
Acronis Cyber Protect - Tech Pro (Course Handout)

The Acronis Cyber Protect Tech Professional course provides training on deploying advanced backup, cybersecurity, and endpoint management features. Participants will learn to configure these features, perform basic troubleshooting, and understand the differences between various Acronis Cyber Protect editions. The course is structured into modules covering advanced backup and recovery, cybersecurity, endpoint management, and troubleshooting techniques.

Uploaded by Ismail el jadidi

Copyright: © All Rights Reserved

Acronis Cyber Protect

Tech Professional

Welcome to the Tech Professional course. This course equips you with the knowledge
and skills needed to correctly deploy Acronis Cyber Protect’s advanced backup,
cybersecurity, and endpoint management capabilities. Let’s get started.

Learning Objectives

• List and describe advanced features
• Understand and configure advanced backup and recovery, cybersecurity, and endpoint management
  features
• Perform basic troubleshooting

By the end of this course, you will be able to: First, list and describe the advanced
features of Acronis Cyber Protect. Second, understand how advanced backup and
recovery, cybersecurity, and endpoint management features work and how to
configure them. Third, perform basic troubleshooting tasks for Acronis Cyber Protect.

Course Modules

1. Advanced Backup and Recovery
2. Advanced Cybersecurity
3. Advanced Endpoint Management
4. Basic Troubleshooting

The course is structured into several modules. Modules one through three cover
advanced backup and recovery, cybersecurity, and endpoint management features,
respectively. The final module focuses on basic troubleshooting tools and resources.

Acronis Cyber Protect
Advanced Backup and Recovery

In this module, we will go over advanced backup and recovery capabilities in Acronis
Cyber Protect.

Edition comparison

Features | Standard | Advanced | Backup Advanced

Standard backup and recovery features:
Windows, Linux, and Mac | VMware, and Hyper-V | Microsoft Exchange, SQL,
SharePoint, and Active Directory application-aware backup | Backup to local folder,
network folder, and Acronis Cloud | Immutable storage | Acronis Universal Restore

Advanced backup and recovery features:
Citrix XenServer, Red Hat Virtualization, Linux KVM, Nutanix AHV, Proxmox VE, Oracle
VM Server, Virtuozzo | Synology NAS | Oracle and SAP HANA database | Clustered
Exchange/SQL backup | Off-host data processing | Tape support | Deduplication |
One-click recovery | Convert to VM | Acronis Instant Restore

Cloud application backup:
Microsoft 365, and Google Workspace

Before diving into Acronis Cyber Protect’s core advanced backup and recovery
capabilities, it is important to review the differences between the Acronis Cyber
Protect editions. Several capabilities are available only in the Advanced and Backup
Advanced editions. These include one-click recovery, support for virtualization
platforms beyond VMware and Hyper-V, and advanced backup storage options such
as tape and deduplication. In addition, certain backup and recovery operations are
exclusive to the Advanced and Backup Advanced editions. These include off-host data
or backup processing and Acronis Instant Restore. Finally, cloud application backup
for Microsoft 365 and Google Workspace is available only with Backup Advanced
edition licenses.

Protecting VMs and virtualization hosts: Nutanix

For Nutanix

• VMs can be backed up and recovered with Agent for Nutanix AHV (agentless backup)
• Deployed as a pre-configured QCOW2 virtual appliance (VA) to a Nutanix cluster:
  • Recommended settings: 4 vCPUs and 8 GB of RAM, 16 GB in more demanding cases such as when
    backing up multiple VMs with large drives (500 GB or more)
  • More than 1 VA can be deployed to the same cluster for load-balancing with auto-redistribution
    triggering once load imbalance among appliances reaches 20%
  • Removing VAs from the web console will trigger load redistribution; removing VAs from Nutanix Prism
    Element console will not
• Backup of Nutanix volume groups and application-aware backups are not supported

Acronis Cyber Protect can back up and recover Nutanix virtual machines using the
Agent for Nutanix AHV. The agent is delivered as a QCOW2 virtual appliance that can
be deployed to a Nutanix cluster. When deploying the QCOW2 template, configure
the virtual appliance with 4 vCPUs and 8 GB of RAM. This ensures that backup and
recovery performance is not affected by insufficient resources. For more demanding
scenarios, such as backing up multiple virtual machines with disks of 500 GB or larger,
increase the memory allocation to 16 GB. A single virtual appliance can back up and
recover all virtual machines in a Nutanix cluster. If additional capacity is needed,
multiple appliances can be deployed to support load balancing. When more than one
virtual appliance is deployed, the load is automatically redistributed when imbalance
reaches 20 percent. Virtual appliance removal must always be performed from the
Acronis Cyber Protect web console to ensure that load redistribution is triggered
correctly. Removing a virtual appliance directly from the Nutanix Prism Element
console does not trigger load redistribution. Note that backup of Nutanix volume
groups and application-aware backups are not supported.

Protecting VMs and virtualization hosts: Proxmox

For Proxmox

• VMs can be backed up and recovered with Agent for Proxmox (agentless backup)
• Bundled together with Agent for Linux (64-bit), and requires that Agent for Linux is also installed on the
  Proxmox host:
  • Hosts running Proxmox VE 8.2 and above are supported; in clustered environments, both agents are
    required on each node
• Supported Proxmox storages for backup and recovery:
  • For VMs: All storages on which a VM can be created
  • For containers: LVM Thin, Ceph/RBD, BtrFS

Proxmox virtual machines and containers can be backed up and recovered using the
Agent for Proxmox. This agent is bundled with the 64-bit Agent for Linux. To perform
backup and recovery operations, both the Agent for Proxmox and the Agent for Linux
are required. Hosts running Proxmox VE version 8.2 or later are supported. In
clustered environments, both agents must be installed on every node. For virtual
machines, all storage types on which a VM can be created are supported for backup
and recovery. For containers, backup and recovery are supported on LVM, Ceph RBD,
and BtrFS storage types.

Protecting VMs and virtualization hosts: Proxmox

For Proxmox

• Supported backup locations for VMs and containers:
  • Acronis cloud storage
  • Public cloud storage
  • Network folders (SMB and NFS)
  • Local folders
• Limitations:
  • Application-aware backup is not supported
  • Recovery of virtual disks or containers to CephFS storage is not supported
  • For other limitations, refer to the user guide

Proxmox virtual machines and containers can be backed up to Acronis Cloud Storage,
public cloud storage, network folders, NFS folders, and local folders. Application-
aware backup and recovery of virtual disks or containers to CephFS storage are not
supported. For additional limitations, refer to the user guide.

Protecting Synology NAS

Files and folders on Synology NAS can be protected as follows:

• Backup files and folders on local folders (including attached USB drives) to Acronis cloud storage or other
local folders (including attached USB drives)
• Backup files and folders on external network folders (SMB) to other external network folders (SMB), NFS
folders or public clouds (requires Agent for Synology 7.x)
• NAS-specific properties and access permissions for shares, folders, and files are preserved
• Only Synology NAS devices with x86_64 processors running DiskStation Manager 6.x and 7.x are
supported
• Only backups created by Agent for Synology can be recovered to a Synology NAS device

Files and folders on Synology NAS devices can be backed up and recovered using
Agent for Synology while preserving NAS-specific properties and access permissions
for shares, files, and folders. Files and folders stored in local folders, including those
on attached USB devices, can be backed up to Acronis Cloud Storage or to other local
folders. Files and folders located on external network folders can be backed up to
other external network folders using the SMB protocol, as well as to NFS folders or
public cloud storage such as Microsoft Azure, Amazon S3, Wasabi, or other S3-
compatible storage. Backup to public cloud storage is supported only by Agent for
Synology version 7.x. Only Synology NAS devices with x86_64 processors running
DiskStation Manager (DSM) versions 6.x or 7.x are supported. In addition, only
backups created by Agent for Synology can be recovered directly to a Synology NAS
device.

Continuous Data Protection (CDP)

Minimize data loss when failure occurs between backups

• Back up changes to selected data when changes occur between backups
• Supported OS:
  • Windows 7 and above, Windows Server 2008 and above
• Supported file system:
  • NTFS only, local folders only, not compatible with application-aware backup
• Supported backup destinations:
  • Local folder, Network folder, Cloud storage, Location defined by the script
• In addition to predefined applications, files of other applications or in specific folders, e.g., D:\Data\*, can
  be added for CDP

Continuous Data Protection (CDP), when enabled, continuously backs up new and
modified files between scheduled backups. This helps ensure that user files are not
lost in the event of a failure. CDP is supported on Windows 7 and later systems using
NTFS volumes and can be enabled only when backups are stored on supported
backup destinations. In addition to predefined applications, you can include files from
other applications or folders for continuous protection.

Continuous Data Protection (CDP)

1. CDP will start after a Protection plan with CDP enabled is applied to a machine
   1. If no backup file is present, CDP will be paused until a full backup is created
   2. Once there is a full backup, or if there is an existing backup file, CDP will resume

2. When CDP is running:
   1. Application saves file to disk (automatically or manually by user action)
   2. CDP driver tracks and notifies Agent about changed file
   3. Agent reads entire file and checks what changed
   4. Agent saves changes to CDP backup

3. During scheduled backup:
   1. CDP is paused
   2. Scheduled backup executes and completes successfully
   3. CDP is resumed
   4. New CDP backup is created
   5. Previous CDP backup is deleted

This slide illustrates how CDP works. When a protection plan with CDP enabled is
applied to a Windows machine, the system first checks whether an existing backup
file is available. If no backup file exists, CDP is paused until an initial full backup is
created. Once a backup file is present, CDP resumes. The CDP driver then monitors
changes to the files and applications selected for CDP. When changes occur, they are
backed up continuously to the CDP backup. When browsing recovery points, both
regularly scheduled backups and the CDP backup are visible. When a scheduled
backup begins, CDP is paused. After the scheduled backup completes successfully,
CDP resumes, creates a new CDP backup file, and deletes the previous CDP backup.

Continuous Data Protection (CDP)

Select files of applications or specific files and folders to be protected by CDP

Add other applications to be protected by specifying the path to the application exe

When CDP is enabled, you can select files from predefined applications, as well as
specific files and folders, for continuous backup. You can also add additional
applications by specifying the path to the application’s .exe file. This ensures that user
files created or modified by the monitored applications are continuously backed up.

Continuous Data Protection (CDP)

Recovery point
from CDP backup

When browsing recovery points, the CDP backup appears after the most recent
scheduled backup because CDP operates between scheduled backups. In the event of
a system failure, recover first from the most recent scheduled backup, and then apply
the CDP backup to restore user files to their state at the time of failure. If files are lost
but the system is still operational, recover directly from the CDP backup.

Off-host data (backup) processing

Enables backup processing with another machine

• Reduce CPU and RAM consumption on protected server by offloading backup management operations
  to a server with a dedicated agent
• Operators can offload the following operations: backup scanning, replication, validation, cleanup,
  and conversion to VM
• Perform operations independently from protection plan, e.g., on a separate schedule such as during
  off-peak hours
• If you are using a Storage Node, the Agent used for off-host data processing can be installed on
  the node

Backup scanning, replication, validation, cleanup, and conversion to a virtual machine
are normally performed by the protection agent that creates the backup. These
operations can place additional load on the protected machine, even after the backup
itself has completed. To reduce this impact, you can use off-host data protection
plans. Off-host plans are separate protection plans for scanning, replication,
validation, cleanup, and conversion to a virtual machine. They allow you to assign
these operations to a different machine that has a protection agent installed. With
off-host plans, you can also configure independent schedules to run these tasks
outside of peak hours. This helps reduce resource usage on production systems and
limits network bandwidth consumption.

Off-host data (backup) processing

Create plan

Off-host data processing plans

Plan actions

Off-host processing plans are available under the Management tab. You can create
multiple off-host processing plans to handle backups from different machines.

Off-host data (backup) processing

Plan settings

Off-host processing plans are flexible and follow a common configuration pattern. You
select the machine with the agent that will perform the operation, choose the backup
or backup location to process, and then configure the required settings for that
operation. If the original backup is encrypted, you must provide the same password
for the off-host operation to complete successfully.

Acronis Instant Restore (Run as VM)

Spin up a virtual machine from a backup in seconds

• Used for:
  • Disaster recovery: Instantly bring a copy of a failed machine online
  • Testing of backups: Run machine from backup to ensure guest OS and applications are functioning
  • Accessing application data: Extracting application data using native tools
• Requires disk-level backup that contains an OS:
  • Virtual disks are emulated directly from the backup used to create a temporary VM
  • Can be deleted (all changes discarded) or Finalized (converted to a full VM) to enable backup
• Supported for VMware ESXi and Microsoft Hyper-V:
  • Requires Agent for VMware or Agent for Hyper-V and corresponding host

Acronis Instant Restore, also known as Run as VM, is an Acronis technology that
allows you to start a virtual machine from a backup in seconds. It can be used for
disaster recovery, backup testing, or quick access to the operating system,
applications, and data stored in a backup. This feature requires a disk-level backup
that includes an operating system. Instant Restore works by emulating virtual disks
directly from the backup to create a temporary virtual machine. Depending on your
needs, the temporary virtual machine can be deleted if you do not want to keep any
changes made while it is running. Alternatively, it can be finalized and converted into
a full virtual machine. Finalizing the virtual machine enables ongoing backups if you
plan to keep the changes. Run as VM requires either an Agent for VMware or an
Agent for Hyper-V, along with the corresponding virtualization host.

Acronis Instant Restore (Run as VM)

Spin up a virtual machine from a backup in seconds

• Backup must be stored on:
  • Network folder
  • Local folder of the machine or hypervisor where Agent for VMware or Agent for Hyper-V is installed
  • Acronis Cloud (slower performance due to intense random-access reading from the backup)
• Backups of both physical and virtual machines can be used; backups of Virtuozzo containers are not
  supported
• For Linux systems using logical volumes, Acronis Instant Restore will only work if it’s a VM backed up by
  Agent for VMware or Agent for Hyper-V and using the same platform to run as VM, i.e., VM with Linux
  logical volume backed up by Agent for VMware can only be run as VM on a VMware ESXi host

The backup used for Run as VM must be stored on a network folder or on a local
folder of the machine or hypervisor where the Agent for VMware or the Agent for
Hyper-V is installed. Backups stored in Acronis Cloud can also be used, but
performance may be much slower due to the intensive random-access reads required
during operation. Backups of both physical and virtual machines can be used for Run
as VM. Virtuozzo containers are not supported. For Linux systems that use logical
volumes, Acronis Instant Restore works only if the virtual machine was backed up
using the Agent for VMware or the Agent for Hyper-V. In addition, Run as VM must be
performed on the same platform that was used to create the backup. Otherwise, the
virtual machine started from the backup will fail.

Acronis Instant Restore (Run as VM)

Go to Devices > all devices

Select workload with backup to perform Run as VM

Click on Recovery

Click to configure Run as VM

To perform Run as VM, go to Devices > All devices and select a workload that has a
suitable backup. Click Recovery, choose the desired recovery point, and then select
Run as VM.

Acronis Instant Restore (Run as VM)

Run as VM
settings

Configure the Run as VM settings, including whether to use the Agent for VMware or
the Agent for Hyper-V, the datastore or path for the temporary virtual machine, and
basic virtual machine settings such as memory allocation and network adapters.
Next, select the desired power state and click Run now to start the process. This
process may take a few minutes, depending on where the backup is stored. Once the
virtual machine starts, it appears under Devices > All devices. You can then access the
virtual machine using the console, Remote Desktop, or SSH. If you want to keep the
changes made while the temporary virtual machine is running, initiate Finalization to
convert it into a full virtual machine.

One-click recovery

Automatically recover a disk-level backup of a Windows or Linux machine

• Simplifies the recovery process thereby allowing operators without deep IT expertise to perform recovery
• Supported backup types:
  • Disk-level backup of entire machine or specific disks or volumes
• Supported operations:
  • Automatic recovery from the most recent backup
  • Recovery from a specific backup
• Supported backup locations:
  • Secure Zone | Network folder | Cloud storage

One-click recovery allows you to automatically recover a disk-level backup of a
Windows or Linux machine. It simplifies the recovery process by eliminating the need
to manually configure recovery settings, enabling operators without advanced IT
expertise to perform recovery tasks. One-click recovery supports disk-level backups of
an entire machine, specific disks, or individual volumes. You can recover from the
most recent backup or select a specific recovery point. Backups used for one-click
recovery can be stored in Secure Zone, network folders, or cloud storage.

One-click recovery

Enabling one-click recovery

1. Go to Devices > All devices and select the machine you wish to enable one-click recovery
2. Create a new Protection plan or edit a suitable existing Protection plan for the selected machine
3. Click on Backup options > One click recovery
4. Enable One-click recovery using the toggle
5. Optionally, configure a recovery password that must be entered to perform one-click recovery
   from this machine
6. Save the changes

To enable one-click recovery, go to Devices > All devices and select the target
machine. Create a new protection plan or edit an existing plan that applies to that
machine. In the Backup module, configure the backup as needed, then click Backup
options and locate the One-click recovery setting. Use the toggle to enable one-click
recovery. Optionally, you can configure a recovery password. This password is
required when performing a one-click recovery on the machine. Save the changes to
apply the configuration.

One-click recovery

Enabling one-click recovery

• When One-click recovery is enabled, Acronis Startup Recovery Manager (ASRM) will be activated on the
target machine; if ASRM cannot be enabled, the backup operation that will create the one-click recovery
backup will fail
• If BitLocker is enabled, suspend it before enabling one-click recovery to avoid having to enter the
BitLocker PIN after restarting your machine due to ASRM activation
• After one-click recovery is enabled, when the protection plan runs and creates a backup, one-click
recovery becomes available whenever the machine reboots

When one-click recovery is enabled, Acronis Startup Recovery Manager (ASRM) is
activated when the protection plan is created or saved. If ASRM cannot be enabled
because the machine does not meet the requirements, the backup operation that
creates the one-click recovery backup will fail. If BitLocker is enabled, temporarily
suspend it before enabling one-click recovery. This prevents the system from
prompting for the BitLocker PIN during a restart. Once one-click recovery is enabled
and the protection plan runs successfully to create a backup, one-click recovery
becomes available every time the machine is restarted.
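
The BitLocker step can be scripted with the built-in Windows BitLocker cmdlets so that protection is suspended for a bounded number of reboots and comes back on by itself. This is an added example, not part of the course handout or of Acronis tooling; the function names are hypothetical, and it assumes the system drive is the affected volume and that one reboot covers ASRM activation.

```powershell
#Requires -RunAsAdministrator
# Added example (not Acronis tooling). Function names are hypothetical.
# Assumptions: the OS volume is $env:SystemDrive and one reboot is enough
# for ASRM activation; raise -RebootCount if your rollout needs more.

function Suspend-BitLockerForAsrm {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $MountPoint = $env:SystemDrive,

        # 0 would suspend indefinitely, so it is deliberately not allowed here.
        [ValidateRange(1, 15)]
        [int] $RebootCount = 1
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    if ($volume.VolumeStatus -eq 'FullyDecrypted') {
        Write-Verbose "$MountPoint is not BitLocker-encrypted; nothing to suspend."
        return $volume
    }
    if ($volume.ProtectionStatus -eq 'Off') {
        Write-Warning "$MountPoint is encrypted but protection is already suspended."
        return $volume
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, "Suspend BitLocker for $RebootCount reboot(s)")) {
        # Protection resumes automatically after the given number of reboots.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount -ErrorAction Stop
    }
}

function Test-BitLockerResumed {
    [CmdletBinding()]
    param([string] $MountPoint = $env:SystemDrive)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # An unencrypted volume has nothing to resume; report it as fine.
    if ($volume.VolumeStatus -eq 'FullyDecrypted') { return $true }

    if ($volume.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker protection on $MountPoint is still suspended. Run Resume-BitLocker -MountPoint $MountPoint."
        return $false
    }
    return $true
}

# Before saving the protection plan with One-click recovery enabled:
#   Suspend-BitLockerForAsrm -Verbose
# After the machine has restarted and the plan has been applied:
#   Test-BitLockerResumed
```

Running `Test-BitLockerResumed` after the restart confirms the volume is not left unprotected.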

One-click recovery

Performing one-click recovery

1. On the machine with One-click recovery enabled, reboot the machine and press F11 when the prompt
   “Press F11 for Acronis Startup Recovery Manager” appears
2. Once the bootable agent is loaded, the One-click recovery menu will be displayed
3. Select desired recovery method with the 1st option being one-click recovery
4. If the 2nd option is selected, a list of available backups will be displayed, and you can select one
   for recovery
5. The 3rd option will display the bootable Agent interface to allow manual configuration of the
   recovery task

To perform one-click recovery, reboot the machine where one-click recovery is
enabled. When the Press F11 for Acronis Startup Recovery Manager prompt appears,
press F11. After the bootable agent loads, the one-click recovery menu is displayed.
Select the appropriate recovery option: The first option starts one-click recovery and
automatically restores the machine from the most recent backup stored in the
configured backup location. The second option displays a list of available backups,
allowing you to select a specific backup to recover from. The third option opens the
bootable agent interface, where you can manually configure a recovery task.

Acronis Cyber Protect
Advanced Cybersecurity

In this module, we will go over advanced cybersecurity capabilities in Acronis Cyber
Protect.

Edition comparison

Features | Standard | Advanced | Backup Advanced

Essential cybersecurity features:
Active Protection | Vulnerability assessment

Standard cybersecurity features:
Antivirus and anti-malware protection | Exploit prevention | Windows
Defender/Microsoft Security Essentials management | URL filtering | Threat feed

Advanced cybersecurity features:
Backup malware scanning | Safe recovery | Forensic backup | Corporate allowlist |
Endpoint Detection and Response (EDR)

Before diving into Acronis Cyber Protect’s advanced cybersecurity capabilities, it is
important to review the differences between the Acronis Cyber Protect editions.
Several capabilities are available only in the Advanced edition. These include backup
malware scanning, safe recovery, forensic backup, corporate allowlisting, and, most
importantly, Endpoint Detection and Response or EDR. Note that EDR is available only
with cloud deployment. Local deployments do not support EDR capabilities.

Backup malware scanning

Scan backups for malware to prevent re-infection

• For local deployment: Requires Scan Service component to be installed with the management server
• Supported for backups of Entire machine and disks/volumes of Windows machines created by Agent for
Windows, Agent for Hyper-V, and Agent for VMware (Windows)
• Only .EXE files in volumes with NTFS file system, and MBR or GPT partitioning will be scanned
• Supported backup locations for local deployment: Local folder | Network folder | Acronis cloud storage
• Supported backup locations for cloud deployment: Acronis cloud storage
• CDP backups are not supported and will not be scanned
• After backup scanning plan is created, backup will be placed in queue for execution;
backup will show “Not scanned” status until scanning is complete

Backup malware scanning examines backups for malicious content to help prevent
reinfection during recovery. For local deployments, the Scan Service component must
be installed alongside the management server for backup malware scanning to be
available. Installing the Scan Service requires an external PostgreSQL or Microsoft SQL
database. For cloud deployments, no additional installation is required. Backup
malware scanning is supported for entire machine, disk, and volume backups of
Windows machines created by Agent for Windows, Hyper-V, and the Windows
version of the VMware agent. Only .exe files located on NTFS volumes that use MBR
or GPT partitioning are scanned. For local deployments, backups stored in local
folders, network folders, and Acronis Cloud Storage can be scanned. For cloud
deployments, only backups stored in Acronis Cloud Storage are supported for backup
malware scanning. Continuous Data Protection or CDP backups are not supported
and are not scanned, even if backup malware scanning is enabled. To begin, configure
a backup scanning plan. Backups selected for scanning are placed in a processing
queue. Scan completion time depends on the queue length and the size of each
backup. Until scanning is complete, backups display a Not scanned status.

Backup malware scanning

Create plan

Backup scanning plan

Plan actions

Backup scanning plans are available under the Management tab. You can create
multiple backup scanning plans to handle backups from different machines.

Backup malware scanning

Plan settings

When configuring a backup scanning plan, you can select either the backup location
or a specific backup to scan. When scanning encrypted backups, create a separate
backup scanning plan for each encrypted backup. Enable the encryption setting and
provide the same encryption password used to create the backup.

Safe recovery

Scan backup for malware during recovery to prevent re-infection

• Can be enabled when configuring a recovery task:
  • Once enabled, the backup used for recovery will be scanned for malware when the recovery task
    starts; if malware is found, it will be deleted after recovery from the backup is complete
• Supported for backups of Entire machine and disks/volumes of Windows machines created by Agent for
  Windows, Agent for Hyper-V, and Agent for VMware (Windows)
• Only .EXE files in volumes with NTFS file system, and MBR or GPT partitioning will be scanned
• Supported backup locations for local deployment: Local folders, network folders,
  Acronis cloud storage
• Supported backup locations for cloud deployment: Acronis cloud storage
• CDP backups are not supported and will not be scanned

Safe recovery can be enabled to scan the backup used for recovery for malware,
helping prevent reinfection. While backup malware scanning regularly scans selected
backups once configured, safe recovery scans only the backup that is being used for a
specific recovery operation. This approach allows you to sanitize backups that were
not included in backup scanning plans when they are needed for recovery. Once safe
recovery is enabled, the selected backup is scanned when the recovery task starts.
Based on the scan results, the backup is assigned a status, such as Malware detected
if threats are found. The recovery task then proceeds to restore the backup to the
selected machine. After the recovery completes, any infected files detected during
the scan are deleted. Because safe recovery uses the same scanning mechanism as
backup malware scanning, the same requirements apply. The backup must be an
entire machine, disk, or volume backup of a Windows machine, and it must be stored
in a supported backup location for the safe recovery option to be available during
recovery configuration.

Safe recovery

Safe recovery
setting

When configuring a recovery task, the Safe recovery option appears only if all safe
recovery requirements are met.

Forensic backup

Collect digital evidence for forensic investigation

• Backup that contains a snapshot of both used and unused disk space, memory dumps, and a snapshot of
  running processes
• Supported OS:
  • Windows 8.1 and above
  • Windows Server 2012 R2 and above
• Requires selecting Entire machine for What to backup and enabling Backup option > Forensic data
• Supported backup destinations:
  • Local folder on local disk and external HDD connected via USB, network folder and Acronis Cloud
• Backups with forensic data are automatically notarized

Forensic backup can be used to collect digital evidence for forensic investigation after
a security incident. In addition to capturing both used and unused disk space, a
forensic backup also includes a memory dump and a snapshot of running processes
at the time the backup is taken. Forensic backup is supported on Windows 8.1 and
Windows Server 2008 R2 and above. It requires selecting Entire machine as the
backup source. Continuous Data Protection (CDP) is not supported for forensic
backups and must be disabled. Supported backup destinations include local folders,
network folders, and Acronis Cloud Storage. After selecting what to back up and
where to store the backup, open Backup options and enable the Forensic data option
to turn on forensic backup.

Forensic backup

Forensic backup process

1. Collects raw memory dump and the list of running processes
2. Automatically reboots the machine into the bootable media environment
3. Creates the backup that includes both the occupied space and unallocated space
4. Notarizes the backed-up disks
5. Reboots into the live OS and continues plan execution, e.g., replication, cleanup, etc.

Once enabled, the forensic backup process works as follows. When the backup starts,
the agent collects a raw memory dump and captures a list of running processes. The
machine is then rebooted into the bootable media environment, where both
occupied and unallocated disk space are backed up. After the backup completes, the
backup is notarized. Once notarization is finished, the machine reboots back into the
operating system. If additional operations, such as replication or cleanup, are
configured, they are performed at this stage.

Forensic backup

• Forensic data can be recovered from a forensic backup: running processes snapshot (modules, processes, and
[Link]), and memory dump ([Link])
• Select Entire machine to recover the full forensic backup; the backup is recovered in a non-bootable state,
making it possible to check the disk contents while avoiding changes that OS bootup would make

To recover data from a forensic backup, browse to the backup location and select the
backup you want to restore. In addition to the standard recovery options for restoring
the entire machine or individual files and folders, there is also an option to recover
forensic data. Selecting Forensic data allows you to recover the raw memory dump,
along with lists of running processes, modules, and threads. The memory dump can
then be analyzed using forensic analysis tools, such as the Volatility Framework. If
disk content analysis is required, select the option to recover the entire machine. This
restores both occupied and unallocated disk space, if present. The recovered system
is restored in a non-bootable state, which prevents it from starting. This approach
preserves the integrity of the disk contents by avoiding any changes that would
normally occur during system boot.

Corporate allowlist (whitelist)

Prevent detection of legitimate corporate-specific applications as malicious (false positive)

• Used by all agents during antivirus and anti-malware scans
• Adding to the whitelist:
• Automatic: Enable Automatic generation of whitelist in Protection > Whitelist, Settings; files are
automatically added when backup malware scanning of backups from at least 2 machines is
complete
• Manual: In Protection > Whitelist, click on Add file to specify the path to the file to be whitelisted
• Quarantined: In Protection > Quarantine, quarantined files can be added to the whitelist
• Level of heuristic detection for automatic generation of whitelist can be configured:
• Default | Low | High
• Files added to the whitelist can be checked against VirusTotal when viewing file details

Legitimate, corporate-specific applications, especially custom-developed ones, can
sometimes be incorrectly identified as malicious by Acronis antivirus and anti-malware.
These false positives can disrupt operations if business-critical applications
are quarantined, preventing access or proper functionality. The corporate allowlist
helps prevent this issue. When enabled, all agents use the corporate allowlist during
antivirus and anti-malware scans. There are several ways to add application files to
the corporate allowlist. One option is automatic population by enabling Automatic
allowlist generation in Protection > Whitelist. The allowlist is populated after backup
malware scanning has successfully completed for backups from at least two
machines. You can also configure the heuristic detection level for identifying
legitimate applications. The default setting provides a balanced approach. A lower
level applies stricter criteria before marking files as trusted, while a higher level uses
more permissive criteria and adds files more quickly. Additional methods for adding
items to the allowlist include manually adding files through Protection > Whitelist and
adding files directly from the Quarantine tab. Files added to the allowlist can also be
checked against VirusTotal for additional verification.

Corporate allowlist (whitelist)

Whitelist settings

Whitelist tab

In the Protection > Whitelist tab, you can enable or disable the corporate allowlist
and configure the level of heuristic detection used for automatic allowlist generation
of legitimate corporate applications. When the allowlist is disabled, any added files
are temporarily hidden.

Endpoint Detection and Response (EDR)

What is EDR?

• Event correlation security platform that can detect suspicious activity on a workload, including attacks
that have gone unnoticed, by:
• Continuously monitoring and collecting endpoint activity and security events
• Correlating collected data using machine learning and security analytic algorithms to spot
potential attacks
• Generates incidents that provide a step-by-step overview of each attack
• Enables incident investigation and response:
• Provides easy-to-understand interpretation of each stage in the attack
• Provides investigation and remediation capabilities

What is Endpoint Detection and Response, or EDR, and why should organizations
deploy it? Simply put, EDR is an event-correlation security platform designed to
detect suspicious activity on a workload, including attacks that might otherwise go
unnoticed. When deployed on an endpoint such as a laptop, desktop, or server, EDR
continuously monitors and collects endpoint activity and security events. These
events include process execution, file changes, and network activity. The collected
data is then correlated using cloud-based machine learning and security analytics to
identify potential threats. When a threat is detected, EDR generates an incident
record that provides a step-by-step view of the attack. EDR also supports
investigation and response by offering clear visualizations and easy-to-understand
interpretations of each attack stage, along with built-in investigation and remediation
capabilities. As a result, EDR not only uncovers attacks that might otherwise remain
hidden, but also significantly reduces the time and expertise required to investigate
and respond to them.
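The correlation step described above, as an added illustration that is not Acronis code and not part of the original handout: constructed endpoint events are linked by process lineage into one incident with an ordered storyline and a count of affected objects. The event fields, the trigger rule (an Office application spawning a script host) and the stage labels are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed telemetry (not real data). Field names are assumptions.
EVENTS = [
    {"ts": 1, "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"ts": 2, "type": "process", "pid": 210, "ppid": 100, "image": "winword.exe"},
    {"ts": 3, "type": "process", "pid": 305, "ppid": 210, "image": "powershell.exe"},
    {"ts": 4, "type": "file", "pid": 305, "path": r"C:\Users\Public\upd.exe"},
    {"ts": 5, "type": "process", "pid": 410, "ppid": 305, "image": "upd.exe"},
    {"ts": 6, "type": "registry", "pid": 410,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"ts": 7, "type": "network", "pid": 410, "domain": "c2.example.test"},
    {"ts": 8, "type": "process", "pid": 500, "ppid": 100, "image": "notepad.exe"},
    {"ts": 9, "type": "file", "pid": 500, "path": r"C:\Users\a\notes.txt"},
]

OFFICE_APPS = {"winword.exe", "excel.exe"}               # assumed trigger parents
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}  # assumed trigger children


def find_triggers(events):
    """Return pids of script hosts whose parent process is an Office application."""
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    return [e["pid"] for e in events
            if e["type"] == "process"
            and e["image"] in SCRIPT_HOSTS
            and image.get(e["ppid"]) in OFFICE_APPS]


def descendants(events, root):
    """Collect root and every process below it (pids assumed unique in the sample)."""
    children = defaultdict(list)
    for e in events:
        if e["type"] == "process":
            children[e["ppid"]].append(e["pid"])
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen


def stage_for(e):
    """Label an event with a MITRE ATT&CK tactic name (simplified, assumed mapping)."""
    if e["type"] == "process":
        return "Execution"
    if e["type"] == "registry" and "\\CurrentVersion\\Run" in e["key"]:
        return "Persistence"
    if e["type"] == "network":
        return "Command and Control"
    return "Unclassified"


def describe(e):
    """Name the object (node) an event touched."""
    return e.get("image") or e.get("path") or e.get("key") or e.get("domain")


def build_incidents(events):
    """Correlate events into incidents: one per trigger, ordered by time."""
    incidents = []
    for root in find_triggers(events):
        pids = descendants(events, root)
        related = sorted((e for e in events if e["pid"] in pids),
                         key=lambda e: e["ts"])
        incidents.append({
            "root_pid": root,
            "storyline": [(e["ts"], stage_for(e), describe(e)) for e in related],
            "legend": dict(Counter(e["type"] for e in related)),
        })
    return incidents


if __name__ == "__main__":
    for incident in build_incidents(EVENTS):
        print("Incident rooted at pid", incident["root_pid"], incident["legend"])
        for ts, stage, obj in incident["storyline"]:
            print(f"  t={ts} {stage:20} {obj}")
```

The unrelated notepad.exe activity stays out of the incident because it shares no lineage with the trigger process, which is the point of correlating events rather than alerting on each one.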

Endpoint Detection and Response (EDR)

Acronis EDR features

• Receive alert notifications when a breach happens, including email notifications
• Manage incidents in the Protection > Incidents tab with filters for severity, workload affected, and more
• Easy to understand visualization (Cyber Kill Chain) of the attack storyline allows even non-security
personnel to digest the objectives and severity of an attack with details on:
• How the attacker got in
• How the attacker hid their tracks
• What harm was caused
• How the attack spread

Acronis EDR provides a comprehensive set of features to help organizations detect,
investigate, and respond to security incidents efficiently. When a breach occurs,
Acronis EDR generates alert notifications, including email alerts, so incidents are
identified quickly. Incidents can be managed directly from the Protection > Incidents
tab, where filters allow you to sort by severity, affected workloads, and other relevant
criteria. Acronis EDR also includes an easy-to-understand visualization of the attack
storyline based on the Cyber Kill Chain. This visualization enables even non-security
personnel to understand the objectives and severity of an attack. It clearly illustrates
how the attacker gained access, how they attempted to hide their activity, what
damage was caused, and how the attack spread across the environment.

Endpoint Detection and Response (EDR)

Acronis EDR features

• Recommendations and remediation steps with AI-guided response available via Acronis Copilot
• Check for presence of IoCs on workloads from publicly disclosed attacks in threat feeds
• Quick glance overview in the dashboard with EDR statistics such as number of incidents yet to be
investigated, efficiency rate of closing down incidents, and network status of workloads
• Store security incidents for 180 days to enable review
• Supported for:
• Windows 7 SP 1 and above, Windows Server 2008 R2 and above
• macOS 13 and above
• CentOS 7.x, Debian 10.x, 11.x, CloudLinux 7.x, 8.x, Ubuntu 16.04, 18.04, 20.04, 22.04

To support faster response, Acronis EDR provides recommendations and remediation
steps, with AI-guided response capabilities available through Acronis Copilot. It can
also check workloads for indicators of compromise, or IoCs, associated with publicly
disclosed attacks by using threat intelligence feeds. The dashboard offers a quick,
high-level overview of the security posture, including EDR statistics such as the
number of incidents awaiting investigation, the efficiency rate of closing incidents,
and the network status of protected workloads. Security incidents are retained for up
to 180 days, enabling review and analysis over time. Acronis EDR is supported on
Windows 7 Service Pack 1 and later, Windows Server 2008 R2 and later, macOS 13
and later, and multiple Linux distributions, including CentOS, Debian, CloudLinux, and
Ubuntu.

Endpoint Detection and Response (EDR)

Enabling EDR

1. Go to Devices > All devices and select the machine you wish to enable EDR for
2. Create a new Protection plan or edit a suitable existing Protection plan for the selected machine
3. Enable the Endpoint Detection and Response (EDR) module using the toggle

To enable EDR, go to Devices > All devices and select the target machine. Create a
new protection plan or edit an existing plan that applies to the machine, then use the
toggle to enable the Endpoint Detection and Response module.

Endpoint Detection and Response (EDR)

Enabling EDR

4. In the displayed dialog box, click Enable
5. Optionally, disable one or more Antivirus & Antimalware protection components if needed,
e.g., for testing purposes
6. Save the changes

In the displayed dialog box, click Enable. Optionally, you can disable one or more
Antivirus and Antimalware protection components, for example, for testing purposes.
Once done, save the changes to apply the protection plan.

Endpoint Detection and Response (EDR)

Using Acronis EDR

• Step 1: Review incident
• Analyze incident details
• Step 2: Investigate incident
• Investigate incidents in the cyber kill chain
• Step 3: Remediate incident
• Remediate entire incident
• For more details on how to use Acronis EDR, refer to the user guide

Let us review how to handle security incidents in Acronis EDR. Incident management
typically follows a three-step process. First, review the incident by analyzing the
incident details to understand what occurred and assess its severity. Next, investigate
the incident by examining each stage of the attack through the Cyber Kill Chain. This
helps you understand how the attack progressed and identify affected assets. Finally,
remediate the incident by applying the appropriate remediation actions to fully
resolve the threat and prevent recurrence. For more detailed instructions and
additional Acronis EDR use cases, refer to the user guide.

Endpoint Detection and Response (EDR)

In Devices > All devices tab, for the machine showing the “Incident detected” status, click
on the status to show the alert

Not mitigated threat status

Open Cyber Kill Chain to perform investigation

Let us take a closer look at step one: reviewing an incident. When Acronis EDR is
enabled on a workload, security incidents are created in two primary scenarios. The
first scenario occurs when a prevention layer stops a threat. For example, if Acronis
antivirus detects and successfully quarantines malware during a scan, an incident is
created automatically. These incidents are handled by the protection layer according
to the protection plan settings, and the incident alert displays a Mitigated status.
Even though the threat has been addressed, you can still investigate the incident to
understand what the malware attempted to do before it was detected and
quarantined. The second scenario occurs when EDR detects suspicious activity. These
incidents represent potential threats that require immediate investigation. In this
case, the incident alert shows a Not mitigated status. You can select “Investigate
incident” to open Cyber Kill Chain, where you can review each stage of the attack and
apply the appropriate remediation actions. Alternatively, you can navigate to
Protection > Incidents to review incident details first and then switch to Cyber Kill
Chain for deeper investigation and response.

Endpoint Detection and Response (EDR)

Filter or search by criteria

Review incidents in the Protection > Incidents tab

Sort by column

In the Protection > Incidents tab, you can view a list of all created incidents along with
summary metrics for the environment. When multiple incidents are not mitigated,
you can prioritize which ones to investigate and remediate by sorting or filtering by
creation date, severity, or incident type. For detailed definitions of severity levels and
incident types, refer to the user guide. As a rule, any incident that is not mitigated
and has a Critical severity should be investigated immediately, as it indicates a severe
risk of malicious activity and a high likelihood that an attack is in progress.

Endpoint Detection and Response (EDR)

Review incident details after clicking on the incident in the incident list

Switch to the attack info tab to review details of the attack and techniques used

To gather more information about an incident before starting an investigation, or to
help prioritize which incident to investigate first, select the incident from the incident
list to view its details in the Overview tab. To review the attack details and techniques
used, switch to the Attack Info tab. To see the actions performed on the incident,
switch to the Activities tab.

Endpoint Detection and Response (EDR)
Click to return to Protection > Incidents tab

Click to change investigation state

Click to add notes and comments

Click to remediate
entire incident

Now let’s take a closer look at step two: investigating an incident. To begin the
investigation, click Investigate incident for the incident you want to investigate. This
opens the Cyber Kill Chain view. The Cyber Kill Chain allows you to investigate an
entire incident, including all attack stages and affected objects such as processes,
registry entries, scheduled tasks, and domains. Across the top of the page, you can
view key incident details, change the investigation state, add notes and comments,
and access the Remediate entire incident dialog box. To return to the Protection >
Incidents tab, click the link in the upper-left corner of the page.

Endpoint Detection and Response (EDR)

Cyber Kill Chain graph showing each and every step of the attack

Legend showing affected items

In the center of the page, each step of the attack is displayed in a kill chain graph
along with all affected objects. On the left side, a legend provides a summary of the
number of affected objects.

Endpoint Detection and Response (EDR)

AI-powered Attack summary

Scroll down the left side of the page to view the Attack summary section. Acronis
uses AI technologies to generate an easy-to-understand summary based on the attack
stages of the incident. This summary helps even non-security personnel understand
the attacker’s objectives and methods, making it easier to determine whether the
incident represents a true positive.

Endpoint Detection and Response (EDR)

Attack stages mapped to MITRE ATT&CK framework

Scroll further down the left side of the page to view the Attack stages section. The
attack stages provide an easy-to-understand interpretation of each step in the attack.
Each stage summarizes what occurred and which objects were targeted. The attack
stages are mapped to the MITRE ATT&CK framework, providing a common lexicon to
support analysis and communication with other stakeholders. You can learn more
about the specific technique used by clicking the header of an attack stage. For
example, in the slide, clicking Command and Control opens the corresponding MITRE
webpage that explains this technique within the MITRE ATT&CK framework. These
built-in interpretations significantly reduce the time required to investigate an
incident. Instead of reviewing individual security events from timelines or graph
nodes and manually reconstructing the attack, you are presented with a clear,
structured explanation of what happened.

Endpoint Detection and Response (EDR)

Click on a node
to show details
in the sidebar

Sidebar with tabs containing security details, scripting
activities invoked in the attack, response actions, and activities

In addition to reviewing attack stages, you can investigate individual nodes in the
Cyber Kill Chain. As described earlier, attack stages provide easy-to-understand
interpretations of the attack and help you determine whether the activity represents
a true positive and which remediation actions may be required. For deeper analysis,
you can examine individual nodes in the Cyber Kill Chain. Each object affected by the
attack, such as a process, registry entry, scheduled task, or domain, is represented as
a node. Selecting a node displays its details and the available response actions in the
sidebar, allowing you to continue the investigation based on this information. One of
the most important sources of information is the Overview tab in the sidebar. This
section includes a security analysis of the selected node, the EDR verdict (such as
suspicious activity), severity, and the techniques used, mapped to the MITRE ATT&CK
framework. It also provides additional details, including the path to the node, file
hashes, and digital signatures. Another valuable source of information is the Scripting
activities tab, which shows details of any scripts invoked or loaded during the attack.
You can copy these scripts to the clipboard for further investigation. The sidebar also
provides response actions to support investigation and analysis, such as remote
desktop access and forensic backup.

Endpoint Detection and Response (EDR)

Click to show the Remediate entire incident dialog

Lastly, let’s look at remediating an incident. After completing your investigation and
deciding to proceed with remediation, there are two primary approaches. Note that
this represents a typical workflow, which may vary depending on the incident and
your specific requirements. The first approach is to remediate the entire incident.
Click Remediate entire incident in the upper-right corner of the page to open the
Remediate entire incident dialog. In this dialog, you can select a verdict and choose
remediation actions such as rolling back incident-specific changes, recovering from
backup, starting disaster recovery, adding threats to the blocklist, or installing
patches. Some remediation actions depend on resource availability. For example,
recovery from backup is available only if backups exist, and patch installation is
possible only if a vulnerability associated with the attack is identified. For detailed
information about each remediation action, refer to the user guide. After selecting
the desired remediation actions, you can optionally update the investigation state to
closed and add comments. Click Remediate to execute the selected actions.
Remediation actions are performed sequentially, and you can view their results in the
Activities section.

Endpoint Detection and Response (EDR)

Response
actions
available for
selected node

The second approach is to remediate individual nodes. This method is useful when
you need to manage an incident with greater granularity. To do this, select the node
you want to remediate in the Cyber Kill Chain graph to open the sidebar, then switch
to the Response actions tab. Response actions are grouped into four categories:
Remediate, Investigate, Recovery, and Prevent. The available actions depend on the
type of node selected. For example, actions such as Manage network isolation,
Remote desktop connection, and Forensic backup are available only when a workload
node is selected. Stop process is available only for process nodes, and Quarantine is
available only for file nodes. Some response actions require additional configuration
before they can be executed. If an incident is closed, response actions cannot be
applied. In this case, reopen the incident by changing its investigation state to
Investigating, and then apply the required response actions.

Acronis Cyber Protect
Advanced Endpoint Management

In this module, we will go over advanced endpoint management capabilities in
Acronis Cyber Protect.

Edition comparison

Features Standard Advanced Backup Advanced

Essential endpoint management features


Auto-discovery and remote installation

Standard endpoint management features


Single protection plan | Patch management | Disk health monitoring | Remote desktop
(RDP) | Hardware inventory | Software inventory

Advanced endpoint management features


Group management | Centralized plans management | Monitoring | Cyber scripting | Partial
Remote Desktop (NEAR) | Reports | Centralized Dashboard | Role-based management

Before diving into Acronis Cyber Protect’s advanced endpoint management
capabilities, it is important to review the differences between the Acronis Cyber
Protect editions. Several endpoint management features are available only in the
Advanced edition and, in some cases, partially in the Backup Advanced edition. These
capabilities include group management, centralized plan management, monitoring
plans, cyber scripting, remote desktop access using the NEAR protocol, reporting, a
centralized dashboard, and role-based management. Note that monitoring plans,
cyber scripting, and role-based management are available only with cloud
deployments, while the centralized dashboard is available only with local
deployments.

Group management

Device groups

• Used for convenient management of large numbers of registered machines:
• Built-in groups: Appear once an agent of the same type is registered, e.g., registering an Agent for
Hyper-V will cause the Hyper-V group to appear on the Devices tab where all Hyper-V hosts and VMs
will be shown
• Custom groups: Manually created in one of the built-in groups to group machines for group
management – protection plans can then be applied to a custom group, and all members of the group
will execute the plan
• 2 types of custom groups are available:
• Static: machines must be manually added/removed
• Dynamic: machines are automatically added/removed based on search criteria

Device groups are used to simplify the management of large numbers of registered
machines. There are two main types of device groups: built-in groups and custom
groups. Built-in groups appear automatically when an agent of a specific type is
registered. For example, registering an Agent for Hyper-V causes a Hyper-V group to
appear on the Devices tab, where all Hyper-V hosts and virtual machines are
displayed. Custom groups are manually created within built-in groups to organize
machines for group-based management. Protection plans can be applied to a custom
group, and all machines in the group automatically execute the assigned plan. There
are two types of custom groups. Static groups require machines to be manually
added or removed. Dynamic groups automatically add or remove machines based on
defined search criteria.

Group management

Creating a static group

1. In Devices, select the built-in group which contains the machines for which you want to
create a static group
2. Click on New static group
3. Specify a name for the group
4. Optionally, add comments
5. Click OK to create the group

To create a static group, go to Devices and select the built-in group that contains the
machines you want to include. Click New static group and specify a name for the
group. Optionally, add comments to describe the group. When finished, click OK to
create the group.

Group management

Adding devices to a static group

1. In Devices, select the static group and click on Add devices
2. Browse the groups tree and select the machines
to add to the static group.
3. Alternatively, in Devices, select one or more
machines and click Add to group
4. A tree of groups to which the selected machines
can be added will be displayed
5. Select the desired groups to add the machines to

To add machines to a static group, go to Devices and select the static group. Click Add
devices, then browse the group tree and select the machines you want to add.
Alternatively, from Devices, select one or more machines and click Add to group. A
list of available groups is displayed. Select the desired group or groups to add the
selected machines.

Group management

Creating a dynamic group

1. In Devices, select the built-in group which contains the machines for which you want to
create a dynamic group
2. Search for machines using the search field. You
can use a search query with one or more
attributes and operators. For more info on
search queries, refer to the user guide.
3. Click on Save as next to the search field
4. Specify a name for the group, and then click OK

To create a dynamic group, go to Devices and select the built-in group that contains
the machines you want to include. Use the search field to find machines. You can
search using one or more attributes and operators. For more information about
search queries, refer to the user guide. Next, click Save as next to the search field to
open the Create new dynamic group dialog box. Enter a name for the group, then
click OK.

Centralized plans management

Manage protection and other plans from a single tab

• Easily search for, view, and edit all types of plans from the Management tab
• Spend less time and effort on managing plans for large numbers of workloads
• Audit multiple plans conveniently from a single location
• Plans available:
• Protection plan | Remote management plan | Scripting plan | Monitoring plan | Cloud application
backup | Archiving plan | Backup scanning plan | Backup replication | Validation | Cleanup |
Conversion to VM | VM replication
• Some plans may not be available depending on deployment type, allocated licenses,
and administration level in the cloud console

With centralized plans management, you can manage protection and other plans
from a single tab. From the Management tab, you can easily search for, view, and edit
all plan types. This centralized approach helps you reduce the time and effort
required to manage plans across large numbers of workloads. You can also
conveniently audit multiple plans from one location. Several plan types are available,
although availability may vary based on your Acronis Cyber Protect deployment type,
allocated licenses, and administration level in the cloud console.

Centralized plans management

Selected plan

Available actions

Plans under Management tab

In the Management tab, you can manage all plans that were previously created.
When you select a plan, the available actions appear. One useful action is export and
import. You can export plans as a JSON file and import them into a different
management server or Acronis account. This saves you the effort of recreating plans
from scratch.

System and hardware monitoring

Enable proactive and preemptive IT management with ML-based monitoring

• Perform system and hardware performance monitoring via monitoring plans that include both
anomaly-based and threshold-based alerts
• Monitor 20+ system and hardware metrics as well as custom metrics for Windows and macOS to identify
potential issues early
• Accelerate problem resolution with automatic responses upon alert:
• Run a script | Restart services | Execute response actions
• Reduce the alert load on technicians through improved accuracy of issue detection,
precise alerting rules, and auto-response actions
• Available for cloud deployment only

Acronis Cyber Protect supports system and hardware monitoring through monitoring
plans that include both anomaly-based and threshold-based alerts. This enables
proactive and preemptive IT management, especially when you use anomaly-based
monitoring, which relies on machine learning to detect abnormal behavior in a
workload. You can monitor more than 20 system and hardware metrics and configure
custom metrics for Windows and macOS to identify potential issues early. When
alerts are triggered, use automatic responses, such as running a script, restarting
services, or executing other response actions, to accelerate problem resolution. All of
this helps reduce your alert load by improving the accuracy of issue detection,
applying precise alerting rules, and using auto-response actions. System and
hardware monitoring is available only with cloud deployments.

System and hardware monitoring

Monitoring types

• Threshold-based:
• Tracks if the values of the parameters are above or below a configured threshold value
• Anomaly-based:
• Uses machine learning to learn the normal behavior patterns for a workload and to detect abnormal
behavior
• Requires at least 3 weeks of training, results in dynamic upper and lower thresholds
that account for spikes and dips that are part of normal workload operations
• Choose either monitoring type for monitors in a monitoring plan; some monitors only support
threshold-based monitoring

There are two monitoring types available for monitors in a monitoring plan:
threshold-based and anomaly-based. Threshold-based monitoring tracks whether a
monitor’s parameter values rise above or fall below a configured threshold. When a
threshold is exceeded, an alert is generated. If auto-response actions are configured,
those actions are executed automatically. Anomaly-based monitoring uses machine
learning to learn normal behavior patterns for a workload and detect abnormal
behavior. This monitoring type requires at least three weeks of training to become
reliable, with longer training periods producing more accurate behavior models. The
training results in dynamic upper and lower thresholds that account for normal spikes
and dips in workload activity. This helps reduce the number of false-positive alerts
generated by monitoring. You can choose either monitoring type for monitors in a
monitoring plan, although some monitors support only threshold-based monitoring.
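The difference between the two monitoring types, as an added illustration that is not Acronis code and not part of the original handout: a static upper threshold is compared with dynamic per-hour bands learned from three weeks of constructed CPU samples. The band formula (hourly mean plus or minus k standard deviations), the 80% threshold and all names are assumptions standing in for the product's own model.

```python
import statistics
from collections import defaultdict

STATIC_UPPER = 80  # percent CPU; assumed static threshold for the example


def training_data(days=21):
    """Constructed hourly CPU samples: about 30% all day, about 90% at 02:00
    (a nightly job that is part of normal operation), with small fixed jitter."""
    samples = []
    for day in range(days):
        for hour in range(24):
            base = 90 if hour == 2 else 30
            jitter = ((day * 7 + hour * 3) % 5) - 2   # deterministic, -2..2
            samples.append((day, hour, base + jitter))
    return samples


def threshold_alert(value, upper=STATIC_UPPER):
    """Threshold-based monitoring: alert when the value exceeds a fixed limit."""
    return value > upper


def learn_bands(samples, k=3.0, min_days=21):
    """Learn a (lower, upper) band per hour of day from the training samples.

    Refuses to produce bands from less than min_days of data, mirroring the
    three-week training requirement stated above.
    """
    days = {day for day, _, _ in samples}
    if len(days) < min_days:
        raise ValueError(f"need {min_days} days of training data, got {len(days)}")
    by_hour = defaultdict(list)
    for _, hour, value in samples:
        by_hour[hour].append(value)
    bands = {}
    for hour, values in by_hour.items():
        mean = statistics.fmean(values)
        spread = k * statistics.pstdev(values)
        bands[hour] = (mean - spread, mean + spread)
    return bands


def anomaly_alert(bands, hour, value):
    """Anomaly-based monitoring: alert when the value leaves the learned band."""
    lower, upper = bands[hour]
    return not (lower <= value <= upper)


def compare(bands, observations):
    """Return (hour, value, threshold_alert, anomaly_alert) per observation."""
    return [(hour, value, threshold_alert(value), anomaly_alert(bands, hour, value))
            for hour, value in observations]


# Constructed observations on a later day:
#   02:00 at 91% -> the usual nightly spike
#   14:00 at 75% -> unusual daytime load that stays under the static limit
#   02:00 at 30% -> the nightly job did not run (a dip)
OBSERVATIONS = [(2, 91), (14, 75), (2, 30)]

if __name__ == "__main__":
    learned = learn_bands(training_data())
    for hour, value, static_hit, anomaly_hit in compare(learned, OBSERVATIONS):
        print(f"{hour:02d}:00 cpu={value}% threshold={static_hit} anomaly={anomaly_hit}")
```

On the training data itself the static threshold fires on every nightly spike while the learned bands stay silent, which is the false-positive reduction the notes describe.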

System and hardware monitoring

Select which type of monitoring plan to create

Go to Monitoring plans in Management tab

To create a monitoring plan, go to Management and select Monitoring plans. Click
Create, then choose the type of monitoring plan you want to create. The
Recommended option creates a monitoring plan with default monitors, while the
Custom option allows you to select and configure the monitors included in the plan.

System and hardware monitoring

Add workloads to apply the Monitoring plan to

Add monitor or
customize
existing monitors

In the next step of creating a monitoring plan, you can add new monitors or
customize existing ones. Newly added monitors are populated with default values,
and you can add a maximum of 30 monitors to a single monitoring plan. To apply the
monitoring plan to specific devices, click Add workloads and select the workloads you
want to include.

System and hardware monitoring

Monitor settings

Expand a monitor to view its settings. Most monitors include configurable parameters
and response actions. For detailed information about available monitors, configurable
parameters, and response actions, refer to the user guide.

Cyber scripting

Automate routine IT operations with AI-assisted scripting

• Automate operations such as installing software, modifying configurations, starting or stopping services,
and creating accounts
• AI-based script generation and editing available to boost productivity and reduce human error
• Supports PowerShell for Windows and Bash for macOS
• Built-in script repository provides a library of predefined scripts as well as a My scripts section
for storing custom scripts
• Scripts are deployed and executed securely and centrally via a scripting plan from the web console
• Supports script approval and execution through user roles with defined scripting rights
• Available for cloud deployment only

Cyber scripting automates routine IT operations, such as installing software,
modifying configurations, starting or stopping services, and creating accounts,
through the use of scripts. To boost productivity and reduce human error, Acronis
Cyber Protect integrates with OpenAI to enable AI-based script generation and
editing. The supported scripting languages are PowerShell for Windows and Bash for
macOS. To improve usability and convenience, a built-in script repository provides a
library of predefined scripts, along with a My scripts section for storing custom
scripts. You can deploy scripts securely and centrally through a scripting plan in the
web console. Script approval and execution is managed through different user roles
with defined scripting rights. Cyber scripting is available for cloud deployment only.

67
Cyber scripting
Select a predefined
script to clone to My
scripts

Click on Library to
view predefined
scripts

Go to Script
repository in
Management tab

In Management > Script repository, you can view all predefined scripts by selecting
Library. From there, you can clone a predefined script to My scripts to prepare it for
approval and inclusion in a scripting plan. You can also select a predefined script to
view its details and inspect the script contents.

68
Cyber scripting

Click to create a script using GenAI

Click on My scripts to view scripts cloned from the Library as well as manually created scripts

Click on a script to view details or to edit

In Management > My scripts, you can view and manage scripts cloned from the
Library as well as scripts created manually. You can select a script to view its details
and to edit it. To manually create a script using GenAI, select Create script using AI.

69
Cyber scripting

Enter prompt to
generate scripts
using GenAI
Script details

To create a script using GenAI, enter a clear and detailed description of what the
script should do in the prompt. When finished, click the arrow button. In the
confirmation window that appears, select the scripting language and operating
system, then click Generate. The script generated by GenAI is displayed in the main
pane. Note that up to 100 scripts can be generated using GenAI per calendar month
at no additional cost.

70
Cyber scripting

Edit the script manually if needed

Script status

Once the script is generated, you can edit it manually in the main pane, if needed.
You can also add credentials and arguments as required. When you use GenAI to
create a script, the script details are automatically filled in, except for the script
status. Script status is used to approve scripts for execution or inclusion in a scripting
plan.

71
Cyber scripting

Script status

• Used for approval processes:
  • Draft: Default value for newly created and cloned scripts in My scripts repository, cannot be run or
    included in scripting plans
  • Testing: Only administrators with Cyber Administrator role can change the status of a script to Testing,
    run scripts with Testing status, and run scripting plans with such scripts
  • Approved: Can be run and included in scripting plans by users and administrators
• Only administrators with the Cyber Administrator role can change the status of a script or delete an
  approved script

Before a script can be included in a scripting plan or run, it must be approved. This
approval is managed through script status. There are three statuses available: Draft,
Testing, and Approved. You can set up an approval chain using appropriate user roles
and script statuses to ensure that only vetted scripts are run or included in a scripting
plan. For more information about user roles and rights related to scripts and scripting
plans, refer to the user guide.

72
Cyber scripting

Add workloads to apply the Scripting plan to

Plan settings

Go to Scripting
plans in
Management tab

Scripting plans let you run approved scripts on multiple workloads, providing an
efficient and secure way to perform operations across large numbers of machines
from a central location. To create a scripting plan, go to Scripting plans on the
Management tab. In the scripting plan, you select the script to run, define the
schedule, choose the account used to execute the script, and set the maximum
duration. You can also specify the workloads to which the scripting plan applies.
When finished, click Create.

73
Remote desktop (NEAR)

Remotely access Windows, Linux and macOS machines through the web console

• Supports advanced functionalities as follows:
  • 2-way AES encryption
  • Connect in Control or View-only mode
  • File transfer
  • Clipboard sharing
  • Session recording
  • Screenshot transmission
• Remote management plan must be configured and applied to the workload to enable remote access
• Acronis Connect client must be installed on the machine used to initiate the remote connection and agent
  must be installed on the target/remote machine for the remote connection

Acronis Cyber Protect lets you establish remote desktop connections using NEAR to
Windows, Linux, and macOS machines through the web console, for both local and
cloud deployments. NEAR is an Acronis proprietary remote access protocol that
supports advanced features such as two-way AES encryption, file transfer, session
recording, and screenshot transmission. Similar to using RDP, you must configure and
apply a remote management plan to the workload to enable remote access. You must
also install the Acronis Connect client on the machine you use to initiate the remote
connection. In addition, the Acronis protection agent must be installed on the target
machine you want to access remotely.

74
Remote desktop (NEAR)

Go to Devices > All devices

Select machine to initiate remote connection

Select NEAR as the connection protocol and click on Control or View-only to start the Acronis Connect client

To start a remote desktop connection, go to Devices > All devices and select the
machine you want to access. From the Actions menu, click Remote desktop, confirm
that NEAR is selected as the connection protocol, and then choose Control for a
remote desktop session or View-only for remote assistance. This action launches the
Acronis Connect client. If the Acronis Connect client is not installed, a pop-up appears
with a link to download the installer.

75
Remote desktop (NEAR)

Remote connection client

Viewer window toolbar with buttons for Size | Control/View-only (Observe) | Select display | File
transfer | Take screenshot | Send Ctrl+Alt+Del | Image quality | Other

After the Acronis Connect client starts and you enter credentials to access the remote
machine, you will see the Viewer window. At the top of the Viewer window, a toolbar
displays buttons for available actions. These actions include changing the size of the
remote desktop view, switching between Control and View-only modes, selecting
from multiple displays on the remote machine, initiating file transfer, taking a
screenshot, sending the Control Alt Delete key combination, adjusting the remote
desktop display quality, and performing other actions.

76
Remote desktop (NEAR)

Screenshot transmission settings

Go to Devices > Screenshot transmission

Select machine to initiate screenshot transmission

Request permission from remote user to transmit desktop screenshot if Ask for
permission setting is enabled in the remote management plan

You can monitor the desktop of one or more machines using screenshot
transmission. Go to Devices > Screenshot transmission and select the machine to
start screenshot transmission. If Ask for permission is enabled in the remote
management plan for the machine, click Request screenshot transmission to request
permission from the remote user to transmit desktop screenshots. At the top of the
Screenshot Transmission pane, you can adjust settings such as the screenshot refresh
rate, image quality, and download the screenshot as an image.

77
Dashboard and Reports

Configure widgets in the dashboard and in reports to monitor and report operational status

• Dashboard can be found in Monitoring > Overview in the management server:
  • Contains customizable widgets that display operational statistics for backup, cybersecurity and
    endpoint management
  • More widgets can be added and you can drag and drop widgets to rearrange them on the Dashboard
  • Dashboard can be downloaded or sent via email as .PDF and .XLSX (requires Advanced license)
• Reports can be found in the Reports tab (requires Advanced license)
  • Contains customizable widgets like the Dashboard
  • Reports can be sent via email or downloaded on a schedule via Report settings
• Email server must be configured to send Dashboard or Reports as email

Dashboards and reports help you monitor and report on the operational status of
backup, cybersecurity, and endpoint management features. Both use customizable
widgets to display operational statistics. You can add widgets and rearrange them by
dragging and dropping to create a layout that fits your needs. You can access the
dashboard from the Monitoring > Overview tab, and reports from the Reports tab.
You can download dashboards or send them by email as PDF or XLSX files. This
functionality requires at least one Advanced license to be assigned to a workload.
Reporting also requires an Advanced license. A set of predefined reports is available,
and you can customize them as needed. You can send reports by email or download
them to a folder on a schedule for processing by third-party applications. You
configure the schedule in the report settings. To send dashboards and reports by
email, you must configure email server settings under Settings > System settings.

80
Flexible monitoring and reporting

Open in full-screen mode Available actions

Go to
Monitoring
> Overview

In the Monitoring > Overview tab, you can view the dashboard and its available
actions. A predefined set of widgets appears by default, and you can add additional
widgets based on your preferences.

81
Flexible monitoring and reporting

Available actions and settings

Go to Pre-defined reports
Reports

Add a new
report

In the Reports tab, you can view a list of predefined reports, along with the available
actions and settings for the selected report. Each predefined report includes a
specific set of widgets, and you can add additional widgets to capture the operational
statistics you want to include. You can also create new reports and customize them as
needed.

82
Centralized dashboard
Features:
• Actual data snapshots
• Historical view
• Highly customisable dashboards
• Multiple data sources
• Monitoring & analytical dashboards
• Data drill-down & filters
• Alerts based on data thresholds
• Integration with 3rd-party systems

Diagram components:
• Centralized Acronis Monitoring Hub
• Third-party Monitoring / Reporting / Analytical systems
• Data Warehouse (actual data, historical data)
• Acronis Cyber Protect (AMS instance #1) with Agents #1.1, #1.2 … #1.N
• Acronis Cyber Protect (AMS instance #2) with Agents #2.1, #2.2 … #2.N
• Any other data sources

With the centralized dashboard, you can aggregate data from multiple management
servers and view it in a single console. In addition to highly customizable widgets, you
can run queries to extract specific information from the aggregated data, set alerts
based on data thresholds, and download the data as an image, XLSX file, or CSV file.
To install the centralized dashboard, you must perform a custom installation and use
an external Microsoft SQL database. The centralized database can be installed only on
a machine running a 64-bit Windows Server operating system. For more information
about configuring and using the centralized dashboard, refer to the user guide.

83
Acronis Cyber Protect
Basic troubleshooting

In this module, we will go over basic troubleshooting in Acronis Cyber Protect.

84
Basic troubleshooting steps

Part 1 (Verify product functionality):
• Gather symptoms and error messages
• Review UG and KB to understand what is the expected behavior

Part 2 (Gather troubleshooting information):
• Search for known issues in release notes, and KB
• Review related troubleshooting articles in KB

Part 3 (Perform troubleshooting):
• Troubleshoot using suggested tools and steps
• Try available solutions and workarounds
• Collect required logs and troubleshooting tools outputs
• Reach out to Acronis Customer Support

To troubleshoot technical issues in Acronis Cyber Protect quickly and effectively, you
can follow a three-part process. First, gather symptoms and error messages to
determine which part of the software is not working as expected. Next, review the
user guide or Knowledge Base to understand the expected behavior and confirm that
the issue is not caused by incorrect configuration or software limitations. Second,
search for known issues based on the symptoms and error messages in the release
notes and the Acronis Knowledge Base. Also, review related troubleshooting articles
to gather all available troubleshooting information. Third, perform troubleshooting by
using the recommended tools and steps. Try available solutions and workarounds one
at a time. If the issue remains unresolved, collect the required Acronis Cyber Protect
logs and the output from the troubleshooting tools you used. Then, contact Acronis
Customer Support to open a support ticket and submit the collected logs and
outputs.

85
User guide (UG)

• To view the user guide in the management server web console:
  • Click on the ? button on the top right of the
    page and select Help
• Alternatively, go to the Acronis website’s
  Support & Resources section to view all
  available user guides and other
  documentation:
  [Link]
  us/support/documentation/

Let’s look at some of the resources available for troubleshooting. The first resource is
the user guide. The Acronis Cyber Protect user guide is comprehensive and includes
explanations of operations and correct configuration steps for all features in Acronis
Cyber Protect. You can access the user guide in several ways. In the web console, click
the question mark icon in the upper-right corner of the page and select
Documentation. Alternatively, visit the Support & Resources section of the Acronis
website to view all available user guides and related documentation.

86
Acronis Knowledge Base (KB)

• Contains information on:
  • Product functionality | Product limitations |
    Known issues | Troubleshooting techniques
    | Support tools and usage instructions |
    Supplemental support information
• To access, go to [Link]
  and click on Resources > For businesses to
  search for KB articles on Acronis Cyber
  Protect
• Click on Acronis Cyber Protect under Browse
  by products to view list of articles grouped
  by categories
• Click on Known Solutions and filter by
  Acronis Cyber Protect to view recent known
  solution articles

Next is the Acronis Knowledge Base, or KB. It includes information about
product functionality, limitations, known issues, and, most importantly,
troubleshooting techniques, support tools, usage instructions, and supplemental
support content. You can access the Knowledge Base at [Link]. Because
the KB contains articles for all Acronis solutions, go to the For businesses section
under Resources to find and search for articles related to Acronis Cyber Protect. You
can also select Known solutions and filter by Acronis Cyber Protect to view recent
known solution articles.

87
Acronis Knowledge Base (KB)

• To view troubleshooting guides for Acronis Cyber Protect:
  • Click on Acronis Cyber Protect under Browse
    by products and select Troubleshooting
    from the list
  • Other relevant article categories for
    troubleshooting are FAQs and Hot Topics,
    Security Updates, and How-to’s

To view a list of troubleshooting guides for Acronis Cyber Protect, go to the Acronis
Cyber Protect product section and select Troubleshooting. Other useful sections
include FAQs and Hot Topics, Security Updates, and How-To articles.

88
Collect system information (Sysinfo/Acroinfo)

• For troubleshooting device issues, and escalating to Acronis
  customer support, you need to collect system information
  (sysinfo) from the affected device
• To collect sysinfo from an online machine:
  • For machines with an agent installed, select the machine
    from Devices > All devices, and click on Activities in the
    action menu
  • To collect sysinfo from a management server, go to
    Dashboard > Activities
  • Click on the Collect system information button at the
    bottom of the panel
  • Sysinfo will be collected and available for download as a
    .ZIP file
• For offline devices, use Acronis bootable media:
  • Collect system information is available from the Help
    menu

To troubleshoot device issues and to open a support ticket, you need to collect
system information from the affected device. Acronis Cyber Protect includes a built-in
tool for this purpose. To collect system information from a managed device, select
the device with the error from the Devices tab in the web console. From the Actions
menu, go to Activities, and then click Collect system information at the bottom of the
Activities panel. This action triggers the agent on the device to collect the required
information. The process can take several minutes to complete. When the collection
is finished, the logs and system information files are compressed into a ZIP file and
made available for download from the web console. To collect system information
from a management server, go to Dashboard > Activities. The Collect system
information button is available at the bottom of the Activities page. If the device is
offline, or if no agent is installed due to a failed installation, start the device by using
Acronis bootable media. In this case, you can collect system information from the
Help menu in the bootable agent.

89
Collect system information (Sysinfo/Acroinfo)

Windows
• Product logs: %ProgramData%\Acronis
• Operating system logs
• Acronis product registry keys export
• Device hardware and software configuration details

Linux
• Product’s logs:
  • /var/lib/Acronis
  • /etc/Acronis
  • /usr/lib/Acronis
• Operating system logs

Mac
• Product’s logs:
  • /var/lib/Acronis
  • /Library/LaunchDaemons
  • /Library/LaunchAgents
  • /Library/Application Support/Acronis
  • /Library/Logs/DiagnosticReports
• Operating system logs
• OS crash dumps

The collected system information includes Acronis Cyber Protect product logs, system
logs, Acronis registry keys (when the information is collected from a Windows
machine), and hardware and software configuration details. Depending on the
operating system, the collected system information may vary slightly.

90
Collect system information (Sysinfo/Acroinfo)

• Collect system information for Windows machines
  will include the Windows System and Application
  event logs
• Use it to view system and application events to trace
  errors:
  • Windows System and Application event logs will
    be opened in Event viewer when you double-click
    on them
  • They will appear under the Saved logs section
  • Use them to locate error or warning messages
    regarding the issue you are troubleshooting
• Refer to the following KB for more information:
  [Link]
  Checking-Windows-Event-Log-for-issues-with-
  computer-environment

When you collect system information from a Windows machine, it includes the
Windows System and Application event logs. You can open these logs in Event Viewer,
where they appear under the Saved Logs section. Use these logs to identify error or
warning messages related to the issue you are troubleshooting. For more
information, refer to the Knowledge Base article listed on the slide.

91
Collect system information (Sysinfo/Acroinfo)

• Disk report:
  • View detailed information regarding local disks
    and partitions
  • Most important information is the partition
    layout table at the top of the report which
    summarizes information on all local disks and
    partitions
  • Besides checking for parameters like drive letter
    and available free space, the ABCHSV columns on
    the right will show if there are errors or warnings
  • If column B or C shows errors or warnings, it is
    recommended to run the Windows check disk
    utility (CHKDSK) to fix the error if possible
• Refer to the following KB for more information:
  [Link]
  Report

Partition layout table columns (screenshot callouts):
• Disk and partition number (starts from 1)
• Partition letter in OS
• Free space
• Partition name in OS
• Col B: Quick partition check
• Col C: Full partition check
• C: No errors | E: Errors | W: Warning

The disk report is another component of the system information collection that you
can use for troubleshooting. This report is a text file, and the most critical information
appears in the partition layout table at the top of the report. You can use this table to
view detailed information about all local disks and partitions, including disk and
partition numbers and drive letters, disk type, partition size, free space, file system,
and the partition name in the operating system. In addition to reviewing disk and
partition details, check the ABCHSV columns on the right side of the table. These
columns indicate errors or warnings. If column B or C shows an error or warning, you
can run the Windows Check Disk utility to attempt to fix the issue. For more
information, refer to the Knowledge Base article listed on the slide.

92
Collect system information (Sysinfo/Acroinfo)

• MSInfo32 – Microsoft system information report:
  • View hardware, system components, and
    software environment information
  • Can be used to check whether OS and hardware
    are supported
• In addition, you can gather information on
  installed hardware and software that can be
  useful for troubleshooting such as:
  • Disk drive type, partition size and sector size
    in Components > Storage
  • Running tasks, Services and Start-up Programs
    in Software Environment
• Refer to the following KB for more information:
  [Link]
  System-Information-File

Screenshot callouts: OS version | Computer name | Architecture | Current user

The MSInfo32 report is another component of the system information collection that
you can use for troubleshooting. In this report, you can view details about hardware,
system components, and the software environment. Use the MSInfo32 report to
verify that the operating system and installed hardware are supported. You can also
review information about local disks, running tasks, services, and startup programs to
help troubleshoot disk and software operation issues.

93
Acronis Cyber Protect logs

• Easiest way is to collect system information from the machine with agent or management server – all logs will be saved to the archive
  file that will be downloaded, and you can easily extract it and browse for the desired log
• For ease of searching and browsing, sort the logs by Date modified (descending) to see the most recent logs at the top of the folder

Type: Log file name in log folder

Installation logs:
• Windows: C:\ProgramData\Acronis\InstallationLogs
• Linux: /var/log/[Link]
• Mac: /var/log/acronis_install.log

Management server logs:
• C:\ProgramData\Acronis\AMS\logs\[Link]

Storage Node logs:
• C:\ProgramData\Acronis\BackupAndRecovery\ASN\logs\asn-[date&time].log

Managed Machine Service logs:
• C:\ProgramData\Acronis\BackupAndRecovery\MMS\[Link]

Service process logs:
• C:\ProgramData\Acronis\ServiceProcess\[date&time].log

N – index number of the log, where 0 - recent log, 1-N - old logs

The easiest way to obtain Acronis Cyber Protect logs is to collect system information
from the machine with the agent or from the management server you are
troubleshooting. Alternatively, you can access the logs directly by using the file paths
listed on the slide. When you view logs in a folder, sort them by the date modified in
descending order to see the most recent logs at the top.

94
Log structure

Log entry interpretation

2025-08-30T[Link] 10124 I00000000 [sub-component] User is running command. Command=Backing up;…

• Timestamp (date, time): 2025-08-30T[Link]
• Channel ID: 10124
• Level + UID: I00000000
• Name of sub-component, if available: [sub-component]
• Message body: User is running command. Command=Backing up;…

For example, in a service process log corresponding to the start time of a scheduled backup, you can look for Command=Backing up to
find the entry for the start of the backup and read on line by line from there, or look for Command has failed to quickly locate error messages:

2025-08-30T[Link]-07:00 10124 I00000000: User is running command. Command=Backing up; User=WIN2019-DEMO1\Administrator; clientProfileID=; clientSessionID=211C6660-84E8-43A9-BE30-CEB21B3E6BAE; activityID=68E595DB-86FE-439E-B730-5B69FC07C965; tenantID=00000000-0000-0000-0000-000000000000
2025-08-30T[Link]-07:00 10124 I00000000: Task execution window: listen current preset from 0FA04A80-EBD5-4592-A830-09AD8B29886D

Level:
• I00000000 – Information
• W00000000 – Warning
• D00000000 – Debug
• E00000000 – Error

Logs are rotated frequently; older logs are compressed to *.gz files

Most logs follow the structure shown on this slide. Each entry includes a timestamp,
channel ID, level with a unique ID, a subcomponent name, when available, and the
message body. To begin troubleshooting, locate the log entry closest in time to the
activity where the error occurred. Then, use the timestamp to quickly find related log
entries for the event you are investigating. You can also search for specific strings to
narrow your focus. For example, search for “Command=Backing up” to find the start
of a backup operation, or “Command has failed” to quickly locate error messages.
The level field indicates the type of entry, such as informational, warning, debug, or
error. Focus on entries marked as errors, especially those related to subcomponents
relevant to the issue. Logs are rotated frequently, and older logs are compressed into
.gz files to conserve disk space.
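
The triage described above, as an added example in Python (not Acronis code and not part of the handout): it parses entries in the slide's layout, reads rotated .gz logs, and groups warnings and errors under each backup start. The 8-character ID width, the treatment of lines without a timestamp as continuations of the previous entry, and the constructed sample lines (times, sub-component names, error text) are assumptions.

```python
import gzip
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Header layout from the slide: timestamp, channel ID, level letter + ID,
# optional [sub-component], message body. The 8-character ID width and the
# optional colon after it are assumptions taken from the sample lines.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+)\s+"
    r"(?P<channel>\d+)\s+"
    r"(?P<level>[IWDE])(?P<uid>\w{8}):?\s*"
    r"(?:\[(?P<sub>[^\]]+)\]\s*)?"
    r"(?P<msg>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=([^;\n]*)")   # "Key=value; Key=value" pairs
LEVELS = {"I": "Information", "W": "Warning", "D": "Debug", "E": "Error"}
START, FAILED = "Command=Backing up", "Command has failed"

# Constructed sample: times, sub-component names and error text are made up.
SAMPLE = r"""2025-08-30T09:00:01-07:00 10124 I00000000: User is running command. Command=Backing up; User=WIN2019-DEMO1\Administrator; clientProfileID=; activityID=68E595DB-86FE-439E-B730-5B69FC07C965
2025-08-30T09:00:02-07:00 10124 I00000000: Task execution window: listen current preset from 0FA04A80-EBD5-4592-A830-09AD8B29886D
2025-08-30T09:00:05-07:00 10124 W00000000 [vss] Snapshot took longer than expected
2025-08-30T09:03:10-07:00 10124 E00000000 [archive] Access is denied
    path=\\nas01\backups
2025-08-30T09:03:11-07:00 10124 E00000000: Command has failed. Command=Backing up
"""


@dataclass
class LogEntry:
    ts: str
    channel: str
    level: str
    uid: str
    sub: Optional[str]
    msg: str

    def fields(self):
        """Key=value pairs found in the message body."""
        return {k: v.strip() for k, v in FIELD_RE.findall(self.msg)}


def parse_entries(lines):
    """Parse log lines; a line without a timestamp extends the previous entry."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = ENTRY_RE.match(line)
        if m:
            entries.append(LogEntry(m["ts"], m["channel"], LEVELS[m["level"]],
                                    m["uid"], m["sub"], m["msg"]))
        elif entries and line.strip():
            entries[-1].msg += "\n" + line
    return entries


def read_log(path):
    """Read a current log or a rotated, gzip-compressed one."""
    path = Path(path)
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return parse_entries(fh)


def backup_runs(entries):
    """Group warnings, errors and failure markers under each backup start."""
    runs, current = [], None
    for e in entries:
        # A failure line may repeat Command=Backing up; it is not a new start.
        if START in e.msg and FAILED not in e.msg:
            current = {"started": e.ts, "failed": False, "problems": [],
                       "activityID": e.fields().get("activityID")}
            runs.append(current)
        if current is None:
            continue
        if FAILED in e.msg:
            current["failed"] = True
        if e.level in ("Warning", "Error") or FAILED in e.msg:
            current["problems"].append(e)
    return runs


if __name__ == "__main__":
    for run in backup_runs(parse_entries(SAMPLE.splitlines())):
        state = "FAILED" if run["failed"] else "ok"
        print(run["started"], run["activityID"], state)
        for e in run["problems"]:
            print("  ", e.ts, e.level, e.sub or "-", e.msg.splitlines()[0])
```

Point `read_log` at a file from the ServiceProcess log folder, or at one of its rotated .gz copies, and pass the result to `backup_runs`.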

95
Troubleshooting tools – Process Monitor

• Using Process Monitor:
  • Process Monitor (ProcMon) is a free advanced
    monitoring tool from Microsoft that shows real-time file
    system, registry and process/thread activity:
    [Link]
    us/sysinternals/downloads/procmon
  • Used to track system and software activity to
    troubleshoot product, system or network issues,
    especially when it is necessary to track what files, folders,
    or registry keys a particular application or process
    accesses:
    • Process interruption or hang
    • Issues with installation/uninstallation/update
    • Locked files during backup, Access denied errors, etc.
  • Refer to the following KB for more information:
    [Link]
    Monitor-Log

Process Monitor is a free, advanced monitoring tool from Microsoft that captures
real-time file system, registry, and process activity. You can use it to troubleshoot
issues such as interrupted or unresponsive software processes, problems with
software installation, uninstallation, or updates, and locked files or access denied
errors during backups. Because Process Monitor can generate a large volume of
events, apply filters before saving the log to capture only the activity relevant to the
issue you are troubleshooting. For more information, refer to the Knowledge Base
article listed on the slide.

96
Troubleshooting tools – ProcDump

• Using ProcDump:
  • ProcDump is a free tool from Microsoft that allows you to create
    dumps of crashed/hung processes:
    [Link]
    us/sysinternals/downloads/procdump
  • Used to:
    • Troubleshoot crashed/hung Acronis software
    • Troubleshoot hardware resources (CPU/RAM) over-consumption
    • Collect dumps of crashed, hung and locked-up processes
      for escalating to Acronis support
  • KB on how to download and use ProcDump:
    [Link]
    ProcDump
  • List of Acronis Cyber Protect Windows processes:
    [Link]
    15-Windows-services-and-processes
  • List of Acronis Cyber Protect Linux processes:
    [Link]
    15-Linux-components-services-and-processes

ProcDump is a free, command-line tool for Windows that Microsoft provides to
create process dumps for crashed or unresponsive applications. You can use it to
troubleshoot crashed or hung Acronis software, as well as issues related to excessive
CPU or memory usage. When escalating an issue to Acronis Support, collect dumps
from crashed, hung, or locked processes and attach them to the support ticket. For
examples of how to collect dumps, based on whether the issue involves a crashed or
hung process, refer to the Knowledge Base article listed on the slide.

97
Troubleshooting tools – Scheduler Manager

• Using Scheduler Manager:
  • Scheduler Manager is an Acronis command line utility that allows
    you to manage scheduled tasks on Windows and Linux
  • Used to:
    • Monitor scheduled tasks.
    • Detect deleted backup tasks that still run.
    • Detect single not running tasks.
    • Collect Scheduler log in case of an issue
  • Windows location:
    • C:\Program Files\Acronis\BackupAndRecovery\[Link]
  • Linux location:
    • /usr/sbin/schedmgr
  • Refer to the following KB for more information:
    [Link]
    Troubleshooting-Scheduled-Backup-Issues

Main commands:
• get list – shows all registered tasks
• task N-N – selects task to take action
• task delete – deletes the task

Scheduler Manager is a command-line utility provided by Acronis and installed with
the agent. It is available for Windows and Linux and helps you troubleshoot issues
with scheduled tasks, such as when a deleted task continues to run on a machine.
Scheduler Manager provides a range of commands that you can use to investigate
and resolve these issues. For more information, refer to the Knowledge Base article
listed on the slide.

98
Troubleshooting tools – vssadmin

• Using vssadmin:
• Vssadmin is a Windows OS built-in tool that displays all
installed Volume Shadow Copy writers and providers and
helps in snapshot troubleshooting and analysis.
• Major use cases for vssadmin include, but are not limited
to:
• VSS writer failure.
• Shadow Storage management.
• VSS provider issue.
• For more details: [Link]
us/windows-server/administration/windows-
commands/vssadmin
• Refer to the following KB for more information:
[Link]
VSS-Troubleshooting-Guide

VSSadmin is a built-in command-line tool in the Windows operating system that you
use to troubleshoot VSS snapshot issues. These issues can include VSS writer failures,
insufficient shadow storage, and VSS provider errors. To learn more about the
available commands, refer to the Microsoft documentation or the Knowledge Base
article listed on the slide.

99
Troubleshooting tools – DiskShadow

• Using DiskShadow:
• DiskShadow is a Windows Server OS built-in tool that exposes
the functionality offered by the Volume Shadow copy Service
(VSS); it is helpful in troubleshooting snapshot-related issues.
• Major use cases for DiskShadow include, but are not limited
to:
• VSS writer failure.
• VSS provider failure.
• Using DiskShadow, you can check the functionality of the VSS
service components and the application VSS writers
independently of Acronis software.
• For more details: [Link]
server/administration/windows-commands/diskshadow
• Refer to the following KB for more information:
[Link]
to-Determine-Issues-with-VSS

DiskShadow is a built-in command-line tool in the Windows Server operating system
that provides more advanced functionality than VSSadmin. Like VSSadmin, you use it
to troubleshoot VSS snapshot issues. However, DiskShadow supports more complex
actions, such as testing VSS component functionality independently of Acronis
software. Using DiskShadow can help you determine whether an issue is related to
Acronis software or to the underlying VSS service components. To learn more about
the available commands, refer to the Microsoft documentation or the Knowledge
Base article listed on the slide.

100
Troubleshooting tools – Acronis VSS Doctor

• Using Acronis VSS Doctor:
  • Acronis VSS Doctor is a free tool to diagnose and fix
    issues with VSS: [Link]
    us/products/vss-doctor
  • Used for:
    • One-click diagnostic of all VSS components
    • Automatically collects data from scattered sources
      into a single report
    • Easily spots the weak places in the VSS infrastructure
    • Generates a report with the results of the tests
      performed
    • Fixes issues with one-click when a pre-defined
      solution is available

Acronis VSS Doctor is a free Windows tool from Acronis that you use to diagnose and
fix VSS issues. It includes a one-click diagnostic feature that checks the status of VSS
service components. After you run the diagnostics, you can review the results to
identify weaknesses in the machine’s VSS configuration. You can then save the results
as a report and resolve issues with a single click when a predefined solution is
available. To download the tool, go to the URL listed on this slide.

101
Troubleshooting tools – Wireshark

• Using Wireshark:
• Wireshark is a free network traffic analyzer that can
capture all network traffic to/from monitored network
adapters: [Link]
• Used to troubleshoot:
• Network connectivity issues (e.g., device is shown as
offline, while the actual machine is live).
• Backup failures (Cloud/network storage not
accessible).
• Backup to Cloud/network share interruptions.
• Refer to the following KB for more information:
[Link]
Logs-with-Wireshark-and-PCAP-Remote

Wireshark is a free network traffic analyzer and packet capture tool that you use to
troubleshoot network connectivity issues. These issues can include devices appearing
offline when they are actually online, as well as failures when backing up to the cloud
or a network folder. Like Process Monitor, Wireshark can display a large number of
entries, so you need to apply filters to capture only the packets relevant to the issue
you are troubleshooting. For more information, refer to the Knowledge Base article
listed on the slide.

102
Troubleshooting guides

• Acronis Cyber Protect log locations: [Link] logs-locations
• Troubleshooting installation issues: [Link] Troubleshooting-Installation-Issues
• Acronis Cleanup Utility: [Link] Acronis-Cyber-Protect-Acronis-Cyber-Backup-Cleanup-Utility
• How to upgrade to Acronis Cyber Protect 17: [Link] upgrade-to-Acronis-Cyber-Protect-16
• Slow backup/recovery speed: [Link] speed
• Collecting HAR logs: [Link] Collecting-HAR-Log
• How to troubleshoot WMI errors: [Link] WMI-errors
• Troubleshooting failing Cyber Protect definitions update: [Link] Troubleshooting-failing-Updating-Cyber-Protect-definitions-activities
• Troubleshooting management server registration: [Link] Unable-to-register-AMS-because-it-is-already-registered-to-another-account
• How to move a management server: [Link] Acronis-Cyber-Protect-15-Moving-Management-Server
• Acronis Cyber Protect 16 FAQ: [Link] FAQ

This slide lists URLs for useful troubleshooting guides available in the Acronis
Knowledge Base. When you download the student manual, you can keep this page as
a handy reference.

103
Escalating to Acronis support

• Getting support:
• Go to [Link] and log in using the
Acronis account used for registering your license keys.
• For customers with accounts created before Sep 2024:
• You will remain on [Link]
• Go to the Support tab and click on Technical issues to
see support options for your licensed Acronis Cyber
Protect products
• For customers with accounts created after Sep 2024:
• You will be redirected to the cloud console
• Click on the Help button on the top right of the page
and select Support Portal to switch to the Acronis
Support Portal
• Click on Contact Center > Technical issues to see
support options for your licensed Acronis Cyber
Protect products

To get support, go to [Link] and sign in using the Acronis account that
you used to register your license keys. If your account was created before September
2024, you remain on [Link]. Go to the Support tab and select Technical
issues to view the available support options for your licensed Acronis Cyber Protect
products. If your account was created after September 2024, you are redirected to
the cloud console. Click the Help button in the upper-right corner of the page and
select Support Portal to switch to the Acronis Support Portal. Then, click Contact
Center > Technical issues to view the available support options for your licensed
Acronis Cyber Protect products.

104
Escalating to Acronis support

• Opening support tickets:


• Split different issues in separate requests (you will get a
different support case number for each request)
• Description:
• Explain the issue and the symptoms
• Provide steps to reproduce the issue
• Describe the desired outcome you expect from the product
• Logs:
• Provide full error message and screenshots associated with the
issue.
• Provide the collected system information output as well as outputs
from any other troubleshooting tools used.
• Additional information:
• Provide user account login ID
• Provide device name (if applicable)
• Provide environment details (OS, network config etc.)

When opening a support case, submit each issue as a separate request so that each
one receives its own support case number. In the case description, clearly explain the
issue and its symptoms, include the steps needed to reproduce the problem, and
describe the expected outcome you want from the product. Be sure to provide the
full error message and any relevant screenshots. You should also attach the collected
system information and the output from any additional troubleshooting tools you
used. Finally, include supporting details such as the user account login ID, the affected
device name, if applicable, and relevant environment information, including the
operating system and network configuration.

105
Academy
Acronis Cyber Protect
What’s Next

So we are at the end of our course. What comes next?

106
Review the Materials

Download and
review the course
materials
Re-watch the videos
as many times as
you’d like

Feel free to come back and watch sections of this video as often as needed. Please be
sure to download any PDFs attached to this course for reference material and to
assist with the exam.

107
Take your test

Assessment:

20 MCQ Quiz

60 Min Working
Time

70% Passing
Grade

2 Attempts,
Open Book

The exam has 20 questions, and all the answers can be found in the PDFs
attached to the course.
You have one hour and need a 70% passing grade. You get two attempts, and the exam is
open book (the PDFs are searchable, so Ctrl+F is your best friend).

108
Thank you for watching

We have come to the end of this course, thank you for watching.

109
Cyber Foundation
Building a More Knowledgeable Future

Create, Spread and Protect


Knowledge with Us!
[Link]
#CyberFit

Building New Schools


Publishing Education Programs
Publishing Books

111
