratch.
Intermediate snapshots
To be able to update the virtual machine, the software stores a few intermediate snapshots of it.
They are named Backup… and Replica… and should be kept. Unneeded snapshots are deleted
automatically.
The latest Replica… snapshot corresponds to the result of the latest conversion. You can go to this
snapshot if you want to return the machine to that state; for example, if you worked with the
machine and now want to discard the changes made to it.
This section describes backup replication as a part of the protection plan. For information about
creating a separate replication plan, refer to "Off-host data processing".
If you enable backup replication, each backup will be copied to another location immediately after
creation. If earlier backups were not replicated (for example, the network connection was lost), the
software also replicates all of the backups that appeared after the last successful replication.
Replicated backups do not depend on the backups remaining in the original location and vice versa.
You can recover data from any backup, without access to other locations.
• A local folder
• A network folder
• Secure Zone
• An SFTP server
• Locations managed by a storage node
• A local folder
• A network folder
• The cloud storage
• An SFTP server
• Locations managed by a storage node
• A tape device
Tip
You can set up replication of backups from the cloud storage by creating a separate replication plan.
For more information, refer to "Off-host data processing".
Restrictions
• Replicating backups from a location managed by a storage node to a local folder is not supported.
A local folder means a folder on the machine with the agent that created the backup.
• Replicating backups to a managed location with enabled deduplication is not supported for
backups that have the Version 12 backup format.
As follows from the above description, the operation will be performed only if the machine with the
agent is powered on.
The backup progress is shown in the Status column for the machine.
To modify the backup options, click the gear icon next to the protection plan name, and then click
Backup options.
Option | Disk-level backup: Windows | Disk-level backup: Linux | Disk-level backup: macOS | File-level backup: Windows | File-level backup: Linux | File-level backup: macOS | Virtual machines: ESXi | Virtual machines: Hyper-V | Virtual machines: Scale Computing | SQL and Exchange: Windows
Backup consolidation | + | + | + | + | + | + | + | + | + | -
Backup file name | + | + | + | + | + | + | + | + | + | +
Backup format | + | + | + | + | + | + | + | + | + | +
Backup validation | + | + | + | + | + | + | + | + | + | +
Changed block tracking (CBT) | + | - | - | - | - | - | + | + | + | +
Cluster backup mode | - | - | - | - | - | - | - | - | - | +
Compression level | + | + | + | + | + | + | + | + | + | +
Email notifications | + | + | + | + | + | + | + | + | + | +
Error handling
Re-attempt if an error occurs | + | + | + | + | + | + | + | + | + | +
Do not show messages and dialogs while processing (silent mode) | + | + | + | + | + | + | + | + | + | +
Ignore bad sectors | + | + | + | + | + | + | + | + | + | -
Re-attempt, if an error occurs during VM snapshot creation | - | - | - | - | - | - | + | + | + | -
File filters | + | + | + | + | + | + | + | + | + | -
File-level backup snapshot | - | - | - | + | + | + | - | - | - | -
Log truncation | - | - | - | - | - | - | + | + | - | SQL only
LVM snapshotting | - | + | - | - | - | - | - | - | - | -
Mount points | - | - | - | + | - | - | - | - | - | -
Multi-volume snapshot | + | + | - | + | + | - | - | - | - | -
Performance and backup window | + | + | + | + | + | + | + | + | + | +
Physical Data Shipping | + | + | + | + | + | + | + | + | + | -
Pre/Post commands | + | + | + | + | + | + | + | + | + | +
Pre/Post data capture commands | + | + | + | + | + | + | + | - | - | +
SAN hardware snapshots | - | - | - | - | - | - | + | - | - | -
Scheduling
Distribute start times within a time window | + | + | + | + | + | + | + | + | + | +
Limit the number of | - | - | - | - | - | - | + | + | + | -
Sector-by-sector backup | + | + | - | - | - | - | + | + | + | -
Splitting | + | + | + | + | + | + | + | + | + | +
Tape management | + | + | + | + | + | + | + | + | + | +
Task failure handling | + | + | + | + | + | + | + | + | + | +
Task start conditions | + | + | - | + | + | - | + | + | + | +
Volume Shadow Copy Service (VSS) | + | - | - | + | - | - | - | + | - | +
Volume Shadow Copy Service (VSS) for virtual machines | - | - | - | - | - | - | + | + | + | -
Weekly backup | + | + | + | + | + | + | + | + | + | +
Windows event log | + | - | - | + | - | - | + | + | + | +
7.12.2 Alerts
This option determines whether to generate an alert if no successful backups were performed by
the protection plan for a specified period of time. In addition to failed backups, the software counts
backups that did not run on schedule (missed backups).
The alerts are generated on a per-machine basis and are displayed on the Alerts tab.
You can specify the number of consecutive days without backups after which the alert is generated.
Consolidation is the process of combining two or more subsequent backups into a single backup.
If this option is enabled, a backup that should be deleted during cleanup is consolidated with the
next dependent backup (incremental or differential).
Otherwise, the backup is retained until all dependent backups become subject to deletion. This
helps avoid the potentially time-consuming consolidation, but requires extra space for storing
backups whose deletion is postponed. The backups' age or number can exceed the values specified
in the retention rules.
Important
Please be aware that consolidation is just a method of deletion, but not an alternative to deletion.
The resulting backup will not contain data that was present in the deleted backup and was absent
from the retained incremental or differential backup.
Backups stored on tapes cannot be consolidated. Backups stored in the cloud storage, as well as
single-file backups (both version 11 and 12 formats), are always consolidated because their inner
structure makes for fast and easy consolidation.
However, if version 12 format is used, and multiple backup chains are present (every chain being
stored in a separate .tibx file), consolidation works only within the last chain. Any other chain is
deleted as a whole, except for the first one, which is shrunk to the minimum size to keep the meta
information (~12 KB). This meta information is required to ensure the data consistency during
simultaneous read and write operations. The backups included in these chains disappear from the
GUI as soon as the retention rule is applied, although they physically exist until the entire chain is
deleted.
In all other cases, backups whose deletion is postponed are marked with the trash can icon in
the GUI. If you delete such a backup by clicking the X sign, consolidation will be performed. Backups
stored on a tape disappear from the GUI only when the tape is overwritten or erased.
Version 11 backup format | One TIB file and one XML metadata file | Multiple TIB files and one XML metadata file (traditional format)
Version 12 backup format | One TIBX file per backup chain (a full or differential backup, and all incremental backups that depend on it)
All files have the same name, with or without the addition of a timestamp or a sequence number.
You can define this name (referred to as the backup file name) when creating or editing a protection
plan.
Note
Timestamp is added to the backup file name only in the version 11 backup format.
After you change a backup file name, the next backup will be a full backup, unless you specify a file
name of an existing backup of the same machine. If the latter is the case, a full, incremental, or
differential backup will be created according to the protection plan schedule.
Note that it is possible to set backup file names for locations that cannot be browsed by a file
manager (such as the cloud storage or a tape device). This makes sense if you want to see the
custom names on the Backup storage tab.
The default backup file name for mailbox backup is [Mailbox ID]_mailbox_[Plan ID]A.
• [Machine Name] This variable is replaced with the name of the machine (the same name that is
shown in the Cyber Protect web console) for all types of backed up data, except for Office 365
mailboxes. For Office 365 mailboxes, it is replaced with the mailbox user's principal name (UPN).
• [Plan ID] This variable is replaced with a unique identifier of a protection plan. This value does
not change if the plan is renamed.
• [Unique ID] This variable is replaced with a unique identifier of the selected machine or mailbox.
This value does not change if the machine is renamed or the mailbox UPN is changed.
• [Mailbox ID] This variable is replaced with the mailbox UPN.
• "A" is a safeguard letter that is appended to prevent the name from ending with a digit.
The diagram below shows the default backup file name for mailboxes.
For the version 12 format with the Always incremental (single-file) backup scheme:
MyBackup.tibx
MyBackup.tibx
MyBackup-0001.tibx
For the version 11 format with the Always incremental (single-file) backup scheme:
MyBackup.xml
MyBackup.tib
MyBackup.xml
MyBackup_2016_9_13_14_49_20_403F.tib
MyBackup_2016_9_14_14_43_00_221F.tib
MyBackup_2016_9_15_14_45_56_300F.tib
...
Using variables
Besides the variables that are used by default, you can use the [Plan name] variable, which is
replaced with the name of the protection plan.
If multiple machines or mailboxes are selected for backup, the backup file name must contain the
[Machine Name], the [Mailbox ID], or the [Unique ID] variable.
Usage examples
• View user-friendly file names
You want to easily distinguish backups when browsing the backup location with a file manager.
• Continue an existing sequence of backups
Let's assume a protection plan is applied to a single machine, and you have to remove this
machine from the Cyber Protect web console or to uninstall the agent along with its configuration
settings. After the machine is re-added or the agent is reinstalled, you can force the protection
plan to continue backing up to the same backup or backup sequence. Just go to this option, click
Select, and select the required backup.
The Browse button shows the backups in the location selected in the Where to back up section
of the protection plan panel. It cannot browse anything outside this location.
Note
The Select button is only available for protection plans that are created for and applied to a single
device.
This option is not effective for mailbox backups. Mailbox backups always have the new format.
• Automatic selection
Version 12 will be used unless the protection plan appends backups to the ones created by
earlier product versions.
• Version 12
A new format recommended in most cases for fast backup and recovery. Each backup chain (a
full or differential backup, and all incremental backups that depend on it) is saved to a single TIBX
file.
With this format, the retention rule By total size of backups is not effective.
• Version 11
A legacy format preserved for backward compatibility. It allows you to append backups to the
ones created by earlier product versions.
Note
You cannot back up Database Availability Groups (DAG) by using the backup format version 11.
Backing up of DAG is supported only in the version 12 format.
Version 11 backup format | One TIB file and one XML metadata file | Multiple TIB files and one XML metadata file (traditional format)
Version 12 backup format | One TIBX file per backup chain (a full or differential backup, and all incremental backups that depend on it)
In-archive deduplication
The version 12 format supports in-archive deduplication.
In-archive deduplication uses client-side deduplication and brings the following advantages:
Note
In-archive deduplication is enabled by default for all backups in the TIBX format. You do not have to
enable it in the backup options, and you cannot disable it.
Validation calculates a checksum for every data block that can be recovered from the backup. The
only exception is validation of file-level backups that are located in the cloud storage. These backups
are validated by checking consistency of the metadata saved in the backup.
Validation is a time-consuming process, even for incremental or differential backups, which are
small in size. This is because the operation validates not only the data physically contained in the
backup, but all of the data recoverable by selecting the backup. This requires access to previously
created backups.
While the successful validation means a high probability of successful recovery, it does not check all
factors that influence the recovery process. If you back up the operating system, we recommend
performing a test recovery under the bootable media to a spare hard drive or running a virtual
machine from the backup in the ESXi or Hyper-V environment.
This option determines whether to use Changed Block Tracking (CBT) when performing an
incremental or differential backup.
The CBT technology accelerates the backup process. Changes to the disk or database content are
continuously tracked at the block level. When a backup starts, the changes can be immediately
saved to the backup.
These options are effective only if the cluster itself (Microsoft SQL Server Always On Availability
Groups (AAG) or Microsoft Exchange Server Database Availability Group (DAG)) is selected for
backup, rather than the individual nodes or databases inside of it. If you select individual items
inside the cluster, the backup will not be cluster-aware and only the selected copies of the items will
be backed up.
Regardless of the value of this option, to ensure the database consistency, the software skips
databases that are not in the SYNCHRONIZED or SYNCHRONIZING states when the backup starts.
If all databases are skipped, the backup fails.
Regardless of the value of this option, to ensure the database consistency, the software skips
databases that are not in the HEALTHY or ACTIVE states when the backup starts. If all databases are
skipped, the backup fails.
A higher compression level means that the backup process takes longer, but the resulting backup
occupies less space. Currently, the High and Maximum levels work similarly.
The optimal data compression level depends on the type of data being backed up. For example,
even maximum compression will not significantly reduce the backup size if the backup contains
essentially compressed files, such as .jpg, .pdf or .mp3. However, formats such as .doc or .xls will be
compressed well.
This option is available only in on-premises deployments. In cloud deployments, the settings are
configured per account when an account is created.
You can either use the system settings or override them with custom values that will be specific for
this plan only. The system settings are configured as described in "Email notifications".
Important
When the system settings are changed, all protection plans that use the system settings are
affected.
When a recoverable error occurs, the program re-attempts to perform the unsuccessful operation.
You can set the time interval and the number of attempts. The attempts will be stopped as soon as
the operation succeeds OR the specified number of attempts is performed, whichever
comes first.
For example, if the backup destination on the network becomes unavailable or not reachable, the
program will attempt to reach the destination every 30 seconds, but no more than 30 times. The
attempts will be stopped as soon as the connection is resumed OR the specified number of
attempts is performed, depending on which comes first.
Cloud storage
If the cloud storage is selected as a backup destination, the option value is automatically set to
Enabled. Number of attempts: 300. Interval between attempts: 30 seconds.
In this case, the actual number of attempts is unlimited, but the timeout before the backup failure is
calculated as follows: (300 seconds + Interval between attempts) * (Number of attempts + 1).
Examples:
If the calculated timeout exceeds 30 minutes, and the data transfer has not started yet, the actual
timeout is set to 30 minutes.
With the silent mode enabled, the program will automatically handle situations requiring user
interaction (except for handling bad sectors, which is defined as a separate option). If an operation
cannot continue without user interaction, it will fail. Details of the operation, including errors, if any,
can be found in the operation log.
When this option is disabled, each time the program comes across a bad sector, the backup activity
will be assigned the Interaction required status. In order to back up the valid information on a
rapidly dying disk, enable ignoring bad sectors. The rest of the data will be backed up and you will
be able to mount the resulting disk backup and extract valid files to another disk.
When taking a virtual machine snapshot fails, the program re-attempts to perform the unsuccessful
operation. You can set the time interval and the number of attempts. The attempts will be stopped
as soon as the operation succeeds OR the specified number of attempts is performed, whichever
comes first.
This option is not effective (always disabled) for volumes formatted with the JFS, ReiserFS3,
ReiserFS4, ReFS, or XFS file systems.
Incremental or differential backup captures only data changes. To speed up the backup process, the
program determines whether a file has changed or not by the file size and the date/time when the
file was last modified. Disabling this feature will make the program compare the entire file contents
to those stored in the backup.
File filters are available for both disk-level and file-level backup, unless stated otherwise.
File filters are not effective when applied to dynamic disks (LVM or LDM volumes) of a virtual
machine that is backed up by Agent for VMware, Agent for Hyper-V, or Agent for Scale Computing in
the agentless mode.
Note
This filter is not effective for file-level backup if Version 11 is selected in Backup format and the
backup destination is NOT cloud storage.
It is possible to use both options simultaneously. The latter option overrides the former, i.e. if you
specify C:\File.exe in both fields, this file will be skipped during a backup.
Criteria
• Full path
Specify the full path to the file or folder, starting with the drive letter (when backing up Windows)
or the root directory (when backing up Linux or macOS).
Both in Windows and Linux/macOS, you can use a forward slash in the file or folder path (as in
C:/Temp/File.tmp). In Windows, you can also use the traditional backslash (as in
C:\Temp\File.tmp).
A full path filter includes the drive letter (in Windows) or the root directory (in Linux or macOS).
For example, a file full path could be C:\Temp\File.tmp. A filter that includes the drive letter or
the root directory—for example C:\Temp\File.tmp or C:\Temp\*—will result in warning or
failure.
A filter that does not use the drive letter or the root directory (for example, Temp\* or
Temp\File.tmp) or a filter that starts with an asterisk (for example, *C:\) will not result in warning
or failure. However, if the operating system of the backed-up machine is not detected correctly,
these filters will not work, either.
• Name
Specify the name of the file or folder, such as Document.txt. All files and folders with that name
will be selected.
The criteria are not case-sensitive. For example, by specifying C:\Temp, you will also select C:\TEMP,
C:\temp, and so on.
You can use one or more wildcard characters (*, **, and ?) in the criterion. These characters can be
used both within the full path and in the file or folder name.
The asterisk (*) substitutes for zero or more characters in a file name. For example, the criterion
Doc*.txt matches files such as Doc.txt and Document.txt.
[Only for backups in the Version 12 format] The double asterisk (**) substitutes for zero or more
characters in a file name and path, including the slash character. For example, the criterion
**/Docs/**.txt matches all txt files in all subfolders of all folders named Docs.
The question mark (?) substitutes for exactly one character in a file name. For example, the criterion
Doc?.txt matches files such as Doc1.txt and Docs.txt, but not the files Doc.txt or Doc11.txt.
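The wildcard rules above can be checked against a file list before a plan is applied, to see which paths a filter would leave out of the backup. The following Python sketch is an added example, not Acronis code. Its function names, the include/exclude parameter names, and two rules (a criterion without a slash is treated as a Name criterion and tested against every path component; selecting a folder selects everything under it) are assumptions of this sketch.

```python
import re


def criterion_to_regex(criterion: str) -> re.Pattern:
    """Translate one filter criterion into a case-insensitive regex."""
    pattern = criterion.replace("\\", "/")   # both slash styles are accepted
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")               # ** crosses slashes (Version 12 only)
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")            # *  zero or more characters of one name
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")             # ?  exactly one character
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    # The criteria are not case-sensitive.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def matches(criterion: str, path: str) -> bool:
    """True if the criterion selects the path or one of its parent folders."""
    components = [c for c in path.replace("\\", "/").split("/")]
    regex = criterion_to_regex(criterion)
    if "/" not in criterion.replace("\\", "/"):
        # Name criterion (assumption): test every file or folder name in the path.
        return any(regex.fullmatch(c) for c in components if c)
    # Full path criterion: test the path and each ancestor folder (assumption).
    for depth in range(1, len(components) + 1):
        prefix = "/".join(components[:depth])
        if prefix and regex.fullmatch(prefix):
            return True
    return False


def is_backed_up(path: str, include=(), exclude=()) -> bool:
    """Exclusion overrides inclusion, as in the C:\\File.exe case above."""
    if any(matches(c, path) for c in exclude):
        return False
    return not include or any(matches(c, path) for c in include)


def skipped(paths, include=(), exclude=()):
    """Return the paths that the filters would leave out of the backup."""
    return [p for p in paths if not is_backed_up(p, include, exclude)]


# Constructed sample file list, not taken from a real machine.
SAMPLE_PATHS = [
    r"C:\File.exe",
    r"C:\Users\ann\Docs\plan.txt",
    r"C:\Users\ann\Docs\old\plan.txt",
    r"C:\Temp\Doc1.txt",
    r"C:\TEMP\cache.tmp",
]

if __name__ == "__main__":
    for p in skipped(SAMPLE_PATHS, exclude=[r"C:\File.exe", "**/Docs/**.txt", "*.tmp"]):
        print("not backed up:", p)
```

Running the audit with a broad criterion such as `**` in place of `*` shows how quickly an exclusion can widen to whole directory trees.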
This option defines whether to back up files one by one or by taking an instant data snapshot.
Note
Files that are stored on network shares are always backed up one by one.
• If only machines running Linux are selected for backup: Do not create a snapshot.
• Otherwise: Create snapshot if it is possible.
The backup option called Forensic data allows you to collect digital evidence that can be used in
forensic investigations. The following items can be used as digital evidence: a snapshot of the
unused disk space, memory dumps, and a snapshot of running processes. The Forensic data
functionality is available only for an entire machine backup.
Currently, the Forensic data option is available only for Windows machines with the following OS
versions:
Note
• After a protection plan with the Backup module is applied to a machine, the forensic data settings
cannot be modified. To use different forensic data settings, create a new protection plan.
• Backups with forensic data collection are not supported for machines that are connected to your
network through VPN and do not have direct access to the Internet.
• Cloud storage
• Local folder
Note
1. The local folder is supported only on an external hard disk connected via USB.
2. Local dynamic disks are not supported as a location for forensic backups.
• Network folder
Backups with forensic data are automatically notarized. Forensic backups allow investigators to
analyze disk areas that are usually not included in a regular disk backup.
1. Collects raw memory dump and the list of running processes.
2. Automatically reboots a machine into the bootable media.
3. Creates the backup that includes both the occupied and unallocated space.
4. Notarizes the backed-up disks.
5. Reboots into the live operating system and continues plan execution (for example, replication,
retention, validation, and others).
1. In the Cyber Protect web console, go to Devices > All devices. Alternatively, the protection plan
can be created from the Plans tab.
2. Select the device and click Protect.
3. In the protection plan, enable the Backup module.
4. In What to back up, select Entire machine.
5. In Backup options, click Change.
6. Find the Forensic data option.
7. Enable Collect forensic data. The system will automatically collect a memory dump and create
a snapshot of running processes.
As a result, backups will include forensic data, and you will be able to retrieve and analyze it. Backups
with forensic data are marked and can be filtered among other backups in Backup storage >
Locations by using the Only with forensic data option.
You can use the provided memory dump with several third-party forensic tools; for example, you can use
Volatility Framework (https://www.volatilityfoundation.org/) for further memory analysis.
How it works
Notarization enables you to prove that a disk with forensic data is authentic and unchanged since it
was backed up.
During a backup, the agent calculates the hash codes of the backed-up disks, builds a hash tree,
saves the tree in the backup, and then sends the hash tree root to the notary service. The notary
service saves the hash tree root in the Ethereum blockchain database to ensure that this value does
not change.
When verifying the authenticity of the disk with forensic data, the agent calculates the hash of the
disk, and then compares it with the hash that is stored in the hash tree inside the backup. If these
To verify that the hash tree itself was not compromised, the agent sends the hash tree root to the
notary service. The notary service compares it with the one stored in the blockchain database. If the
hashes match, the selected disk is guaranteed to be authentic. Otherwise, the software displays a
message that the disk is not authentic.
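The two-step check described here, and in section 7.8 for file-level backups, can be followed in code. The Python sketch below is an added example, not the agent's implementation: it builds a SHA-256 hash tree over constructed sample items, keeps the root as the value held by the notary service, and shows why comparing the item hash alone is not enough if the stored tree was replaced together with the item. The tree layout (leaf and node tags, promotion of an unpaired node) and all function names are assumptions of this sketch.

```python
import hashlib
import hmac

LEAF_TAG = b"\x00"  # assumption: tags keep leaf and inner-node hashes distinct
NODE_TAG = b"\x01"


def leaf_hash(content: bytes) -> bytes:
    return hashlib.sha256(LEAF_TAG + content).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_TAG + left + right).digest()


def build_tree(items):
    """Return the tree as a list of levels: levels[0] are leaves, levels[-1] is [root]."""
    if not items:
        raise ValueError("nothing to notarize")
    levels = [[leaf_hash(item) for item in items]]
    while len(levels[-1]) > 1:
        current, parents = levels[-1], []
        for i in range(0, len(current), 2):
            if i + 1 < len(current):
                parents.append(node_hash(current[i], current[i + 1]))
            else:
                parents.append(current[i])  # unpaired node is promoted unchanged
        levels.append(parents)
    return levels


def root_of(levels) -> bytes:
    return levels[-1][0]


def proof_for(levels, index):
    """Sibling hashes needed to recompute the root from leaf number `index`."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def root_from_proof(leaf: bytes, proof) -> bytes:
    digest = leaf
    for sibling, sibling_is_left in proof:
        digest = node_hash(sibling, digest) if sibling_is_left else node_hash(digest, sibling)
    return digest


def verify(content: bytes, index: int, stored_levels, notarized_root: bytes) -> str:
    """Step 1: item hash vs. tree in the backup. Step 2: tree root vs. notary."""
    leaf = leaf_hash(content)
    if not hmac.compare_digest(leaf, stored_levels[0][index]):
        return "item_mismatch"
    rebuilt = root_from_proof(leaf, proof_for(stored_levels, index))
    if not hmac.compare_digest(rebuilt, notarized_root):
        return "tree_mismatch"
    return "authentic"


# Constructed sample data standing in for backed-up files or disks.
SAMPLE_ITEMS = [b"contract v1", b"invoice 2021-03", b"nda signed"]

if __name__ == "__main__":
    tree = build_tree(SAMPLE_ITEMS)
    notarized = root_of(tree)             # value the notary service would hold
    print(verify(SAMPLE_ITEMS[2], 2, tree, notarized))
    print(verify(b"nda signed (edited)", 2, tree, notarized))
    forged = build_tree(SAMPLE_ITEMS[:2] + [b"nda signed (edited)"])
    print(verify(b"nda signed (edited)", 2, forged, notarized))
```

The third call is the case the notary step exists for: the edited item agrees with the replaced tree, and only the root held outside the backup exposes the change.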
The scheme below briefly shows the notarization process for backups with forensic data.
To verify the notarized disk backup manually, you can get the certificate for it and follow the
verification procedure shown with the certificate by using the tibxread tool.
1. Go to Backup storage and select the backup with forensic data.
2. Recover the entire machine.
3. The system opens the Disk Mapping view.
4. Click the Get certificate icon for the disk.
5. The system will generate the certificate and open a new window in the browser with the
certificate. Below the certificate you will see the instruction for manual verification of notarized
disk backup.
HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\BackupAndRecovery\Settings\OnlineBackup\FesAddressCache\Default\<tenant_login>\FesUri
For Linux:
/etc/Acronis/BackupAndRecovery.config
For macOS:
/Library/Application Support/Acronis/Registry/BackupAndRecovery.config
%allusersprofile%\Acronis\BackupAndRecovery\OnlineBackup\Default
For Linux:
/var/lib/Acronis/BackupAndRecovery/OnlineBackup/Default
For macOS:
/Library/Application Support/Acronis/BackupAndRecovery/OnlineBackup/Default
• list backups
• list content
• get content
• calculate hash
list backups
Lists recovery points in a backup.
SYNOPSIS:
Options
--loc=URI
--arc=BACKUP_NAME
--raw
--utc
--log=PATH
Output template:
<date> – the creation date of the backup. Its format is: DD.MM.YYYY HH24:MM:SS. In local timezone
by default (it can be changed by using the --utc option).
Output example:
list content
Lists content in a recovery point.
SYNOPSIS:
Options
--loc=URI
--arc=BACKUP_NAME
--password
--backup=RECOVERY_POINT_ID
--raw
--log=PATH
Output template:
<notarization_status> – the following statuses are possible: Without notarization, Notarized, Next
backup.
Output example:
get content
Writes content of the specified disk in the recovery point to the standard output (stdout).
SYNOPSIS:
Options
--loc=URI
--arc=BACKUP_NAME
--password
--backup=RECOVERY_POINT_ID
--disk=DISK_NUMBER
--raw
--log=PATH
--progress
calculate hash
Calculates the hash of the specified disk in the recovery point by using the SHA-256 algorithm and
writes it to the stdout.
SYNOPSIS:
Options
Options description
Option                Description
--arc=BACKUP_NAME     The backup file name that you can get from the backup properties in the web console. The backup file must be specified with the extension .tibx.
--disk=DISK_NUMBER    Disk number (the same as was written to the output of the "get content" command)
--loc=URI             A backup location URI. The possible formats of the "--loc" option are:
--log=PATH            Enables writing the logs by the specified PATH (local path only, format is the same as for --loc=URI parameter). Logging level is DEBUG.
--password=PASSWORD   An encryption password for your backup. If the backup is not encrypted, leave this value empty.
--raw                 Hides the headers (2 first rows) in the command output. It is used when the command output should be parsed.
                      Output with "--raw":
For example:
1%
2%
3%
4%
...
100%
This option defines whether the SQL Server transaction logs are truncated after a successful backup.
When this option is enabled, a database can be recovered only to a point in time of a backup
created by this software. Disable this option if you back up transaction logs by using the native
backup engine of Microsoft SQL Server. You will be able to apply the transaction logs after a
recovery and thus recover a database to any point in time.
This option is effective for disk-level backup of volumes managed by Linux Logical Volume Manager
(LVM). Such volumes are also called logical volumes.
This option defines how a snapshot of a logical volume is taken. The backup software can do this on
its own or rely on Linux Logical Volume Manager (LVM).
This option is effective only when you select for backup a folder that is higher in the folder hierarchy
than the mount point. (A mount point is a folder on which an additional volume is logically
attached.)
• If such folder (a parent folder) is selected for backup, and the Mount points option is enabled, all
files located on the mounted volume will be included in the backup. If the Mount points option is
disabled, the mount point in the backup will be empty.
During recovery of a parent folder, the mount point content will or will not be recovered,
depending on whether the Mount points option for recovery is enabled or disabled.
• If you select the mount point directly, or select any folder within the mounted volume, the
selected folders will be considered as ordinary folders. They will be backed up regardless of the
state of the Mount points option and recovered regardless of the state of the Mount points
option for recovery.
Note
You can back up Hyper-V virtual machines residing on a cluster shared volume by backing up the
required files or the entire volume with file-level backup. Just power off the virtual machines to be
sure that they are backed up in a consistent state.
Example
Let's assume that the C:\Data1\ folder is a mount point for the mounted volume. The volume
contains folders Folder1 and Folder2. You create a protection plan for file-level backup of your
data.
If you select the check box for volume C and enable the Mount points option, the C:\Data1\ folder
in your backup will contain Folder1 and Folder2. When recovering the backed-up data, make sure
that you use the Mount points option for recovery correctly.
If you select the check box for volume C, and disable the Mount points option, the C:\Data1\ folder
in your backup will be empty.
If you select the check box for the Data1, Folder1 or Folder2 folder, the checked folders will be
included in the backup as ordinary folders, regardless of the state of the Mount points option.
This option applies to disk-level backup. This option also applies to file-level backup when the file-
level backup is performed by taking a snapshot. (The "File-level backup snapshot" option
determines whether a snapshot is taken during file-level backup).
This option determines whether to take snapshots of multiple volumes at the same time or one by
one.
When this option is enabled, snapshots of all volumes being backed up are created simultaneously.
Use this option to create a time-consistent backup of data spanning multiple volumes; for instance,
for an Oracle database.
When this option is disabled, the volumes' snapshots are taken one after the other. As a result, if the
data spans several volumes, the resulting backup may not be consistent.
This option is not available for backups executed by the cloud agents, such as website backups or
backups of servers located on the cloud recovery site.
You can configure this option separately for each location specified in the protection plan. To
configure this option for a replication location, click the gear icon next to the location name, and
then click Performance and backup window.
This option is effective only for the backup and backup replication processes. Post-backup
commands and other operations included in a protection plan (validation, conversion to a virtual
machine) will run regardless of this option.
When this option is disabled, backups are allowed to run at any time, with the following parameters
(no matter if the parameters were changed against the preset value):
When this option is enabled, scheduled backups are allowed or blocked according to the
performance parameters specified for the current hour. At the beginning of an hour when backups
are blocked, a backup process is automatically stopped and an alert is generated.
Even if scheduled backups are blocked, a backup can be started manually. It will use the
performance parameters of the most recent hour when backups were allowed.
Backup window
Each rectangle represents an hour within a week day. Click a rectangle to cycle through the
following states:
• Green: backup is allowed with the parameters specified in the green section below.
• Blue: backup is allowed with the parameters specified in the blue section below.
This state is not available if the backup format is set to Version 11.
• Gray: backup is blocked.
You can click and drag to change the state of multiple rectangles simultaneously.
The priority of a process running in a system determines the amount of CPU and system resources
allocated to that process. Decreasing the backup priority will free more resources for other
applications. Increasing the backup priority might speed up the backup process by requesting the
operating system to allocate more resources like the CPU to the backup application. However, the
resulting effect will depend on the overall CPU usage and other factors like disk in/out speed or
network traffic.
This option sets the priority of the backup process (service_process.exe) in Windows and the
niceness of the backup process (service_process) in Linux and OS X.
When this option is enabled, you can specify the maximum allowed output speed:
• As a percentage of the estimated writing speed of the destination hard disk (when backing up to a
local folder) or of the estimated maximum speed of the network connection (when backing up to
a network share or cloud storage).
This option is effective for disk-level backups and file backups created by Agent for Windows, Agent
for Linux, Agent for Mac, Agent for VMware, and Agent for Hyper-V. Backups created under bootable
media are not supported.
This option determines whether the first full backup created by the protection plan will be sent to
the cloud storage on a hard disk drive by using the Physical Data Shipping service. The subsequent
incremental backups can be performed over the network.
For detailed instructions about using the Physical Data Shipping service and the order creation tool,
refer to the Physical Data Shipping Administrator's Guide. To access this document in the Physical
Data Shipping service web interface, click the question mark icon.
Important
Once the initial full backup is done, the subsequent backups must be performed by the same
protection plan. Another protection plan, even with the same parameters and for the same
machine, will require another Physical Data Shipping cycle.
2. After the first backup is complete, use the Physical Data Shipping service web interface to
download the order creation tool and create the order.
To access this web interface, do one of the following:
   • In on-premises deployments: log in to your Acronis account, and then click Go to Tracking
   Console under Physical Data Shipping.
   • In cloud deployments: log in to the management portal, click Overview > Usage, and then
   click Manage service under Physical Data Shipping.
3. Package the drives and ship them to the data center.
4. Track the order status by using the Physical Data Shipping service web interface. Note that the
subsequent backups will fail until the initial backup is uploaded to the cloud storage.
Pre-backup command -> Backup -> Post-backup command
• Delete some temporary files from the disk before starting backup.
• Configure a third-party antivirus product to be started each time before the backup starts.
• Selectively copy backups to another location. This option may be useful because the replication
configured in a protection plan copies every backup to subsequent locations.
The agent performs the replication after executing the post-backup command.
The program does not support interactive commands, i.e. commands that require user input (for
example, "pause").
Pre-backup command
To specify a command/batch file to be executed before the backup process starts
Do not back up until the command execution is complete    Selected    Selected    Cleared    Cleared
Result
Post-backup command
To specify a command/executable file to be executed after the backup is completed
The following scheme illustrates when the pre/post data capture commands are executed.
Pre-backup command -> Pre-data capture command -> Data capture -> Post-data capture command -> Post-backup command
If the Volume Shadow Copy Service option is enabled, the commands' execution and the Microsoft
VSS actions will be sequenced as follows:
"Before data capture" commands -> VSS Suspend -> Data capture -> VSS Resume -> "After data
capture" commands.
By using the pre/post data capture commands, you can suspend and resume a database or
application that is not compatible with VSS. Because the data capture takes seconds, the database
or application idle time will be minimal.
1. Enable the Execute a command before the data capture switch.
2. In the Command... field, type a command or browse to a batch file. The program does not
support interactive commands, i.e. commands that require user input (for example, "pause".)
3. In the Working directory field, specify a path to a directory where the command/batch file will
be executed.
4. In the Arguments field, specify the command’s execution arguments, if required.
5. Depending on the result you want to obtain, select the appropriate options as described in the
table below.
6. Click Done.
Fail the backup if the command execution fails*                            Selected    Cleared     Selected    Cleared
Do not perform the data capture until the command execution is complete    Selected    Selected    Cleared     Cleared
Result
1. Enable the Execute a command after the data capture switch.
2. In the Command... field, type a command or browse to a batch file. The program does not
support interactive commands, i.e. commands that require user input (for example, "pause".)
3. In the Working directory field, specify a path to a directory where the command/batch file will
be executed.
4. In the Arguments field, specify the command’s execution arguments, if required.
5. Depending on the result you want to obtain, select the appropriate options as described in the
table below.
6. Click Done.
Fail the backup if the command execution fails*           Selected    Cleared     Selected    Cleared
Do not back up until the command execution is complete    Selected    Selected    Cleared     Cleared
Result
This option determines whether to use the SAN snapshots when performing a backup.
If this option is disabled, the virtual disk content will be read from a VMware snapshot. The snapshot
will be kept for the whole duration of the backup.
If this option is enabled, the virtual disk content will be read from a SAN snapshot. A VMware
snapshot will be created and kept briefly, to bring the virtual disks into a consistent state. If reading
from a SAN snapshot is not possible, the backup will fail.
Prior to enabling this option, please check and carry out the requirements listed in "Using SAN
hardware snapshots".
7.12.25 Scheduling
This option defines whether backups start as scheduled or with a delay, and how many virtual
machines are backed up simultaneously.
This option defines whether an exact copy of a disk or volume on a physical level is created.
If this option is enabled, all sectors of the disk or volume will be backed up, including unallocated space
and those sectors that are free of data. The resulting backup will be equal in size to the disk being
backed up (if the "Compression level" option is set to None). The software automatically switches to
the sector-by-sector mode when backing up drives with unrecognized or unsupported file systems.
Note
It will be impossible to perform a recovery of application data from the backups which were created
in the sector-by-sector mode.
7.12.27 Splitting
This option is effective for the Always full; Weekly full, Daily incremental; Monthly full, Weekly
differential, Daily incremental (GFS), and Custom backup schemes.
This option enables you to select the method of splitting large backups into smaller files.
• Automatic
A backup will be split if it exceeds the maximum file size supported by the file system.
• Fixed size
Enter the desired file size or select it from the drop-down list.
If this check box is selected, at each backup, the software creates supplementary files on a hard disk
of the machine where the tape device is attached. File recovery from disk backups is possible as
long as these supplementary files are intact. The files are deleted automatically when the tape
storing the respective backups is erased, removed or overwritten.
The space occupied by these supplementary files depends on the number of files in the respective
backup. For a full backup of a disk containing approximately 20,000 files (the typical workstation
disk backup), the supplementary files occupy around 150 MB. A full backup of a server containing
250,000 files may produce around 700 MB of supplementary files. So if you are certain that you will
not need to recover individual files, you can leave the check box cleared to save the disk space.
If the supplementary files were not created during backup, or have been deleted, you still can create
them by rescanning the tapes where the backup is stored.
Move a tape back to the slot after each successful backup of each machine
The preset is: Enabled.
If you disable this option, a tape will remain in the drive after an operation using the tape is
completed. Otherwise, the software will move the tape back to the slot where it was before the
operation. If, according to the protection plan, other operations follow the backup (such as the
backup validation or replication to another location), the tape will be moved back to the slot after
completion of these operations.
If both this option and the Eject tapes after each successful backup of each machine option are
enabled, the tape will be ejected.
When this check box is selected, the software will eject tapes after any successful backup of each
machine. If, according to the protection plan, other operations follow the backup (such as the
Overwrite a tape in the stand-alone tape drive when creating a full backup
The preset is: Disabled.
The option applies only to stand-alone tape drives. When this option is enabled, a tape inserted into
a drive will be overwritten every time a full backup is created.
A tape pool contains tapes from all tape devices attached to a machine, be it a storage node or a
machine where a protection agent is installed, or both. When you select a tape pool as a backup
location, you indirectly select the machine to which the tape device(s) are attached. By default,
backups can be written to tapes through any tape drive on any tape device attached to that
machine. If some of the devices or drives are missing or not operational, the protection plan will use
those that are available.
You can click Only selected devices and drives, and then choose tape devices and drives from the
list. By selecting an entire device, you select all of its drives. This means that any of these drives can
be used by the protection plan. If the selected device or drive is missing or is not operational, and no
other devices are selected, the backup will fail.
By using this option, you can control backups performed by multiple agents to a large tape library
with multiple drives. For example, a backup of a large file server or file share may not start if
multiple agents back up their machines during the same backup window, because the agents
occupy all of the drives. If you allow the agents to use, say, drives 2 and 3, drive 1 becomes reserved
for the agent that backs up the share.
Multistreaming
The preset is: Disabled.
Multistreaming allows you to split the data from one agent into multiple streams, and then write
those streams to different tapes simultaneously. This results in quicker backups and is particularly
useful when the agent has higher throughput than the tape drive.
The Multistreaming check box is only available when you select more than one tape drive under
the Only selected devices and drives option. The number of selected drives is equal to the
number of simultaneous streams from an agent. If any selected drive is not available when a backup
starts, this backup will fail.
To recover a multistreamed or both multistreamed and multiplexed backup, you need at least the
same number of drives that were used to create this backup.
Multistreaming is available both for locally attached tape drives and tape drives that are attached to
a storage node.
Multiplexing
The preset is: Disabled.
Multiplexing allows you to write data streams from multiple agents to a single tape. This results in
better utilization of fast tape drives. By default, the multiplexing factor—that is, the number of
agents that send data to a single tape—is set to two. You can increase it up to ten.
Multiplexing is useful for large environments with many backup operations. It does not improve the
performance of a single backup.
To achieve the fastest backup in a large environment, you need to analyze the throughput of your
agents, network, and tape drives. Then, set the multiplexing factor accordingly, without
over-multiplexing. For example, if your agents provide data at 70 Mbit/s, your tape drive writes at
250 Mbit/s, and there are no bottlenecks in your network, set the multiplexing factor to three. A
multiplexing factor of four will lead to over-multiplexing and decreased backup performance.
Usually, the multiplexing factor is between two and five.
Because of their structure, multiplexed backups are slower to recover. The bigger the multiplexing
factor, the slower the recovery. Simultaneous recovery of multiple backups written to a single
multiplexed tape is not supported.
You can select one or more specific tape drives for multiplexing, or use the multiplexing option with
any available tape drive. Multiplexing is not available for locally attached tape drives.
You cannot change the multiplexing settings of an existing protection plan. To use different settings,
create a new protection plan.
In a protection plan, the following combinations of multistreaming and multiplexing are possible:
Use tape sets within the tape pool selected for backup
The preset is: Disabled.
Tapes within one pool can be grouped into so-called tape sets.
If you leave this option disabled, data will be backed up on all tapes belonging to a pool. If the
option is enabled, you can separate backups according to the predefined or custom rules.
• Use a separate tape set for each (choose a rule: Backup type, Device type, Device name,
Day in month, Day of week, Month of year, Year, Date)
If this variant is selected, you can organize tape sets according to a predefined rule. For example,
you can have separate tape sets for each day of the week or store backups of each machine on a
separate tape set.
• Specify a custom rule for tape sets
If this variant is selected, specify your own rule to organize tape sets. The rule can contain the
following variables:
[Resource Name]    Backups of each machine will be stored on a separate tape set.    Names of the machines registered on the management server.
• For example, if you specify the rule as [Resource Name]-[Backup Type], you will have a separate
tape set for each full, incremental, and differential backup of each machine to which the
protection plan is applied.
You can also specify tape sets for individual tapes. In this case, the software will first write backups
on tapes whose tape set value coincides with the value of the expression specified in the protection
plan. Then, if necessary, other tapes from the same pool will be taken. After that, if the pool is
replenishable, tapes from the Free tapes pool will be used.
For example, if you specify tape set Monday for Tape 1, Tuesday for Tape 2, etc. and specify [Weekday]
in the backup options, the corresponding tape will be used on the respective day of the week.
If this option is enabled, the program will try to execute the protection plan again. You can specify
the number of attempts and the time interval between the attempts. The program stops trying as
soon as an attempt completes successfully OR the specified number of attempts is performed,
depending on which comes first.
This option determines the program behavior in case a task is about to start (the scheduled time
comes or the event specified in the schedule occurs), but the condition (or any of multiple
conditions) is not met. For more information about conditions refer to "Start conditions".
The preset is: Wait until the conditions from the schedule are met.
To handle the situation when the conditions are not met for too long and further delaying the task is
becoming risky, you can set the time interval after which the task will run irrespective of the
The option defines whether a Volume Shadow Copy Service (VSS) provider has to notify VSS-aware
applications that the backup is about to start. This ensures the consistent state of all data used by
the applications; in particular, completion of all database transactions at the moment of taking the
data snapshot by the backup software. Data consistency, in turn, ensures that the application will be
recovered in the correct state and become operational immediately after recovery.
Disable this option if your database is incompatible with VSS. Snapshots are taken faster, but data
consistency of the applications whose transactions are not completed at the time of taking a
snapshot cannot be guaranteed. You may use Pre/Post data capture commands to ensure that the
data is backed up in a consistent state. For instance, specify pre-data capture commands that will
suspend the database and flush all caches to ensure that all transactions are completed; and specify
post-data capture commands that will resume the database operations after the snapshot is taken.
Note
If this option is enabled, files and folders that are specified in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot registry
key are not backed up. In particular, offline Outlook Data Files (.ost) are not backed up because they
are specified in the OutlookOST value of this key.
• If you use Agent for Exchange or third-party software for backing up the Exchange Server data.
This is because the log truncation will interfere with the consecutive transaction log backups.
• If you use third-party software for backing up the SQL Server data. The reason for this is that the
third-party software will take the resulting disk-level backup for its "own" full backup. As a result,
the next differential backup of the SQL Server data will fail. The backups will continue failing until
the third-party software creates the next "own" full backup.
• If other VSS-aware applications are running on the machine and you need to keep their logs for
any reason.
Enabling this option does not result in the truncation of Microsoft SQL Server logs. To truncate the
SQL Server log after a backup, enable the Log truncation backup option.
If this option is enabled, transactions of all VSS-aware applications running in a virtual machine are
completed before taking the snapshot. If a quiesced snapshot fails after the number of re-attempts
specified in the "Error handling" option, and application backup is disabled, a non-quiesced
snapshot is taken. If application backup is enabled, the backup fails.
If this option is disabled, a non-quiesced snapshot is taken. The virtual machine will be backed up in
a crash-consistent state. We recommend that you keep this option enabled at all times, even for
virtual machines that do not run VSS-aware applications. Otherwise, even file-system consistency
cannot be guaranteed inside the captured backup.
Note
This option does not affect Scale Computing HC3 virtual machines. For them, quiescing depends on
whether the Scale tools are installed on the virtual machine or not.
This option defines whether the agents have to log events of the backup operations in the
Application Event Log of Windows (to see this log, run eventvwr.exe or select Control Panel >
Administrative tools > Event Viewer). You can filter the events to be logged.
Virtual machine (VMware, Hyper-V or Scale Computing HC3)    Using the web interface
                                                            Using bootable media
Safe recovery allows you to prevent the recurrence of such infections by using the integrated
antimalware scanning and malware deletion during the recovery process.
Limitations:
• Safe recovery is only supported for physical and virtual Windows machines with Agent for
Windows installed inside them.
• Only backups of type Entire machine or Disks/volumes are supported.
• Only volumes with NTFS file system are supported. Non-NTFS partitions will be recovered without
being scanned for malware.
• Safe recovery is not supported for Continuous data protection (CDP) backups. A machine will be
recovered based on the last regular backup, without the data in the CDP backup. To recover the
CDP data, run a Files/folders recovery.
1. Scan the image backup for malware and mark the infected files. One of the following statuses is
assigned to the backup:
   • No malware – No malware was found in the backup during scanning.
   • Malware detected – Malware was found in the backup during scanning.
   • Not scanned – The backup was not scanned for malware.
2. Recover the backup to the selected machine.
3. Delete the detected malware.
We highly recommend that you create and test a bootable media as soon as you start using disk-
level backup. Also, it is a good practice to re-create the media after each major update of the
protection agent.
You can recover either Windows or Linux by using the same media. To recover macOS, create a
separate media on a machine running macOS.
1. Download the bootable media ISO file. To download the file, click the account icon in the top-
right corner > Downloads > Bootable media.
2. Do any of the following:
Alternatively, you can create bootable media by using Bootable Media Builder.
1. On a machine where Agent for Mac is installed, click Applications > Rescue Media Builder.
2. The software displays the connected removable media. Select the one that you want to make
bootable.
Warning!
All data on the disk will be erased.
Use bootable media instead of the web interface if you need to recover:
• macOS
• Any operating system to bare metal or to an offline machine
• The structure of logical volumes (volumes created by Logical Volume Manager in Linux). The
media enables you to recreate the logical volume structure automatically.
Recovery of an operating system requires a reboot. You can choose whether to restart the machine
automatically or assign it the Interaction required status. The recovered operating system goes
online automatically.
5. If you are unsatisfied with the mapping result or if the disk mapping fails, click Disk mapping to
re-map the disks manually.
The mapping section also enables you to choose individual disks or volumes for recovery. You
can switch between recovering disks and volumes by using the Switch to... link in the top-right
corner.
This behavior can be changed by using the VM power management recovery option (click Recovery
options > VM power management).
3. Click Manage this machine locally or click Rescue Bootable Media twice, depending on the
media type you are using.
4. If a proxy server is enabled in your network, click Tools > Proxy server, and then specify the
proxy server host name/IP address and port. Otherwise, skip this step.
5. On the welcome screen, click Recover.
6. Click Select data, and then click Browse.
8. Select the backup from which you want to recover the data. If prompted, type the password for
the backup.
9. In Backup contents, select the disks that you want to recover. Click OK to confirm your
selection.
10. Under Where to recover, the software automatically maps the selected disks to the target disks.
If the mapping is not successful or if you are unsatisfied with the mapping result, you can re-map
disks manually.
Note
Changing disk layout may affect the operating system bootability. Please use the original
machine's disk layout unless you feel fully confident of success.
11. [For macOS only] To recover an APFS-formatted Data volume as a bootable macOS system, in
the macOS Installation section, keep the check box Install macOS on the recovered macOS
Data volume selected.
After the recovery, the system reboots and the macOS installation starts automatically. You need
an Internet connection for the installer to download the necessary files.
If you do not need to recover the APFS-formatted Data volume as a bootable system, clear the
Install macOS on the recovered macOS Data volume check box. You can still make this
volume bootable later, by installing macOS on it manually.
12. [For Linux only] If the backed-up machine had logical volumes (LVM) and you want to reproduce
the original LVM structure:
a. Ensure that the number of the target machine disks and each disk capacity are equal to or
exceed those of the original machine, and then click Apply RAID/LVM.
Preparation
Prepare drivers
Before applying Universal Restore to a Windows operating system, make sure that you have the
drivers for the new HDD controller and the chipset. These drivers are critical to start the operating
system. Use the CD or DVD supplied by the hardware vendor or download the drivers from the
vendor’s website. The driver files should have the *.inf extension. If you download the drivers in the
*.exe, *.cab or *.zip format, extract them using a third-party application.
The best practice is to store drivers for all the hardware used in your organization in a single
repository sorted by device type or by the hardware configurations. You can keep a copy of the
repository on a DVD or a flash drive; pick some drivers and add them to the bootable media; create
the custom bootable media with the necessary drivers (and the necessary network configuration)
for each of your servers. Or, you can simply specify the path to the repository every time Universal
Restore is used.
• If the drivers are on a vendor's disc or other removable media, turn on the Search removable
media.
• If the drivers are located in a networked folder or on the bootable media, specify the path to the
folder by clicking Add folder.
In addition, Universal Restore will search the Windows default driver storage folder. Its location is
determined in the registry value DevicePath, which can be found in the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. This storage folder is usually
WINDOWS/inf.
Universal Restore will perform the recursive search in all the sub-folders of the specified folder, find
the most suitable HAL and HDD controller drivers of all those available, and install them into the
system. Universal Restore also searches for the network adapter driver; the path to the found driver
is then transmitted by Universal Restore to the operating system. If the hardware has multiple
network interface cards, Universal Restore will try to configure all the cards' drivers.
• The hardware has a specific mass storage controller such as RAID (especially NVIDIA RAID) or a
fibre channel adapter.
• You migrated a system to a virtual machine that uses a SCSI hard drive controller. Use SCSI
drivers bundled with your virtualization software or download the latest drivers versions from the
software manufacturer website.
• If the automatic drivers search does not help to boot the system.
Specify the appropriate drivers by clicking Add driver. The drivers defined here will be installed,
with appropriate warnings, even if the program finds a better driver.
If Universal Restore cannot find a compatible driver in the specified locations, it will display a
prompt about the problem device. Do one of the following:
• Add the driver to any of the previously specified locations and click Retry.
• If you do not remember the location, click Ignore to continue the process. If the result is not
satisfactory, reapply Universal Restore. When configuring the operation, specify the necessary
driver.
After that, you will be able to configure the network connection and specify drivers for the video
adapter, USB and other devices.
When Universal Restore is applied to a Linux operating system, it updates a temporary file system
known as the initial RAM disk (initrd). This ensures that the operating system can boot on the new
hardware.
Universal Restore adds modules for the new hardware (including device drivers) to the initial RAM
disk. As a rule, it finds the necessary modules in the /lib/modules directory. If Universal Restore
cannot find a module it needs, it records the module’s file name into the log.
Universal Restore may modify the configuration of the GRUB boot loader. This may be required, for
example, to ensure the system bootability when the new machine has a different volume layout
than the original machine.
The initial RAM disk is stored on the machine in a file. Before updating the initial RAM disk for the
first time, Universal Restore saves a copy of it to the same directory. The name of the copy is the
name of the file, followed by the _acronis_backup.img suffix. This copy will not be overwritten if
you run Universal Restore more than once (for example, after you have added missing drivers).
• Rename the copy accordingly. For example, run a command similar to the following:
    mv initrd-2.6.16.60-0.21-default_acronis_backup.img initrd-2.6.16.60-0.21-default
• Specify the copy in the initrd line of the GRUB boot loader configuration.
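Putting the saved initial RAM disk back by script, as an added example that is not part of the Acronis documentation. It relies only on the _acronis_backup.img suffix described above; the function name, the directory argument and the .universal_restore name given to the replaced file are assumptions of this example.

```shell
#!/bin/sh
# Added example: restore the initrd copy that Universal Restore saved next to
# the original file with the "_acronis_backup.img" suffix.

SUFFIX="_acronis_backup.img"

# restore_initrd DIR [--dry-run]
# For every "<name>_acronis_backup.img" in DIR, put the saved copy back as
# "<name>". The saved copy is copied, not moved, so it stays available.
# Returns 0 if at least one initrd was restored (or would be, with --dry-run),
# 1 if nothing had to be done or DIR is not a directory.
restore_initrd() {
    dir=$1
    dry_run=${2:-}
    restored=0

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    for copy in "$dir"/*"$SUFFIX"; do
        # The glob stays literal when nothing matches, so test each hit.
        [ -f "$copy" ] || continue

        original=${copy%"$SUFFIX"}

        # An empty copy would leave the system without a usable initrd.
        if [ ! -s "$copy" ]; then
            echo "skip (empty copy): $copy" >&2
            continue
        fi

        # Nothing to do when the current initrd already equals the saved copy.
        if [ -f "$original" ] && cmp -s "$copy" "$original"; then
            echo "already restored: $original"
            continue
        fi

        if [ "$dry_run" = "--dry-run" ]; then
            echo "would restore: $copy -> $original"
            restored=$((restored + 1))
            continue
        fi

        # Keep the initrd that Universal Restore modified so the change can be
        # undone again (hypothetical naming, not an Acronis convention).
        if [ -f "$original" ]; then
            mv -- "$original" "$original.universal_restore" || return 1
        fi
        cp -p -- "$copy" "$original" || return 1
        echo "restored: $original"
        restored=$((restored + 1))
    done

    [ "$restored" -gt 0 ]
}
```

Run it with --dry-run first against the directory that holds the initial RAM disk, then without the flag once the listed files are the expected ones.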
Note
Search is not available for disk-level backups that are stored in the cloud storage.
Note
Symbolic links are not supported.
Limitations
• Backups of system state, SQL databases, and Exchange databases cannot be browsed.
• For a better downloading experience, download no more than 100 MB at a time. To quickly
retrieve larger amounts of data from the cloud, use the file recovery procedure.
[When browsing file-level backups] You can select the backup date and time in the next step,
under the gear icon located to the right of the selected file. By default, files are recovered from
the latest backup.
5. Browse to the required folder or use search to obtain the list of the required files.
6. Select the check boxes for the items you need to recover, and then click Download.
1. Select the file as described in steps 1-6 of the "Recovering files by using the web interface"
section, or steps 1-5 of the "Downloading files from the cloud storage" section.
2. Ensure that the selected file is marked with the following icon: . This means that the file is
notarized.
3. Do one of the following:
• Click Verify.
The software checks the file authenticity and displays the result.
• Click Get certificate.
A certificate that confirms the file notarization is opened in a web browser window. The
window also contains instructions that allow you to verify the file authenticity manually.
Only one file version can be signed at a time. If the file was backed up multiple times, you must
choose the version to sign, and only this version will be signed.
For example, ASign can be used for electronic signing of the following files:
1. Select the file as described in steps 1-6 of the "Recovering files by using the web interface"
section.
2. Ensure that the correct date and time is selected on the left panel.
3. Click Sign this file version.
4. Specify the password for the cloud storage account under which the backup is stored. The login
of the account is displayed in the prompt window.
The ASign service interface is opened in a web browser window.
5. Add other signees by specifying their email addresses. It is not possible to add or remove signees
after sending invitations, so ensure that the list includes everyone whose signature is required.
6. Click Invite to sign to send invitations to the signees.
Each signee receives an email message with the signature request. When all the requested
signees sign the file, it is notarized and signed through the notary service.
You will receive notifications when each signee signs the file and when the entire process is
complete. You can access the ASign web page by clicking View details in any of the email
messages that you receive.
7. Once the process is complete, go to the ASign web page and click Get document to download a
.pdf document that contains:
• The Signature Certificate page with the collected signatures.
• The Audit Trail page with history of activities: when the invitation was sent to the signees,
when each signee signed the file, and so on.
7. Select the backup from which you want to recover the data. If prompted, type the password for
the backup.
8. In Backup contents, select Folders/files.
9. Select the data that you want to recover. Click OK to confirm your selection.
10. Under Where to recover, specify a folder. Optionally, you can prohibit overwriting of newer
versions of files or exclude some files from recovery.
11. [Optional] Click Recovery options to specify additional settings.
12. Click OK to start the recovery.
Note
Tape Location takes a lot of space and might not fit in RAM when you rescan and recover under
Linux bootable media and WinPE bootable media. For Linux, you have to mount another location to
save the data on a disk or share. See Acronis Cyber Backup Advanced: Changing the TapeLocation
Folder (KB 27445). For Windows PE, there is no workaround at the moment.
Requirements
• This functionality is available only in Windows by using File Explorer.
• A protection agent must be installed on the machine from which you browse a backup.
• The backed-up file system must be one of the following: FAT16, FAT32, NTFS, ReFS, Ext2, Ext3,
Ext4, XFS, or HFS+.
• The backup must be stored in a local folder or on a network share (SMB/CIFS).
If you are recovering an ESXi configuration to a non-original host and the original ESXi host is still
connected to the vCenter Server, disconnect and remove this host from the vCenter Server to avoid
unexpected issues during the recovery. If you want to keep the original host along with the
recovered one, you can add it again after the recovery is complete.
The virtual machines running on the host are not included in an ESXi configuration backup. They can
be backed up and recovered separately.
• The environment the agent that performs recovery operates in (Windows, Linux, macOS, or
bootable media).
• The type of data being recovered (disks, files, virtual machines, application data).
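|                         | Disks   | Disks | Disks          | Files   | Files | Files | Files          | Virtual machines                   | SQL and Exchange |
|                         | Windows | Linux | Bootable media | Windows | Linux | macOS | Bootable media | ESXi, Hyper-V, Scale Computing HC3 | Windows          |
|-------------------------|---------|-------|----------------|---------|-------|-------|----------------|------------------------------------|------------------|
| Backup validation       | +       | +     | +              | +       | +     | +     | +              | +                                  | +                |
| Boot mode               | +       | -     | -              | -       | -     | -     | -              | +                                  | -                |
| Date and time for files | -       | -     | -              | +       | +     | +     | +              | -                                  | -                |
| Error handling          | +       | +     | +              | +       | +     | +     | +              | +                                  | +                |
| Flashback               | +       | +     | +              | -       | -     | -     | -              | +                                  | -                |
| Full path recovery      | -       | -     | -              | +       | +     | +     | +              | -                                  | -                |
| Mount points            | -       | -     | -              | +       | -     | -     | -              | -                                  | -                |
| Performance             | +       | +     | -              | +       | +     | +     | -              | +                                  | +                |
| Pre/post commands       | +       | +     | -              | +       | +     | +     | -              | +                                  | +                |
| SID changing            | +       | -     | -              | -       | -     | -     | -              | -                                  | -                |
| VM power management     | -       | -     | -              | -       | -     | -     | -              | +                                  | -                |
| "Tape management" (p. 285) > Use a disk cache to accelerate the recovery | - | - | - | + | + | + | - | - | - |
| Windows event log       | +       | -     | -              | +       | -     | -     | -              | Hyper-V only                       | +                |
| Power on after recovery | -       | -     | -              | -       | -     | -     | +              | -                                  | -                |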
Validation calculates a checksum for every data block saved in the backup. The only exception is
validation of file-level backups that are located in the cloud storage. These backups are validated by
checking consistency of the meta information saved in the backup.
Validation is a time-consuming process, even for incremental or differential backups, which are
small in size. This is because the operation validates not only the data physically contained in the
backup, but all of the data recoverable by selecting the backup. This requires access to previously
created backups.
Note
Validation is available for cloud storage located in an Acronis data center and provided by Acronis
partners.
This option enables you to select the boot mode (BIOS or UEFI) that Windows will use after the
recovery. If the boot mode of the original machine is different from the selected boot mode, the
software will:
• Initialize the disk to which you are recovering the system volume, according to the selected boot
mode (MBR for BIOS, GPT for UEFI).
• Adjust the Windows operating system so that it can start using the selected boot mode.
Recommendations
If you need to transfer Windows between UEFI and BIOS:
• Recover the entire disk where the system volume is located. If you recover only the system
volume on top of an existing volume, the agent will not be able to initialize the target disk
properly.
• Remember that BIOS does not allow using more than 2 TB of disk space.
Limitations
• Transferring between UEFI and BIOS is supported for:
  ◦ 64-bit Windows operating systems starting with Windows Vista SP1
  ◦ 64-bit Windows Server operating systems starting with Windows Server 2008 SP1
• Transferring between UEFI and BIOS is not supported if the backup is stored on a tape device.
When transferring a system between UEFI and BIOS is not supported, the agent behaves as if the As
on the backed-up machine setting is chosen. If the target machine supports both UEFI and BIOS,
you need to manually enable the boot mode corresponding to the original machine. Otherwise, the
system will not boot.
This option defines whether to recover the files' date and time from the backup or assign the files
the current date and time.
If this option is enabled, the files will be assigned the current date and time.
When a recoverable error occurs, the program re-attempts to perform the unsuccessful operation.
You can set the time interval and the number of attempts. The attempts will be stopped as soon as
the operation succeeds or the specified number of attempts is performed, whichever comes
first.
When this option is enabled, you can specify a folder on the local disk (including flash or HDD drives
attached to the target machine) or on a network share where the log, system information, and crash
dump files will be saved. These files will help the technical support personnel to identify the problem.
The option defines which files and folders to skip during the recovery process and thus exclude
from the list of recovered items.
Note
Exclusions override the selection of data items to recover. For example, if you select to recover file
MyFile.tmp and to exclude all .tmp files, file MyFile.tmp will not be recovered.
This option defines whether to recover NTFS permissions for files along with the files.
You can choose whether to recover the permissions or let the files inherit their NTFS permissions
from the folder to which they are recovered.
8.8.8 Flashback
This option is effective when recovering disks and volumes on physical and virtual machines, except
for Mac.
If the option is enabled, only the differences between the data in the backup and the target disk
data are recovered. This accelerates data recovery to the same disk as was backed up, especially if
the volume layout of the disk has not changed. The data is compared at the block level.
For physical machines, comparing the data at the block level is a time-consuming operation. If the
connection to the backup storage is fast, it will take less time to recover the entire disk than to
calculate the data differences. Therefore, we recommend that you enable this option only if the
When recovering a physical machine, the preset depends on the backup location:
• If the backup location is the cloud storage, the preset is: Enabled.
• For other backup locations, the preset is: Disabled.
If this option is enabled, the full path to the file will be re-created in the target location.
Enable this option to recover files and folders that were stored on the mounted volumes and were
backed up with the enabled Mount points option.
This option is effective only when you select for recovery a folder that is higher in the folder
hierarchy than the mount point. If you select for recovery folders within the mount point or the
mount point itself, the selected items will be recovered regardless of the Mount points option
value.
Note
Please be aware that if the volume is not mounted at the moment of recovery, the data will be
recovered directly to the folder that has been the mount point at the time of backing up.
8.8.11 Performance
This option defines the priority of the recovery process in the operating system.
The priority of a process running in a system determines the amount of CPU and system resources
allocated to that process. Decreasing the recovery priority will free more resources for other
applications. Increasing the recovery priority might speed up the recovery process by requesting the
operating system to allocate more resources to the application that will perform the recovery.
However, the resulting effect will depend on the overall CPU usage and other factors like disk I/O
speed or network traffic.
• Launch the Checkdisk command before the recovery starts or after the recovery ends, in order to
find and fix logical file system errors, physical errors, or bad sectors.
The program does not support interactive commands, that is, commands that require user input (for
example, "pause").
A post-recovery command will not be executed if the recovery proceeds with reboot.
Pre-recovery command
To specify a command/batch file to be executed before the recovery process starts
Result
Post-recovery command
To specify a command/executable file to be executed after the recovery is completed
Note
A post-recovery command will not be executed if the recovery proceeds with reboot.
We strongly recommend that you use the Use a disk cache to accelerate the recovery option
when you recover files from an image archive. Otherwise, the restore operation can take a lot of time.
With this option, tape reading is performed sequentially, without interruptions and rewinding.
This option is not effective when recovery to a virtual machine is performed by Agent for VMware,
Agent for Hyper-V or Agent for Scale Computing HC3.
Microsoft does not officially support changing SID on a deployed or recovered system. So use this
option at your own risk.
Recovery to an existing virtual machine is not possible if the machine is online, and so the machine
is powered off automatically as soon as the recovery starts. Users will be disconnected from the
machine and any unsaved data will be lost.
Clear the check box for this option if you prefer to power off virtual machines manually before the
recovery.
After a machine is recovered from a backup to another machine, there is a chance the existing
machine's replica will appear on the network. To be on the safe side, power on the recovered virtual
machine manually, after you take the necessary precautions.
This option defines whether the agents have to log events of the recovery operations in the
Application Event Log of Windows (to see this log, run eventvwr.exe or select Control Panel >
Administrative tools > Event Viewer). You can filter the events to be logged.
This option enables booting the machine into the recovered operating system without user
interaction.
Backups that are stored in a shared location (such as an SMB or NFS share) are visible to all users
that have the read permission for the location.
In Windows, backup files inherit the access permissions from their parent folder. Therefore, we
recommend that you restrict the read permissions for this folder.
In the cloud storage, users have access only to their own backups. In a cloud deployment, an
administrator can view backups on behalf of any account that belongs to the same group and its
child groups. This account is indirectly chosen in Machine to browse from. The Backup storage
tab shows backups of all machines ever registered under the same account as this machine.
Backup locations that are used in protection plans are automatically added to the Backup storage
tab. To add a custom folder (for example, a detachable USB device) to the list of backup locations,
click Browse and specify the folder path.
Warning!
Do not try editing the backup files manually because this may result in file corruption and make the
backups unusable. Also, we recommend that you export backups or use the backup replication
instead of moving backup files manually.
1. On the Backup storage tab, select the location where the backups are stored.
The software displays all backups that your account is allowed to view in the selected location.
The backups are combined in groups. The group names are based on the following template:
<machine name> - <protection plan name>
2. Select a group from which you want to recover the data.
3. [Optional] Click Change next to Machine to browse from, and then select another machine.
Some backups can only be browsed by specific agents. For example, you must select a machine
running Agent for SQL to browse the backups of Microsoft SQL Server databases.
Important
Please be aware that the Machine to browse from is a default destination for recovery from a
physical machine backup. After you select a recovery point and click Recover, double check the
Target machine setting to ensure that you want to recover to this specific machine. To change
the recovery destination, specify another machine in Machine to browse from.
Mounting volumes in the read/write mode enables you to modify the backup content; that is, save,
move, create, delete files or folders, and run executables consisting of one file. In this mode, the
software creates an incremental backup that contains the changes you make to the backup content.
Please be aware that none of the subsequent backups will contain these changes.
10.2.1 Requirements
• This functionality is available only in Windows by using File Explorer.
• Agent for Windows must be installed on the machine that performs the mount operation.
• The backed-up file system must be supported by the Windows version that the machine is
running.
• The backup must be stored in a local folder, on a network share (SMB/CIFS), or in the Secure
Zone.
Note
Double-click a volume to browse its content. You can copy files and folders from the backup to
any folder on the file system.
5. Right-click a volume to mount, and then click one of the following:
• Mount
Note
Only the last backup in the archive (backup chain) can be mounted in read-write mode.
To unmount a volume
1. Browse to Computer (This PC in Windows 8.1 and later) by using File Explorer.
2. Right-click the mounted volume.
3. Click Unmount.
4. If the volume was mounted in the read/write mode, and its content was modified, select whether
to create an incremental backup containing the changes. Otherwise, skip this step.
The software unmounts the selected volume.
The result of an export operation is always a full backup. If you want to replicate the entire backup
chain to a different location and preserve multiple recovery points, use a backup replication plan.
The backup file name of the exported backup depends on the value of the backup format option:
• For the Version 12 format with any backup scheme, the backup file name is the same as that of
the original backup, except for the sequence number. If multiple backups from the same backup
chain are exported to the same location, a four-digit sequence number is appended to the file
names of all backups except for the first one.
• For the Version 11 format with the Always incremental (single-file) backup scheme, the
backup file name exactly matches the backup file name of the original backup. If multiple
The exported backup inherits the encryption settings and password from the original backup. When
exporting an encrypted backup, you must specify the password.
To export a backup
To delete backups of a machine that is online and present in the Cyber Protect web console
1. On the All devices tab, select a machine whose backups you want to delete.
2. Click Recovery.
3. Select the location to delete the backups from.
4. Do one of the following:
• To delete a single backup, select the backup to delete, click the gear icon, and then click
Delete.
• To delete all backups in the selected location, click Delete all.
5. Confirm your decision.
1. Log in to the cloud storage, as described in "Downloading files from the cloud storage".
2. Click the name of the machine whose backups you want to delete.
The software displays one or more backup groups.
3. Click the gear icon corresponding to the backup group that you want to delete.
4. Click Remove.
5. Confirm the operation.
Each section of the Plans tab contains all the plans of a specific type. The following sections are
available:
• Protection
• Backup scanning
• Backup replication
• Validation
• Cleanup
• Conversion to VM
• VM replication
• Bootable media. This section displays protection plans that were created for machines booted
from bootable media, and can only be applied to such machines.
In each section, you can create, edit, disable, enable, delete, start, and monitor the running of a
plan.
Cloning and stopping are available only for protection plans. Unlike stopping a backup from the
Devices tab, stopping a protection plan will stop the backups on all devices where this plan is
applied. If the backup start times for multiple devices are distributed within a time window, stopping
a protection plan will stop the running backups or prevent backups from starting.
You can also export a plan to a file and import a previously exported plan.
Separating the antimalware scanning, replication, validation, cleanup, and conversion plans from
protection plans gives you the flexibility:
If you are using a storage node, installing a dedicated agent on the same machine makes sense.
Unlike the backup and VM replication plans, which employ the time settings of machines running
the agents, the off-host data processing plans run according to the time settings of the management
server machine.
Supported locations
You can scan backups for malware in the following locations: Cloud storage, Local folder, and
Network folder. Only an agent installed on the scanned machine can access the Local folder
location.
For more information about the backup scanning and its limitations, refer to "Antimalware scan of
backups".
1. In the Cyber Protect web console, click Plans > Backup scanning.
2. Click Create plan.
3. [Optional] To modify the plan name, click the pencil icon next to the default name.
4. Select the scanning agent.
5. Select the backup location or individual backups to scan.
You can select multiple backup locations at a time. To include multiple individual backups in one
plan, you need to add the backups one by one.
6. [If Cloud storage or Network folder are selected] If prompted, provide the credentials to
access the backup storage.
7. [If an encrypted backup is selected] Provide the password to access the backup. If a vault or
multiple encrypted backups are selected, you can specify a single password. If the password is
not correct for a specific backup, an alert will be shown. Only backups for which a correct
password is provided will be scanned.
8. Configure the schedule for the scan.
9. When ready, click Create.
Supported locations
The following table summarizes backup locations supported by backup replication plans.
Cloud storage + +
Local folder + +
Network folder + +
Secure Zone – –
SFTP server – –
Managed location* + +
Tape device – +
* Check the restrictions described in topic "Considerations for users with the Advanced license" (p.
212).
11.1.3 Validation
Validation is an operation that checks the possibility of data recovery from a backup.
Validation of a backup location validates all the backups stored in the location.
If the validation fails, you can drill down to the details on the Activities section of the Overview tab.
Supported locations
The following table summarizes backup locations supported by validation plans.
Cloud storage + +
Local folder + +
Network folder + +
NFS folder – –
Secure Zone – –
SFTP server – –
Managed location + +
Tape device + –
11.1.4 Cleanup
Cleanup is an operation that deletes outdated backups according to the retention rules.
For information about prerequisites and limitations, please refer to "What you need to know about
conversion".
Note
To save storage space, each conversion to VHDX files overwrites the VHDX files in the target
location that were created during the previous conversion.
A machine can also be booted by using the network boot from Acronis PXE Server, Windows
Deployment Services (WDS) or Remote Installation Services (RIS). These servers with uploaded
bootable components can be thought of as a kind of bootable media too. You can create bootable
media or configure the PXE server or WDS/RIS by using the same wizard.
Note
The bootable media does not support hybrid drives.
Also, you can download a ready-made bootable media (Linux-based only). You can use the
downloaded bootable media only for recovery operations and access to Acronis Universal Restore.
You cannot back up data, validate or export backups, manage disks, or use scripts with it.
Downloaded bootable media is not suitable for macOS computers.
1. In the Cyber Protect web console, click the account icon in the top-right corner, and then click
Downloads.
2. Select Bootable media.
You can burn the downloaded ISO file to a CD/DVD or create a bootable USB flash drive by using
one of the free tools that are available online. Use ISO to USB or RUFUS if you need to boot a UEFI
machine, or Win32DiskImager for a BIOS machine. In Linux, using the dd utility makes sense.
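Writing the downloaded ISO with dd on Linux and checking the result, as an added example that is not part of the Acronis documentation. The function names are this example's own; bs=4M and status=none assume GNU dd, and the mount check assumes /proc/mounts is available.

```shell
#!/bin/sh
# Added example: write a bootable-media ISO to a USB drive with dd, refusing
# unsafe targets, then compare the written bytes with the image.

# SHA-256 of the image file.
iso_sha256() { sha256sum < "$1" | cut -d' ' -f1; }

# SHA-256 of the first <image size> bytes of the target. The drive is larger
# than the image, so hashing the whole device would never match.
target_sha256() {
    size=$(($(wc -c < "$1")))
    head -c "$size" "$2" | sha256sum | cut -d' ' -f1
}

# verify_written ISO TARGET
# Returns 0 if TARGET starts with the exact bytes of ISO, 1 if it differs,
# 2 if either path cannot be read.
verify_written() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    [ "$(iso_sha256 "$1")" = "$(target_sha256 "$1" "$2")" ]
}

# is_mounted DEVICE
# True if DEVICE or one of its partitions (sdb, sdb1, ...) is listed as a
# mount source in /proc/mounts.
is_mounted() {
    awk -v dev="$1" 'index($1, dev) == 1 { found = 1 } END { exit !found }' \
        /proc/mounts
}

# write_iso ISO DEVICE
# Returns 2 without writing anything if ISO is missing, DEVICE is not a block
# device, or DEVICE is mounted. Otherwise writes the image and returns the
# result of verify_written.
write_iso() {
    iso=$1
    dev=$2
    [ -f "$iso" ] || { echo "no such image: $iso" >&2; return 2; }
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 2; }
    if is_mounted "$dev"; then
        echo "$dev is mounted; unmount it first" >&2
        return 2
    fi

    # conv=fsync makes dd flush the data to the device before it exits.
    dd if="$iso" of="$dev" bs=4M conv=fsync status=none || return 1

    # This read-back can be served from the page cache; run verify_written
    # again after re-inserting the drive to read from the medium itself.
    verify_written "$iso" "$dev"
}
```

Pass the whole device (for example /dev/sdX, a placeholder) rather than a partition, and confirm with lsblk that it is the USB drive before running write_iso.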
If the Cyber Protect web console is not accessible, you can download the ready-made bootable
media from your account in Acronis Customer Portal:
12.3.1 Linux-based
Linux-based bootable media contains an Acronis Cyber Protect bootable agent based on Linux
kernel. The agent can boot and perform operations on any PC-compatible hardware, including bare
metal and machines with corrupted or non-supported file systems. The operations can be
configured and controlled either locally or remotely, in the Cyber Protect web console.
12.3.2 WinPE-based
WinPE-based bootable media contains a minimal Windows system called Windows Preinstallation
Environment (WinPE) and Acronis Plugin for WinPE, that is, a modification of Acronis Cyber Protect
agent that can run in the preinstallation environment.
WinPE proved to be the most convenient bootable solution in large environments with
heterogeneous hardware.
Advantages:
• Using Acronis Cyber Protect in Windows Preinstallation Environment provides more functionality
than using Linux-based bootable media. Having booted PC-compatible hardware into WinPE, you
can use not only Acronis Cyber Protect agent, but also PE commands and scripts, and other
plugins that you have added to the PE.
• PE-based bootable media helps overcome some Linux-related bootable media issues such as
support for certain RAID controllers or certain levels of RAID arrays only. Media based on WinPE
2.x and later allow dynamic loading of the necessary device drivers.
Limitations:
• Bootable media based on WinPE versions earlier than 4.0 cannot boot on machines that use
Unified Extensible Firmware Interface (UEFI).
• When a machine is booted with a PE-based bootable media, you cannot select optical media such
as CD, DVD, or Blu-ray Discs (BD) as a backup destination.
• The media builder enables you to create a customized, full-featured Linux-based and WinPE-
based bootable media with the backup functionality.
• Apart from creating physical bootable media, you can upload its components to Windows
Deployment Services (WDS) and use a network boot.
• The ready-made bootable media does not support storage node, tape locations, and SFTP
locations. If you want to use these storage locations in your local on-premises deployment, you
must create your own bootable media by using the Bootable Media Builder. See
https://kb.acronis.com/content/61566.
Kernel parameters
This window lets you specify one or more parameters of the Linux kernel. They will be automatically
applied when the bootable media starts.
These parameters are typically used when experiencing problems while working with the bootable
media. Normally, you can leave this field empty.
You can also specify any of these parameters by pressing F11 while in the boot menu.
Parameters
When specifying multiple parameters, separate them with spaces.
acpi=off
Disables Advanced Configuration and Power Interface (ACPI). You may want to use this
parameter when experiencing problems with a particular hardware configuration.
noapic
Disables Advanced Programmable Interrupt Controller (APIC). You may want to use this
parameter when experiencing problems with a particular hardware configuration.
vga=ask
Prompts for the video mode to be used by the bootable media's graphical user interface.
Without the vga parameter, the video mode is detected automatically.
vga=mode_number
Screen resolution and the number of colors corresponding to a mode number may be
different on different machines. We recommend using the vga=ask parameter first to choose a
value for mode_number.
quiet
Disables displaying of startup messages when the Linux kernel is loading, and starts the
management console after the kernel is loaded.
This parameter is implicitly specified when creating the bootable media, but you can remove
this parameter while in the boot menu.
Without this parameter, all startup messages will be displayed, followed by a command
prompt. To start the management console from the command prompt, run the command:
/bin/product
nousb
nousb2
Disables USB 2.0 support. USB 1.1 devices still work with this parameter. This parameter
allows you to use some USB drives in the USB 1.1 mode if they do not work in the USB 2.0 mode.
nodma
Disables direct memory access (DMA) for all IDE hard disk drives. Prevents the kernel from
freezing on some hardware.
nofw
nopcmcia
nomouse
module_name=off
Disables the module whose name is given by module_name. For example, to disable the use
of the SATA module, specify: sata_sis=off
pci=bios
Forces the use of PCI BIOS instead of accessing the hardware device directly. You may want
to use this parameter if the machine has a non-standard PCI host bridge.
pci=nobios
pci=biosirq
Uses PCI BIOS calls to get the interrupt routing table. You may want to use this parameter if
the kernel is unable to allocate interrupt requests (IRQs) or discover secondary PCI buses on the
motherboard.
These calls might not work properly on some machines. But this may be the only way to get
the interrupt routing table.
Specifies the keyboard layouts that can be used in the bootable media's graphical user
interface.
Without this parameter, only two layouts can be used: English (USA) and the layout that
corresponds to the language selected in the media's boot menu.
Belgian: be-BE
Czech: cz-CZ
English: en-GB
French: fr-FR
German: de-DE
Italian: it-IT
Polish: pl-PL
Portuguese: pt-PT
Russian: ru-RU
Spanish: es-ES
When working under bootable media, use CTRL + SHIFT to cycle through the available
layouts.
You can select one of the predefined scripts or create a custom script by following the scripting
conventions.
Predefined scripts
Bootable Media Builder provides the following predefined scripts:
The scripts can be found on the machine where Bootable Media Builder is installed, in the following
directories:
l In Windows: %ProgramData%\Acronis\MediaBuilder\scripts\
l In Linux: /var/lib/Acronis/MediaBuilder/scripts/
1. The user name and password for the cloud storage.
2. [Optional] A password that the script will use to encrypt or access the backups.
In Bootable Media Builder, you can specify a password that the script will use to encrypt or access
the backups.
1. The user name and password for the cloud storage.
2. The password if the backup is encrypted.
We recommend that you store backups of only one machine under this cloud storage account.
Otherwise, if a backup of another machine is newer than the backup of the current machine, the
script will choose that machine backup.
Custom scripts
Important
Creating custom scripts requires knowledge of the Bash command language and JavaScript
Object Notation (JSON). If you are not familiar with Bash, a good place to learn it is
http://www.tldp.org/LDP/abs/html. The JSON specification is available at http://www.json.org.
Files of a script
Your script must be located in the following directories on the machine where Bootable Media
Builder is installed:
l In Windows: %ProgramData%\Acronis\MediaBuilder\scripts\
l In Linux: /var/lib/Acronis/MediaBuilder/scripts/
l <script_file>.sh - a file with your Bash script. When creating the script, use only a limited set of
shell commands, which you can find at https://busybox.net/downloads/BusyBox.html. Also, the
following commands can be used:
#!/bin/sh
. /ConfigurationFiles/bin/variables.sh
. /ConfigurationFiles/bin/<script_file>.sh
. /ConfigurationFiles/bin/post_actions.sh
Structure of autostart.json
| Pair | Value type | Required | Description |
|---|---|---|---|
| timeout | number | No | A timeout (in seconds) for the boot menu before starting the script. If the pair is not specified, the timeout will be ten seconds. |
| description | string | Yes | The control label that is displayed above the control in Bootable Media Builder. |
| default | string if type is string, multiString, password, or enum; number if type is number, spinner, or checkbox | No | The default value for the control. If the pair is not specified, the default value will be an empty string or a zero, based on the control type. The default value for a check box can be 0 (the cleared state) or 1 (the selected state). |
| order | number (non-negative) | Yes | The control order in Bootable Media Builder. The higher the value, the lower the control is placed relative to other controls defined in autostart.json. The initial value must be 0. |
| min (for spinner only) | number | No | The minimum value of the spin control in a spin box. If the pair is not specified, the value will be 0. |
| max (for spinner only) | number | No | The maximum value of the spin control in a spin box. If the pair is not specified, the value will be 100. |
| step (for spinner only) | number | No | The step value of the spin control in a spin box. If the pair is not specified, the value will be 1. |
| required (for string, multiString, password, and enum) | number | No | Specifies if the control value can be empty (0) or not (1). If the pair is not specified, the control value can be empty. |
| Control type | Description |
|---|---|
| string | A single-line, unconstrained text box used to enter or edit short strings. |
| multiString | A multi-line, unconstrained text box used to enter or edit long strings. |
| spinner | A single-line, numeric-only text box used to enter or edit numbers, with a spin control. Also called a spin box. |
| checkbox | A check box with two states - the cleared state or the selected state. |
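The pairs and control types described above can be checked mechanically before a script is added to the media. The following Python validator is an added example, not Acronis code: it checks a parsed autostart.json against those rules and reports each violation. The "type" pair name, the reading of "The initial value must be 0" as "numbering starts at 0", the range and password-default checks, and the sample values are assumptions or constructed for this example.

```python
import json

STRING_TYPES = {"string", "multiString", "password", "enum"}
NUMBER_TYPES = {"number", "spinner", "checkbox"}
SPINNER_DEFAULTS = {"min": 0, "max": 100, "step": 1}  # fallbacks from the table


def is_number(value):
    # JSON true/false load as bool, which Python treats as int; exclude them.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def spinner_range(ctrl):
    """Return (min, max, step), using the documented fallbacks 0, 100 and 1."""
    return tuple(ctrl.get(key, fallback) for key, fallback in SPINNER_DEFAULTS.items())


def check_control(name, ctrl):
    """Return the findings for one control defined under "variables"."""
    ctype = ctrl.get("type")  # assumption: the control type is in a "type" pair
    if ctype not in STRING_TYPES | NUMBER_TYPES:
        return [f"{name}: unknown control type {ctype!r}"]
    findings = []
    # Pairs the table marks as required.
    if not isinstance(ctrl.get("description"), str):
        findings.append(f"{name}: 'description' is required and must be a string")
    if not is_number(ctrl.get("order")) or ctrl["order"] < 0:
        findings.append(f"{name}: 'order' is required and must be a non-negative number")
    # 'default' is a string or a number, depending on the control type.
    default = ctrl.get("default")
    if default is not None:
        if ctype in STRING_TYPES and not isinstance(default, str):
            findings.append(f"{name}: 'default' must be a string for {ctype}")
        if ctype in NUMBER_TYPES and not is_number(default):
            findings.append(f"{name}: 'default' must be a number for {ctype}")
        if ctype == "checkbox" and is_number(default) and default not in (0, 1):
            findings.append(f"{name}: checkbox 'default' must be 0 or 1")
        # Added check, not a rule from the guide: a password default is
        # readable by anyone who can open autostart.json.
        if ctype == "password" and isinstance(default, str) and default:
            findings.append(f"{name}: password 'default' is stored as plain text")
    # min, max and step are for spinner only.
    for key in SPINNER_DEFAULTS:
        if key in ctrl and ctype != "spinner":
            findings.append(f"{name}: '{key}' applies to spinner only")
        elif key in ctrl and not is_number(ctrl[key]):
            findings.append(f"{name}: '{key}' must be a number")
    if ctype == "spinner" and is_number(default):
        low, high, _step = spinner_range(ctrl)
        # Added sanity check: the default should fall inside min..max.
        if is_number(low) and is_number(high) and not low <= default <= high:
            findings.append(f"{name}: 'default' {default} is outside {low}..{high}")
    # 'required' is for string, multiString, password and enum.
    if "required" in ctrl:
        if ctype not in STRING_TYPES:
            findings.append(f"{name}: 'required' does not apply to {ctype}")
        elif not is_number(ctrl["required"]) or ctrl["required"] not in (0, 1):
            findings.append(f"{name}: 'required' must be 0 or 1")
    return findings


def validate_autostart(doc):
    """Check a parsed autostart.json against the rules in the table above."""
    findings = []
    if "timeout" in doc and not is_number(doc["timeout"]):
        findings.append("timeout: must be a number of seconds")
    variables = doc.get("variables", {})
    for name, ctrl in variables.items():
        findings.extend(check_control(name, ctrl))
    orders = [c["order"] for c in variables.values() if is_number(c.get("order"))]
    # Reading of "The initial value must be 0": numbering starts at 0.
    if orders and min(orders) != 0:
        findings.append("order: the lowest 'order' value must be 0")
    return findings


# Constructed sample, not taken from the guide.
SAMPLE = json.loads("""
{
  "timeout": 5,
  "variables": {
    "var_string":   {"displayName": "VAR_STRING", "type": "string",
                     "description": "Backup location", "order": 0, "required": 1},
    "var_spinner":  {"displayName": "VAR_SPINNER", "type": "spinner",
                     "description": "Retries", "order": 1, "default": 150},
    "var_checkbox": {"displayName": "VAR_CHECKBOX", "type": "checkbox",
                     "description": "Reboot when done", "order": 2,
                     "default": 2, "required": 1},
    "var_password": {"displayName": "VAR_PASSWORD", "type": "password",
                     "order": 3, "default": "constructed-secret"}
  }
}
""")

if __name__ == "__main__":
    for finding in validate_autostart(SAMPLE):
        print(finding)
```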
The sample autostart.json below contains all possible types of controls that can be used to
configure variables for <script_file>.sh.
{
  "variables": {
    "var_string": {
      "displayName": "VAR_STRING"
    },
    "var_multistring": {
      "displayName": "VAR_MULTISTRING"
    },
    "var_number": {
      "displayName": "VAR_NUMBER"
    },
    "var_spinner": {
      "displayName": "VAR_SPINNER"
    },
    "var_enum": {
      "displayName": "VAR_ENUM"
    },
    "var_password": {
      "displayName": "VAR_PASSWORD"
    },
    "var_checkbox": {
      "displayName": "VAR_CHECKBOX"
    }
  }
}
Registering the media enables you to manage the media via the Cyber Protect web console as if it
were a registered machine. Besides the convenience of remote access, this grants an administrator
the capability to trace all operations performed under bootable media. The operations are logged in
Activities, so it is possible to see who started an operation and when.
If the registration was not pre-configured, it is still possible to register the media after booting the
machine from it.
l IP address
l Subnet mask
l Gateway
l DNS server
l WINS server.
Once the bootable agent starts on a machine, the configuration is applied to the machine’s network
interface card (NIC). If the settings have not been pre-configured, the agent uses DHCP auto
configuration. You also have the ability to configure the network settings manually when the
bootable agent is running on the machine.
You can change the settings, except for the MAC address, or configure the settings for a
non-existent NIC if necessary.
Once the bootable agent starts on the server, it retrieves the list of available NICs. This list is sorted
by the slots the NICs occupy: the closest to the processor on top.
The bootable agent assigns each known NIC the appropriate settings, identifying the NICs by their
MAC addresses. After the NICs with known MAC addresses are configured, the remaining NICs are
assigned the settings that you have made for non-existent NICs, starting from the upper non-
assigned NIC.
You can customize bootable media for any machine, and not only for the machine where the media
is created. To do so, configure the NICs according to their slot order on that machine: NIC1 occupies
the slot closest to the processor, NIC2 is in the next slot and so on. When the bootable agent starts
on that machine, it will find no NICs with known MAC addresses and will configure the NICs in the
same order as you did.
Example
The bootable agent could use one of the network adapters for communication with the
management console through the production network. Automatic configuration could be done for
this connection. Sizeable data for recovery could be transferred through the second NIC, included in
the dedicated backup network by means of static TCP/IP settings.
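The assignment order described above, modelled as an added Python example (not Acronis code): settings are matched to NICs by MAC address first, and the rest are handed out in slot order. The function name, data layout and MAC addresses are constructed, and treating settings whose MAC address is not found on the booted machine the same way as settings made for non-existent NICs is an assumption drawn from the text.

```python
DHCP = {"name": "auto", "mode": "dhcp"}  # used when no settings are left


def normalize_mac(mac):
    """Lower-case a MAC address and use ':' separators so comparisons are exact."""
    return mac.lower().replace("-", ":") if mac else None


def assign_nic_settings(detected_macs, entries):
    """Model the two-pass NIC configuration described in the text.

    detected_macs: MAC addresses of the NICs found at boot, in slot order
                   (the slot closest to the processor first).
    entries:       settings made in the media builder, in the order entered;
                   each is {"mac": <str or None>, "settings": <dict>}, with
                   "mac" set to None for a non-existent NIC.
    Returns a list of (mac, settings) tuples in slot order.
    """
    slots = [normalize_mac(mac) for mac in detected_macs]
    assigned = {}
    unmatched = []

    # Pass 1: NICs with known MAC addresses get their own settings.
    for entry in entries:
        mac = normalize_mac(entry.get("mac"))
        if mac in slots and mac not in assigned:
            assigned[mac] = entry["settings"]
        else:
            unmatched.append(entry["settings"])

    # Pass 2: the remaining NICs, top slot first, take the unmatched settings
    # in the order they were entered. A NIC with nothing left uses DHCP.
    result = []
    for mac in slots:
        if mac not in assigned:
            assigned[mac] = unmatched.pop(0) if unmatched else DHCP
        result.append((mac, assigned[mac]))
    return result


# Constructed sample: NIC1 for the production network (automatic configuration),
# NIC2 for the dedicated backup network (static TCP/IP settings).
PRODUCTION = {"name": "production", "mode": "dhcp"}
BACKUP_NET = {"name": "backup", "mode": "static",
              "ip": "192.0.2.10", "mask": "255.255.255.0"}
ENTRIES = [
    {"mac": "02-00-00-00-00-01", "settings": PRODUCTION},
    {"mac": "02-00-00-00-00-02", "settings": BACKUP_NET},
]

if __name__ == "__main__":
    # Same machine, NICs reported in a different slot order: MAC match wins.
    print(assign_nic_settings(["02:00:00:00:00:02", "02:00:00:00:00:01"], ENTRIES))
    # Different machine with three unknown NICs: settings follow slot order.
    print(assign_nic_settings(
        ["02:00:00:00:00:aa", "02:00:00:00:00:bb", "02:00:00:00:00:cc"], ENTRIES))
```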
If the port has not been pre-configured, the agent uses port 9876.
l to search the media for the drivers that best fit the target hardware
l to get the mass-storage drivers that you explicitly specify from the media. This is necessary when
the target hardware has a specific mass storage controller (such as a SCSI, RAID, or Fiber Channel
adapter) for the hard disk.
The drivers will be placed in the visible Drivers folder on the bootable media. The drivers are not
loaded into the target machine RAM; therefore, the media must stay inserted or connected
throughout the Universal Restore operation.
Adding drivers to bootable media is available when you are creating a removable media or its ISO or
detachable media, such as a flash drive. Drivers cannot be uploaded to WDS/RIS.
The drivers can be added to the list only in groups, by adding the INF files or folders containing such
files. Selecting individual drivers from the INF files is not possible, but the media builder shows the
file content for your information.
To add drivers:
1. Click Add and browse to the INF file or a folder that contains INF files.
2. Select the INF file or the folder.
3. Click OK.
The drivers can be removed from the list only in groups, by removing INF files.
To remove drivers:
You can create WinRE-based PE images without any additional preparation, or create PE images
after installing Windows Automated Installation Kit (AIK) or Windows Assessment and Deployment
Kit (ADK).
WinRE-based PE images
Creating WinRE-based images is supported for the following operating systems:
l Windows 7 (64-bit)
l Windows 8, 8.1, 10 (32-bit and 64-bit)
l Windows Server 2012, 2016, 2019 (64-bit)
PE images
After installing Windows Automated Installation Kit (AIK) or Windows Assessment and Deployment
Kit (ADK), Bootable Media Builder supports WinPE distributions that are based on any of the following
kernels:
Bootable Media Builder supports both 32-bit and 64-bit WinPE distributions. The 32-bit WinPE
distributions can also work on 64-bit hardware. However, you need a 64-bit distribution to boot a
machine that uses Unified Extensible Firmware Interface (UEFI).
Note
Disk management functionality is not available for bootable media based on Windows PE 4.0 and
later. Thus, disk management is supported for Windows 7 and earlier operating systems. To
perform disk management operations on Windows 8 and later, you need to install Acronis Disk
Director. For more information, refer to this KB article: https://kb.acronis.com/content/47031.
It is recommended that you familiarize yourself with the help documentation supplied with
Windows AIK. To access the documentation, select Microsoft Windows AIK -> Documentation
from the start menu.
3. Select Bootable media type: Windows PE or Bootable media type: Windows PE (64-bit). A
64-bit media is required to boot a machine that uses Unified Extensible Firmware Interface
(UEFI).
If you have selected Bootable media type: Windows PE, do the following first:
l Click Download the Plug-in for WinPE (32-bit).
l Save the plug-in to %PROGRAM_FILES%\Acronis\BootableComponents\WinPE32.
l Replace the default boot.wim file in your Windows PE folder with the newly created WIM file. For
the above example, type:
Warning!
Do not copy and paste this example. Type the command manually, otherwise it will fail.
For more information on customizing Windows PE 2.x and 3.x, see the Windows Preinstallation
Environment User's Guide (Winpe.chm). The information on customizing Windows PE 4.0 and later
is available in the Microsoft TechNet Library.
Changes made during a session will be lost after the machine reboots.
Adding VLANs
In the Network Settings window, you can add virtual local area networks (VLANs). Use this
functionality if you need access to a backup location that is included in a specific VLAN.
VLANs are mainly used to divide a local area network into segments. A NIC that is connected to an
access port of the switch always has access to the VLAN specified in the port configuration. A NIC
connected to a trunk port of the switch can access the VLANs allowed in the port configuration only
if you specify the VLANs in the network settings.
After you click OK, a new entry appears in the list of network adapters.
If you need to remove a VLAN, click the required VLAN entry, and then click Remove VLAN.
Registering the media is possible only if at least one Acronis Cyber Protect Advanced license is
added to the management server.
The registration parameters can be pre-configured in the Management server option of Bootable
Media Builder. If all the registration parameters are pre-configured, the media will appear in the
Cyber Protect web console automatically. If some of the parameters are pre-configured, some steps
in the following procedures may not be available.
1. Under a bootable media with Windows-like volume representation, a volume has the same drive
letter as in Windows. Volumes that don't have drive letters in Windows (such as the System
Reserved volume) are assigned free letters in order of their sequence on the disk.
If the bootable media cannot detect Windows on the machine or detects more than one, all
volumes, including those without drive letters, are assigned letters in order of their sequence on
the disk. Thus, the volume letters may differ from those seen in Windows. For example, the D:
drive under the bootable media might correspond to the E: drive in Windows.
Note
We recommend that you assign unique names to the volumes.
2. The bootable media with Linux-like volume representation shows local disks and volumes as
unmounted (sda1, sda2...).
3. Backups created using bootable media have simplified file names. Standard names are assigned
to the backups only if these are added to an existing archive with standard file naming or if the
destination does not support simplified file names.
4. The bootable media with a Linux-like volume representation cannot write backups to an NTFS-
formatted volume. Switch to a media with Windows-like volume representation if you need to do
so. To toggle the bootable media volume representations, click Tools > Change volume
representation.
5. Tasks cannot be scheduled. If you need to repeat an operation, configure it from scratch.
6. The log lifetime is limited to the current session. You can save the entire log or the filtered log
entries to a file.
7. Centralized vaults are not displayed in the folder tree of the Archive window.
To access a managed vault, type the following string in the Path field:
bsp://node_address/vault_name/
To access an unmanaged centralized vault, type the full path to the vault's folder.
After entering access credentials, you will see a list of archives located in the vault.
If you don't want to follow this procedure every time you boot a given hardware configuration, re-
create the bootable media with the appropriate mode number (in the example above, vga=0x318)
typed in the Kernel parameters window.
12.7.2 Backup
You can back up data only with a bootable media that you have created with Bootable Media
Builder, and by using your Acronis Cyber Protect license key. For more information about how to
create a bootable media, refer to Linux-based bootable media or Windows-PE based bootable
media, respectively.
2. To back up the local machine, click Manage this machine locally. For remote connections, refer
to Registering media on the management server.
Note
With the Linux-based bootable media you might see drive letters that are different from the
ones in Windows. Try identifying the drive or partition that you need by its size or label.
5. If you need to back up files or folders instead of disks, switch to Files in Data to back up.
Only disk/partition and file/folder backup are available under bootable media. Other types of
backups, such as database backup, are only available under the running operating system.
2. To recover data to the local machine, click Manage this machine locally. For remote
connections, refer to Registering media on the management server.
Note
To recover data to dissimilar hardware, you have to use Acronis Universal Restore.
Acronis Universal Restore is not available when the backup is located in Acronis Secure Zone.
Sometimes after the volume has been backed up and its image placed into a safe storage, the
machine disk configuration might change due to an HDD replacement or hardware loss. In such a
case, you can recreate the necessary disk configuration so that the volume image can be recovered
exactly “as it was” or with some alteration of the disk or volume structure you might consider
necessary.
You can perform disk management operations on bare metal, on a machine that cannot boot or
on a non-Windows machine. You will need a bootable media that you have created with Bootable
Media Builder, and by using your Acronis Cyber Protect license key. For more information about
how to create a bootable media, refer to Linux-based bootable media or Windows-PE based
bootable media, respectively.
Note
Disk management functionality is not available for bootable media based on Windows PE 4.0 and
later. Thus, disk management is supported for Windows 7 and earlier operating systems. To
perform disk management operations on Windows 8 and later, you need to install Acronis Disk
Director. For more information, refer to this KB article: https://kb.acronis.com/content/47031.
2. To work on the local machine, click Manage this machine locally. For remote connections,
refer to Registering media on the management server.
l FAT 16/32
l NTFS
If you need to perform operations on a volume with a different file system, use Acronis Disk
Director. It provides more tools and utilities to manage disks and volumes with the following file
systems:
l FAT 16/32
l NTFS
l Ext2
l Ext3
l HFS+
l HFSX
l ReiserFS
l JFS
l Linux SWAP
Basic precautions
To avoid possible disk and volume structure damage or data loss, take all necessary precautions
and follow these guidelines:
1. Back up the disk on which volumes will be created or managed. Having your most important
data backed up to another hard disk, network share or removable media will allow you to work
on disk volumes knowing that your data is safe.
2. Test your disk to make sure it is fully functional and does not contain bad sectors or file system
errors.
3. Do not perform any disk/volume operations while running other software that has low-level disk
access.
Disk operations
With the bootable media, you can perform the following disk management operations:
l Disk Initialization - Initializes new hardware that was added to the system
l Basic disk cloning - Transfers complete data from a source basic MBR disk to a target disk
l Disk conversion: MBR to GPT - Converts an MBR partition table to GPT
l Disk conversion: GPT to MBR - Converts a GPT partition table to MBR
l Disk conversion: Basic to Dynamic - Converts a basic disk to dynamic
l Disk conversion: Dynamic to Basic - Converts a dynamic disk to basic
Disk initialization
The bootable media shows a non-initialized disk as a gray block with a grayed icon, thus indicating
that the disk is unusable by the system.
To initialize a disk
Note
You can also clone disks by using the Acronis Cyber Protect Command-Line utility.
2. To clone a disk of the local machine, click Manage this machine locally. For remote connection,
refer to Registering media on the management server.
Note
You can clone only entire disks. Partition cloning is not available.
5. A list of possible target disks is displayed. The program allows you to select a target disk if it is
large enough to hold all the data from the source disk without any loss. Select a target disk, and
then click Next.
Important
If there is data on the target disk, you will see the warning: "The selected target disk is not empty.
The data on its volumes will be overwritten." If you proceed, all the data that is currently on the
target disk will be lost irrevocably.
9. If you chose to copy the NT signature, wait until the operation is completed and the computer is
turned off, and then disconnect either the source or the target hard disk drive from the machine.
Important
The basic MBR disk that contains the boot volume with the currently running operating system
cannot be converted to GPT.
Note
A GPT-partitioned disk reserves the space at the end of the partitioned area necessary for the
backup area, which stores copies of the GPT header and the partition table. If the disk is full and the
volume size cannot be automatically decreased, the conversion operation of the MBR disk to GPT
will fail.
The operation is irreversible. If you have a primary volume belonging to an MBR disk and convert
the disk first to GPT and then back to MBR, the volume will become logical and cannot be used as a
system volume.
1. MBR disk conversion: dynamic to basic using the Convert to basic operation.
2. Basic disk conversion: MBR to GPT using the Convert to GPT operation.
3. GPT disk conversion: basic to dynamic using the Convert to dynamic operation.
Important
The basic GPT disk that contains the boot volume with the currently running operating system
cannot be converted to MBR.
1. Right-click the disk that you want to convert, and then click Convert to MBR.
2. By clicking OK, you will add a pending operation of GPT to MBR disk conversion.
3. To complete the added operation, commit it. Exiting the program without committing the
operation will effectively cancel it.
Note
After the operation, the volumes on this disk will become logical. This change is irreversible.
1. Right-click the disk that you want to convert, and then click Convert to dynamic.
2. Click OK.
The conversion will be performed immediately and your machine will be rebooted, if necessary.
Note
A dynamic disk occupies the last megabyte of the physical disk to store the database, including the
four-level description (Volume-Component-Partition-Disk) for each dynamic volume. If during the
conversion to dynamic it turns out that the basic disk is full and the size of its volumes cannot be
decreased automatically, the operation will fail.
Conversion of disks comprising system volumes takes some time and any power loss, unintentional
turning off of the machine or accidental pressing of the Reset button during the procedure could
result in bootability loss.
In contrast to Windows Disk Manager, the program ensures bootability of an offline operating
system on the disk after the operation.
1. Right-click the disk that you want to convert, and then click Convert to basic.
2. Click OK.
The conversion will be performed immediately and your machine will be rebooted, if necessary.
Note
This operation is not available for dynamic disks that contain Spanned, Striped, or RAID-5 volumes.
After the conversion, the last 8 MB of disk space is reserved for a future conversion of the disk from
basic to dynamic. In some cases the possible unallocated space and the proposed maximum
volume size might differ (for example, when the size of one mirror establishes the size of the other
mirror, or the last 8 MB of disk space are reserved for the future conversion of the disk from basic to
dynamic).
Note
Conversion of disks comprising system volumes takes some time, and any power loss, unintentional
turning off of the machine or accidental pressing of the Reset button during the procedure could
result in bootability loss.
Volume operations
With the bootable media, you can perform the following operations on volumes:
Striped volumes are created for improved performance, not for their better reliability – they
don't contain redundant information.
12.7.10 RAID-5
A fault-tolerant volume whose data is striped across an array of three or more disks. The
disks don't need to be identical, but there must be equally sized blocks of unallocated space
available on each disk in the volume. Parity (a calculated value that can be used to reconstruct data
in case of failure) is also striped across the disk array and it is always stored on a different disk than
the data itself. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk
can be re-created from the remaining data and the parity. A RAID-5 volume provides reliability and
is able to overcome the physical disk size limitations with a higher than mirrored disk-to-volume size
ratio.
Create a volume
You might need a new volume to:
To create a volume
1. Right-click any unallocated space in a disk, and then click Create volume. The Create volume
wizard opens.
You can assign the volume Letter (by default – the first free letter of the alphabet) and optionally
– a Label (by default – none). You must also specify the File system and the Cluster size.
The possible file systems options are:
l FAT16 (disabled if the volume size has been set at more than 2 GB)
l FAT32 (disabled if the volume size has been set at more than 2 TB)
l NTFS
l Leave the volume unformatted.
When setting the cluster size, you can choose any number in the preset amount for each file
system. The cluster size that is suggested by default is best suited to the volume with the chosen
file system. If you set a 64K cluster size for FAT16/FAT32 or an 8KB-64KB cluster size for NTFS,
Windows can mount the volume, but some programs (for example, Setup programs) might
calculate its disk space incorrectly.
If you are creating a basic volume, which can be made a system volume, you can also select the
volume type — Primary (Active Primary) or Logical. Typically, Primary is selected when you
want to install an operating system to a volume. Select the Active (default) value if you want to
Note
A basic disk can contain up to four primary volumes. If they already exist, the disk will have to be
converted into dynamic, otherwise Active and Primary options will be disabled and you will
only be able to select the Logical volume type.
6. Click Commit, and then click Proceed in the Pending Operations window. Exiting the program
without committing the operation will effectively cancel it.
Delete a volume
To delete a volume
Note
All the information on this volume will be lost irrevocably.
3. By clicking OK, you will add a pending operation of volume deletion.
After a volume is deleted, its space is added to unallocated disk space. You can use it to create a
new volume or to change another volume's type.
1. Right-click the desired primary volume on a basic MBR, and then click Mark as active.
If there is no other active volume in the system, the pending operation of setting active volume
will be added. If another active volume is present in the system, you will receive a warning that
the previous active volume must be set passive first.
Note
Due to setting the new active volume, the former active volume letter might be changed and
some of the installed programs might stop running.
2. By clicking OK, you will add a pending operation of setting active volume.
Note
Even if you have the operating system on the new active volume, in some cases the machine will
not be able to boot from it. You will have to confirm your decision to set the new volume as
active.
3. To complete the added operation, commit it. Exiting the program without committing the
operation will effectively cancel it.
1. Right-click the desired volume, and then click Change letter.
2. In the Change Letter window, select a new letter.
3. By clicking OK, you will add a pending operation of volume letter assignment.
4. To complete the added operation, commit it. Exiting the program without committing the
operation will effectively cancel it.
1. Right-click the desired volume, and then click Change label.
2. Enter a new label in the Change label window text field.
3. By clicking OK, you will add a pending operation of changing the volume label.
4. To complete the added operation, commit it. Exiting the program without committing the
operation will effectively cancel it.
Format volume
You might want to format a volume if you want to change its file system:
l To save additional space which is being lost due to the cluster size on the FAT16 or FAT32 file
systems
l As a quick and more or less reliable way of destroying data residing in this volume
To format a volume:
Pending operations
All operations are considered pending until you issue and confirm the Commit command. Thus you
can control all planned operations, double-check the intended changes, and cancel any operation
before it is executed, if necessary.
The Disk management view contains the toolbar with icons for Undo, Redo and Commit actions
intended for pending operations. These actions might also be launched from the Disk
management menu.
The Undo action lets you undo the latest operation in the list. While the list is not empty, this action
is available.
The Redo action lets you reinstate the last pending operation that was undone.
The Commit action forwards you to the Pending Operations window, where you will be able to
view the pending operation list.
Note
You will not be able to undo any actions or operations after you choose the Proceed operation!
If you don't want to proceed with the commitment, click Cancel. Then no changes will be made to
the pending operation list. Quitting the program without committing the pending operations also
effectively cancels them.
An iSCSI target server (or target portal) is a server that hosts an iSCSI device. An iSCSI target is a
component on the target server; this component shares the device and lists iSCSI initiators that are
allowed access to the device. An iSCSI initiator is a component on a machine; this component
provides interaction between the machine and an iSCSI target. When configuring access to an iSCSI
device on a machine booted with bootable media, you need to specify the iSCSI target portal of the
device and one of the iSCSI initiators listed in the target. If the target shares several devices, you will
get access to all of them.
Startup Recovery Manager is especially useful for traveling users. If a failure occurs, reboot the
machine, wait for the prompt "Press F11 for Acronis Startup Recovery Manager…" to appear, and
then press F11. The program will start and you can perform recovery.
You can also back up using Startup Recovery Manager, while on the move.
On machines with the GRUB boot loader installed, you select the Startup Recovery Manager from
the boot menu instead of pressing F11.
1. Select the machine that you want to activate Startup Recovery Manager on.
2. Click Details.
Note
The system disk (or, the /boot partition in Linux) should have at least 100 MB of free space to
activate Startup Recovery Manager.
Unless you use the GRUB boot loader and it is installed in the Master Boot Record (MBR), Startup
Recovery Manager activation overwrites the MBR with its own boot code. Thus, you may need to
reactivate third-party boot loaders if they are installed.
Under Linux, when using a boot loader other than GRUB (such as LILO), consider installing it to a
Linux root (or boot) partition boot record instead of the MBR before activating Startup Recovery
Manager. Otherwise, reconfigure the boot loader manually after the activation.
Deactivation disables the boot time prompt "Press F11 for Acronis Startup Recovery Manager…" (or,
the menu item in GRUB). If Startup Recovery Manager is not activated, you will need one of the
following to recover the system when it fails to boot:
Network booting:
l eliminates the need to have a technician onsite to install the bootable media into the system that
must be booted
Bootable components are uploaded to Acronis PXE Server using Acronis Bootable Media Builder. To
upload bootable components, start the Bootable Media Builder, and then follow the step-by-step
instructions described in "Linux-based bootable media".
Booting multiple machines from the Acronis PXE Server makes sense if there is a Dynamic Host
Control Protocol (DHCP) server on your network. Then the network interfaces of the booted
machines will automatically obtain IP addresses.
Limitation:
1. Log on as an administrator and start the Acronis Cyber Protect setup program.
2. [Optional] To change the language the setup program is displayed in, click Setup language.
3. Accept the terms of the license agreement and select whether the machine will participate in the
Acronis Customer Experience Program (ACEP).
Acronis PXE Server runs as a service immediately after installation. Later on it will automatically
launch at each system restart. You can stop and start Acronis PXE Server in the same way as other
Windows services.
On a machine that has an operating system on the hard disk, the BIOS must be configured so that
the network interface card is either the first boot device, or at least prior to the Hard Drive device.
The example below shows one of the reasonable BIOS configurations. If you don’t insert bootable
media, the machine will boot from the network.
If the hardware has multiple network interface cards, make sure that the card supported by the
BIOS has the network cable plugged in.
1. Select the data categories that you want to back up. By default, all categories are selected.
2. [optional step] Enable Encrypt Backup to protect your backup by encryption. In this case, you
will need to also:
a. Enter an encryption password twice.
Note
Make sure you remember the password, because a forgotten password can never be
restored or changed.
• To preview a photo or a contact, click the respective data category name, and then click the
required data item.
• Database backup
This is a file-level backup of the databases and the metadata associated with them. The
databases can be recovered to a live application or as files.
• Application-aware backup
This is a disk-level backup that also collects the applications' metadata. This metadata enables
browsing and recovery of the application data without recovering the entire disk or volume. The
disk or volume can also be recovered as a whole. This means that a single solution and a single
protection plan can be used for both disaster recovery and data protection purposes.
For Microsoft Exchange Server, you can opt for Mailbox backup. This is a backup of individual
mailboxes via the Exchange Web Services protocol. The mailboxes or mailbox items can be
recovered to a live Exchange Server or to Microsoft Office 365. Mailbox backup is supported for
Microsoft Exchange Server 2010 Service Pack 1 (SP1) and later.
To protect only the content, you can back up the content databases separately.
Microsoft SharePoint front-end web servers | - | - | Entire machine
Active Directory Domain Services | - | Entire machine | -
14.5 Prerequisites
Before configuring the application backup, ensure that the requirements listed below are met.
To check the VSS writers state, use the vssadmin list writers command.
Note
Agent for Exchange needs temporary storage to operate. By default, the temporary files are
located in %ProgramData%\Acronis\Temp. Ensure that you have at least as much free space on the
volume where the %ProgramData% folder is located as 15 percent of an Exchange database size.
Alternatively, you can change the location of the temporary files before creating Exchange backups
as described in: https://kb.acronis.com/content/40040.
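A pre-flight check for the two prerequisites above, as an added example that is not part of the Acronis documentation: it parses the output of vssadmin list writers, flags any writer that is not in the Stable state with No error, and compares free space against the 15 percent figure. The function names and the sample text are constructed, and the parser assumes English-language vssadmin output.

```powershell
# Added example, not Acronis code. All function names are constructed.

function ConvertFrom-VssWriterList {
    # Turns the text printed by "vssadmin list writers" into objects.
    # Assumption: English-language output ("Writer name:", "State:", "Last error:").
    param([Parameter(Mandatory)][string[]]$Lines)

    $writers = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Writer name:\s*''(.+)''\s*$') {
            if ($current) { $writers += [pscustomobject]$current }
            $current = [ordered]@{ Name = $Matches[1]; State = $null; LastError = $null }
        }
        elseif ($current -and $line -match '^\s*State:\s*\[\d+\]\s*(.+?)\s*$') {
            $current.State = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Last error:\s*(.+?)\s*$') {
            $current.LastError = $Matches[1]
        }
    }
    if ($current) { $writers += [pscustomobject]$current }
    return $writers
}

function Get-UnhealthyVssWriter {
    # Returns every writer that is not "Stable" with "No error".
    # A writer that is busy with a running backup is also listed here.
    param([Parameter(Mandatory)][string[]]$Lines)

    ConvertFrom-VssWriterList -Lines $Lines |
        Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
}

function Test-ExchangeTempSpace {
    # True when the drive that holds $TempRoot has at least 15 percent of the
    # database file size free. If %ProgramData% sits on a mounted volume,
    # check that volume instead; PSDrive only knows drive letters.
    param(
        [Parameter(Mandatory)][string]$DatabasePath,
        [string]$TempRoot = $env:ProgramData
    )
    $dbSize = (Get-Item -LiteralPath $DatabasePath).Length
    $free   = (Get-Item -LiteralPath $TempRoot).PSDrive.Free
    return ($free -ge [math]::Ceiling($dbSize * 0.15))
}

# Constructed sample output (placeholder GUIDs) so the parser can be tried on
# any machine. On a real server use:  $lines = vssadmin list writers
$sample = @"
Writer name: 'SqlServerWriter'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a1}
   State: [1] Stable
   Last error: No error

Writer name: 'Microsoft Exchange Writer'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a2}
   State: [8] Failed
   Last error: Retryable error
"@ -split "`r?`n"

# Lists only 'Microsoft Exchange Writer' for the sample above.
Get-UnhealthyVssWriter -Lines $sample | Format-Table Name, State, LastError

# Example call with a hypothetical database path:
#   Test-ExchangeTempSpace -DatabasePath 'D:\ExchangeDB\DB01.edb'
```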
• For physical machines, the Volume Shadow Copy Service (VSS) backup option is enabled.
• For virtual machines, the Volume Shadow Copy Service (VSS) for virtual machines backup option
is enabled.
• The virtual machine being backed up meets the requirements for application-consistent backup
and restore listed in the article "Windows Backup Implementations" in the VMware
documentation: https://code.vmware.com/docs/1674/virtual-disk-programming-guide/doc/vddkBkupVadp.9.6.html
• VMware Tools is installed and up-to-date on the machine.
Select the databases as described below, and then specify other settings of the protection plan as
appropriate.
The SQL transaction logs are truncated after each successful backup. SQL log truncation can be
disabled in the protection plan options.
An incremental backup contains the changed blocks of the database files, the checkpoint files, and a
small number of the log files that are more recent than the corresponding database checkpoint.
Because changes to the database files are included in the backup, there is no need to back up all the
transaction log records since the previous backup. Only the log that is more recent than the
checkpoint needs to be replayed after a recovery. This makes for faster recovery and ensures
successful database backup, even with circular logging enabled.
The transaction log files are truncated after each successful backup.
In a Failover Cluster Instance, SQL databases are located on a shared storage. This storage can only
be accessed from the active cluster node. If the active node fails, a failover occurs and a different
node becomes active.
In an availability group, each database replica resides on a different node. If the primary replica
becomes unavailable, a secondary replica residing on a different node is assigned the primary role.
Thus, the clusters are already serving as a disaster recovery solution themselves. However, there
might be cases when the clusters cannot provide data protection: for example, in case of a database
logical corruption, or when the entire cluster is down. Also, cluster solutions do not protect from
harmful content changes, as they usually immediately replicate to all cluster nodes.
Note
After you install the agent on one of the nodes, the software displays the AAG and its nodes
under Devices > Microsoft SQL > Databases. To install Agents for SQL on the rest of the nodes,
select the AAG, click Details, and then click Install agent next to each of the nodes.
2. Select the AAG or database set to back up as described in "Selecting SQL databases".
You must select the AAG itself to back up all databases of the AAG. To back up a set of databases,
define this set of databases in all nodes of the AAG.
Warning!
The database set must be exactly the same in all nodes. If even one set is different, or not
defined on all nodes, the cluster backup will not work correctly.
Important
A database that is included in an Always On Availability Group cannot be overwritten during a
recovery because Microsoft SQL Server prohibits this. You need to exclude the target database
from the AAG before the recovery. Or, just recover the database as a new non-AAG one. When
the recovery is completed, you can reconstruct the original AAG configuration.
However, there might be cases when failover cluster solutions cannot provide data protection: for
example, in case of a database logical corruption, or when a particular database in a cluster has no
copy (replica), or when the entire cluster is down. Also, cluster solutions do not protect from harmful
content changes, as they usually immediately replicate to all cluster nodes.
Cluster-aware backup
With cluster-aware backup, you back up only one copy of the clustered data. If the data changes its
location within the cluster (due to a switchover or a failover), the software will track all relocations of
this data and safely back it up.
DAG is a group of up to 16 Exchange Mailbox servers. Any node can host a copy of a mailbox
database from any other node. Each node can host passive and active database copies. Up to 16
copies of each database can be created.
Note
After you install the agent on one of the nodes, the Cyber Protect web console displays the DAG and
its nodes under Devices > Microsoft Exchange > Databases. To install Agents for Exchange on the
rest of the nodes, select the DAG, click Details, and then click Install agent next to each of the
nodes.
Important
For cluster-aware backup, ensure that you select the DAG itself. If you select individual nodes or
databases inside the DAG, only the selected items will be backed up and the Cluster backup mode
option will be ignored.
When you back up a machine running Microsoft SQL Server, Microsoft Exchange Server, or Active
Directory Domain Services, enable Application backup for additional protection of these
applications' data.
1. The applications are backed up in a consistent state and thus will be available immediately after
the machine is recovered.
2. You can recover the SQL and Exchange databases, mailboxes, and mailbox items without
recovering the entire machine.
3. The SQL transaction logs are truncated after each successful backup. SQL log truncation can be
disabled in the protection plan options. The Exchange transaction logs are truncated on virtual
machines only. You can enable the VSS full backup option if you want to truncate Exchange
transaction logs on a physical machine.
4. If a domain contains more than one domain controller, and you recover one of them, a
nonauthoritative restore is performed and a USN rollback will not occur after the recovery.
On a virtual machine, no agent installation is required; it is presumed that the machine is backed up
by Agent for VMware (Windows) or Agent for Hyper-V.
Agent for VMware (Virtual Appliance) and Agent for VMware (Linux) can create application-aware
backups, but cannot recover application data from them. To recover application data from backups
created by these agents, you need Agent for VMware (Windows), Agent for SQL, or Agent for
Exchange on a machine that has access to the location where the backups are stored. When
configuring recovery of application data, select the recovery point on the Backup storage tab, and
then select this machine in Machine to browse from.
Other requirements are listed in the "Prerequisites" and "Required user rights" sections.
Mailbox backup is available if at least one Agent for Exchange is registered on the management
server. The agent must be installed on a machine that belongs to the same Active Directory forest as
Microsoft Exchange Server.
Before backing up mailboxes, you must connect Agent for Exchange to the machine running the
Client Access server role (CAS) of Microsoft Exchange Server. In Exchange 2016 and later, the CAS
role is not available as a separate installation option. It is automatically installed as part of the
Mailbox server role. Thus, you can connect the agent to any server running the Mailbox role.
As a result, the mailboxes appear under Devices > Microsoft Exchange > Mailboxes.
Membership of the account in the Organization Management role group enables access to any
mailbox, including mailboxes that will be created in the future.
• The account must be a member of the Server Management and Recipient Management role
groups.
• The account must have the ApplicationImpersonation management role enabled for all users
or groups of users whose mailboxes the agent will access.
For information about configuring the ApplicationImpersonation management role, refer to the
following Microsoft knowledge base article: https://msdn.microsoft.com/en-us/library/office/dn722376.aspx.
You can recover SQL databases to a SQL Server instance, if Agent for SQL is installed on the machine
running the instance. You will need to provide credentials for an account that is a member of the
Alternatively, you can recover the databases as files. This can be useful if you need to extract data
for data mining, audit, or further processing by third-party tools. You can attach the SQL database
files to a SQL Server instance, as described in "Attaching SQL Server databases".
If you use only Agent for VMware (Windows), recovering databases as files is the only available
recovery method. Recovering databases by using Agent for VMware (Virtual Appliance) is not
possible.
System databases are basically recovered in the same way as user databases. The peculiarities of
system database recovery are described in "Recovering system databases".
• System databases can only be recovered to an instance of the same version as the original
instance.
• System databases are always recovered in the "ready to use" state.
• Databases that have appeared in the instance after the backup was done are not visible to the
instance. To bring these databases back to production, attach them to the instance manually by
using SQL Server Management Studio.
• Databases that have been deleted after the backup was done are displayed as offline in the
instance. Delete these databases by using SQL Server Management Studio.
Attaching a database requires any of the following permissions: CREATE DATABASE, CREATE ANY
DATABASE, or ALTER ANY DATABASE. Normally, these permissions are granted to the sysadmin
role of the instance.
To attach a database
You can recover Exchange Server data to a live Exchange Server. This may be the original Exchange
Server or an Exchange Server of the same version running on the machine with the same fully
qualified domain name (FQDN). Agent for Exchange must be installed on the target machine.
The following table summarizes the Exchange Server data that you can select for recovery and the
minimal user rights required to recover the data.
Alternatively, you can recover the databases (storage groups) as files. The database files, along with
transaction log files, will be extracted from the backup to a folder that you specify. This can be
useful if you need to extract data for an audit or further processing by third-party tools, or when the
recovery fails for some reason and you are looking for a workaround to mount the databases
manually.
If you use only Agent for VMware (Windows), recovering databases as files is the only available
recovery method. Recovering databases by using Agent for VMware (Virtual Appliance) is not
possible.
We will refer to both databases and storage groups as "databases" throughout the procedures
below.
The recovered databases will be in a Dirty Shutdown state. A database that is in a Dirty Shutdown
state can be mounted by the system if it is recovered to its original location (that is, information
about the original database is present in Active Directory). When recovering a database to an
alternate location (such as a new database or as the recovery database), the database cannot be
mounted until you bring it to a Clean Shutdown state by using the Eseutil /r <Enn> command.
<Enn> specifies the log file prefix for the database (or storage group that contains the database) into
which you need to apply the transaction log files.
The account you use to attach a database must be delegated an Exchange Server Administrator role
and a local Administrators group for the target server.
For details about how to mount databases, see the following articles:
Note
Available only from database backups. See "Selecting Exchange Server data" (p. 381)
Granular recovery can be performed by Agent for Exchange or Agent for VMware (Windows). The
target Exchange Server and the machine running the agent must belong to the same Active
Directory forest.
When a mailbox is recovered to an existing mailbox, the existing items with matching IDs are
overwritten.
Recovery of mailbox items does not overwrite anything. Instead, the full path to a mailbox item is
recreated in the target folder.
User mailboxes and their contents can be recovered only if their associated user accounts are
enabled. Shared, room, and equipment mailboxes can be recovered only if their associated user
accounts are disabled.
A mailbox that does not meet the above conditions is skipped during recovery.
If some mailboxes are skipped, the recovery will succeed with warnings. If all mailboxes are skipped,
the recovery will fail.
When a mailbox is recovered to an existing Office 365 mailbox, the existing items are kept intact,
and the recovered items are placed next to them.
When recovering a single mailbox, you need to select the target Office 365 mailbox. When
recovering several mailboxes within one recovery operation, the software will try to recover each
mailbox to the mailbox of the user with the same name. If the user is not found, the mailbox is
skipped. If some mailboxes are skipped, the recovery will succeed with warnings. If all mailboxes are
skipped, the recovery will fail.
For more information about recovery to Office 365, refer to "Protecting Office 365 mailboxes".
1. [Only when recovering from a database backup to Office 365] If Agent for Office 365 is not
installed on the machine running Exchange Server that was backed up, do one of the following:
• If there is no Agent for Office 365 in your organization, install Agent for Office 365 on the
machine that was backed up (or on another machine with the same Microsoft Exchange
Server version).
• If you already have Agent for Office 365 in your organization, copy libraries from the machine
that was backed up (or from another machine with the same Microsoft Exchange Server
version) to the machine with Agent for Office 365, as described in "Copying Microsoft
Exchange libraries".
2. Do one of the following:
• When recovering from an application-aware backup: under Devices, select the machine that
originally contained the data that you want to recover.
• When recovering from a database backup, click Devices > Microsoft Exchange > Databases,
and then select the database that originally contained the data that you want to recover.
3. Click Recovery.
4. Select a recovery point. Note that recovery points are filtered by location.
If the machine is offline, the recovery points are not displayed. Use other ways to recover:
• [Only when recovering from an application-aware backup] If the backup location is cloud or
shared storage (i.e. other agents can access it), click Select machine, select an online machine
that has Agent for Exchange or Agent for VMware, and then select a recovery point.
• Select a recovery point on the Backup storage tab.
The machine chosen for browsing in either of the above actions will perform the recovery
instead of the original machine that is offline.
5. Click Recover > Exchange mailboxes.
6. Select the mailboxes that you want to recover.
You can search mailboxes by name. Wildcards are not supported.
1. [Only when recovering from a database backup to Office 365] If Agent for Office 365 is not
installed on the machine running Exchange Server that was backed up, do one of the following:
• If there is no Agent for Office 365 in your organization, install Agent for Office 365 on the
machine that was backed up (or on another machine with the same Microsoft Exchange
Server version).
• If you already have Agent for Office 365 in your organization, copy libraries from the machine
that was backed up (or from another machine with the same Microsoft Exchange Server
version) to the machine with Agent for Office 365, as described in "Copying Microsoft
Exchange libraries".
2. Do one of the following:
• When recovering from an application-aware backup: under Devices, select the machine that
originally contained the data that you want to recover.
Note
Click the name of an attached file to download it.
When an email message is selected, you can click Send as email to send the message to an
email address. The message is sent from your administrator account's email address.
Copy the following files, according to the Microsoft Exchange Server version that was backed up.
Microsoft Exchange Server 2010 | ese.dll, esebcli2.dll, store.exe | %ProgramFiles%\Microsoft\Exchange Server\V14\bin
Microsoft Exchange Server 2013 | ese.dll | %ProgramFiles%\Microsoft\Exchange Server\V15\bin
Microsoft Exchange Server 2013 | msvcr110.dll | %WINDIR%\system32
Microsoft Exchange Server 2016, 2019 | ese.dll | %ProgramFiles%\Microsoft\Exchange Server\V15\bin
Microsoft Exchange Server 2016, 2019 | msvcr110.dll, msvcp110.dll | %WINDIR%\system32
The libraries should be placed in the folder %ProgramData%\Acronis\ese. If this folder does not
exist, create it manually.
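The copy described above, as an added example that is not part of the Acronis documentation: one function stages the listed files on the Exchange machine together with a SHA-256 manifest, and a second function verifies the manifest on the machine with Agent for Office 365 before placing anything in %ProgramData%\Acronis\ese. The function names, the manifest file name and the staging path are constructed; the file list and folders are the ones given on this page.

```powershell
# Added example, not Acronis code. Function names and manifest.csv are constructed.

$bin14 = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V14\bin'
$bin15 = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\bin'
$sys32 = Join-Path $env:WINDIR 'system32'

# File list per Exchange version, as given in the table above.
$LibraryMap = @{
    '2010' = @("$bin14\ese.dll", "$bin14\esebcli2.dll", "$bin14\store.exe")
    '2013' = @("$bin15\ese.dll", "$sys32\msvcr110.dll")
    '2016' = @("$bin15\ese.dll", "$sys32\msvcr110.dll", "$sys32\msvcp110.dll")
    '2019' = @("$bin15\ese.dll", "$sys32\msvcr110.dll", "$sys32\msvcp110.dll")
}
$AllowedNames = 'ese.dll', 'esebcli2.dll', 'store.exe', 'msvcr110.dll', 'msvcp110.dll'

function Export-ExchangeLibrary {
    # Run on the Exchange machine that was backed up.
    param(
        [Parameter(Mandatory)][ValidateSet('2010', '2013', '2016', '2019')][string]$Version,
        [Parameter(Mandatory)][string]$StagingPath
    )
    New-Item -ItemType Directory -Path $StagingPath -Force | Out-Null
    $manifest = foreach ($source in $LibraryMap[$Version]) {
        if (-not (Test-Path -LiteralPath $source)) { throw "Missing library: $source" }
        Copy-Item -LiteralPath $source -Destination $StagingPath -Force
        [pscustomobject]@{
            Name      = Split-Path $source -Leaf
            SHA256    = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
            # Recorded for the operator; the import step relies on the hash.
            Signature = (Get-AuthenticodeSignature -FilePath $source).Status.ToString()
        }
    }
    $manifest | Export-Csv -Path (Join-Path $StagingPath 'manifest.csv') -NoTypeInformation
    return $manifest
}

function Import-ExchangeLibrary {
    # Run on the machine with Agent for Office 365 after transferring the folder.
    param(
        [Parameter(Mandatory)][string]$StagingPath,
        [string]$Destination = (Join-Path $env:ProgramData 'Acronis\ese')
    )
    $manifest = @(Import-Csv -Path (Join-Path $StagingPath 'manifest.csv'))

    # Verify every file before anything is copied, so a bad transfer never
    # leaves a partial set of libraries in the agent's folder.
    foreach ($entry in $manifest) {
        $name = Split-Path $entry.Name -Leaf          # ignore any path in the manifest
        if ($AllowedNames -notcontains $name) { throw "Unexpected file in manifest: $name" }
        $hash = (Get-FileHash -LiteralPath (Join-Path $StagingPath $name) -Algorithm SHA256).Hash
        if ($hash -ne $entry.SHA256) { throw "Hash mismatch for $name; nothing was copied." }
    }

    # The page says to create the folder manually if it does not exist.
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($entry in $manifest) {
        $name = Split-Path $entry.Name -Leaf
        Copy-Item -LiteralPath (Join-Path $StagingPath $name) -Destination $Destination -Force
    }
    Get-ChildItem -LiteralPath $Destination | Select-Object Name, Length, LastWriteTime
}

# On the Exchange machine (constructed staging path):
#   Export-ExchangeLibrary -Version 2016 -StagingPath 'D:\ese-staging'
# On the machine with Agent for Office 365, after transferring the folder:
#   Import-ExchangeLibrary -StagingPath 'D:\ese-staging'
```

Because the manifest travels with the files, it catches a damaged or incomplete transfer; to detect deliberate tampering, compare the SHA256 column with the values printed by Export-ExchangeLibrary over a separate channel.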
1. Click Devices, and then click Microsoft SQL or Microsoft Exchange.
2. Select the Always On Availability Group, Database Availability Group, SQL Server instance, or
Exchange Server for which you want to change the access credentials.
3. Click Specify credentials.
4. Specify the new access credentials, and then click OK.
1. Click Devices > Microsoft Exchange, and then expand Mailboxes.
2. Select the Exchange Server for which you want to change the access credentials.
For more information on the licensing options, see Acronis Cyber Backup for Microsoft 365
Licensing.
1. Install Agent for Office 365 on a Windows machine that is connected to the Internet. There must
be only one Agent for Office 365 in an organization.
2. In the Cyber Protect web console, click Microsoft Office 365.
3. In the window that opens, enter your application ID, application secret, and Microsoft 365 tenant
ID. For more information on how to find these, refer to Obtaining application ID and application
secret.
4. Click Sign in.
As a result, your organization data items appear in the Cyber Protect web console on the Microsoft
Office 365 page.
15.3 Recovery
The following items can be recovered from a mailbox backup:
• Mailboxes
• Email folders
• Email messages
• Calendar events
• Tasks
When a mailbox is recovered to an existing Office 365 mailbox, the existing items with matching IDs
are overwritten. When a mailbox is recovered to an existing Exchange Server mailbox, the existing
items are kept intact. The recovered items are placed next to them.
Recovery of mailbox items does not overwrite anything. Instead, the full path to a mailbox item is
recreated in the target folder.
15.4 Limitations
• Applying a protection plan to more than 500 mailboxes may cause backup performance
degradation. To protect a large number of mailboxes, create several protection plans and
schedule them to run at different times.
• Archive mailboxes (In-Place Archive) cannot be backed up.
• A mailbox backup includes only folders visible to users. The Recoverable items folder and its
subfolders (Deletions, Versions, Purges, Audits, DiscoveryHold, Calendar Logging) are not
included in a mailbox backup.
• Recovery to a new Office 365 mailbox is not possible. You must first create a new Office 365 user
manually, and then recover items to this user's mailbox.
• Recovery to a different Microsoft Office 365 organization is not supported.
• Some item types or properties supported by Office 365 may not be supported by Exchange
Server. They will be skipped during recovery to Exchange Server.
To select mailboxes
Note
Click the name of an attached file to download it.
When an email message is selected, you can click Send as email to send the message to an
email address. The message is sent from your administrator account's email address.
Your application is now created. In the Azure portal, navigate to the application's Overview page
and check your application (client) ID and directory (tenant) ID.
For more information on how to create an application in the Azure portal, refer to the Microsoft
documentation.
1. In the Azure portal, navigate to the application's API permissions, and then click Add a
permission.
2. Select the APIs my organization uses tab, and then search for Office 365 Exchange Online.
3. Click Office 365 Exchange Online, and then click Application permissions.
4. Select the full_access_as_app check box, and then click Add permissions.
5. In API permissions, click Add a permission.
6. Select Microsoft Graph.
7. Select Application permissions.
1. In the Azure portal, navigate to your application's Certificates & secrets > New client secret.
2. In the dialog box that opens, select Expires: Never, and then click Add.
3. Check your application secret in the Value field and make sure that you remember it.
For more information on the application secret, refer to the Microsoft documentation.
We recommend running this temporary virtual machine for up to three days. Then, you can
completely remove it or convert it to a regular virtual machine (finalize) without downtime.
As long as the temporary virtual machine exists, retention rules cannot be applied to the backup
being used by that machine. Backups of the original machine can continue to run.
18.1.2 Prerequisites
• At least one Agent for VMware or Agent for Hyper-V must be registered in the Cyber Protection
service.
• The backup can be stored in a network folder, on a storage node, or in a local folder of the
machine where Agent for VMware or Agent for Hyper-V is installed. If you select a network folder,
it must be accessible from that machine. A virtual machine can also be run from a backup stored
in the cloud storage, but it works more slowly because this operation requires intense random-access
reading from the backup. A virtual machine cannot be run from a backup stored on an SFTP
server, a tape device, or in Secure Zone.
• The backup must contain an entire machine or all of the volumes that are required for the
operating system to start.
• Backups of both physical and virtual machines can be used. Backups of Virtuozzo containers
cannot be used.
3. [Optional] Click Target machine, and then change the virtual machine type (ESXi or Hyper-V),
the host, or the virtual machine name.
4. [Optional] Click Datastore for ESXi or Path for Hyper-V, and then select the datastore for the
virtual machine.
Changes to the virtual disks accumulate while the machine is running. Ensure that the selected
datastore has enough free space. If you are planning to preserve these changes by making the
virtual machine permanent, select a datastore that is suitable for running the machine in
production.
As a result, the machine appears in the web interface with one of the following icons: [icon] or [icon]
1. On the All devices tab, select a machine that is running from a backup.
2. Click Delete.
The machine is removed from the web interface. It is also removed from the vSphere or Hyper-V
inventory and datastore (storage). All changes that occurred to the data while the machine was
running are lost.
You have the option to make this machine permanent, i.e. recover all of its virtual disks, along with
the changes that occurred while the machine was running, to the datastore that stores these
changes. This process is named finalization.
Finalization is performed without downtime. The virtual machine will not be powered off during
finalization.
The location of the final virtual disks is defined in the parameters of the Run as VM operation
(Datastore for ESXi or Path for Hyper-V). Prior to starting the finalization, ensure that free space,
sharing capabilities, and performance of this datastore are suitable for running the machine in
production.
Note
Finalization is not supported for Hyper-V running in Windows Server 2008/2008 R2 and Microsoft
Hyper-V Server 2008/2008 R2 because the necessary API is missing in these Hyper-V versions.
The machine name changes immediately. The recovery progress is shown on the Activities tab.
Once the recovery is completed, the machine icon changes to that of a regular virtual machine.
• During a finalization, the agent performs random access to different parts of the backup. When
an entire machine is being recovered, the agent reads data from the backup sequentially.
• If the virtual machine is running during the finalization, the agent reads data from the backup
more often, to maintain both processes simultaneously. During a regular recovery, the virtual
machine is stopped.
Replication is the process of creating an exact copy (replica) of a virtual machine, and then
maintaining the replica in sync with the original machine. By replicating a critical virtual machine,
you will always have a copy of this machine in a ready-to-start state.
The replication can be started manually or on the schedule you specify. The first replication is full
(copies the entire machine). All subsequent replications are incremental and are performed with
Changed Block Tracking, unless this option is disabled.
However, powering on a replica is much faster than a recovery and faster than running a virtual
machine from a backup. When powered on, a replica works faster than a VM running from a backup
and does not load the Agent for VMware.
Usage examples
• Replicate virtual machines to a remote site.
Replication enables you to withstand partial or complete datacenter failures, by cloning the
virtual machines from a primary site to a secondary site. The secondary site is usually located in a
remote facility that is unlikely to be affected by environmental, infrastructure, or other factors
that might cause the primary site failure.
• Replicate virtual machines within a single site (from one host/datastore to another).
Onsite replication can be used for high availability and disaster recovery scenarios.
Restrictions
The following types of virtual machines cannot be replicated:
As a result of running a replication plan, the virtual machine replica appears in the All devices list
Testing a replica
To prepare a replica for testing
While the replica is in a failover state, you can choose one of the following actions:
• Stop failover
Stop failover if the original machine was fixed. The replica will be powered off. Replication will be
resumed.
• Perform permanent failover to the replica
This instant operation removes the 'replica' flag from the virtual machine, so that replication to it
is no longer possible. If you want to resume replication, edit the replication plan to select this
machine as a source.
• Failback
Perform failback if you failed over to the site that is not intended for continuous operations. The
replica will be recovered to the original or a new virtual machine. Once the recovery to the
original machine is complete, it is powered on and replication is resumed. If you choose to
recover to a new machine, edit the replication plan to select this machine as a source.
Stopping failover
To stop a failover
Failing back
To failback from a replica
Replication options
To modify the replication options, click the gear icon next to the replication plan name, and then
click Replication options.
Disk provisioning
This option defines the disk provisioning settings for the replica.
The following values are available: Thin provisioning, Thick provisioning, Keep the original
setting.
Pre/Post commands
This option is similar to the backup option "Pre/Post commands".
Failback options
To modify the failback options, click Recovery options when configuring failback.
Error handling
This option is similar to the recovery option "Error handling".
Performance
This option is similar to the recovery option "Performance".
Pre/Post commands
This option is similar to the recovery option "Pre/Post commands".
VM power management
This option is similar to the recovery option "VM power management".
Important
To perform replica seeding, Agent for VMware (Virtual Appliance) must be running on the target
ESXi.
As a result, the software will continue updating the replica. All replications will be incremental.
If your ESXi uses a SAN attached storage, install the agent on a machine connected to the same SAN.
The agent will back up the virtual machines directly from the storage rather than via the ESXi host
and LAN. This capability is called a LAN-free backup.
The diagram below illustrates a LAN-based and a LAN-free backup. LAN-free access to virtual
machines is available if you have a fibre channel (FC) or iSCSI Storage Area Network. To completely
eliminate transferring the backed-up data via LAN, store the backups on a local disk of the agent's
machine or on a SAN attached storage.
1. Install Agent for VMware on a Windows machine that has network access to the vCenter Server.
2. Connect the logical unit number (LUN) that hosts the datastore to the machine. Consider the
following:
• Use the same protocol (i.e. iSCSI or FC) that is used for the datastore connection to the ESXi.
• The LUN must not be initialized and must appear as an "offline" disk in Disk Management. If
Windows initializes the LUN, it may become corrupted and unreadable by VMware vSphere.
To avoid LUN initialization, the SAN Policy is automatically set to Offline All during the Agent
for VMware (Windows) installation.
As a result, the agent will use the SAN transport mode to access the virtual disks, i.e. it will read raw
LUN sectors over iSCSI/FC without recognizing the VMFS file system (which Windows is not aware
of).
Limitations
l In vSphere 6.0 and later, the agent cannot use the SAN transport mode if some of the VM disks
are located on a VMware Virtual Volume (VVol) and some are not. Backups of such virtual
machines will fail.
Example
If you are using an iSCSI SAN, configure the iSCSI initiator on the machine running Windows where
Agent for VMware is installed.
1. Log on as an administrator, open the command prompt, type diskpart, and then press Enter.
2. Type san, and then press Enter. Ensure that SAN Policy : Offline All is displayed.
3. If another value for SAN Policy is set:
a. Type san policy=offlineall.
b. Press Enter.
c. To check that the setting has been applied correctly, perform step 2.
d. Restart the machine.
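The check in steps 1 and 2 can be scripted. The following PowerShell is an added example, not part of the Acronis guide; it assumes an elevated session and an English-language diskpart, which prints the line "SAN Policy : Offline All" quoted in step 2.

```powershell
# Added example: verify the SAN policy reported by diskpart before a datastore LUN
# is connected to the machine running Agent for VMware (Windows).
# Assumptions: elevated PowerShell session, English diskpart output.

function Get-SanPolicy {
    # diskpart reads its commands from a script file passed with /s.
    $scriptPath = Join-Path $env:TEMP 'san-query.txt'
    Set-Content -Path $scriptPath -Value 'san' -Encoding ASCII
    try {
        $output = & diskpart.exe /s $scriptPath
    }
    finally {
        Remove-Item -Path $scriptPath -ErrorAction SilentlyContinue
    }

    # Look for the line that step 2 tells you to check, e.g. "SAN Policy  : Offline All".
    foreach ($line in $output) {
        if ($line -match '^\s*SAN Policy\s*:\s*(.+?)\s*$') {
            return $Matches[1]
        }
    }
    throw "diskpart did not report a SAN policy. Output: $($output -join ' | ')"
}

$policy = Get-SanPolicy
if ($policy -eq 'Offline All') {
    Write-Output "OK: SAN Policy is '$policy'."
}
else {
    # Step 3: the policy must be changed in diskpart and the machine restarted.
    Write-Warning "SAN Policy is '$policy'. Run 'san policy=offlineall' in diskpart, re-check, and restart."
}

# Disks that Windows currently keeps offline. The LUN that hosts the datastore
# must remain in this list and must never be brought online or initialized.
Get-Disk |
    Where-Object IsOffline |
    Select-Object Number, FriendlyName, BusType, OperationalStatus
```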
Note
To find the Administrative Tools applet, you may need to change the Control Panel view to
something other than Home or Category, or use search.
2. If this is the first time that Microsoft iSCSI Initiator is launched, confirm that you want to start the
Microsoft iSCSI Initiator service.
3. On the Targets tab, type the fully qualified domain name (FQDN) or the IP address of the
target SAN device, and then click Quick Connect.
4. Select the LUN that hosts the datastore, and then click Connect.
If the LUN is not displayed, ensure that the zoning on the iSCSI target enables the machine
running the agent to access the LUN. The machine must be added to the list of allowed iSCSI
initiators on this target.
5. Click OK.
The ready SAN LUN should appear in Disk Management as shown in the screenshot below.
Important
Only NetApp SAN storage is supported.
By default, the agent uses native VMware snapshots created by the ESXi host. While the snapshot is
kept, the virtual disk files are in the read-only state, and the host writes all changes done to the disks
to separate delta files. Once the backup process is finished, the host deletes the snapshot, i.e.
merges the delta files with the virtual disk files.
Both maintaining and deleting the snapshot affect the virtual machine performance. With large
virtual disks and fast data changes, these operations take a long time during which the performance
You can reduce the hypervisor resource utilization by offloading the snapshots to the SAN. In this
case, the sequence of operations is as follows:
1. The ESXi takes a VMware snapshot in the beginning of the backup process, to bring the virtual
disks to a consistent state.
2. The SAN creates a hardware snapshot of the volume or LUN that contains the virtual machine
and its VMware snapshot. This operation typically takes a few seconds.
3. The ESXi deletes the VMware snapshot. Agent for VMware reads the virtual disk content from the
SAN hardware snapshot.
Because the VMware snapshot is maintained only for a few seconds, the virtual machine
performance degradation is minimized.
l The NetApp SAN storage meets the requirements described in "NetApp SAN storage
requirements".
l The machine running Agent for VMware (Windows) is configured as described in "Configuring the
machine running Agent for VMware".
l The SAN storage is registered on the management server.
l [If there are Agents for VMware that did not take part in the above registration] The virtual
machines that reside on the SAN storage are assigned to the SAN-enabled agents, as described in
"Virtual machine binding".
l The "SAN hardware snapshots" backup option is enabled in the protection plan options.
l Microsoft Services for NFS (in Windows Server 2008) or Client for NFS (in Windows Server 2012
and later) is installed.
l The NFS client is configured for anonymous access. This can be done as follows:
5. In User name and Password, specify the SVM administrator credentials.
Important
The specified account must be a local administrator on the SVM, rather than a management
administrator of the entire NetApp system.
You can specify an existing user or create a new one. To create a new user, in the NetApp
OnCommand System Manager, navigate to Configuration > Security > Users, and then create a
new user.
6. Select one or more Agent for VMware (Windows) which will be given the read permission for the
SAN device.
7. Click Add.
A virtual appliance that is running on the same host or cluster with the backed-up virtual machines
has direct access to the datastore(s) where the machines reside. This means the appliance can
attach the backed-up disks by using the HotAdd transport, and therefore the backup traffic is
directed from one local disk to another. If the datastore is connected as Disk/LUN rather than NFS,
the backup will be completely LAN-free. In the case of NFS datastore, there will be network traffic
between the datastore and the host.
Using a locally attached storage presumes that the agent always backs up the same machines. If
multiple agents work within the vSphere, and one or more of them use locally attached storages,
you need to manually bind each agent to all machines it has to back up. Otherwise, if the machines
are redistributed among the agents by the management server, a machine's backups may be
dispersed over multiple storages.
You can add the storage to an already working agent or when deploying the agent from an OVF
template.
1. In VMware vSphere inventory, right click the Agent for VMware (Virtual Appliance).
2. Add the disk by editing the settings of the virtual machine. The disk size must be at least 10 GB.
Warning!
Be careful when adding an already existing disk. Once the storage is created, all data previously
contained on this disk will be lost.
3. Go to the virtual appliance console. The Create storage link is available at the bottom of the
screen. If it is not, click Refresh.
4. Click the Create storage link, select the disk and specify a label for it. The label length is limited
to 16 characters, due to file system restrictions.
When creating a protection plan, in Where to back up, select Local folders, and then type the
letter corresponding to the locally attached storage, for example, D:\.
The below distribution algorithm works for both virtual appliances and agents installed in Windows.
However, when choosing an agent for a machine, the software tries to optimize the overall system
performance. In particular, the software considers the agent and the virtual machine location. An
agent hosted on the same host is preferred. If there is no agent on the same host, an agent from the
same cluster is preferred.
Once a virtual machine is assigned to an agent, all backups of this machine are delegated to this
agent.
Redistribution
Redistribution takes place each time the established balance breaks, or, more precisely, when a load
imbalance among the agents reaches 20 percent. This may happen when a machine or an agent is
added or removed, or a machine migrates to a different host or cluster, or if you manually bind a
machine to an agent. If this happens, the management server redistributes the machines using the
same algorithm.
For example, you realize that you need more agents to help with throughput and deploy an
additional virtual appliance to the cluster. The management server will assign the most appropriate
machines to the new agent. The old agents' load will reduce.
When you remove an agent from the management server, the machines assigned to the agent are
distributed among the remaining agents. However, this will not happen if an agent gets corrupted or
is deleted manually from vSphere. Redistribution will start only after you remove such an agent
from the web interface.
l in the Agent column for each virtual machine on the All devices section
l in the Assigned virtual machines section of the Details panel when an agent is selected in the
Settings > Agents section
Manual binding
The Agent for VMware binding lets you exclude a virtual machine from this distribution process by
specifying the agent that must always back up this machine. The overall balance will be maintained,
but this particular machine can be passed to a different agent only if the original agent is removed.
Automatic assignment cannot be disabled for an agent if there are no other registered agents, or if
automatic assignment is disabled for all other agents.
Usage examples
l Manual binding comes in handy if you want a particular (very large) machine to be backed up by
Agent for VMware (Windows) via a fibre channel while other machines are backed up by virtual
appliances.
l Manual binding is necessary if you are using SAN hardware snapshots. Bind Agent for VMware
(Windows) for which SAN hardware snapshots are configured with the machines that reside on
the SAN datastore.
l It is necessary to bind VMs to an agent if the agent has a locally attached storage.
vMotion
vMotion moves a virtual machine's state and configuration to another host while the machine's
disks remain in the same location on shared storage.
l vMotion of Agent for VMware (Virtual Appliance) is not supported and is disabled.
l vMotion of a virtual machine is disabled during a backup. Backups will continue to run after the
migration is completed.
Storage vMotion
Storage vMotion moves virtual machine disks from one datastore to another.
l Storage vMotion of Agent for VMware (Virtual Appliance) is not supported and is disabled.
l Storage vMotion of a virtual machine is disabled during a backup. Backups will continue to run
after the migration.
In the VMware tab, you can back up the following vSphere infrastructure objects:
l Data center
l Folder
l Cluster
l ESXi host
l Resource pool
Each of these infrastructure objects works as a group object for virtual machines. When you apply a
protection plan to any of these group objects, all virtual machines included in it will be backed up.
For example, you have selected the cluster and then selected a resource pool inside it. If you click
Backup, all virtual machines included in the selected resource pool will be backed up. If you click
Group backup, all virtual machines included in the cluster will be backed up.
You can change access credentials for the vCenter Server or stand-alone ESXi host without re-
installing the agent.
This information appears in the virtual machine summary (Summary > Custom
attributes/Annotations/Notes, depending on the client type and vSphere version). You can also
enable the Last backup and Backup status columns on the Virtual Machines tab for any host,
datacenter, folder, resource pool, or the entire vCenter Server.
Note
vStorage APIs must be installed on the ESXi host to enable virtual machine backups. See
https://kb.acronis.com/content/14931.
To perform any operations with vCenter objects, such as virtual machines, ESXi hosts, clusters,
vCenter, and more, Agent for VMware authenticates on vCenter or ESXi host by using the vSphere
credentials provided by a user. The vSphere account, used for connection to vSphere by Agent for
VMware, must have the required privileges on all levels of vSphere infrastructure starting from the
vCenter level.
Specify the vSphere account with the necessary privileges during Agent for VMware installation or
configuration. If you need to change the account at a later time, refer to the "Managing virtualization
environments" section.
To assign the permissions to a vSphere user on the vCenter level, do the following:
Direct Access +*
Browse datastore + +
Configure datastore + + + + +
Global Licenses + + + +
Enable methods + + +
Manage custom attributes + + +
Set custom attribute + + +
Storage partition configuration +
Delete VM + +
Reconfigure VM + +
Resource Assign VM to resource pool + + + +
Import +
Add or remove device + + +
Advanced + + + +
Change CPU count +
Disk change tracking + +
Memory +
Remove disk + + + +
Rename +
Set annotation +
Settings + + +
Guest Operation Queries +** +
Guest Operation Modifications +**
Configure CD media + +
Console interaction +
Guest operating system management by VIX API (in vSphere 5.1 and later) + +
Power off + + +
Power on + + + +
Create new + + + +
Move +
Remove + + + +
Unregister +
Allow read-only disk access + +
Allow virtual machine download + + + +
Remove snapshot + + + +
1. A machine must be available for backup no matter what node it migrates to. To ensure that
Agent for Hyper-V can access a machine on any node, the agent service must run under a
domain user account that has administrative privileges on each of the cluster nodes.
We recommend that you specify such an account for the agent service during the Agent for
Hyper-V installation.
2. Install Agent for Hyper-V on each node of the cluster.
3. Register all of the agents on the management server.
When you recover backed-up disks to a new Hyper-V virtual machine, or do a conversion to a Hyper-
V virtual machine within a protection plan, the resulting machine is not highly available. It is
considered as a spare machine and is normally powered off. If you need to use the machine in the
production environment, you can configure it for High Availability from the Failover Cluster
Management snap-in.
When multiple protection plans overlap in time, the numbers specified in their backup options are
added up. Even though the resulting total number is programmatically limited to 10, overlapping
plans can affect the backup performance and overload both the host and the virtual machine
storage.
You can further reduce the total number of virtual machines that an Agent for VMware or Agent for
Hyper-V can back up simultaneously.
To limit the total number of virtual machines that Agent for VMware (Windows) or Agent for
Hyper-V can back up
1. On the machine running the agent, create a new text document and open it in a text editor, such
as Notepad.
2. Copy and paste the following lines into the file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\MMS\Configuration\ManagedMachine\SimultaneousBackupsLimits]
"MaxNumberOfSimultaneousBackups"=dword:00000001
3. Replace 00000001 with the hexadecimal value of the limit that you want to set. For example,
00000001 is 1 and 0000000A is 10.
4. Save the document as limit.reg.
5. Run the file as an administrator.
6. Confirm that you want to edit the Windows registry.
7. Do the following to restart the agent:
a. In the Start menu, click Run, and then type: cmd
b. Click OK.
c. Run the following commands:
To limit the total number of virtual machines that Agent for VMware (Virtual Appliance) or Agent
for VMware (Linux) can back up
<key name="SimultaneousBackupsLimits">
<value name="MaxNumberOfSimultaneousBackups" type="Tdword">"10"</value>
</key>
4. Replace 10 with the decimal value of the limit that you want to set.
5. Save the file.
6. Restart the agent:
l Agent for VMware (Virtual Appliance): execute the reboot command.
l Agent for VMware (Linux): execute the following command:
Backed-up machine type     Physical machine   ESXi virtual machine   Hyper-V virtual machine   Scale Computing HC3 virtual machine
Physical machine           +                  +                      +                         -
Hyper-V virtual machine    +                  +                      +                         -
l Perform P2V and V2P migration of a Linux machine containing logical volumes (LVM). Use Agent
for Linux or bootable media to create the backup and bootable media to recover.
l Provide drivers for specific hardware that is critical for the system bootability.
The difference from a physical machine is that Windows Azure and Amazon EC2 virtual machines
cannot be booted from bootable media. If you need to recover to a new Windows Azure or Amazon
EC2 virtual machine, follow the procedure below.
1. Create a new virtual machine from an image/template in Windows Azure or Amazon EC2. The
new machine must have the same disk configuration as the machine that you want to recover.
2. Install Agent for Windows or Agent for Linux on the new machine.
3. Recover the backed-up machine as described in "Physical machine". When configuring the
recovery, select the new machine as the target machine.
On-premises deployment
l If both the agents and the management server are installed in the Azure/EC2 cloud, all machines
are already located in the same network. No additional actions are required.
l If the management server is located outside the Azure/EC2 cloud, the machines in the cloud will
not have network access to the local network where the management server is installed. To
enable the agents installed on such machines to communicate with the management server, a
virtual private network (VPN) connection between the local (on-premises) and the cloud
(Azure/EC2) network must be created. For instructions about how to create the VPN connection,
refer to the following articles:
Amazon EC2: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html#vpn-create-cgw
Cloud deployment
In a cloud deployment, the management server is located in one of the Acronis data centers and is
thus reachable by the agents. No additional actions are required.
If your machine is already protected with a third-party antivirus solution at the moment of applying
the Antivirus and Antimalware protection module to the machine, the system will generate an alert
and will stop the Real-time protection in order to prevent potential compatibility and performance
issues. You will need to either disable or uninstall the third-party antivirus solution, in order to
enable fully functional Acronis Cyber Protect Antivirus and Antimalware protection.
l Detection of malware in files in the real-time protection and on-demand modes (for Windows,
macOS)
l Detection of malicious behavior in processes (for Windows)
l Blocking access to malicious URLs (for Windows)
l Moving dangerous files to the quarantine
l Adding trusted corporate applications to the whitelist
The Antivirus and Antimalware protection module provides you with two types of scanning:
l On-access detection means that the antimalware program runs in the background and actively
and constantly scans your machine system for viruses and other malicious threats for the entire
duration that your system is powered on. Malware will be detected in both cases when a file is
You can monitor the results of antimalware scanning in Dashboard > Overview > Recently affected
widget.
The following settings can be specified for the Antivirus & Antimalware protection module.
Active Protection
Active Protection protects a system from ransomware and cryptocurrency mining malware.
Ransomware encrypts files and demands a ransom for the encryption key. Cryptomining malware
performs mathematical calculations in the background, thus stealing the processing power and
network traffic.
In the Cyber Backup editions of Acronis Cyber Protect, Active Protection is a separate module in the
protection plan. Thus, it can be configured separately and applied to different devices or groups of
devices. In the Protect editions of Acronis Cyber Protect, Active Protection is part of the Antivirus &
Antimalware protection module.
Active Protection is available for machines running the following operating systems:
How it works
Active Protection monitors processes running on the protected machine. When a third-party
process tries to encrypt files or mine cryptocurrency, Active Protection generates an alert and
performs additional actions, if those are specified by the configuration.
In addition, Active Protection prevents unauthorized changes to the backup software's own
processes, registry records, executable and configuration files, and backups located in local folders.
l Notify only
The software will generate an alert about the process.
l Stop the process
The software will generate an alert and stop the process.
l Revert using cache
The software will generate an alert, stop the process, and revert the file changes by using the
service cache.
If a file was originally located on a mapped drive, it cannot be saved to the original location when
extracted from the cache by the Revert using cache action. Instead, it will be saved to the folder
specified in this option's settings. The default folder is C:\ProgramData\Acronis\Restored
Network Files. If this folder does not exist, it will be created. If you want to change this path, specify
a local folder. Network folders, including folders on mapped drives, are not supported.
Server-side protection
This option defines whether Antivirus & Antimalware protection protects the network folders that
you share against incoming connections from other servers in the network that may potentially
bring threats.
On the Blocked tab, you can specify the connections that will not be able to modify any data. You
must define the user name and IP address.
Self-protection
Self-protection prevents unauthorized changes to the software's own processes, registry records,
executable and configuration files, and backups located in local folders. We do not recommend
disabling this feature.
It applies to files that have extensions .tibx, .tib, .tia, and are located in local folders.
This option lets you specify the processes that are allowed to modify the backup files, even though
these files are protected by self-protection. This is useful, for example, if you remove backup files or
move them to a different location by using a script.
If this option is disabled, the backup files can be modified only by processes signed by the backup
software vendor. This allows the software to apply retention rules and to remove backups when a
user requests this from the web interface. Other processes, whether suspicious or not, cannot
modify the backups.
If this option is enabled, you can allow other processes to modify the backups. Specify the full path
to the process executable, starting with the drive letter.
Cryptomining malware degrades the performance of useful applications, increases electricity bills,
and may cause system crashes and even hardware damage due to abuse. We recommend that you add
cryptomining malware to the Harmful processes list to prevent it from running.
l Notify only
The software generates an alert about the process suspected of cryptomining activities.
l Stop the process
The software generates an alert and stops the process suspected of cryptomining activities.
Quarantine
Quarantine is a folder for keeping suspicious (probably infected) or potentially dangerous files
isolated.
Remove quarantined files after – Defines the period in days after which the quarantined files will
be removed.
Behavior detection
Acronis Cyber Protect protects your system by using behavioral heuristics to identify malicious
processes: it compares the chain of actions performed by a process with the chains of actions
recorded in the database of malicious behavior patterns. Thus, new malware is detected by its
typical behavior.
l Notify only
The software will generate an alert about the process suspected of malware activity.
l Stop the process
The software will generate an alert and stop the process suspected of malware activity.
l Quarantine
The software will generate an alert, stop the process, and move the executable file to the
quarantine folder.
l Smart on-access – Monitors all system activities and automatically scans files when they are
accessed for reading or writing, or whenever a program is launched.
l On-execution – Automatically scans only executable files when they are launched to ensure that
they are clean and will not cause any damage to your computer or data.
Schedule scan
You can define a schedule according to which your machine will be checked for malware by enabling
the Schedule scan setting.
Action on detection:
l Quarantine
The software generates an alert and moves the executable file to the quarantine folder.
l Notify only
The software generates an alert about the process that is suspected to be malware.
l Full
The full scan takes much longer to finish in comparison to the quick scan because every file will
be checked.
l Quick
The quick scan only scans the common areas where malware normally resides on the machine.
You can schedule both Quick and Full scan in one protection plan.
l Schedule by time – The task will run according to the specified time.
l When user logs in to the system – By default, a login of any user will start the task. You can
modify this setting so that only a specific user account can trigger the task.
l When user logs off the system – By default, a logoff of any user will start the task. You can
modify this setting so that only a specific user account can trigger the task.
Note
The task will not run at system shutdown. Shutting down and logging off are different events in
the scheduling configuration.
l On the system startup – The task will run when the operating system starts.
l On the system shutdown – The task will run when the operating system shuts down.
Schedule type:
l Monthly – Select the months and the weeks or days of the month when the task will run.
l Daily – Select the days of the week when the task will run.
l Hourly – Select the days of the week, repetition number, and the time interval in which the task
will run.
Start at – Select the exact time when the task will run.
Run within a date range – Set a range in which the configured schedule will be effective.
Start conditions – Define all conditions that must be met simultaneously for the task to run.
Start conditions for antimalware scans are similar to the start conditions for the Backup module that
are described in "Start conditions" (p. 196). You can define the following additional start conditions:
l Distribute task start time within a time window – This option allows you to set the time
frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or
minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the
task will start between 10:00 AM and 11:00 AM.
Scan only new and changed files – Only newly created and modified files will be scanned.
Exclusions
To minimize the resources used by the heuristic analysis and to eliminate the so-called false
positives when a trusted program is considered as ransomware, you can define the following
settings:
l Processes that will never be considered as malware. Processes signed by Microsoft are always
trusted.
l Folders in which file changes will not be monitored.
l Files and folders in which the scheduled scan will not be performed.
l Processes that will always be blocked. These processes will not be able to start as long as Active
Protection is enabled on the machine.
l Folders in which any processes will be blocked.
For specifying folders, you can use the wildcard characters * and ?. The asterisk (*) substitutes for
zero or more characters. The question mark (?) substitutes for exactly one character. Environment
variables, such as %AppData%, cannot be used.
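Because every exclusion is a location that is no longer monitored or scanned, it helps to preview what an entry covers before saving it. The PowerShell below is an added example, not Acronis code: it models only the wildcard rules stated above and rejects entries that contain environment variables. The function names, patterns and folder list are constructed for illustration, and it assumes case-insensitive matching in which * can also span backslashes, which this page does not specify.

```powershell
# Added example: preview which folders an exclusion entry would cover.
# Assumptions (not stated on this page): matching is case-insensitive and
# "*" may also match "\" path separators.

function ConvertTo-ExclusionRegex {
    param([Parameter(Mandatory)][string]$Pattern)

    # Environment variables such as %AppData% cannot be used in exclusions.
    if ($Pattern -match '%[^%\\]+%') {
        throw "Environment variable in exclusion entry: $Pattern"
    }

    # Escape every regex metacharacter, then restore the two supported wildcards:
    #   *  -> zero or more characters
    #   ?  -> exactly one character
    $escaped = [regex]::Escape($Pattern.TrimEnd('\'))
    '^' + $escaped.Replace('\*', '.*').Replace('\?', '.') + '$'
}

function Test-ExclusionCoverage {
    param(
        [Parameter(Mandatory)][string[]]$Patterns,
        [Parameter(Mandatory)][string[]]$Folders
    )
    $ignoreCase = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase

    foreach ($pattern in $Patterns) {
        try {
            $rx = ConvertTo-ExclusionRegex -Pattern $pattern
        }
        catch {
            # Report the rejected entry instead of stopping the whole review.
            [pscustomobject]@{ Pattern = $pattern; Valid = $false; Covers = $_.Exception.Message }
            continue
        }
        $hits = @($Folders | Where-Object { [regex]::IsMatch($_.TrimEnd('\'), $rx, $ignoreCase) })
        [pscustomobject]@{ Pattern = $pattern; Valid = $true; Covers = ($hits -join '; ') }
    }
}

# Constructed sample data: proposed exclusion entries and folders on a machine.
$patterns = 'C:\Build\*', 'C:\Users\?\Temp', 'D:\Data??', '%AppData%\Tool'
$folders  = 'C:\Build\out', 'C:\Build\out\obj', 'C:\Users\a\Temp',
            'C:\Users\alice\Temp', 'D:\Data01', 'D:\Data1'

Test-ExclusionCoverage -Patterns $patterns -Folders $folders |
    Format-Table -AutoSize -Wrap
```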
URL Filtering
Please see URL Filtering for detailed description.
l Action on detection
l Self-protection
l Network folder protection
l Server-side protection
l Cryptomining process detection
l Exclusions
In the Protect editions of Acronis Cyber Protect, Active Protection is part of the Antivirus &
Antimalware protection module.
Active Protection is available for machines running the following operating systems:
To learn more about Active Protection and its settings, refer to "Antivirus & Antimalware protection
settings" (p. 443).
The Windows Defender Antivirus module allows you to configure Windows Defender Antivirus
security policy and track its status via the Cyber Protect web console.
This module is applicable for the machines on which Windows Defender Antivirus is installed.
Scan mode:
l Full – a full check of all files and folders in addition to the items scanned during a quick scan. It
requires more machine resources compared to the quick scan.
l Quick – a quick check of the in-memory processes and folders where malware is typically found.
It requires fewer machine resources.
Define the time and day of the week when the scan will be performed.
Daily quick scan – define the time for the daily quick scan.
Start the scheduled scan when the machine is on but not in use
Check for the latest virus and spyware definitions before running a scheduled scan
For more details about the Windows Defender Antivirus schedule settings, refer to
https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings.
For more details about the Windows Defender Antivirus default actions settings, refer to
https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#default-actions-settings.
Scan all downloads – if selected, scanning is performed for all downloaded files and attachments.
Allow full scan on mapped network drives – if selected, mapped network drives will be fully
scanned.
Allow email scanning – if enabled, the engine will parse the mailbox and mail files, according to
their specific format, in order to analyze the mail bodies and attachments.
For more details about the Windows Defender Antivirus real-time protection settings, refer to
https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings.
20.3.4 Advanced
Specify the advanced scan settings:
l Scan archive files – include archived files such as .zip or .rar files in the scanning.
l Scan removable drives – scan removable drives during full scans.
l Create a system restore point – if an important file or registry entry is removed as a
"false positive", you will be able to recover it from a restore point.
l Remove quarantined files after – define the period after which the quarantined files will be
removed.
l Send file samples automatically when a further analysis is required:
o Always prompt – you will be asked for confirmation before file sending.
o Send safe samples automatically – most samples will be sent automatically except files that
may contain personal information. Such files will require additional confirmation.
o Send all samples automatically – all samples will be sent automatically.
l Disable Windows Defender Antivirus GUI – if selected, the Windows Defender Antivirus user
interface will not be available to a user. You can manage the Windows Defender Antivirus policies
via Cyber Protect web console.
l MAPS (Microsoft Active Protection Service) – online community that helps you choose how to
respond to potential threats.
o I don't want to join MAPS – no information will be sent to Microsoft about the software that
was detected.
o Basic membership – basic information will be sent to Microsoft about the software that was
detected.
o Advanced membership – more detailed information will be sent to Microsoft about the
software that was detected.
For more details, refer to
https://www.microsoft.com/security/blog/2015/01/14/maps-in-the-cloud-how-can-it-help-your-enterprise.
For more details about the Windows Defender Antivirus advanced settings, refer to
https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings.
l Processes – any file that the defined process reads from or writes to will be excluded from
scanning. You need to define a full path to the executable file of the process.
l Files and folders – the specified files and folders will be excluded from scanning. You need to
define a full path to a folder or file, or define the file extension.
For more details about the Windows Defender Antivirus exclusion settings, refer to
https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings.
The Microsoft Security Essentials module allows you to configure Microsoft Security Essentials
security policy and track its status via the Cyber Protect web console.
This module is applicable for machines on which Microsoft Security Essentials is installed.
The Microsoft Security Essentials settings are almost the same as those for Microsoft Windows
Defender Antivirus, except that there are no real-time protection settings and exclusions cannot
be defined via the Cyber Protect web console.
URL filtering also allows you to control the web usage in order to comply with external regulations
or internal company policies. You can configure different access policies for more than 40 website
categories.
Currently, the HTTP and HTTPS connections from Windows machines are checked by the protection
agent.
1. Create a protection plan with the URL filtering module enabled.
2. Configure the URL filtering settings (see below).
3. Assign the protection plan to the machines that you want.
• Block – The access to the malicious website will be blocked and an alert will be generated.
• Always ask user – The user will be asked to choose whether to proceed to the website or to go
  back.
Categories to filter
There are 44 website categories for which you can configure the access policy. By default, the access
to websites from all categories is allowed.
2 Message boards This category covers forums, discussion boards, and question-answer
type websites. This category does not cover the specific sections on
company websites where customers ask questions.
3 Personal websites This category covers personal websites, as well as all types of blogs:
individual, group, and even company ones. A blog is a journal published
on the World Wide Web. It consists of entries (“posts”), typically
displayed in reverse chronological order so that the most recent post
appears first.
4 Corporate/business websites This is a broad category that covers corporate websites that
typically do not belong to any other category.
5 Computer software This category covers websites offering computer software, typically
either open-source, freeware, or shareware. It may also cover some
online software stores.
9 File sharing This category covers file-sharing websites where a user can upload files
and share them with others. It also covers torrent-sharing websites and
torrent trackers.
10 Finance This category covers websites belonging to all banks around the world
that provide online access. Some credit unions and other financial
institutions are covered as well. However, some local banks may be left
uncovered.
11 Gambling This category covers gambling websites. These are the “online casino” or
“online lottery” type websites, which typically require payment before a
user can gamble for money in online roulette, poker, blackjack, or
similar games. Some of them are legitimate, meaning there is a chance
to win; and some are fraudulent, meaning that there is no chance to
win. It also detects “beating tips and cheats” websites that describe the
ways to make money on gambling and online lottery websites.
12 Games This category covers websites that provide online games, typically based
on Adobe Flash or Java applets. It does not matter for detection whether
the game is free or requires a subscription; however, casino-style
websites are detected in the Gambling category.
14 Hacking This category covers websites that provide hacking tools, articles,
and discussion platforms for hackers. It also covers websites offering
exploits for common platforms that facilitate Facebook or Gmail
account hacking.
15 Illegal activities This category is a broad category related to hate, violence and racism,
and it is intended to block the following categories of websites:
16 Health and fitness This category covers websites associated with medical institutions,
websites related to disease prevention and treatment, websites that
offer information or products about weight loss, diets, steroids, anabolic
or HGH products, as well as websites providing information on plastic
surgery.
17 Hobbies This category covers websites that present resources related to activities
typically performed during an individual’s free time, such as collecting,
arts and crafts, and cycling.
18 Web hosting This category covers free and commercial website hosting services that
allow private users and organizations to create and publish web pages.
19 Illegal downloads This category covers websites related to software piracy, including:
20 Instant messaging This category covers instant messaging and chat websites that allow
users to chat in real-time. It will also detect yahoo.com and
gmail.com since they both contain an embedded instant messenger
service.
22 Mature content This category covers the content that was labeled by a website creator
as requiring a mature audience. It covers a wide range of websites from
the Kama Sutra book and sex education websites, to hardcore
pornography.
24 News This category covers news websites that provide text and video news. It
strives to cover both global and local news websites; however, some
small local news websites may not be covered.
26 Online payments This category covers websites offering online payments or money
transfers. It detects popular payment websites like PayPal or
Moneybookers. It also heuristically detects the webpages on the regular
websites that ask for the credit card information, allowing detection of
hidden, unknown, or illegal online stores.
27 Photo sharing This category covers photo-sharing websites whose primary purpose is
to let users upload and share photos.
28 Online stores This category covers known online stores. A website is considered an
online store if it sells goods or services online.
30 Portals This category covers websites that aggregate information from multiple
sources and various domains, and that usually offer features such as
search engines, e-mail, news, and entertainment information.
31 Radio This category covers websites that offer Internet music streaming
services, from online radio stations to websites that provide on-demand
(free or paid) audio content.
32 Religion This category covers websites promoting religion or a sect. It also covers
the discussion forums related to one or multiple religions.
33 Search engines This category covers search engine websites, such as Google, Yahoo,
and Bing.
34 Social networks This category covers social network websites. This includes
MySpace.com, Facebook.com, Bebo.com, etc. However, specialized
social networks, like YouTube.com, will be listed in the Video/Photo
category.
35 Sport This category covers websites that offer sports information, news, and
tutorials.
38 Waste of time This category covers websites where individuals tend to spend a lot of
time. This can include websites from other categories such as social
networks or entertainment.
39 Traveling This category covers websites that present travel offers and travel
equipment, as well as travel destination reviews and ratings.
40 Videos This category covers websites that host various videos or photos, either
uploaded by users or provided by various content providers. This
includes websites like YouTube, Metacafe, Google Video, and photo
websites like Picasa or Flickr. It will also detect videos embedded in
other websites or blogs.
41 Violent cartoons This category covers websites discussing, sharing, and offering violent
cartoons or manga that may be inappropriate for minors due to
violence, explicit language, or sexual content.
This category doesn't cover the websites that offer mainstream cartoons
such as “Tom and Jerry”.
42 Weapons This category covers websites offering weapons for sale or exchange,
manufacture, or usage. It also covers the hunting resources and the
usage of air and BB guns, as well as melee weapons.
43 Email This category covers websites that provide email functionality as a web
application.
44 Web proxy This category covers websites that provide web proxy services. This is a
“browser inside a browser” type website when a user opens a web page,
enters the requested URL into a form, and clicks “Submit”. The web
proxy site downloads the actual page and shows it inside the user
browser.
These are the following reasons this type is detected (and might need to
be blocked):
Since the SDK analyzes the HTML page (if provided), and not just URLs,
for some categories the SDK will still be able to detect the content.
Other reasons, however, cannot be avoided just by using the SDK.
If you enable the Show all notifications for blocked URLs by categories check box, the
notifications for blocked URLs by categories will be shown in the tray. If a website has several
sub-domains, notifications are also generated for them, so the number of notifications may be
significant.
Exclusions
URLs that are known as safe can be added to the list of the trusted URLs. URLs that represent a
threat can be added to the list of the blocked URLs.
Important
All addresses in the domain that you enter will be treated as trusted or blocked. For example, if you
enter https://www.xyz.com/en-us/my/beta/2020/page.html as a trusted URL, all addresses in the
xyz.com domain will be treated as trusted.
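The domain-wide scope described in the note above, as an added example (not Acronis code): it reduces each exclusion entry to its domain, lists which observed URLs become trusted implicitly, and flags any domain that appears in both lists. The two-label domain rule, the function names and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Extract the lower-cased host from a URL or a bare host name."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").rstrip(".").lower()


def entry_domain(url: str) -> str:
    """Domain that an exclusion entry effectively covers.

    Assumption: the last two DNS labels (www.xyz.com -> xyz.com), matching
    the manual's example. Multi-label suffixes such as co.uk are not handled.
    """
    host = host_of(url)
    try:
        ipaddress.ip_address(host)
        return host  # an IP literal has no parent domain
    except ValueError:
        pass
    return ".".join(host.split(".")[-2:])


def is_covered(entry: str, candidate: str) -> bool:
    """True if candidate falls inside the domain derived from entry."""
    domain, host = entry_domain(entry), host_of(candidate)
    return bool(domain) and (host == domain or host.endswith("." + domain))


def audit(trusted, blocked, observed):
    """Report implicit trust and trusted/blocked overlaps for review."""
    trusted_domains = {entry_domain(u) for u in trusted}
    blocked_domains = {entry_domain(u) for u in blocked}
    implicit = sorted(
        url for url in observed
        if url not in trusted and any(is_covered(t, url) for t in trusted)
    )
    return {
        "implicitly_trusted": implicit,
        # The same domain on both lists: resolve before saving the plan.
        "conflicting_domains": sorted(trusted_domains & blocked_domains),
    }


# Constructed sample data, not taken from any real deployment.
TRUSTED = ["https://www.xyz.com/en-us/my/beta/2020/page.html"]
BLOCKED = ["http://files.xyz.com/installer.exe", "https://bad.example/"]
OBSERVED = [
    "https://www.xyz.com/en-us/my/beta/2020/page.html",
    "https://uploads.xyz.com/user/123/file.zip",
    "https://xyz.com/",
    "https://notxyz.com/",
    "https://example.org/",
]

if __name__ == "__main__":
    report = audit(TRUSTED, BLOCKED, OBSERVED)
    for key, values in report.items():
        print(key, values)
```

Running the audit before adding an entry shows how far one page-level URL extends, which matters most for domains that host user-uploaded content.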
20.6 Quarantine
Quarantine is a special isolated folder on a machine's hard disk where the suspicious files detected
by Antivirus & Antimalware protection are placed to prevent further spread of threats.
Quarantine allows you to review suspicious and potentially dangerous files from all machines and
decide whether they should be removed or restored. The quarantined files are automatically
removed if the machine is removed from the system.
Name Description
Date quarantined The date and time when the file was placed in
Quarantine.
The whitelist can be enabled and disabled. When it is disabled, the files added to it are temporarily
hidden.
1. In the Cyber Protect web console, go to Antimalware protection > Whitelist.
2. Click Add file.
3. Specify the path to the file, and then click Add.
1. In the Cyber Protect web console, go to Antimalware protection > Quarantine.
2. Select a quarantined file, and then click Add to whitelist.
• Low
  Corporate applications will be added to the whitelist only after a significant amount of time and
  checks. Such applications are more trusted. However, this approach increases the possibility of
  false positive detections. The criteria to consider a file as clean and trusted are high.
• Default
  Corporate applications will be added to the whitelist according to the recommended protection
  level, to reduce possible false positive detections. The criteria to consider a file as clean and
  trusted are medium.
• High
If you are unsure about an item that you added, you can check it in the VirusTotal analyzer. When
you click Check on VirusTotal, the site analyzes suspicious files and URLs to detect types of
malware by using the file hash of the item that you added. You can view the hash in the File hash
(MD5) string.
The Machines value represents the number of machines on which this hash was found during
backup scanning. This value is populated only if an item came from Backup scanning or Quarantine.
This field remains empty if the file has been added manually to the whitelist.
Note
For security and performance reasons, we recommend that you use a designated machine for
scanning purposes. This machine will have access to all backups that are scanned.
You can check the results of the scan in the “Backup scanning details” widget on the Dashboard.
Also, you can see the backup status in Backup storage > Locations > <backup name>. If a backup
scan is not performed, the backups are in the Not scanned status. After a backup scan is
performed, the backups have an updated status of either:
• No malware
• Malware detected
20.8.1 Limitations
• Only backups of type Entire machine or Disks/volumes can be scanned for malware.
• Only volumes with the NTFS file system with GPT and MBR partitioning will be scanned.
• Supported backup locations are: Cloud storage, Local folder, and Network folder.
• Backups with Continuous data protection (CDP) recovery points can be selected for scanning, but
  these recovery points will be excluded from the scan. Only regular recovery points will be
  scanned.
The protection configuration for Zoom, Cisco Webex Meetings, and Microsoft Teams is similar. In
the example below, we will consider configuration for Zoom.
1. Install a protection agent on the machine where the collaboration application is installed.
2. Log in to the Cyber Protect web console and apply a protection plan with one of the following
modules enabled:
   • Antivirus and Antimalware protection (with the Self-Protection and Active Protection
     settings enabled) – if you have one of the Cyber Protect editions.
   • Active Protection (with the Self-Protection setting enabled) – if you have one of the Cyber
     Backup editions.
3. [Optional] For automatic update installation, configure the Patch management module in the
protection plan.
As a result, your Zoom application will be under protection that includes the following activities:
Vulnerability assessment scanning is supported for machines running the following operating
systems:
• Windows. For more information, see "Supported Microsoft and third-party products" (p. 468).
• Linux (CentOS 7/Virtuozzo/Acronis Cyber Infrastructure) machines. For more information, see
  "Supported Linux products" (p. 469).
Use the Patch management (PM) functionality to manage patches (updates) for applications and
operating systems installed on your machines, and keep your systems up-to-date. In the Patch
management module you can automatically or manually approve update installations on your
machines.
Patch management is supported for machines running Windows. For more information, see
"Supported Microsoft and third-party products" (p. 468).
1. You create a protection plan with the Vulnerability assessment module enabled, specify the
vulnerability assessment settings, and assign the plan to machines.
2. The system, by schedule or on demand, sends a command to the protection agents to run the
vulnerability assessment scanning.
3. The agents receive the command, start scanning machines for vulnerabilities, and generate the
scanning activity.
4. After the vulnerability assessment scanning completes, the agents generate the results and send
them to Monitoring Service.
5. Monitoring Service processes the data from the agents and shows the results in the vulnerability
assessment widgets and a list of found vulnerabilities.
6. By using this information, you can decide which of the found vulnerabilities must be fixed.
You can monitor the results of the vulnerability assessment scanning in Dashboard > Overview >
Vulnerabilities / Existing vulnerabilities widgets.
Windows-related components
• Internet Explorer
• Microsoft Edge
• Windows Media Player
• .NET Framework
• Visual Studio and Applications
• Components of the operating system
Server applications
For the full list of supported third-party products for Windows, refer to
https://kb.acronis.com/content/62853.
• Virtuozzo 7.0.11
• Virtuozzo 7.0.10 (320)
• Virtuozzo 7.0.9 (539)
• Virtuozzo 7.0.8 (524)
• CentOS 7.x
• Acronis Cyber Infrastructure 3.x
• Acronis Storage 2.4.0
• Acronis Storage 2.2.0
You can specify the following settings in the Vulnerability assessment module.
What to scan
Define which software products you want to scan for vulnerabilities:
• Windows machines:
  ◦ Microsoft products
  ◦ Windows third-party products
    For more information about the supported third-party products for Windows, refer to
    https://kb.acronis.com/content/62853.
• Linux machines:
  ◦ Scan Linux packages
• Schedule by time – The task will run according to the specified time.
• When user logs in to the system – By default, a login of any user will start the task. You can
  modify this setting so that only a specific user account can trigger the task.
• When user logs off the system – By default, a logoff of any user will start the task. You can
  modify this setting so that only a specific user account can trigger the task.
  Note
  The task will not run at system shutdown. Shutting down and logging off are different events in
  the scheduling configuration.
• On the system startup – The task will run when the operating system starts.
• On the system shutdown – The task will run when the operating system shuts down.
Schedule type:
• Monthly – Select the months and the weeks or days of the month when the task will run.
• Daily – Select the days of the week when the task will run.
• Hourly – Select the days of the week, repetition number, and the time interval in which the task
  will run.
Start at – Select the exact time when the task will run.
Run within a date range – Set a range in which the configured schedule will be effective.
Start conditions – Define all conditions that must be met simultaneously for the task to run.
Start conditions for antimalware scans are similar to the start conditions for the Backup module that
are described in "Start conditions" (p. 196). You can define the following additional start conditions:
• Distribute task start time within a time window – This option allows you to set the time
  frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or
  minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the
  task will start between 10:00 AM and 11:00 AM.
• If the machine is turned off, run missed tasks at the machine startup
• Prevent the sleep or hibernate mode during task running – This option is effective only for
  machines running Windows.
• If start conditions are not met, run the task anyway after – Specify the period after which
  the task will run, regardless of the other start conditions.
1. In the Cyber Protect web console, create a protection plan and enable the Vulnerability
assessment module.
2. Specify the vulnerability assessment settings:
   • What to scan – select Microsoft products, Windows third-party products, or both.
   • Schedule – define the schedule for performing the vulnerability assessment.
     For more information about the Schedule options, refer to "Vulnerability assessment
     settings" (p. 469).
3. Assign the plan to the Windows machines.
After a vulnerability assessment scan, you can see a list of found vulnerabilities. You can process the
information and decide which of the found vulnerabilities must be fixed.
To monitor the results of the vulnerability assessment, see Dashboard > Overview >
Vulnerabilities / Existing vulnerabilities widgets.
1. In the Cyber Protect web console, create a protection plan and enable the Vulnerability
assessment module.
2. Specify the vulnerability assessment settings:
   • What to scan – select Scan Linux packages.
   • Schedule – define the schedule for performing the vulnerability assessment.
     For more information about the Schedule options, refer to "Vulnerability assessment
     settings" (p. 469).
3. Assign the plan to the Linux machines.
After a vulnerability assessment scan, you can see a list of found vulnerabilities. You can process the
information and decide which of the found vulnerabilities must be fixed.
To monitor the results of the vulnerability assessment, see Dashboard > Overview >
Vulnerabilities / Existing vulnerabilities widgets.
Name Description
• Critical: 9 - 10 CVSS
• High: 7 - 9 CVSS
• Medium: 3 - 7 CVSS
• Low: 0 - 3 CVSS
• None
Published The date and time when the vulnerability was published in
Common Vulnerabilities and Exposures (CVE).
You can find the description of a found vulnerability by clicking its name in the list.
1. In the Cyber Protect web console, go to Software management > Vulnerabilities.
2. Select the vulnerabilities in the list, and then click Install patches. The vulnerability remediation
wizard will open.
3. Select the patches to be installed. Click Next.
4. Select the machines on which you want to install patches.
5. Choose whether to reboot the machines after patch installation:
   • No – reboot will never be initiated after patch installation.
   • If required – reboot is initiated only if it is required for applying the updates.
   • Yes – reboot will always be initiated after patch installation. However, you can specify a delay.
Cyber Protect introduces peer-to-peer technology to minimize network bandwidth traffic. You can
choose one or more dedicated agents that will download updates from the Internet and distribute
them among other agents in the network. All agents will also share updates with each other as peer-
to-peer agents.
You can monitor the results of the patch installation in Dashboard > Overview > Patch
installation history widget.
The following settings can be specified for the Patch management module.
Microsoft products
To install the Microsoft updates on the selected machines, enable the Update Microsoft products
option.
• All updates
• Only Security and Critical updates
• Updates of specific products: you can define custom settings for different products. If you want
  to update specific products, for each product you can define which updates to install by category,
  severity, or approval status.
• Only major updates allows you to install the latest available version of the update.
• Only minor updates allows you to install the minor version of the update.
• Updates of specific products: you can define custom settings for different products. If you want
  to update specific products, for each product you can define which updates to install by category,
  severity, or approval status.
Schedule
Define the schedule according to which the updates will be installed on the selected machines.
• Schedule by time – The task will run according to the specified time.
• When user logs in to the system – By default, a login of any user will start the task. You can
  modify this setting so that only a specific user account can trigger the task.
• When user logs off the system – By default, a logoff of any user will start the task. You can
  modify this setting so that only a specific user account can trigger the task.
  Note
  The task will not run at system shutdown. Shutting down and logging off are different events in
  the scheduling configuration.
• On the system startup – The task will run when the operating system starts.
• On the system shutdown – The task will run when the operating system shuts down.
Schedule type:
• Monthly – Select the months and the weeks or days of the month when the task will run.
• Daily – Select the days of the week when the task will run.
• Hourly – Select the days of the week, repetition number, and the time interval in which the task
  will run.
Start at – Select the exact time when the task will run.
Run within a date range – Set a range in which the configured schedule will be effective.
Start conditions – Define all conditions that must be met simultaneously for the task to run.
Start conditions for antimalware scans are similar to the start conditions for the Backup module that
are described in "Start conditions" (p. 196). You can define the following additional start conditions:
• Distribute task start time within a time window – This option allows you to set the time
  frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or
  minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the
  task will start between 10:00 AM and 11:00 AM.
• If the machine is turned off, run missed tasks at the machine startup
• Prevent the sleep or hibernate mode during task running – This option is effective only for
  machines running Windows.
• If start conditions are not met, run the task anyway after – Specify the period after which
  the task will run, regardless of the other start conditions.
Pre-update backup
Run backup before installing software updates – the system will create an incremental backup
of the machine before installing any updates on it. If there were no backups created earlier, then a full
Name Description
• Critical
• High
• Medium
• Low
• None
How it works
You should have two environments: test and production. The test environment is used for testing
the patch installation and ensuring that they do not break anything. After you tested patch
1. For each vendor whose products you are planning to update, you must read and accept the
license agreements. Otherwise, automatic patch installation will not be possible.
2. Configure the settings for automatic approval.
3. Prepare the protection plan (for example, "Test patching") with the enabled Patch management
module and apply it to the machines in the test environment. Specify the following condition of
patch installation: the patch approval status must be Not defined. This step is needed to
validate the patches and check whether the machines work properly after patch installation.
4. Prepare the protection plan (for example, "Production patching") with the enabled Patch
management module and apply it to the machines in the production environment. Specify the
following condition of patch installation: the patch status must be Approved.
5. Run the Test patching plan and check the results. The approval status for those machines that
have no issues can be preserved as Not defined while the status for machines working
incorrectly must be set to Declined.
6. According to the number of days set in the Automatic approval option, those patches that were
Not defined will become Approved.
7. When the Production patching plan is launched, only those patches that are Approved will be
installed on the production machines.
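An added model of the approval flow in steps 1 to 7 (not Acronis code): it replays the statuses day by day to show which patches reach production, including the case where a faulty patch is not declined before automatic approval. The patch names, the function names, and counting the approval window from the test installation day are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Approval(Enum):
    NOT_DEFINED = "Not defined"
    APPROVED = "Approved"
    DECLINED = "Declined"


@dataclass
class Patch:
    name: str
    status: Approval = Approval.NOT_DEFINED
    tested_on_day: Optional[int] = None  # day the Test patching plan installed it


def run_test_plan(patches: List[Patch], day: int) -> List[str]:
    """Test patching plan: installs only patches whose status is Not defined."""
    installed = []
    for p in patches:
        if p.status is Approval.NOT_DEFINED and p.tested_on_day is None:
            p.tested_on_day = day
            installed.append(p.name)
    return installed


def auto_approve(patches: List[Patch], day: int, approval_days: int) -> List[str]:
    """Automatic approval: Not defined -> Approved once the window has elapsed.

    Assumption: the window is counted from the test installation day.
    """
    promoted = []
    for p in patches:
        if (p.status is Approval.NOT_DEFINED and p.tested_on_day is not None
                and day - p.tested_on_day >= approval_days):
            p.status = Approval.APPROVED
            promoted.append(p.name)
    return promoted


def run_production_plan(patches: List[Patch]) -> List[str]:
    """Production patching plan: installs only Approved patches."""
    return [p.name for p in patches if p.status is Approval.APPROVED]


def simulate(declines: Dict[int, List[str]], approval_days: int,
             production_day: int) -> List[str]:
    """Replay the workflow day by day and return what reaches production.

    declines maps a day number to the patches an operator sets to Declined
    on that day after reviewing the test machines.
    """
    # Constructed patch names for illustration.
    patches = [Patch("PATCH-A"), Patch("PATCH-B"), Patch("PATCH-C")]
    by_name = {p.name: p for p in patches}
    run_test_plan(patches, day=0)
    for day in range(1, production_day + 1):
        for name in declines.get(day, []):
            by_name[name].status = Approval.DECLINED
        auto_approve(patches, day, approval_days)
    return run_production_plan(patches)


if __name__ == "__main__":
    # PATCH-B is declined in time; PATCH-C is faulty but nobody declines it.
    print(simulate({2: ["PATCH-B"]}, approval_days=7, production_day=8))
    # Same run, with PATCH-C declined inside the approval window.
    print(simulate({2: ["PATCH-B"], 5: ["PATCH-C"]}, approval_days=7, production_day=8))
```

The first run shows that the Automatic approval period is the deadline for setting Declined: anything still Not defined when it expires is installed by the next Production patching run.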
Step 1. Read and accept the license agreements for the products that you
want to update
1. In the Cyber Protect web console, go to Software management > Patches.
2. Select the patch, then read and accept the license agreement.
Important
For all the products to be updated, define Approval status as Not defined. When the time to
update comes, the agent will install only Not defined patches on the selected machines in the
test environment.
Important
For all the products to be updated, define Approval status as Approved. When the time to
update comes, the agent will install only Approved patches on the selected machines in the
production environment.
Step 5. Run the Test patching protection plan and check the results
1. Run the Test patching protection plan (by schedule or on-demand).
2. After that, check which of the installed patches are safe and which are not.
3. Go to Software management > Patches and set the Approval status as Declined for those
patches that are not safe.
1. In the Cyber Protect web console, go to Software management > Patches.
2. Select the patches that you want to install, then read and accept the license agreements.
3. Set Approval status to Approved for the patches that you approve for installation.
4. Create a protection plan with the enabled Patch management module. You can either configure
the schedule or launch the plan on-demand by clicking Run now in the Patch management
module settings.
As a result, only the approved patches will be installed on the selected machines.
• Go to the list of patches (Software management > Patches) and install the necessary patches.
• Go to the list of vulnerabilities (Software management > Vulnerabilities) and start the
  remediation process which includes patch installation as well.
• Go to the list of devices (Devices > All devices), select the particular machines that you want to
  update, and install patches on them.
1. In the Cyber Protect web console, go to Software management > Patches.
2. Accept the license agreements for the patches that you want to install.
3. Select the patches that you want to install and click Install.
4. Select the machines on which patches must be installed.
5. Define whether reboot is initiated after installing patches:
   • Never – reboot will never be initiated after patch installation.
   • If required – reboot is done only if it is required for applying the patches.
   • Always – reboot will always be initiated after patch installation. You can always specify the
     reboot delay.
Do not reboot until backup is finished – if the backup process is running, the machine reboot
will be delayed until the backup is completed.
6. Click Install patches.
The Lifetime in list option defines how long a detected available patch will be kept in the list of
patches. Generally, the patch is removed from the list if it is successfully installed on all the
machines where its absence is detected or the defined time lapses.
A security alert can be resolved with a number of specific actions that are provided by the security
experts. Some alerts only notify you about upcoming threats, and no recommended actions are
available for them.
The main workflow of the threat feed is illustrated in the diagram below.
1. In the Cyber Protect web console, go to Dashboard > Threat feed to check whether there are
any existing security alerts.
4. Enable the actions that you want to be performed and select the machines to which these actions
must be applied. The following actions can be suggested:
5. Click Start.
6. On the Activities page, verify that the activity was successfully performed.
• To get detailed information about the stored data (classification, locations, protection status, and
  additional information) on your machines.
• To detect whether the data is protected or not. The data is considered protected if it is protected
  with backup (a protection plan with the Backup module enabled).
• To perform actions for data protection.
1. In the Cyber Protect web console, go to Devices > Data protection map.
In the list of devices, you can find general information about the number of unprotected files,
size of such files per device, and the last data discovery.
To protect files on a particular machine, click the ellipsis icon (...), and then click Protect all files.
You will be redirected to the list of plans where you can create a protection plan with the Backup
module enabled.
To delete the particular device with unprotected files from the list, click Hide until next data
discovery.
2. To view detailed information about the unprotected files on a particular device, click the name of
this device.
You will see a list of unprotected files per file extension and per location. You can filter this list by
file extension.
3. To protect all unprotected files, click Protect all files. You will be redirected to the list of plans
where you can create a protection plan with the Backup module enabled.
To get the information about the unprotected files in the form of a report, click Download detailed
report in CSV.
The following settings can be specified for the Data protection map module.
Schedule
You can define different settings to create the schedule according to which the task for data
protection map will be performed.
l Schedule by time – The task will run according to the specified time.
l When user logs in to the system – By default, a login of any user will start the task. You can
modify this setting so that only a specific user account can trigger the task.
l When user logs off the system – By default, a logoff of any user will start the task. You can
modify this setting so that only a specific user account can trigger the task.
l On the system startup – The task will run when the operating system starts.
l On the system shutdown – The task will run when the operating system shuts down.
Schedule type:
l Monthly – Select the months and the weeks or days of the month when the task will run.
l Daily – Select the days of the week when the task will run.
l Hourly – Select the days of the week, repetition number, and the time interval in which the task
will run.
Start at – Select the exact time when the task will run.
Run within a date range – Set a range in which the configured schedule will be effective.
Start conditions – Define all conditions that must be met simultaneously for the task to run.
Start conditions for antimalware scans are similar to the start conditions for the Backup module that
are described in "Start conditions" (p. 196). You can define the following additional start conditions:
• Distribute task start time within a time window – This option allows you to set the time
frame for the task in order to avoid network bottlenecks. You can specify the delay in hours or
minutes. For example, if the default start time is 10:00 AM and the delay is 60 minutes, then the
task will start between 10:00 AM and 11:00 AM.
• If the machine is turned off, run missed tasks at the machine startup
• Prevent the sleep or hibernate mode during task running – This option is effective only for
machines running Windows.
• If start conditions are not met, run the task anyway after – Specify the period after which
the task will run, regardless of the other start conditions.
On the Exception rules tab, you can define files and folders whose protection status will not be
checked during the data discovery.
Prerequisites:
• A protection agent is installed on the remote machine and is registered on the management
server.
• The machine has an appropriate Cyber Protect license assigned.
• The Remote Desktop Connection client is installed on the machine from which the connection is
initialized.
• The machine from which the RDP connection is initialized must be able to access the
management server by its host name. The DNS settings must be configured properly or the
management server host name must be put in the hosts file.
A remote connection can be established from both Windows and macOS machines.
To establish a connection from a macOS machine to a remote machine, ensure that the following
applications are installed on the macOS machine:
1. In the Cyber Protect web console, go to Devices > All devices.
2. Click on the machine to which you want to connect remotely and then click Cyber Protection
Desktop > Connect via RDP client or Connect via HTML5 client.
Note
Connection via HTML5 client is only available if the management server is installed on a Linux
machine.
3. [Optional, only for connection via RDP client] Download and install the Remote Desktop
Connection client. Initiate the connection to the remote machine.
4. Specify the login and password to access the remote machine, and then click Connect.
As a result, you are connected to the remote machine and can manage it.
1. In the Cyber Protect web console, go to Settings > Protection > Remote connection.
2. Select the check box Share remote desktop connection.
As a result, when you select a device in Cyber Protect web console, a new option Share remote
connection will appear.
1. In the Cyber Protect web console, go to Devices > All devices.
2. Select the device to which you want to provide a remote connection.
3. Click Share remote connection.
4. Click Get link. In the opened window, copy the generated link. This link can be shared with a
user who needs remote access to the device. The link is valid for 10 hours.
After getting the link, you can share it via email or other means of communication. The user with
whom the link was shared must click it and then select the connection type:
Remote wipe is only available for machines running Windows 10. To receive the wipe command, the
machine must be turned on and connected to the Internet.
1. In the Cyber Protect web console, go to Devices > All devices.
2. Select the machine whose data you want to wipe.
Note
You can wipe data from one machine at a time.
Note
You can check the details about the wiping process and who started it in Dashboard >
Activities.
You can apply a protection plan to a group. Once a new device appears in the group, the device
becomes protected by the plan. If a device is removed from the group, the device will no longer be
protected by the plan. A plan that is applied to a group cannot be revoked from a member of the
group, only from the group itself.
Only devices of the same type can be added to a group. For example, under Hyper-V you can create
a group of Hyper-V virtual machines. Under Machines with agents, you can create a group of
machines with installed agents. Under All devices, you cannot create a group.
Root groups cannot be edited or deleted. You cannot apply plans to root groups.
Some of the root groups contain built-in sub-root groups. These groups cannot be edited or deleted.
However, you can apply plans to sub-root built-in groups.
A custom group can contain one or more nested groups. Any custom group can be edited or
deleted. There are the following types of custom groups:
• Static groups
Static groups contain the machines that were manually added to them. The static group content
never changes unless you explicitly add or delete a machine.
Example: You create a custom group for the accounting department and manually add the
accountants' machines to this group. Once you apply a protection plan to the group, the
accountants' machines become protected. If a new accountant is hired, you will have to add the
new machine to the group manually.
• Dynamic groups
Dynamic groups contain the machines added automatically according to the search criteria
specified when creating a group. The dynamic group content changes automatically. A machine
remains in the group while it meets the specified criteria.
Another way to add devices to a static group is to select the group and click Add devices.
Criterion | Meaning | Search query examples | Supported for group creation
Possible values:
Yes
l 'x64'
l 'x86'
l true
l false
l 'x86'
l 'x64'
Possible values:
l 'windows' Yes
l 'linux'
l 'macosx'
Possible values:
l 'dc' Yes
Stands for Domain
Controller.
l 'server'
l 'workstation'
Possible values:
No
l true
l false
Possible values:
l 'idle'
l 'interactionRequired'
l 'canceling'
l 'backup'
l 'recover'
l 'install'
No
l 'reboot'
l 'failback'
l 'testReplica'
l 'run_from_image'
l 'finalize'
l 'failover'
l 'replicate'
l 'createAsz'
l 'deleteAsz'
Possible values:
l 'notProtected'
l 'ok' No
l 'warning'
l 'error'
l 'critical'
l true
l false
Possible values:
l unknown
l laptop Yes
l desktop
l server
l other
Note
If you skip the hour and minutes value, the start time is considered to be YYYY-MM-DD 00:00, and
the end time is considered to be YYYY-MM-DD 23:59:59. For example, lastBackupTime = 2020-02-20
means that the search results will include all backups from the interval
lastBackupTime >= 2020-02-20 00:00 and lastBackupTime <= 2020-02-20 23:59:59.
26.5.2 Operators
The following table summarizes the available operators.
LIKE 'wildcard pattern' | This operator is used to test if an expression matches the wildcard pattern. This operator is case-insensitive. | name LIKE 'en-00', name LIKE '*en-00', name LIKE '*en-00*'
The Reports section enables you to generate on-demand and scheduled reports about your
protected infrastructure. This section is only available with an Advanced license.
With an Advanced license, you can also download the current state of the dashboard or send it via
email in the .pdf and/or .xlsx format. To send the dashboard via email, ensure that the Email server
settings are configured.
The available widgets depend on your Cyber Protect edition. The default widgets are listed below:
Cyber protection | Not available in Cyber Backup editions | Shows overall information about the size of backups, blocked malware, blocked URLs, found vulnerabilities, and installed patches.
Protection status | Available in all editions | Shows the current protection status for all machines.
Activities | Available in all editions | Shows a summary of the activities that were performed during a specified time period.
Active alerts summary | Available in all editions | Shows a summary of the active alerts by alert type and by severity.
Patch installation status | Not available in Cyber Backup editions | Shows the number of machines grouped by patch installation status.
Missing updates by category | Not available in Cyber Backup editions | Shows the number of missing updates by category.
Disk health status | Not available in Cyber Backup editions | Shows the number of disks by their status.
Devices | Available in all editions | Shows detailed information about the devices in your environment.
Existing vulnerabilities | Available in all editions | Shows the existing vulnerabilities for the operating systems and applications in your environment, and the affected machines.
Patch installation history | Not available in Cyber Backup editions | Shows detailed information about the patches that were installed.
Recently affected | Available in all editions | Shows detailed information about the recently infected machines.
Locations summary | Available in all editions | Shows detailed information about the backup locations.
To add a widget
• Click the widget that you want to add. The widget will be added with the default settings.
• To edit the widget before adding it, click the pencil icon when the widget is selected. After editing
the widget, click Done.
To edit a widget
Click the pencil icon next to the widget name. Editing a widget enables you to rename it, change the
time range, set filters, and group rows.
To remove a widget
• Backed up today – the sum of recovery point sizes for the last 24 hours
• Malware blocked – the number of currently active alerts about malware blocked
• URLs blocked – the number of currently active alerts about URLs blocked
• Existing vulnerabilities – the number of currently existing vulnerabilities
• Patches ready to install – the number of currently available patches to be installed
Protection status
This widget shows the current protection status for all machines.
If you click on the machine status, you will be redirected to the list of machines with this status for
more details.
Discovered machines
This widget shows the list of discovered machines during the specified time range.
Limitations:
• Disk health forecast is supported only for machines running Windows.
• Only disks of physical machines are monitored. Disks of virtual machines cannot be monitored
and are not shown in the disk health widgets.
• On NVMe drives, disk health monitoring is supported only for drives that communicate the
SMART data via the Windows API. Disk health monitoring is not supported for NVMe drives that
require reading the SMART data directly from the drive.
• OK
Disk health is between 70% and 100%.
How it works
Disk Health Prediction Service uses an AI-based prediction model.
1. The protection agent collects the SMART parameters of the disks and passes this data to Disk
Health Prediction Service:
• SMART 5 – Reallocated sectors count.
• SMART 9 – Power-on hours.
• SMART 187 – Reported uncorrectable errors.
• SMART 188 – Command timeout.
• SMART 197 – Current pending sector count.
• SMART 198 – Offline uncorrectable sector count.
• SMART 200 – Write error rate.
2. Disk Health Prediction Service processes the received SMART parameters, makes forecasts, and
provides the following disk health characteristics:
• Disk health current state: OK, warning, critical.
• Disk health forecast: negative, stable, positive.
• Disk health forecast probability in percentage.
The prediction period is always one month.
3. Monitoring Service receives these characteristics, and then shows the relevant information in the
disk health widgets in the Cyber Protect web console.
• Disk health overview is a treemap widget with two levels of detail that can be switched by
drilling down.
  ◦ Machine level
  Shows summarized information about the disk status of all machines in the selected
  ◦ Disk level
  Shows the current disk health status of all disks for the selected machine. Each disk block
  shows one of the following disk health forecasts and its probability in percentage:
    ▪ Will be degraded
    ▪ Will stay stable
• Disk health status is a pie chart widget that shows the number of disks for each status.
Alert name | Severity | Disk health status | Description
Disk failure is possible | Warning | (30 – 70) | The <disk name> disk on this machine is likely to fail in the future. Run a full image backup of this disk as soon as possible, replace it, and then recover the image to the new disk.
Disk failure is imminent | Critical | (0 – 30) | The <disk name> disk on this machine is in a critical state and will most likely fail very soon. An image backup of this disk is not recommended at this point as the added stress can cause the disk to fail. Back up the most important files on this disk immediately and replace it.
Each block size depends on the total number/size of all important files that belong to an
organizational unit/machine.
• Critical – there are 51-100% of unprotected files with the extensions specified by you that are not
being backed up and will not be backed up with the existing backup settings for the selected
machine/location.
• Low – there are 21-50% of unprotected files with the extensions specified by you that are not
being backed up and will not be backed up with the existing backup settings for the selected
machine/location.
• Medium – there are 1-20% of unprotected files with the extensions specified by you that are not
being backed up and will not be backed up with the existing backup settings for the selected
machine/location.
• High – all files with the extensions specified by you are protected (backed up) for the selected
machine/location.
The results of the data protection examination can be found on the dashboard, in the Data
Protection Map widget – a treemap widget that shows details on a machine level.
Vulnerable machines
This widget shows the vulnerable machines by the vulnerability severity.
The found vulnerability can have one of the following severity levels according to the Common
Vulnerability Scoring System (CVSS) v3.0:
Existing vulnerabilities
This widget shows currently existing vulnerabilities on machines. In the Existing vulnerabilities
widget, there are two columns showing timestamps:
• First detected – date and time when a vulnerability was detected initially on the machine.
• Last detected – date and time when a vulnerability was detected the last time on the machine.
• Security updates
• Critical updates
• Other
To customize the view of the Activities tab, click the gear icon and select the columns that you want
to see.
To see the activity progress in real time, ensure that the Refresh automatically check box is
selected. However, frequent updating of multiple activities degrades the performance of the
management server.
• Device name
This is the machine on which the activity is carried out.
• Started by
This is the account that started the activity.
• Status
For example, succeeded, failed, in progress, canceled.
1. On the machine running the management server, open the following configuration file in a text
editor:
• In Windows: %Program Files%\Acronis\TaskManager\task_manager.yaml
• In Linux: /usr/lib/Acronis/TaskManager/task_manager.yaml
2. Locate the following section:
database:
  connection-string: ""
  run-cleanup-at: "23:59"
  cleanup-batch-size: 10
  max-cleanup-retries: 10
  log-queries: false
  max-transaction-retries: 10
  shards:
    - connection-string: sqlite://task-manager.sqlite
      days-to-keep: 90
      space: "default"
      key: "00000000-0000-0000-0000-000000000000"
Note
Increasing the retention period degrades the performance of the management server.
4. Restart Acronis Service Manager Service as described in "Using a certificate issued by a trusted
certificate authority."
27.3 Reports
You can use predefined reports or create a custom report. A report can include any set of the
dashboard widgets.
You can only configure reports for the units that you manage.
The reports can be sent via email or downloaded on a schedule. To send the reports via email,
ensure that the Email server settings are configured. If you want to process a report by using third-
party software, schedule saving the report in the .xlsx format to a specific folder.
The available reports depend on your Cyber Protect edition. The default reports are listed below:
Alerts | Cyber Backup Advanced, Cyber Protect Advanced | Shows the alerts that occurred during a specified time period.
Backup scanning details | Cyber Protect Advanced | Shows detailed information about detected threats in the backups.
Backups | Cyber Backup Advanced, Cyber Protect Advanced | Shows details about the current backups and recovery points.
Current status | Cyber Backup Advanced, Cyber Protect Advanced | Shows the current status of your environment.
Daily activities | Cyber Backup Advanced, Cyber Protect Advanced | Shows a summary about the activities that were performed during a specified time period.
Data protection map | Cyber Protect Advanced | Shows detailed information about the number, size, location, and protection status of all important files on the machines.
Detected threats | Cyber Backup Advanced, Cyber Protect Advanced | Shows details about the affected machines by number of blocked threats, and information about the healthy and vulnerable machines.
Discovered machines | Cyber Backup Advanced, Cyber Protect Advanced | Shows all machines that were discovered in the organization network.
Disk health prediction | Cyber Protect Advanced | Shows predictions about when your HDD/SSD will break down, and the current disk status.
Existing vulnerabilities | Cyber Backup Advanced, Cyber Protect Advanced | Shows the existing vulnerabilities for the operating systems and applications in your environment, and the affected machines.
Cyber Protect
Advanced
Locations | Cyber Backup Advanced, Cyber Protect Advanced | Shows usage statistics for the backup locations, for a specified time period.
Patch management summary | Cyber Protect Advanced | Shows the number of missing patches, installed patches, and applicable patches. You can drill down the report to get the missing/installed patch information and details about all the systems.
Summary | Cyber Backup Advanced, Cyber Protect Advanced | Shows a summary of the protected devices, for a specified time period.
Tape activities | Cyber Backup Advanced, Cyber Protect Advanced | Shows a list of tapes that were used during the last 24 hours.
Weekly activities | Cyber Backup Advanced, Cyber Protect Advanced | Shows a summary of the activities that were performed during a specified time period.
To add a report
To edit a report
To schedule a report
To export the report structure, select a report, and then click Export.
To import the report structure, click Create report, and then click Import.
The software generates the data dump on the fly. If you specify a long period of time, this action
may take a long time.
• The Alerts section of the Overview tab lets you quickly identify and solve the problems by
monitoring the current alerts.
• Under Devices, the device status is derived from alerts. The Status column enables you to filter
devices with problems.
• When configuring email notifications, you can choose which alerts will trigger a notification.
• Critical
• Error
• Warning
You can change the severity of an alert or disable an alert completely by using the alerts
configuration file as described below. This operation requires restarting the management server.
Changing the severity of an alert does not affect already generated alerts.
• In Windows: <installation_path>\AlertManager\alert_manager.yaml
Here, <installation_path> is the management server installation path. By default, it is
%ProgramFiles%\Acronis.
• In Linux: /usr/lib/Acronis/AlertManager/alert_manager.yaml
The file is structured as a YAML document. Each alert is an element in the alertTypes list.
The severity key defines the alert severity. It must have one of the following values: critical, error,
or warning.
The optional enabled key defines whether the alert is enabled or disabled. Its value must be either
true or false. By default (without this key) all alerts are enabled.
1. On the machine where the management server is installed, open the alert_manager.yaml file in
a text editor.
2. Locate the alert that you want to change or disable.
3. Do one of the following:
1. In the Start menu, click Run, and then type: cmd
2. Click OK.
3. Run the following commands:
It may also contain other components such as barcode readers or barcode printers.
An autoloader is a particular case of tape libraries. It contains one drive, several slots, a changer
and a barcode reader (optional).
A stand-alone tape drive (also called streamer) contains one slot and can hold only one tape at a
time.
In Windows, Acronis Cyber Protect can back up to a tape device even if the drivers for the device's
changer are not installed. Such a tape device is shown in Device Manager as Unknown Medium
Changer. However, drivers for the device's drives must be installed. In Linux and under bootable
media, backing up to a tape device without drivers is not possible.
Recognition of IDE or SATA connected devices is not guaranteed. It depends on whether proper
drivers have been installed in the operating system.
To learn if your specific device is supported, use the Hardware Compatibility Tool as described at
http://kb.acronis.com/content/57237. You are welcome to send a report about the test results to
Acronis. Hardware with confirmed support is listed in the Hardware Compatibility List:
https://go.acronis.com/acronis-cyber-protect-advanced-tape-hcl.
The database size depends on the number of backups stored on tapes and equals approximately
10 MB per hundred backups. The database may be large if the tape library contains thousands of
backups. In this case, you may want to store the tape database on a different volume.
• In Linux: /var/lib/Acronis/BackupAndRecovery/TapeLocation
The TapeLocation folder size is about 0.5-1% of the size of all backups stored on tapes. For disk-level
backups with the file recovery option enabled, the TapeLocation folder size might be slightly larger,
depending on the number of the backed-up files.
Note
When the software reads from a tape, it uses the same block size that was used when writing to the
tape. If the tape device does not support this block size, the reading will fail.
The parameters are set on each machine that has a tape device attached. It can be a machine where
an agent or a storage node is installed. On a machine running Windows, the configuration is
performed in the registry; on a Linux machine, it is done in the configuration file
/etc/Acronis/BackupAndRecovery.config.
In Windows, create the respective registry keys and their DWORD values. In Linux, add the following
text at the end of the configuration file, right before the </registry> tag:
<key name="TapeLocation">
    <value name="WriteCacheSize" type="Dword">
        "value"
    </value>
    <value name="DefaultBlockSize" type="Dword">
        "value"
    </value>
</key>
Possible values: 0, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536, 131072,
262144, 524288, 1048576.
If the value is 0 or if the parameter is absent, the block size is determined as follows:
If the specified value is not accepted by the tape drive, the software divides it by two until the
applicable value is reached or until the value reaches 32 bytes. If the applicable value is not found,
the software multiplies the specified value by two until the applicable value is reached or until the
value reaches 1 MB. If no value is accepted by the drive, the backup will fail.
WriteCacheSize
This is the buffer size (in bytes) used when writing to tapes.
Possible values: 0, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536, 131072,
262144, 524288, 1048576, but not less than the DefaultBlockSize parameter value.
If the value is 0 or if the parameter is absent, the buffer size is 1 MB. If the operating system does
not support this value, the software divides it by two until the applicable value is found or until the
DefaultBlockSize parameter value is reached. If the value supported by the operating system is not
found, the backup fails.
If you specify a non-zero value that is not supported by the operating system, the backup will fail.
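The fallback rules for DefaultBlockSize and WriteCacheSize described above, modelled as an added Python example (not Acronis code). The drive_accepts and os_supports callbacks are hypothetical stand-ins for the tape drive and the operating system; treating 32 bytes and 1 MB as the last values tried, and using 32 bytes as the buffer floor when DefaultBlockSize is 0, are assumptions.

```python
"""Model of the documented DefaultBlockSize / WriteCacheSize fallback rules.

Added illustration, not Acronis code. `drive_accepts` and `os_supports` are
hypothetical callbacks standing in for the tape drive and operating system.
"""

MIN_SIZE = 32             # smallest documented non-zero value (bytes)
MAX_SIZE = 1024 * 1024    # 1 MB, the largest documented value (bytes)
# 0, 32, 64, ... 1048576: the "Possible values" list for both parameters.
ALLOWED = {0} | {MIN_SIZE << i for i in range(16)}


class BackupFails(Exception):
    """Raised where the documentation says the backup fails."""


def _check_allowed(name, value):
    if value not in ALLOWED:
        raise ValueError(f"{name}={value} is not one of the documented values")


def block_size_candidates(specified):
    """Sizes tried, in order, for a non-zero DefaultBlockSize.

    First the specified value halved down to 32 bytes, then the specified
    value doubled up to 1 MB. Treating 32 and 1 MB as the last values tried
    is an interpretation of "until the value reaches ...".
    """
    _check_allowed("DefaultBlockSize", specified)
    if specified == 0:
        # 0 (or an absent parameter) selects the block size automatically;
        # that procedure is not modelled here.
        raise ValueError("automatic block size selection is not modelled")
    halving, size = [], specified
    while size >= MIN_SIZE:
        halving.append(size)
        size //= 2
    doubling, size = [], specified * 2
    while size <= MAX_SIZE:
        doubling.append(size)
        size *= 2
    return halving + doubling


def resolve_block_size(specified, drive_accepts):
    """Return the first candidate the drive accepts, or raise BackupFails."""
    for size in block_size_candidates(specified):
        if drive_accepts(size):
            return size
    raise BackupFails("no block size is accepted by the tape drive")


def resolve_write_cache(specified, default_block_size, os_supports):
    """Return the write buffer size in bytes, or raise BackupFails."""
    _check_allowed("WriteCacheSize", specified)
    _check_allowed("DefaultBlockSize", default_block_size)
    # Assumption: with DefaultBlockSize 0 or absent, 32 bytes is the floor.
    floor = default_block_size or MIN_SIZE
    if specified == 0:
        size = MAX_SIZE                 # default buffer size is 1 MB
        while size >= floor:
            if os_supports(size):
                return size
            size //= 2
        raise BackupFails("no buffer size is supported by the operating system")
    if specified < floor:
        raise ValueError("WriteCacheSize is less than DefaultBlockSize")
    if not os_supports(specified):
        # An explicit unsupported value is not adjusted: the backup fails.
        raise BackupFails(f"WriteCacheSize={specified} is not supported")
    return specified


def demo():
    """Run the rules against constructed drive and OS capabilities."""
    drive = {65536}.__contains__           # constructed: drive takes 64 KB only
    os_ok = {262144, 65536}.__contains__   # constructed OS buffer support
    return {
        "block_from_256k": resolve_block_size(262144, drive),
        "block_from_1k": resolve_block_size(1024, drive),
        "cache_default": resolve_write_cache(0, 65536, os_ok),
        "cache_explicit": resolve_write_cache(65536, 65536, os_ok),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note the asymmetry the model makes visible: an unsupported DefaultBlockSize is searched in both directions, while an explicit unsupported WriteCacheSize fails immediately.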
Parallel operations
Acronis Cyber Protect can simultaneously perform operations with various components of a tape
device. During an operation that uses a drive (backing up, recovering, rescanning, or erasing), you
can launch an operation that uses a changer (moving a tape to another slot or ejecting a tape) and
vice versa. If your tape library has more than one drive, you can also launch an operation that uses
one of the drives during an operation with another drive. For example, several machines can back
up or recover simultaneously using different drives of the same tape library.
The operation of detecting the new tape devices can be performed simultaneously with any other
operation. During inventorying, no other operation is available except for detecting the new tape
devices.
Limitations
The limitations of tape device usage are the following:
1. Tape devices are not supported when a machine is booted from 32-bit Linux-based bootable
media.
2. You cannot back up the following data types to tapes: Microsoft Office 365 mailboxes, Microsoft
Exchange mailboxes.
3. You cannot create application-aware backups of physical and virtual machines.
4. In macOS, only file-level backup to a managed tape-based location is supported.
5. The consolidation of backups located on tapes is not possible. As a result, the Always
incremental backup scheme is unavailable when you back up to tapes.
6. The deduplication of backups located on tapes is not possible.
7. The software cannot automatically overwrite a tape that contains non-deleted backups or if
there are dependent backups on other tapes.
The only exception to this rule is when the option "Overwrite a tape in the stand-alone tape drive
when creating a full backup" is enabled.
It is possible to append incremental and differential backups to rescanned backups that were
created by Acronis Backup 11.5 and Acronis Backup 11.7.
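Tape written on a locally attached tape device (tape drive or tape library) by...
Bootable Media | Echo | + | + | + | +
Bootable Media | ABR10 | + | + | + | +
Bootable Media | ABR11/ Acronis Backup 11.5/11.7/12.5 | + | + | + | -
Agent for Windows | 9.1 | + | + | + | +
Agent for Windows | Echo | + | + | + | +
Agent for Windows | ABR10 | + | + | + | +
Agent for Windows | ABR11/ Acronis Backup 11.5/11.7/12.5 | + | + | + | -
Agent for Linux | 9.1 | + | + | + | +
Agent for Linux | Echo | + | + | + | +
Agent for Linux | ABR10 | + | + | + | +
Agent for Linux | ABR11/ Acronis Backup 11.5/11.7/12.5 | + | + | + | -
Tape written on a tape device through...
Backup Server | 9.1 | - | - | - | -
Backup Server | Echo | - | - | - | -
Storage Node | ABR10 | + | + | + | +
Storage Node | ABR11/ Acronis Backup 11.5/11.7/12.5 | + | + | + | +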
Prerequisites
• The tape device is attached to the machine in accordance with the manufacturer’s instructions.
• The protection agent is installed on the machine.
Note
Full inventorying of an entire tape device may take a long time.
c. If the loaded tapes were sent to the Unrecognized tapes or Imported tapes pool and you
want to use them for backing up, move such tapes to the Free tapes pool manually.
Note
Tapes sent to the Imported tapes pool contain backups written by Acronis software. Before
moving such tapes to the Free tapes pool, ensure that you do not need these backups.
Backing up
Create a protection plan as described in the "Backup" section. When specifying the backup location,
select Tape pool 'Acronis'.
Results
• To access the location where backups will be created, click Backup storage > Tape pool
'Acronis'.
• Tapes with the backups will be moved to the Acronis pool.
Prerequisites
• A storage node is registered on the management server.
• The tape device is attached to the storage node in accordance with the manufacturer’s
instructions.
Note
Full inventorying of an entire tape device may take a long time.
c. If the loaded tapes were sent to the Unrecognized tapes or Imported tapes pool and you
want to use them for backing up, move such tapes to the Free tapes pool manually.
Note
Tapes sent to the Imported tapes pool contain backups written by Acronis software. Before
moving such tapes to the Free tapes pool, ensure that you do not need these backups.
d. Decide whether you want to back up to the Acronis pool or to create a new pool.
Details. Having several pools enables you to use a separate tape set for each machine or
each department of your company. By using multiple pools, you can prevent backups created
via different protection plans from mixing up on one tape.
e. If the selected pool can take tapes from the Free tapes pool when required, skip this step.
Otherwise, move tapes from the Free tapes pool to the selected pool.
Tip. To learn whether a pool can take tapes from the Free tapes pool, click the pool and then
click Info.
Backing up
Create a protection plan as described in the "Backup" section. When specifying the backup location,
select the created tape pool.
Results
• To access the location where backups will be created, click Backups, and then click the name of
the created tape pool.
• Tapes with the backups will be moved to the selected pool.
Warning!
During the inventorying, do not turn on Move unrecognized and imported tapes to the 'Free
tapes' pool. If the switch is turned on, you may lose all your backups.
2. Rescan the Unrecognized tapes pool. As a result, you will get the contents of the loaded tape(s).
3. If any of the detected backups continue on other tapes that have not been rescanned yet, load
these tapes as prompted and rescan them.
1. Load the tape(s) required for the recovery into the tape device.
2. Boot the machine from the bootable media.
3. Click Manage this machine locally or click Rescue Bootable Media twice, depending on the
media type you are using.
4. If the tape device is connected by using the iSCSI interface, configure the device as described in
"Configuring iSCSI and NDAS devices".
5. Click Tape management.
6. Click Inventory.
7. In Objects to be inventoried, select the tape device.
8. Click Start to start the inventorying.
9. After the inventorying completes, click Close.
10. Click Actions > Recover.
11. Click Select data, and then click Browse.
12. Expand Tape devices, and then select the necessary device. The system prompts to confirm the
rescanning. Click Yes.
13. Select the Unrecognized tapes pool.
14. Select the tapes to be rescanned. To select all the tapes of the pool, select the check box next to
the Tape name column header.
15. If the tapes contain a password-protected backup, select the corresponding check box, and then
specify the password for the backup in the Password box. If you do not specify a password, or
the password is incorrect, the backup will not be detected. Please keep this in mind in case you
see no backups after the rescanning.
Tip. If the tapes contain several backups protected by various passwords, you need to repeat the
rescanning several times specifying each password in turn.
16. Click Start to start the rescanning. As a result, you will get the contents of the loaded tape(s).
17. If any of the detected backups continue on other tapes that have not been rescanned yet, load
these tapes as prompted and rescan them.
18. After the rescanning completes, click OK.
19. In the Archive view, select the backup whose data is to be recovered, and then select the data
you want to recover. After you click OK, the Recover data page will show you the list of tapes
required for the recovery. The missing tapes are grayed out. If your tape device has empty slots,
load these tapes into the device.
20. Configure other recovery settings.
21. Click OK to start the recovery.
22. If any of the required tapes are not loaded for some reason, the software will show you a
message with the identifier of the needed tape. Do the following:
1. Load the tape(s) required for the recovery into the tape device.
2. Boot the machine from the bootable media.
3. Click Manage this machine locally or click Rescue Bootable Media twice, depending on the
media type you are using.
4. Click Recover.
5. Click Select data, and then click Browse.
6. In the Path box, type bsp://<storage node address>/<pool name>/, where <storage node
address> is the IP address of the storage node that contains the required backup, and <pool
name> is the name of the tape pool. Click OK and specify credentials for the pool.
7. Select the backup, and then select the data you want to recover. After you click OK, the Recover
data page will show you the list of tapes required for the recovery. The missing tapes are grayed
out. If your tape device has empty slots, load these tapes into the device.
8. Configure other recovery settings.
9. Click OK to start the recovery.
10. If any of the required tapes are not loaded for some reason, the software will show you a
message with the identifier of the needed tape. Do the following:
a. Load the tape.
b. Perform the fast inventorying.
c. Click Overview > Activities, and then click the recovery activity with the Interaction
required status.
d. Click Show details, and then click Retry to continue the recovery.
Usually, a tape device is detected automatically as soon as it is attached to a machine with the
product installed. However, you may need to detect tape devices in the following cases:
Tape pools
The backup software uses tape pools that are logical groups of tapes. The software contains the
following predefined tape pools: Unrecognized tapes, Imported tapes, Free tapes, and Acronis.
Also, you can create your own custom pools.
The Acronis pool and custom pools are also used as backup locations.
Predefined pools
Unrecognized tapes
The pool contains tapes that were written by third-party applications. To write to such tapes, you
need to move them to the Free tapes pool explicitly. You cannot move tapes from this pool to any
other pool, except for the Free tapes pool.
Imported tapes
The pool contains tapes that were written by Acronis Cyber Protect in a tape device attached to
another storage node or agent. To write to such tapes, you need to move them to the Free tapes
pool explicitly. You cannot move tapes from this pool to any other pool, except for the Free tapes
pool.
Free tapes
The pool contains free (empty) tapes. You can manually move tapes to this pool from other pools.
When you move a tape to the Free tapes pool, the software marks it as empty. If the tape contains
backups, they are marked with the icon. When the software starts overwriting the tape, the data
related to the backups will be removed from the database.
Acronis
The pool is used for backing up by default, when you do not want to create your own pools. Usually
it applies to one tape drive with a small number of tapes.
Custom pools
You need to create several pools if you want to separate backups of different data. For example, you
may want to create custom pools in order to separate:
Creating a pool
To create a pool:
Editing a pool
You can edit parameters of the Acronis pool or your own custom pool.
To edit a pool:
Deleting a pool
You can delete only custom pools. Predefined tape pools (Unrecognized tapes, Imported tapes,
Free tapes, and Acronis) cannot be deleted.
Note
After a pool is deleted, do not forget to edit protection plans that have the pool as the backup
location. Otherwise, these protection plans will fail.
To delete a pool:
You need to move tapes to slots of one slot magazine and then take the magazine out manually.
When you move a tape to the Free tapes pool, the software marks it as empty. If the tape contains
backups, they are marked with the icon. When the software starts overwriting the tape, the data
related to the backups will be removed from the database.
Note
If you have restorable backups on the tape and you move the tape to another pool, make sure you
refresh the vault under Backup storage once you complete the move operation. The backups will be
available in the second pool despite the original backup destination.
Inventorying
The inventorying operation detects tapes loaded into a tape device and assigns names to those that
have none.
Inventorying methods
There are two methods of inventorying.
Fast inventorying
The agent or storage node scans tapes for barcodes. Using barcodes, the software can quickly
return a tape to the pool where it was before.
Select this method to recognize tapes used by the same tape device attached to the same machine.
Other tapes will be sent to the Unrecognized tapes pool.
If your tape library contains no barcode reader, all tapes will be sent to the Unrecognized tapes
pool. To recognize your tapes, perform full inventorying or combine fast and full inventorying as
described later in this section.
Full inventorying
The agent or storage node reads earlier written tags and analyzes other information about the
contents of the loaded tapes. Select this method to recognize empty tapes and tapes written by the
same software on any tape device and any machine.
The following table shows pools to which tapes are sent as a result of the full inventorying.
Tape was used by... Tape is read by... Tape is sent to pool...
The fast inventorying can be applied to entire tape devices. The full inventorying can be applied to
entire tape devices, individual drives, or slots. For stand-alone tape drives, the full inventorying is
always performed, even if the fast inventorying is selected.
Full inventorying of an entire tape device may take a long time. If you need to inventory only a few
tapes, proceed as follows:
If you want to recover from a tape that was placed in the Unrecognized tapes or Imported tapes
pool, you need to rescan it. The tape will be moved to the pool you have selected during the
rescanning, and the backups stored on the tape will appear in the location.
Warning!
Only enable this switch if you are absolutely sure that the data stored on your tapes can be
overwritten.
Rescanning
The information about the contents of tapes is stored in a dedicated database. The rescanning
operation reads the contents of tapes and updates the database if the information in it mismatches
the data stored on tapes. The backups detected as a result of the operation are placed in the
specified pool.
Within one operation, you can rescan tapes of one pool. Only online tapes can be selected for the
operation.
To rescan tapes with a multistreamed or both multistreamed and multiplexed backup, you need at
least the same number of drives that were used to create this backup. Such a backup cannot be
rescanned through a stand-alone tape drive.
To rescan tapes
Note
During the inventorying, do not enable the Move unrecognized and imported tapes to the
'Free tapes' pool switch.
5. Select the Unrecognized tapes pool. This is the pool to which most of the tapes are sent as a
result of the fast inventorying. Rescanning any other pool is also possible.
6. [Optional] To rescan only individual tapes, select them.
7. Click Rescan.
8. Select the pool where the newly detected backups will be placed.
9. If necessary, select the Enable file recovery from disk backups stored on tapes check box.
Details. If the check box is selected, the software will create special supplementary files on a
hard disk of the machine where the tape device is attached. File recovery from disk backups is
possible as long as these supplementary files are intact. Be sure to select the check box if the
tapes contain application-aware backups. Otherwise, you will not be able to recover the
application data from these backups.
10. If the tapes contain password-protected backups, select the corresponding check box, and then
specify the password for the backups. If you do not specify a password, or the password is
incorrect, the backups will not be detected. Please keep this in mind in case you see no backups
after the rescanning.
Tip. If the tapes contain backups protected by various passwords, you need to repeat the
rescanning several times specifying each password in turn.
11. Click Start rescan to start the rescanning.
Result. The selected tapes are moved to the selected pool. The backups stored on the tapes can be
found in this pool. A backup spread over several tapes will not appear in the pool until all of these
tapes are rescanned.
Renaming
When a new tape is detected by the software, it is automatically assigned a name in the following
format: Tape XXX, where XXX is a unique number. Tapes are numbered sequentially. The renaming
operation allows you to manually change the name of a tape.
To rename tapes
Erasing
Erasing a tape physically deletes all backups stored on the tape and removes the information about
these backups from the database. However, the information about the tape itself remains in the
database.
After erasing, a tape located in the Unrecognized tapes or Imported tapes pool is moved to the
Free tapes pool. A tape located in any other pool is not moved.
To erase tapes
Ejecting
For successful ejecting of a tape from a tape library, the tape library must have the mail slot and the
slot must not be locked by a user or by other software.
To eject tapes
After a tape is ejected either manually or automatically, it is recommended to write its name on the
tape.
Removing
The removal operation deletes the information about the backups stored on the selected tape and
about the tape itself from the database.
Unlike an erased tape, the data from a removed tape is not physically deleted. Hence, you can make
backups stored on such tape available again. To do so:
Note
During the inventorying, do not enable the Move unrecognized and imported tapes to the
'Free tapes' pool switch.
3. Perform the rescanning to match the data stored on tapes with the database.
Unlike specifying tape sets in the backup options, where you can use variables, here you can specify
only a string value.
Perform this operation if you want the software to back up to specific tapes according to a certain
rule (for example, if you want to store Monday's backups on Tape 1, Tuesday's backups on Tape 2,
etc.). Specify a certain tape set for each of the required tapes, and then specify the same tape set or
use proper variables in the backup options.
For the above example, specify tape set Monday for Tape 1, Tuesday for Tape 2, etc. In the backup
options, specify [Weekday]. In this case, a proper tape will be used on the respective day of the week.
We recommend that you install a storage node and a catalog service on separate machines. The
system requirements for a machine running a catalog service are described in "Cataloging best
practices".
1. Log on as an administrator and start the Acronis Cyber Protect setup program.
2. [Optional] To change the language the setup program is displayed in, click Setup language.
3. Accept the terms of the license agreement and select whether the machine will participate in the
Acronis Customer Experience Program (ACEP).
• In a local folder:
  ◦ On a hard drive local to the storage node
  ◦ On a SAN storage that appears to the operating system as a locally attached device
• In a network folder:
  ◦ On an SMB/CIFS share
  ◦ On a SAN storage that appears to the operating system as a network folder
  ◦ On a NAS
• On a tape device that is locally attached to the storage node.
Tape-based locations are created in the form of tape pools. One tape pool is present by default. If
necessary, you can create other tape pools, as described later in this section.
1. Click Backup storage > Add location or, when creating a protection plan, click Where to back
up > Add location.
2. Click Tapes.
3. [Optional] Select the storage node that will manage the location.
4. Follow the steps described in "Creating a pool", starting from step 4.
Note
By default, agents use the storage node name to access a managed tape-based location. To make
the agents use the storage node IP address, click Backup storage > the location > Edit, and then
change the Address field value.
Deduplication restrictions
Common restrictions
Encrypted backups cannot be deduplicated. If you want to use deduplication and encryption at the
same time, leave the backups unencrypted and direct them to a location where both deduplication
and encryption are enabled.
Disk-level backup
Deduplication of disk blocks is not performed if the volume's allocation unit size—also known as
cluster size or block size—is not divisible by 4 KB.
Note
The allocation unit size on most NTFS and ext3 volumes is 4 KB. This allows for block-level
deduplication. Other examples of allocation unit sizes allowing for block-level deduplication include
8 KB, 16 KB, and 64 KB.
File-level backup
Deduplication of a file is not performed if the file is encrypted.
In the NTFS file system, a file may have one or more additional sets of data associated with it—often
called alternate data streams.
When such a file is backed up, so are all its alternate data streams. However, these streams are never
deduplicated—even when the file itself is.
To increase the speed of access to a deduplication database, the database and the location must be
placed on separate physical devices.
It is best to allocate dedicated devices for the location and the database. If this is not possible, at
least do not place a location or database on the same disk with the operating system. The reason is
that the operating system performs a large number of hard disk read/write operations, which
significantly slows down the deduplication.
• The database must reside on a fixed drive. Please do not try to place the deduplication database
  on external detachable drives.
• To minimize access time to the database, store it on a directly attached drive rather than on a
  mounted network volume. The network latency may significantly reduce deduplication
  performance.
• The disk space required for a deduplication database can be estimated by using the following
  formula:
S = U * 90 / 65536 + 10
Here,
S is disk size, in GB
For example, if the planned amount of unique data in the deduplication data store is
U=5 TB, the deduplication database will require a minimum of free space, as shown below:
For the purpose of data loss prevention, we recommend using RAID 10, 5, or 6. RAID 0 is not
recommended since it is not fault tolerant. RAID 1 is not recommended because of relatively low
speed. There is no preference between local disks and SAN; both are good.
High-speed LAN
1-Gbit LAN is recommended. It will allow the software to perform 5-6 backups with deduplication in
parallel, and the speed will not reduce considerably.
Back up a typical machine before backing up several machines with similar contents
When backing up several machines with similar contents, it is recommended that you back up one
machine first and wait until the end of the backed-up data indexing. After that, the other machines
will be backed up faster owing to the efficient deduplication. Because the first machine's backup has
been indexed, most of the data is already in the deduplication data store.
1. Specify and confirm a word (password) to be used for generating the encryption key.
The word is case-sensitive. You will be asked for this word only when attaching the location to
another storage node.
2. Select one of the following encryption algorithms:
• AES 128 – the location contents will be encrypted by using the Advanced Encryption Standard
  (AES) algorithm with a 128-bit key.
• AES 192 – the location contents will be encrypted by using the AES algorithm with a 192-bit
  key.
• AES 256 – the location contents will be encrypted by using the AES algorithm with a 256-bit
  key.
3. Click OK.
The AES cryptographic algorithm operates in the Cipher-block chaining (CBC) mode and uses a
randomly generated key with a user-defined size of 128, 192 or 256 bits. The larger the key size, the
longer it will take for the program to encrypt the backups stored in the location and the more secure
the backups will be.
The encryption key is then encrypted with AES-256 using a SHA-256 hash of the selected word as a
key. The word itself is not stored anywhere on the disk; the word hash is used for verification
purposes. With this two-level security, the backups are protected from any unauthorized access, but
recovering a lost word is not possible.
28.2.5 Cataloging
Data catalog
The data catalog lets you easily find the required version of data and select it for recovery. The data
catalog displays the data stored in the managed locations for which cataloging is or was enabled.
The Catalog section appears under the Backup storage tab only if at least one catalog service is
registered on the management server. For information about installing the catalog service, refer to
"Installing a storage node and a catalog service".
Limitations
Cataloging is supported only for disk- and file-level backups of physical machines, and backups of
virtual machines.
Note
To see which service catalogs a location, select the location in Backup storage > Locations >
Locations, and then click Details.
3. The software shows the machines that were backed up to the managed locations cataloged by
the selected catalog service.
Select the data to recover by browsing or by using search.
• Browsing
Double-click a machine to view the backed-up disks, volumes, folders, and files.
To recover a disk, select the disk marked with the following icon:
To recover a volume, double click the disk that contains the volume, and then select the
volume.
To recover files and folders, browse the volume where they are located. You can browse
If several storage nodes are registered on the management server, one catalog service is sufficient
unless the indexing or search performance degrades. For example, if you notice that cataloging is
working 24/7 (meaning that there are no pauses between cataloging activities), install one more
catalog service on a separate machine. Then, remove some of the managed locations and recreate
them with the new catalog service. The backups stored in these locations will be kept intact.
System requirements
Parameter Minimum value Recommended value
You can enable cataloging when adding a managed location or at a later time. Once cataloging is
enabled, all backups that are stored in the location and were not previously cataloged will be
cataloged after the next backup to the location.
The cataloging process can be time-consuming, especially if a large number of machines is backed
up to the same location. You can disable cataloging at any time. Cataloging of backups that were
created prior to disabling will be completed. The newly created backups will not be cataloged.
In default backup options, you can override these settings exclusively for the events that occur
during backup. In this case, the global settings will be effective for operations other than backup.
When creating a protection plan, you can choose which settings will be used: the global settings or
the settings specified in the default backup options. You can also override them with custom values
that will be specific for the plan only.
Important
When the global email notification settings are changed, all protection plans that use the global
settings are affected.
Before configuring these settings, ensure that the Email server settings are configured.
29.3 Security
Use these options to enhance security of your Acronis Cyber Protect on-premises deployment.
29.3.2 Show notification about the last login of the current user
This option enables displaying the date and time of the user's last successful login, the number of
authentication failures since the last successful login, and the IP address of the last successful login.
This information is shown at the bottom of the screen every time the user logs in.
29.4 Updates
This option defines whether Acronis Cyber Protect checks for a new version each time an
organization administrator signs in to the Cyber Protect web console.
If this option is disabled, the administrator can check for updates manually as described in
"Checking for software updates".
When creating a protection plan, a user can override a default value with a custom value that will be
specific for this plan only.
It is possible to disable anonymous registration on the management server so that the valid user
name and password of a management server administrator are always required for a device
registration. If a user opts for anonymous registration, the registration will fail. Registration of
bootable media pre-configured with the Do not ask for user name and password option also will
be rejected. During unattended installation, you will need to provide a registration token in the
transform file (.mst) or as the msiexec command parameter.
    "auth": {
      "anonymous_role": {
        "enabled": true
      }
    },
If you updated the management server from build 11010 or earlier, this section is absent. Copy
and paste it to the beginning of the file right after the opening brace {.
4. Change true to false.
5. Save the api_gateway.json file.
Important
Please be careful and do not accidentally delete any commas, brackets, and quotation marks in
the configuration file.
6. Restart Acronis Service Manager Service as described in "Using a certificate issued by a trusted
certificate authority."
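The hand edit in steps 4 and 5 can be done with a script that parses the file instead of editing it as text, so a dropped comma or brace is caught before anything is written. This is an added example, not Acronis code; the path to api_gateway.json is passed in by the operator, and the ".bak" backup name is an assumption.

```python
import json
import os
import shutil
import sys
import tempfile


def disable_anonymous_role(config_text):
    """Return (new_text, changed) with auth.anonymous_role.enabled set to false."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # Refuse to touch a file that is already syntactically damaged.
        raise ValueError(f"configuration is not valid JSON: {exc}") from exc
    if not isinstance(cfg, dict):
        raise ValueError("top-level JSON value must be an object")

    if "auth" not in cfg:
        # Section absent (the page says this happens after updating from
        # build 11010 or earlier): add it as the first key of the object.
        cfg = {"auth": {}, **cfg}
    auth = cfg["auth"]
    if not isinstance(auth, dict):
        raise ValueError('"auth" must be a JSON object')
    role = auth.setdefault("anonymous_role", {})
    if not isinstance(role, dict):
        raise ValueError('"anonymous_role" must be a JSON object')

    changed = role.get("enabled") is not False
    role["enabled"] = False
    return json.dumps(cfg, indent=2, ensure_ascii=False) + "\n", changed


def harden_file(path):
    """Apply the change to the file at `path`; return True if it was modified."""
    # utf-8-sig accepts files with or without a byte order mark.
    with open(path, encoding="utf-8-sig") as fh:
        original = fh.read()
    new_text, changed = disable_anonymous_role(original)
    if not changed:
        return False  # already disabled: leave the file byte-for-byte intact

    shutil.copy2(path, path + ".bak")  # keep the previous version for rollback
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(new_text)
        shutil.copymode(path, tmp)   # preserve the original permission bits
        os.replace(tmp, path)        # atomic swap: no half-written config
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: harden_gateway.py <path to api_gateway.json>")
    print("updated" if harden_file(sys.argv[1]) else "already disabled")
```

The script rewrites the file with two-space indentation, and the service restart in step 6 is still required for the change to take effect.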
Units
The Organization group is automatically created when you install the management server. With the
Acronis Cyber Protect Advanced license, you can create child groups called units, which typically
correspond to units or departments of the organization, and add administrative accounts to the
units. This way, you can delegate the protection management to other people whose access
permissions will be strictly limited to the corresponding units. For information about how to create a
unit, refer to "Creating units."
Every unit can have child units. The administrative accounts of the parent unit have the same
privileges in all child units. The Organization group is the top-level parent unit, and administrative
accounts on this level have the same privileges in all units.
Administrative accounts
Any account that is able to sign in to the Cyber Protect web console is an administrative account.
In the Cyber Protect web console, any administrative account can view or manage anything on or
below the hierarchical level of its unit. For example, an administrative account in the organization
has access to this top level and therefore access to all the units of this organization, while an
administrative account in a specific unit can access only this unit and its child units.
For information about how to add an administrative account to the management server, refer to
"Adding administrative accounts."
• Administrator
  This role provides full administrative access to the organization or a unit.
• Read-only
  This role provides read-only access to the Cyber Protect web console. It only allows gathering
  diagnostic data, such as system reports. The read-only role does not allow browsing backups or
  browsing the content of backed-up mailboxes.
• Auditor
  This role provides read-only access to the Activities tab in the Cyber Protect web console. For
  more information about this tab, refer to "The Activities tab." This role does not allow gathering
  or exporting any data, including system information of the management server.
Inheritance of roles
Roles in a parent unit are inherited by its child units. If the same user account has different roles
assigned in the parent unit and in a child unit, it will have both roles.
Also, roles can be explicitly assigned to a specific user account or inherited from a user group. Thus,
a user account can have both a specifically assigned role and an inherited one.
If a user account has different roles (assigned and/or inherited), it can access objects and perform
actions allowed by any of these roles. For example, a user account with an assigned read-only role
and inherited administrator role will have administrator privileges.
Important
In the Cyber Protect web console, only explicitly assigned roles for the current unit are shown. Any
possible discrepancies with the inherited roles are not displayed. We strongly recommend that you
assign administrator, read-only, and auditor roles to separate accounts or groups, in order to avoid
possible issues with the inherited roles.
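Because the console shows only the roles assigned explicitly in the current unit, an offline check of role assignments helps find accounts whose effective access is wider than what is displayed. The following is an added example, not part of the product: the unit tree, group membership, and assignment list are constructed sample data, and the data model (tuples of unit, principal, role) is an assumption rather than an Acronis export format.

```python
# Constructed sample data (hypothetical units, groups and accounts).
UNIT_PARENT = {
    "Organization": None,
    "Finance": "Organization",
    "Finance-EU": "Finance",
    "IT": "Organization",
}
GROUP_MEMBERS = {"backup-ops": {"alice", "bob"}}
# (unit, principal, role): a principal is a user account or a user group.
ASSIGNMENTS = [
    ("Organization", "backup-ops", "administrator"),
    ("Finance", "alice", "read-only"),
    ("Finance", "carol", "administrator"),
    ("Finance-EU", "carol", "auditor"),
    ("IT", "dave", "read-only"),
]


def unit_chain(unit, unit_parent):
    """Return the unit followed by all of its ancestors, top-level unit last."""
    chain, seen = [], set()
    while unit is not None:
        if unit in seen:
            raise ValueError(f"cycle in unit hierarchy at {unit!r}")
        if unit not in unit_parent:
            raise KeyError(f"unknown unit {unit!r}")
        seen.add(unit)
        chain.append(unit)
        unit = unit_parent[unit]
    return chain


def principals_of(user, group_members):
    """The account itself plus every group it belongs to."""
    return {user} | {g for g, members in group_members.items() if user in members}


def effective_roles(user, unit, unit_parent, group_members, assignments):
    """Union of roles assigned to the user or its groups in the unit or any parent."""
    units = set(unit_chain(unit, unit_parent))
    who = principals_of(user, group_members)
    return {role for u, p, role in assignments if u in units and p in who}


def shown_roles(user, unit, assignments):
    """Roles assigned explicitly to the account in this unit (what the console lists)."""
    return {role for u, p, role in assignments if u == unit and p == user}


def hidden_role_report(unit_parent, group_members, assignments):
    """List (unit, user, hidden_roles) where effective access exceeds the shown roles."""
    users = set().union(*group_members.values())
    users |= {p for _, p, _ in assignments if p not in group_members}
    report = []
    for unit in sorted(unit_parent):
        for user in sorted(users):
            effective = effective_roles(user, unit, unit_parent,
                                        group_members, assignments)
            hidden = effective - shown_roles(user, unit, assignments)
            if hidden:
                report.append((unit, user, sorted(hidden)))
    return report


if __name__ == "__main__":
    for unit, user, hidden in hidden_role_report(UNIT_PARENT, GROUP_MEMBERS,
                                                 ASSIGNMENTS):
        print(f"{unit}: {user} also holds {', '.join(hidden)} (not shown in this unit)")
```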
Default administrators
In Windows
When the management server is being installed on a machine, the following happens:
You can delete the Administrators group from the list of the organization administrators. However,
the Acronis Centralized Admins group cannot be deleted. In the unlikely case that all organization
administrators have been deleted, you can add an account to the Acronis Centralized Admins
group in Windows, and then log in to the Cyber Protect web console by using this account.
In Linux
When the management server is being installed on a machine, the root user is added to the
management server as an organization administrator.
You can add other Linux users to the list of management server administrators, as described later,
and then delete the root user from this list. In the unlikely case that all organization administrators
have been deleted, you can restart the acronis_asm service. As a result, the root user will be
automatically re-added as an organization administrator.
An account that has permissions for all units in an organization does not have permissions for the
organization. Administrative accounts on the organization level must be added to the Organization
group explicitly.
When installing agents locally, an administrator provides their credentials. The machine is added to
the unit managed by the administrator. If the administrator manages multiple units, the installer
prompts to choose a unit to which the machine will be added.
Note
This feature is not available in the Standard and Essentials editions.
To add accounts
This procedure applies to management servers running on Linux machines and in Acronis Cyber
Protect All-in-One Appliance.
1. On the machine running the management server, as the root user, open the file
/etc/security/acronisagent.conf with a text editor.
2. In this file, type the user names that you added as the management server administrators, one
per line.
3. Save and close the file.
service or click the icon in the top-right corner, and then click Management portal. Only users
that have administrative privileges can access this portal.
For information about administering user accounts and organization units, refer to the
Management Portal Administrator's Guide. To access this document, click the question mark icon in
the management portal.
This section provides additional information related to managing the Cyber Protection service.
30.2.1 Quotas
Quotas enable you to limit the users' ability to use the service. To set the quotas, select the user on
the Users tab, and then click the pencil icon in the Quotas section.
When a quota is exceeded, a notification is sent to the user's email address. If you do not set a
quota overage, the quota is considered "soft". This means that restrictions on using the Cyber
Protection service are not applied.
You can also specify the quota overages. An overage allows the user to exceed the quota by the
specified value. When the overage is exceeded, restrictions on using the Cyber Protection service
are applied.
Backup
You can specify the cloud storage quota, the quota for local backup, and the maximum number of
machines/devices/mailboxes a user is allowed to protect. The following quotas are available:
• Cloud storage
• Workstations
• Servers
• Windows Server Essentials
• Virtual hosts
• Universal
  This quota can be used instead of any of the four quotas listed above: Workstations, Servers,
  Windows Server Essentials, Virtual hosts.
• Mobile devices
• Office 365 mailboxes
• Local backup
  The Local backup quota limits the total size of local backups that are created by using the cloud
  infrastructure. An overage cannot be set for this quota.
Disaster recovery
These quotas are applied by the service provider to the entire company. Company administrators
can view the quotas and the usage in the management portal, but cannot set quotas for a user.
30.2.3 Reports
The report about using the Cyber Protection service includes the following data about the
organization or a unit:
To collect logs
D
Differential backup
A differential backup stores changes to the data against the latest full backup. You need access
to the corresponding full backup to recover the data from a differential backup.
F
Full backup
A self-sufficient backup containing all data chosen for backup. You do not need access to
S
Single-file backup format
A new backup format, in which the initial full and subsequent incremental backups are saved to a
single .tib file, instead of a chain of files. This format leverages the speed of the incremental
backup method, while avoiding its main disadvantage – difficult deletion of outdated backups. The
software marks the blocks used by outdated backups as "free" and writes new backups to these
blocks. This results in extremely fast cleanup, with minimal resource consumption. The single-file
backup