Acronis Cloud Tech Associate Advanced Security EDR 2024 Handout


Academy

Cyber Protect Cloud


Cloud Tech Associate – Advanced
Security + EDR (Endpoint Detection and
Response)

Acronis Academy

Hello and welcome to the Cloud Tech Associate – Advanced Security + EDR course so
let’s get started.

1
Learning Objectives

• Identify and Explain Standard Security Components
• Understand Advanced Security Components
• Discover the Essentials of EDR
• Apply Knowledge through Case Study Analysis
• Provision and Set Up EDR

#CyberFit Academy

In this course you will learn to recognize the six essential security components
included in the standard security package. You will understand their benefits and how
they form the foundation of an organization's cybersecurity defense.
You will gain insights into the advanced security features available in the Advanced
Security + EDR pack. This includes comprehending the functionalities and importance
of real‐time antimalware scanning, local signature‐based detection, URL filtering, and
exploit prevention, and how they fortify cybersecurity efforts.
You will establish a foundational understanding of Endpoint Detection and Response
(EDR). You'll explore why EDR is a critical component of cybersecurity, how it
complements prevention strategies, and its role in the wider context of cyberthreat
management.
You will engage with a case study to apply your knowledge of both standard and
advanced security components. This practical exercise will demonstrate the real‐
world application and effectiveness of cybersecurity measures.

You will master the initial steps of working with EDR within Acronis Cyber Protect
Cloud. By learning to provision and set up EDR, you'll lay the groundwork for future
learning in more advanced topics like incident management, investigation, and
remediation.

2
Course Modules

1. Case Study
2. High Level Overview and Benefits
3. Standard Security Components
4. Advanced Security Components
5. EDR Components

Acronis Academy

There are different sections within this course so let us see what is in store for you.

We will start out with a short case study. Then we will go over a high-level overview
of what is included in the standard security components and then what is in the
Advanced Security + EDR pack.
We will then continue our exploration with seven standard security components such
as Real-Time Antimalware Scanning, Local Signature-Based Detection, URL Filtering
and Exploit Prevention.

Since prevention and detection cover different parts of the cyberthreat landscape, we
will then continue with the EDR or Endpoint Detection and Response portion of our
solution. This is a foundational aspect needed to ensure success with the Advanced
Security plus EDR pack. More technical information will be provided in the tech
professional course.


Specifically, we will go over a technical use case scenario that covers the reasons
to have EDR in addition to prevention layers. We also need to think about how
attacks can happen and how to respond to them. As stated, prevention and detection
cover different parts of the threat landscape, and we will go over that in the
next section.

And finally within the solution, we want to show you how to provision, setup and
navigate at a higher level the EDR component within Acronis Cyber Protect Cloud. In
the professional course, we will dive more into alerts, how to walk through incident
management, investigation and remediation. But for now, we need to build on a
foundation and understand aspects of the overall cyberthreat landscape and then
progress into the professional course with managing incidents.

So with that let us get started.

3
Acronis Education
Comprehensive Training for Every Scenario

MSP Academy
• Specialized technical and business education for MSPs
• Comprehensive understanding of EDR within Advanced Security Pack + EDR
• Evolutionary context
• Components of EDR
• Best practices, integration and holistic approach

Associate Level Certification
• Learn the most common use cases for security components within Advanced Security Pack + EDR
• Learn most utilized components
• Learn how to provision and setup EDR component

Professional Level Certification
• Learn the more sophisticated components
• Understanding how to navigate and remediate with the EDR component
• Learn about useful tools and utilities to assist in securing your cyber infrastructure

Acronis has created an MSP Academy, which is a vendor-neutral training environment
in bite-sized modules as well as various structured learning plans, all designed to help
service providers run and manage their practice. Related to EDR, learners gain an
understanding ranging from the historical evolution of the space to best practices
and integration with various tools for a holistic approach. As you can see on the
screen, the associate and professional course certifications show what would be
covered in those courses.

4
Cyber Protect Cloud
Case Study

I would like to present a specific case study related to our Safe Recovery feature,
which combines malware-focused cybersecurity with backup thanks to our native
integration, and how this can improve overall operational efficiency.

5
Meet Emma
(IT Manager of an SMB Company)

• Manages IT, Security and internal Support
• 15 servers and about 120 clients
• Using Acronis for local and Cloud Backup, another Vendor for Security
• After a visit from her Service Provider, started trying Acronis Advanced Security + EDR features

Emma is an IT Manager at a small to medium sized company who manages IT, security
and internal support. They currently have about 15 servers and about 120 endpoints
at the time of this course. They currently use Acronis for backup but have another
vendor for security solutions in their stack. Their service provider made a visit and
Emma started a trial of Advanced Security + EDR.

6
The Disaster and the Opportunity

• One of her managed applications crashed and got corrupted
• In a hurry, she selected the Cloud location and enabled Safe Recovery
• She discovered that there was an infected file in a backup
• She was able to clean the infected file and complete the Recovery process

Sometimes disasters can uncover opportunities. One of the applications Emma
manages crashed and corruption occurred. They selected the cloud location and
enabled the Safe Recovery feature, where one can scan for malware and clean during
the backup recovery process. They had an infected file in that backup and they were
able to clean the infected file and complete the recovery process. This is due to the
native integration of security and backup in one agent.

7
Signing up

Acronis Cyber Protect Cloud

• Avoided reinfection thanks to Safe Recovery
• Switched all workloads to Advanced Security + EDR
• Now manages Backups and Security operations from one single console

Emma realized the time savings from the Safe Recovery feature, since she did not know
there was an infected file. Had they recovered that backup with the infected file, they
would have needed to run another process from the other security vendor to validate
that the backup is clean. Emma realized that one console and one process for such an
action was worth switching all the endpoints. How that backup got infected, and
tracing it, will be a benefit of having EDR within the solution.

8
Cyber Protect Cloud
High Level Overview and Benefits

At this time, let's discuss a high-level overview of the security components and the
Acronis data center benefits.

9
Integrated Platform
An integrated solution of cyber security, backup, disaster recovery,
management and automation built specifically for SPs

Security

Standard Security
• #CyberFit Score
• Vulnerability Assessment
• Anti-ransomware protection
• AV and Anti-malware protection
• Device control
• Events collection

Advanced Security + EDR
• Anti-malware w/ local signature-based protection
• URL filtering
• Exploit prevention
• Forensic Backups
• Smart Protection Plans
• Endpoint Detection and Response

On the left you can see that we have in the standard security area various cyber
protection measures such as anti-ransomware capability, a vulnerability assessment
scanner and device control (all prevention-type solutions). With Advanced Security
plus EDR, there is so much more for an overall cyber protection strategy. If you are
looking at replacing another solution, this is what you will need. From local signature-
based detection to exploit prevention and URL filtering, we are covering the gamut. We
have a technical professional course covering the more sophisticated components of
Advanced Security plus EDR, so feel free to take that course to learn more about the
solution.

10
Ensure compliance and a local presence
Choose from over 50 data centers worldwide to store data – Acronis Hosted,
Google Cloud and Microsoft Azure

Over 50 data centers
Strong presence in Asia-Pacific: Singapore, Japan, Australia
Acronis Data Centers, Google Data Centers, Azure Data Centers

Acronis has over 50 data centers and continues to grow globally. We have several
locations where we natively integrate with Google Cloud and Microsoft Azure.
Besides providing a local presence, it helps with compliance and data sovereignty
regulations.

11
Cyber Protect Cloud
Standard Security Components

Let us go over the standard security components we will cover in this associate
course.

12
Standard Security Components

1. Safe Recovery
2. #CyberFit Score
3. Vulnerability Assessment
4. Quarantine
5. Active Protection
6. Antimalware (without local signature-based engine)

We will start with safe recovery which was used in the case study earlier. We will
discuss the cyberfit score mechanism along with the vulnerability assessment
scanner. We will then discuss a few aspects related to quarantine and spend a good
amount of time on Acronis Active Protection. Then we will finish this section with our
antimalware components that are included in the standard security stack within
Acronis Cyber Protect Cloud at no additional charge.

13
Cyber Protect Cloud
Safe Recovery

Let’s dive a little more into the details for safe recovery.

14
Safe Recovery

Antimalware scanning and deletion performed as part of recovery (prevents reinfection if malware is present):

• Windows physical or virtual machine with Agent for Windows installed
• Entire machine or disks/volumes backup of NTFS volumes
• Backups scanned: determine if malware present
• Backup recovered and detected malware deleted
• Not supported for CDP backups (recover to last regular backup without data in CDP)
• To recover CDP: start a files/folders recovery

As seen in the case study, a backup could be infected with malware. Recovering a
backup that contains malware, without native integration between the backup and
security components, typically involves extra steps in the process. The goal here is to
ensure that, when a backup is recovered, any malware present is deleted in the
process. This works on Windows machines with the Agent for Windows installed,
regardless of whether the machine is physical or virtual. These backups need to be
either entire-machine or disks/volumes backups of NTFS volumes. CDP, or continuous
data protection, is a feature in the Advanced Backup pack that captures certain
types of changes between regular backups, so feel free to inquire about that pack for
more details. When recovering, the machine can be recovered from the latest regular
backup without the CDP information. To recover the CDP data, one can then start a
files and folders recovery. Let's go to a very short video on how Safe Recovery works.

15
Cyber Protect Cloud
#CyberFit Score

Acronis CyberFit Score: what is it, and what value does it bring to service providers?

17
Acronis #CyberFit Score
Increase Cybersecurity Posture

Assess level of protection of machine:

• Backup enabled?
• Antimalware installed?
• Firewall in place?
• HDDs encrypted?
• VPN in use?

Suggests remediation options based on assessment

The CyberFit Score is a security assessment and scoring tool that assesses the security
posture and gaps in a client's environment by evaluating security metrics and
configurations, and provides recommendations for improvements.

18
#CyberFit Score for machines

Based on security assessment of a machine; #CyberFit scoring mechanism (max 850)

• Windows 7 and above
• Windows Server 2008 R2 and above
• Recalculated: Protection Plan applied or any module in Protection Plan is run
• Suggests remediation options based on assessment

Score components:
• Antimalware protection: 0-275
• Backup protection: 0-175
• Firewall: 0-175
• Encryption: 0-125
• VPN: 0-75
• NTLM Traffic: 0-25

CyberFit Score is available only for Windows machines and is recalculated whenever a
protection plan is applied or any module within a protection plan is run. There are
various scoring mechanisms for each of the items you see on the screen with
weighted numbers for points to a max of 850.

19
#CyberFit Score

Following ratings apply to machine:

0-579: Poor
580-669: Fair
670-739: Good
740-799: Very Good
800-850: Excellent

The overall score provides a rating on that machine. Let’s now go into the product
and get more information on how to look at this information and help and options.
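The two slides above give the per-category point ranges (summing to 850) and the rating bands. The following is an added example, not Acronis code, that puts those published numbers into one helper: it totals awarded points, rejects values above a category's maximum so a broken assessment feed cannot inflate a score, maps the total to the rating band, and ranks the categories with the biggest shortfall, which is where the suggested remediation would start. How Acronis awards partial points inside a category is not documented in this handout, so the caller supplies the awarded points; the sample assessment at the bottom is constructed.

```python
"""Added example (not Acronis code): #CyberFit category maxima and rating
bands from the handout, combined into a scoring and ranking helper."""

# Maximum points per category, as listed on the slide (they sum to 850).
CATEGORY_MAX = {
    "antimalware": 275,
    "backup": 175,
    "firewall": 175,
    "encryption": 125,
    "vpn": 75,
    "ntlm_traffic": 25,
}
MAX_SCORE = sum(CATEGORY_MAX.values())  # 850

# Rating bands from the slide; the lower bound is inclusive.
RATING_BANDS = [
    (800, "Excellent"),
    (740, "Very Good"),
    (670, "Good"),
    (580, "Fair"),
    (0, "Poor"),
]


def cyberfit_score(awarded: dict) -> int:
    """Total the awarded points. Unknown categories and points above the
    category maximum raise instead of being silently clamped. Categories
    missing from `awarded` count as 0 (the protection is absent)."""
    total = 0
    for category, points in awarded.items():
        if category not in CATEGORY_MAX:
            raise ValueError(f"unknown category: {category}")
        if not 0 <= points <= CATEGORY_MAX[category]:
            raise ValueError(f"{category}: {points} outside 0-{CATEGORY_MAX[category]}")
        total += points
    return total


def cyberfit_rating(score: int) -> str:
    """Map a total score to the rating label shown on the slide."""
    if not 0 <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside 0-{MAX_SCORE}")
    for lower_bound, label in RATING_BANDS:
        if score >= lower_bound:
            return label
    return "Poor"  # not reachable: the bands cover 0..850


def weakest_categories(awarded: dict, limit: int = 2) -> list:
    """Categories with the largest gap to their maximum, biggest first;
    ties are broken alphabetically. Fully satisfied categories are omitted."""
    shortfall = {c: CATEGORY_MAX[c] - awarded.get(c, 0) for c in CATEGORY_MAX}
    ranked = sorted(shortfall.items(), key=lambda kv: (-kv[1], kv[0]))
    return [c for c, gap in ranked[:limit] if gap > 0]


if __name__ == "__main__":
    # Constructed assessment: backup, antimalware and firewall in place,
    # NTLM hardened, but no disk encryption and no VPN.
    machine = {"antimalware": 275, "backup": 175, "firewall": 175,
               "encryption": 0, "vpn": 0, "ntlm_traffic": 25}
    score = cyberfit_score(machine)
    print(score, cyberfit_rating(score), weakest_categories(machine))
```

The constructed machine totals 650, which lands in the Fair band (580-669), and the helper points at encryption and VPN as the two categories with the most points to recover.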

20
Cyber Protect Cloud
Vulnerability Assessment

Let us now go over the vulnerability assessment scanner that is part of the standard
security components.

22
Vulnerability Assessment

Information from NVD (National Vulnerability Database)
CPOC sends information via agent
Another vulnerability assessment tool
• Great way to validate patching
Loss leader opportunity
• Patching service opportunity

The Acronis vulnerability assessment scanner is a tool to identify potential threats
generated by vulnerable software.

The information is derived from the NIST (National Institute of Standards and
Technology) national vulnerability database, which is maintained by MITRE.

The NIST NVD performs analysis on CVEs (Common Vulnerabilities and Exposures)
and publishes them to a CVE dictionary.

23
Vulnerability Assessment
CVE: Common Vulnerabilities and Exposures
CVSS Score (Common Vulnerability Scoring
System)
• Assigns severity scores: prioritize
responses/resources
• Low, Medium and High Severity Levels
a) Low: 0.1 – 3.9
b) Medium: 4.0 – 6.9
c) High: 7.0 – 10.0
d) None: 0
Search: https://nvd.nist.gov/vuln/search

The CVE is a glossary that classifies vulnerabilities, and severity scores are assigned
using the CVSS or Common Vulnerability Scoring System. This is to assist with
prioritizing responses and resources.
Feel free to go to this URL you see on the screen to look at different vulnerabilities
and information on them. At this time, let’s go into the solution and see where to set
this up and how to view these vulnerabilities.

24
Cyber Protect Cloud
Quarantine

26
Quarantine

Special isolated folder on machine's hard disk. Suspicious files placed there to prevent
further spread.

Locations:
• Windows: %ProgramData%\%product_name%\Quarantine
• Mac: /Library/Application Support/Acronis/Quarantine
• Linux: /opt/Acronis/Quarantine
To view, go to Protection > Anti-malware > Quarantine tab

Quarantine is called to action when a malicious file is detected by any of the anti‐
ransomware or anti‐malware engines: it is a special isolated folder on a machine's
hard drive where that suspicious file is placed, and this is done to prevent any further
spread of the threat. You can find here in the slide where the quarantine locations are
in the local drive for Windows, Mac and Linux machines. But the important thing to
know about the Cyber Protect Cloud Quarantine is that the web console will show
ALL the quarantined files detected by ALL the Agents in one single place. So the
quarantine tab in the console looks like a "Centralized Quarantine Management", and
I will show here shortly in a quick video.

27
Actions with Quarantined Files

Actions: Deleted, Restored, Added to whitelist

1. Non-malicious – add file to whitelist and restore
2. One-time action (antimalware added specific file, example: keygen) – use restore
3. Restore malicious file: detected during next scan and quarantined

Files automatically deleted after time period defined in Antimalware module (default 30 days)

When you go into the Quarantined Files section in the console, you will see that there
are three options available for each quarantined file. You can restore the file to its
original location; this means that the file can be detected once more in the future,
because it is no longer in the quarantine area. Or it may happen that a file is
detected as malicious by mistake, for example because it is part of a home-grown
application, the so-called "false positive". In this case you can add it to a whitelist
so that it won't be detected anymore in the future, and then restore it to its original
location. Or you can simply delete the file from the quarantine area. Please note that
by default quarantined files will be automatically deleted after 30 days, but this time
period can be defined in the anti-malware module options. Finally, please remember
that all those actions are centralized, which means that you can whitelist, restore or
delete files in the quarantine area of multiple machines with a single action, and this
allows you to be more efficient in managing quarantined files.
Now let's have a quick look at the Quarantine tab in the console.
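To make the three actions and the retention rule concrete, here is an added example, not Acronis code, that models the quarantine lifecycle described on the slide and in the notes above: a flagged file is moved to an isolated store; deleting removes it; restoring without whitelisting puts it back, so the next scan catches it again; whitelisting and restoring adds its hash to an allowlist that is checked before the detection list; and anything older than the retention period (30 days by default) is purged automatically. The hashes, paths and timestamps are constructed, and the detection list is a plain set standing in for the engine's verdict.

```python
"""Added example (not Acronis code): quarantine lifecycle model with
restore, whitelist-and-restore, delete and time-based purge."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample hashes and a constructed starting time.
KEYGEN_HASH = hashlib.sha256(b"constructed keygen sample").hexdigest()
REPORT_HASH = hashlib.sha256(b"constructed report document").hexdigest()
T0 = datetime(2024, 1, 15, 9, 0)


def day(n: int) -> datetime:
    """T0 plus n days, used to drive the retention check in the demo."""
    return T0 + timedelta(days=n)


@dataclass
class QuarantineEntry:
    sha256: str
    original_path: str
    detected_at: datetime


@dataclass
class Quarantine:
    retention_days: int = 30                       # slide default; plan-configurable
    known_bad: set = field(default_factory=set)    # hashes the engine flags
    allowlist: set = field(default_factory=set)    # whitelisted hashes, never flagged
    entries: dict = field(default_factory=dict)    # original_path -> QuarantineEntry

    def scan(self, path: str, sha256: str, now: datetime) -> str:
        """Verdict for one file; quarantines it when flagged. The allowlist is
        checked first, so a whitelisted false positive is never re-quarantined
        even though its hash may still be on the detection list."""
        if sha256 in self.allowlist:
            return "trusted"
        if sha256 in self.known_bad:
            self.entries[path] = QuarantineEntry(sha256, path, now)
            return "quarantined"
        return "clean"

    def delete(self, path: str) -> None:
        """Action 'Deleted': drop the isolated copy for good."""
        del self.entries[path]

    def restore(self, path: str, whitelist: bool = False) -> QuarantineEntry:
        """Action 'Restored' (optionally 'Added to whitelist' first). Without
        whitelisting the file is caught again on the next scan, as the slide says."""
        entry = self.entries.pop(path)
        if whitelist:
            self.allowlist.add(entry.sha256)
        return entry

    def purge_expired(self, now: datetime) -> list:
        """Automatic deletion once an entry is retention_days old; returns
        the paths that were purged."""
        cutoff = now - timedelta(days=self.retention_days)
        expired = [p for p, e in self.entries.items() if e.detected_at <= cutoff]
        for p in expired:
            del self.entries[p]
        return expired


def demo_lifecycle() -> list:
    """Constructed walk-through of the three actions and the 30-day purge."""
    q = Quarantine(known_bad={KEYGEN_HASH})
    log = []
    log.append(q.scan("C:/tools/keygen.exe", KEYGEN_HASH, day(0)))    # quarantined
    q.restore("C:/tools/keygen.exe")                                   # plain restore
    log.append(q.scan("C:/tools/keygen.exe", KEYGEN_HASH, day(1)))    # caught again
    q.restore("C:/tools/keygen.exe", whitelist=True)                   # false positive
    log.append(q.scan("C:/tools/keygen.exe", KEYGEN_HASH, day(2)))    # trusted
    log.append(q.scan("C:/docs/report.docx", REPORT_HASH, day(2)))    # clean
    q.known_bad.add(REPORT_HASH)            # constructed: a later update flags it
    log.append(q.scan("C:/docs/report.docx", REPORT_HASH, day(3)))    # quarantined
    log.append(q.purge_expired(day(32)))    # 29 days old: nothing purged
    log.append(q.purge_expired(day(33)))    # 30 days old: purged
    return log


if __name__ == "__main__":
    for step in demo_lifecycle():
        print(step)
```

The order of the two checks in `scan` is the point to take away: the allowlist must win over the detection list, otherwise "add to whitelist and restore" would still re-quarantine the file on the next scan.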

28
Section Summary

1. Safe Recovery provides the ability to scan and delete malware as part of the backup
recovery process, which will also prevent reinfection if malware is present. Acronis
CyberFit Score will assess the level of various protection mechanisms in place, such as
backup, antimalware, whether a VPN is in place, whether firewalls are in place and
whether hard drives are encrypted.
2. Vulnerability assessment scans systems to determine known vulnerabilities based on
the National Vulnerability Database and provides an opportunity to enter into a patch
management service as a loss leader or to validate patching performed with another
solution. Finally, when an item is quarantined, several options are available, such as
deleting, restoring or adding to an allowlist.

Safe Recovery, as part of a backup recovery process from a backup in the Acronis
Cloud, will scan for and delete malware to help prevent reinfection. Our CyberFit Score
assesses the level of different security protection mechanisms, ranging from backup
and antimalware to whether a VPN is in place, whether firewalls are present and
whether hard drives are encrypted.

The vulnerability assessment scanner will scan systems for known vulnerabilities
based on the NVD, or National Vulnerability Database, and provides an opportunity to
offer patch management as a service lead-in or, after scanning and patching with
another product, to help validate that systems are in fact properly patched. And finally,
when an item is quarantined, there are several options, from deleting or restoring the
file to adding it to an allow list.

30
Cyber Protect Cloud
Active Protection

Let’s look at Acronis Active Protection.

31
Active Protection

Ransomware blocks access to data

• Unless ransom paid: threatens to delete
• Double extortion: threatening to publicize data
• Triple: threatens DDoS attack
• Quadruple: aggressive harassment (contacting customers, employees, business partners and media to inform them about the compromise)
• Different ways in:
  • Open attachment: downloads malicious payload and encrypts
  • Utilize software exploits, flaws or other vulnerabilities to gain access
  • Internet-facing servers or remote desktop logins
  • Hunt network until they control as much as possible before encrypting

Before we dive into the benefits of Active Protection, why is this feature important to
your overall cybersecurity posture?

In the past, ransomware gangs used to encrypt data and ask for a ransom only (and
hopefully you would get the decryption key). But backups and restores, disaster recovery
and even reverse engineering allowed folks to avoid paying the ransom and recover
encrypted data. So they switched to a double-extortion method: they would encrypt
and steal data, then provide proof that they have such data and ask for money not to
publish it. A promise not to release it publicly, if you will, and keep in mind that
privacy issues and fines might follow if such confidential or personal data was stolen.
Even after all this, they would threaten a distributed denial of service attack to flood
and take down the network unless another fee is paid. Moving into 2024, we now have
a fourth stage where there is the threat to contact customers, employees, business
partners and even the media to inform them of the compromise.

There are various ways for ransomware to get into the network, from someone opening
an attachment to utilizing exploits or other vulnerabilities to gain access, say through
remote desktop logins or Internet-facing servers. And once in, they could hunt the
network for a while until they control as much as possible before encrypting.

32
Active Protection

Protects against:

• Ransomware (AI-based and process behavior)
• Process injection and crypto mining
• Malicious intent against Acronis backup files, processes, registry settings, configuration files and executables
• External drive attacks
• Network folder and server-side attacks

Active Protection functionality has been around since 2018 and since then it has been an
integral part of all Acronis Cyber Protection solutions.
Active Protection protects against ransomware, as we discussed on the last slide, to protect
local files and local backups from unauthorized modification or encryption. Further, it helps
protect Acronis processes, registry settings, configuration files and executables. This artificial
intelligence and behavior-based engine recognizes that local files are getting encrypted and
blocks the malicious process. There is also an option to instantly recover encrypted files from
a local service cache. For example, imagine that ransomware hits and encrypts one file; the
engine is not too sure yet, since encrypting one file can have a legitimate reason, as you will
see in a few slides from now. Then it encrypts another file and the agent detects that
something wrong is happening. Then at the third file the agent says no, this is ransomware,
I am going to stop you!
So now the threat has been blocked, but what about those three files? With this option
enabled (revert from cache), those three files were proactively copied into a cache and then,
as soon as the threat is detected, they are restored from that cache, so that no files are lost.
Active Protection also helps with process injection, cryptomining (which is using a victim's
CPU and GPU to mine cryptocurrency and earn money), external drive, network folder and
server-side attacks.
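The three-file sequence in the notes above (one file: not sure; two: suspicious; three: block and revert from cache) is easiest to understand as a small simulation. The following is an added example, not Acronis code: the real Active Protection engine is AI- and process-behaviour-based and its heuristics are not documented in this handout, so this model assumes a simple stand-in heuristic (a process rewriting files with high-entropy, ciphertext-like content), a threshold of three distinct files, and a per-process cache copy taken before the first modification of each file. The "disk" is an in-memory dict, the file contents are constructed, and the trusted-process set mirrors the "never consider malware" option discussed later in this section.

```python
"""Added example (not Acronis code): toy behaviour-based monitor with
block-on-third-file and revert-from-cache, as described in the notes."""
import math
from collections import Counter, defaultdict

SUSPECT_FILES_THRESHOLD = 3   # block on the third suspicious file (from the notes)
ENTROPY_THRESHOLD = 7.0       # bits per byte; assumed cut-off for "looks encrypted"

# Constructed stand-in for ciphertext: every byte value equally often (8.0 bits/byte).
ENCRYPTED_LIKE = bytes(range(256)) * 4


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class ActiveProtectionModel:
    def __init__(self, files: dict):
        self.files = dict(files)                # path -> bytes, the "disk"
        self.cache = {}                         # (pid, path) -> bytes before first write
        self.suspect_files = defaultdict(set)   # pid -> paths rewritten with high entropy
        self.blocked = set()                    # pids that were stopped
        self.trusted = set()                    # pids never considered malware

    def write(self, pid: int, path: str, new_content: bytes) -> str:
        """Mediate one write. Returns 'denied', 'allowed' or 'blocked'."""
        if pid in self.blocked:
            return "denied"
        # Proactively keep the pre-modification copy so a later revert is possible.
        self.cache.setdefault((pid, path), self.files.get(path, b""))
        self.files[path] = new_content
        if pid in self.trusted:
            return "allowed"        # e.g. a whitelisted archiver or backup tool
        if shannon_entropy(new_content) >= ENTROPY_THRESHOLD:
            self.suspect_files[pid].add(path)   # a set: same file rewritten counts once
            if len(self.suspect_files[pid]) >= SUSPECT_FILES_THRESHOLD:
                self._block_and_revert(pid)
                return "blocked"
        return "allowed"

    def _block_and_revert(self, pid: int) -> None:
        """Stop the process and restore every file it touched from the cache."""
        self.blocked.add(pid)
        for (p, path), original in list(self.cache.items()):
            if p == pid:
                self.files[path] = original
                del self.cache[(p, path)]


def demo() -> dict:
    """Constructed scenario: pid 1001 encrypts three documents and is stopped at
    the third; pid 2002 is a trusted tool producing the same high-entropy output."""
    docs = {"a.docx": b"A" * 50, "b.xlsx": b"B" * 50, "c.pdf": b"C" * 50}
    m = ActiveProtectionModel(docs)
    ransomware = [m.write(1001, path, ENCRYPTED_LIKE) for path in docs]
    reverted = m.files == docs               # all three files back to their originals
    m.trusted.add(2002)
    archiver = [m.write(2002, path, ENCRYPTED_LIKE) for path in docs]
    return {"ransomware": ransomware, "reverted": reverted, "archiver": archiver,
            "denied_after_block": m.write(1001, "a.docx", ENCRYPTED_LIKE)}


if __name__ == "__main__":
    print(demo())
```

Two details carry the lesson: the cache copy is taken before the write is applied, not after detection, which is why the first two "allowed" files can still be recovered; and a trusted process bypasses only the verdict, not the caching, so a revert remains possible if trust is later revoked.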

33
Active Protection

Process Injection

• Used for legitimate purposes
  • Debuggers hook into an application
  • Antivirus services inject into browsers to investigate browser behavior, website content and Internet traffic
• Used for malicious purposes
  • Hiding the true nature of actions (hiding existence)
  • Masking to look like legitimate processes
  • DLL injection is the most common to appear
  • Others like Portable Executable (PE) injection, process hollowing and registry modification

Related to process injection on the last slide: process injection is where one attaches a
process to another process and works along with it. Please note that process injection is not a
malicious technique by itself; it can also be used for legitimate purposes. For example, debugger
software can hook into applications to catch bugs or code flaws, and some anti-virus solutions
inject their processes into browsers to investigate browser behavior, website content and
Internet traffic.
The problem is when process injection is used for malicious purposes: usually the idea is to
hide the true nature of actions behind legitimate processes, so that everything looks okay. Would
you stop the notepad process if you found it open? Maybe it's not only notepad, but a crafted
version of notepad which is also running some malicious activity! There are several other
types of process injection: for example DLL (dynamic link library) injection, that is injecting
malicious code into a legitimate DLL, is becoming more common; there is also portable
executable (PE) injection, process hollowing and registry modification.
So adversaries may inject code into processes in order to evade process-based defenses as
well as possibly elevate privileges. Process injection is a method of executing arbitrary code in
the address space of a separate live process. Running code in the context of another process
may allow access to the memory space of that process, to system or network resources, and
possibly to elevated privileges. Execution via process injection may also evade detection by
security products, since the execution is masked under a legitimate process.

34
Active Protection

Trusted or blocked processes and folders

• Specify certain processes never considered malware
  • Example: home-grown application
• Specify certain processes to always be blocked

With Active Protection you can also trust or block processes and folders depending
on your needs. You can specify that certain processes must never be considered as
malware, for example in the case of a home-grown application which works heavily on
files, like a file-based database that opens, works on and adds files to archives; it
may happen that such operations are considered malicious when they are not. On
the other side, you can also specify that certain processes must always be blocked,
for any reason.

35
Active Protection
Protects collaboration and communications applications (self-protection selection):

• Zoom, Cisco WebEx, Microsoft Teams, Citrix Workspace
• Protect application processes from code injections
• Prevent suspicious operations by application processes
• Protect the "hosts" file from added domains related to the application
• Supported OS: Windows

This is the Self-Protection functionality that is applicable to
collaboration/communication tools and provides certain types of protection for them.
Further, it helps with hardening our agent, registry settings and other items to make
sure our agent is not compromised. By hardening our agent, this helps prevent an
attacker from using it as a gateway to compromise backups in the cloud. So let me
show you in the web console where the Active Protection options are.

36
Active Protection
Things to help

Active Protection
• Apply Active Protection

Manage access control and running privileges
• Apply Least Privilege (minimal privileges to users)
  • No elevation of privileges without administrator consent
  • Process launched by standard user: inherits permissions and limited in system level changes
  • Zero trust if possible

Allow Listing inside Acronis Cyber Protect Cloud
• Help prevent unvetted software running

So what are some things one can do to help against the threats we have discussed
here with Active Protection? Well, you want to make sure you stop a ransomware
attack as early as possible (preferably at the desktop, before it can infect the
network and other users).

First, apply Active Protection in a protection plan. One should also manage access
control and the privileges granted to users.

Apply at the very least the concept of least privilege, which is granting users the
minimum privileges needed to access the resources required to do their job. For
example, one should not allow elevation of privileges without an administrator's
consent. If a process gets launched by a standard user, it should inherit that user's
permissions and be limited in the system-level changes it can make.

There is also the concept of zero trust, and this is another avenue if feasible. This is
a framework that requires all users, whether they are inside or outside the company
network, to be authenticated, authorized and continuously validated for their security
configuration and posture before being granted or keeping access to applications and
data. NIST, the National Institute of Standards and Technology, has a publication
called SP 800-207 with more information on this topic. As NIST puts it, zero trust
assumes there is no implicit trust granted to assets or user accounts based solely on
their physical or network location or on asset ownership.

And finally, have some form of allow listing to help prevent unvetted software from
running. This means allowing only trusted files, applications and processes to run;
anything else (unless added) is denied. NIST recommends this in its publication
SP 800-167. As you will see, the Advanced Security plus EDR pack has the ability to
perform whitelisting based on backup scanning capabilities with data stored in
Acronis Data Centers.

38
Cyber Protect Cloud
Antimalware
(Standard Security Components)

At this time let's go over some features related to antimalware in the standard
security components.

42
Antimalware – Standard Components

Cloud Based Signature Detection (File Reputation Services (FRS))

• Specific hash-based small signatures: not much data sent to look up
• Cloud look-up could help for on-demand scan (something not executed)
• If executed: can look up but might have already started
• FRS determines if file is good or bad
• Using (among other things) VirusTotal: doing hash checking against cloud database

With cloud-based signature detection, we utilize File Reputation Services. This
works with specific hash-based small signatures: when a file is scanned, the hash of
that file is taken and compared with hashes in the database to determine if it is
malicious. If it matches, then it means that the file is infected. File Reputation Services
determine if a file is good or bad.

Cloud-based detection can help with on-demand scanning, that is, with something that
has not been executed. Why? Because if something is executed and its hash is looked
up in the cloud, it may be detected, but it is too late, as the malware might have already
started, unless it was in the database already. We are not using any sandbox analysis,
so no files are sent off: only the hashes.

We are using our own File Reputation Service along with VirusTotal.

43
Antimalware – Standard Components

Cloud Based Signature Detection (File Reputation Services (FRS))

• Example: VirusTotal says 10 AV vendors detected the file
  1. Some plausibility checking and add to our list for blocking with FRS right away
  2. 10 is not a magic number
  3. Statistical guess on VirusTotal so not a fixed number (Symantec and McAfee could have higher weights)
• May take a while until first "victim" uploads a file. Benefit to having Advanced Security + EDR Pack.
• Behavior-based detection and other layers might help but not guaranteed

Say a file on the system is scanned by the antimalware engine and its hash is sent to File Reputation Services. In this example VirusTotal reports that 10 antivirus vendors detect the file as infected. After some plausibility checking we add the hash of that file to our block list. The number 10 is not a fixed threshold: vendors are weighted, so detections from vendors such as Symantec or McAfee count for more than others, and the decision is a weighted statistical estimate of whether the file should be put on the list.

There is a concern with this method. It may take a while until the first "victim" uploads a file and it becomes part of the VirusTotal reputation database; until then the hash is simply unknown. Cloud-based detection alone is therefore NOT enough to be protected, which is where the Advanced Security + EDR pack helps.
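As an added example (not Acronis code, and not the actual FRS protocol), the Python below shows the look-up flow just described: only the file's hash leaves the endpoint, the cloud answers with per-vendor verdicts, and a weighted sum decides whether the hash goes on the block list. The vendor names, weights, threshold, sample files and cloud database are all constructed for illustration; the "unknown" result models the first-victim problem, a file nobody has uploaded yet.

```python
import hashlib

# Assumed vendor weights (illustrative, not Acronis values); vendors not listed count 1.0
VENDOR_WEIGHTS = {"VendorA": 2.0, "VendorB": 2.0}
BLOCK_THRESHOLD = 10.0   # assumed weighted score at which the hash is added to the block list
KNOWN_GOOD = set()       # plausibility check: hashes of trusted files are never blocked


def sha256_of(data: bytes) -> str:
    """Only this digest leaves the endpoint; the file content itself is never sent."""
    return hashlib.sha256(data).hexdigest()


def weighted_score(verdicts: dict) -> float:
    """Sum the weights of the vendors that flagged the hash."""
    return sum(VENDOR_WEIGHTS.get(vendor, 1.0) for vendor, flagged in verdicts.items() if flagged)


def frs_verdict(file_hash: str, cloud_db: dict) -> tuple:
    """Return (verdict, score). 'unknown' models a file that nobody has uploaded yet."""
    if file_hash in KNOWN_GOOD:
        return ("clean", 0.0)
    verdicts = cloud_db.get(file_hash)
    if verdicts is None:
        return ("unknown", 0.0)
    score = weighted_score(verdicts)
    if score >= BLOCK_THRESHOLD:
        return ("malicious", score)
    return ("clean" if score == 0 else "suspicious", score)


# Constructed sample files standing in for real binaries
SAMPLE_MALWARE = b"MZ\x90\x00constructed-malicious-sample"
SAMPLE_BENIGN = b"MZ\x90\x00constructed-benign-sample"
SAMPLE_NEW = b"MZ\x90\x00constructed-never-seen-sample"

# Constructed cloud database: eight vendors flag the malware, two of them with weight 2.0,
# so the weighted score reaches 10 with fewer than ten raw detections
CLOUD_DB = {
    sha256_of(SAMPLE_MALWARE): {
        "VendorA": True, "VendorB": True, "VendorC": True, "VendorD": True,
        "VendorE": True, "VendorF": True, "VendorG": True, "VendorH": True,
        "VendorI": False,
    },
    sha256_of(SAMPLE_BENIGN): {"VendorA": False, "VendorC": False},
}


def scan(data: bytes, cloud_db: dict = CLOUD_DB) -> tuple:
    """Hash the file locally and ask the (simulated) cloud for a verdict."""
    return frs_verdict(sha256_of(data), cloud_db)


if __name__ == "__main__":
    for name, blob in (("malware", SAMPLE_MALWARE), ("benign", SAMPLE_BENIGN), ("new", SAMPLE_NEW)):
        print(name, scan(blob))
```

Eight raw detections reach the threshold here because two vendors carry extra weight, which is the point of treating "10" as a statistical estimate rather than a fixed count. Note also that an unknown hash is not a clean hash: a real agent must leave that file to the other layers rather than allow it.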

44
Antimalware – Standard Components

• Supports Windows, Linux and macOS
  • 3rd-party antivirus present when applying Protection Plan real-time component: alert generated and on-access protection stopped to prevent conflicts
• Quick / Full scans configurable
  • Full scan: checks all files on machine
  • Quick scan: checks only machine system files
  • Detected threats quarantined and automatically deleted after 30 days (default)
• Exclusions can be configured
  • Trust certain files, folders and processes
  • Block specific processes

Our antimalware capabilities are supported on Windows, Linux and macOS systems.

The antimalware engine has both on-access and on-demand capabilities, so files are scanned for infections as they are opened or during a scheduled scan. Later in this course you will understand why enabling the real-time component while another solution's real-time component is running is strongly not recommended. Our solution will prevent this to avoid conflicts.

For scanning we have a Full scan, which checks all files on the machine, and a Quick scan, which checks only system files. All files detected as infected are moved into the quarantine area and deleted after 30 days by default; the number of days can be changed in each protection plan. Finally, specific files, folders and processes can be trusted (and not scanned), or processes can be put on a block list so that they are always stopped.

45
Section Summary

1. Acronis Active Protection assists with blocking ransomware, and the self-protection mechanism assists with locking down our software and agent, along with protection of various communication and collaboration tools against exploits.

2. File reputation services will send specific small hash-based signatures and perform a cloud look-up, which would help with an on-demand scan. Quick or full scans can be performed, and various files, folders or processes can be configured as trusted or blocked.

Acronis Active Protection is a feature that helps prevent ransomware attacks: it blocks ransomware from encrypting your files and holding them hostage. Additionally, the self-protection feature secures the Acronis software itself: its registry keys, executables, configuration files and the agent. It also provides protection against certain exploits targeting communication and collaboration tools, as mentioned in this course.

File reputation services utilizes small, unique signatures based on hashes. These hash
signatures are sent to a cloud database for a quick check, which is really helpful with
on demand scanning.

You can choose between quick or full scans, depending on how thorough you want
the scan to be. Additionally, you have the ability to set certain files, folders, or
processes as trusted (meaning they're considered safe) or blocked (meaning they're
not allowed) based on your preferences.

46
Cyber Protect Cloud
Advanced Security Components


Let us go over the advanced security components we will cover in this associate
course.

47
Advanced Security Components

1. Real-Time Antimalware Scanning
2. Local Signature-Based Detection
3. URL Filtering
4. Backup Scanning
5. Corporate Allowlist
6. Remote Wipe
7. Exploit Prevention

Within the Advanced Security + EDR pack, the Advanced Security prevention items shown on the screen will be presented in this course. As stated earlier, the remaining advanced security prevention components not covered here are covered in the professional course.

48
Cyber Protect Cloud
Real-time Antimalware Scanning


Real-time antimalware scanning is an important part of cyber protection, so let us dive into this feature.

49
Real-time Antimalware Scanning

• Real-time: runs in the background the entire time the system is powered on (unless paused by the computer user); constantly checks for malicious threats depending on scan mode
• On-access (default): files scanned when accessed for reading or writing (or when launching a program)
• On-execution: scans only executables when launched
• Applying a protection plan with real-time scanning turned on while another solution is running: real-time scanning will not be enabled, to protect the machine from conflicts

The antimalware engine has both on-access (the default) and on-execution modes, so files are scanned for infections either as they are opened or only when an executable is launched.

It may happen that a third-party antivirus solution is running on the system with its real-time feature enabled. When a Protection Plan with the antimalware module enabled tries to apply real-time protection to that machine and the third-party solution is detected, an alert is generated and the real-time setting is not applied, to avoid conflicts. Running two different engines with real-time protection at the same time is strongly NOT recommended. First, performance: two engines scanning every file access can consume a lot of resources, and one of the products will get first right of refusal to analyze the file anyway. Second, false positives: one engine may detect the other engine's activity on a file as suspicious. Finally, while rare, two real-time filters working at a low level on the same file at the same time can corrupt it. So if you want the full functionality, disable or, preferably, uninstall the third-party solution.

50
Behavior Engine

Behavioral Heuristics

• Protects workloads using behavioral heuristics to identify malicious processes.
• Compares the chain of actions performed by a process with chains of actions recorded in a database of malicious behavior patterns.

Our behavior engine is an additional layer of protection that can be enabled in a protection plan. This protection works using behavioral heuristics to identify malicious processes: the engine compares the chain of actions performed by a specific process with the chains of actions recorded in a huge database of malicious behavior patterns.
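To make the chain-of-actions idea concrete, here is an added Python example (not the Acronis engine or its pattern database): per-process action chains are built from an event stream and compared against ordered patterns. The action names, patterns and events are constructed; a real engine has far more patterns and richer matching, but the order-sensitive subsequence match is the core idea.

```python
# Constructed pattern database: ordered action chains seen in malware families. A pattern
# matches when its steps occur in this order; unrelated actions may appear in between.
MALICIOUS_PATTERNS = {
    "ransomware-like": ["enumerate_user_files", "delete_shadow_copies", "mass_file_rename"],
    "downloader-like": ["network_connect", "write_executable", "execute_written_file"],
    "credential-dump-like": ["open_lsass", "read_process_memory", "write_file"],
}


def chain_matches(actions: list, pattern: list) -> bool:
    """True if every step of `pattern` occurs in `actions` in the same relative order."""
    step = 0
    for action in actions:
        if step < len(pattern) and action == pattern[step]:
            step += 1
    return step == len(pattern)


def detect(events: list, patterns: dict = MALICIOUS_PATTERNS) -> dict:
    """Group (pid, action) events into per-process chains and report matching patterns."""
    chains = {}
    for pid, action in events:
        chains.setdefault(pid, []).append(action)
    hits = {}
    for pid, chain in chains.items():
        matched = [name for name, pattern in patterns.items() if chain_matches(chain, pattern)]
        if matched:
            hits[pid] = matched
    return hits


# Constructed event stream: pid 4242 behaves like ransomware; pid 1337 is a backup tool that
# enumerates and renames files but never touches shadow copies, so it does not match.
EVENTS = [
    (4242, "enumerate_user_files"),
    (1337, "enumerate_user_files"),
    (4242, "network_connect"),
    (4242, "delete_shadow_copies"),
    (1337, "mass_file_rename"),
    (4242, "mass_file_rename"),
    (7, "write_file"),
]

if __name__ == "__main__":
    print(detect(EVENTS))
```

The backup tool in the sample enumerates and renames files but never deletes shadow copies, so it does not match; requiring all steps, in order, is what keeps such legitimate software from tripping the pattern.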

51
Stacktrace AI Analyzer

• ML-based malware detection technology
• Recognizes legitimate/malicious injections
• Analysis of 25B+ processes
• 100M+ unique stacktrace database
• Advantages:
  • Trusted processes monitoring
  • Lightweight GBM ML model
  • Fast response time: ~10 ms

Let's dig a little deeper into our machine learning based anti-malware detection technology, which we call the Stacktrace Artificial Intelligence Analyzer. We have analyzed more than 25 billion execution stacks (the chain of important calls a running process has made) from both good and bad processes, classified them, and built a database of more than 100 million unique stacktraces. So the stacktrace database covers the applications and processes we have tested. We do not only classify processes as they are; we can also recognize injections of malicious modules into different types of processes, including trusted ones.

But how do we respond quickly when a process starts on the system? This is where the artificial intelligence comes in: we use a GBM, or Gradient Boosting Machine, machine learning model. GBM is sometimes referred to as MART (multiple additive regression trees) or GBRT (gradient boosted regression trees). It combines the predictions of many decision trees to produce the final prediction. We use a lightweight GBM variant that uses a histogram-based method to choose the split points in its decision trees, which allows a fast response time of about 10 milliseconds. Now let's jump into our lab to see all the antimalware options in the web console.

52
Cyber Protect Cloud
Local Signature-Based Detection
Antimalware


Lets discuss the benefit of having a local signature‐based detection engine.

53
Local Signature Based Detection

• Known threats, higher processing speed and low false positive rates
• Slow Internet connection benefit

In a protection plan, under the antivirus and antimalware area, you will see Advanced antimalware, which is the local signature-based detection engine. By default the solution uses our own local signature-based detection engine.

Signature-based detection is one of the most direct and well-established methods of identifying malicious code. Think of a fingerprint: each is unique, and so is each known signature. A signature is a unique identifier for a known piece of malicious code, normally a specific byte sequence found in it or the hash of the whole file, and the engine compares scanned files against a database of such known malicious patterns. If a match is found, the file is considered malicious. Because the database is local, detection is fast and has a low false positive rate, and it keeps working when the Internet connection is slow or unavailable, unlike the cloud file reputation services discussed earlier. The flip side is that it only recognizes threats whose signatures are already in the database, so the database must be kept updated and other layers are needed for new or modified malware.
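An added example of what a local signature engine does, with constructed signatures rather than Acronis ones: it matches files against byte-pattern signatures (with single-byte wildcards) and whole-file hashes, entirely offline. The sample files and signature names are constructed.

```python
import hashlib
import re

# Constructed local signature database (not Acronis signatures). Two signature kinds:
# whole-file SHA-256 hashes, and byte patterns in which "??" matches any single byte.
PATTERN_SIGNATURES = {
    "Constructed.Dropper.A": "4d 5a 90 00 ?? ?? 45 56 49 4c",                 # MZ header, 2 wildcards, "EVIL"
    "Constructed.Script.B": "70 6f 77 65 72 73 68 65 6c 6c 20 2d 65 6e 63",  # "powershell -enc"
}
SAMPLE_KNOWN = b"constructed sample known only by its hash"
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_KNOWN).hexdigest(): "Constructed.Known.C"}


def compile_pattern(signature: str) -> re.Pattern:
    """Turn a space-separated hex signature with ?? wildcards into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in signature.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED_PATTERNS = {name: compile_pattern(sig) for name, sig in PATTERN_SIGNATURES.items()}


def scan_bytes(data: bytes) -> list:
    """Return the names of all local signatures that match `data`; no network needed."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    hits.extend(name for name, regex in COMPILED_PATTERNS.items() if regex.search(data))
    return hits


# Constructed samples
DROPPER_V1 = b"MZ\x90\x00\x03\x00EVIL" + b"\x00" * 16
DROPPER_V2 = b"MZ\x90\x00\x07\x01EVIL" + b"\x00" * 16   # differs only in the wildcard bytes
SCRIPT = b"echo hi\r\npowershell -enc SQBFAFgA\r\n"
VARIANT = b"MZ\x90\x00\x03\x00EV1L" + b"\x00" * 16      # marker changed: no signature for it yet

if __name__ == "__main__":
    samples = (("v1", DROPPER_V1), ("v2", DROPPER_V2), ("script", SCRIPT),
               ("known", SAMPLE_KNOWN), ("variant", VARIANT))
    for label, blob in samples:
        print(label, scan_bytes(blob))
```

The two dropper samples differ only in the wildcard bytes and are both caught, while the variant whose marker changed is missed: that is the known-threats-only limitation of signatures in action.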

54
Cyber Protect Cloud
URL Filtering


Acronis also provides URL Filtering so let us see how this works and is applied.

55
URL Filtering

Malware distributed by malicious or infected sites

• Checks HTTP/HTTPS connections against URL filtering database
• Deemed malicious: prevented from accessing, or warning alert shown
• HTTPS: prevent option only / no warning alert
• Database includes sites sourced from URLhaus¹
• Manually add Trusted or Blocked sites
• 44 website categories: helps blocking traffic to website categories to which access was prohibited (alert generated)

¹ URLhaus database https://urlhaus.abuse.ch/browse/ includes submissions from Google Safe Browsing (GSB), Spamhaus DBL and SURBL

We know from research that most infections originate from malicious emails (URLs can be placed inside emails), and malware is also distributed through malicious websites: hidden links or well-crafted sites that pretend to do something useful while trying to infect the machine.

The most common method of infecting machines through websites is the drive-by download. URL Filtering prevents access to malicious websites or domains by checking HTTP and HTTPS connections against a large URL filtering database; we use URLhaus, linked on the slide. If the URL the browser is trying to reach is in that database (and definitions are up to date), the user is either prevented from accessing the site or shown a warning alert with the option to continue or drop the connection. The warning option applies to HTTP connections only; for HTTPS connections the connection is simply prevented and no warning is shown, so for HTTPS sites the "warn" setting behaves like "block".

You can also add particular URLs to a list of trusted or blocked sites manually, and you can allow or block Internet surfing for your end users through 44 website categories. For example, if a user tries to connect to Facebook and your client does not want users spending time on social networks, you simply set the Social Network category as denied. Categories and trusted URLs can be combined: you can deny all social network websites through the category option but set Instagram as a trusted website, so users can reach Instagram and no other social media site in that category. When adding a trusted or blocked location, enter only the domain, with no scheme prefix: abc.com, for example, covers both the http and https site and all of its subdomains, so there is no need to put www or anything else in front.

At this time, let us go through several examples in the product on how this all works.
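The precedence rules described above, as an added Python example (not Acronis code): manual entries are normalised to a bare domain that covers both schemes and all subdomains, a trusted entry overrides a denied category, and a malicious site over HTTPS is blocked outright because no warning page can be shown. The category names, domains and the order in which the lists are consulted are assumptions for illustration; check the product's own precedence before relying on it.

```python
from urllib.parse import urlsplit

# Constructed category and reputation data (not Acronis data). The category names are
# assumptions; the product has 44 categories.
CATEGORY_DB = {
    "facebook.com": "Social Network",
    "instagram.com": "Social Network",
    "example-news.test": "News",
}
MALICIOUS_DOMAINS = {"malware-dl.test"}   # stands in for the URLhaus-sourced database
DENIED_CATEGORIES = {"Social Network"}
MALICIOUS_MODE = "warn"                  # product setting for malicious sites: "warn" or "block"


def normalise(entry: str) -> str:
    """Reduce a manually entered site to a bare domain: no scheme, path or leading www."""
    host = entry.strip().lower()
    if "://" in host:
        host = urlsplit(host).hostname or ""
    host = host.split("/")[0]
    return host[4:] if host.startswith("www.") else host


# Manual lists as an administrator might type them, normalised before use
TRUSTED = {normalise(e) for e in ("https://www.instagram.com/",)}
BLOCKED = {normalise(e) for e in ("example-news.test",)}


def matches(host: str, entries) -> str:
    """Return the matching entry if `host` equals it or is one of its subdomains, else ''."""
    for entry in entries:
        if host == entry or host.endswith("." + entry):
            return entry
    return ""


def category_of(host: str) -> str:
    return CATEGORY_DB.get(matches(host, CATEGORY_DB), "")


def decide(url: str) -> tuple:
    """Return (action, reason) where action is 'allow', 'warn' or 'block'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if matches(host, TRUSTED):                    # assumed precedence: trusted entries win
        return ("allow", "trusted site")
    if matches(host, BLOCKED):
        return ("block", "blocked site")
    if matches(host, MALICIOUS_DOMAINS):
        if parts.scheme == "https" or MALICIOUS_MODE == "block":
            return ("block", "malicious site")    # no warning page is possible over HTTPS
        return ("warn", "malicious site")
    category = category_of(host)
    if category in DENIED_CATEGORIES:
        return ("block", f"category {category} denied (alert generated)")
    return ("allow", "no rule matched")


if __name__ == "__main__":
    for u in ("https://www.instagram.com/p/1", "http://facebook.com/", "http://malware-dl.test/a.exe",
              "https://malware-dl.test/a.exe", "http://cdn.example-news.test/x", "https://example.org/"):
        print(u, decide(u))
```

Because matching is by domain suffix, the single entry instagram.com covers www.instagram.com and any other subdomain over either scheme, which is why the product needs no scheme or www prefix in manual entries.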

56
Video
URL Filtering

Placeholder for video

57
Section Summary

1. Real-time scanning runs in the background and can be on-access (default) or on-execution. It checks the entire time the system is powered on unless paused by the computer user. Acronis also provides behavioral heuristics to identify malicious processes, comparing the chain of actions a process performs against a database of malicious patterns.

2. Local signature-based detection is good for known threats and a benefit if one has a slow Internet connection. Finally, URL filtering checks http and https connections against a database that includes sites sourced from URLhaus. One can manually add trusted or blocked sites and deny or allow site categories. If a site is https, only the prevention option will work.

Real-time scanning is a feature that quietly runs in the background of your computer. It can work in two ways: by checking files as you access them (the default setting) or only when you run a program. This scanning runs the whole time your computer is turned on, unless you pause it yourself.

Additionally, Acronis offers behavioral heuristics. This feature identifies potentially harmful processes by looking at the sequence of actions they take and comparing it to a database of known malicious patterns. In simpler terms, it watches how programs behave and flags them as suspicious if they behave the way malware commonly does.

Local signature-based detection is effective at identifying known threats. It is especially useful on a slow Internet connection because it does not depend on the cloud file reputation service for each verdict.

URL filtering checks websites accessed over both HTTP and HTTPS against a database that includes websites gathered from URLhaus. You can manually add websites to your trusted or blocked list, and you can set rules to allow or deny access to whole categories of websites.

As a reminder, if a website uses HTTPS, only the prevention option will work.

58
Cyber Protect Cloud
Backup Scanning


Ok so let’s continue with advanced security components and hit on backup scanning.

59
Backup Scanning

Cloud storage scanned for malware (prevent restoring infected files):

• Windows OS only
• Only Entire machine or disks/volumes backups
• NTFS file system with GPT or MBR partitioning volumes
• Acronis Cloud Backups only
• After backup scanning plan created, placed in queue for execution
• May take time for scan to start/complete depending on queue; will show "Not Scanned" status until scanning complete

Sometimes when we take a backup of our machines we are not aware that some files are infected, or the backups have been compromised directly. When such a backup is later restored to a machine, the infected files are restored with it and the machine is reinfected. Scanning backups for malware prevents restoring infected files. Keep in mind that this works for Windows operating systems only, the file system must be NTFS (NT File System, sometimes called New Technology File System) with either GPT (GUID partition table) or MBR (master boot record) partitioning, and only entire-machine or disk/volume backups can be scanned. It also works with Acronis cloud backups only, because the components responsible for scanning run in our data centers only; think of it as an agent in the cloud. To enable it, create a backup scanning plan and select which backup archives should be scanned for malware. The plan runs once per day and the scans go into a queue. Once a scan completes, the status of the scanned backups shows either no malware or malware detected; until it has run, the status shows Not Scanned. Let me now show you how to set up a backup scanning plan and its options.

60
Cyber Protect Cloud
Corporate Allowlist


The corporate allowlist goes hand in hand with backup scanning, so let us go over the benefits of a corporate allowlist.

62
Corporate Allowlist

• Applications detected as false positives
• Need to add manually as trusted applications (avoid unwanted errors and disruptions)
• Automated by scanning cloud backups:
  • Backup scans: two or more machines required; enable Automatic generation of whitelist
  • Level of heuristic detection configurable: Default | Low | High
• Once automatic generation of allowlist is enabled, manual adding of applications will be available (allow seven days to run)
• Allowlist used by all agents during antimalware scanning

Companies may have specific applications, maybe even home-grown ones, that antivirus solutions detect as false positives. Such applications need to be added as trusted applications to an allowlist to avoid unwanted errors, application disruptions or even data corruption.

Doing this manually for every machine and every item is time-consuming. The corporate allowlist is an allowlist of trusted applications for all machines in the tenant, built automatically. How does it work? If you enable the Automatic generation of whitelist option, the backups of at least two machines stored in the Acronis cloud data center are scanned (so backup scanning is required), and all applications, libraries and other relevant items that are found in common across those machines and were never detected as malicious are added to the corporate allowlist automatically. This scanning has to run for seven days before the list appears; after that it is also possible to add items manually. You can also set the level of heuristic detection of applications to one of three values. The corporate allowlist is used by all agents registered in that tenant during their antimalware scanning. Now let's go to a quick video on how this is all set up.

63
Cyber Protect Cloud
Remote Wipe


At this time let’s discuss the remote wipe capabilities in the Advanced Security Pack
plus EDR.

65
Remote Wipe

Deletion of all data on a remote machine (loss or theft):

• Windows 10 and 11
• Select machine, click on Details > Wipe data¹
• Remote wipe initiated when machine is turned on and connected to Internet (no undo)
• All data deleted and machine returned to factory default state

¹ Remote wipe uses the RemoteWipe CSP and requires Windows Recovery Environment (Windows RE) to be enabled on the machine in order to function

With the Remote Wipe feature you can remotely initiate the deletion of all data on a machine that has been lost or stolen. The agent calls the Windows RemoteWipe configuration service provider (CSP), which returns the operating system to its factory default state and thereby deletes all data on the machine; this requires the Windows Recovery Environment (Windows RE) to be enabled on the machine. For the process to start, the machine must be turned on and the agent connected to the Internet. You can also issue the command while the machine is turned off: as soon as the agent comes back online it receives the command from the cloud and the wipe starts. Be careful: there is no undo, and once started the process cannot be stopped. This functionality is available for Windows 10 and Windows 11 only. Let's go into the product with a quick video to see how this is done.

66
Cyber Protect Cloud
Exploit Prevention


An important protection mechanism is exploit prevention and let us go over the four
types of exploit prevention items we cover.

68
Exploit Prevention

Detects and prevents malicious processes from exploiting software vulnerabilities on a system

• Memory protection
• Code injection
• Privilege escalation
• ROP protection (return-oriented programming)

The four types of exploit prevention can be checked or unchecked individually. It is recommended to leave them all enabled unless specifically instructed by the Support Team (or you know what you are doing), for example when a specific application appears not to work properly with one of them enabled.

69
Exploits

Memory protection: Stops attacks based on modification of the execution rights of memory pages that look suspicious. Such modifications are made to enable shellcode execution from areas like stacks and heaps.

Code injection: Malicious code injected into remote processes, to hide the malicious intent of an application behind clean processes (and evade detection by antimalware solutions).

Memory protection stops attacks based on changing the execution rights of memory pages in suspicious ways. Since stacks and heaps are mentioned here, a quick description of what they are. The stack holds the temporary variables created by a function and is a linear (last-in, first-out) structure; its memory is allocated automatically when a function is called and released when the function returns, and it is always one contiguous block. The heap holds memory that the program allocates and frees explicitly (for example with malloc and free) for data whose lifetime is not tied to a single function call; because blocks are allocated and freed in arbitrary order, the heap can become fragmented. Neither region normally needs to be executable, which is why making a stack or heap page executable is a strong signal of shellcode being prepared.

Code injection places malicious code into another, legitimate process so that the malicious activity appears to come from a clean process. The injected code may exploit a bug in how the target handles invalid data, or the attacker may write code into a vulnerable program and redirect its execution. Techniques in this family include token manipulation, process hollowing, reflective DLL loading, stack pivots and "early bird" injection. For those not familiar with these: process hollowing starts a legitimate executable in a suspended state, removes its code from memory, writes the attacker's code in its place and then resumes it; the malware that does this is commonly delivered through phishing emails. Token manipulation steals or duplicates the access token of another, typically higher-privileged, user and attaches it to a malicious process, so the process runs with that user's rights and its actions appear to be that user's; the attacker needs access to a process or session of the target account to obtain the token. A stack pivot switches the stack pointer to an attacker-controlled fake stack, so that function arguments and return addresses are under the attacker's control. Reflective DLL loading maps a DLL into process memory without using the Windows loader: the DLL carries its own loader code that resolves imports and relocations, so it never has to exist on disk and may not show up in the list of loaded modules. Finally, early bird injection writes code into a legitimate process and schedules it to run before the process reaches its entry point, so hooks that security products install around the program's normal start may never see it.

SQL injection and cross-site scripting (XSS) are also injection attacks, but at the application layer rather than in process memory, so they are not what this component addresses. XSS is a flaw where user input is placed into a web page's HTML output without being checked for HTML or script content, so an attacker's script runs in other users' browsers. SQL injection takes advantage of SQL syntax to insert commands into an entry field that the application passes to the database, so that the injected statements read or modify the database or change the meaning of the original query. Both require a vulnerability in the application software.

70
Exploits

Privilege escalation: Stops elevation of privileges made by unauthorized code or applications. Goal: prevent unauthorized code from accessing system resources or modifying system settings.

Return-oriented programming (ROP): Allows an attacker to execute code in the presence of security defenses like code signing and executable-space protection.

Privilege escalation protection stops the elevation of privileges by unauthorized code or applications; the goal is to prevent unauthorized code from accessing system resources or modifying system settings. Escalation usually exploits a bug or misconfiguration in the operating system or an application to obtain more access than intended. There is vertical and horizontal escalation. Vertical escalation, the most typical case, is when a lower-privileged user or application gains access reserved for higher-privileged users or applications, for example through a buffer overflow that lets an attacker execute arbitrary code as the local system account. Horizontal escalation is when a user gains access to the resources of another user at the same privilege level.

Return-oriented programming lets an attacker run code of their choosing even in the presence of defenses like code signing and executable-space protection (DEP/NX): instead of injecting new code, the attacker gains control of the call stack, hijacks the program flow and chains together short fragments of existing, already executable code. The usual entry point is a stack buffer overflow. I mentioned buffer overflows twice here, so to be precise: in a stack buffer overflow, more data is written to a buffer on the stack than the space allocated for it, so adjacent stack memory, including saved return addresses, is overwritten. The result is either a crash, because the overwritten data makes no sense, or a change in program flow, because the new data is interpreted as valid stack entries. Let us quickly go into the solution to show you where in a protection plan these options are set.
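As an added illustration (not Acronis code) of the checks behind memory protection and ROP protection, the Python below classifies addresses against a constructed process memory map: a protection change that makes a stack or heap page executable, or any page both writable and executable, is refused, and a sensitive API call whose stack pointer has left the thread's stack or whose return address is outside any loaded image is treated as a stack pivot or ROP chain. Addresses, region layout and API names are illustrative.

```python
from dataclasses import dataclass


@dataclass
class Region:
    start: int
    end: int
    kind: str     # "image" (loaded executable/DLL), "stack", "heap" or "private"
    rights: str   # "r--", "rw-", "r-x", ...


# Constructed memory map of one process (addresses are illustrative, not from a real system)
MEMORY_MAP = [
    Region(0x00400000, 0x00480000, "image", "r-x"),   # main executable code
    Region(0x00600000, 0x00700000, "heap", "rw-"),
    Region(0x7FF00000, 0x7FF80000, "image", "r-x"),   # a system DLL
    Region(0x7FFD0000, 0x7FFE0000, "stack", "rw-"),   # thread 1 stack
]
THREAD1_STACK = MEMORY_MAP[3]


def region_of(addr: int, mmap=MEMORY_MAP):
    for r in mmap:
        if r.start <= addr < r.end:
            return r
    return None


def check_protect_change(addr: int, new_rights: str, mmap=MEMORY_MAP) -> str:
    """Memory protection: refuse to make stack/heap pages executable or any page W+X."""
    r = region_of(addr, mmap)
    if r is None:
        return "suspicious: protection change on unmapped address"
    if "x" in new_rights and r.kind in ("stack", "heap"):
        return f"block: {r.kind} page made executable"
    if "w" in new_rights and "x" in new_rights:
        return "block: writable and executable page"
    return "allow"


def check_critical_call(api: str, stack_ptr: int, return_addr: int,
                        thread_stack: Region = THREAD1_STACK, mmap=MEMORY_MAP) -> str:
    """ROP / stack pivot: when a sensitive API is entered, the stack pointer must still lie inside
    the thread's registered stack and the caller's return address must be in an image region."""
    if not (thread_stack.start <= stack_ptr < thread_stack.end):
        return f"block: stack pivot detected in {api}"
    r = region_of(return_addr, mmap)
    if r is None or r.kind != "image":
        return f"block: {api} called from non-image memory"
    return "allow"


if __name__ == "__main__":
    print(check_protect_change(0x7FFD1000, "rwx"))                        # shellcode on the stack
    print(check_protect_change(0x00410000, "r-x"))                        # normal image page
    print(check_critical_call("VirtualProtect", 0x00650000, 0x00401234))  # stack pointer moved into the heap
    print(check_critical_call("VirtualProtect", 0x7FFD8000, 0x00401234))  # legitimate call
```

Legitimate software can trip these rules too, for instance just-in-time compilers that create writable-then-executable pages, which is why the guidance above is to disable an individual exploit-prevention type only when a specific application breaks.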

71
Section Summary

1. Backup Scanning works with backups stored in the Acronis cloud: backups are scanned for malware from a queue and you are informed of any threats. When the backups of two or more machines are scanned, an allowlist of trusted items can be generated automatically. One can also manually list trusted applications.

2. Acronis Remote Wipe works on Windows 10 and 11 machines and returns them to the factory default state. Finally, the exploit prevention area protects against memory protection changes, code injection, privilege escalation and return-oriented programming type attacks.

Backup Scanning works with your backups stored in the Acronis cloud. It scans these backups for malware and lets you know if any threats are found. When backups of two or more machines are scanned, an allowlist can be generated automatically: a list of items you trust, so that they are treated as safe during future scanning. You can also add trusted items to this list manually, giving you more control over what is considered safe.

The Acronis remote wipe feature works with Windows 10 and 11 computers. It allows you to remotely erase everything on the computer and return it to its original, factory default state.

The exploit prevention options help safeguard your computer from several types of attack. They protect against code injection, suspicious changes to memory page protections, attempts to gain higher privileges on the system, and return-oriented programming attacks that reuse existing program code for malicious purposes.

73
Cyber Protect Cloud
EDR Component


Welcome back. At this time I would like to focus on the EDR component specifically
within the Advanced Security plus EDR pack. So let’s get started here.

74
EDR Component

1. What is EDR and Use Case
2. How Attacks Happen
3. Prevention VS Detection
4. Provision and Setup

In this section let us talk about exactly what is EDR and a technical use case. In order
to start researching attacks, let’s understand how attacks happen. We will then cover
prevention versus detection since they cover different parts of the threat landscape.
And then we will demonstrate how to provision for your client and setup within a
protection plan.

75
Cyber Protect Cloud
Advanced Security + EDR
What is EDR


Welcome back. What exactly is EDR and how does it fit within Acronis Cyber Protect
Cloud?

76
What is EDR

Event Correlation Security Platform

• Capable of identifying advanced threats or in-progress attacks
• Collects endpoint events
• Correlates with machine learning and security analytic algorithms to highlight security incidents
• Two main advantages:
  • Incident investigation
  • Incident response (containment and remediation)
• Records activities/events taking place on endpoints
• Visibility to uncover incidents otherwise invisible

What is EDR (endpoint detection and response) and why have it? EDR is an event correlation security platform. It continuously monitors and collects endpoint events to detect and respond to cyberthreats such as ransomware and malware in general. It records activities and events, stores endpoint system-level behavior and applies data analytics to it. The goal is to detect suspicious system behavior, provide contextual information, block malicious activity and provide remediation suggestions to restore affected systems.

There are two main advantages: incident investigation and incident response (containment and remediation).

So EDR records the activities and events taking place on endpoints, giving security teams continuous visibility into what is happening and the ability to uncover incidents that would otherwise remain invisible.

77
What is EDR

DETECT and RESPOND to advanced attacks: minimal investigation efforts

• Provide business resilience and continuity: more holistic protection across NIST
• Minutes-not-hours detection and incident analysis across MITRE ATT&CK®
• Rapid turn-on and scale
• Identify, Protect and Recover – pre-integrated capabilities

With Acronis Endpoint Detection and Response (EDR) capabilities you as a service
provider can DETECT, and RESPOND to advanced attacks that sneak past other
endpoint defenses with minimal investigation efforts, with pre‐integrated IDENTIFY,
PROTECT, and RECOVER capabilities.

The Advanced Security + EDR pack provides business resilience and continuity with a
more holistic protection across the NIST framework. Acronis has pre‐integrated
recovery capabilities to remediate with a single‐click response. This is the power of
backup, disaster recovery, patch management along with security inside one agent
and console.

78
What is EDR

Visibility into attack chain

• How did they get in?
• How did they hide their tracks?
• How did it cause harm?
• How did it spread?
• Focus threat hunting using an emerging threat intelligence feed to search for Indicators of Compromise
• Prioritized visibility of suspicious activities across endpoints, rather than a flat list of alerts

An important value of Advanced Security + EDR is that it enables service provides to


analyze an attack in minutes and unlock rapid response with automated human‐
friendly interpretation of the attack. The solution provides complete visibility into the
attack chain to understand:
How did it get in?
How did it hide its tracks?
How did it cause harm?
How did it spread?

This enables incident investigation to be done in minutes rather than hours without
requiring rigorous training or resource‐intensive operations. It also enables your team
to focus efforts on what matters with prioritized visibility of suspicious activities
across endpoints and emerging threat intelligence feeds.

With the Acronis EDR component, you can monitor the threat landscape, search for
Indicators of Compromise and take automatic remediation actions.

I want to take a minute to discuss the Indicators of Compromise reference and what
they are.

IoCs serve as forensic evidence of potential intrusions on a host system or network.
They help to detect intrusion attempts (or other types of malicious activity). Examples
are unknown files, applications and processes on a system, suspicious activity in
administrative or privileged accounts, or suspicious registry changes.

IoCs are like "breadcrumbs" that let a service provider detect malicious activity early
in an attack sequence. Unusual activities are red flags that indicate potential (or
in-progress) attacks that could lead to a data breach or system compromise. IoCs are
not always easy to detect. Identifying the various IoCs to look for, then correlating
and piecing them together to analyze a potential threat or incident, is of great value.
Finally, IoCs are evidence that a cyber-attack has taken place; they give valuable
information not just on what happened but also serve to prepare for the future and
prevent similar attacks.
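The following is an added example, not code from the course or from any Acronis product, showing what matching the IoC types listed above looks like in practice. It runs a handful of constructed endpoint telemetry records (process starts, logons, registry writes, network connections) against a small, hypothetical IoC set: the file hash, the 198.51.100.23 destination, the account names and the telemetry lines are all made up for the example, and the business-hours rule for privileged logons is a simple illustrative heuristic.

```python
"""Added example, not Acronis code: match constructed endpoint telemetry
against hypothetical Indicators of Compromise of the kinds listed above."""
from collections import Counter
from datetime import datetime

# Constructed IoC set: hypothetical values, not real threat intelligence.
IOC_FILE_HASHES = {
    "5f3a9c0e7b2d41e8a6c4f1d0b9e8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0",
}
IOC_NETWORK_DESTINATIONS = {"198.51.100.23"}   # documentation range, assumed bad
PRIVILEGED_ACCOUNTS = {"administrator", "svc_backup"}
BUSINESS_HOURS = range(8, 19)                  # 08:00 to 18:59 local time
# Autostart keys: a write here by an unexpected process is a persistence hint.
SUSPICIOUS_REGISTRY_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}

# Constructed telemetry, one record per line: timestamp|host|type|k=v;k=v;...
SAMPLE_TELEMETRY = r"""
2024-03-04T09:12:05|ws-01|process|user=jsmith;image=C:\Windows\explorer.exe;sha256=1111111111111111111111111111111111111111111111111111111111111111
2024-03-04T10:05:00|ws-02|network|user=jsmith;dst=203.0.113.5;dport=443;process=C:\Program Files\Google\Chrome\Application\chrome.exe
2024-03-04T23:41:10|ws-01|logon|user=Administrator;logon_type=10
2024-03-04T23:42:30|ws-01|process|user=Administrator;image=C:\Users\Public\update.exe;sha256=5f3a9c0e7b2d41e8a6c4f1d0b9e8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0
2024-03-04T23:43:02|ws-01|registry|user=Administrator;key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run;value=update;process=C:\Users\Public\update.exe
2024-03-04T23:43:40|ws-01|network|user=Administrator;dst=198.51.100.23;dport=443;process=C:\Users\Public\update.exe
"""


def parse_record(line):
    """Split one telemetry line into a dict; key=value pairs become fields."""
    ts, host, kind, fields = line.split("|", 3)
    attrs = dict(f.split("=", 1) for f in fields.split(";") if f)
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": kind, **attrs}


def find_iocs(telemetry_text):
    """Return one finding per record that matches an IoC, in record order."""
    findings = []
    for line in telemetry_text.strip().splitlines():
        r = parse_record(line)
        reason = None
        if r["type"] == "process" and r.get("sha256", "").lower() in IOC_FILE_HASHES:
            reason = f"known-bad file hash for {r['image']}"
        elif (r["type"] == "logon"
              and r.get("user", "").lower() in PRIVILEGED_ACCOUNTS
              and r["ts"].hour not in BUSINESS_HOURS):
            reason = f"privileged account {r['user']} logged on outside business hours"
        elif r["type"] == "registry" and r.get("key", "").lower() in SUSPICIOUS_REGISTRY_KEYS:
            reason = f"autostart write to {r['key']} by {r.get('process')}"
        elif r["type"] == "network" and r.get("dst") in IOC_NETWORK_DESTINATIONS:
            reason = f"connection to known-bad destination {r['dst']} by {r.get('process')}"
        if reason:
            findings.append({"ts": r["ts"].isoformat(), "host": r["host"], "reason": reason})
    return findings


def summarize_by_host(findings):
    """Count findings per host: several hits on one host in a few minutes are
    the 'breadcrumbs' worth piecing together into one investigation."""
    return dict(Counter(f["host"] for f in findings))


if __name__ == "__main__":
    for f in find_iocs(SAMPLE_TELEMETRY):
        print(f["ts"], f["host"], f["reason"])
    print(summarize_by_host(find_iocs(SAMPLE_TELEMETRY)))
```

Run on the constructed records it flags four of the six lines, all on ws-01 and all within three minutes of an off-hours privileged logon; the two daytime records from jsmith match nothing. Real IoC feeds are far larger and change daily, which is why the course pairs IoC search with an updated threat intelligence feed rather than a static list like this one.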

What is EDR
Select actions to take: respond with single click.

Identify: inventory and data classification (better understand attack surface)
Protect: threat feed, forensic insights, patch management, blocking analyzed attacks
Detect: continuous monitoring, URL filtering, threat intelligence feed, event correlation
Respond: investigation, forensic data collection, endpoint isolation, killing processes, quarantine threats, attack-specific rollbacks
Recover: backup and disaster recovery


At the time of recording, the NIST Cybersecurity Framework has five pillars. There
will be a sixth related to governance, but let us look at the five pillars and how we
work within this framework.

Identify
You need to know what you have in order to fully protect it and investigate it. Our
platform includes both inventory and data classification tools to better understand
attack surfaces.

Protect
We help close security vulnerabilities by using our threat feed, forensic insights, and
natively integrated tools across the broader Acronis platform, like patch management
and blocking analyzed attacks.

Detect
You get continuous monitoring using automated behavioral- and signature-based
engines, URL filtering, an emerging threat intelligence feed, and event correlation.

Respond
You want to investigate threats and conduct follow‐up audits using a secure, remote
connection into workloads or reviewing automatically saved forensic data in backups.
Then you need to remediate say via isolation, killing processes, quarantining, and
attack‐specific rollbacks.

And finally

Recover
You want to ensure systems, data and the client's business are up and running using
our fully integrated backup and disaster recovery products and solutions.

Section Summary

1. EDR analyzes system, process and user activity to detect security threats on
endpoints. Its two main advantages are incident investigation and response. It
provides visibility into the attack chain and focuses threat hunting using an emerging
threat intelligence feed to search for indicators of compromise.

2. When an incident occurs, one can select actions to take and respond rapidly,
including isolating a workload and remediating via the rollback of files and registry
entries, through to integrated backup, disaster recovery and patch management
capabilities when properly licensed.


EDR, or Endpoint Detection and Response, is a system that examines what's
happening on your computer, including system activities, processes running, and
actions taken by users. Its main job is to spot any potential security threats on your
computer.
There are two key benefits of using EDR. First, it's really helpful for investigating
security incidents. It gives you a clear view of how an attack happened, step by step.
Second, it's great for responding to security incidents. EDR allows you to take action
when a threat is detected.
One way EDR works is by showing you the entire sequence of events during an attack.
This helps you understand how the attack happened and what needs to be done to
stop it. It also actively searches for signs that your computer may have been
compromised by using up‐to‐date information using emerging threats intelligence to
search for indicators of compromise.

When a security incident happens, you have the option to choose what actions to
take. You can respond quickly by doing things like isolating a specific workload or fixing
the problem by undoing changes made to files and registry settings. Further, one can
utilize our integrated backup, disaster recovery, and patch management features, as
long as you have the right licenses in place.

Cyber Protect Cloud
EDR Use Case – Missed Patch /
Forgot To Patch


I want to get you thinking about one scenario as an example of why Advanced
Security + EDR is something to seriously consider. This use case will specifically focus
on reasons to have EDR in addition to preventative technologies.

Use Case EDR – Missed Patch/Forgot To Patch

Patch preventing attackers from remotely executing code on the targeted web application not applied:

• Bad bug – can mess with system anywhere in the world
• Attacker performing reconnaissance
• Sent http request with malicious code tucked in content-type header
• Run queries to give better sense of some database structure and how many records
• SQL command to identify general details of data tables and select a sample of records from a database
• CWE of say Improper Input Validation as example


Say you missed a patch or forgot to patch a system, and the software has a bad bug.
An attacker starts by performing reconnaissance (I will explain the different stages of
an attack later), or, put another way, exploring the targeted systems. In this example
they send an HTTP request with malicious code tucked away in a Content-Type
header. Various queries are run to give the attacker a better sense of the database
structure and how many records are in there.
Then a SQL command is generated to identify general details of the data tables and
select a sample (a small number) of records from the database.
So let's say a CWE (Common Weakness Enumeration) is being exploited. CWE, which
is maintained by MITRE, provides a common language for discussing, finding and
dealing with the causes of software security vulnerabilities found in code, design or
system architecture. When a CWE is mentioned it refers to a single weakness type. If
interested, the MITRE website has the list and provides detailed definitions for each
individual CWE.
In our example we are using CWE-20 (Improper Input Validation), where the product
receives input or data, but it does not validate or incorrectly validates that the input
has the properties required to process the data safely and correctly.
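To make the CWE-20 step concrete, here is an added example that is not from the course and does not describe any real product's vulnerability. It sketches a hypothetical web handler that reads the charset parameter out of the Content-Type header and uses it in a database lookup without validation, next to a hardened version; SQLite stands in for the back-end database, and the table names and the crafted header are constructed for the example. The point is the one the scenario makes: a header value the server never validates is enough to run schema discovery queries.

```python
"""Added example, not Acronis code: a hypothetical handler that trusts the
Content-Type charset parameter (CWE-20) beside a hardened version."""
import re
import sqlite3


def make_db():
    """Constructed stand-in for the application's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE charsets (name TEXT);
        INSERT INTO charsets VALUES ('utf-8'), ('iso-8859-1');
        CREATE TABLE customers (id INTEGER, email TEXT, ssn TEXT);
        INSERT INTO customers VALUES (1, 'ann@example.com', '000-00-0001');
    """)
    return conn


def charset_from_header(content_type):
    """Pull the charset parameter out of a Content-Type value exactly as sent."""
    for param in content_type.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "charset":
            return value.strip().strip('"')
    return "utf-8"


def resolve_charset_vulnerable(conn, content_type):
    """Vulnerable: the header value is interpolated straight into SQL, so a
    crafted header can append a query against sqlite_master (the 'queries to
    understand the database structure' in the scenario) or any other table."""
    charset = charset_from_header(content_type)
    query = f"SELECT name FROM charsets WHERE name = '{charset}'"
    return [row[0] for row in conn.execute(query).fetchall()]


# Hardened: check the parameter has the shape a charset token can have,
# then pass it to the database as a bound parameter, never as SQL text.
CHARSET_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:-]{0,39}")


def resolve_charset_hardened(conn, content_type):
    charset = charset_from_header(content_type)
    if not CHARSET_TOKEN.fullmatch(charset):
        raise ValueError("rejected Content-Type charset parameter")
    rows = conn.execute("SELECT name FROM charsets WHERE name = ?", (charset,))
    return [row[0] for row in rows.fetchall()]


BENIGN_HEADER = "text/plain; charset=utf-8"
# Constructed attack header: closes the string literal and appends a schema query.
MALICIOUS_HEADER = "text/plain; charset=' UNION SELECT sql FROM sqlite_master --"


def demo():
    """Run both handlers against the crafted header and report what happened."""
    conn = make_db()
    leaked = resolve_charset_vulnerable(conn, MALICIOUS_HEADER)
    try:
        resolve_charset_hardened(conn, MALICIOUS_HEADER)
        blocked = False
    except ValueError:
        blocked = True
    return {"leaked_schema": leaked, "hardened_blocked": blocked}


if __name__ == "__main__":
    for line in demo()["leaked_schema"]:
        print("vulnerable handler returned:", line)
    print("hardened handler blocked the header:", demo()["hardened_blocked"])
```

With the benign header both handlers return the same answer, which is why a bug like this survives testing. With the crafted header the vulnerable handler returns the CREATE TABLE statements for every table, including the customers table the attacker then samples, while the hardened handler refuses the parameter before any query runs. The regex is the input validation part of the fix; the bound parameter is the part that would still protect you if the validation were wrong.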

Use Case EDR – Missed Patch/Forgot To Patch

Patch preventing attackers from remotely executing code on the targeted web application not applied:

• Next Stop: Upload "web shells" to gain access to a web server
• Positioned to collect credentials (thus access to back-end databases)
• (ex. Break into a building: easier to do if a resident leaves first floor window unlocked and you manage to steal employee IDs)


Now that CWE-20 is exploited, the attacker uploads "web shells" to gain access to a web
server. For reference, web shells are malicious scripts that enable a threat actor to
compromise web servers and then launch additional attacks. The attackers first
penetrate a system (or network) and then install a web shell. After this they use it as
a backdoor into the targeted web applications and any connected systems.

So after uploading web shells, the attacker is now positioned to collect credentials
and gain access to back-end databases. The analogy is that it is easier to break into a
building if a resident leaves a first-floor window unlocked and you happen to have
employee IDs.

Use Case EDR – Missed Patch/Forgot To Patch

Patch preventing attackers from remotely executing code on the targeted web application not applied:

• Next Stop: run series of SQL commands to find valuable data
• Getting that data is one thing: getting it undetected is another
• Store stolen data in temporary files (and if large compress and break into manageable sizes)
• Attacker keeps transmissions small to avoid suspicion
• After exfiltrating, delete the compressed files to minimize the trail
• Attacker deep enough: could use existing encrypted communication channels to send queries and commands (look like normal activity)


With the web shells uploaded, the attacker runs a series of SQL commands to find
valuable data. Now, getting the data is one thing: the key for the attacker is to get this
data out undetected. So stolen data goes into temporary files, and a large file would
most likely be compressed and/or broken down into smaller, manageable pieces to
help stay undetected. The attacker wants the transmissions to be small.

Once they have exfiltrated the data, they delete the compressed files (they want to
hide their tracks). If the attacker is deep enough within the systems, they could use
existing encrypted communication channels to send queries and commands (so it
looks like normal activity).

Use Case EDR – Missed Patch/Forgot To Patch

Patch preventing attackers from remotely executing code on the targeted web application not applied:

• Attacker sets up many servers in many countries: uses encrypted login protocols to mask involvement. Wipes server log files every day.
• Access system via Swiss IP address. Use stolen username and password for service account to get to a database.
• Query database for specific info and store in output files
• Create compressed file archive of results: copy to different directory and download
• Data in hands of attacker: delete the archive
• Perform over several weeks and get a lot of information to extort


So this attacker has set up many servers in various countries and uses encrypted
login protocols to mask their involvement, and they delete the server log files
consistently, possibly every day.

As an example: they access the system via a Swiss IP address and use the stolen
username and password of the service account to get into a database. They query the
database for specific information and store it in output files, which are compressed
(or broken down into smaller pieces), copied to a different directory and downloaded.
Once in the hands of the attacker, the archive is deleted. Since the amounts are small
and undetected, they perform this over many weeks and gather more and more
information with which to extort the customer (double or triple extortion).
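The "keep each transfer small, repeat for weeks" pattern described above is exactly what a per-transfer size threshold misses, so here is an added example (not from the course, not Acronis code) of the detection logic a practitioner would want instead: a sliding-window sum of outbound bytes per (account, destination) pair. The transfer records are constructed for the example; the service account name, the 198.51.100.77 destination, the window length and both thresholds are assumptions chosen to illustrate the contrast.

```python
"""Added example, not Acronis code: low-and-slow exfiltration detection by
aggregating outbound transfers per (account, destination) over a window."""
from collections import defaultdict
from datetime import datetime, timedelta

PER_TRANSFER_ALERT_BYTES = 5 * 1024 * 1024    # naive rule: one big transfer
CUMULATIVE_ALERT_BYTES = 50 * 1024 * 1024     # what one pair may move per window
WINDOW = timedelta(days=14)


def constructed_sample():
    """Constructed outbound transfer log: (timestamp, account, src_host, dst_ip, bytes).
    Three weeks of nightly 4 MiB pulls by a service account, each below the
    per-transfer threshold, plus two ordinary user transfers."""
    base = datetime(2024, 1, 8, 2, 14)
    rows = [(base + timedelta(days=day), "svc_report", "db-01", "198.51.100.77",
             4 * 1024 * 1024) for day in range(21)]
    rows.append((datetime(2024, 1, 10, 11, 0), "jsmith", "ws-07", "203.0.113.5",
                 12 * 1024 * 1024))
    rows.append((datetime(2024, 1, 12, 15, 30), "jsmith", "ws-07", "203.0.113.5",
                 200 * 1024))
    return rows


def per_transfer_alerts(rows):
    """The classic single-transfer rule: fires only on one large upload."""
    return [r for r in rows if r[4] >= PER_TRANSFER_ALERT_BYTES]


def cumulative_alerts(rows, window=WINDOW, threshold=CUMULATIVE_ALERT_BYTES):
    """Sliding-window byte count per (account, destination); report the first
    moment each pair crosses the threshold, with the transfers that got it there."""
    by_pair = defaultdict(list)
    for ts, account, _src, dst, nbytes in sorted(rows):
        by_pair[(account, dst)].append((ts, nbytes))

    alerts = []
    for (account, dst), events in by_pair.items():
        start, total = 0, 0
        for i, (ts, nbytes) in enumerate(events):
            total += nbytes
            # Drop transfers that fell out of the window ending at this event.
            while events[start][0] < ts - window:
                total -= events[start][1]
                start += 1
            if total >= threshold:
                alerts.append({
                    "account": account, "dst": dst,
                    "first_seen": events[start][0], "last_seen": ts,
                    "transfers": i - start + 1, "bytes": total,
                })
                break  # one alert per pair is enough to open an investigation
    return alerts


if __name__ == "__main__":
    rows = constructed_sample()
    print("per-transfer rule fired on:", [(r[1], r[3], r[4]) for r in per_transfer_alerts(rows)])
    for a in cumulative_alerts(rows):
        print(f"{a['account']} -> {a['dst']}: {a['transfers']} transfers, "
              f"{a['bytes'] // 1024 // 1024} MiB between {a['first_seen']} and {a['last_seen']}")
```

On the constructed data the per-transfer rule fires once, on jsmith's single 12 MiB upload, and never on the service account; the cumulative rule stays silent on jsmith but opens an alert on svc_report at the thirteenth nightly transfer, when 52 MiB have left for the same destination inside two weeks. Pairing this with the IoC signals from earlier (service account used interactively, log files being wiped) is what turns it from a statistic into an incident.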

Use Case EDR – Missed Patch/Forgot To Patch

Patch preventing attackers from remotely executing code on the targeted web application not applied:

• Imagine patch not available (zero day) in this scenario: CVE could be in NIST NVD (attackers aware of issue)
• Items to ponder:
  • Sensitive fields plaintext stored or encrypted?
  • Databases segmented?
  • File integrity monitoring?
  • Using long-expired security certificates?


So let's say this was a zero-day type vulnerability where a patch was NOT available
(not a forgotten or missed patch). The CVE (Common Vulnerabilities and Exposures
entry) could also be published in the NIST NVD (National Vulnerability Database), so
attackers also know what the issue is.

Think about other avenues of attack:

Are there sensitive fields stored in plaintext somewhere?
Are databases segmented?
Are you using expired security certificates?
Do you have any file integrity monitoring which checks operating system, database
and application software files to see if they have been tampered with or corrupted?

Use Case EDR – Missed Patch/Forgot To Patch

Patch preventing attackers from remotely executing code on the targeted web application not applied:

• Imagine client data has high profile targets (CXX) and intelligence gathering (PII is leverage)


Now imagine the data exfiltrated from the database includes high-profile targets or
PII (personally identifiable information: data that, used alone or with other relevant
data, can identify an individual). Sensitive PII can be things like a driver's license,
medical records or a social security number (relating that to here in the US). There is
also non-sensitive PII that one can get from public sources, like date of birth and zip
code.

As we go through the course, you will see that attackers can lurk within a system
without your knowledge by bypassing protection layers, and this is where EDR
provides value.

Cyber Protect Cloud
Advanced Security + EDR
How Attacks Happen


Before going into prevention and detection, one should understand how a typical
attack happens.

Before getting into the solution, we need to re-emphasize that attackers run their
attacks in certain steps in order to achieve their objective. You might have heard of
the Lockheed Martin Cyber Kill Chain model; if not, let's discuss this process to
understand how prevention and detection layers together are of benefit.

Attackers need to plan each step of the attack.

RECONNAISSANCE (the first stage in the cyber kill chain):

Before they attack, attackers need to understand their target: what security solutions
are in place, what software is installed, what ports are open (found with automated
scanners), public email addresses, and who might be victim 0 (mostly found via social
engineering). They need to scope out vulnerabilities and potential entry points, and
this can be done both online and offline (active and passive phases). The more
intelligence an attacker gathers at this stage, the more successful the attack is likely to
be. All this information prepares for the next step of an attack, which is

Weaponizing. The attacker then creates malware or malicious payloads to use
against the target, which could mean designing new forms of malware or
modifying existing programs to better match the vulnerabilities they are trying to
exploit. Examples of how the form of infiltration is decided: is the company
widely dispersed with plenty of email users (phishing?). Did the company just
hire a whole new group of IT staff who are new to the organization?

Delivery is where they work to infiltrate the network or security system (they
are putting their plans into action). This could be deploying malware into a system
via a phishing email or other social engineering tools, such as a USB stick left on
the ground (a USB drop attack). Imagine a USB stick lying in the hallway labelled
"HR Payroll Data". Many would be curious, take the stick, plug it into their
laptop, and a malicious payload starts. It could also be hacking into the network
and exploiting vulnerabilities in hardware or software.

Then we have exploitation, where the attack is formally launched: the user clicks
the link in the email or plugs in the infected USB drive. Delivery via malware or
other forms of hacking has succeeded, and now the attacker exploits the weakness
uncovered to infiltrate the network further and learn of vulnerabilities they were
unaware of during the reconnaissance stage. Attackers now get the opportunity to
exploit systems by installing tools, running scripts and even modifying security
certificates, as examples. Usually an application's or operating system's
vulnerabilities are the target.

Installation (or the privilege escalation phase). Now the attacker tries to install
malware (or other cyber weapons, if you will) within the network to gain
additional control of systems, data and accounts. This could be backdoors,
remote access trojans or access token manipulation, as examples. The tactics
intensify at this point: the attacker is now forcefully infiltrating the network,
looking for unprotected credentials and changing permissions on compromised
accounts. This is a turning point in the attack cycle, as they have now entered
the system and are working on assuming control.

Command and Control (also known as the C2 phase). The phrase comes from the
military, where a soldier (or a low-level actor) talks to commanders about next
steps. If the hacker has been hired by a larger group, that hacker may need to
prove access to the system and then wait to hear what should happen next (which
could be brief or last a while). Once an attacker has gained control of part of the
target systems or accounts, the attacker can track, monitor and guide the
deployed weapons and tool stacks remotely. By now they have gained access to
privileged accounts.

They might even attempt brute force attacks, search for credentials or change
permissions to take over control. This is where they work on moving laterally in
the network. This stage can be broken down into two methods. Obfuscation: the
attacker makes it look like no threat is present (covering their tracks). This could
be file deletions, binary padding and code signing, as examples. They could leave
a hidden backdoor to return and attack again. By eliminating their tracks it
becomes a challenge for service providers to understand how they got in and
close the security gaps. The other is denial of service: the attacker causes
problems in other systems or areas to distract the security team from uncovering
the core objective of the attack. Often this involves network denial of service or
endpoint denial of service, and other techniques such as resource hijacking and
shutting down systems.

Then there is action and monetization (technically monetization is the 8th step,
but we lump them together here). In the action step the attackers execute the
objective of the attack. After all, hackers know that simple entry has no value
and they must do something to make it worthwhile. This process can take several
weeks or months depending on the success of all the previous steps. Common
goals of a strategic cyberattack are supply chain attacks, data exfiltration or
encryption, so the objective is gathering, encrypting and extracting information.
Monetization is when they initiate a ransom request, demanding funds by
threatening to release or sell sensitive data (personal information or, say, trade
secrets). This is where you hear the term double extortion. Triple extortion is
another avenue for monetization: after all the previous threats, there is now a
threat to perform a DDoS (distributed denial of service) attack unless they are
paid. Of course, the earlier one can intercept and stop an attack, the easier the
remediation will be. Stopping an attack during the C2 phase takes more
time-consuming and advanced effort. EDR, with our alerts, isolation, restoring
from a backup, patching and other methods, helps streamline the process when
advanced attacks occur.

Cyber Protect Cloud
Advanced Security + EDR
Prevention VS Detection


Welcome back. At this time let’s go over prevention versus detection covering
different parts of the threat landscape.

Prevention VS Detection

• Security Components - Prevention
  • Great at preventing attacks from starting
  • Risk transfer to service provider from client for stopping what is known to be bad files / processes / behavior
• EDR – Detection
  • More benefit to service provider for SLAs / business continuity / risk reduction / increased cybersecurity posture


Prevention security components. These components are excellent at stopping attacks
before they even begin. They allow the client to shift the risk of dealing with known
malicious files, processes, or behaviors to the service provider. They help ensure that
anything known to be harmful is blocked, reducing the client's risk.
EDR is on the detection side. EDR is more beneficial to the service provider when it
comes to Service Level Agreements (SLAs), ensuring business continuity, reducing
risk, and enhancing overall cybersecurity. EDR focuses on identifying and responding
to threats that may have already infiltrated the system, making it crucial for
enhancing security and quickly addressing potential issues.

Prevention VS Detection

EDR – Can Add Later

• Land / Adopt / Expand
• Ability to start with prevention and adopt
• Learn more about EDR and determine if you can manage at service provider level – no additional cost. Understand IOCs (indicators of compromise), MITRE ATT&CK points and sequence of events of cyber kill chain
• Option for MDR (Managed Detection and Response) services (tentatively slated for Q2, 2024) if you want to provide a 24x7 service to clients


You can begin by focusing on prevention and gradually incorporate other security
measures. Take the time to understand EDR to determine if it is something you can
handle as a service provider, and remember there is no additional cost to find out,
since it is built into the Advanced Security + EDR pack. Take time to learn about
indicators of compromise, MITRE ATT&CK techniques, and the sequence of events in
the "cyber kill chain". Please note that Acronis will offer a managed detection and
response service, slated for the second quarter of 2024, if clients want a 24x7 service.

Short EDR story – a bank robbery

Bank security (physical analogy) alongside Detection & Response (Advanced Security + EDR):

1. Begin event – A robber disguised as a technician enters the bank.
   Bank security: the security guard cannot identify the robber due to the impersonation.
   EDR: records a suspicious activity. Note: the AV solution fails to detect the threat (no match in its database).

2. Suspicious event – Moves towards the vault.
   Bank security: a technician has no job near the vault.
   EDR: records another benign-looking event.

3. Suspicious event – Disables cameras.
   Bank security: cameras shouldn't be disabled unless prior permission is obtained; the security team is unaware of any maintenance on the surveillance cameras.
   EDR: correlates this event with the other related ones.

4. Potential breach – Surveillance team escalates to the security team.
   Bank security: high number of suspicious activities; the surveillance team analyzes and validates the suspect on the surveillance cameras.
   EDR: an incident is created and the MSP can review the chain of related events; each step of the attack is explained by showing what the attacker did and how.

5. Response action – Security team takes the suspect down.
   Bank security: next step is to fix the gaps in the camera maintenance process, e.g. known technicians only, with background checks.
   Advanced Security + EDR: investigate further, contain threats, remediate and recover, prevent threats from reoccurring.
Acronis Academy

Let's talk through an analogy of a bank robbery (since we talked about criminal
databases earlier) and how EDR might play out in a physical security incident.
As you can see here there are multiple events at play.

A "technician" enters the bank (at this step it is unclear that this is a robber in
disguise). They move towards the vault. Then the cameras are disabled.

Some of these events, if analyzed individually, are benign and don't really show
anything malicious (many people enter a bank and move around, right?).

But as soon as the events are combined and correlated together, the likelihood that
this is a breach increases.

EDR recognizes the possible bad intent and unveils attack visibility (in our case
interpreting all steps of the attack based on the MITRE ATT&CK framework) to the
security team so it can take proper measures and stop the attack before it completes.

Then with the Advanced Security + EDR pack, service providers are not only able to
stop the breach but can do much more with a single-click response, including
capabilities to:

Investigate further using remote connection and forensic backup
Contain threats by isolating the affected workload from the network
Remediate by killing malware processes and rolling back the changes
Recover with pre-integrated backup and disaster recovery, and
Prevent incidents from reoccurring with software patch management and by blocking
analyzed threats from execution.
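The bank story is the core idea of EDR event correlation, and the attack-chain visibility slides earlier in this section describe the same thing in endpoint terms, so here is one added example serving both (not from the course, not Acronis code) that shows the mechanism in a few dozen lines. It takes constructed endpoint events, links them by process lineage on each host, scores each link of the chain with a tactic label in the spirit of MITRE ATT&CK, and opens an incident only when the chain as a whole crosses a threshold. The events, the host and process names, the scores and the threshold are all assumptions made for the example; a real EDR adds time windows, user context and far more rules.

```python
"""Added example, not Acronis code: correlate individually benign endpoint
events into one incident by process lineage, the way the bank analogy does."""
from collections import defaultdict
from datetime import datetime

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
SECURITY_SERVICES = {"windefend", "sense"}   # assumed names of endpoint security services
INCIDENT_THRESHOLD = 60                       # assumed: no single rule below reaches it


def ev(ts, host, pid, ppid, image, action, parent_image=None, **details):
    """Build one constructed telemetry event."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": pid, "ppid": ppid,
            "image": image, "parent_image": parent_image, "action": action, **details}


SAMPLE_EVENTS = [
    # ws-01: the "technician" walks in, heads for the vault, disables the cameras.
    ev("2024-03-04T09:00:12", "ws-01", 400, 300, "WINWORD.EXE", "process_start", "explorer.exe"),
    ev("2024-03-04T09:01:03", "ws-01", 412, 400, "powershell.exe", "process_start", "WINWORD.EXE"),
    ev("2024-03-04T09:02:20", "ws-01", 412, 400, "powershell.exe", "service_stop", "WINWORD.EXE",
       target="WinDefend"),
    ev("2024-03-04T09:03:05", "ws-01", 412, 400, "powershell.exe", "network", "WINWORD.EXE",
       dst="198.51.100.23"),
    # ws-02: an admin runs a script from the desktop that talks to a server.
    # Suspicious on its own, but there is no chain behind it.
    ev("2024-03-04T10:15:00", "ws-02", 500, 310, "powershell.exe", "process_start", "explorer.exe"),
    ev("2024-03-04T10:16:30", "ws-02", 500, 310, "powershell.exe", "network", "explorer.exe",
       dst="203.0.113.9"),
]


def score_event(e):
    """Score one event and label it with the tactic it suggests; 0 means
    'benign on its own', like a person walking into a bank."""
    image, parent = e["image"].lower(), (e.get("parent_image") or "").lower()
    if e["action"] == "process_start" and image in SHELLS and parent in OFFICE_APPS:
        return 30, "Execution: office application spawned a shell"
    if e["action"] == "service_stop" and e.get("target", "").lower() in SECURITY_SERVICES:
        return 40, "Defense Evasion: security service stopped"
    if e["action"] == "network" and image in SHELLS:
        return 20, "Command and Control: shell opened an outbound connection"
    return 0, None


def build_lineage(events):
    """Map (host, pid) -> (host, ppid) from the process_start events we saw."""
    return {(e["host"], e["pid"]): (e["host"], e["ppid"])
            for e in events if e["action"] == "process_start"}


def root_of(key, lineage):
    """Walk up to the topmost ancestor we have a start event for."""
    while lineage.get(key) in lineage:
        key = lineage[key]
    return key


def correlate(events, threshold=INCIDENT_THRESHOLD):
    """Group events into chains by root process and open an incident for any
    chain whose combined score crosses the threshold."""
    lineage = build_lineage(events)
    chains = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        chains[root_of((e["host"], e["pid"]), lineage)].append(e)

    incidents = []
    for (host, root_pid), chain in chains.items():
        scored = [(e, *score_event(e)) for e in chain]
        total = sum(score for _, score, _ in scored)
        if total >= threshold:
            incidents.append({
                "host": host, "root_pid": root_pid, "score": total,
                "chain": [f"{e['ts']:%H:%M} {e['image']} {e['action']}"
                          + (f" -> {label}" if label else " (benign on its own)")
                          for e, _, label in scored],
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"incident on {inc['host']} (score {inc['score']}):")
        for step in inc["chain"]:
            print("   ", step)
```

On the constructed events, ws-01 produces one incident whose chain starts with the Word document that scored zero, because the chain, not the single event, is the unit of judgement; ws-02's lone PowerShell connection scores 20 and stays an event, not an incident. That ordered chain, each step explained by what the attacker did and how, is the "attack visibility" the slides describe, and the same root key is what a response action such as isolating the workload or killing the process tree would act on.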

Prevention VS Detection
Acronis Advanced Security + EDR

[Chart: number of attack samples versus attack complexity (Low, High, Very High)]

Column 1: Known malware, phishing kits, polymorphic malware, variants of known malware, obfuscation techniques
Column 2: Common exploit kits
Column 3: Exploits (recent vulnerabilities)
Column 4: Elusive threats: zero-days, hacking tools, fileless, living off the land malware, APTs

First three columns: prevention technologies (realtime protection, Acronis Active Protection, anti-exploit, URL filtering, signature-based scanning, AI/ML, behavior analysis, patch management)
Fourth column: detection technologies, EDR; cost increases for attackers and techniques become more complex


So how do prevention and detection work together and cover different parts of the
threat landscape?

The graph shows the number of samples versus the complexity of each attack. The first
three columns show a high volume of samples. For attackers it is cheap to create
variants of malware from existing malware. As a side note, you can actually get your
own ransomware sample for, say, $5 or more, or even free by compiling the open-source
code of an existing malware. The prevention layers block the first three categories of
malware successfully. The last part of the spectrum is where the cost for attackers
increases and their techniques become more complex (and the prevention layers are
blind). EDR solutions unveil such complex attacks. Why are such attacks complex?
Because some of them use software already on the workload, so no malware sample is
needed, and some use zero-day vulnerabilities that nobody knows about (and for which
the attacker might have paid money on the dark web).

Section Summary

1. Attacks happen in a certain sequence ranging from reconnaissance, where one
gathers information about the target, all the way to taking action (data exfiltration,
encrypting of data, supply chain attacks and extortion) and monetizing such a threat.

2. Prevention and detection cover different parts of the threat landscape. Prevention
is concerned with preventing attacks from even starting. Detection is concerned with
the intent of the attacker.


Attacks follow a specific sequence of steps. It begins with the attacker gathering
information about their target, a stage known as 'reconnaissance.' Then, they move
on to taking action, which can involve stealing data, encrypting data, launching supply
chain attacks, or demanding money from the victim. This is how attackers turn their
threats into financial gain.

Prevention and detection focus on different aspects of the threat landscape.
Prevention aims to stop attacks from happening in the first place, essentially blocking
them before they can begin. On the other hand, detection is all about identifying the
intentions and actions of potential attackers.

Cyber Protect Cloud
Advanced Security + EDR
Provision and Setup


Welcome back. At this time let's go over how to provision and set up the Advanced
Security + EDR pack for a tenant.

Provision in One Click
Enabled at tenant level
Pick configuration at
tenant level


When setting up a tenant, under Clients you enable the Advanced Security + EDR
pack by ticking its checkbox. Please remember that Advanced Security + EDR is now
one pack.

Enable features in 1-2 clicks
Enable EDR in protection plan (only workloads you want)


Once you turn on Endpoint Detection and Response in a protection plan, you will be
notified that the rest of the pack will be turned on too. Remember that detection and
prevention cover different parts of the threat landscape. You pay for the workloads
you want protected, based on protection plans.

A security analyst user role for EDR was released in September 2023. The Security
Analyst role allows partners to assign specific permissions and access rights to users
with the necessary skills to operate Advanced Security with EDR. Partners can provide
access to a larger number of users for managing EDR incidents, without worrying
about granting unnecessary access to other areas of Acronis Cyber Protect Cloud.
Generic SIEM Connector

• Any SIEM supporting CEF event format over SYSLOG
• Integration with external devices
• Other specific integrations
  • Microsoft Sentinel
  • Logsign
  • Fluency
  • IBM QRadar


The Acronis generic SIEM (Security Information and Event Management) connector, released in
June 2023, enables a connection between Acronis Cyber Protect Cloud and any SIEM that supports
CEF (Common Event Format) over syslog. SIEM support is crucial for integrating Acronis Advanced
Security + EDR with external services. As a partner administrator, you can enable an integration by
providing credentials for the SIEM, select the tenants that should send data to the SIEM, and review
the list of Acronis alerts and select which alerts should be pushed to the SIEM.

SIEMs empower MSP security specialists to identify attack routes across the network and get
visibility into compromised files. With the Acronis generic SIEM connector, MSPs gain extra visibility
into customers' networks, can search for threats across all managed workloads, correlate events
from both security and data protection applications, and run response actions based on collected
telemetry that is now enriched with Acronis data. SIEM platforms are used by many MSPs for
security incident investigation and remediation, threat hunting, and compliance. The integration
lets service providers select which customer tenants in Acronis send alerts to their SIEM. Since
alerts are sent to the same SIEM instance, it is possible to run correlation, threat hunting and
investigation for all customers in the same console. It also lets MSPs search other customers'
environments for threats that were discovered on one workload in one customer tenant. We have
specific integrations with Microsoft Sentinel, Logsign, Fluency and IBM QRadar, and we are
consistently adding integrations within Acronis Cyber Protect Cloud, so keep checking the
integrations area for updates.
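Since the connector's contract with the SIEM is "CEF over syslog", here is an added example (not from the course and not the connector's own code) of what that wire format looks like and how a receiving side takes it apart: a builder that serializes a constructed alert into a CEF record inside an RFC 5424 syslog line, with the escaping CEF requires for `|` and `\` in the header and for `=` and `\` in the extension, and a parser that reverses it. The vendor and product strings, the event class ID, the app name and the sample alert fields are assumptions; check the connector's actual output for the real values.

```python
"""Added example, not Acronis code: serialize a constructed alert as CEF over
syslog and parse the result back, honouring CEF escaping rules."""
import re
from datetime import datetime, timezone

# Assumed identifiers for the example; the real connector's values may differ.
SAMPLE_ALERT = {
    "event_class_id": "EDR-INCIDENT",
    "name": "Suspicious process chain | workload isolated",   # pipe tests header escaping
    "severity": 8,                                              # CEF severity 0-10
    "extension": {
        "rt": "2024-03-04T23:43:40Z",
        "suser": "Administrator",
        "dhost": "ws-01",
        "fname": r"C:\Users\Public\update.exe",                 # backslashes need escaping
        "msg": r"persistence key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    },
}


def _escape_header(value):
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(value):
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r\n", "\\n").replace("\n", "\\n"))


def to_cef(alert, vendor="ExampleVendor", product="ExampleEDR", version="1.0"):
    """CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|key=value ..."""
    header = ["CEF:0", vendor, product, version, alert["event_class_id"],
              alert["name"], str(alert["severity"])]
    extension = " ".join(f"{k}={_escape_ext(str(v))}" for k, v in alert["extension"].items())
    return "|".join(_escape_header(h) for h in header) + "|" + extension


def to_syslog(cef_message, host, app="edr-siem-connector", ts=None, facility=4, severity=5):
    """Wrap a CEF record in an RFC 5424 syslog line (facility 4 = security/auth,
    severity 5 = notice, so PRI = 4*8+5 = 37)."""
    pri = facility * 8 + severity
    stamp = (ts or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {stamp} {host} {app} - - - {cef_message}"


def _split_header(body):
    """Split the seven header fields on unescaped '|', unescaping as we go,
    and return them with the untouched extension string."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(current)); current = []; i += 1; continue
        current.append(ch); i += 1
    return fields, body[i:]


# key=value pairs; a value runs until the next "<space>key=" whose '=' is not escaped.
EXT_FIELD = re.compile(r"([A-Za-z][A-Za-z0-9_]*)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z][A-Za-z0-9_]*=|$)")


def _unescape_ext(value):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def parse_cef(line):
    """Parse a syslog line (or bare CEF record) back into a dict."""
    body = line[line.index("CEF:"):]
    header, extension = _split_header(body)
    version, vendor, product, device_version, class_id, name, severity = header
    return {
        "cef_version": version.split(":", 1)[1], "vendor": vendor, "product": product,
        "device_version": device_version, "event_class_id": class_id, "name": name,
        "severity": int(severity),
        "extension": {m.group(1): _unescape_ext(m.group(2)) for m in EXT_FIELD.finditer(extension)},
    }


if __name__ == "__main__":
    line = to_syslog(to_cef(SAMPLE_ALERT), host="edr-gateway")
    print(line)
    print(parse_cef(line))
```

The round trip matters more than the builder: a SIEM rule that keys on `fname` or `suser` silently breaks if either side gets the escaping wrong, and a pipe in an alert name (common in human-friendly titles) shifts every header field by one unless it is escaped. The same goes for a newline in a message field, which must travel as the two characters `\n` because syslog framing treats a raw newline as the end of the record.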

Cyber Protect Cloud
What`s Next


Well we are reaching the end of this course. So what is next?

Review the Materials

Download and review the course materials

Re-watch the videos as many times as you'd like


Feel free to come back to watch sections of this video as often as needed. Please be
sure to download the PDFs attached to this course as reference material and to
assist with the exam.

Take your test

Assessment:

• 20 MCQ Quiz
• 60 Min Working Time
• 70% Passing Grade
• 2 Attempts, Open Book


As a reminder, there will be 20 questions on the exam: some come from the full
course PDF and others from this PDF. Both are included in the download area of this
course. You will have one hour, need a 70% passing grade, and remember it is two
attempts and open book. The PDFs are searchable, so Control-F is your best friend.

Thank you for watching!


And with that I would like to thank you for attending the Cloud Tech Associate course
for Advanced Security + EDR. I hope this helped, and I wish you great success with
Acronis Cyber Protect Cloud.

Cyber Foundation
Building a More Knowledgeable Future

Create, Spread and Protect Knowledge with Us!
www.acronis.org
#CyberFit
Building New Schools
Publishing Education Programs
Publishing Books
