acronis.com
Cyber Protection 22.08
User Guide
REVISION: 8/24/2022
Table of contents
Cyber Protection service editions and sub-editions 17
Cyber Protect edition 17
Cyber Backup edition 17
Comparison of editions 18
Disaster Recovery add-on 18
Supported Cyber Protect features by operating system 19
Activating the account 25
Password requirements 25
Two-factor authentication 25
What if... 26
Accessing the Cyber Protection service 28
The Cyber Protection console 29
Multitenancy support 32
Using the Cyber Protection console as a partner administrator 33
Cyber Protection console – partner level view 34
Alerts tab 34
Activities tab 34
Devices tab 34
Software management tab 36
Software requirements 37
Supported web browsers 37
Supported operating systems and environments 37
Agent for Windows 37
Agent for SQL, Agent for Active Directory, Agent for Exchange (for database backup and application-aware backup) 38
Agent for Data Loss Prevention 38
Agent for File Sync & Share 38
Agent for Exchange (for mailbox backup) 39
Agent for Microsoft 365 39
Agent for Oracle 39
Agent for MySQL/MariaDB 39
Agent for Linux 40
Agent for Mac 41
Agent for VMware (Virtual Appliance) 41
Agent for VMware (Windows) 41
2 © Acronis International GmbH, 2003-2022
Agent for Hyper-V 41
Agent for Virtuozzo 42
Agent for Virtuozzo Hybrid Infrastructure 42
Agent for Scale Computing HC3 42
Agent for oVirt 42
Cyber Protect Monitor 42
Supported Microsoft SQL Server versions 42
Supported Microsoft Exchange Server versions 42
Supported Microsoft SharePoint versions 43
Supported Oracle Database versions 43
Supported SAP HANA versions 43
Supported MySQL versions 43
Supported MariaDB versions 44
Supported virtualization platforms 44
Limitations 48
Compatibility with encryption software 50
Common installation rule 50
The way of using Secure Zone 50
Common backup rule 50
Software-specific recovery procedures 51
Supported file systems 52
Data Deduplication 53
Installing the software 54
Which agent do I need? 54
System requirements for agents 56
Preparation 57
Step 1 57
Step 2 57
Step 3 57
Step 4 58
Step 5 58
Step 6 59
Linux packages 60
Are the required packages already installed? 60
Installing the packages from the repository 61
Installing the packages manually 62
Proxy server settings 63
In Windows 63
In Linux 64
In macOS 65
In bootable media 66
Installing Cyber Protection agents 66
Downloading Cyber Protection agents 67
Installing Cyber Protection agents in Windows 67
Installing Cyber Protection agents in Linux 69
Installing Cyber Protection agents in macOS 70
Changing the logon account on Windows machines 71
Dynamic installation and uninstallation of components 73
Unattended installation or uninstallation 74
Unattended installation or uninstallation in Windows 74
Unattended installation or uninstallation in Linux 80
Unattended installation and uninstallation in macOS 85
Registering machines manually 88
Passwords with special characters or blank spaces 91
Autodiscovery of machines 91
Prerequisites 92
How autodiscovery works 92
How remote installation of agents works 94
Autodiscovery and manual discovery 94
Managing discovered machines 99
Troubleshooting 100
Deploying Agent for VMware (Virtual Appliance) 101
Before you start 101
Deploying the OVF template 102
Configuring the virtual appliance 102
Deploying Agent for Scale Computing HC3 (Virtual Appliance) 104
Before you start 104
Deploying the QCOW2 template 105
Configuring the virtual appliance 106
Agent for Scale Computing HC3 – required roles 107
Deploying Agent for Virtuozzo Hybrid Infrastructure (Virtual Appliance) 108
Before you start 108
Configuring networks in Virtuozzo Hybrid Infrastructure 109
Configuring user accounts in Virtuozzo Hybrid Infrastructure 110
Deploying the QCOW2 template 112
Configuring the virtual appliance 113
Deploying Agent for oVirt (Virtual Appliance) 117
Before you start 117
Deploying the OVA template 118
Configuring the virtual appliance 119
Agent for oVirt – required roles and ports 121
Deploying agents through Group Policy 122
Prerequisites 122
Step 1: Generating a registration token 122
Step 2: Creating the .mst transform and extracting the installation package 124
Step 3: Setting up the Group Policy objects 124
Updating agents 125
Updating agents manually 125
Updating agents automatically 127
Preventing unauthorized uninstallation or modification of agents 129
Uninstalling agents 130
In Windows 130
In Linux 131
In macOS 131
Removing Agent for VMware (Virtual Appliance) 131
Removing machines from the service console 131
Protection settings 132
Automatic updates for components 132
Updating the Cyber Protection definitions by schedule 133
Updating the Cyber Protection definitions on-demand 133
Cache storage 133
Remote connection 134
Next-Generation Antivirus 134
Changing the service quota of machines 134
Cyber Protection services installed in your environment 136
Services installed in Windows 136
Services installed in macOS 136
Managing workloads 137
Device groups 137
Built-in groups 137
Custom groups 137
Creating a static group 138
Adding devices to static groups 138
Creating a dynamic group 138
Applying a protection plan to a group 147
Protection plan and modules 148
Creating a protection plan 149
Default protection plans 150
Default plan options 151
Resolving plan conflicts 154
Applying several plans to a device 154
Resolving plan conflicts 154
Operations with protection plans 155
#CyberFit Score for machines 157
How it works 157
#CyberFit scoring mechanism 157
Running a #CyberFit Score scan 161
Backup and recovery 163
Backup 163
Protection plan cheat sheet 165
Selecting data to back up 167
Selecting entire machine 167
Selecting disks/volumes 168
Selecting files/folders 171
Selecting system state 173
Selecting ESXi configuration 173
Continuous data protection (CDP) 174
How it works 174
Supported data sources 176
Supported destinations 177
Configuring a CDP backup 177
Selecting a destination 178
Advanced storage option 179
About Secure Zone 180
Schedule 183
Backup schemes 183
Additional scheduling options 184
Schedule by events 186
Start conditions 188
Retention rules 194
What else you need to know 195
Replication 195
Usage examples 196
Supported locations 196
Encryption 197
Encryption in a protection plan 197
Encryption as a machine property 198
How the encryption works 199
Notarization 199
How to use notarization 200
How it works 200
Starting a backup manually 200
Default backup options 200
Backup options 201
Availability of the backup options 201
Alerts 204
Backup consolidation 204
Backup file name 205
Backup format 208
Backup validation 210
Changed block tracking (CBT) 210
Cluster backup mode 211
Compression level 212
Error handling 212
Fast incremental/differential backup 214
File filters 214
File-level backup snapshot 216
Forensic data 216
Log truncation 225
LVM snapshotting 225
Mount points 226
Multi-volume snapshot 226
Performance and backup window 227
Physical Data Shipping 231
Pre/Post commands 232
Pre/Post data capture commands 234
Scheduling 236
Sector-by-sector backup 237
Splitting 237
Task failure handling 238
Task start conditions 238
Volume Shadow Copy Service (VSS) 239
Volume Shadow Copy Service (VSS) for virtual machines 240
Weekly backup 241
Windows event log 241
Recovery 241
Recovery cheat sheet 241
Safe recovery 243
Recovering a machine 244
Prepare drivers 253
Check access to the drivers in bootable environment 253
Automatic driver search 254
Mass storage drivers to install anyway 254
Recovering files 256
Recovering system state 261
Recovering ESXi configuration 261
Recovery options 262
Operations with backups 270
The Backup storage tab 270
Mounting volumes from a backup 271
Validating backups 273
Exporting backups 274
Deleting backups 274
Protecting Microsoft applications 276
Protecting Microsoft SQL Server and Microsoft Exchange Server 276
Protecting Microsoft SharePoint 276
Protecting a domain controller 276
Recovering applications 276
Prerequisites 277
Database backup 279
Application-aware backup 285
Mailbox backup 286
Recovering SQL databases 288
Recovering Exchange databases 291
Recovering Exchange mailboxes and mailbox items 294
Changing the SQL Server or Exchange Server access credentials 300
Protecting mobile devices 300
Supported mobile devices 300
What you can back up 300
What you need to know 301
Where to get the Cyber Protect app 301
How to start backing up your data 302
How to recover data to a mobile device 302
How to review data via the service console 302
Protecting Hosted Exchange data 304
What items can be backed up? 304
What items can be recovered? 304
Selecting mailboxes 304
Recovering mailboxes and mailbox items 305
Protecting Microsoft 365 data 307
Why back up Microsoft 365 data? 307
Agent for Microsoft 365 307
Limitations 309
Required user rights 309
Microsoft 365 seats licensing report 310
Using the locally installed Agent for Office 365 310
Using the cloud Agent for Microsoft 365 313
Protecting Google Workspace data 340
What does Google Workspace protection mean? 340
Required user rights 341
About the backup schedule 341
Limitations 341
Adding a Google Workspace organization 342
Creating a personal Google Cloud project 343
Protecting Gmail data 345
Protecting Google Drive files 350
Protecting Shared drive files 354
Notarization 357
Protecting Oracle Database 358
Protecting SAP HANA 359
Protecting MySQL and MariaDB data 359
Configuring an application-aware backup 360
Recovering data from an application-aware backup 361
Protecting websites and hosting servers 364
Protecting websites 364
Protecting web hosting servers 367
Special operations with virtual machines 368
Running a virtual machine from a backup (Instant Restore) 368
Working in VMware vSphere 372
Backing up clustered Hyper-V machines 389
Limiting the total number of simultaneously backed-up virtual machines 390
Machine migration 391
Microsoft Azure and Amazon EC2 virtual machines 392
Cyber Scripting 394
Prerequisites 394
Limitations 394
Scripts 394
Creating a script 395
Cloning a script 396
Editing or deleting a script 397
Changing the script status 398
Comparing script versions 398
Downloading the output of a scripting operation 399
Script repository 399
Scripting plans 400
Creating a scripting plan 401
Schedule and start conditions 402
Managing the target workloads for a plan 404
Plans on different administration levels 405
Scripting plan conflicts 407
Script quick run 407
User roles and Cyber Scripting rights 408
Disaster recovery 411
About Cyber Disaster Recovery Cloud 411
The key functionality 411
Software requirements 412
Supported operating systems 412
Supported virtualization platforms 412
Limitations 413
Cyber Disaster Recovery Cloud trial version 413
Compute points 414
Setting up the disaster recovery functionality 415
Create a disaster recovery protection plan 415
Editing the Recovery server default parameters 417
Cloud network infrastructure 418
Setting up connectivity 418
Networking concepts 419
Initial connectivity configuration 430
Prerequisites 432
Network management 438
Prerequisites 453
Setting up recovery servers 454
Creating a recovery server 454
How failover works 457
How failback works 462
Working with encrypted backups 468
Operations with Microsoft Azure virtual machines 469
Setting up primary servers 469
Creating a primary server 469
Operations with a primary server 471
Managing the cloud servers 472
Firewall rules for cloud servers 473
Setting firewall rules for cloud servers 473
Checking the cloud firewall activities 476
Backing up the cloud servers 476
Orchestration (runbooks) 477
Why use runbooks? 477
Creating a runbook 477
Operations with runbooks 479
Antimalware and web protection 481
Antivirus and antimalware protection 481
Antimalware features 481
Antimalware features 481
Scanning types 482
Antivirus and antimalware protection settings 483
Active Protection in the Cyber Backup Standard edition 495
Active protection settings in Cyber Backup Standard 496
URL filtering 501
How it works 502
URL filtering configuration workflow 504
URL filtering settings 504
Description 510
Microsoft Defender Antivirus and Microsoft Security Essentials 510
Schedule scan 511
Default actions 511
Real-time protection 512
Advanced 512
Exclusions 513
Quarantine 513
How do files get into the quarantine folder? 513
Managing quarantined files 514
Quarantine location on machines 514
Self-service custom folder on-demand 515
Corporate whitelist 515
Automatic adding to the whitelist 515
Manual adding to the whitelist 515
Adding quarantined files to the whitelist 516
Whitelist settings 516
Viewing details about items in the whitelist 516
Antimalware scan of backups 516
How to configure backup scanning in the cloud 517
Advanced protection 519
Advanced Data Loss Prevention 519
Creating the data flow policy and policy rules 519
Enabling Advanced Data Loss Prevention in protection plans 529
Automated detection of destination 532
Sensitive data definitions 532
Data Loss Prevention events 538
Advanced Data Loss Prevention widgets on the Overview dashboard 540
Protection of collaboration and communication applications 541
Vulnerability assessment and patch management 542
Vulnerability assessment 542
Supported Microsoft and third-party products 543
Supported Apple and third-party products 544
Supported Linux products 545
Vulnerability assessment settings 545
Vulnerability assessment for Windows machines 547
Vulnerability assessment for Linux machines 547
Vulnerability assessment for macOS devices 548
Managing found vulnerabilities 548
Patch management 549
How it works 550
Patch management settings 551
Managing list of patches 554
Automatic patch approval 555
Manual patch approval 558
On-demand patch installation 558
Patch lifetime in the list 559
Software inventory 560
Enabling the software inventory scanning 560
Running a software inventory scan manually 561
Browsing the software inventory 561
Viewing the software inventory of a single device 563
Hardware inventory 565
Enabling the hardware inventory scanning 565
Running a hardware inventory scan manually 566
Browsing the hardware inventory 566
Viewing the hardware of a single device 569
Remote desktop access 571
Remote access (RDP and HTML5 clients) 571
How it works 572
How to connect to a remote machine 572
How to run a remote assistance session 573
Share a remote connection with users 573
Remote wipe 575
Smart protection 576
Threat feed 576
How it works 576
Deleting all alerts 579
Data protection map 579
How it works 579
Managing the detected unprotected files 579
Data protection map settings 580
Enhanced security mode 582
Limitations 582
Setting the encryption password 582
Changing the encryption password 583
Recovering backups 583
Immutable storage 584
Limitations 584
Enabling and disabling immutable storage 584
Accessing deleted backups in immutable storage 585
Device control 586
Limitation on the use of the agent for Data Loss Prevention with Hyper-V 587
Using device control 588
Enable or disable device control 588
Enabling the use of the device control module on macOS 589
View or change access settings 591
Exclude device subclasses from access control 592
Exclude individual USB devices from access control 592
View device control alerts 595
Access settings 595
OS notification and service alerts 599
Device types allowlist 600
USB devices allowlist 601
USB devices database 602
Excluding processes from access control 605
Device control alerts 607
Action field values 608
The Management tab 611
Protection plan 611
Backup plans for cloud applications 612
Backup scanning plan 612
Limitations 613
Off-host data processing 613
Backup replication 614
Validation 615
Cleanup 617
Conversion to a virtual machine 618
The Activities tab 622
Cyber Protect Monitor 623
Bootable media 625
Custom or ready-made bootable media? 625
Linux-based or WinPE/WinRE-based bootable media? 625
Linux-based 625
WinPE/WinRE-based 625
Creating physical bootable media 626
Bootable Media Builder 627
Why use Bootable Media Builder? 627
32-bit or 64-bit? 627
Linux-based bootable media 627
Top-level object 632
Variable object 632
Control type 633
WinPE-based and WinRE-based bootable media 635
Registering the bootable media 638
Network settings 639
Connecting to a machine booted from bootable media 640
Local connection 640
Configuring network settings 640
Operations with bootable media 641
Setting up a display mode 641
Recovery 642
Startup Recovery Manager 642
One-click recovery 643
Monitoring 648
The Overview dashboard 648
The Activities dashboard 649
Cyber Protection 649
Protection status 650
Discovered machines 650
#CyberFit Score by machine 651
Disk health monitoring 652
How it works 652
Disk health widgets 653
Disk health status alerts 656
Data protection map 656
Vulnerability assessment widgets 657
Vulnerable machines 657
Existing vulnerabilities 658
Patch installation widgets 658
Patch installation status 658
Patch installation summary 659
Patch installation history 659
Missing updates by categories 659
Backup scanning details 660
Recently affected 660
Downloading data for recently affected workloads 661
Cloud applications 661
Software inventory widgets 662
Hardware inventory widgets 663
Reports 665
Adding a report 666
Editing a report 666
Scheduling a report 667
Exporting and importing the report structure 668
Downloading a report 668
Dumping the report data 668
Reported data according to widget type 668
License management for on-premises management servers 671
Troubleshooting 672
Appendix A. Site-to-site Open VPN - Additional information 673
Glossary 680
Index 684
Cyber Protection service editions and sub-editions
Important
This topic contains information about a legacy licensing model. If you do not use editions as part of
your legacy setup, please skip this information.
This section contains information about working with services, editions, and offering items that
were available as part of the licensing model in Acronis Cyber Cloud 21.02 and earlier. These
offering items and editions are still supported and can be configured for tenants as needed, but
they are not recommended and are now considered legacy.
Note
The services, editions, and offering items that are available to you are inherited from the offering
items that are available for your parent tenant. If an offering item is not available for the partner
who created your account, that offering item will not be available to you, and you cannot enable it
for your partners or customers.
For information about the new offering items, see "Advanced protection" (p. 519).
The following editions are available:
• Cyber Protect
• Cyber Backup
Cyber Protect edition
This edition is licensed per workload—that is, according to the number of protected machines,
regardless of the size of backed-up data.
Within the Cyber Protect edition, the following sub-editions are available:
• Cyber Protect Essentials
• Cyber Protect Standard
• Cyber Protect Advanced
• Cyber Backup Standard
Cyber Backup edition
This edition is licensed per GB—that is, according to the size of backed-up data, regardless of the
number of protected machines.
In the Cyber Backup edition, there are no sub-editions—only Cyber Backup Standard offering items
are available.
Comparison of editions
The number and scope of the available features depend on the edition of the Cyber Protection service.
For a detailed comparison between the features in each edition and sub-edition, refer to Compare
Acronis Cyber Protection Editions.
Disaster Recovery add-on
The Disaster Recovery add-on provides recovery functionality designed for companies that have
high requirements for the Recovery Time Objective (RTO). This add-on is available only with the
Cyber Protect edition.
Note
The Disaster Recovery add-on cannot be used with the Cyber Protect Essentials sub-edition.
Supported Cyber Protect features by operating system
Note
This topic contains information about all Cyber Protect features and the operating systems on
which they are supported. Some features might require additional licensing, depending on the
applied licensing model.
The Cyber Protect features are supported on the following operating systems:
• Windows: Windows 7 Service Pack 1 and later, Windows Server 2008 R2 Service Pack 1 and later.
  Windows Defender Antivirus management is supported on Windows 8.1 and later.
• Linux: CentOS 6.10, 7.8+, CloudLinux 6.10, 7.8+, Ubuntu 16.04.7+, where plus refers to minor
  versions of these distributions.
  Other Linux distributions and versions might be supported, but have not been tested.
• macOS: 10.13.x and later (only Antivirus and Antimalware protection, and Device control are
  supported). Device control functionality is supported on macOS 10.15 and later or macOS 11.2.3
  and later.
  Agent for Data Loss Prevention might be installed on unsupported macOS systems because it is
  an integral part of Agent for Mac. In this case, the Cyber Protect console will display that Agent for
  Data Loss Prevention is installed on the computer, but the device control functionality will not
  work. Device control functionality will only work on macOS systems that are supported by Agent
  for Data Loss Prevention.
Note
Antimalware protection for Linux and macOS is supported only when Advanced antimalware
protection is enabled.
Important
The Cyber Protect features are only supported for machines on which a protection agent is
installed. For virtual machines protected in agentless mode, for example, by Agent for Hyper-V,
Agent for VMware, Agent for Virtuozzo Hybrid Infrastructure, Agent for Scale Computing, or Agent
for oVirt, only backup is supported.
| Cyber Protect features | Windows | Linux | macOS |
|---|---|---|---|
| Default protection plans | | | |
| Remote Workers | Yes | No | No |
| Office Workers (third-party antivirus) | Yes | No | No |
| Office Workers (Cyber Protect antivirus) | Yes | No | No |
| Cyber Protect Essentials (only for Cyber Protect Essentials edition) | Yes | No | No |
| Forensic backup | | | |
| Collecting memory dump | Yes | No | No |
| Snapshot of running processes | Yes | No | No |
| Notarization of local image forensic backup | Yes | No | No |
| Notarization of cloud image forensic backup | Yes | No | No |
| Continuous data protection (CDP) | | | |
| CDP for files and folders | Yes | No | No |
| CDP for changed files via application tracking | Yes | No | No |
| Autodiscovery and remote installation | | | |
| Network-based discovery | Yes | No | No |
| Active Directory-based discovery | Yes | No | No |
| Template-based discovery (importing machines from a file) | Yes | No | No |
| Manual adding of devices | Yes | No | No |
| Active Protection | | | |
| Process Injects detection | Yes | No | No |
| Automatic recovery of affected files from the local cache | Yes | Yes | Yes |
| Self-defense for Acronis backup files | Yes | No | No |
| Self-defense for Acronis software | Yes | No | Yes (Only Active Protection and antimalware components) |
| Trusted/blocked process management | Yes | No | Yes |
| Processes/folders exclusions | Yes | Yes | Yes |
| Ransomware detection based on a process behavior (AI-based) | Yes | Yes | Yes |
| Cryptomining process detection based on process behavior | Yes | No | No |
| External drives protection (HDD, flash drives, SD cards) | Yes | No | Yes |
| Network folder protection | Yes | Yes | Yes |
| Server-side protection | Yes | No | No |
| Zoom, Cisco Webex, Citrix Workspace, and Microsoft Teams protection | Yes | No | No |
| Antivirus and Antimalware protection | | | |
| Fully-integrated Active Protection functionality | Yes | No | No |
| Real-time antimalware protection | Yes | Yes, when Advanced antimalware is enabled | Yes, when Advanced antimalware is enabled |
| Advanced real-time antimalware protection with local signature-based detection | Yes | Yes | Yes |
| Static analysis for portable executable files | Yes | No | Yes* |
| On-demand antimalware scanning | Yes | Yes** | Yes |
| Network folder protection | Yes | Yes | No |
| Server-side protection | Yes | No | No |
| Scan of archive files | Yes | No | Yes |
| Scan of removable drives | Yes | No | Yes |
| Scan of only new and changed files | Yes | No | Yes |
| File/folder exclusions | Yes | Yes | Yes*** No |
| Processes exclusions | Yes | No | No |
| Behavioral analysis engine | Yes | No | Yes |
| Exploit prevention | Yes | No | No |
| Quarantine | Yes | Yes | Yes |
| Quarantine auto clean-up | Yes | No | Yes |
| URL filtering (http/https) | Yes | No | No |
| Corporate-wide whitelist | Yes | No | Yes |
| Microsoft Defender Antivirus management | Yes | No | No |
| Microsoft Security Essentials management | Yes | No | No |
| Registering and managing Antivirus and Antimalware protection via Windows Security Center | Yes | No | No |
| Vulnerability assessment | | | |
| Vulnerability assessment of operating system and its native applications | Yes | Yes**** | Yes |
| Vulnerability assessment for 3rd-party applications | Yes | No | Yes |
| Patch management | | | |
| Patch auto-approval | Yes | No | No |
| Patch auto-installation | Yes | No | No |
| Patch testing | Yes | No | No |
| Manual patch installation | Yes | No | No |
| Patch scheduling | Yes | No | No |
| Fail-safe patching: backup of machine before installing patches as part of protection plan | Yes | No | No |
| Cancelation of a machine reboot if a backup is running | Yes | No | No |
| Data protection map | | | |
| Adjustable definition of important files | Yes | No | No |
| Scanning machines to find unprotected files | Yes | No | No |
| Unprotected locations overview | Yes | No | No |
| Ability to start the protection action from the Data protection map widget (Protect all files action) | Yes | No | No |
| Disk health | | | |
| AI-based HDD and SSD health control | Yes | No | No |
| Smart protection plans based on Acronis Cyber Protection Operations Center (CPOC) alerts | | | |
| Threat feed | Yes | No | No |
| Remediation wizard | Yes | No | No |
| Backup scanning | | | |
| Antimalware scan of image backups as part of backup plan | Yes | No | No |
| Scanning of image backups for malware in cloud | Yes | No | No |
| Malware scan of encrypted backups | Yes | No | No |
| Safe recovery | | | |
| Antimalware scanning with Antivirus and Antimalware protection during the recovery process | Yes | No | No |
| Safe recovery for encrypted backups | Yes | No | No |
| Remote desktop connection | | | |
| Connection via HTML5-based client | Yes | No | No |
| Connection via native Windows RDP client | Yes | No | No |
| Remote assistance | Yes | No | No |
| #CyberFit Score | | | |
| #CyberFit Score status | Yes | No | No |
| #CyberFit Score standalone tool | Yes | No | No |
| #CyberFit Score recommendations | Yes | No | No |
| Data loss prevention | | | |
| Device control | Yes | No | Yes (ARM CPU architecture is not supported) |
| Management options | | | |
| Upsell scenarios to promote Cyber Protect editions | Yes | Yes | Yes |
| Web-based centralized and remote management console | Yes | Yes | Yes |
| Protection options | | | |
| Remote wipe (Windows 10 only) | Yes | No | No |
| Cyber Protect Monitor | | | |
| Cyber Protect Monitor app | Yes | No | Yes |
| Protection status for Zoom | Yes | No | No |
| Protection status for Cisco Webex | Yes | No | No |
| Protection status for Citrix Workspace | Yes | No | No |
| Protection status for Microsoft Teams | Yes | No | No |
| Software inventory | | | |
| Software inventory scanning | Yes | No | Yes |
| Software inventory monitoring | Yes | No | Yes |
| Hardware inventory | | | |
| Hardware inventory scanning | Yes | No | Yes |
| Hardware inventory monitoring | Yes | No | Yes |

* Static analysis for portable executable files is supported only for scheduled scans on macOS.
** Start conditions are not supported for on-demand scanning on Linux.
*** File/folder exclusions are only supported for the case when you specify files and folders that will
not be scanned by real-time protection or scheduled scans on macOS.
**** The vulnerability assessment depends on the availability of official security advisories for
the specific distribution, for example, https://lists.centos.org/pipermail/centos-announce/,
https://lists.centos.org/pipermail/centos-cr-announce/, and others.
Activating the account
When an administrator creates an account for you, an email message is sent to your email address.
The message contains the following information:
• Your login. This is the user name that you use to log in. Your login is also shown on the account
  activation page.
• Activate account button. Click the button and set the password for your account. Ensure that
  your password is at least nine characters long. For more information about the password, refer to
  "Password requirements" (p. 25).
If your administrator has enabled two-factor authentication, you will be prompted to set it up for
your account. For more information about it, refer to "Two-factor authentication" (p. 25).
Password requirements
The password for a user account must be at least 9 characters long. Passwords are also checked for
complexity, and fall into one of the following categories:
• Weak
• Medium
• Strong
You cannot save a weak password, even though it might contain 9 characters or more. Passwords
that repeat the user name, the login, the user email, or the name of the tenant to which a user
account belongs are always considered weak. Most common passwords are also considered weak.
To strengthen a password, add more characters to it. Using different types of characters, such as
digits, uppercase and lowercase letters, and special characters, is not mandatory but it results in
stronger passwords that are also shorter.
Two-factor authentication
Two-factor authentication provides extra protection from unauthorized access to your account.
When two-factor authentication is set up, you are required to enter your password (the first factor)
and a one-time code (the second factor) to log in to the service console. The one-time code is
generated by a special application that must be installed on your mobile phone or another device
that belongs to you. Even if someone finds out your login and password, they still will not be able to
log in without access to your second-factor device.
The one-time code to configure two-factor authentication for your account is generated based on
the device's current time and the secret provided by the Cyber Protection service as the QR code or
alphanumeric code. During the first login, you need to enter this secret into the authentication
application.
To set up two-factor authentication for your account
You can and must configure two-factor authentication for your account when two-factor
authentication has been enabled by an administrator for your organization. If two-factor
authentication has been enabled while you are logged in to the Cyber Protection service console,
you will have to configure it when your current session expires.
Prerequisites:
• Two-factor authentication is enabled for your organization.
• You are logged out of the Cyber Protection service console.
1. Choose a second-factor device.
Most commonly it is a mobile phone, but you can also use a tablet, laptop, or desktop.
2. Ensure that the device time settings are correct and reflect the actual current time, and that the
device locks itself after a period of inactivity.
3. Install the authentication application on the device. The recommended applications are Google
Authenticator or Microsoft Authenticator.
4. Go to the Cyber Protection service console sign-in page and set your password.
The service console shows the QR code and the alphanumeric code.
5. Save the QR code and the alphanumeric code in any convenient way (for example, print the
screen, write down the code, or save a screenshot in cloud storage). If you lose the second-factor
device, you will be able to reset the two-factor authentication by using these codes.
6. Open the authentication application, and then do one of the following:
l Scan the QR code
l Manually enter the alphanumeric code to the application
The authentication application generates a one-time code. A new code will be generated every
30 seconds.
7. Return to the service console login page and enter the generated code.
A one-time code is valid for 30 seconds. If you wait longer than 30 seconds, use the next
generated code.
When logging in the next time, you can select the checkbox Trust this browser.... If you do this, the
one-time code will not be required when you log in by using this browser on this machine.
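How the authentication application derives the code from the secret and the device time, as an added example that is not part of the Acronis guide. It assumes the service uses standard TOTP (RFC 6238 with HMAC-SHA-1, six digits, a 30-second step and a Base32 secret), which is what Google Authenticator and Microsoft Authenticator implement; the secret is the constructed RFC 6238 test key, and `drift_steps` is a hypothetical server-side tolerance.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # from the guide: a new code is generated every 30 seconds
DIGITS = 6         # assumption: six-digit codes, the authenticator-app default

# Constructed sample secret: the RFC 6238 test key "12345678901234567890"
# in Base32, standing in for the alphanumeric code shown with the QR code.
SAMPLE_ALPHANUMERIC_CODE = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_secret(alphanumeric_code: str) -> bytes:
    """Turn the alphanumeric code into the raw shared secret (assumed Base32)."""
    cleaned = alphanumeric_code.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that UIs usually strip
    return base64.b32decode(cleaned)


def totp(secret: bytes, unix_time: float) -> str:
    """One-time code for the 30-second step that contains unix_time."""
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, submitted: str, server_time: float,
           drift_steps: int = 0) -> bool:
    """Server-side check. drift_steps=0 matches the guide: a code is valid
    only inside its own 30-second step. A larger value (hypothetical)
    would also accept codes from neighbouring steps."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, server_time + delta * STEP_SECONDS)
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


if __name__ == "__main__":
    import time

    secret = decode_secret(SAMPLE_ALPHANUMERIC_CODE)
    now = time.time()
    print("code for the current step:", totp(secret, now))
    print("same step accepted:", verify(secret, totp(secret, now), now))
    # A second-factor device whose clock is 90 seconds behind computes the
    # code for an older step, which is why step 2 asks for correct time.
    stale = totp(secret, now - 90)
    print("device 90 s behind accepted:", verify(secret, stale, now, drift_steps=1))
```

Because the code depends only on the secret and the time, anyone holding the saved QR code or alphanumeric code can enroll a new device, which is what makes the recovery described under "What if..." possible.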
What if...
...I lost the second-factor device?
If you have a trusted browser, you will be able to log in by using this browser. Nevertheless, when
you have a new device, repeat steps 1-3 and 6-7 of the above procedure by using the new device
and the saved QR code or alphanumeric code.
If you have not saved the code, ask the administrator or service provider to reset the two-factor
authentication for your account, and then repeat steps 1-3 and 6-7 of the above procedure by using
the new device.
...I want to change the second-factor device?
When logging in, click the Reset two-factor authentication settings link, confirm the operation by
entering the one-time code, and then repeat the above procedure by using the new device.
Accessing the Cyber Protection service
After you activate your account, you can access the Cyber Protection service by logging in to the
Cyber Protection console or via the management portal.
To log in to the Cyber Protection console
1. Go to the Cyber Protection service login page.
2. Type your login, and then click Next.
3. Type your password, and then click Next.
4. [If you use more than one Cyber Cloud service] Click Cyber Protection.
Users who have access only to the Cyber Protection service log in directly to the Cyber Protection
console.
If Cyber Protection is not the only service you have access to, you can switch between the
services by using the icon in the top-right corner. Administrators can also use this icon for
switching to the management portal.
The timeout period for the Cyber Protection console is 24 hours for active sessions and 1 hour for
idle sessions.
You can change the language of the web interface by clicking the account icon in the top-right
corner.
To access the Cyber Protection console via the management portal
1. In the management portal, go to Monitoring > Usage.
2. Under Cyber Protect, select Protection, and then click Manage service.
Alternatively, under Clients, select a customer, and then click Manage service.
As a result, you are redirected to the Cyber Protection console.
To reset your password
1. Go to the Cyber Protection service login page.
2. Type your login, and then click Next.
3. Click Forgot password?
4. Confirm that you want further instructions by clicking Send.
5. Follow the instructions in the email that you have received.
6. Set up your new password.
The Cyber Protection console
In the Cyber Protection console, you can manage workloads and plans, change the protection
settings, configure reports, or check the backup storage.
The Cyber Protection console provides access to additional services or features, such as File Sync &
Share or Antivirus and Antimalware protection, Patch management, Device control, and
Vulnerability assessment. The type and number of these services and features vary according to
your Cyber Protection license.
To check the dashboard with the most important information about your protection, go to
Monitoring > Overview.
Depending on your access permissions, you can manage the protection for one or multiple
customer tenants or units in a tenant. To switch the hierarchy level, use the drop-down list in the
navigation menu. Only the levels to which you have access are shown. To go to the management
portal, click Manage.
The Devices section is available in simple and table view. To switch between them, click the
corresponding icon in the top right corner.
The simple view shows only a few workloads.
The table view is enabled automatically when the number of workloads becomes larger.
Both views provide access to the same features and operations. This document describes access to
operations from the table view.
When a workload goes online or offline, it takes some time for its status to change in the Cyber
Protection console. The workload status is checked every minute. If the agent installed on the
corresponding machine is not transferring data, and there is no answer to five consecutive checks,
the workload is shown as offline. The workload is shown as back online when it answers to a status
check or starts transferring data.
To delete a workload from the Cyber Protection console
1. Select the check box next to the desired workload.
2. Click Delete, and then confirm your choice.
Important
Deleting a workload from the service console does not uninstall the protection agent on the
corresponding machine and does not delete the protection plans applied to this workload. The
backups of the deleted workload will also be kept.
ESXi hosts and virtual machines on the following virtualization platforms can be backed up by an
agent that is not installed on them—that is, in the agentless mode:
• Hyper-V
• VMware
• Virtuozzo Hybrid Infrastructure
• Scale Computing
• Red Hat Virtualization/oVirt
You cannot delete such machines individually. To delete them, you need to find and delete the
machine on which the respective agent (Agent for Hyper-V, Agent for VMware, Agent for Virtuozzo
Hybrid Infrastructure, Agent for Scale Computing, or Agent for oVirt) is installed.
To delete a virtual machine or ESXi host without an agent
1. Under Devices, select All devices.
2. Click the gear icon in the upper right corner and enable the Agent column.
3. In the Agent column, check the name of the machine where the respective agent is installed.
4. Delete this machine from the service console. This will also delete all of the machines that are
backed up by its agent.
5. Uninstall the agent from the deleted machine as described in "Uninstalling agents" (p. 130).
Multitenancy support
The Cyber Protection service supports multitenancy, which implies administration on the following
levels:
• [For service providers] Partner tenant (All customers) level
  This level is only available for partner administrators who manage customer tenants.
• Customer tenant level
  This level is managed by company administrators.
  Partner administrators can also work on this level in the customer tenants that they manage. On
  this level, partner administrators have the same rights as the customer administrators on whose
  behalf they act.
• Unit level
  This level is managed by unit administrators and by company administrators from the parent
  customer tenant.
  Partner administrators who manage the parent customer tenant can also access the unit level.
  On this level, they have the same rights as the customer administrators on whose behalf they act.
Administrators can manage objects in their own tenant and in its child tenants. They cannot see or
access objects on an upper administration level, if any.
For example, company administrators can manage protection plans both on the customer tenant
level and on the unit level. Unit administrators can manage only their own protection plans on the
unit level. They cannot manage any protection plans on the customer tenant level and cannot
manage the protection plans that are created by the customer administrator on the unit level.
Also, partner administrators can create and apply scripting plans in the customer tenants that they
manage. The company administrators in such tenants have only read-only access to the scripting
plans that are applied to their workloads by a partner administrator. However, customer
administrators can create and apply their own scripting or protection plans.
Using the Cyber Protection console as a partner administrator
A partner administrator can use the Cyber Protection console at the following levels:
• Partner tenant (All customers) level
  On this level, you can manage scripting plans for workloads from all your managed customer
  tenants.
  You can apply the same scripting plan to workloads from different customers, and can create
  device groups with workloads from different customers. To learn how to create a static or a
  dynamic device group on the partner level, refer to the "Devices tab" (p. 34). For more
  information about the scripts and scripting plans, refer to "Cyber Scripting" (p. 394).
• Customer tenant level
  On this level, you have the same rights as the company administrator on whose behalf you act.
To change the level of administration, use the drop-down list in the navigation menu. The
drop-down list is only available for administrators who can access both the Cyber Protection
console and the management portal, and can manage more than one tenant or unit.
To work on the partner level, select All customers.
To work on the customer or unit level, select the name of that customer or unit.
Cyber Protection console – partner level view
When you use the Cyber Protection console on the partner level, a customized view is available.
The Alerts and Activities tabs provide additional partner-related filters, while the Devices and the
Management tabs provide access only to the features or objects that are accessible to partner
administrators.
Alerts tab
Here, you can see the alerts from all your managed customers, search them, and filter them
according to the following criteria:
• Device
• Customer
• Plan
You can select multiple items for each of these criteria.
Activities tab
Here, you can see the activities from all the tenants that you manage or the activities in a specific
customer tenant.
You can filter the activities by customer, status, time, and type.
The following types of activities are automatically pre-selected on this level:
• Applying plan
• Creating the protection plan
• Protection plan
• Revoking plan
• Scripting
Devices tab
Only the All devices, Machines with agents, and virtualization host tabs are available under
Devices.
In the Machines with agents tab, you can see all workloads from your managed customer tenants,
and you can select workloads from one or more tenants. You can also create device groups that
include workloads from different tenants.
Important
When you work on the partner (All customers) level, a limited number of operations with devices
are available. For example, you cannot see or manage existing protection plans on customer
devices, create new protection plans, add new devices, recover backups, use Disaster
Recovery, or access the Cyber Protection Desktop features. To perform any of these operations,
switch to the customer level.
To see the workloads of a specific customer
1. In the Cyber Protection console, go to Devices > Machines with agents.
2. In the tree, click Machines with agents to expand the list.
3. Click the name of the customer whose workloads you want to manage.
To create a static device group on the partner level
1. In the Cyber Protection console, go to Devices > Machines with agents.
2. Click the gear icon next to Machines with agents, and then click New group.
3. Specify the group name.
4. [Optional] Add a description.
5. Click OK.
To create a dynamic device group on the partner level
1. In the Cyber Protection console, go to Devices > Machines with agents.
2. In the tree, click Machines with agents to expand the list.
3. Click All.
4. In the search field, specify the criteria according to which you want to create a dynamic device
group, and then click Search.
To learn more about the available search criteria, refer to "Search query" (p. 139).
5. Click Save as, and then specify the group name.
6. [Optional] Add a description.
7. Click OK.
Software management tab
If the software inventory scanning is enabled for customer workloads, partner administrators can
see the software scanning results.
Software requirements
Supported web browsers
The Cyber Protection web console supports the following web browsers:
• Google Chrome 29 or later
• Mozilla Firefox 23 or later
• Opera 16 or later
• Microsoft Edge 25 or later
• Safari 8 or later running in the macOS and iOS operating systems
In other web browsers (including Safari browsers running in other operating systems), the user
interface might be displayed incorrectly or some functions may be unavailable.
Supported operating systems and environments
Agent for Windows
This agent includes a component for Antivirus & Antimalware protection and URL Filtering. See
"Supported Cyber Protect features by operating system" (p. 19) for details about supported
functionality by operating system.
• Windows XP Professional SP1 (x64), SP2 (x64), SP3 (x86)
• Windows Server 2003 SP1/2003 R2 and later – Standard and Enterprise editions (x86, x64)
• Windows Small Business Server 2003/2003 R2
• Windows Server 2008, Windows Server 2008 SP2* – Standard, Enterprise, Datacenter,
  Foundation, and Web editions (x86, x64)
• Windows Small Business Server 2008, Windows Small Business Server 2008 SP2*
• Windows 7 – all editions
  Note
  To use Cyber Protection with Windows 7, you must install the following updates from Microsoft
  before installing the Cyber Protection agent:
  ◦ Windows 7 Extended Security Updates (ESU)
  ◦ KB4474419
  ◦ KB4490628
  For more information on the required updates, refer to this knowledge base article.
• Windows Server 2008 R2* – Standard, Enterprise, Datacenter, Foundation, and Web editions
• Windows Home Server 2011*
• Windows MultiPoint Server 2010*/2011*/2012
• Windows Small Business Server 2011* – all editions
• Windows 8/8.1 – all editions (x86, x64), except for the Windows RT editions
• Windows Server 2012/2012 R2 – all editions
• Windows Storage Server 2003/2008/2008 R2/2012/2012 R2/2016
• Windows 10 – Home, Pro, Education, Enterprise, IoT Enterprise and LTSC (formerly LTSB) editions
• Windows Server 2016 – all installation options, except for Nano Server
• Windows Server 2019 – all installation options, except for Nano Server
• Windows 11 – all editions
• Windows Server 2022 – all installation options, except for Nano Server
Note
* To use Cyber Protection with this version of Windows, you must install the SHA2 code signing
support update from Microsoft (KB4474419) before installing the Cyber Protection agent.
For information on issues related to the SHA2 code signing support update, refer to this knowledge
base article.
Agent for SQL, Agent for Active Directory, Agent for Exchange (for database backup and application-aware backup)
Each of these agents can be installed on a machine running any operating system listed above and a
supported version of the respective application.
Agent for Data Loss Prevention
• Microsoft Windows 7 Service Pack 1 and later
• Microsoft Windows Server 2008 R2 and later
• macOS 10.15 (Catalina) and later
• macOS 11.2.3 (Big Sur) and later
Note
Agent for Data Loss Prevention for macOS supports only x64 processors (Apple silicon ARM-based
processors are not supported).
Note
Agent for Data Loss Prevention might be installed on unsupported macOS systems because it is an
integral part of Agent for Mac. In this case, the Cyber Protect console will display that Agent for Data
Loss Prevention is installed on the computer, but the device control functionality will not work.
Device control functionality will only work on macOS systems that are supported by Agent for Data
Loss Prevention.
Agent for File Sync & Share
For the list of supported operating systems, refer to the Cyber Files Cloud user guide.
Agent for Exchange (for mailbox backup)
• Windows Server 2008 – Standard, Enterprise, Datacenter, Foundation, and Web editions (x86, x64)
• Windows Small Business Server 2008
• Windows 7 – all editions
• Windows Server 2008 R2 – Standard, Enterprise, Datacenter, Foundation, and Web editions
• Windows MultiPoint Server 2010/2011/2012
• Windows Small Business Server 2011 – all editions
• Windows 8/8.1 – all editions (x86, x64), except for the Windows RT editions
• Windows Server 2012/2012 R2 – all editions
• Windows Storage Server 2008/2008 R2/2012/2012 R2
• Windows 10 – Home, Pro, Education, and Enterprise editions
• Windows Server 2016 – all installation options, except for Nano Server
• Windows Server 2019 – all installation options, except for Nano Server
Agent for Microsoft 365
• Windows Server 2008 – Standard, Enterprise, Datacenter, Foundation, and Web editions (x64 only)
• Windows Small Business Server 2008
• Windows Server 2008 R2 – Standard, Enterprise, Datacenter, Foundation, and Web editions
• Windows Home Server 2011
• Windows Small Business Server 2011 – all editions
• Windows 8/8.1 – all editions (x64 only), except for the Windows RT editions
• Windows Server 2012/2012 R2 – all editions
• Windows Storage Server 2008/2008 R2/2012/2012 R2/2016 (x64 only)
• Windows 10 – Home, Pro, Education, and Enterprise editions (x64 only)
• Windows Server 2016 – all installation options (x64 only), except for Nano Server
• Windows Server 2019 – all installation options (x64 only), except for Nano Server
Agent for Oracle
• Windows Server 2008R2 – Standard, Enterprise, Datacenter, and Web editions (x86, x64)
• Windows Server 2012R2 – Standard, Enterprise, Datacenter, and Web editions (x86, x64)
• Linux – any kernel and distribution supported by Agent for Linux (listed below)
Agent for MySQL/MariaDB
• Linux – any kernel and distribution supported by Agent for Linux (listed below)
Agent for Linux
This agent includes a component for Antivirus & Antimalware protection and URL Filtering. See
"Supported Cyber Protect features by operating system" (p. 19) for details about supported
functionality by operating system.
Important
Active protection and real-time protection are not supported on kernel versions 4.17 and later.
The following Linux distributions and kernel versions have been specifically tested. However, even if
your Linux distribution or kernel version is not listed below, it may still work correctly in all required
scenarios, due to the specifics of the Linux operating systems.
If you encounter issues while using Cyber Protection with your combination of Linux distribution
and kernel version, contact the Support team for further investigation.
Linux with kernel from 2.6.9 to 5.16 and glibc 2.3.4 or later, including the following x86 and
x86_64 distributions:
• Red Hat Enterprise Linux 4.x, 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*, 8.5*
• Ubuntu 9.10, 10.04, 10.10, 11.04, 11.10, 12.04, 12.10, 13.04, 13.10, 14.04, 14.10, 15.04, 15.10,
  16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 19.04, 19.10, 20.04, 20.10, 21.04, 21.10, 22.04
• Fedora 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31
• SUSE Linux Enterprise Server 10, 11, 12, 15
  Important
  Configurations with Btrfs are not supported for SUSE Linux Enterprise Server 12 and SUSE Linux
  Enterprise Server 15.
• Debian 4.x, 5.x, 6.x, 7.0, 7.2, 7.4, 7.5, 7.6, 7.7, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.11, 9.0, 9.1,
  9.2, 9.3, 9.4, 9.5, 9.6, 9.7, 9.8, 10, 11
• CentOS 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*, 8.5*
• CentOS Stream 8
• Oracle Linux 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*, 8.5* – both Unbreakable Enterprise Kernel and
  Red Hat Compatible Kernel
• CloudLinux 5.x, 6.x, 7.x, 8.0, 8.1, 8.2, 8.3, 8.4*, 8.5*
• ClearOS 5.x, 6.x, 7.x
• AlmaLinux 8.4*, 8.5*
• Rocky Linux 8.4*, 8.5*
• ALT Linux 7.0
Before installing the product on a system that does not use RPM Package Manager, such as an
Ubuntu system, you need to install this manager manually; for example, by running the following
command (as the root user): apt-get install rpm
* Supported only with kernels from 4.18 to 5.16
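A pre-installation check built from the limits listed above, as an added example that is not part of the Acronis guide. It flags hosts outside the tested kernel and glibc range and, the case worth tracking across a fleet, hosts where the agent is supported but active and real-time protection is not; the `preflight` function, its finding names and the distribution names used as keys are hypothetical.

```python
import platform
import re
import shutil

KERNEL_MIN = (2, 6, 9)             # "Linux with kernel from 2.6.9 to 5.16"
KERNEL_MAX = (5, 16)
GLIBC_MIN = (2, 3, 4)              # "glibc 2.3.4 or later"
STARRED_KERNEL_MIN = (4, 18)       # "* Supported only with kernels from 4.18 to 5.16"
NO_ACTIVE_PROTECTION_FROM = (4, 17)  # not supported on kernel 4.17 and later

# Releases that carry the asterisk in the guide's list (keys are lowercased
# distribution names as the guide spells them).
STARRED_RELEASES = {
    "red hat enterprise linux": {"8.4", "8.5"},
    "centos": {"8.4", "8.5"},
    "oracle linux": {"8.4", "8.5"},
    "cloudlinux": {"8.4", "8.5"},
    "almalinux": {"8.4", "8.5"},
    "rocky linux": {"8.4", "8.5"},
}
BTRFS_UNSUPPORTED = {"suse linux enterprise server": {"12", "15"}}
BLOCKING = {"kernel_out_of_range", "glibc_too_old",
            "starred_release_kernel", "btrfs_unsupported"}


def parse(version: str) -> tuple:
    """'4.18.0-348.el8.x86_64' -> (4, 18, 0); missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def preflight(kernel, glibc, distro, release, has_rpm, uses_btrfs=False):
    """Return (supported, findings) for one host description."""
    k, g = parse(kernel), parse(glibc)
    name = distro.strip().lower()
    major = re.match(r"\d*", release).group()
    minor = ".".join(release.split(".")[:2])
    findings = set()
    if not (KERNEL_MIN <= k and k[:2] <= KERNEL_MAX):
        findings.add("kernel_out_of_range")
    if g < GLIBC_MIN:
        findings.add("glibc_too_old")
    if minor in STARRED_RELEASES.get(name, ()) and k[:2] < STARRED_KERNEL_MIN:
        findings.add("starred_release_kernel")
    if uses_btrfs and major in BTRFS_UNSUPPORTED.get(name, ()):
        findings.add("btrfs_unsupported")
    if k[:2] >= NO_ACTIVE_PROTECTION_FROM:
        # Not a blocker, but a protection gap that should be recorded.
        findings.add("no_active_protection")
    if not has_rpm:
        # Prerequisite from the guide, e.g. "apt-get install rpm" on Ubuntu.
        findings.add("rpm_missing")
    return not (findings & BLOCKING), findings


def local_host_facts() -> dict:
    """Facts that can be read from the running host itself."""
    return {
        "kernel": platform.release(),
        "glibc": platform.libc_ver()[1] or "0",
        "has_rpm": shutil.which("rpm") is not None,
    }


if __name__ == "__main__":
    # Distribution and release are supplied by the operator (sample values).
    ok, found = preflight(distro="Ubuntu", release="22.04", **local_host_facts())
    print("supported:", ok, "findings:", sorted(found))
```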
Agent for Mac
This agent includes a component for Antivirus & Antimalware protection and URL Filtering. See
"Supported Cyber Protect features by operating system" (p. 19) for details about supported
functionality by operating system.
Both x64 and ARM architecture (used in Apple silicon processors such as Apple M1)* are supported.
• OS X Mavericks 10.9
• OS X Yosemite 10.10
• OS X El Capitan 10.11
• macOS Sierra 10.12
• macOS High Sierra 10.13
• macOS Mojave 10.14
• macOS Catalina 10.15
• macOS Big Sur 11
• macOS Monterey 12
Agent for VMware (Virtual Appliance)
This agent is delivered as a virtual appliance for running on an ESXi host.
VMware ESXi 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, 6.7, 7.0
Agent for VMware (Windows)
This agent is delivered as a Windows application for running in any operating system listed above
for Agent for Windows with the following exceptions:
• 32-bit operating systems are not supported.
• Windows XP, Windows Server 2003/2003 R2, and Windows Small Business Server 2003/2003 R2
  are not supported.
Agent for Hyper-V
• Windows Server 2008 (x64 only) with Hyper-V role, including Server Core installation mode
• Windows Server 2008 R2 with Hyper-V role, including Server Core installation mode
• Microsoft Hyper-V Server 2008/2008 R2
• Windows Server 2012/2012 R2 with Hyper-V role, including Server Core installation mode
• Microsoft Hyper-V Server 2012/2012 R2
• Windows 8, 8.1 (x64 only) with Hyper-V
• Windows 10 – Pro, Education, and Enterprise editions with Hyper-V
• Windows Server 2016 with Hyper-V role – all installation options, except for Nano Server
• Microsoft Hyper-V Server 2016
• Windows Server 2019 with Hyper-V role – all installation options, except for Nano Server
• Microsoft Hyper-V Server 2019
• Windows Server 2022 – all installation options, except for Nano Server
Agent for Virtuozzo
• Virtuozzo 6.0.10, 6.0.11, 6.0.12, 7.0.13, 7.0.14
• Virtuozzo Hybrid Server 7.5
Agent for Virtuozzo Hybrid Infrastructure
Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5
Agent for Scale Computing HC3
Scale Computing Hypercore 8.8, 8.9, 9.0, 9.1
Agent for oVirt
Red Hat Virtualization 4.2, 4.3, 4.4
Cyber Protect Monitor
• Windows 7 and later
• Windows Server 2008 R2 and later
• All macOS versions that are supported by Agent for Mac
Supported Microsoft SQL Server versions
• Microsoft SQL Server 2019
• Microsoft SQL Server 2017
• Microsoft SQL Server 2016
• Microsoft SQL Server 2014
• Microsoft SQL Server 2012
• Microsoft SQL Server 2008 R2
• Microsoft SQL Server 2008
• Microsoft SQL Server 2005
The SQL Server Express editions of the above SQL server versions are supported as well.
Supported Microsoft Exchange Server versions
• Microsoft Exchange Server 2019 – all editions.
• Microsoft Exchange Server 2016 – all editions.
• Microsoft Exchange Server 2013 – all editions, Cumulative Update 1 (CU1) and later.
• Microsoft Exchange Server 2010 – all editions, all service packs. Mailbox backup and granular
  recovery from database backups are supported starting with Service Pack 1 (SP1).
• Microsoft Exchange Server 2007 – all editions, all service packs. Mailbox backup and granular
  recovery from database backups are not supported.
Supported Microsoft SharePoint versions
Cyber Protection supports the following Microsoft SharePoint versions:
• Microsoft SharePoint 2013
• Microsoft SharePoint Server 2010 SP1
• Microsoft SharePoint Foundation 2010 SP1
• Microsoft Office SharePoint Server 2007 SP2*
• Microsoft Windows SharePoint Services 3.0 SP2*
*In order to use SharePoint Explorer with these versions, you need a SharePoint recovery farm to
attach the databases to.
The backups or databases from which you extract data must originate from the same SharePoint
version as the one where SharePoint Explorer is installed.
Supported Oracle Database versions
• Oracle Database version 11g, all editions
• Oracle Database version 12c, all editions
Only single-instance configurations are supported.
Supported SAP HANA versions
HANA 2.0 SPS 03 installed in RHEL 7.6 running on a physical machine or VMware ESXi virtual
machine.
Because SAP HANA does not support recovery of multitenant database containers by using storage
snapshots, this solution supports SAP HANA containers with only one tenant database.
Supported MySQL versions
• 5.5.x – Community Server, Enterprise, Standard, and Classic editions
• 5.6.x – Community Server, Enterprise, Standard, and Classic editions
• 5.7.x – Community Server, Enterprise, Standard, and Classic editions
• 8.0.x – Community Server, Enterprise, Standard, and Classic editions
Supported MariaDB versions
• 10.0.x
• 10.1.x
• 10.2.x
• 10.3.x
• 10.4.x
• 10.5.x
Supported virtualization platforms
The following table summarizes how various virtualization platforms are supported.
Note
The following hypervisor vendors and versions supported via the Backup from inside a guest OS
method have been specifically tested. However, even if you run a hypervisor from a vendor or
with a version that is not listed below, the Backup from inside a guest OS method may
still work correctly in all required scenarios.
If you encounter issues while using Cyber Protection with your combination of hypervisor vendor
and version, contact the Support team for further investigation.
| Platform | Backup at a hypervisor level (agentless backup) | Backup from inside a guest OS |
|---|---|---|
| VMware | | |
| VMware vSphere versions: 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, 6.7, 7.0. VMware vSphere editions: VMware vSphere Essentials*, VMware vSphere Essentials Plus*, VMware vSphere Standard*, VMware vSphere Advanced, VMware vSphere Enterprise, VMware vSphere Enterprise Plus | + | + |
| VMware vSphere Hypervisor (Free ESXi)** | | + |
| VMware Server (VMware Virtual server); VMware Workstation; VMware ACE; VMware Player | | + |
| Microsoft | | |
| Windows Server 2008 (x64) with Hyper-V; Windows Server 2008 R2 with Hyper-V; Microsoft Hyper-V Server 2008/2008 R2; Windows Server 2012/2012 R2 with Hyper-V; Microsoft Hyper-V Server 2012/2012 R2; Windows 8, 8.1 (x64) with Hyper-V; Windows 10 with Hyper-V; Windows Server 2016 with Hyper-V – all installation options, except for Nano Server; Microsoft Hyper-V Server 2016; Windows Server 2019 with Hyper-V – all installation options, except for Nano Server; Microsoft Hyper-V Server 2019; Windows Server 2022 with Hyper-V – all installation options, except for Nano Server | + | + |
| Microsoft Virtual PC 2004, 2007; Windows Virtual PC | | + |
| Microsoft Virtual Server 2005 | | + |
| Scale Computing | | |
| Scale Computing Hypercore 8.8, 8.9, 9.0, 9.1 | + | + |
| Citrix | | |
| Citrix XenServer/Citrix Hypervisor 4.1.5, 5.5, 5.6, 6.0, 6.1, 6.2, 6.5, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 8.0, 8.1, 8.2 | | Only fully virtualized (aka HVM) guests. Paravirtualized (aka PV) guests are not supported. |
| Red Hat and Linux | | |
| Red Hat Enterprise Virtualization (RHEV) 2.2, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6; Red Hat Virtualization (RHV) 4.0, 4.1 | | + |
| Red Hat Virtualization (managed by oVirt) 4.2, 4.3, 4.4 | + | + |
| Kernel-based Virtual Machines (KVM) | | + |
| Kernel-based Virtual Machines (KVM) managed by oVirt 4.3 running on Red Hat Enterprise Linux 7.6, 7.7 or CentOS 7.6, 7.7 | + | + |
| Kernel-based Virtual Machines (KVM) managed by oVirt 4.4 running on Red Hat Enterprise Linux 8.x or CentOS Stream 8.x | + | + |
| Parallels | | |
| Parallels Workstation | | + |
| Parallels Server 4 Bare Metal | | + |
| Oracle | | |
| Oracle Virtualization Manager (based on oVirt)*** 4.3 | + | + |
| Oracle VM Server 3.0, 3.3, 3.4 | | Only fully virtualized (aka HVM) guests. Paravirtualized (aka PV) guests are not supported. |
| Oracle VM VirtualBox 4.x | | + |
| Nutanix | | |
| Nutanix Acropolis Hypervisor (AHV) 20160925.x through 20180425.x | | + |
| Virtuozzo | | |
| Virtuozzo 6.0.10, 6.0.11, 6.0.12 | + | Virtual machines only. Containers are not supported. |
| Virtuozzo 7.0.13, 7.0.14 | Ploop containers only. Virtual machines are not supported. | Virtual machines only. Containers are not supported. |
| Virtuozzo Hybrid Server 7.5 | + | Virtual machines only. Containers are not supported. |
| Virtuozzo Hybrid Infrastructure | | |
| Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5 | + | + |
| Amazon | | |
| Amazon EC2 instances | | + |
| Microsoft Azure | | |
| Azure virtual machines | | + |
* In these editions, the HotAdd transport for virtual disks is supported on vSphere 5.0 and later. On
version 4.1, backups may run slower.
** Backup at a hypervisor level is not supported for vSphere Hypervisor because this product
restricts access to Remote Command Line Interface (RCLI) to read-only mode. The agent works
during the vSphere Hypervisor evaluation period while no serial key is entered. Once you enter a
serial key, the agent stops functioning.
***Oracle Virtualization Manager is supported by Agent for oVirt.
Limitations
• Fault tolerant machines
  Agent for VMware backs up a fault tolerant machine only if fault tolerance was enabled in
  VMware vSphere 6.0 and later. If you upgraded from an earlier vSphere version, it is enough to
  disable and enable fault tolerance for each machine. If you are using an earlier vSphere version,
  install an agent in the guest operating system.
• Independent disks and RDM
  Agent for VMware does not back up Raw Device Mapping (RDM) disks in physical compatibility
  mode or independent disks. The agent skips these disks and adds warnings to the log. You can
  avoid the warnings by excluding independent disks and RDMs in physical compatibility mode
  from the protection plan. If you want to back up these disks or data on these disks, install an
  agent in the guest operating system.
• Pass-through disks
  Agent for Hyper-V does not back up pass-through disks. During backup, the agent skips these
  disks and adds warnings to the log. You can avoid the warnings by excluding pass-through disks
  from the protection plan. If you want to back up these disks or data on these disks, install an
  agent in the guest operating system.
• Hyper-V guest clustering
  Agent for Hyper-V does not support backup of Hyper-V virtual machines that are nodes of a
  Windows Server Failover Cluster. A VSS snapshot at the host level can even temporarily
  disconnect the external quorum disk from the cluster. If you want to back up these machines,
  install agents in the guest operating systems.
• In-guest iSCSI connection
  Agent for VMware and Agent for Hyper-V do not back up LUN volumes connected by an iSCSI
  initiator that works within the guest operating system. Because the ESXi and Hyper-V hypervisors
  are not aware of such volumes, the volumes are not included in hypervisor-level snapshots and
  are omitted from a backup without a warning. If you want to back up these volumes or data on
  these volumes, install an agent in the guest operating system.
• Linux machines containing logical volumes (LVM)
  Agent for VMware and Agent for Hyper-V do not support the following operations for Linux
  machines with LVM:
  ◦ P2V migration, V2P migration, and V2V migration from Virtuozzo. Use Agent for Linux to create
    the backup and bootable media to recover.
  ◦ Running a virtual machine from a backup created by Agent for Linux.
• Encrypted virtual machines (introduced in VMware vSphere 6.5)
  ◦ Encrypted virtual machines are backed up in an unencrypted state. If encryption is critical to
    you, enable encryption of backups when creating a protection plan.
  ◦ Recovered virtual machines are always unencrypted. You can manually enable encryption after
    the recovery is complete.
  ◦ If you back up encrypted virtual machines, we recommend that you also encrypt the virtual
    machine where Agent for VMware is running. Otherwise, operations with encrypted machines
    may be slower than expected. Apply the VM Encryption Policy to the agent's machine by
    using vSphere Web Client.
49 © Acronis International GmbH, 2003-2022
o Encrypted virtual machines will be backed up via LAN, even if you configure the SAN transport
mode for the agent. The agent will fall back on the NBD transport because VMware does not
support SAN transport for backing up encrypted virtual disks.
l Secure Boot
o VMware virtual machines: (introduced in VMware vSphere 6.5) Secure Boot is disabled after a
virtual machine is recovered as a new virtual machine. You can manually enable this option
after the recovery is complete. This limitation applies to VMware.
o Hyper-V virtual machines: For all GEN2 VMs, Secure Boot is disabled after the virtual machine is
recovered to both new virtual machine or an existing virtual machine.
l ESXi configuration backup is not supported for VMware vSphere 7.0.
Compatibility with encryption software
There are no limitations on backing up and recovering data that is encrypted by file-level encryption
software.
Disk-level encryption software encrypts data on the fly, which is why the data contained in the
backup is not encrypted. Such software often modifies system areas: boot records, partition
tables, or file system tables. These factors affect disk-level backup and recovery, the ability
of the recovered system to boot, and access to Secure Zone.
You can back up the data encrypted by the following disk-level encryption software:
• Microsoft BitLocker Drive Encryption
• McAfee Endpoint Encryption
• PGP Whole Disk Encryption
To ensure reliable disk-level recovery, follow the common rules and software-specific
recommendations.
Common installation rule
We strongly recommend that you install the encryption software before installing the protection
agents.
The way of using Secure Zone
Secure Zone must not be encrypted with disk-level encryption. This is the only way to use Secure
Zone:
1. Install the encryption software; then, install the agent.
2. Create Secure Zone.
3. Exclude Secure Zone when encrypting the disk or its volumes.
Common backup rule
You can do a disk-level backup in the operating system.
Software-specific recovery procedures
Microsoft BitLocker Drive Encryption
To recover a system that was encrypted by BitLocker:
1. Boot from the bootable media.
2. Recover the system. The recovered data will be unencrypted.
3. Reboot the recovered system.
4. Turn on BitLocker.
If you only need to recover one partition of a multi-partitioned disk, do so under the operating
system. Recovery under bootable media may make the recovered partition undetectable for
Windows.
McAfee Endpoint Encryption and PGP Whole Disk Encryption
You can recover an encrypted system partition by using bootable media only.
If the recovered system fails to boot, rebuild Master Boot Record as described in the following
Microsoft knowledge base article: https://support.microsoft.com/kb/2622803
Supported file systems
A protection agent can back up any file system that is accessible from the operating system where
the agent is installed. For example, Agent for Windows can back up and recover an ext4 file system if
the corresponding driver is installed in Windows.
The following table summarizes the file systems that can be backed up and recovered (bootable
media supports only recovery). The limitations apply to both the agents and bootable media.
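| File system | Supported by: Agents | Supported by: Bootable media for Windows and Linux | Supported by: Bootable media for Mac | Limitations |
|---|---|---|---|---|
| FAT16/32 | All agents | + | + | No limitations |
| NTFS | All agents | + | + | No limitations |
| ext2/ext3/ext4 | All agents | + | - | No limitations |
| HFS+ | Agent for Mac | - | + | No limitations |
| APFS | Agent for Mac | - | + | Supported starting with macOS High Sierra 10.13. Disk configuration should be re-created manually when recovering to a non-original machine or bare metal. |
| JFS | Agent for Linux | + | - | Files cannot be excluded from a disk backup. Fast incremental/differential backup cannot be enabled. |
| ReiserFS3 | Agent for Linux | + | - | Files cannot be excluded from a disk backup. Fast incremental/differential backup cannot be enabled. |
| ReiserFS4 | Agent for Linux | + | - | Files cannot be excluded from a disk backup. Fast incremental/differential backup cannot be enabled. Volumes cannot be resized during a recovery. |
| ReFS | All agents | + | + | Files cannot be excluded from a disk backup. Fast incremental/differential backup cannot be enabled. Volumes cannot be resized during a recovery. |
| XFS | All agents | + | + | Files cannot be excluded from a disk backup. Fast incremental/differential backup cannot be enabled. Volumes cannot be resized during a recovery. |
| Linux swap | Agent for Linux | + | - | No limitations |
| exFAT | All agents | + | + | Only disk/volume backup is supported. Files cannot be excluded from a backup. Individual files cannot be recovered from a backup. |

exFAT: Bootable media cannot be used for recovery if the backup is stored on exFAT.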
The software automatically switches to the sector-by-sector mode when backing up drives with
unrecognized or unsupported file systems (for example, Btrfs). A sector-by-sector backup is possible
for any file system that:
• is block-based
• spans a single disk
• has a standard MBR/GPT partitioning scheme
If the file system does not meet these requirements, the backup fails.
Data Deduplication
In Windows Server 2012 and later, you can enable the Data Deduplication feature for an NTFS
volume. Data Deduplication reduces the used space on the volume by storing duplicate fragments
of the volume's files only once.
You can back up and recover a data deduplication–enabled volume at a disk level, without
limitations. File-level backup is supported, except when using Acronis VSS Provider. To recover files
from a disk backup, either run a virtual machine from your backup, or mount the backup on a
machine running Windows Server 2012 or later, and then copy the files from the mounted volume.
The Data Deduplication feature of Windows Server is unrelated to the Acronis Backup Deduplication
feature.
Installing the software
Which agent do I need?
Selecting an agent depends on what you are going to back up. The table below summarizes the
information, to help you decide.
In Windows, Agent for Exchange, Agent for SQL, Agent for Active Directory, and Agent for Oracle
require that Agent for Windows is also installed. Thus, if you install, for example, Agent for SQL, you
will also be able to back up the entire machine where the agent is installed.
We recommend installing Agent for Windows when you also install Agent for VMware (Windows)
and Agent for Hyper-V.
In Linux, Agent for Oracle and Agent for Virtuozzo require that Agent for Linux (64-bit) is also
installed. These three agents share one installer.
| What are you going to back up? | Which agent to install? | Where to install it? |
|---|---|---|
| **Physical machines** | | |
| Physical machines running Windows | Agent for Windows | On the machine that will be backed up. |
| Physical machines running Linux | Agent for Linux | On the machine that will be backed up. |
| Physical machines running macOS | Agent for Mac | On the machine that will be backed up. |
| **Applications** | | |
| SQL databases | Agent for SQL | On the machine running Microsoft SQL Server. |
| MySQL databases | Agent for MySQL/MariaDB | On the machine running MySQL Server. |
| MariaDB databases | Agent for MySQL/MariaDB | On the machine running MariaDB Server. |
| Exchange databases | Agent for Exchange | On the machine running the Mailbox role of Microsoft Exchange Server.* |
| Microsoft 365 mailboxes | Agent for Microsoft 365 | On a Windows machine that is connected to the Internet. Depending on the desired functionality, you may or may not need to install Agent for Microsoft 365. For more information, refer to "Protecting Microsoft 365 data". |
| Microsoft 365 OneDrive files and SharePoint Online sites | — | This data can be backed up only by an agent that is installed in the cloud. For more information, refer to "Protecting Microsoft 365 data". |
| Google Workspace Gmail mailboxes, Google Drive files, and Shared drive files | — | This data can be backed up only by an agent that is installed in the cloud. For more information, refer to "Protecting Google Workspace". |
| Machines running Active Directory Domain Services | Agent for Active Directory | On the domain controller. |
| Machines running Oracle Database | Agent for Oracle | On the machine running Oracle Database. |
| **Virtual machines** | | |
| VMware ESXi virtual machines | Agent for VMware (Windows) | On a Windows machine that has network access to vCenter Server and to the virtual machine storage.** |
| VMware ESXi virtual machines | Agent for VMware (Virtual Appliance) | On the ESXi host. |
| Hyper-V virtual machines | Agent for Hyper-V | On the Hyper-V host. |
| Scale Computing HC3 virtual machines | Agent for Scale Computing HC3 (Virtual Appliance) | On the Scale Computing HC3 host. |
| Red Hat Virtualization virtual machines (managed by oVirt) | Agent for oVirt (Virtual Appliance) | On the Red Hat Virtualization host. |
| Virtuozzo virtual machines and containers*** | Agent for Virtuozzo | On the Virtuozzo host. |
| Virtuozzo Hybrid Infrastructure virtual machines | Agent for Virtuozzo Hybrid Infrastructure | On the Virtuozzo Hybrid Infrastructure host. |
| Virtual machines hosted on Amazon EC2 | The same as for physical machines**** | On the machine that will be backed up. |
| Virtual machines hosted on Windows Azure | The same as for physical machines**** | On the machine that will be backed up. |
| Citrix XenServer virtual machines | The same as for physical machines**** | On the machine that will be backed up. |
| Red Hat Virtualization (RHV/RHEV) | The same as for physical machines**** | On the machine that will be backed up. |
| Kernel-based Virtual Machines (KVM) | The same as for physical machines**** | On the machine that will be backed up. |
| Oracle virtual machines | The same as for physical machines**** | On the machine that will be backed up. |
| Nutanix AHV virtual machines | The same as for physical machines**** | On the machine that will be backed up. |
| **Mobile devices** | | |
| Mobile devices running Android | Mobile app for Android | On the mobile device that will be backed up. |
| Mobile devices running iOS | Mobile app for iOS | On the mobile device that will be backed up. |
*During the installation, Agent for Exchange checks for enough free space on the machine where it
will run. Free space equal to 15 percent of the biggest Exchange database is temporarily needed
during a granular recovery.
**If your ESXi uses a SAN attached storage, install the agent on a machine connected to the same
SAN. The agent will back up the virtual machines directly from the storage rather than via the ESXi
host and LAN. For detailed instructions, refer to "Agent for VMware - LAN-free backup".
***For Virtuozzo 7, only ploop containers are supported. Virtual machines are not supported.
****A virtual machine is considered virtual if it is backed up by an external agent. If an agent is
installed in the guest system, the backup and recovery operations are the same as with a physical
machine. Nevertheless, if Cyber Protection can identify a virtual machine by using the CPUID
instruction, a virtual machine service quota is assigned to it. If you use direct passthrough or
another option that masks the CPU manufacturer ID, only service quotas for physical machines can
be assigned.
System requirements for agents
| Agent | Disk space required for installation |
|---|---|
| Agent for Windows | 1.2 GB |
| Agent for Linux | 2 GB |
| Agent for Mac | 1 GB |
| Agent for SQL and Agent for Windows | 1.2 GB |
| Agent for Exchange and Agent for Windows | 1.3 GB |
| Agent for Data Loss Prevention | 500 MB |
| Agent for Microsoft 365 | 500 MB |
| Agent for Active Directory and Agent for Windows | 2 GB |
| Agent for VMware and Agent for Windows | 1.5 GB |
| Agent for Hyper-V and Agent for Windows | 1.5 GB |
| Agent for Virtuozzo and Agent for Linux | 1 GB |
| Agent for Virtuozzo Hybrid Infrastructure | 700 MB |
| Agent for Oracle and Agent for Windows | 2.2 GB |
| Agent for Oracle and Agent for Linux | 2 GB |
| Agent for MySQL/MariaDB and Agent for Linux | 2 GB |
Backup operations require about 1 GB of RAM per 1 TB of backup size. The memory consumption
may vary, depending on the amount and type of data being processed by the agents.
Note
The RAM usage might increase when backing up to extra large backup sets (4 TB and more).
On x64 systems, operations with bootable media and disk recovery with restart require at least 2 GB
of memory.
Preparation
Step 1
Choose an agent, depending on what you are going to back up. For more information on the
possible choices, refer to Which agent do I need?
Step 2
Ensure that there is enough free space on your hard drive to install an agent. For detailed
information about the required space, refer to "System requirements for agents" (p. 56).
Step 3
Download the setup program. To find the download links, click All devices > Add.
The Add devices page provides web installers for each agent that is installed in Windows. A web
installer is a small executable file that downloads the main setup program from the Internet and
saves it as a temporary file. This file is deleted immediately after the installation.
If you want to store the setup programs locally, download a package containing all agents for
installation in Windows by using the link at the bottom of the Add devices page. Both 32-bit and
64-bit packages are available. These packages enable you to customize the list of components to install.
These packages also enable unattended installation, for example, via Group Policy. This advanced
scenario is described in Deploying agents through Group Policy.
To download Agent for Microsoft 365 setup program, click the account icon in the top-right corner,
and then click Downloads > Agent for Microsoft 365.
Installation in Linux and macOS is performed from ordinary setup programs.
All setup programs require an Internet connection to register the machine in the Cyber Protection
service. If there is no Internet connection, the installation will fail.
Step 4
Cyber Protect features require Microsoft Visual C++ 2017 Redistributable. Ensure that it is
already installed on your machine, or install it before installing the agent. After the installation of
Microsoft Visual C++, a restart may be required. You can find the Microsoft Visual C++
Redistributable package here:
https://support.microsoft.com/help/2999226/update-for-universal-c-runtime-in-windows
Step 5
Verify that your firewalls and other components of your network security system (such as a proxy
server) allow outbound connections through the following TCP ports.
• 443 and 8443: These ports are used for accessing the service console, registering the agents,
downloading the certificates, user authorization, and downloading files from the cloud storage.
• 7770...7800: The agents use these ports to communicate with the backup management server.
• 44445 and 55556: The agents use these ports for data transfer during backup and recovery.
If a proxy server is enabled in your network, refer to the "Proxy server settings" section to
understand whether you need to configure these settings on each machine that runs a protection
agent.
The minimum Internet connection speed required for managing an agent from the cloud is 1 Mbit/s
(not to be confused with the data transfer rate acceptable for backing up to the cloud). Consider this
if you use a low-bandwidth connection technology such as ADSL.
TCP ports required for backup and replication of VMware virtual machines
• TCP 443: Agent for VMware (both Windows and Virtual Appliance) connects to this port on the
ESXi host/vCenter server to perform VM management operations, such as create, update, and
delete VMs on vSphere during backup, recovery, and VM replication operations.
• TCP 902: Agent for VMware (both Windows and Virtual Appliance) connects to this port on the
ESXi host to establish NFC connections to read/write data on VM disks during backup, recovery,
and VM replication operations.
• TCP 3333: If the Agent for VMware (Virtual Appliance) is running on the ESXi host/cluster that is
the target for VM replication, VM replication traffic does not go directly to the ESXi host on port
902. Instead, the traffic goes from the source Agent for VMware to TCP port 3333 on the Agent for
VMware (Virtual Appliance) located on the target ESXi host/cluster.
The source Agent for VMware that reads data from the original VM disks can be anywhere else
and can be of any type: Virtual Appliance or Windows.
The service that is responsible for accepting VM replication data on the target Agent for VMware
(Virtual Appliance) is called “Replica disk server.” This service is responsible for the WAN
optimization techniques, such as traffic compression and deduplication during VM replication,
including replica seeding (see Seeding an initial replica). When no Agent for VMware (Virtual
Appliance) is running on the target ESXi host, this service is not available, and therefore the
replica seeding scenario is not supported.
Ports required by the Downloader component
The Downloader component is responsible for delivering updates to a computer and distributing
them to other Downloader instances. It can run in agent mode, which turns its computer into a
Downloader agent. The Downloader agent downloads updates from the Internet and serves as the
source of update distribution to other computers. The Downloader requires the following ports to
operate.
• 6888: Used by the BitTorrent protocol for torrent peer-to-peer updates.
• 6771: Used as the local peer discovery port. Also takes part in peer-to-peer updates.
• 18018: Used for communication between updaters working in different modes: Updater and
UpdaterAgent.
• 18019: Local port, used for communication between the Updater and the Cyber Protection
agent.
Step 6
On the machine where you plan to install the Cyber Protection agent, verify that the following local
ports are not in use by other processes.
• 127.0.0.1:9999
• 127.0.0.1:43234
• 127.0.0.1:9850
Note
You do not have to open them in the Firewall.
The Active Protection service is listening at TCP port 6110. Verify that it is not in use by another
process.
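A preflight for Steps 5 and 6, as an added example that is not part of the original guide: it reports which of the listed local ports are already taken and classifies direct outbound TCP attempts to a service host that you supply. The function names are illustrative, and the probe assumes a direct connection rather than one made through a proxy server.

```python
import socket

# Ports listed in Steps 5 and 6 of this section.
OUTBOUND_TCP = [443, 8443, *range(7770, 7801), 44445, 55556]
LOOPBACK_ONLY = [9999, 43234, 9850]   # 127.0.0.1:<port>, Step 6
ACTIVE_PROTECTION = 6110              # Active Protection listener, Step 6


def local_port_in_use(port, address="127.0.0.1"):
    """Return True if another socket already holds address:port (TCP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe_sock:
        try:
            probe_sock.bind((address, port))
        except OSError:
            return True
    return False


def busy_local_ports():
    """Local ports from Step 6 that are already taken on this machine."""
    busy = [p for p in LOOPBACK_ONLY if local_port_in_use(p)]
    # The listening address of port 6110 is not stated in the guide, so test
    # the wildcard address, which conflicts with a listener on any interface.
    if local_port_in_use(ACTIVE_PROTECTION, "0.0.0.0"):
        busy.append(ACTIVE_PROTECTION)
    return busy


def probe(host, port, timeout=3.0):
    """Classify one outbound TCP connection attempt.

    "open"     - the handshake completed
    "refused"  - the host, or a rejecting firewall, answered with a reset
    "filtered" - no answer before the timeout, typical of a firewall drop
    "error"    - name resolution or routing failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def outbound_report(host, ports=OUTBOUND_TCP, timeout=3.0):
    """Map every port that is not "open" to its probe result."""
    results = {port: probe(host, port, timeout) for port in ports}
    return {port: state for port, state in results.items() if state != "open"}


if __name__ == "__main__":
    import sys
    print("local ports already in use:", busy_local_ports() or "none")
    if len(sys.argv) > 1:     # service host name of your data center
        print("outbound ports not open:", outbound_report(sys.argv[1]) or "none")
```

A "filtered" result points at a firewall rule to review, while "refused" means the packets got through but nothing accepted them on that port.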
Changing the ports used by the Cyber Protection agent
Some of the ports required by the Cyber Protection agent might be in use by other applications in
your environment. To avoid conflicts, you can change the default ports used by the Cyber Protection
agent by modifying the following files.
• In Linux: /opt/Acronis/etc/aakore.yaml
• In Windows: \ProgramData\Acronis\Agent\etc\aakore.yaml
Linux packages
To add the necessary modules to the Linux kernel, the setup program needs the following Linux
packages:
• The package with kernel headers or sources. The package version must match the kernel version.
• The GNU Compiler Collection (GCC) compiler system. The GCC version must be the one with
which the kernel was compiled.
• The Make tool.
• The Perl interpreter.
• The libelf-dev, libelf-devel, or elfutils-libelf-devel libraries for building kernels starting with
4.15 and configured with CONFIG_UNWINDER_ORC=y. For some distributions, such as Fedora 28,
they need to be installed separately from kernel headers.
The names of these packages vary depending on your Linux distribution.
In Red Hat Enterprise Linux, CentOS, and Fedora, the packages normally will be installed by the
setup program. In other distributions, you need to install the packages if they are not installed or do
not have the required versions.
Are the required packages already installed?
To check whether the packages are already installed, perform these steps:
1. Run the following command to find out the kernel version and the required GCC version:
cat /proc/version
This command returns lines similar to the following: Linux version 2.6.35.6 and gcc version
4.5.1
2. Run the following command to check whether the Make tool and the GCC compiler are installed:
make -v
gcc -v
For gcc, ensure that the version returned by the command is the same as in the gcc version in
step 1. For make, just ensure that the command runs.
3. Check whether the appropriate version of the packages for building kernel modules is installed:
• In Red Hat Enterprise Linux, CentOS, and Fedora, run the following command:
yum list installed | grep kernel-devel
• In Ubuntu, run the following commands:
dpkg --get-selections | grep linux-headers
dpkg --get-selections | grep linux-image
In either case, ensure that the package versions are the same as in Linux version in step 1.
4. Run the following command to check whether the Perl interpreter is installed:
perl --version
If you see the information about the Perl version, the interpreter is installed.
5. In Red Hat Enterprise Linux, CentOS, and Fedora, run the following command to check whether
elfutils-libelf-devel is installed:
yum list installed | grep elfutils-libelf-devel
If you see the information about the library version, the library is installed.
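The version comparison from steps 1 to 3, as an added example that is not part of the original guide: it parses /proc/version text in both the "gcc version X" layout shown above and the "gcc (BUILD) X" layout printed by newer kernels, then checks the gcc version and the kernel headers listing against it. The sample lines are constructed, and the function names are illustrative.

```python
import re

# Constructed sample inputs (not captured from a real machine).
SAMPLE_OLD = ("Linux version 2.6.35.6-45.fc14.i686 (builder@example) "
              "(gcc version 4.5.1 20100924 (Red Hat 4.5.1-4) (GCC) ) "
              "#1 SMP Mon Oct 18 23:56:17 UTC 2010")
SAMPLE_NEW = ("Linux version 5.15.0-91-generic (builder@example) "
              "(gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld "
              "(GNU Binutils for Ubuntu) 2.38) #101-Ubuntu SMP")

KERNEL_RE = re.compile(r"^Linux version (\S+)")
GCC_OLD_RE = re.compile(r"gcc version (\d+(?:\.\d+)+)")
GCC_NEW_RE = re.compile(r"\(gcc(?:-[\d.]+)? \([^)]*\) (\d+(?:\.\d+)+)")
ARCH_SUFFIX_RE = re.compile(r"\.(i[3-6]86|x86_64|aarch64|ppc64le|s390x)$")


def parse_proc_version(text):
    """Return (kernel_release, gcc_version) from /proc/version text.

    gcc_version is None when no gcc version is reported, for example
    when the kernel was built with another compiler.
    """
    kernel = KERNEL_RE.search(text)
    if not kernel:
        raise ValueError("not a /proc/version line")
    gcc = GCC_OLD_RE.search(text) or GCC_NEW_RE.search(text)
    return kernel.group(1), gcc.group(1) if gcc else None


def _headers_installed(kernel, package_lines):
    # RPM listings show version-release and architecture in separate
    # columns, so also accept the release without its architecture suffix.
    wanted = {kernel, ARCH_SUFFIX_RE.sub("", kernel)}
    for line in package_lines:
        fields = line.split()
        if not fields or fields[-1] in ("deinstall", "purge"):
            continue    # dpkg: package was removed, only a record remains
        if any(f == w or f.endswith("-" + w) for f in fields for w in wanted):
            return True
    return False


def check_build_prereqs(proc_version, installed_gcc, package_lines):
    """Return a list of problems; an empty list means the versions match.

    installed_gcc -- version number reported by `gcc -v`
    package_lines -- output lines of the kernel-devel / linux-headers
                     listing commands from step 3
    """
    kernel, built_with = parse_proc_version(proc_version)
    problems = []
    if built_with is None:
        problems.append("no gcc version found in /proc/version")
    elif installed_gcc != built_with:
        problems.append(
            f"gcc {installed_gcc} is installed, kernel was built with {built_with}")
    if not _headers_installed(kernel, package_lines):
        problems.append(
            f"no installed kernel headers package matches kernel {kernel}")
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        print(parse_proc_version(sample))
```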
Installing the packages from the repository
The following table lists how to install the required packages in various Linux distributions.
Linux distribution: Red Hat Enterprise Linux
Package names: kernel-devel, gcc, make, elfutils-libelf-devel
How to install: The setup program will download and install the packages automatically by using your Red Hat subscription.
Package names: perl
How to install: Run the following command:
yum install perl

Linux distribution: CentOS, Fedora
Package names: kernel-devel, gcc, make, elfutils-libelf-devel
How to install: The setup program will download and install the packages automatically.
Package names: perl
How to install: Run the following command:
yum install perl

Linux distribution: Ubuntu, Debian
Package names: linux-headers, linux-image, gcc, make, perl
How to install: Run the following commands:
sudo apt-get update
sudo apt-get install linux-headers-$(uname -r)
sudo apt-get install linux-image-$(uname -r)
sudo apt-get install gcc-<package version>
sudo apt-get install make
sudo apt-get install perl

Linux distribution: SUSE Linux, OpenSUSE
Package names: kernel-source, gcc, make, perl
How to install:
sudo zypper install kernel-source
sudo zypper install gcc
sudo zypper install make
sudo zypper install perl

The packages will be downloaded from the distribution's repository and installed.
For other Linux distributions, please refer to the distribution's documentation regarding the exact
names of the required packages and the ways to install them.
Installing the packages manually
You may need to install the packages manually if:
• The machine does not have an active Red Hat subscription or Internet connection.
• The setup program cannot find the kernel-devel or gcc version corresponding to the kernel
version. If the available kernel-devel is more recent than your kernel, you need to either update
the kernel or install the matching kernel-devel version manually.
• You have the required packages on the local network and do not want to spend time on
automatic search and downloading.
Obtain the packages from your local network or a trusted third-party website, and install them as
follows:
• In Red Hat Enterprise Linux, CentOS, or Fedora, run the following command as the root user:
rpm -ivh PACKAGE_FILE1 PACKAGE_FILE2 PACKAGE_FILE3
• In Ubuntu, run the following command:
sudo dpkg -i PACKAGE_FILE1 PACKAGE_FILE2 PACKAGE_FILE3
Example: Installing the packages manually in Fedora 14
Follow these steps to install the required packages in Fedora 14 on a 32-bit machine:
1. Run the following command to determine the kernel version and the required GCC version:
cat /proc/version
The output of this command includes the following:
Linux version 2.6.35.6-45.fc14.i686
gcc version 4.5.1
2. Obtain the kernel-devel and gcc packages that correspond to this kernel version:
kernel-devel-2.6.35.6-45.fc14.i686.rpm
gcc-4.5.1-4.fc14.i686.rpm
3. Obtain the make package for Fedora 14:
make-3.82-3.fc14.i686.rpm
4. Install the packages by running the following commands as the root user:
rpm -ivh kernel-devel-2.6.35.6-45.fc14.i686.rpm
rpm -ivh gcc-4.5.1-4.fc14.i686.rpm
rpm -ivh make-3.82-3.fc14.i686.rpm
You can specify all these packages in a single rpm command. Installing any of these packages may
require installing additional packages to resolve dependencies.
Proxy server settings
The protection agents can transfer data through an HTTP/HTTPS proxy server. The server must work
through an HTTP tunnel without scanning or interfering with the HTTP traffic. Man-in-the-middle
proxies are not supported.
Because the agent registers itself in the cloud during the installation, the proxy server settings must
be provided during the installation or in advance.
In Windows
If a proxy server is configured in Windows (Control panel > Internet Options > Connections), the
setup program reads the proxy server settings from the registry and uses them automatically. Also,
you can enter the proxy settings during the installation, or specify them in advance by using the
procedure described below. To change the proxy settings after the installation, use the same
procedure.
To specify the proxy settings in Windows
1. Create a new text document and open it in a text editor, such as Notepad.
2. Copy and paste the following lines into the file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\Global\HttpProxy]
"Enabled"=dword:00000001
"Host"="proxy.company.com"
"Port"=dword:000001bb
"Login"="proxy_login"
"Password"="proxy_password"
3. Replace proxy.company.com with your proxy server host name/IP address, and 000001bb with the
hexadecimal value of the port number. For example, 000001bb is port 443.
4. If your proxy server requires authentication, replace proxy_login and proxy_password with the
proxy server credentials. Otherwise, delete these lines from the file.
5. Save the document as proxy.reg.
6. Run the file as an administrator.
7. Confirm that you want to edit the Windows registry.
8. If the protection agent is not installed yet, you can install it now.
9. Open file %programdata%\Acronis\Agent\etc\aakore.yaml in a text editor.
10. Locate the env section or create it and add the following lines:
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
11. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
12. In the Start menu, click Run, type: cmd, and click OK.
13. Restart the aakore service by using the following commands:
net stop aakore
net start aakore
14. Restart the agent by using the following commands:
net stop mms
net start mms
In Linux
Run the installation file with the parameters --http-proxy-host=ADDRESS --http-proxy-port=PORT
--http-proxy-login=LOGIN --http-proxy-password=PASSWORD. To change the proxy settings after the
installation, use the procedure described below.
To change the proxy settings in Linux
1. Open the file /etc/Acronis/Global.config in a text editor.
2. Do one of the following:
• If the proxy settings were specified during the agent installation, find the following section:
<key name="HttpProxy">
<value name="Enabled" type="Tdword">"1"</value>
<value name="Host" type="TString">"ADDRESS"</value>
<value name="Port" type="Tdword">"PORT"</value>
<value name="Login" type="TString">"LOGIN"</value>
<value name="Password" type="TString">"PASSWORD"</value>
</key>
• Otherwise, copy the above lines and paste them into the file between the <registry
name="Global">...</registry> tags.
3. Replace ADDRESS with the new proxy server host name/IP address, and PORT with the decimal
value of the port number.
4. If your proxy server requires authentication, replace LOGIN and PASSWORD with the proxy server
credentials. Otherwise, delete these lines from the file.
5. Save the file.
6. Open file /opt/acronis/etc/aakore.yaml in a text editor.
7. Locate the env section or create it and add the following lines:
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
8. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
9. Restart the aakore service by using the following command:
sudo service aakore restart
10. Restart the agent by executing the following command in any directory:
sudo service acronis_mms restart
In macOS
You can enter the proxy settings during the installation, or specify them in advance by using the
procedure described below. To change the proxy settings after the installation, use the same
procedure.
To specify the proxy settings in macOS
1. Create the file /Library/Application Support/Acronis/Registry/Global.config and open it in a
text editor, such as Text Edit.
2. Copy and paste the following lines into the file:
<?xml version="1.0" ?>
<registry name="Global">
<key name="HttpProxy">
<value name="Enabled" type="Tdword">"1"</value>
<value name="Host" type="TString">"proxy.company.com"</value>
<value name="Port" type="Tdword">"443"</value>
<value name="Login" type="TString">"proxy_login"</value>
<value name="Password" type="TString">"proxy_password"</value>
</key>
</registry>
3. Replace proxy.company.com with your proxy server host name/IP address, and 443 with the
decimal value of the port number.
4. If your proxy server requires authentication, replace proxy_login and proxy_password with the
proxy server credentials. Otherwise, delete these lines from the file.
5. Save the file.
6. If the protection agent is not installed yet, you can install it now.
7. Open file /Library/Application Support/Acronis/Agent/etc/aakore.yaml in a text editor.
8. Locate the env section or create it and add the following lines:
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
9. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
10. Go to Applications > Utilities > Terminal.
11. Restart the aakore service by using the following commands:
sudo launchctl stop aakore
sudo launchctl start aakore
12. Restart the agent by using the following commands:
sudo launchctl stop acronis_mms
sudo launchctl start acronis_mms
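The three proxy formats described in the Windows, Linux, and macOS procedures above, generated from one set of values as an added example that is not part of the original guide. It shows the hexadecimal port in proxy.reg against the decimal port in Global.config, and the omission of the Login and Password lines when no authentication is used. The function names are illustrative; rejecting characters that the guide documents no escaping for, and dropping the credentials prefix in aakore.yaml when there is no login, are assumptions.

```python
from xml.sax.saxutils import escape as xml_escape


def _check_port(port):
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid TCP port: {port!r}")
    return port


def _reg_string(value):
    # .reg string values escape backslashes and double quotes with a backslash.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def windows_reg(host, port, login=None, password=None):
    """proxy.reg content; the port is a hexadecimal dword (443 -> 000001bb)."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\Global\HttpProxy]",
        '"Enabled"=dword:00000001',
        f'"Host"={_reg_string(host)}',
        f'"Port"=dword:{_check_port(port):08x}',
    ]
    if login is not None:       # no authentication: leave both lines out
        lines.append(f'"Login"={_reg_string(login)}')
        lines.append(f'"Password"={_reg_string(password or "")}')
    return "\r\n".join(lines) + "\r\n"


def global_config_key(host, port, login=None, password=None):
    """<key name="HttpProxy"> block for Global.config; the port is decimal."""
    def value(name, vtype, text):
        if '"' in text:
            # Assumption: the guide documents no escape for a quote inside
            # the quoted value, so refuse it rather than guess.
            raise ValueError(f"{name} must not contain a double quote")
        return f'<value name="{name}" type="{vtype}">"{xml_escape(text)}"</value>'

    rows = [value("Enabled", "Tdword", "1"),
            value("Host", "TString", host),
            value("Port", "Tdword", str(_check_port(port)))]
    if login is not None:
        rows += [value("Login", "TString", login),
                 value("Password", "TString", password or "")]
    body = "".join(f"    {row}\n" for row in rows)
    return f'<key name="HttpProxy">\n{body}</key>\n'


_DELIMITERS = set(":@/#' \t\"")


def aakore_env(host, port, login=None, password=None):
    """env section for aakore.yaml in the login:password@address:port form."""
    target = f"{host}:{_check_port(port)}"
    if login is not None:
        for label, text in (("login", login), ("password", password or "")):
            if _DELIMITERS & set(text):
                # Assumption: no escaping rule is documented for this form.
                raise ValueError(f"proxy {label} contains a delimiter character")
        target = f"{login}:{password or ''}@{target}"
    # Assumption: without authentication the credentials prefix is left out.
    return f"env:\n    http-proxy: {target}\n    https-proxy: {target}\n"


if __name__ == "__main__":
    args = ("proxy.company.com", 443, "proxy_login", "proxy_password")
    print(windows_reg(*args))
    print(global_config_key(*args))
    print(aakore_env(*args))
```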
In bootable media
When working under bootable media, you may need to access the cloud storage via a proxy server.
To specify the proxy server settings, click Tools > Proxy server, and then specify the proxy server
host name/IP address, port, and credentials.
Installing Cyber Protection agents
You can install agents on machines running any of the operating systems listed in "Supported
operating systems and environments". The operating systems that support the Cyber Protect
features are listed in "Supported Cyber Protect features by operating system".
Downloading Cyber Protection agents
Before you install an agent, you must download its installation file from the service console.
To download an agent while adding a workload to protect
1. In the Cyber Protection console, navigate to Devices > All devices.
2. In the upper right, click Add device.
3. In the Add devices panel, from the Release channel drop-down menu, select an agent version.
• Previous release - download the agent version from the previous release.
• Current - download the latest available agent version.
4. Select the agent that corresponds to the operating system of the workload that you are adding.
The Save As dialog opens.
5. [Only for Macs with Apple silicon (such as Apple M1) processors] Click Cancel. In the Add Mac
panel that opens, click the Download ARM installer link.
6. Select a location to save the agent installation file and click Save.
To download an agent for later use
1. In the upper right corner of the Cyber Protection console, click the User icon.
2. Click Downloads.
3. In the Downloads dialog, from the Release channel drop-down menu, select an agent version.
• Previous release - download the agent version from the previous release.
• Current - download the latest available agent version.
4. Scroll the list of available installers to locate the agent installer that you need and click the
download icon at the end of its row.
The Save As dialog opens.
5. Select a location to save the agent installation file and click Save.
Installing Cyber Protection agents in Windows
Prerequisites
Download the agent that you need on the machine that you plan to protect. See "Downloading
Cyber Protection agents" (p. 67).
To install Agent for Windows
1. Ensure that the machine is connected to the Internet.
2. Log on as an administrator and start the installer.
3. [Optional] Click Customize installation settings and make the appropriate changes if you want:
l To change the components to install (for example, to disable the installation of Cyber
Protection Monitor or the Command-Line Tool, or to install the Agent for Antimalware
protection and URL filtering).
Note
On Windows machines, the antimalware protection and URL filtering features require the
installation of Agent for Antimalware protection and URL filtering. It will be installed
automatically for protected workloads if the Antivirus & Antimalware protection or the
URL filtering module is enabled in their protection plans.
l To change the method of registering the machine in the Cyber Protection service. You can
switch from Use service console (default) to Use credentials or Use registration token.
l To change the installation path.
l To change the user account under which the agent service will run. For details, refer to
"Changing the logon account on Windows machines".
l To verify or change the proxy server host name/IP address, port, and credentials. If a proxy
server is enabled in Windows, it is detected and used automatically.
4. Click Install.
5. [Only when installing Agent for VMware] Specify the address and access credentials for the
vCenter Server or stand-alone ESXi host whose virtual machines the agent will back up, and then
click Done. We recommend using an account that has the Administrator role assigned.
Otherwise, provide an account with the necessary privileges on the vCenter Server or ESXi.
6. [Only when installing on a domain controller] Specify the user account under which the agent
service will run, and then click Done. For security reasons, the setup program does not
automatically create new accounts on a domain controller.
Note
The user account that you specify must be granted the Log on as a service right.
This account must have already been used on the domain controller, in order for its profile
folder to be created on that machine.
7. If you kept the default registration method Use service console in step 3, wait until the
registration screen appears, and then proceed to the next step. Otherwise, no more actions are
required.
8. Do one of the following:
l Click Register the machine. In the opened browser window, sign in to the service console,
review the registration details, and then click Confirm registration.
l Click Show registration info. The setup program shows the registration link and the
registration code. You can copy them and perform the registration steps on a different
machine. In this case, you will need to enter the registration code in the registration form. The
registration code is valid for one hour.
Alternatively, you can access the registration form by clicking All devices > Add, scrolling
down to Registration via code, and then clicking Register.
Note
Do not quit the setup program until you confirm the registration. To initiate the registration
again, you will have to restart the setup program and repeat the installation procedure.
As a result, the machine will be assigned to the account that was used to log in to the service
console.
l Register the machine manually by using the command line. For more information on how to
do this, refer to "Registering machines manually".
9. [If the agent is registered under an account whose tenant is in the Enhanced security mode] Set
the encryption password.
Installing Cyber Protection agents in Linux
Prerequisites
l Download the agent that you need on the machine that you plan to protect. See "Downloading
Cyber Protection agents" (p. 67).
l To install Agent for Linux, you need at least 2 GB of free disk space.
To install Agent for Linux
1. Ensure that the machine is connected to the Internet.
2. As the root user, run the installation file.
If a proxy server is enabled in your network, when running the file, specify the server host
name/IP address and port in the following format: --http-proxy-host=ADDRESS
--http-proxy-port=PORT --http-proxy-login=LOGIN --http-proxy-password=PASSWORD.
If you want to change the default method of registering the machine in the Cyber Protection
service, run the installation file with one of the following parameters:
l --register-with-credentials – to ask for a user name and password during the installation
l --token=STRING – to use a registration token
l --skip-registration – to skip the registration
3. Select the check boxes for the agents that you want to install. The following agents are available:
l Agent for Linux
l Agent for Virtuozzo
l Agent for Oracle
l Agent for MySQL/MariaDB
Agent for Virtuozzo, Agent for Oracle, and Agent for MySQL/MariaDB require that Agent for Linux
(64-bit) is also installed.
4. If you kept the default registration method in step 2, proceed to the next step. Otherwise, enter
the user name and password for the Cyber Protection service, or wait until the machine is
registered by using the token.
5. Do one of the following:
l Click Register the machine. In the opened browser window, sign in to the service console,
review the registration details, and then click Confirm registration.
l Click Show registration info. The setup program shows the registration link and the
registration code. You can copy them and perform the registration steps on a different
machine. In this case, you will need to enter the registration code in the registration form. The
registration code is valid for one hour.
Alternatively, you can access the registration form by clicking All devices > Add, scrolling
down to Registration via code, and then clicking Register.
Note
Do not quit the setup program until you confirm the registration. To initiate the registration
again, you will have to restart the setup program and repeat the installation procedure.
As a result, the machine will be assigned to the account that was used to log in to the service
console.
l Register the machine manually by using the command line. For more information on how to
do this, refer to "Registering machines manually".
6. [If the agent is registered under an account whose tenant is in the Enhanced security mode] Set
the encryption password.
7. If the UEFI Secure Boot is enabled on the machine, you are informed that you need to restart the
system after the installation. Be sure to remember what password (the one of the root user or
"acronis") should be used.
Note
The installation generates a new key that is used for signing the kernel modules. You must enroll
this new key to the Machine Owner Key (MOK) list by restarting the machine. Without enrolling
the new key, your agent will not be operational. If you enable the UEFI Secure Boot after the
agent is installed, you need to reinstall the agent.
8. After the installation completes, do one of the following:
l Click Restart, if you were prompted to restart the system in the previous step.
During the system restart, opt for MOK (Machine Owner Key) management, choose Enroll
MOK, and then enroll the key by using the password recommended in the previous step.
l Otherwise, click Exit.
Troubleshooting information is provided in the file:
/usr/lib/Acronis/BackupAndRecovery/HOWTO.INSTALL
Installing Cyber Protection agents in macOS
Prerequisites
Download the agent that you need on the machine that you plan to protect. See "Downloading
Cyber Protection agents" (p. 67).
To install Agent for Mac (x64 or ARM64)
1. Ensure that the machine is connected to the Internet.
2. Double-click the installation file (.dmg).
3. Wait while the operating system mounts the installation disk image.
4. Double-click Install.
5. If a proxy server is enabled in your network, click Protection Agent in the menu bar, click Proxy
server settings, and then specify the proxy server host name/IP address, port, and credentials.
6. If prompted, provide administrator credentials.
7. Click Continue.
8. Wait until the registration screen appears.
9. Do one of the following:
l Click Register the machine. In the opened browser window, sign in to the service console,
review the registration details, and then click Confirm registration.
l Click Show registration info. The setup program shows the registration link and the
registration code. You can copy them and perform the registration steps on a different
machine. In this case, you will need to enter the registration code in the registration form. The
registration code is valid for one hour.
Alternatively, you can access the registration form by clicking All devices > Add, scrolling
down to Registration via code, and then clicking Register.
Note
Do not quit the setup program until you confirm the registration. To initiate the registration
again, you will have to restart the setup program and repeat the installation procedure.
As a result, the machine will be assigned to the account that was used to log in to the service
console.
l Register the machine manually by using the command line. For more information on how to
do this, refer to "Registering machines manually".
10. [If the agent is registered under an account whose tenant is in the Enhanced security mode] Set
the encryption password.
11. If your macOS version is Mojave 10.14.x or later, grant full disk access to the protection agent to
enable backup operations.
For instructions, see Grant the 'Full Disk Access' permission to the Cyber Protection agent
(64657).
Changing the logon account on Windows machines
On the Select components screen, define the account under which the services will run by
specifying Logon account for the agent service. You can select one of the following:
l Use Service User Accounts (default for the agent service)
Service User Accounts are Windows system accounts that are used to run services. The
advantage of this setting is that the domain security policies do not affect these accounts' user
rights. By default, the agent runs under the Local System account.
l Create a new account
The account name will be Agent User for the agent.
l Use the following account
If you install the agent on a domain controller, the system prompts you to specify existing
accounts (or the same account) for the agent. For security reasons, the system does not
automatically create new accounts on a domain controller.
For more information about installing the agent on a read-only domain controller, refer to this
knowledge base article.
If you chose the Create a new account or Use the following account option, ensure that the
domain security policies do not affect the related accounts' rights. If an account is deprived of the
user rights assigned during the installation, the component may work incorrectly or not work.
Privileges required for the logon account
A protection agent is run as a Managed Machine Service (MMS) on a Windows machine. The account
under which the agent will run must have specific rights for the agent to work correctly. Thus, the
MMS user should be assigned the following privileges:
1. Included in the Backup Operators and Administrators groups. On a Domain Controller, the
user must be included in the group Domain Admins.
2. Granted the Full Control permission on the folder %PROGRAMDATA%\Acronis (in Windows XP and
Server 2003, %ALLUSERSPROFILE%\Application Data\Acronis) and on its subfolders.
3. Granted the Full Control permission on certain registry keys in the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Acronis.
4. Assigned the following user rights:
l Log on as a service
l Adjust memory quotas for a process
l Replace a process level token
l Modify firmware environment values
How to assign the user rights
Follow the instructions below to assign the user rights (this example uses the Log on as a service
user right; the steps are the same for other user rights):
1. Log on to the computer by using an account with administrative privileges.
2. Open Administrative Tools from Control Panel (or press Win+R, type control admintools, and
press Enter) and open Local Security Policy.
3. Expand Local Policies and click on User Rights Assignment.
4. In the right pane, right-click Log on as a service and select Properties.
5. Click on the Add User or Group… button to add a new user.
6. In the Select Users, Computers, Service Accounts, or Groups window, find the user you wish
to enter and click OK.
7. Click OK in the Log on as a service Properties to save the changes.
Important
Ensure that the user that you have added to the Log on as a service user right is not listed in the
Deny log on as a service policy in Local Security Policy.
Note that it is not recommended to change logon accounts manually after the installation is
completed.
Dynamic installation and uninstallation of components
For Windows workloads protected by agent version 15.0.26986 (released in May 2021) or later, the
following components are installed dynamically – that is, only when required by a protection plan:
l Agent for Antimalware protection and URL filtering – required for the operation of the
antimalware protection and URL filtering features.
l Agent for Data Loss Prevention – required for the operation of the device control features.
l Acronis Cyber Protection Service - required for the operation of the antimalware protection.
By default, these components are not installed. The respective component is automatically installed
if a workload becomes protected by a plan in which any of the following modules is enabled:
l Antivirus & Antimalware protection
l URL filtering
l Device control
Similarly, if no protection plan requires antimalware protection, URL filtering, or device control
features anymore, the respective component is automatically uninstalled.
Dynamic installation or uninstallation of components takes up to 10 minutes after you change the
protection plan. However, if any of the following operations are running, dynamic installation or
uninstallation will start after this operation finishes:
l Backup
l Recovery
l Backup replication
l Virtual machine replication
l Testing a replica
l Running a virtual machine from backup (including finalization)
l Disaster recovery failover
l Disaster recovery failback
l Running a script (for Cyber Scripting functionality)
l Patch installation
l ESXi configuration backup
Unattended installation or uninstallation
Unattended installation or uninstallation in Windows
This section describes how to install or uninstall protection agents in the unattended mode on a
machine running Windows, by using Windows Installer (the msiexec program). In an Active Directory
domain, another way of performing unattended installation is through Group Policy—see
"Deploying agents through Group Policy" (p. 122).
During the installation, you can use a file known as a transform (an .mst file). A transform is a file
with installation parameters. As an alternative, you can specify installation parameters directly on
the command line.
Creating the .mst transform and extracting the installation packages
1. Log on as an administrator and start the setup program.
2. Click Create .mst and .msi files for unattended installation.
3. In What to install, select the components that you want to install, and then click Done.
The installation packages for these components will be extracted from the setup program.
4. In Registration settings, select Use credentials or Use registration token. Depending on your
choice, specify the credentials or the registration token, and then click Done.
For more information on how to generate a registration token, refer to "Step 1: Generating a
registration token" (p. 122).
5. [Only when installing on a domain controller] In Logon account for the agent service, select
Use the following account. Specify the user account under which the agent service will run,
and then click Done. For security reasons, the setup program does not automatically create new
accounts on a domain controller.
For more information about installing the agent on a read-only domain controller, refer to this
knowledge base article.
6. Review or modify other installation settings that will be added to the .mst file, and then click
Proceed.
7. Select the folder where the .mst transform will be generated and the .msi and .cab installation
packages will be extracted, and then click Generate.
Installing the product by using the .mst transform
On the command line, run the following command.
Command template:
msiexec /i <package name> TRANSFORMS=<transform name>
Where:
l <package name> is the name of the .msi file.
l <transform name> is the name of the transform.
Command example:
msiexec /i BackupClient64.msi TRANSFORMS=BackupClient64.msi.mst
Installing or uninstalling the product by specifying parameters manually
On the command line, run the following command.
Command template (installing):
msiexec /i <package name> <PARAMETER 1>=<value 1> ... <PARAMETER N>=<value n>
Here, <package name> is the name of the .msi file. All available parameters and their values are
described in "Unattended installation or uninstallation parameters".
Command template (uninstalling):
msiexec /x <package name> <PARAMETER 1>=<value 1> ... <PARAMETER N>=<value n>
The .msi package must be of the same version as the product that you want to uninstall.
Unattended installation or uninstallation parameters
This section describes parameters that are used during unattended installation or uninstallation in
Windows. In addition to these parameters, you can use other parameters of msiexec, as described at
https://msdn.microsoft.com/en-us/library/windows/desktop/aa367988(v=vs.85).aspx.
Installation parameters
Basic parameters
ADDLOCAL=<list of components>
The components to be installed, separated by commas and without space characters. All of
the specified components must be extracted from the setup program prior to installation.
The full list of the components is as follows:
Component                           | Must be installed together with | Bitness       | Component name / description
AgentFeature                        |                                 | 32-bit/64-bit | Core components for agents
MmsMspComponents                    | AgentFeature                    | 32-bit/64-bit | Core components for backup
BackupAndRecoveryAgent              | MmsMspComponents                | 32-bit/64-bit | Agent for Windows
AmpAgentFeature                     | BackupAndRecoveryAgent          | 32-bit/64-bit | Agent for Antimalware and URL filtering
DlpAgentFeature                     | BackupAndRecoveryAgent          | 32-bit/64-bit | Agent for Data Loss Prevention
SasAgentFeature                     | TrayMonitor                     | 32-bit/64-bit | Agent for File Sync & Share
ArxAgentFeature                     | MmsMspComponents                | 32-bit/64-bit | Agent for Exchange
ArsAgentFeature                     | BackupAndRecoveryAgent          | 32-bit/64-bit | Agent for SQL
ARADAgentFeature                    | BackupAndRecoveryAgent          | 32-bit/64-bit | Agent for Active Directory
ArxOnlineAgentFeature               | MmsMspComponents                | 32-bit/64-bit | Agent for Microsoft 365
OracleAgentFeature                  | BackupAndRecoveryAgent          | 32-bit/64-bit | Agent for Oracle
AcronisESXSupport                   | BackupAndRecoveryAgent          | 64-bit        | Agent for VMware ESX(i) (Windows)
HyperVAgent                         | BackupAndRecoveryAgent          | 32-bit/64-bit | Agent for Hyper-V
CommandLineTool                     |                                 | 32-bit/64-bit | Command-Line Tool
TrayMonitor                         | AgentFeature                    | 32-bit/64-bit | Cyber Protect Monitor
BackupAndRecoveryBootableComponents |                                 | 32-bit/64-bit | Bootable Media Builder
TARGETDIR=<path>
The folder where the product will be installed. By default, this folder is: C:\Program
Files\BackupClient.
REBOOT=ReallySuppress
If the parameter is specified, the machine reboot is forbidden.
/l*v <log file>
If the parameter is specified, the installation log in the verbose mode will be saved to the
specified file. The log file can be used for analyzing the installation issues.
CURRENT_LANGUAGE=<language ID>
The product language. Available values are as follows: en, bg, cs, da, de, es, fr, hu,
id, it, ja, ko, ms, nb, nl, pl, pt, pt_BR, ru, fi, sr, sv, tr, zh, zh_TW.
If this parameter is not specified, the product language will be defined by your system language on
the condition that it is in the list above. Otherwise, the product language will be set to English (en).
Registration parameters
REGISTRATION_ADDRESS
This is the URL for the Cyber Protection service. You can use this parameter either with the
REGISTRATION_LOGIN and REGISTRATION_PASSWORD parameters, or with the REGISTRATION_TOKEN one.
l When you use REGISTRATION_ADDRESS with REGISTRATION_LOGIN and REGISTRATION_PASSWORD
parameters, specify the address that you use to log in to the Cyber Protection service. For
example, https://cloud.company.com.
l When you use REGISTRATION_ADDRESS with the REGISTRATION_TOKEN parameter, specify the exact
datacenter address. This is the URL that you see once you are logged in to the Cyber Protection
service. For example, https://eu2-cloud.company.com.
Do not use https://cloud.company.com here.
REGISTRATION_LOGIN and REGISTRATION_PASSWORD
Credentials for the account under which the agent will be registered in the Cyber Protection
service. This cannot be a partner administrator account.
REGISTRATION_PASSWORD_ENCODED
Password for the account under which the agent will be registered in the Cyber Protection
service, encoded in base64. For more information on how to encode your password, refer to
"Registering machines manually".
REGISTRATION_TOKEN
The registration token is a series of 12 characters, separated by hyphens in three segments.
You can generate one in the service console, as described in "Deploying agents through Group
Policy".
REGISTRATION_REQUIRED={0,1}
Defines how the installation will finish if the registration fails. If the value is 1, the installation
also fails. The default value is 0, so if you don't specify this parameter, the installation completes
successfully even though the agent is not registered.
Additional parameters
To define the logon account for the agent service in Windows, use one of the following parameters:
l MMS_USE_SYSTEM_ACCOUNT={0,1}
If the value is 1, the agent will run under the Local System account.
l MMS_CREATE_NEW_ACCOUNT={0,1}
If the value is 1, the agent will run under a newly created account named Acronis Agent User.
l MMS_SERVICE_USERNAME=<user name> and MMS_SERVICE_PASSWORD=<password>
Use these parameters to specify an existing account under which the agent will run.
For more information on logon accounts, refer to "Changing the logon account on Windows
machines".
SET_ESX_SERVER={0,1}
l If the value is 0, Agent for VMware being installed will not be connected to a vCenter Server or an
ESXi host. If the value is 1, specify the following parameters:
o ESX_HOST=<host name>
The host name or IP address of the vCenter Server or the ESXi host.
o ESX_USER=<user name> and ESX_PASSWORD=<password>
Credentials to access the vCenter Server or ESXi host.
HTTP_PROXY_ADDRESS=<IP address> and HTTP_PROXY_PORT=<port>
The HTTP proxy server to be used by the agent. Without these parameters, no proxy server
will be used.
HTTP_PROXY_LOGIN=<login> and HTTP_PROXY_PASSWORD=<password>
The credentials for the HTTP proxy server. Use these parameters if the server requires
authentication.
HTTP_PROXY_ONLINE_BACKUP={0,1}
If the value is 0, or the parameter is not specified, the agent will use the proxy server only for
backup and recovery from the cloud. If the value is 1, the agent also will connect to the management
server through the proxy server.
SKIP_SHA2_KB_CHECK={0,1}
If the value is 0, or the parameter is not specified, the setup program will check whether
the SHA2 code signing support update from Microsoft (KB4474419) is installed on the machine. If
the update is not found, the installation will fail.
The check only runs on operating systems that require the SHA2 code signing support
update. To see which operating systems require it, refer to "Supported operating systems and
environments" (p. 37).
Uninstallation parameters
REMOVE={<list of components>|ALL}
The components to be removed, separated by commas and without space characters. If the
value is ALL, all of the product components will be uninstalled.
Additionally, you can specify the following parameter:
DELETE_ALL_SETTINGS={0, 1}
If the value is 1, the product's logs, tasks, and configuration settings will be removed.
ANTI_TAMPER_PASSWORD=<password>
The password required for uninstalling a password-protected Agent for Windows or
modifying its components.
Examples
l Installing Agent for Windows, Agent for Antimalware and URL filtering, Command-Line Tool, and
Cyber Protection Monitor. Registering the machine in the Cyber Protection service by using a user
name and password.
msiexec.exe /i BackupClient64.msi /l*v my_log.txt /qn ADDLOCAL=MmsMspComponents,BackupAndRecoveryAgent,AmpAgentFeature,CommandLineTool,TrayMonitor TARGETDIR="C:\Program Files\BackupClient" REBOOT=ReallySuppress MMS_USE_SYSTEM_ACCOUNT=1 REGISTRATION_ADDRESS=https://cloud.company.com REGISTRATION_LOGIN=johndoe REGISTRATION_PASSWORD=johnspassword
l Installing Agent for Windows, Command-Line Tool, and Cyber Protection Monitor. Creating a new
logon account for the agent service in Windows. Registering the machine in the Cyber Protection
service by using a token.
msiexec.exe /i BackupClient64.msi /l*v my_log.txt /qn ADDLOCAL=MmsMspComponents,BackupAndRecoveryAgent,CommandLineTool,TrayMonitor TARGETDIR="C:\Program Files\BackupClient" REBOOT=ReallySuppress MMS_CREATE_NEW_ACCOUNT=1 REGISTRATION_ADDRESS=https://eu2-cloud.company.com REGISTRATION_TOKEN=34F6-8C39-4A5C
l Installing Agent for Windows, Command-Line Tool, Agent for Oracle and Cyber Protection
Monitor. Registering the machine in the Cyber Protection service by using a user name and
a base64-encoded password.
msiexec.exe /i BackupClient64.msi /l*v my_log.txt /qn ADDLOCAL=MmsMspComponents,BackupAndRecoveryAgent,CommandLineTool,OracleAgentFeature,TrayMonitor TARGETDIR="C:\Program Files\BackupClient" REBOOT=ReallySuppress CURRENT_LANGUAGE=en MMS_USE_SYSTEM_ACCOUNT=1 REGISTRATION_ADDRESS=https://cloud.company.com REGISTRATION_LOGIN=johndoe REGISTRATION_PASSWORD_ENCODED=am9obnNwYXNzd29yZA==
l Installing Agent for Windows, Command-Line Tool, and Cyber Protection Monitor. Registering the
machine in the Cyber Protection service by using a token. Setting an HTTP proxy.
msiexec.exe /i BackupClient64.msi /l*v my_log.txt /qn ADDLOCAL=MmsMspComponents,BackupAndRecoveryAgent,CommandLineTool,TrayMonitor TARGETDIR="C:\Program Files\BackupClient" REBOOT=ReallySuppress CURRENT_LANGUAGE=en MMS_USE_SYSTEM_ACCOUNT=1 REGISTRATION_ADDRESS=https://eu2-cloud.company.com REGISTRATION_TOKEN=34F6-8C39-4A5C HTTP_PROXY_ADDRESS=https://my-proxy.company.com HTTP_PROXY_PORT=80 HTTP_PROXY_LOGIN=tomsmith HTTP_PROXY_PASSWORD=tomspassword
l Uninstalling all the agents and deleting their logs, tasks, and configuration settings.
msiexec.exe /x BackupClient64.msi /l*v uninstall_log.txt REMOVE=ALL DELETE_ALL_SETTINGS=1 REBOOT=ReallySuppress
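The registration examples above carry the password or token as msiexec properties, and REGISTRATION_PASSWORD_ENCODED is only base64, which decodes back to the password. The following added example (a reviewer's shell script, not Acronis code; the function names are hypothetical) lists the secret-bearing properties in a deployment script or captured command line, masks their values for safe logging, and shows that the encoded password is recoverable. The property names are the ones documented above; the sample lines are abridged from the examples above, plus one constructed uninstall line.

```bash
#!/usr/bin/env bash
# Added example (not Acronis code). Function names are hypothetical.
# Property names are the secret-bearing ones from the parameter list above.
SECRET_PROPS='REGISTRATION_PASSWORD|REGISTRATION_PASSWORD_ENCODED|REGISTRATION_TOKEN'
SECRET_PROPS="$SECRET_PROPS|MMS_SERVICE_PASSWORD|ESX_PASSWORD|HTTP_PROXY_PASSWORD|ANTI_TAMPER_PASSWORD"

# List the secret-bearing properties found on stdin, one per line, sorted.
secret_props_in() {
    grep -oE "(^|[[:space:]])($SECRET_PROPS)=" \
        | sed -E 's/^[[:space:]]+//; s/=$//' | LC_ALL=C sort -u
}

# Copy stdin to stdout with every secret value replaced by ***.
# A value is either a double-quoted string or a run of non-space characters.
redact_msiexec() {
    sed -E "s/(^|[[:space:]])($SECRET_PROPS)=(\"[^\"]*\"|[^[:space:]]*)/\1\2=***/g"
}

# Print the clear text behind the first REGISTRATION_PASSWORD_ENCODED value.
# base64 is an encoding, so the value is as sensitive as the password itself.
decoded_password() {
    sed -nE 's#.*[[:space:]]REGISTRATION_PASSWORD_ENCODED=([A-Za-z0-9+/=]+).*#\1#p' \
        | head -n 1 | base64 -d
}

# Sample input: lines 1 and 2 are abridged from the examples above,
# line 3 is constructed to exercise a quoted value.
sample_commands() {
    cat <<'EOF'
msiexec.exe /i BackupClient64.msi /l*v my_log.txt /qn REGISTRATION_ADDRESS=https://cloud.company.com REGISTRATION_LOGIN=johndoe REGISTRATION_PASSWORD_ENCODED=am9obnNwYXNzd29yZA==
msiexec.exe /i BackupClient64.msi /qn REGISTRATION_ADDRESS=https://eu2-cloud.company.com REGISTRATION_TOKEN=34F6-8C39-4A5C HTTP_PROXY_LOGIN=tomsmith HTTP_PROXY_PASSWORD=tomspassword
msiexec.exe /x BackupClient64.msi REMOVE=ALL ANTI_TAMPER_PASSWORD="two words" REBOOT=ReallySuppress
EOF
}

# Show which properties need protecting, then the lines as they are safe to log.
sample_commands | secret_props_in
sample_commands | redact_msiexec
```

The same masking applies to anything that records the full command line, such as the verbose log requested with /l*v or process-creation audit events.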
Unattended installation or uninstallation in Linux
This section describes how to install or uninstall protection agents in the unattended mode on a
machine running Linux, by using the command line.
To install or uninstall a protection agent
1. Open Terminal.
2. Do one of the following:
l To start the installation by specifying the parameters on the command line, run the following
command:
<package name> -a <parameter 1> ... <parameter N>
Here, <package name> is the name of the installation package (an .i686 or an .x86_64 file). All
available parameters and their values are described in "Unattended installation or uninstallation
parameters".
l To start the installation with parameters that are specified in a separate text file, run the following
command:
<package name> -a --options-file=<path to the file>
This approach might be useful if you don't want to enter sensitive information on the command
line. In this case, you can specify the configuration settings in a separate text file and ensure that
only you can access it. Put each parameter on a new line, followed by the desired value, for
example:
--rain=https://cloud.company.com
--login=johndoe
--password=johnspassword
--auto
or
-C
https://cloud.company.com
-g
johndoe
-w
johnspassword
-a
--language
en
If the same parameter is specified both on the command line and in the text file, the command
line value takes precedence.
3. If UEFI Secure Boot is enabled on the machine, you are informed that you need to restart the
system after the installation. Be sure to remember what password (that of the root user or
"acronis") should be used. During the system restart, opt for MOK (Machine Owner Key)
management, choose Enroll MOK, and then enroll the key by using the recommended password.
If you enable UEFI Secure Boot after the agent installation, repeat the installation, including step 3.
Otherwise, backups will fail.
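The options-file approach above keeps the registration secret off the command line only if the file itself is locked down. The following added example (not Acronis code; the function names are hypothetical) writes the file with owner-only permissions and checks it against the registration rules stated in the parameter descriptions before it is handed to the installer. It handles only the long --name=value form, and the token pattern is an assumption modelled on the sample token 34F6-8C39-4A5C.

```bash
#!/usr/bin/env bash
# Added example (not Acronis code). Function names are hypothetical.
# Handles only the long "--name=value" form, one parameter per line.

# Print the value of the first "--NAME=value" line; nothing if absent.
opt_value() {    # usage: opt_value FILE NAME
    sed -n "s/^--$2=//p" "$1" | head -n 1
}

# Succeed if the file has a "--NAME" or "--NAME=value" line.
opt_present() {  # usage: opt_present FILE NAME
    grep -Eq -- "^--$2(=.*)?\$" "$1"
}

# Create FILE so that only its owner can read it, then fill it from stdin.
write_options_file() {  # usage: write_options_file FILE < parameters
    ( umask 077 && : > "$1" ) || return 1
    chmod 600 "$1" || return 1   # tighten the mode if the file already existed
    cat > "$1"
}

# Print one finding per line; return 0 only when there are none.
check_options_file() {  # usage: check_options_file FILE
    local f="$1" perms token name n=0
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "not a regular file: $f"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "file is accessible to group or others"; n=$((n + 1))
    fi
    if [ ! -O "$f" ]; then
        echo "file is not owned by the current user"; n=$((n + 1))
    fi
    if opt_present "$f" token; then
        token=$(opt_value "$f" token)
        # Assumed shape, modelled on the sample token 34F6-8C39-4A5C.
        if ! printf '%s\n' "$token" | grep -Eq '^[A-Za-z0-9]{4}(-[A-Za-z0-9]{4}){2}$'; then
            echo "--token is not 12 characters in three hyphen-separated segments"; n=$((n + 1))
        fi
        for name in login password register-with-credentials; do
            if opt_present "$f" "$name"; then
                echo "--token cannot be combined with --$name"; n=$((n + 1))
            fi
        done
        if [ -z "$(opt_value "$f" rain)" ]; then
            echo "--token needs --rain set to the exact datacenter address"; n=$((n + 1))
        fi
    elif opt_present "$f" auto; then
        if ! opt_present "$f" login || ! opt_present "$f" password; then
            echo "--auto needs --token, or both --login and --password"; n=$((n + 1))
        fi
    fi
    [ "$n" -eq 0 ]
}

# Check the file named on the command line, if any.
if [ -n "${1:-}" ]; then
    check_options_file "$1"
fi
```

Run the check as the same user that created the file, immediately before passing the file to the installer with --options-file.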
Unattended installation or uninstallation parameters
This section describes parameters that are used during unattended installation or uninstallation in
Linux.
The minimal configuration for unattended installation includes -a and registration parameters (for
example, --login and --password parameters; --rain and --token parameters). You can use more
parameters to customize your installation.
Installation parameters
Basic parameters
{-i |--id=}<list of components>
The components to be installed, separated by commas and without space characters. The
following components are available in the .x86_64 installation package:
Component Component description
BackupAndRecoveryAgent Agent for Linux
AgentForPCS Agent for Virtuozzo
OracleAgentFeature Agent for Oracle
MySQLAgentFeature Agent for MySQL/MariaDB
Without this parameter, all of the above components will be installed.
Agent for Virtuozzo, Agent for Oracle, and Agent for MySQL/MariaDB require that Agent for
Linux is also installed.
The .i686 installation package contains only BackupAndRecoveryAgent.
{-a|--auto}
The installation and registration process will complete without any further user interaction.
When using this parameter, you must specify the account under which the agent will be registered
in the Cyber Protection service, either by using the --token parameter, or by using the --login and
--password parameters.
{-t|--strict}
If the parameter is specified, any warning that occurs during the installation results in
installation failure. Without this parameter, the installation completes successfully even in the case
of warnings.
{-n|--nodeps}
The absence of required Linux packages will be ignored during the installation.
{-d|--debug}
Writes the installation log in the verbose mode.
--options-file=<location>
The installation parameters will be read from a text file instead of the command line.
--language=<language ID>
The product language. Available values are as follows: en, bg, cs, da, de, es, fr, hu, id,
it, ja, ko, ms, nb, nl, pl, pt, pt_BR, ru, fi, sr, sv, tr, zh, zh_TW.
If this parameter is not specified, the product language will be defined by your system language on
the condition that it is in the list above. Otherwise, the product language will be set to English (en).
Registration parameters
Specify one of the following parameters:
l {-g|--login=}<user name> and {-w|--password=}<password>
Credentials for the account under which the agent will be registered in the Cyber Protection
service. This cannot be a partner administrator account.
l --token=<token>
The registration token is a series of 12 characters, separated by hyphens in three segments. You
can generate one in the service console, as described in "Deploying agents through Group Policy".
You cannot use the --token parameter along with --login, --password, and
--register-with-credentials parameters.
o {-C|--rain=}<service address>
The URL of the Cyber Protection service.
You don't need to include this parameter explicitly when you use --login and --password
parameters for registration, because the installer uses the correct address by default – this
would be the address that you use to log in to the Cyber Protection service. For example:
However, when you use {-C|--rain=} with the --token parameter, you must specify the exact
datacenter address. This is the URL that you see once you are logged in to the Cyber
Protection service. For example:
• --register-with-credentials
If this parameter is specified, the installer's graphical interface will start. To finish the
registration, enter the user name and password for the account under which the agent will be
registered in the Cyber Protection service. This cannot be a partner administrator account.
• --skip-registration
Use this parameter if you need to install the agent but you plan to register it in the Cyber
Protection service later. For more information on how to do this, refer to "Registering machines
manually".
Additional parameters
--http-proxy-host=<IP address> and --http-proxy-port=<port>
The HTTP proxy server that the agent will use for backup and recovery from the cloud, and
for connection to the management server. Without these parameters, no proxy server will be used.
--http-proxy-login=<login> and --http-proxy-password=<password>
The credentials for the HTTP proxy server. Use these parameters if the server requires
authentication.
--tmp-dir=<location>
Specifies the folder where the temporary files are stored during the installation. The default
folder is /var/tmp.
{-s|--disable-native-shared}
Redistributable libraries will be used during the installation, even though they might have
already been present on your system.
--skip-prereq-check
There will be no check of whether the packages required for compiling the snapapi module
are already installed.
--force-weak-snapapi
The installer will not compile a snapapi module. Instead, it will use a ready-made module
that might not match the Linux kernel exactly. Using this option is not recommended.
--skip-svc-start
The services will not start automatically after the installation. Most often, this parameter is
used with the --skip-registration one.
Information parameters
{-?|--help}
Shows the description of parameters.
--usage
Shows a brief description of the command usage.
{-v|--version}
Shows the installation package version.
--product-info
Shows the product name and the installation package version.
--snapapi-list
Shows the available ready-made snapapi modules.
--components-list
Shows the installer components.
Parameters for legacy features
These parameters relate to a legacy component, agent.exe.
{-e|--ssl=}<path>
Specifies the path to a custom certificate file for SSL communication.
{-p|--port=}<port>
Specifies the port on which agent.exe listens for connections. The default port is 9876.
Uninstallation parameters
{-u|--uninstall}
Uninstalls the product.
--purge
Uninstalls the product and removes its logs, tasks, and configuration settings. You don't
need to specify the --uninstall parameter explicitly when you use the --purge one.
Examples
• Installing Agent for Linux without registering it.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -i BackupAndRecoveryAgent -a --skip-registration
• Installing Agent for Linux, Agent for Virtuozzo, and Agent for Oracle, and registering them by
using credentials.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -a --login=johndoe --password=johnspassword
• Installing Agent for Oracle and Agent for Linux, and registering them by using a registration
token.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -i BackupAndRecoveryAgent,OracleAgentFeature -a --rain=https://eu2-cloud.company.com --token=34F6-8C39-4A5C
• Installing Agent for Linux, Agent for Virtuozzo, and Agent for Oracle with configuration settings in
a separate text file.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -a --options-file=/home/mydirectory/configuration_file
• Uninstalling Agent for Linux, Agent for Virtuozzo, and Agent for Oracle, and removing all their
logs, tasks, and configuration settings.
./Cyber_Protection_Agent_for_Linux_x86_64.bin -a --purge
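The registration rules above (exactly one registration method, --token never combined with --login, --password or --register-with-credentials, a token of three hyphen-separated segments) can be checked before the installer is started. The script below is an added example, not vendor code; the function names, the 4-4-4 alphanumeric token shape and the https-only address rule are assumptions of this example, and only the long option forms are parsed.

```shell
#!/bin/sh
# Added example, not vendor code: pre-flight check of the registration options
# given to the Agent for Linux installer, using the rules stated in this guide.
LC_ALL=C; export LC_ALL    # make character classes such as [A-Z] byte-wise

# Guide: "a series of 12 characters, separated by hyphens in three segments".
# Assumption: each segment is 4 alphanumeric characters, as in the samples.
valid_token() {
    case $1 in
        *[!A-Za-z0-9-]*|*-*-*-*) return 1 ;;  # foreign character or extra hyphen
        ????-????-????) return 0 ;;
        *) return 1 ;;
    esac
}

# Assumption of this example: the service address is https://host[:port] only.
valid_service_url() {
    local host
    case $1 in
        https://*) host=${1#https://}; host=${host%/} ;;
        *) return 1 ;;
    esac
    case $host in
        ''|[.:-]*|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    return 0
}

reject() { echo "registration options rejected: $1" >&2; }

# Returns 0 only if the arguments select exactly one valid registration method.
check_install_args() {
    local arg token='' login='' password='' rain=''
    local has_token=0 has_cred=0 gui=0 skip=0
    for arg in "$@"; do
        case $arg in
            --token=*)    token=${arg#*=}; has_token=1 ;;
            --login=*)    login=${arg#*=}; has_cred=1 ;;
            --password=*) password=${arg#*=}; has_cred=1 ;;
            --rain=*)     rain=${arg#*=} ;;
            --register-with-credentials) gui=1 ;;
            --skip-registration)         skip=1 ;;
            # The short forms are not parsed here, so refuse them (fail closed).
            -g*|-w*|-C*)  reject "use the long option instead of '$arg'"; return 1 ;;
        esac
    done
    case $((has_token + has_cred + gui + skip)) in
        0) reject "no registration method given"; return 1 ;;
        1) ;;
        *) reject "more than one registration method given"; return 1 ;;
    esac
    if [ "$has_cred" -eq 1 ] && { [ -z "$login" ] || [ -z "$password" ]; }; then
        reject "--login and --password must be used together"; return 1
    fi
    if [ "$has_token" -eq 1 ] && ! valid_token "$token"; then
        reject "token is not in XXXX-XXXX-XXXX form"; return 1
    fi
    if [ -n "$rain" ] && ! valid_service_url "$rain"; then
        reject "--rain must be an https:// service address"; return 1
    fi
    return 0
}

# Usage: sh preflight.sh <installer arguments>
if [ "$#" -gt 0 ]; then
    check_install_args "$@" && echo "registration options OK"
fi
```

Values given with --login and --password are part of the installer's command line, which other local users can read in the process list while it runs; registering with --token keeps the account password off the command line.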
Unattended installation and uninstallation in macOS
This section describes how to install, register, and uninstall the Cyber Protection agent in the
unattended mode on a machine running macOS, by using the command line.
To download the installation file (.dmg)
1. In the service console, go to Devices > All devices.
2. Click Add, and then click Mac.
To install Agent for Mac
1. Create a temporary directory where you will mount the installation file (.dmg).
mkdir <dmg_root>
Here, <dmg_root> is a name of your choice.
2. Mount the .dmg file.
hdiutil attach <dmg_file> -mountpoint <dmg_root>
Here, <dmg_file> is the name of the installation file. For example,
Cyber_Protection_Agent_for_MAC_x64.dmg.
3. Run the installer.
sudo installer -pkg <dmg_root>/Install.pkg -target LocalSystem
4. Detach the installation file (.dmg).
hdiutil detach <dmg_root>
Examples
mkdir mydirectory
hdiutil attach /Users/JohnDoe/Cyber_Protection_Agent_for_MAC_x64.dmg -mountpoint mydirectory
sudo installer -pkg mydirectory/Install.pkg -target LocalSystem
hdiutil detach mydirectory
To register Agent for Mac
Do one of the following:
• Register the agent under a specific account, by using a user name and password.
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -a <Cyber Protection service address> -t cloud -u <user name> -p <password> -o register
Here:
<Cyber Protection service address> is the address that you use to log in to the Cyber Protection
service. For example:
<user name> and <password> are the credentials for the account under which the agent will be
registered. This cannot be a partner administrator account.
• Register the agent by using a registration token.
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -a <Cyber Protection service address> -t cloud -o register --token <token>
The registration token is a series of 12 characters, separated by hyphens in three segments. You
can generate one in the service console, as described in "Deploying agents through Group Policy".
When you use a registration token, you must specify the exact datacenter address. This is the URL
that you see once you are logged in to the Cyber Protection service. For example:
Examples
• Registration with a user name and password.
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -a https://cloud.company.com -t cloud -u johndoe -p johnspassword -o register
• Registration with a token.
sudo /Library/Application\ Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent -a https://eu2-cloud.company.com -t cloud -o register --token D91D-DC46-4F0B
Important
If you use macOS 10.14 or later, grant the protection agent full disk access. To do so, go to
Applications > Utilities, and then run Cyber Protect Agent Assistant. Then, follow the
instructions in the application window.
To uninstall Agent for Mac
Run the following command:
sudo /Library/Application\ Support/BackupClient/Acronis/Cyber\ Protect\ Agent\ Uninstall.app/Contents/MacOS/AgentUninstall /confirm
To remove all logs, tasks and configuration settings during the uninstallation, run the following
command:
sudo /Library/Application\ Support/BackupClient/Acronis/Cyber\ Protect\ Agent\ Uninstall.app/Contents/MacOS/AgentUninstall /confirm /purge
Registering machines manually
In addition to registering a machine in the Cyber Protection service during the agent installation, you
can also register it by using the command line interface. You might need to do so if you have
installed the agent but the automatic registration failed, for example, or if you want to register an
existing machine under a new account.
To register a machine
To register a machine by using a user name and password, run the following command.
In Windows
Command for registering a machine under the current account:
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o register -s mms -t cloud --update
Command template for registering a machine under another account:
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o register -t cloud -a <service address> -u <user name> -p <password>
Command example:
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o register -t cloud -a https://cloud.company.com -u johndoe -p johnspassword
In Linux
Command for registering a machine under the current account:
sudo "/usr/lib/Acronis/RegisterAgentTool/RegisterAgent" -o register -s mms -t cloud --update
Command template for registering a machine under another account:
sudo "/usr/lib/Acronis/RegisterAgentTool/RegisterAgent" -o register -t cloud -a <service address> -u <user name> -p <password>
Command example:
sudo "/usr/lib/Acronis/RegisterAgentTool/RegisterAgent" -o register -t cloud -a https://cloud.company.com -u johndoe -p johnspassword
In macOS
Command for registering a machine under the current account:
sudo "/Library/Application Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent" -o register -s mms -t cloud --update
Command template for registering a machine under another account:
sudo "/Library/Application Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent" -o register -t cloud -a <service address> -u <user name> -p <password>
Command example:
sudo "/Library/Application Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent" -o register -t cloud -a https://cloud.company.com -u johndoe -p johnspassword
Note
Use the user name and password for the specific account under which the agent will be registered.
This cannot be a partner administrator account.
The service address is the URL that you use to log in to the Cyber Protection service. For example,
https://cloud.company.com.
Alternatively, you can register a machine by using a registration token. To do so, run the following
command.
In Windows
Command template:
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o register -t cloud -a <service address> --token <token>
Command example:
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o register -t cloud -a https://au1-cloud.company.com --token 3B4C-E967-4FBD
In Linux
Command template:
sudo "/usr/lib/Acronis/RegisterAgentTool/RegisterAgent" -o register -t cloud -a <service address> --token <token>
Command example:
sudo "/usr/lib/Acronis/RegisterAgentTool/RegisterAgent" -o register -t cloud -a https://eu2-cloud.company.com --token 34F6-8C39-4A5C
In macOS
Command template:
sudo "/Library/Application Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent" -o register -t cloud -a <service address> --token <token>
Command example:
sudo "/Library/Application Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent" -o register -t cloud -a https://us5-cloud.company.com --token 9DBF-3DA9-4DAB
Note
When you use a registration token, you must specify the exact datacenter address. This is the URL
that you see once you are logged in to the Cyber Protection service. For example,
https://eu2-cloud.company.com.
Do not use https://cloud.company.com here.
The registration token is a series of 12 characters, separated by hyphens in three segments. For
more information on how to generate one, refer to "Deploying agents through Group Policy".
To unregister a machine
Run the following command:
In Windows
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o unregister
In Linux
sudo "/usr/lib/Acronis/RegisterAgentTool/RegisterAgent" -o unregister
In macOS
sudo "/Library/Application Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent" -o unregister
Passwords with special characters or blank spaces
If your password contains special characters or blank spaces, enclose it in quotation marks when
you type it on the command line.
For example, in Windows, run this command.
Command template:
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o register -t cloud -a <service address> -u <user name> -p <"password">
Command example:
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o register -t cloud -a https://cloud.company.com -u johndoe -p "johns password"
If you still receive an error:
• Encode your password into base64 format at https://www.base64encode.org/.
• On the command line, specify the encoded password by using the -b or --base64 parameter.
For example, in Windows, run this command.
Command template:
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o register -t cloud -a <service address> -u <user name> -b -p <encoded password>
Command example:
"%ProgramFiles%\BackupClient\RegisterAgentTool\register_agent.exe" -o register -t cloud -a https://cloud.company.com -u johndoe -b -p am9obnNwYXNzd29yZA==
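The encoding step can also be done on the machine itself, so that the password is never typed into a web page. The script below is an added example, not vendor code; the function names, the REGISTER_TOOL variable and the expectation that the Linux and macOS tools accept -b in the same way as the Windows one are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor code: base64-encode a registration password on the
# local machine and pass it to the registration tool with -b -p.

# Path of the Linux tool as given in this guide; override it for macOS.
REGISTER_TOOL=${REGISTER_TOOL:-/usr/lib/Acronis/RegisterAgentTool/RegisterAgent}

# Encode exactly the bytes of $1. printf '%s' adds no trailing newline (echo
# would, and the newline would become part of the encoded password). tr joins
# the output of base64 implementations that wrap long lines.
encode_password() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode $2 and compare it with $1. The appended "x" keeps a trailing newline
# from being stripped by the command substitution, so that mistake is caught.
verify_encoding() {
    [ "$(printf '%s' "$2" | base64 --decode; printf x)" = "${1}x" ]
}

# Prompt on the terminal without echo; the result is left in $PASSWORD.
read_password() {
    printf 'Password: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r PASSWORD
    stty echo 2>/dev/null
    printf '\n' >&2
}

# register_b64 <service address> <user name>
register_b64() {
    local encoded
    read_password
    encoded=$(encode_password "$PASSWORD")
    if ! verify_encoding "$PASSWORD" "$encoded"; then
        echo "encoding check failed" >&2
        return 1
    fi
    unset PASSWORD
    sudo "$REGISTER_TOOL" -o register -t cloud -a "$1" -u "$2" -b -p "$encoded"
}

# Usage: sh register_b64.sh https://cloud.company.com johndoe
if [ "$#" -eq 2 ]; then
    register_b64 "$1" "$2"
fi
```

Base64 is an encoding, not encryption: the encoded value on the command line needs the same handling as the password itself.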
Autodiscovery of machines
Using autodiscovery, you can:
• Automate the installation of protection agents and the registration of machines by detecting the
machines in your Active Directory domain or local network.
• Install and update protection agents on multiple machines.
• Use synchronization with Active Directory to reduce the effort of provisioning
resources and managing machines in a large Active Directory domain.
Prerequisites
To perform autodiscovery, you need at least one machine with an installed protection agent in your
local network or Active Directory domain. This agent is used as a discovery agent.
Important
Only agents that are installed on Windows machines can be discovery agents. If there are no
discovery agents in your environment, you will not be able to use the Multiple devices option in
the Add devices panel.
Remote installation of agents is supported only for machines running Windows (Windows XP is not
supported). For remote installation on a machine running Windows Server 2012 R2, you must have
Windows update KB2999226 installed on this machine.
How autodiscovery works
During a local network discovery, the discovery agent collects the following information for each
machine in the network, by using NetBIOS discovery, Web Service Discovery (WSD), and the Address
Resolution Protocol (ARP) table:
• Name (short/NetBIOS hostname)
• Fully qualified domain name (FQDN)
• Domain/workgroup
• IPv4/IPv6 addresses
• MAC addresses
• Operating system (name/version/family)
• Machine category (workstation/server/domain controller)
During an Active Directory discovery, the discovery agent, in addition to the list above, collects
information about the Organizational Unit (OU) of the machines and detailed information about
their names and operating systems. However, the IP and MAC addresses are not collected.
The following diagram summarizes the autodiscovery process.
1. Select the discovery method:
• Active Directory discovery
• Local network discovery
• Manual discovery – By using a machine IP address or host name, or by importing a list of
machines from a file
The results of an Active Directory discovery or a local network discovery exclude machines with
installed protection agents.
During a manual discovery, the existing protection agents are updated and re-registered. If you
perform autodiscovery by using the same account under which an agent is registered, the agent
will only be updated to the latest version. If you perform autodiscovery by using another
account, the agent will be updated to the latest version and re-registered under the tenant to
which the account belongs.
2. Select the machines that you want to add to your tenant.
3. Select how to add these machines:
• Install a protection agent and additional components on the machines, and register them in
the service console.
• Register the machines in the service console (if a protection agent was already installed).
• Add the machines to the web console as Unmanaged machines, without installing a
protection agent.
You can also apply an existing protection plan to the machines on which you install a protection
agent or which you register in the service console.
4. Provide administrator credentials for the selected machines.
5. Verify that you can connect to the machines by using the provided credentials.
The machines that are shown in the Cyber Protection service console fall into the following
categories:
• Discovered – Machines that are discovered, but a protection agent is not installed on them.
• Managed – Machines on which a protection agent is installed.
• Unprotected – Machines to which a protection plan is not applied. Unprotected machines
include both discovered machines and managed machines with no protection plan applied.
• Protected – Machines to which a protection plan is applied.
How remote installation of agents works
1. The discovery agent connects to the target machines by using the host name, IP address, and
administrator credentials specified in the discovery wizard, and then uploads the
web_installer.exe file to these machines.
2. The web_installer.exe file runs on the target machines in the unattended mode.
3. The web installer retrieves additional installation packages from the cloud, and then installs
them to the target machines via the msiexec command.
4. After the installation completes, the components are registered in the cloud.
Note
Remote installation of agents is not supported for Domain Controllers due to the additional
permissions required for the agent service to run.
Autodiscovery and manual discovery
Before starting the discovery, ensure that the prerequisites are met.
Note
Autodiscovery is not supported for adding Domain Controllers due to additional permissions
required for the agent service to run.
To discover machines
1. In the service console, go to Devices > All devices.
2. Click Add.
3. In Multiple devices, click Windows-only. The discovery wizard opens.
4. [If there are units in your organization] Select a unit. Then, in Discovery agent you will be able to
select the agents associated with the selected unit and its child units.
5. Select the discovery agent that will perform the scan to detect machines.
6. Select the discovery method:
• Search Active Directory. Ensure that the machine with the discovery agent is a member of the
Active Directory domain.
• Scan local network. If the selected discovery agent could not find any machines, select
another discovery agent.
• Specify manually or import from file. Manually define the machines to be added or import
them from a text file.
7. [If the Active Directory discovery method is selected] Select how to search for machines:
• In organizational unit list. Select the group of machines to be added.
• By LDAP dialect query. Use the LDAP dialect query to select the machines. Search base
defines where to search, while Filter allows you to specify the criteria for machine selection.
8. [If the Active Directory or local network discovery method is selected] Use a list to select the
machines that you want to add.
[If the Manual discovery method is selected] Specify the machine IP addresses or hostnames, or
import the machine list from a text file. The file must contain IP addresses/hostnames, one per
line. Here is an example of a file:
156.85.34.10
156.85.53.32
156.85.53.12
EN-L00000100
EN-L00000101
After adding machine addresses manually or importing from a file, the agent tries to ping the
added machines and define their availability.
9. Select what actions must be performed after the discovery:
• Install agents and register machines. You can select which components to install on the
machines by clicking Select components. For more details, refer to "Selecting components
for installation" (p. 98).
On the Select components screen, define the account under which the services will run by
specifying Logon account for the agent service. You can select one of the following:
◦ Use Service User Accounts (default for the agent service)
Service User Accounts are Windows system accounts that are used to run services. The
advantage of this setting is that the domain security policies do not affect these accounts'
user rights. By default, the agent runs under the Local System account.
◦ Create a new account
The account name will be Agent User for the agent.
◦ Use the following account
If you install the agent on a domain controller, the system prompts you to specify existing
accounts (or the same account) for the agent. For security reasons, the system does not
automatically create new accounts on a domain controller.
If you chose the Create a new account or Use the following account option, ensure that
the domain security policies do not affect the related accounts' rights. If an account is
deprived of the user rights assigned during the installation, the component may work
incorrectly or not work.
• Register machines with installed agents. This option is used if the agent is already installed
on machines and you need only to register them in Cyber Protection. If no agent is found
on the machines, then they will be added as Unmanaged machines.
• Add as unmanaged machines. The agent will not be installed on the machines. You will be
able to view them in the console and install or register the agent later.
[If the Install agents and register machines post-discovery action is selected] Restart the
machine if required – if the option is enabled, the machine will be restarted as many times as
required to complete the installation.
Restart of the machine may be required in one of the following cases:
• Installation of prerequisites is completed and restart is required to continue the installation
• Installation is completed but restart is required as some files are locked during installation
• Installation is completed but restart is required for other previously installed software
[If Restart the machine if required is selected] Do not restart if the user logged in – if the
option is enabled, the machine will not be automatically restarted if the user is logged in to the
system. For example, if a user is working while installation requires restart, the system will not be
restarted.
If the prerequisites were installed and then the reboot was not done because a user was logged
in, then to complete the agent installation you need to reboot the machine and start the
installation again.
If the agent was installed but then the reboot was not done, then you need to reboot the
machine.
[If there are units in your organization] User for whom to register the machines – select the
user of your unit or subordinate units for whom the machines will be registered.
If you have selected one of the first two post-discovery actions, then there is also an option to
apply the protection plan to the machines. If you have several protection plans, you can select
which one to use.
10. Specify the credentials of the user with administrator rights for all of the machines.
Important
Note that remote installation of an agent works without any preparations only if you specify the
credentials of the built-in administrator account (the first account created when the operating
system is installed). If you want to define some custom administrator credentials, then you
should do additional manual preparations as described in "Enabling remote installation of an
agent for a custom administrator" below.
11. The system checks connectivity to all of the machines. If the connection to some of the machines
fails, you can change the credentials for these machines.
When the discovery of machines is initiated, you will find the corresponding task in Monitoring >
Activities > Discovering machines activity.
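For the import file described in step 8, it is worth checking the list before uploading it, because the discovery agent later connects to every listed machine with the administrator credentials from step 10. The script below is an added example, not vendor code; it assumes IPv4 addresses and plain host names only, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code: check a manual-discovery import file
# (IP addresses or host names, one per line) before uploading it.
# Assumptions: IPv4 only; host names use letters, digits, hyphens and dots.

# check_host_list FILE -> prints one "line N: ..." message per problem,
# returns 0 if the file is clean and non-zero otherwise.
check_host_list() {
    LC_ALL=C awk '
        function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; errors++ }

        # Dotted quad, each octet 0-255 with no leading zero ("010" is read
        # as octal by inet_aton-style parsers, so it is rejected here).
        function ipv4_ok(s,    o, n, i) {
            n = split(s, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^(0|[1-9][0-9]?[0-9]?)$/ || o[i] + 0 > 255) return 0
            return 1
        }

        # No empty label, no label starting or ending with "-", labels <= 63.
        function host_ok(s,    l, n, i) {
            if (s ~ /^[.-]|[.-]$|\.[.-]|-\./) return 0
            n = split(s, l, ".")
            for (i = 1; i <= n; i++)
                if (length(l[i]) > 63) return 0
            return 1
        }

        {
            sub(/\r$/, "")                       # accept CRLF line endings
            if ($0 == "") next                   # ignore blank lines
            if ($0 ~ /[^A-Za-z0-9.-]/) { bad("unexpected character"); next }
            if ($0 ~ /^[0-9.]+$/) {
                if (!ipv4_ok($0)) { bad("invalid IPv4 address"); next }
            } else if (!host_ok($0)) { bad("malformed host name"); next }
            if (seen[tolower($0)]++) bad("duplicate entry")
        }

        END { exit (errors > 0) }
    ' "$1"
}

# Usage: sh check_hosts.sh machines.txt
if [ "$#" -eq 1 ]; then
    check_host_list "$1"
fi
```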
Preparing a machine for remote installation
1. For successful installation on a remote machine running Windows 7 or later, the option Control
panel > Folder options > View > Use Sharing Wizard must be disabled on that machine.
2. For successful installation on a remote machine that is not a member of an Active Directory
domain, User Account Control (UAC) must be disabled on that machine. For more information on
how to disable it, refer to "Requirements on User Account Control (UAC)" > To disable UAC.
3. By default, the credentials of the built-in administrator account are required for remote
installation on any Windows machine. To perform remote installation by using the credentials of
another administrator account, User Account Control (UAC) remote restrictions must be disabled.
For more information on how to disable them, refer to "Requirements on User Account Control
(UAC)" > To disable UAC remote restrictions.
4. File and Printer Sharing must be enabled on the remote machine. To access this option:
• On a machine running Windows 2003 Server: go to Control panel > Windows Firewall >
Exceptions > File and Printer Sharing.
• On a machine running Windows Server 2008, Windows 7, or later: go to Control panel >
Windows Firewall > Network and Sharing Center > Change advanced sharing settings.
5. Cyber Protection uses TCP ports 445, 25001, and 43234 for remote installation.
Port 445 is automatically opened when you enable File and Printer Sharing. Ports 43234 and
25001 are automatically opened through Windows Firewall. If you use a different firewall, make
sure that these three ports are open (added to exceptions) for both incoming and outgoing
requests.
After the remote installation is complete, port 25001 is automatically closed through Windows
Firewall. Ports 445 and 43234 need to remain open if you want to update the agent remotely in
the future. Port 25001 is automatically opened and closed through Windows Firewall during each
update. If you use a different firewall, keep all three ports open.
Requirements on User Account Control (UAC)
On a machine that is running Windows 7 or later and is not a member of an Active Directory
domain, centralized management operations (including remote installation) require that UAC and
UAC remote restrictions be disabled.
To disable UAC
Do one of the following depending on the operating system:
• In a Windows operating system prior to Windows 8:
Go to Control panel > View by: Small icons > User Accounts > Change User Account
Control Settings, and then move the slider to Never notify. Then, restart the machine.
• In any Windows operating system:
1. Open Registry Editor.
2. Locate the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
3. For the EnableLUA value, change the setting to 0.
4. Restart the machine.
To disable UAC remote restrictions
1. Open Registry Editor.
2. Locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3. For the LocalAccountTokenFilterPolicy value, change the setting to 1.
If the LocalAccountTokenFilterPolicy value does not exist, create it as DWORD (32-bit). For
more information about this value, refer to the Microsoft documentation:
https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows.
Note
For security reasons, it is recommended that after finishing the management operation (for
example, remote installation), both of the settings be reverted to their original state:
EnableLUA=1 and LocalAccountTokenFilterPolicy=0.
Selecting components for installation
You can find the description of mandatory and additional components in the following table:
Component – Description
Mandatory component
• Agent for Windows – This agent backs up disks, volumes, and files, and will be installed on
Windows machines. It will always be installed; it is not selectable.
Additional components
• Agent for Data Loss Prevention – This agent enables you to limit the user access to local and
redirected peripheral devices, ports, and clipboard on machines under protection plans. It will
be installed if selected.
• Antimalware and URL filtering – This component enables the Antivirus & Antimalware protection
module and URL filtering module in protection plans. Even if you select not to install it, it will
be automatically installed later, if any of these modules is enabled in a protection plan for
the machine.
• Agent for Hyper-V – This agent backs up Hyper-V virtual machines and will be installed on
Hyper-V hosts. It will be installed if selected and the Hyper-V role is detected on the machine.
• Agent for SQL – This agent backs up SQL Server databases and will be installed on machines
running Microsoft SQL Server. It will be installed if selected and the application is detected on
the machine.
• Agent for Exchange – This agent backs up Exchange databases and mailboxes and will be installed
on machines running the Mailbox role of Microsoft Exchange Server. It will be installed if
selected and the application is detected on the machine.
• Agent for Active Directory – This agent backs up the data of Active Directory Domain Services
and will be installed on domain controllers. It will be installed if selected and the application
is detected on the machine.
• Agent for VMware (Windows) – This agent backs up VMware virtual machines and will be installed
on Windows machines that have network access to vCenter Server. It will be installed if selected.
• Agent for Microsoft 365 – This agent backs up Microsoft 365 mailboxes to a local destination and
will be installed on Windows machines. It will be installed if selected.
• Agent for Oracle – This agent backs up Oracle databases and will be installed on machines
running Oracle Database. It will be installed if selected.
• Cyber Protection Monitor – This component enables a user to monitor execution of running tasks
in the notification area and will be installed on Windows machines. It will be installed if
selected. Supported on Windows 7 Service Pack 1 and later, and Windows Server 2008 R2 Service
Pack 1 and later.
Managing discovered machines
After the discovery process is performed, you can find all of the discovered machines in Devices >
Unmanaged machines.
This section is divided into subsections by the discovery method used. The full list of machine
parameters is shown below (it may vary depending on the discovery method):
Name – Description
• Name – The name of the machine. The IP address will be shown if the name of the machine
could not be discovered.
• IP address – The IP address of the machine.
• Discovery type – The discovery method that was used to detect the machine.
• Organizational unit – The organizational unit in Active Directory that the machine belongs to.
This column is shown if you view the list of machines in Unmanaged machines > Active Directory.
• Operating system – The operating system installed on the machine.
There is an Exceptions section, where you can add the machines that must be skipped during the
discovery process. For example, if you do not need specific machines to be discovered, you can
add them to this list.
To add a machine to Exceptions, select it in the list and click Add to exceptions. To remove a
machine from Exceptions, go to Unmanaged machines > Exceptions, select the machine, and
click Remove from exceptions.
You can install the protection agent and register a batch of discovered machines in Cyber Protection
by selecting them in the list and clicking Install and register. The opened wizard also allows you to
assign the protection plan to a batch of machines.
After the protection agent is installed on machines, those machines will be shown in the Devices >
Machines with agents section.
To check your protection status, go to Monitoring > Overview and add the Protection status
widget or the Discovered machine widget.
Troubleshooting
If you have any issues with the autodiscovery functionality, check the following:
• Check that NetBIOS over TCP/IP is enabled or set to default.
• In “Control Panel\Network and Sharing Center\Advanced sharing settings”, turn on network
discovery.
100 © Acronis International GmbH, 2003-2022
l Check that the Function Discovery Provider Host service is running on the machine that does
discovery and on the machines to be discovered.
l Check that the Function Discovery Resource Publication service is running on the machines to be
discovered.
Deploying Agent for VMware (Virtual Appliance)
Before you start
System requirements for the agent
By default, the virtual appliance is assigned 4 GB of RAM and 2 vCPUs, which is optimal and
sufficient for most operations. We recommend increasing these resources to 8 GB of RAM and 4
vCPUs if the backup traffic bandwidth is expected to exceed 100 MB per second (for example, in
10-GBit networks), in order to improve backup performance.
The appliance's own virtual disks occupy no more than 6 GB. Thick or thin disk format does not
matter, as it does not affect the appliance performance.
How many agents do I need?
Even though one virtual appliance is able to protect an entire vSphere environment, the best
practice is deploying one virtual appliance per vSphere cluster (or per host, if there are no clusters).
This makes for faster backups because the appliance can attach the backed-up disks by using the
HotAdd transport, and therefore the backup traffic is directed from one local disk to another.
It is normal to use both the virtual appliance and Agent for VMware (Windows) at the same time, as
long as they are connected to the same vCenter Server or they are connected to different ESXi hosts.
Avoid cases when one agent is connected to an ESXi directly and another agent is connected to the
vCenter Server which manages this ESXi.
We do not recommend using locally attached storage (i.e. storing backups on virtual disks added to
the virtual appliance) if you have more than one agent. For more considerations, see "Using a locally
attached storage".
Disable automatic DRS for the agent
If the virtual appliance is deployed to a vSphere cluster, be sure to disable automatic vMotion for it.
In the cluster DRS settings, enable individual virtual machine automation levels, and then set
Automation level for the virtual appliance to Disabled.
Deploying the OVF template
1. Click All devices > Add > VMware ESXi > Virtual Appliance (OVF).
The .zip archive is downloaded to your machine.
2. Unpack the .zip archive. The folder contains one .ovf file and two .vmdk files.
3. Ensure that these files can be accessed from the machine running vSphere Client.
4. Start vSphere Client and log on to the vCenter Server.
5. Deploy the OVF template.
• When configuring storage, select the shared datastore, if it exists. Thick or thin disk format
does not matter, as it does not affect the appliance performance.
• When configuring network connections, be sure to select a network that allows an Internet
connection, so that the agent can properly register itself in the cloud.
Configuring the virtual appliance
1. In vSphere Client, display the Inventory, right-click the virtual appliance's name, and then select
Power > Power On. Select the Console tab.
2. The agent's network connection is configured automatically by using Dynamic Host
Configuration Protocol (DHCP). To change the default configuration, under Agent options, in
eth0, click Change and specify the desired network settings.
3. Under Agent options, in vCenter/ESX(i), click Change and specify the vCenter Server name or
IP address. The agent will be able to back up and recover any virtual machine managed by the
vCenter Server.
If you do not use a vCenter Server, specify the name or IP address of the ESXi host whose virtual
machines you want to back up and recover. Normally, backups run faster when the agent backs
up virtual machines hosted on its own host.
Specify the credentials that the agent will use to connect to the vCenter Server or ESXi. We
recommend using an account that has the Administrator role assigned. Otherwise, provide an
account with the necessary privileges on the vCenter Server or ESXi.
You can click Check connection to ensure the access credentials are correct.
4. Under Agent options, in Management Server, click Change.
a. In Server name/IP, select Cloud. The software displays the Cyber Protection service address.
Do not change this address unless instructed otherwise.
b. In User name and Password, specify the user name and password for the Cyber Protection
service. The agent and the virtual machines managed by the agent will be registered under
this account.
5. Under Virtual machine, in Time zone, click Change. Select the time zone of your location to
ensure that the scheduled operations run at the appropriate time.
6. [Optional] Add local storage.
You can attach an additional disk to the virtual appliance so the Agent for VMware can back up to
this locally attached storage.
Add the disk by editing the settings of the virtual machine and click Refresh. The Create storage
link becomes available. Click this link, select the disk, and then specify a label for it.
7. [If a proxy server is enabled in your network] Configure the proxy server.
a. To start the command shell, press CTRL+SHIFT+F2 while in the virtual appliance UI.
b. Open the file /etc/Acronis/Global.config in a text editor.
c. Do one of the following:
• If the proxy settings were specified during the agent installation, find the following section:
<key name="HttpProxy">
    <value name="Enabled" type="Tdword">"1"</value>
    <value name="Host" type="TString">"ADDRESS"</value>
    <value name="Port" type="Tdword">"PORT"</value>
    <value name="Login" type="TString">"LOGIN"</value>
    <value name="Password" type="TString">"PASSWORD"</value>
</key>
• Otherwise, copy the above lines and paste them into the file between the
<registry name="Global">...</registry> tags.
d. Replace ADDRESS with the new proxy server host name/IP address, and PORT with the decimal
value of the port number.
e. If your proxy server requires authentication, replace LOGIN and PASSWORD with the proxy server
credentials. Otherwise, delete these lines from the file.
f. Save the file.
g. Open the file /opt/acronis/etc/aakore.yaml in a text editor.
h. Locate the env section or create it and add the following lines:
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
i. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
j. Run the reboot command.
Note
To perform an automatic or manual update of a virtual appliance located behind a proxy, you
must configure the proxy server on the appliance as follows.
In the /opt/acronis/etc/va-updater/config.yaml file, add the following line to the bottom of the file
and enter the values specific to your environment:
httpProxy: http://proxy_login:proxy_password@proxy_address:port
Deploying Agent for Scale Computing HC3 (Virtual Appliance)
Before you start
This appliance is a pre-configured virtual machine that you deploy in a Scale Computing HC3 cluster.
It contains a protection agent that enables you to administer cyber protection for all virtual
machines in the cluster.
System requirements for the agent
By default, the virtual machine with the agent uses 2 vCPUs and 4 GiB of RAM. These settings are
sufficient for most operations but you can change them by editing the virtual machine in the Scale
Computing HC3 web interface. We recommend increasing these resources to 4 vCPUs and 8 GiB of
RAM if the backup traffic bandwidth is expected to exceed 100 MB per second (for example, in
10-GBit networks), in order to improve backup performance.
The size of the appliance virtual disk is about 9 GB.
How many agents do I need?
One agent can protect the entire cluster. However, you can have more than one agent in the cluster
if you need to distribute the backup traffic bandwidth load.
If you have more than one agent in a cluster, the virtual machines are automatically evenly
distributed between the agents, so that each agent manages a similar number of machines.
Automatic redistribution occurs when the load imbalance among the agents reaches 20 percent.
This may happen after you add or remove a machine or an agent. For example, you realize that you
need more agents to help with throughput and you deploy an additional virtual appliance to the
cluster. The management server will assign the most appropriate machines to the new agent. The
old agents' load will reduce. When you remove an agent from the management server, the
machines assigned to the agent are redistributed among the remaining agents. However, this will
not happen if an agent gets corrupted or is deleted manually from the Scale Computing HC3 cluster.
Redistribution will start only after you remove such an agent from the Cyber Protection service
console.
To check which agent manages a specific machine
1. In the Cyber Protection service console, click Devices, and then select Scale Computing.
2. Click the gear icon in the upper right corner of the table, and under System, select the Agent
check box.
3. Check the name of the agent in the column that appears.
Deploying the QCOW2 template
1. Log in to your Cyber Protection account.
2. Click Devices > All devices > Add > Scale Computing HC3.
The .zip archive is downloaded to your machine.
3. Unpack the .zip archive, and then save the .qcow2 file and the .xml file to a folder named
ScaleAppliance.
4. Upload the ScaleAppliance folder to a network share and ensure that the Scale Computing HC3
cluster can access it.
5. Log in to the Scale Computing HC3 cluster as an administrator who has the VM Create/Edit role
assigned. For more information about the roles required for operations with Scale Computing
HC3 virtual machines, refer to "Agent for Scale Computing HC3 – required roles" (p. 107).
6. In the Scale Computing HC3 web interface, import the virtual machine template from the
ScaleAppliance folder.
a. Click the Import HC3 VM icon.
b. In the Import HC3 VM window, specify the following:
• A name for the new virtual machine.
• The network share on which the ScaleAppliance folder is located.
• The user name and password required for accessing this network share.
• [Optional] A domain tag for the new virtual machine.
• The path to the ScaleAppliance folder on the network share.
c. Click Import.
After the deployment completes, you must configure the virtual appliance. For more information on
how to configure it, refer to "Configuring the virtual appliance" (p. 106).
Note
If you need more than one virtual appliance in your cluster, repeat the steps above and deploy
additional virtual appliances. Do not clone an existing virtual appliance by using the Clone
VM option in the Scale Computing HC3 web interface.
Configuring the virtual appliance
After deploying the virtual appliance, you need to configure it so that it can reach both the Scale
Computing HC3 cluster that it will protect and the Cyber Protection service.
To configure the virtual appliance
1. Log in to your Scale Computing HC3 account.
2. Select the appliance virtual machine that you need to configure, and then click the Console icon.
3. In the eth0 field, configure the network interfaces of the appliance.
Ensure that automatically assigned DHCP addresses (if any) are valid within the networks that
your virtual machine uses or assign them manually. Depending on the number of networks that
the appliance uses, there may be one or more interfaces to configure.
4. In the Scale Computing field, click Change to specify the Scale Computing HC3 cluster address
and credentials for accessing it:
a. In the Server name/IP field, enter the DNS name or IP address of the cluster.
b. In the User name and Password fields, enter the credentials for the Scale Computing HC3
administrator account.
Ensure that this account has the roles required for operations with Scale Computing HC3
virtual machines. For more information about these roles, refer to "Agent for Scale
Computing HC3 – required roles" (p. 107).
c. [Optional] Click Check connection to ensure that the provided credentials are correct.
d. Click OK.
5. In the Management Server field, click Change to specify the Cyber Protection service address
and credentials for accessing it.
a. In the Server name/IP field, select Cloud, and then specify the Cyber Protection service
address.
b. In the User name and Password fields, enter the credentials for your account in the Cyber
Protection service.
c. Click OK.
6. [Optional] In the Name field, click Change to edit the default name for the virtual appliance,
which is localhost. This name is shown in the Cyber Protection service console.
7. [Optional] In the Time field, click Change, and then select the time zone of your location to
ensure that the scheduled operations run at the appropriate time.
8. [If a proxy server is enabled in your network] Configure the proxy server.
a. To start the command shell, press CTRL+SHIFT+F2 while in the virtual appliance UI.
b. Open the file /etc/Acronis/Global.config in a text editor.
c. Do one of the following:
• If the proxy settings were specified during the agent installation, find the following section:
<key name="HttpProxy">
    <value name="Enabled" type="Tdword">"1"</value>
    <value name="Host" type="TString">"ADDRESS"</value>
    <value name="Port" type="Tdword">"PORT"</value>
    <value name="Login" type="TString">"LOGIN"</value>
    <value name="Password" type="TString">"PASSWORD"</value>
</key>
• Otherwise, copy the above lines and paste them into the file between the
<registry name="Global">...</registry> tags.
d. Replace ADDRESS with the new proxy server host name/IP address, and PORT with the decimal
value of the port number.
e. If your proxy server requires authentication, replace LOGIN and PASSWORD with the proxy server
credentials. Otherwise, delete these lines from the file.
f. Save the file.
g. Open the file /opt/acronis/etc/aakore.yaml in a text editor.
h. Locate the env section or create it and add the following lines:
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
i. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
j. Run the reboot command.
Note
To perform an automatic or manual update of a virtual appliance located behind a proxy, you
must configure the proxy server on the appliance as follows.
In the /opt/acronis/etc/va-updater/config.yaml file, add the following line to the bottom of the file
and enter the values specific to your environment:
httpProxy: http://proxy_login:proxy_password@proxy_address:port
To protect virtual machines in the Scale Computing HC3 cluster
1. Log in to your Cyber Protection account.
2. Navigate to Devices > Scale Computing HC3 > <your cluster> or find your machines in Devices >
All devices.
3. Select the desired machines and apply a protection plan for them.
Agent for Scale Computing HC3 – required roles
This section describes the roles required for operations with Scale Computing HC3 virtual machines.
| Operation | Role |
|---|---|
| Back up a virtual machine | Backup, VM Create/Edit, VM Delete |
| Recover to an existing virtual machine | Backup, VM Create/Edit, VM Power Control, VM Delete, Cluster Settings |
| Recover to a new virtual machine | Backup, VM Create/Edit, VM Power Control, VM Delete, Cluster Settings |
Deploying Agent for Virtuozzo Hybrid Infrastructure (Virtual Appliance)
Before you start
This appliance is a pre-configured virtual machine that you deploy in Virtuozzo Hybrid
Infrastructure. It contains a protection agent that enables you to administer cyber protection for all
virtual machines in a Virtuozzo Hybrid Infrastructure cluster.
Note
To ensure that backups with the Volume Shadow Copy Service (VSS) for virtual machines backup
option enabled run properly and capture data in an application-consistent state, verify that
Virtuozzo Guest Tools are installed and up-to-date on the protected virtual machines.
System requirements for the agent
When deploying the virtual appliance, you can choose between different predefined combinations
of vCPUs and RAM (flavors). You can also create your own flavors.
2 vCPUs and 4 GB of RAM (medium flavor) are optimal and sufficient for most operations. We
recommend increasing these resources to 4 vCPUs and 8 GB of RAM if the backup traffic bandwidth
is expected to exceed 100 MB per second (for example, in 10-GBit networks), in order to improve
backup performance.
How many agents do I need?
One agent can protect the entire cluster. However, you can have more than one agent in the cluster
if you need to distribute the backup traffic bandwidth load.
If you have more than one agent in a cluster, the virtual machines are automatically evenly
distributed between the agents, so that each agent manages a similar number of machines.
Automatic redistribution occurs when the load imbalance among the agents reaches 20 percent.
This may happen after you add or remove a machine or an agent. For example, you realize that you
need more agents to help with throughput and you deploy an additional virtual appliance to the
cluster. The management server will assign the most appropriate machines to the new agent. The
old agents' load will reduce. When you remove an agent from the management server, the
machines assigned to the agent are redistributed among the remaining agents. However, this will
not happen if an agent gets corrupted or is deleted manually from the Virtuozzo Hybrid
Infrastructure node. Redistribution will start only after you remove such an agent from the Cyber
Protection web interface.
To check which agent manages a specific machine
1. In the Cyber Protection service console, click Devices, and then select Virtuozzo Hybrid
Infrastructure.
2. Click the gear icon in the upper right corner of the table, and under System, select the Agent
check box.
3. Check the name of the agent in the column that appears.
Limitations
• Virtuozzo Hybrid Infrastructure appliance cannot be deployed remotely.
• Application-aware backup of virtual machines is not supported.
Configuring networks in Virtuozzo Hybrid Infrastructure
Before deploying and configuring the virtual appliance, you need to have your networks in Virtuozzo
Hybrid Infrastructure configured.
Network requirements for the Agent for Virtuozzo Hybrid Infrastructure (Virtual Appliance)
• The virtual appliance requires 2 network adapters.
• The virtual appliance must be connected to Virtuozzo networks with the following network traffic
types:
    ◦ Compute API
    ◦ VM Backup
    ◦ ABGW Public
    ◦ VM Public
For more information about configuring the networks, see Compute cluster requirements in the
Virtuozzo documentation.
Configuring user accounts in Virtuozzo Hybrid Infrastructure
To configure the virtual appliance, you need a Virtuozzo Hybrid Infrastructure user account. This
account must have the Administrator role in the Default domain. For more information about
users, refer to Managing admin panel users in the Virtuozzo Hybrid Infrastructure documentation.
Ensure that you granted this account access to all projects in the Default domain.
To grant access to all projects in the Default domain
1. Create an environment file for the system administrator. To do this, run the following script in
the Virtuozzo Hybrid Infrastructure cluster via the OpenStack Command-Line Interface. For more
information on how to connect to this interface, refer to Connecting to OpenStack command-line
interface in the Virtuozzo Hybrid Infrastructure documentation.
su - vstoradmin
kolla-ansible post-deploy
exit
2. Use the environment file to authorize further OpenStack commands:
. /etc/kolla/admin-openrc.sh
3. Run the following commands:
openstack --insecure user set --project admin --project-domain Default --domain Default <username>
openstack --insecure role add --domain Default --user <username> --user-domain Default compute --inherited
Here, <username> is the Virtuozzo Hybrid Infrastructure account with the Administrator role in
the Default domain. The virtual appliance will use this account in order to back up and restore
the virtual machines in any child project under the Default domain.
Example
su - vstoradmin
kolla-ansible post-deploy
exit
. /etc/kolla/admin-openrc.sh
openstack --insecure user set --project admin --project-domain Default --domain Default johndoe
openstack --insecure role add --domain Default --user johndoe --user-domain Default compute --inherited
To manage backups for virtual machines in a domain that is different from the Default domain, run
the following command as well.
To grant access to all projects in a different domain
openstack --insecure role add --domain <domain name> --inherited --user <username> --user-domain Default admin
Here, <domain name> is the domain whose projects the <username> account will have access to.
Example
openstack --insecure role add --domain MyNewDomain --inherited --user johndoe --user-domain Default admin
After granting access to projects, check what roles are assigned to the account.
To check assigned roles
openstack --insecure role assignment list --user <username> --names
Here, <username> is the Virtuozzo Hybrid Infrastructure account.
Example
openstack --insecure role assignment list --user johndoe --names -c Role -c User -c Project -c Domain
+--------------+-----------------+---------+-------------+
| Role | User | Project | Domain |
+--------------+-----------------+---------+-------------+
| admin | johndoe@Default | | MyNewDomain |
| compute | johndoe@Default | | Default |
| domain_admin | johndoe@Default | | Default |
| domain_admin | johndoe@Default | | Default |
+--------------+-----------------+---------+-------------+
In this example, the options -c Role, -c User, -c Project, and -c Domain are used to abridge the
command output to fit the page.
To check what effective roles are assigned to the account in all projects, run the following command
as well.
To check effective roles in all projects
openstack --insecure role assignment list --user <username> --names --effective
Here, <username> is the Virtuozzo Hybrid Infrastructure account.
Example
openstack --insecure role assignment list --user johndoe --names --effective -c Role -c User -c Project -c Domain
+--------------+-----------------+-----------------+---------+
| Role | User | Project | Domain |
+--------------+-----------------+-----------------+---------+
| domain_admin | johndoe@Default | | Default |
| compute | johndoe@Default | admin@Default | |
| compute | johndoe@Default | service@Default | |
| domain_admin | johndoe@Default | admin@Default | |
| domain_admin | johndoe@Default | service@Default | |
| project_user | johndoe@Default | service@Default | |
| member | johndoe@Default | service@Default | |
| reader | johndoe@Default | service@Default | |
| project_user | johndoe@Default | admin@Default | |
| member | johndoe@Default | admin@Default | |
| reader | johndoe@Default | admin@Default | |
| project_user | johndoe@Default | | Default |
| member | johndoe@Default | | Default |
| reader | johndoe@Default | | Default |
+--------------+-----------------+-----------------+---------+
In this example, the options -c Role, -c User, -c Project, and -c Domain are used to abridge the
command output to fit the page.
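The two role listings above can be checked mechanically instead of by eye. The following Python is an added example, not part of the Acronis or Virtuozzo tooling: it parses the table that openstack role assignment list prints and reports grants from the procedure that are missing, projects where the inherited compute role is not effective, and domains where the account holds admin without that being expected. The function names are assumptions; the sample tables are the two outputs shown above.

```python
# Sample input: the two outputs shown in the examples above.
ASSIGNED = """
+--------------+-----------------+---------+-------------+
| Role         | User            | Project | Domain      |
+--------------+-----------------+---------+-------------+
| admin        | johndoe@Default |         | MyNewDomain |
| compute      | johndoe@Default |         | Default     |
| domain_admin | johndoe@Default |         | Default     |
| domain_admin | johndoe@Default |         | Default     |
+--------------+-----------------+---------+-------------+
"""
EFFECTIVE = """
+--------------+-----------------+-----------------+---------+
| Role         | User            | Project         | Domain  |
+--------------+-----------------+-----------------+---------+
| domain_admin | johndoe@Default |                 | Default |
| compute      | johndoe@Default | admin@Default   |         |
| compute      | johndoe@Default | service@Default |         |
| domain_admin | johndoe@Default | admin@Default   |         |
| domain_admin | johndoe@Default | service@Default |         |
| project_user | johndoe@Default | service@Default |         |
| member       | johndoe@Default | service@Default |         |
| reader       | johndoe@Default | service@Default |         |
| project_user | johndoe@Default | admin@Default   |         |
| member       | johndoe@Default | admin@Default   |         |
| reader       | johndoe@Default | admin@Default   |         |
| project_user | johndoe@Default |                 | Default |
| member       | johndoe@Default |                 | Default |
| reader       | johndoe@Default |                 | Default |
+--------------+-----------------+-----------------+---------+
"""


def parse_table(output):
    """Turn the client's bordered table into a list of row dicts keyed by column name."""
    header, rows = None, []
    for line in output.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # border lines, blank lines, the command line itself
        cells = [cell.strip() for cell in line[1:-1].split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def missing_domain_grants(rows, user, extra_domains=()):
    """Domain-level grants from the procedure that a non-effective listing lacks.

    The procedure grants compute on the Default domain and, for every
    additional domain, admin on that domain.
    """
    held = {(r["Role"], r["Domain"]) for r in rows
            if r["User"] == user and r["Domain"] and not r["Project"]}
    wanted = [("compute", "Default")] + [("admin", d) for d in extra_domains]
    return [grant for grant in wanted if grant not in held]


def projects_without_role(rows, user, role="compute"):
    """Projects in an --effective listing on which the inherited role is absent."""
    projects = {r["Project"] for r in rows if r["User"] == user and r["Project"]}
    covered = {r["Project"] for r in rows
               if r["User"] == user and r["Role"] == role and r["Project"]}
    return sorted(projects - covered)


def unexpected_admin_domains(rows, user, expected=()):
    """Domains where the account holds admin although they are not in `expected`."""
    return sorted({r["Domain"] for r in rows
                   if r["User"] == user and r["Role"] == "admin"
                   and r["Domain"] and r["Domain"] not in expected})
```

Run missing_domain_grants on the plain listing and projects_without_role on the --effective listing, because inherited domain roles appear per project only in the latter.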
Deploying the QCOW2 template
1. Log in to your Cyber Protection account.
2. Click Devices > All devices > Add > Virtuozzo Hybrid Infrastructure.
The .zip archive is downloaded to your machine.
3. Unpack the .zip archive. It contains a .qcow2 image file.
4. Log in to your Virtuozzo Hybrid Infrastructure account.
5. Add the .qcow2 image file to the Virtuozzo Hybrid Infrastructure compute cluster as follows:
• On the Compute > Virtual machines > Images tab, click Add image.
• In the Add image window, click Browse, and then select the .qcow2 file.
• Specify the image name, select the Generic Linux OS type, and then click Add.
6. In the Compute > Virtual machines > Virtual machines tab, click Create virtual machine. A
window will open where you need to specify the following parameters:
• A name for the new virtual machine.
• In Deploy from, choose Image.
• In the Images window, select the .qcow2 image file of the appliance, and then click Done.
• In the Volumes window, you don’t need to add any volumes. The volume that is added
automatically for the system disk is sufficient.
• In the Flavor window, choose your desired combination of vCPUs and RAM, and then click
Done. Usually, 2 vCPUs and 4 GiB of RAM are enough.
• In the Network interfaces window, click Add, select the virtual network of type public, and
then click Add. It will appear in the Network interfaces list.
If you use a setup with more than one physical network (and thus, with more than one virtual
network of type public), repeat this step and select the virtual networks that you need.
7. Click Done.
8. Back in the Create virtual machine window, click Deploy to create and boot the virtual
machine.
Configuring the virtual appliance
After deploying the Agent for Virtuozzo Hybrid Infrastructure (Virtual Appliance), you need to
configure the virtual appliance so that it can reach both the Virtuozzo Hybrid Infrastructure cluster
that it will protect and the Cyber Protection cloud service.
To configure the virtual appliance
1. Log in to your Virtuozzo Hybrid Infrastructure account.
2. On the Compute > Virtual machines > Virtual Machines tab, select the virtual machine that
you created. Then, click Console.
3. Configure the network interfaces of the appliance. There may be one or more interfaces to
configure – it depends on the number of virtual networks that the appliance uses. Ensure that
automatically assigned DHCP addresses (if any) are valid within the networks that your virtual
machine uses or assign them manually.
4. Specify the Virtuozzo cluster address and credentials:
• DNS name or IP address of the Virtuozzo Hybrid Infrastructure cluster – this is the address of
the management node of the cluster. The default port 5000 will be automatically set. If you
use a different port, you need to specify it manually.
• In the User domain name field, specify your domain in Virtuozzo Hybrid Infrastructure. For
example, Default.
The domain name is case-sensitive.
• In the User name and Password fields, enter the credentials for the Virtuozzo Hybrid
Infrastructure user account with the Administrator role in the specified domain. For more
information about users, roles, and domains, refer to Configuring user accounts in Virtuozzo
Hybrid Infrastructure.
5. Specify the Cyber Protection management server address and credentials for accessing it.
6. [If a proxy server is enabled in your network] Configure the proxy server.
a. To start the command shell, press CTRL+SHIFT+F2 while in the virtual appliance UI.
b. Open the file /etc/Acronis/Global.config in a text editor.
c. Do one of the following:
• If the proxy settings were specified during the agent installation, find the following section:
<key name="HttpProxy">
    <value name="Enabled" type="Tdword">"1"</value>
    <value name="Host" type="TString">"ADDRESS"</value>
    <value name="Port" type="Tdword">"PORT"</value>
    <value name="Login" type="TString">"LOGIN"</value>
    <value name="Password" type="TString">"PASSWORD"</value>
</key>
• Otherwise, copy the above lines and paste them into the file between the
<registry name="Global">...</registry> tags.
d. Replace ADDRESS with the new proxy server host name/IP address, and PORT with the decimal
value of the port number.
e. If your proxy server requires authentication, replace LOGIN and PASSWORD with the proxy server
credentials. Otherwise, delete these lines from the file.
f. Save the file.
g. Open the file /opt/acronis/etc/aakore.yaml in a text editor.
h. Locate the env section or create it and add the following lines:
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
i. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
j. Run the reboot command.
Note
To perform an automatic or manual update of a virtual appliance located behind a proxy, you
must configure the proxy server on the appliance as follows.
In the /opt/acronis/etc/va-updater/config.yaml file, add the following line to the bottom of the file
and enter the values specific to your environment:
httpProxy: http://proxy_login:proxy_password@proxy_address:port
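The proxy procedure above, which is the same for the VMware, Scale Computing HC3 and Virtuozzo Hybrid Infrastructure appliances, writes one proxy address and one set of credentials into three files. The following Python check is an added example, not Acronis code: given the contents of the three files, it reports values that disagree, placeholders left in place, http-proxy lines that are not nested under env, and every location that holds the proxy password in clear text. The function names, host name and account in the sample are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample contents of the three files edited in the procedure.
GLOBAL_CONFIG = """<registry name="Global">
<key name="HttpProxy">
<value name="Enabled" type="Tdword">"1"</value>
<value name="Host" type="TString">"proxy.example.internal"</value>
<value name="Port" type="Tdword">"3128"</value>
<value name="Login" type="TString">"svc-proxy"</value>
<value name="Password" type="TString">"constructed-secret"</value>
</key>
</registry>"""
AAKORE_YAML = """env:
    http-proxy: svc-proxy:constructed-secret@proxy.example.internal:3128
    https-proxy: svc-proxy:constructed-secret@proxy.example.internal:3128
"""
# Deliberately inconsistent: the updater points at a different port.
UPDATER_YAML = "httpProxy: http://svc-proxy:constructed-secret@proxy.example.internal:8080\n"

PROXY_KEY = re.compile(r"^([ \t]*)(http-proxy|https-proxy|httpProxy)[ \t]*:[ \t]*(\S+)[ \t]*$", re.M)


def endpoint(value):
    """Split [scheme://][login:password@]host:port; the password itself is not kept."""
    value = value.strip().strip("\"'")
    parts = urlsplit(value if "://" in value else "//" + value)
    try:
        port = parts.port
    except ValueError:  # non-numeric port, e.g. the literal placeholder "port"
        port = None
    return {"host": (parts.hostname or "").lower(), "port": port,
            "login": parts.username, "has_password": bool(parts.password)}


def from_global_config(xml_text):
    """Read the HttpProxy key; values in this file are wrapped in double quotes."""
    root = ET.fromstring(xml_text)
    key = root.find(".//key[@name='HttpProxy']")
    if key is None:
        return None
    val = {v.get("name"): (v.text or "").strip().strip('"') for v in key.findall("value")}
    if val.get("Enabled") != "1":
        return None
    port = val.get("Port", "")
    return {"host": val.get("Host", "").lower(),
            "port": int(port) if port.isdigit() else None,
            "login": val.get("Login") or None,
            "has_password": bool(val.get("Password"))}


def from_yaml(text):
    """Map each proxy key found in the YAML text to (indent width, endpoint)."""
    return {key: (len(indent), endpoint(value))
            for indent, key, value in PROXY_KEY.findall(text)}


def audit(global_xml, aakore_yaml, updater_yaml):
    """Return a list of findings for the three file contents."""
    findings, seen = [], {}
    g = from_global_config(global_xml)
    if g is None:
        findings.append("Global.config: HttpProxy key missing or not enabled")
    else:
        seen["Global.config"] = g
    agent, updater = from_yaml(aakore_yaml), from_yaml(updater_yaml)
    has_env = re.search(r"^env:[ \t]*$", aakore_yaml, re.M) is not None
    for key in ("http-proxy", "https-proxy"):
        if key not in agent:
            findings.append(f"aakore.yaml: {key} is not set")
            continue
        indent, ep = agent[key]
        if indent == 0 or not has_env:
            findings.append(f"aakore.yaml: {key} is not nested under env:")
        seen[f"aakore.yaml {key}"] = ep
    if "httpProxy" in updater:
        seen["va-updater/config.yaml"] = updater["httpProxy"][1]
    else:
        findings.append("va-updater/config.yaml: httpProxy is not set")
    for where, ep in seen.items():
        if not ep["host"] or ep["port"] is None:
            findings.append(f"{where}: host or port is not usable (placeholder left in?)")
        if ep["has_password"]:
            findings.append(f"{where}: holds the proxy password in clear text")
    if len({(ep["host"], ep["port"], ep["login"]) for ep in seen.values()}) > 1:
        findings.append("proxy host, port or login differs between the files")
    return findings
```

Every "clear text" finding names a file whose read access is worth restricting to the accounts that need it, and a proxy account dedicated to the appliance limits what those files expose.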
To protect the virtual machines in the Virtuozzo Hybrid Infrastructure cluster
1. Log in to your Cyber Protection account.
2. Navigate to Devices > Virtuozzo Hybrid Infrastructure > <your cluster> > Default project >
admin or find your machines in Devices > All devices.
3. Select the desired machines and apply a protection plan for them.
Deploying Agent for oVirt (Virtual Appliance)
Before you start
This appliance is a pre-configured virtual machine that you deploy in a Red Hat Virtualization/oVirt
data center. The appliance contains a protection agent that enables you to administer cyber
protection for all virtual machines in the data center.
System requirements for the agent
By default, the virtual machine with the agent uses 2 vCPUs and 4 GiB of RAM. These settings are
sufficient for most operations but you can edit them in Red Hat Virtualization/oVirt Administration
Portal. We recommend increasing these resources to 4 vCPUs and 8 GiB of RAM if the backup traffic
bandwidth is expected to exceed 100 MB per second (for example, in 10-GBit networks), in order to
improve backup performance.
The size of the appliance virtual disk is 8 GiB.
How many agents do I need?
One agent can protect the entire data center. However, you can have more than one agent in the
data center if you need to distribute the backup traffic bandwidth load.
If you have more than one agent in the data center, the virtual machines are automatically
distributed between the agents, so that each agent manages a similar number of machines.
Automatic redistribution occurs when the load imbalance among the agents reaches 20 percent.
This may happen after you add or remove a machine or an agent. For example, you realize that you
need more agents to help with throughput and you deploy an additional virtual appliance to the
data center. The management server will assign the most appropriate machines to the new agent.
The old agents' load will reduce. When you remove an agent, the machines assigned to the agent
are redistributed among the remaining agents. However, this will not happen if an agent gets
corrupted or is deleted manually from Red Hat Virtualization/oVirt Administration Portal.
Redistribution will start only after you remove such an agent from the Cyber Protection service
console.
To check which agent manages a specific machine
1. In the Cyber Protection service console, click Devices, and then select oVirt.
2. Click the gear icon in the upper right corner of the table, and under System, select the Agent
check box.
3. Check the name of the agent in the column that appears.
Limitations
The following operations are not supported for Red Hat Virtualization/oVirt virtual machines:
• Application-aware backup
• Running a virtual machine from a backup
• Replication of virtual machines
• Changed block tracking
Deploying the OVA template
1. Log in to your Cyber Protection account.
2. Click Devices > All devices > Add > Red Hat Virtualization (oVirt).
The .zip archive is downloaded to your machine.
3. Unpack the .zip archive. It contains one .ova file.
4. Upload the .ova file to a host in the Red Hat Virtualization/oVirt data center that you want to
protect.
5. Log in to Red Hat Virtualization/oVirt Administration Portal as an administrator. For more
information about the roles required for operations with virtual machines, refer to "Agent for
oVirt – required roles and ports" (p. 121).
6. From the navigation menu, select Compute > Virtual machines.
7. Click the vertical ellipsis icon above the main table, and then click Import.
8. In the Import Virtual Machine(s) window, do the following:
a. In Data center, select the data center that you want to protect.
b. In Source, select Virtual Appliance (OVA).
c. In Host, select the host on which you uploaded the .ova file.
d. In File Path, specify the path to the directory that contains the .ova file.
e. Click Load.
The oVirt virtual appliance template from the .ova file appears in the Virtual Machines on
Source panel.
If the template does not appear in this panel, ensure that you have specified the correct path
to the file, the file is not damaged, and the host can be reached.
f. In Virtual Machines on Source, select the oVirt virtual appliance template, and then click the
right arrow.
The template appears in the Virtual machines to import panel.
g. Click Next.
9. In the new window, click the appliance name, and then configure the following settings:
• On the Network interfaces tab, configure the network interfaces.
• [Optional] On the General tab, change the default name of the virtual machine with the agent.
The deployment is now complete. Next, you have to configure the virtual appliance. For more
information on how to configure it, refer to "Configuring the virtual appliance" (p. 119).
Note
If you need more than one virtual appliance in your data center, repeat the steps above and deploy
additional virtual appliances. Do not clone an existing virtual appliance by using the Clone
VM option in Red Hat Virtualization/oVirt Administration Portal.
To exclude the virtual appliance from dynamic group backups, you must also exclude it from the list
of virtual machines in the Cyber Protection service console. To exclude it, in Red Hat
Virtualization/oVirt Administration Portal, select the virtual machine with the agent, and then assign
the tag acronis_virtual_appliance to it.
Configuring the virtual appliance
After deploying the virtual appliance, you need to configure it so that it can reach both the oVirt
engine and the Cyber Protection service.
To configure the virtual appliance
1. Log in to Red Hat Virtualization/oVirt Administration Portal.
2. Select the virtual machine with the agent that you need to configure, and then click the Console
icon.
3. In the eth0 field, configure the network interfaces of the appliance.
Ensure that automatically assigned DHCP addresses (if any) are valid within the networks that
your virtual machine uses or assign them manually. Depending on the number of networks that
the appliance uses, there may be one or more interfaces to configure.
4. In the oVirt field, click Change to specify the oVirt engine address and credentials for accessing
it:
a. In the Server name/IP field, enter the DNS name or IP address of the engine.
b. In the User name and Password fields, enter the administrator credentials for this engine.
Ensure that this administrator account has the roles required for operations with Red Hat
Virtualization/oVirt virtual machines. For more information about these roles, refer to "Agent
for oVirt – required roles and ports" (p. 121).
If Keycloak is the Single-Sign-On (SSO) provider for the oVirt engine (default in oVirt 4.5.1), use
the Keycloak format when specifying the user name. For example, specify the default
administrator account as admin@ovirt@internalsso instead of admin@internal.
c. [Optional] Click Check connection to ensure that the provided credentials are correct.
d. Click OK.
5. In the Management Server field, click Change to specify the Cyber Protection service address
and credentials for accessing it.
a. In the Server name/IP field, select Cloud, and then specify the Cyber Protection service
address.
b. In the User name and Password fields, enter the credentials for your account in the Cyber
Protection service.
c. Click OK.
6. [Optional] In the Name field, click Change to edit the default name for the virtual appliance,
which is localhost. This name is shown in the Cyber Protection service console.
7. [Optional] In the Time field, click Change, and then select the time zone of your location to
ensure that the scheduled operations run at the appropriate time.
8. [Optional] [If a proxy server is enabled in your network] Configure the proxy server.
a. To start the command shell, press CTRL+SHIFT+F2 while in the virtual appliance UI.
b. Open the file /etc/Acronis/Global.config in a text editor.
c. Do one of the following:
• If the proxy settings were specified during the agent installation, find the following section:
    <key name="HttpProxy">
        <value name="Enabled" type="Tdword">"1"</value>
        <value name="Host" type="TString">"ADDRESS"</value>
        <value name="Port" type="Tdword">"PORT"</value>
        <value name="Login" type="TString">"LOGIN"</value>
        <value name="Password" type="TString">"PASSWORD"</value>
    </key>
• Otherwise, copy the above lines and paste them into the file between the
<registry name="Global">...</registry> tags.
d. Replace ADDRESS with the new proxy server host name/IP address, and PORT with the decimal
value of the port number.
e. If your proxy server requires authentication, replace LOGIN and PASSWORD with the proxy server
credentials. Otherwise, delete these lines from the file.
f. Save the file.
g. Open the file /opt/acronis/etc/aakore.yaml in a text editor.
h. Locate the env section or create it and add the following lines:
env:
    http-proxy: proxy_login:proxy_password@proxy_address:port
    https-proxy: proxy_login:proxy_password@proxy_address:port
i. Replace proxy_login and proxy_password with the proxy server credentials, and
proxy_address:port with the address and port number of the proxy server.
j. Run the reboot command.
Note
In order to perform automatic or manual update of a virtual appliance located behind a proxy, you
must configure the proxy server on the appliance as follows.
In the /opt/acronis/etc/va-updater/config.yaml file, add the following line to the bottom of the file
and enter the values specific to your environment:
httpProxy: http://proxy_login:proxy_password@proxy_address:port
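The procedure above stores the same proxy address and credentials in three files, in plain text. The following added example (not Acronis code) validates the HttpProxy section of Global.config against the rules in steps c to e, renders the matching lines for aakore.yaml and va-updater/config.yaml, and reports drift between the files. The host, login and password are constructed sample values, and the function names and the four-space YAML indentation are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the HttpProxy section from the guide inside the
# <registry name="Global"> element, filled with made-up values.
SAMPLE_GLOBAL_CONFIG = '''<registry name="Global">
  <key name="HttpProxy">
    <value name="Enabled" type="Tdword">"1"</value>
    <value name="Host" type="TString">"proxy.example.internal"</value>
    <value name="Port" type="Tdword">"3128"</value>
    <value name="Login" type="TString">"svc-backup"</value>
    <value name="Password" type="TString">"s3cret"</value>
  </key>
</registry>'''

# Template values from the guide that must not survive in a finished file.
PLACEHOLDERS = {"ADDRESS", "PORT", "LOGIN", "PASSWORD"}


def read_http_proxy(xml_text):
    """Return the HttpProxy values as a dict with the surrounding quotes removed."""
    root = ET.fromstring(xml_text)
    key = root.find(".//key[@name='HttpProxy']")
    if key is None:
        return None
    return {v.get("name"): (v.text or "").strip().strip('"') for v in key.findall("value")}


def check_http_proxy(p):
    """Return a list of findings; an empty list means the section looks consistent."""
    if p is None:
        return ["no HttpProxy key inside the registry element"]
    findings = []
    if p.get("Enabled") != "1":
        findings.append("Enabled is not 1")
    for name in ("Host", "Port"):
        if not p.get(name):
            findings.append(f"{name} is missing")
    for name, value in p.items():
        if value in PLACEHOLDERS:
            findings.append(f"{name} still holds the placeholder {value}")
    port = p.get("Port", "")
    is_decimal = port.isascii() and port.isdigit() and 1 <= int(port) <= 65535
    if port and port not in PLACEHOLDERS and not is_decimal:
        findings.append("Port is not a decimal number in 1-65535")
    if ("Login" in p) != ("Password" in p):
        findings.append("Login and Password must both be set or both be deleted")
    for name in ("Login", "Password"):
        if re.search(r"[:@/\s]", p.get(name, "")):
            findings.append(f"{name} is ambiguous in login:password@address:port form")
    return findings


def authority(p, mask=False):
    """Build [login:password@]address:port; mask=True hides the password for logs."""
    cred = ""
    if "Login" in p:
        cred = f"{p['Login']}:{'****' if mask else p.get('Password', '')}@"
    return f"{cred}{p['Host']}:{p['Port']}"


def render_yaml_lines(p, mask=False):
    """Lines for aakore.yaml (env section) and va-updater/config.yaml."""
    a = authority(p, mask)
    aakore = ["env:", f"    http-proxy: {a}", f"    https-proxy: {a}"]
    va_updater = f"httpProxy: http://{a}"
    return aakore, va_updater


def find_drift(p, aakore_text, va_updater_text):
    """Return the expected lines that are absent from the two YAML files."""
    aakore, va = render_yaml_lines(p)
    have = {line.strip() for line in (aakore_text + "\n" + va_updater_text).splitlines()}
    return [line.strip() for line in aakore[1:] + [va] if line.strip() not in have]


if __name__ == "__main__":
    proxy = read_http_proxy(SAMPLE_GLOBAL_CONFIG)
    print("findings:", check_http_proxy(proxy))
    lines, updater = render_yaml_lines(proxy, mask=True)  # masked for display only
    print("\n".join(lines))
    print(updater)
```

Because all three files hold the proxy password in clear text, use the masked output when pasting results into tickets or logs.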
To protect virtual machines in the Red Hat Virtualization/oVirt data center
1. Log in to your Cyber Protection account.
2. Navigate to Devices > oVirt > <your cluster> or find your machines in Devices > All devices.
3. Select the desired machines and apply a protection plan for them.
Agent for oVirt – required roles and ports
Required roles
For its deployment and operation, Agent for oVirt requires an administrator account with the
following roles assigned.
oVirt/Red Hat Virtualization 4.2 and 4.3/Oracle Virtualization Manager 4.3
• DiskCreator
• UserVmManager
• TagManager
• UserVmRunTimeManager
• VmCreator
oVirt/Red Hat Virtualization 4.4
• SuperUser
Required ports
Agent for oVirt connects to the oVirt engine by using the URL that you specify when you configure
the virtual appliance. Usually, the engine URL has the following format: https://ovirt.company.com.
In this case, the HTTPS protocol and port 443 are used.
Non-default oVirt settings may require another port. You can find the exact port by analyzing the
URL format. For example:
oVirt engine URL                   Port    Protocol
https://ovirt.company.com/         443     HTTPS
http://ovirt.company.com/          80      HTTP
https://ovirt.company.com:1234/    1234    HTTPS
No additional ports are required for disk Read/Write operations, because the backup is performed
in the HotAdd mode.
Deploying agents through Group Policy
You can centrally install (or deploy) Agent for Windows onto machines that are members of an
Active Directory domain, by using Group Policy.
In this section, you will find out how to set up a Group Policy object to deploy agents onto machines
in an entire domain or in its organizational unit.
Every time a machine logs on to the domain, the resulting Group Policy object will ensure that the
agent is installed and registered.
Prerequisites
Before proceeding with agent deployment, ensure that:
• You have an Active Directory domain with a domain controller running Microsoft Windows Server
2003 or later.
• You are a member of the Domain Admins group in the domain.
• You have downloaded the All agents for Windows setup program. The download link is
available on the Add devices page in the service console.
Step 1: Generating a registration token
A registration token passes the identity of a user to the agent setup program without storing the
user credentials for the service console. This enables users to register any number of machines
under their account without having to log in. For security reasons, tokens have a limited lifetime that
you can adjust. The default period is 3 days.
To generate a registration token for your account
1. Sign in to the service console.
2. Click Devices > All devices > Add.
3. Scroll down to Registration token, and then click Generate.
4. Specify the token lifetime.
5. [Optional] To enable the user of the token to apply and revoke a protection plan on the added
machines, select the plan from the drop-down list.
Note that you will need to run a script that will apply or revoke a protection plan on the added
machines. Refer to this knowledge base article for more details.
6. Click Generate token.
7. Copy the token or write it down.
Be sure to save the token if you need it for further use.
You can click Manage active tokens to view and delete the tokens that are generated for your
account.
Note
For security reasons, the Active Tokens table does not display full token values.
To generate a registration token on behalf of a user in the tenants that you can manage
1. Sign in to the service console as a Partner or Customer administrator.
If you are already signed in to the management console, on the Cyber Protection tab, click
Manage service to navigate to the service console.
2. From the drop-down list in the upper left, select the tenant that contains the user on whose
behalf you want to create a token.
3. Under Devices, click All devices > Add.
The Add devices dialog opens on the right.
4. Scroll down to Registration token, and then click Generate.
5. Specify the token lifetime.
6. Select the user for whom you want to generate a token.
Note
Agents registered with the token will be registered under the user account that you select here.
7. [Optional] To enable the user of the token to apply and revoke a protection plan on the added
machines, select the plan from the drop-down list.
Note that you will need to run a script that will apply or revoke a protection plan on the added
machines. Refer to this knowledge base article for more details.
8. Click Generate token.
9. Copy the token or write it down.
Be sure to save the token if you need it for further use.
You can click Manage active tokens to view and delete the tokens that are generated for users that
you can manage.
Note
For security reasons, the Active Tokens table does not display full token values.
Step 2: Creating the .mst transform and extracting the installation package
1. Log on as an administrator on any machine in the domain.
2. Create a shared folder that will contain the installation packages. Ensure that domain users can
access the shared folder—for example, by leaving the default sharing settings for Everyone.
3. Start the setup program.
4. Click Create .mst and .msi files for unattended installation.
5. Click Specify next to Registration settings, and then enter the token you generated.
You can change the method of registering the machine in the Cyber Protection service from Use
registration token (default) to Use credentials or Skip registration. The Skip registration
option presumes that you will register the machine at a later time.
6. Review or modify the installation settings that will be added to the .mst file, and then click
Proceed.
7. In Save the files to, specify the path to the folder you created.
8. Click Generate.
As a result, the .mst transform is generated and the .msi and .cab installation packages are
extracted to the folder you created.
Step 3: Setting up the Group Policy objects
1. Log on to the domain controller as a domain administrator; if the domain has more than one
domain controller, log on to any of them as a domain administrator.
2. If you are planning to deploy the agent in an organizational unit, ensure that the organizational
unit exists in the domain. Otherwise, skip this step.
3. In the Start menu, point to Administrative Tools, and then click Active Directory Users and
Computers (in Windows Server 2003) or Group Policy Management (in Windows Server 2008
or later).
4. In Windows Server 2003:
• Right-click the name of the domain or organizational unit, and then click Properties. In the
dialog box, click the Group Policy tab, and then click New.
In Windows Server 2008 or later:
• Right-click the name of the domain or organizational unit, and then click Create a GPO in this
domain, and Link it here.
5. Name the new Group Policy object Agent for Windows.
6. Open the Agent for Windows Group Policy object for editing, as follows:
• In Windows Server 2003, click the Group Policy object, and then click Edit.
• In Windows Server 2008 or later, under Group Policy Objects, right-click the Group Policy
object, and then click Edit.
7. In the Group Policy object editor snap-in, expand Computer Configuration.
8. In Windows Server 2003 and Windows Server 2008:
• Expand Software Settings.
In Windows Server 2012 or later:
• Expand Policies > Software Settings.
9. Right-click Software installation, then point to New, and then click Package.
10. Select the agent's .msi installation package in the shared folder that you previously created, and
then click Open.
11. In the Deploy Software dialog box, click Advanced, and then click OK.
12. On the Modifications tab, click Add, and then select the .mst transform that you previously
created.
13. Click OK to close the Deploy Software dialog box.
Updating agents
You can update all agents manually either by using the service console or by downloading and
running the installation file.
You can configure automatic updates for the following agents:
• Agent for Windows
• Agent for Linux
• Agent for Mac
5 GB of free space in the following location is required to update an agent automatically, or
manually by using the service console:
• For Linux and macOS – the root directory
• For Windows – the volume where the agent is installed
Note
[For all agents provided in the form of a virtual appliance, including Agent for VMware, Agent for
Scale Computing, Agent for Virtuozzo Hybrid Infrastructure, Agent for RHV (oVirt)]
In order to perform automatic or manual update of a virtual appliance located behind a proxy, the
proxy server must be configured on each appliance as follows.
In the /opt/acronis/etc/va-updater/config.yaml file, add the following line to the bottom of the file
and enter the values specific to your environment:
httpProxy: http://proxy_login:proxy_password@proxy_address:port
Updating agents manually
You can update agents either by using the service console or by downloading and running the
installation file.
Virtual appliances with the following versions must be updated only by using the service console:
• Agent for VMware (Virtual Appliance): version 12.5.23094 and later.
• Agent for Virtuozzo Hybrid Infrastructure (Virtual Appliance): version 12.5.23094 and later.
Agents with the following versions can also be updated by using the service console:
• Agent for Windows, Agent for VMware (Windows), Agent for Hyper-V: version 12.5.23094 and
later.
• Agent for Linux: version 12.5.23094 and later.
• Other agents: version 12.5.23094 and later.
To find the agent version, in the service console, select the machine, and then click Details.
To update earlier versions of these agents, download and install the newest version manually.
To find the download links, click All devices > Add.
Prerequisites
On Windows machines, Cyber Protect features require Microsoft Visual C++ 2017 Redistributable.
Ensure that it is already installed on your machine or install it before updating the agent. After the
installation, a restart may be required. You can find the Microsoft Visual C++ Redistributable
package on the Microsoft website:
https://support.microsoft.com/help/2999226/update-for-universal-c-runtime-in-windows.
To update an agent by using the service console
1. Click Settings > Agents.
The software displays the list of machines. The machines with outdated agent versions are
marked with an orange exclamation mark.
2. Select the machines that you want to update the agents on. The machines must be online.
3. Click Update agent.
Note
During the update, any backups that are in progress will fail.
To update Agent for VMware (Virtual Appliance) whose version is below 12.5.23094
1. Click Settings > Agents > the agent that you want to update > Details, and then examine the
Assigned virtual machines section. You will need to re-enter these settings after the update.
a. Make note of the position of the Automatic assignment switch.
b. To find out what virtual machines are manually assigned to the agent, click the Assigned: link.
The software displays the list of assigned virtual machines. Make note of the machines that
have (M) after the agent name in the Agent column.
2. Remove Agent for VMware (Virtual Appliance), as described in "Uninstalling agents". In step 5,
delete the agent from Settings > Agents, even though you are planning to install the agent
again.
3. Deploy Agent for VMware (Virtual Appliance), as described in "Deploying the OVF template".
4. Configure Agent for VMware (Virtual Appliance), as described in "Configuring the virtual
appliance".
If you want to reconstruct the locally attached storage, in step 7 do the following:
a. Add the disk containing the local storage to the virtual appliance.
b. Click Refresh > Create storage > Mount.
c. The software displays the original Letter and Label of the disk. Do not change them.
d. Click OK.
5. Click Settings > Agents > the agent that you want to update > Details, and then reconstruct the
settings that you made note of in step 1. If some virtual machines were manually assigned to the
agent, assign them again as described in "Virtual machine binding".
Once the agent configuration is completed, the protection plans that were applied to the old
agent are re-applied automatically to the new agent.
6. The plans with application-aware backup enabled require the guest OS credentials to be
re-entered. Edit these plans and re-enter the credentials.
7. The plans that back up ESXi configuration require the "root" password to be re-entered. Edit
these plans and re-enter the password.
To update the Cyber Protection definitions on a machine
1. Click Settings > Agents.
2. Select the machine on which you want to update the Cyber Protection definitions and click
Update definitions. The machine must be online.
To assign the Updater role to an agent
1. Click Settings > Agents.
2. Select the machine to which you want to assign the Updater role, click Details, then in the Cyber
Protection definitions section, enable Use this agent to download and distribute patches
and updates.
To clear cached data on an agent
1. Click Settings > Agents.
2. Select the machine on which you want to clear the cached data (outdated update files and patch
management data) and click Clear cache.
Updating agents automatically
To facilitate management of multiple workloads, you can configure automatic updates for Agent for
Windows, Agent for Linux, and Agent for Mac. Automatic updates are available for agents version
15.0.26986 (released in May 2021) or later. Older agents must first be updated manually to the latest
version.
Automatic updates are supported on machines running any of the following operating systems:
• Windows XP SP 3 and later
• Red Hat Enterprise Linux 6 and later, CentOS 6 and later
• OS X 10.9 Mavericks and later
The settings for automatic updates are preconfigured on a data center level. A company
administrator can customize these settings – for all machines in a company or a unit, or for
individual machines. If no custom settings are applied, then the settings from the upper level are
used, in this order:
1. Cyber Protection data center
2. Company (customer tenant)
3. Unit
4. Machine
For example, a unit administrator can configure custom auto-update settings for all machines in the
unit, which might differ from the setting applied to the machines on the company level. The
administrator can also configure different settings for one or more individual machines in the unit,
to which neither the unit settings nor the company settings will be applied.
After enabling the automatic updates, you can configure the following options:
• Update channel
The update channel defines which version of the agents will be used – the most up-to-date one or
the latest version from the previous release.
• Maintenance window
The maintenance window defines when updates can be installed. If the maintenance window is
disabled, updates can run anytime.
Even within the enabled maintenance window, updates will not be installed while the agent is
running any of the following operations:
  ◦ Backup
  ◦ Recovery
  ◦ Backup replication
  ◦ Virtual machine replication
  ◦ Testing a replica
  ◦ Running a virtual machine from backup (including finalization)
  ◦ Disaster recovery failover
  ◦ Disaster recovery failback
  ◦ Running a script (for Cyber Scripting functionality)
  ◦ Patch installation
  ◦ ESXi configuration backup
To customize auto-update settings
1. In the service console, go to Settings > Agents.
2. Select the scope for the settings:
• To change the settings for all machines, click Edit default agent update settings.
• To change the settings for specific machines, select the desired machines, and then click
Agent update settings.
3. Configure the settings according to your needs, and then click Apply.
To remove the custom auto-update settings
1. In the service console, go to Settings > Agents.
2. Select the scope for the settings:
• To remove the custom settings for all machines, click Edit default agent update settings.
• To remove the custom settings for specific machines, select the desired machines, and then
click Agent update settings.
3. Click Reset to default settings, and then click Apply.
To check the auto-update status
1. In the service console, go to Settings > Agents.
2. Click the gear icon in the upper right corner of the table, and then ensure that the Auto-update
check box is selected.
3. Check the status that is shown in the Auto-update column.
Preventing unauthorized uninstallation or modification of agents
You can protect Agent for Windows against unauthorized uninstallation or modification, by enabling
the Password protection setting in a protection plan. This setting is available only when the
Self-protection setting is enabled.
To enable Password protection
1. In a protection plan, expand the Antivirus & Antimalware protection module (Active
Protection module for Cyber Backup editions).
2. Click Self-protection and ensure that the Self-protection switch is enabled.
3. Enable the Password protection switch.
4. In the window that opens, copy the password that you need to uninstall or modify the
components of a protected Agent for Windows.
This password is unique and you will not be able to recover it once you close this window. If you
lose or forget this password, you can edit the protection plan and create a new password.
5. Click Close.
6. In the Self-protection pane, click Done.
7. Save the protection plan.
Password protection will be enabled for the machines to which this protection plan is applied.
Password protection is only available for Agent for Windows version 15.0.25851 or newer. The
machines must be online.
You can apply a protection plan with Password protection enabled to a machine running macOS,
but no protection will be provided. You cannot apply such a plan to a machine running Linux.
Also, you cannot apply more than one protection plan with Password protection enabled to the
same Windows machine. To learn how to resolve a possible conflict, refer to Resolving plan conflicts.
To change the password in an existing protection plan
1. In the protection plan, expand the Antivirus & Antimalware protection module (Active
Protection module for Cyber Backup edition).
2. Click Self-protection.
3. Click Create new password.
4. In the window that opens, copy the password that you need to uninstall or modify the
components of a protected Agent for Windows.
This password is unique and you will not be able to recover it once you close this window. If you
lose or forget this password, you can edit the protection plan and create a new password.
5. Click Close.
6. In the Self-protection pane, click Done.
7. Save the protection plan.
Uninstalling agents
In Windows
If you want to remove individual product components (for example, one of the agents or Cyber
Protection Monitor), run the All agents for Windows setup program, choose to modify the product,
and clear the selection of the components that you want to remove. The link to the setup program is
present on the Downloads page (click the account icon in the top-right corner > Downloads).
If you want to remove all of the product components from a machine, follow the steps described
below.
1. Log on as an administrator.
2. Go to Control panel, and then select Programs and Features (Add or Remove Programs in
Windows XP) > Acronis Cyber Protection Agent > Uninstall.
3. [For password-protected agent] Specify the password that you need to uninstall the agent, and
then click Next.
4. [Optional] Select the Remove the logs and configuration settings check box.
If you are planning to install the agent again, keep this check box cleared. If you select the check
box, the machine may be duplicated in the service console and the backups of the old machine
may not be associated with the new machine.
5. Click Uninstall.
In Linux
1. As the root user, run /usr/lib/Acronis/BackupAndRecovery/uninstall/uninstall.
2. [Optional] Select the Clean up all product traces (Remove the product's logs, tasks, vaults,
and configuration settings) check box.
If you are planning to install the agent again, keep this check box cleared. If you select the check
box, the machine may be duplicated in the service console and the backups of the old machine
may not be associated with the new machine.
3. Confirm your decision.
In macOS
1. Double-click the installation file (.dmg).
2. Wait while the operating system mounts the installation disk image.
3. Inside the image, double-click Uninstall.
4. If prompted, provide administrator credentials.
5. Confirm your decision.
Removing Agent for VMware (Virtual Appliance)
1. Start vSphere Client and log on to the vCenter Server.
2. If the virtual appliance (VA) is powered on, right-click it, and then click Power > Power Off.
Confirm your decision.
3. If the virtual appliance uses locally attached storage on a virtual disk and you want to preserve
data on that disk, do the following:
a. Right-click the virtual appliance, and then click Edit Settings.
b. Select the disk with the storage, and then click Remove. Under Removal Options, click
Remove from virtual machine.
c. Click OK.
As a result, the disk remains in the datastore. You can attach the disk to another virtual
appliance.
4. Right-click the virtual appliance, and then click Delete from Disk. Confirm your decision.
5. [Optional] If you are planning to install the agent again, skip this step. Otherwise, in the service
console, click Backup storage > Locations, and then delete the location corresponding to the
locally attached storage.
Removing machines from the service console
After you uninstall an agent, it is unregistered from the Cyber Protection service, and the
machine where the agent was installed is automatically removed from the service console.
However, if during this operation the connection to the service is lost – due to a network problem,
for example – the agent might be uninstalled but its machine might still be shown in the service
console. In this case, you need to remove the machine from the service console manually.
To remove a machine from the service console manually
1. Log in to the Cyber Protection service as an administrator.
2. In the service console, go to Settings > Agents.
3. Select the machine where the agent was installed.
4. Click Delete.
Protection settings
To configure the general protection settings for Cyber Protection, in the service console, go to
Settings > Protection.
Automatic updates for components
By default, all agents can connect to the Internet and download updates.
An administrator can minimize the network bandwidth traffic by selecting one or several agents in
the environment and assigning the Updater role to them. Thus, the dedicated agents will connect to
the Internet and download updates. All other agents will connect to the dedicated updater agents
by using peer-to-peer technology, and then download the updates from them.
The agents without the Updater role will connect to the Internet if there is no dedicated updater
agent in the environment, or if the connection to a dedicated updater agent cannot be established
for about five minutes.
Before assigning the Updater role to an agent, ensure that the machine on which the agent runs is
powerful enough, and has a stable high-speed Internet connection and enough disk space.
To prepare a machine for the Updater role
1. On the agent machine where you plan to enable the Updater role, apply the following firewall rules:
• Inbound (incoming) "updater_incoming_tcp_ports": allow connection to TCP ports 18018 and
6888 for all firewall profiles (public, private, and domain).
• Inbound (incoming) "updater_incoming_udp_ports": allow connection to UDP port 6888 for all
firewall profiles (public, private, and domain).
2. Restart the Acronis Agent Core Service.
3. Restart the Firewall Service.
If you do not apply these rules and the firewall is enabled, peer agents will download the updates
from the Cloud.
To assign the Updater role to a protection agent
1. In the service console, go to Settings > Agents.
2. Select the machine with the agent to which you want to assign the Updater role.
3. Click Details, and then enable the Use this agent to download and distribute patches and
updates switch.
The peer-to-peer update works as follows.
1. The agent with the Updater role checks, on a schedule, the index file provided by the service
provider to update the core components.
2. The agent with the Updater role starts to download and distribute updates to all agents.
You can assign the Updater role to multiple agents in the environment. Thus, if an agent with the
Updater role is offline, other agents with this role can serve as the source for definition updates.
Updating the Cyber Protection definitions by schedule
On the Schedule tab, you can set up the schedule for automatic update of the Cyber Protection
definitions for each of the following components:
- Antimalware
- Vulnerability assessment
- Patch management
To change the definition updates setting, navigate to Settings > Protection > Protection
definitions update > Schedule.
Schedule type:
- Daily – define on which days of the week to update definitions.
  Start at – select at what time to update definitions.
- Hourly – define a more granular hourly schedule for updates.
  Run every – define the periodicity of updates.
  From ... To – define a specific time range for the updates.
Updating the Cyber Protection definitions on-demand
To update the Cyber Protection definitions for a particular machine on-demand
1. In the service console, go to Settings > Agents.
2. Select the machines on which you want to update the protection definitions, and then click
Update definitions.
Cache storage
The location of cached data is the following:
- On Windows machines: C:\ProgramData\Acronis\Agent\var\atp-downloader\Cache
- On Linux machines: /opt/acronis/var/atp-downloader/Cache
- On macOS machines: /Library/Application Support/Acronis/Agent/var/atp-downloader/Cache
To change the cache storage setting, navigate to Settings > Protection > Protection definitions
update > Cache Storage.
In Outdated update files and patch management data, specify after what period to remove
cached data.
Maximum cache storage size (GB) for agents:
- Updater role – define storage size for cache on the machines with the Updater role.
- Other roles – define storage size for cache on other machines.
Remote connection
To enable the remote connection to machines via RDP or HTML client
1. In the service console, go to Settings > Protection.
2. Click Remote desktop connection, and then enable the Remote desktop connection switch.
If this switch is disabled, the Connect via RDP client / Connect via HTML5 client options will
be hidden in the service console, and users will not be able to connect to machines remotely.
This option affects all users of your organization.
To enable sharing the remote connection
1. In the service console, go to Settings > Protection.
2. Select the Share remote desktop connection check box.
As a result, the option Share remote connection appears under Cyber Protection Desktop in the
right-hand menu. The right-hand menu opens when you select a machine in the Devices tab.
By clicking Share remote connection, you generate a link that you can share with other users. This
link allows accessing the selected machine remotely.
Next-Generation Antivirus
Next-Generation Antivirus (NGAV) uses a more modern, resource-efficient approach to protect
workloads from malware.
If the Allows upgrade to NGAV switch is enabled, you agree to have your workload upgraded to
Next-Generation Antivirus (NGAV).
Changing the service quota of machines
A service quota is automatically assigned when a protection plan is applied to a machine for the first
time.
The most appropriate quota is assigned, depending on the type of the protected machine, its
operating system, required level of protection, and the quota availability. If the most appropriate
quota is not available in your organization, the second-best quota is assigned. For example, if the
most appropriate quota is Web Hosting Server but it is not available, the Server quota is assigned.
Examples of quota assignment:
- A physical machine that runs a Windows Server or a Linux operating system is assigned the
  Server quota.
- A physical machine that runs a desktop Windows operating system is assigned the Workstation
  quota.
- A physical machine that runs Windows 10 with enabled Hyper-V role is assigned the Workstation
  quota.
- A desktop machine that runs on a virtual desktop infrastructure and whose protection agent is
  installed inside the guest operating system (for example, Agent for Windows), is assigned the
  Virtual machine quota. This type of machine can also use the Workstation quota if the Virtual
  machine quota is not available.
- A desktop machine that runs on a virtual desktop infrastructure and which is backed up in the
  agentless mode (for example, by Agent for VMware or Agent for Hyper-V), is assigned the Virtual
  machine quota.
- A Hyper-V or vSphere server is assigned the Server quota.
- A server with cPanel or Plesk is assigned the Web Hosting Server quota. It can also use the
  Virtual machine or the Server quota, depending on the type of machine on which the web
  server runs, if the Web Hosting Server quota is not available.
- The application-aware backup requires the Server quota, even for a workstation.
You can manually change the original assignment later. For example, to apply a more advanced
protection plan to the same machine, you might need to upgrade the machine's service quota. If the
features required by this protection plan are not supported by the currently assigned service quota,
the protection plan will fail.
Alternatively, you can change the service quota if you purchase a more appropriate quota after the
original one is assigned. For example, the Workstation quota is assigned to a virtual machine. After
you purchase a Virtual machines quota, you can manually assign this quota to the machine,
instead of the original Workstation quota.
You can also release the currently assigned service quota, and then assign this quota to another
machine.
You can change the service quota of an individual machine or for a group of machines.
To change the service quota of an individual machine
1. In the Cyber Protection service console, go to Devices.
2. Select the desired machine, and then click Details.
3. In the Service quota section, click Change.
4. In the Change license window, select the desired service quota or No quota, and then click
Change.
To change the service quota for a group of machines
1. In the Cyber Protection service console, go to Devices.
2. Select more than one machine, and then click Assign quota.
3. In the Change license window, select the desired service quota or No quota, and then click
Change.
Cyber Protection services installed in your environment
Cyber Protection installs some or all of the following services, depending on the Cyber Protection
options that you use.
Services installed in Windows
| Service name | Purpose |
|---|---|
| Acronis Managed Machine Service | Provides backup, recovery, replication, retention, validation functionality |
| Acronis Scheduler2 Service | Executes scheduled tasks on certain events |
| Acronis Active Protection Service | Provides protection against ransomware |
| Acronis Cyber Protection Service | Provides antimalware protection |

Services installed in macOS
| Service name and location | Purpose |
|---|---|
| /Library/LaunchDaemons/com.acronis.aakore.plist | Serves for communication between the agent and management components |
| /Library/LaunchDaemons/com.acronis.cyber-protect-service.plist | Provides detection of malware |
| /Library/LaunchDaemons/com.acronis.mms.plist | Provides backup and recovery functionality |
| /Library/LaunchDaemons/com.acronis.schedule.plist | Executes scheduled tasks |
Managing workloads
This section describes how to manage your workloads in the service console.
Device groups
Note
The availability of this feature depends on the service quotas that are enabled for your account.
Device groups are designed for convenient management of a large number of registered devices.
You can apply a protection plan to a group. Once a new device appears in the group, the device
becomes protected by the plan. If a device is removed from the group, the device will no longer be
protected by the plan. A plan that is applied to a group cannot be revoked from a member of the
group, only from the group itself.
Only devices of the same type can be added to a group. For example, under Hyper-V you can create
a group of Hyper-V virtual machines. Under Machines with agents, you can create a group of
machines with installed agents. Under All devices, you cannot create a group.
A single device can be a member of more than one group.
Built-in groups
Once a device is registered, it appears in one of the built-in root groups on the Devices tab.
Root groups cannot be edited or deleted. You cannot apply plans to root groups.
Some of the root groups contain built-in sub-root groups. These groups cannot be edited or deleted.
However, you can apply plans to sub-root built-in groups.
Custom groups
Protecting all devices in a built-in group with a single protection plan may not be satisfactory
because of the different roles of the machines. The backed-up data is specific for each department;
some data has to be backed up frequently, other data is backed up twice a year. Therefore, you may
want to create various protection plans applicable to different sets of machines. In this case,
consider creating custom groups.
A custom group can contain one or more nested groups. Any custom group can be edited or
deleted. There are the following types of custom groups:
- Static groups
  Static groups contain the machines that were manually added to them. The static group content
  never changes unless you explicitly add or delete a machine.
  Example: You create a custom group for the accounting department and manually add the
  accountants' machines to this group. Once you apply a protection plan to the group, the
  accountants' machines become protected. If a new accountant is hired, you will have to add the
  new machine to the group manually.
- Dynamic groups
  Dynamic groups contain the machines added automatically according to the search criteria
  specified when creating a group. The dynamic group content changes automatically. A machine
  remains in the group while it meets the specified criteria.
  Example 1: The host names of the machines that belong to the accounting department contain
  the word "accounting". You specify the partial machine name as the group membership criterion
  and apply a protection plan to the group. If a new accountant is hired, the new machine will be
  added to the group as soon as it is registered, and thus will be protected automatically.
  Example 2: The accounting department forms a separate Active Directory organizational unit
  (OU). You specify the accounting OU as the group membership criterion and apply a protection
  plan to the group. If a new accountant is hired, the new machine will be added to the group as
  soon as it is registered and added to the OU (regardless of which comes first), and thus will be
  protected automatically.
Creating a static group
1. Click Devices, and then select the built-in group which contains the devices for which you want
to create a static group.
2. Click the gear icon next to the group in which you want to create a group.
3. Click New group.
4. Specify the group name, and then click OK.
The new group appears in the groups tree.
Adding devices to static groups
1. Click Devices, and then select one or more devices that you want to add to a group.
2. Click Add to group.
The software displays a tree of groups to which the selected device can be added.
3. If you want to create a new group, do the following. Otherwise, skip this step.
a. Select the group in which you want to create a group.
b. Click New group.
c. Specify the group name, and then click OK.
4. Select the group to which you want to add the device, and then click Done.
Another way to add devices to a static group is to select the group and click Add devices.
Creating a dynamic group
1. Click Devices, and then select the group which contains the workloads for which you want to
create a dynamic group.
Note
You cannot create dynamic groups for the All devices group.
2. Search for workloads by using the search field. You can use multiple attributes and operators
described below.
3. Click Save as next to the search field.
Note
Some attributes are not supported for group creation. See the table in the section Search query
below.
4. Specify the group name, and then click OK.
Search query
The following table summarizes the available attributes that you can use in your search queries.
Attribute: name
Meaning:
- Host name for physical machines
- Name for virtual machines
- Database name
- Email address for mailboxes
Search query examples: name = 'en-00'
Supported for group creation: Yes

Attribute: comment
Meaning: Comment for a device. It can be specified automatically or manually.
Default value:
- For physical machines running Windows, the computer description in Windows is automatically
  copied as a comment. This value is synchronized every 15 minutes.
- Empty for other devices.
Note
When there is manually added text in the comment field, the automatic synchronization with the
Windows description is disabled. To enable it again, clear the comment that you have added.
To refresh the automatically synchronized comments for your devices, restart the Managed Machine
Service in Windows Services or run the following commands at the command prompt:
net stop mms
net start mms
To view a device comment, under Devices, select the device, click Details, and then locate the
Comment section.
To add or change a comment manually, click Add or Edit.
For devices on which a protection agent is installed, there are two separate comment fields:
- Agent comment
  - For physical machines running Windows, the computer description in Windows is automatically
    copied as a comment. This value is synchronized every 15 minutes.
  - Empty for other devices.
- Device comment
  - If the agent comment is specified automatically, it is copied as a device comment. Manually
    added agent comments are not copied as device comments.
  - Device comments are not copied as agent comments.
A device can have one or both of these comments specified, or have both of them blank. If both
comments are specified, the device comment has priority.
To view an agent comment, under Settings > Agents, select the device with the agent, click
Details, and then locate the Comment section.
To view a device comment, under Devices, select the device, click Details, and then locate the
Comment section.
To add or change a comment manually, click Add or Edit.
Note
When there is manually added text in the comment field, the automatic synchronization with the
Windows description is disabled. To enable it again, clear the comment that you have added.
Search query examples:
- comment = 'important machine'
- comment = '' (all machines without a comment)
Supported for group creation: Yes

Attribute: ip
Meaning: IP address (only for physical machines).
Search query examples: ip RANGE ('10.250.176.1','10.250.176.50')
Supported for group creation: Yes

Attribute: memorySize
Meaning: RAM size in megabytes (MiB).
Search query examples: memorySize < 1024
Supported for group creation: Yes

Attribute: diskSize
Meaning: Hard drive size in gigabytes or megabytes (only for physical machines).
Search query examples:
- diskSize < 300GB
- diskSize >= 3000000MB
Supported for group creation: No

Attribute: insideVm
Meaning: Virtual machine with an agent inside.
Possible values:
- true
- false
Search query examples: insideVm = true
Supported for group creation: Yes

Attribute: osName
Meaning: Operating system name.
Search query examples: osName LIKE '%Windows XP%'
Supported for group creation: Yes

Attribute: osType
Meaning: Operating system type.
Possible values:
- 'windows'
- 'linux'
- 'macosx'
Search query examples: osType IN ('linux', 'macosx')
Supported for group creation: Yes

Attribute: osProductType
Meaning: The operating system product type.
Possible values:
- 'dc'
  Stands for Domain Controller.
  Note: When the domain controller role is assigned on a Windows server, the osProductType
  changes from "server" to "dc". Such machines will not be included in search results for the
  filter "osProductType='server'".
- 'server'
- 'workstation'
Search query examples: osProductType = 'server'
Supported for group creation: Yes

Attribute: virtualType
Meaning: Virtual machine type.
Possible values:
- 'vmwesx': VMware virtual machines.
- 'mshyperv': Hyper-V virtual machines.
- 'pcs': Virtuozzo virtual machines.
- 'hci': Virtuozzo Hybrid Infrastructure virtual machines.
- 'scale': Scale Computing HC3 virtual machines.
- 'ovirt': oVirt virtual machines.
Search query examples: virtualType = 'vmwesx'
Supported for group creation: Yes

Attribute: tenant
Meaning: The name of the unit to which the device belongs.
Search query examples: tenant = 'Unit 1'
Supported for group creation: Yes

Attribute: tenantId
Meaning: The identifier of the unit to which the device belongs.
To get the unit ID, under Devices, select the device, click Details > All properties. The ID is
shown in the ownerId field.
Search query examples: tenantId = '3bfe6ca9-9c6a-4953-9cb2-a1323f454fc9'
Supported for group creation: Yes

Attribute: state
Meaning: Device state.
Possible values:
- 'idle'
- 'interactionRequired'
- 'canceling'
- 'backup'
- 'recover'
- 'install'
- 'reboot'
- 'failback'
- 'testReplica'
- 'run_from_image'
- 'finalize'
- 'failover'
- 'replicate'
- 'createAsz'
- 'deleteAsz'
- 'resizeAsz'
Search query examples: state = 'backup'
Supported for group creation: No

Attribute: protectedByPlan
Meaning: Devices that are protected by a protection plan with a given ID.
To see the plan ID, in Management > Protection plans, select a plan, click the bar in the Status
column, and then click the status name. A new search with the plan ID will be created.
Search query examples: protectedByPlan = '4B2A7A93-A44F-4155-BDE3-A023C57C9431'
Supported for group creation: No

Attribute: okByPlan
Meaning: Devices that are protected by a protection plan with a given ID and have an OK status.
Search query examples: okByPlan = '4B2A7A93-A44F-4155-BDE3-A023C57C9431'
Supported for group creation: No

Attribute: errorByPlan
Meaning: Devices that are protected by a protection plan with a given ID and have an Error status.
Search query examples: errorByPlan = '4B2A7A93-A44F-4155-BDE3-A023C57C9431'
Supported for group creation: No

Attribute: warningByPlan
Meaning: Devices that are protected by a protection plan with a given ID and have a Warning status.
Search query examples: warningByPlan = '4B2A7A93-A44F-4155-BDE3-A023C57C9431'
Supported for group creation: No

Attribute: runningByPlan
Meaning: Devices that are protected by a protection plan with a given ID and have a Running status.
Search query examples: runningByPlan = '4B2A7A93-A44F-4155-BDE3-A023C57C9431'
Supported for group creation: No

Attribute: interactionByPlan
Meaning: Devices that are protected by a protection plan with a given ID and have an Interaction
Required status.
Search query examples: interactionByPlan = '4B2A7A93-A44F-4155-BDE3-A023C57C9431'
Supported for group creation: No

Attribute: ou
Meaning: Machines that belong to the specified Active Directory organizational unit.
Search query examples: ou IN ('RnD', 'Computers')
Supported for group creation: Yes

Attribute: id
Meaning: Device ID.
To get the device ID, under Devices, select the device, click Details > All properties. The ID is
shown in the id field.
Search query examples: id != '4B2A7A93-A44F-4155-BDE3-A023C57C9431'
Supported for group creation: Yes

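Attribute: lastBackupTime*
Meaning: The date and time of the last successful backup.
The format is 'YYYY-MM-DD HH:MM'.
Search query examples:
- lastBackupTime > '2022-03-11'
- lastBackupTime <= '2022-03-11 00:15'
- lastBackupTime is null
Supported for group creation: No

Attribute: lastBackupTryTime*
Meaning: The time of the last backup attempt.
The format is 'YYYY-MM-DD HH:MM'.
Search query examples: lastBackupTryTime >= '2022-03-11'
Supported for group creation: No

Attribute: nextBackupTime*
Meaning: The time of the next backup.
The format is 'YYYY-MM-DD HH:MM'.
Search query examples: nextBackupTime >= '2022-08-11'
Supported for group creation: No
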
Attribute: agentVersion
Meaning: Version of the installed protection agent.
Search query examples: agentVersion LIKE '12.0.*'
Supported for group creation: Yes

Attribute: hostId
Meaning: Internal ID of the protection agent.
To get the protection agent ID, under Devices, select the machine, click Details > All
properties. Use the "id" value of the agent property.
Search query examples: hostId = '4B2A7A93-A44F-4155-BDE3-A023C57C9431'
Supported for group creation: Yes

Attribute: resourceType
Meaning: Resource type.
Possible values:
- 'machine'
- 'virtual_machine.vmwesx'
- 'virtual_machine.mshyperv'
- 'virtual_machine.scale'
- 'virtual_machine.hci'
- 'virtual_machine.ovirt'
- 'virtual_machine.pcs'
Search query examples:
- resourceType = 'machine'
- resourceType in ('mssql_aag_database', 'mssql_database')
Supported for group creation: Yes

Note
If you skip the hour and minutes value, the start time is considered to be YYYY-MM-DD 00:00, and
the end time is considered to be YYYY-MM-DD 23:59:59. For example, lastBackupTime = 2020-02-20
means that the search results will include all backups from the interval
lastBackupTime >= 2020-02-20 00:00 and lastBackupTime <= 2020-02-20 23:59:59.
Operators
The following table summarizes the available operators.
| Operator | Meaning | Examples |
|---|---|---|
| AND | Logical conjunction operator. | name like 'en-00' AND tenant = 'Unit 1' |
| OR | Logical disjunction operator. | state = 'backup' OR state = 'interactionRequired' |
| IN (<value1>,... <valueN>) | This operator is used to test if an expression matches any value in a list of values. | osType IN ('windows', 'linux') |
| NOT | Logical negation operator. | NOT(osProductType = 'workstation') |
| NOT IN | This operator is the opposite of the IN operator. | NOT osType IN ('windows', 'linux') |
| LIKE 'wildcard pattern' | This operator is used to test if an expression matches the wildcard pattern. The following wildcard operators can be used: * or % (the asterisk and the percent sign represent zero, one, or multiple characters) and _ (the underscore represents a single character). | name LIKE 'en-00' |
| | | name LIKE '*en-00' |
| | | name LIKE '*en-00*' |
| | | name LIKE 'en-00_' |
| RANGE(<starting_value>, <ending_value>) | This operator is used to test if an expression is within a range of values (inclusive). | ip RANGE ('10.250.176.1','10.250.176.50') |
| = or == | Equal to operator. | osProductType = 'server' |
| != or <> | Not equal to operator. | id != '4B2A7A93-A44F-4155-BDE3-A023C57C9431' |
| < | Less than operator. | memorySize < 1024 |
| > | Greater than operator. | diskSize > 300GB |
| <= | Less than or equal to operator. | lastBackupTime <= '2022-03-11 00:15' |
| >= | Greater than or equal to operator. | nextBackupTime >= '2022-08-11' |
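The wildcard, RANGE and date-only rules from the two tables above can be checked offline before a search is saved as a dynamic group. This is an added example, not Acronis code: it approximates the documented semantics over a constructed inventory, all function names are hypothetical, and case-sensitive matching and numeric IP comparison are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical devices, not real data).
INVENTORY = [
    {"name": "en-00", "ip": "10.250.176.50", "osProductType": "dc",
     "lastBackupTime": "2020-02-20 23:10"},
    {"name": "en-001", "ip": "10.250.176.9", "osProductType": "server",
     "lastBackupTime": "2020-02-21 00:05"},
    {"name": "fr-en-00x", "ip": "10.250.176.100", "osProductType": "workstation",
     "lastBackupTime": None},
]


def like(value, pattern):
    """LIKE: '*' or '%' match zero or more characters, '_' matches exactly one.

    Everything else is literal, so the dots in '12.0.*' match only dots.
    Case-sensitive matching is an assumption; the guide does not specify it.
    """
    regex = "".join(
        ".*" if ch in "*%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None


def ip_in_range(ip, start, end):
    """RANGE: inclusive at both ends. Numeric comparison is an assumption;
    a plain string comparison would misplace '.9' and '.100'."""
    start_ip, end_ip = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return start_ip <= ipaddress.ip_address(ip) <= end_ip


def date_bounds(text):
    """Expand a date per the Note: 'YYYY-MM-DD' spans 00:00 to 23:59:59."""
    if len(text) == len("YYYY-MM-DD"):
        day = datetime.strptime(text, "%Y-%m-%d")
        return day, day + timedelta(hours=23, minutes=59, seconds=59)
    moment = datetime.strptime(text, "%Y-%m-%d %H:%M")
    return moment, moment


def backed_up_on(device, day):
    """lastBackupTime = 'YYYY-MM-DD': true for any time within that day."""
    if device["lastBackupTime"] is None:  # the 'lastBackupTime is null' case
        return False
    start, end = date_bounds(day)
    when = datetime.strptime(device["lastBackupTime"], "%Y-%m-%d %H:%M")
    return start <= when <= end


def members(predicate, inventory=INVENTORY):
    """Names of the devices that satisfy a membership criterion."""
    return [d["name"] for d in inventory if predicate(d)]


def coverage_gap(inventory=INVENTORY):
    """Server-class machines missed by a group built on osProductType = 'server'.

    A promoted domain controller reports 'dc', so it leaves such a group and
    loses the group's plan; osProductType IN ('server', 'dc') keeps it.
    """
    narrow = set(members(lambda d: d["osProductType"] == "server", inventory))
    wide = set(members(lambda d: d["osProductType"] in ("server", "dc"), inventory))
    return sorted(wide - narrow)


if __name__ == "__main__":
    print("name LIKE 'en-00_'  ->", members(lambda d: like(d["name"], "en-00_")))
    print("name LIKE '*en-00*' ->", members(lambda d: like(d["name"], "*en-00*")))
    print("ip RANGE (.1, .50)  ->",
          members(lambda d: ip_in_range(d["ip"], "10.250.176.1", "10.250.176.50")))
    print("lastBackupTime = 2020-02-20 ->",
          members(lambda d: backed_up_on(d, "2020-02-20")))
    print("missed by osProductType = 'server' ->", coverage_gap())
```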
Applying a protection plan to a group
1. Click Devices, and then select the built-in group that contains the group to which you want to
apply a protection plan.
The software displays the list of child groups.
2. Select the group to which you want to apply a protection plan.
3. Click Group backup.
The software displays the list of protection plans that can be applied to the group.
4. Do one of the following:
- Expand an existing protection plan, and then click Apply.
- Click Create new, and then create a new protection plan as described in "Protection plan".
Protection plan and modules
The protection plan is a plan that combines several data protection modules, including:
- Backup – allows you to back up your data sources to local or cloud storage.
- "Disaster recovery" (p. 411) - allows you to launch exact copies of your machines in the cloud
  site and switch the workload from the corrupted original machines to the recovery servers in the
  cloud.
- Antivirus and Antimalware protection – allows you to check your machines with the built-in
  antimalware solution.
- URL filtering – allows you to protect your machines from threats coming from the Internet by
  blocking access to malicious URLs and content to be downloaded.
- Windows Defender Antivirus – allows you to manage the settings of Windows Defender Antivirus
  to protect your environment.
- Microsoft Security Essentials – allows you to manage the settings of Microsoft Security Essentials
  to protect your environment.
- Vulnerability assessment – automatically checks the Microsoft, Linux, macOS, Microsoft
  third-party products, and macOS third-party products installed on your machines for
  vulnerabilities and notifies you about them.
- Patch management – enables you to install patches and updates for the Microsoft, Linux, macOS,
  Microsoft third-party products, and macOS third-party products on your machines to close the
  discovered vulnerabilities.
- Data protection map – allows you to discover the data in order to monitor the protection status
  of important files.
- Device control - allows you to specify devices that users are allowed or restricted to use on your
  machines.
- Advanced Data Loss Prevention - prevents leakage of sensitive data via peripheral devices (such
  as printers or removable storage) or through internal and external network transfers, based on a
  data flow policy.
Use the protection plan to protect your data sources completely from external and internal threats.
By enabling and disabling different modules and setting up the module settings, you can build
flexible plans satisfying various business needs.
Creating a protection plan
A protection plan can be applied to multiple workloads at the time of its creation, or later. When you
create a plan, the system checks the operating system and the device type (for example,
workstation, virtual machine, etc.) and shows only those plan modules that are applicable to your
devices.
A protection plan can be created in the following ways.
- In the Devices section – when you select the device or devices to be protected and then create a
  plan for them.
- In the Management > Protection plans section – when you create a plan and then select the
  machines to which to apply it.
To create a protection plan in the Devices section
1. In the service console, go to Devices > All devices.
2. Select the machines that you want to protect, and then click Protect.
3. [If there are already applied plans] Click Add plan.
4. Click Create plan > Protection.
A protection plan template opens.
5. [Optional] To modify the protection plan name, click the pencil icon.
6. [Optional] To enable or disable the plan module, click the switch next to the module name.
7. [Optional] To configure the module parameters, click the corresponding section of the protection
plan.
8. When ready, click Create.
To run a module on demand (such as Backup, Antivirus and Antimalware protection,
Vulnerability assessment, Patch management, or Data protection map), click Run now.
Watch the how-to video Creating the First Protection Plan.
For more information on the Disaster recovery module, see "Create a disaster recovery protection
plan" (p. 415).
For more information on the Device control module, see "Device control" (p. 586).
Default protection plans
Three preconfigured plans, available by default, ensure quick protection for specific workloads:
- Office workers (Acronis Antivirus)
  This plan is optimized for users working in the office and having a preference to use the Acronis
  antivirus software.
- Office workers (third-party Antivirus)
  This plan is optimized for users working in the office and having a preference to use a third-party
  antivirus software. The main difference is that this plan has the Antivirus and Antimalware
  protection module and Active Protection disabled.
- Remote workers
  This plan is optimized specifically for users working remotely. It has more frequent tasks (such as
  backup, antimalware protection, vulnerability assessment), stricter protection actions, and
  optimized performance and power options.
- Data loss prevention
  This plan contains a module that analyzes the content and context of data transfers on protected
  workstations. The module prevents leakage of sensitive data via peripheral devices (such as
  printers or removable storage) or through internal and external network transfers, based on a
  data flow policy. The data flow policy rules can be defined manually by a company administrator
  or automatically by the self-learning feature of Advanced Data loss prevention plan.
To apply a default protection plan
1. In the service console, go to Devices > All devices.
2. Select the machines that you want to protect.
3. Click Protect.
4. Select one of the default plans, and then click Apply.
Note
You can also configure your own protection plan by clicking Create plan.
To modify an applied default protection plan
1. In the service console, go to Management > Protection plans.
2. Select the plan that you want to modify, and then click Edit.
3. Modify the modules that are included in this plan, or their options, and then click Save.
Important
Some settings cannot be changed for an existing protection plan.
Default plan options
The preconfigured plans use the default options for each module*, with the following modifications:
| Modules and options/Plan | Office workers (Acronis Antivirus) | Office workers (third-party Antivirus) | Remote workers |
|---|---|---|---|
| "Backup" (p. 163) | | | |
| What to back up | Entire machine | Entire machine | Entire machine |
| Continuous data protection (CDP) | Disabled | Disabled | Enabled |
| Where to back up | Cloud storage | Cloud storage | Cloud storage |
| Backup scheme | Always incremental (single-file) | Always incremental (single-file) | Always incremental (single-file) |
| Schedule | Default daily schedule | Default daily schedule | Daily: Monday to Friday at 12:00 PM. Additionally enabled options and start conditions: If the machine is turned off, run missed tasks at the machine startup; Wake up from the sleep or hibernate mode to start a scheduled backup; Save battery power: Do not start when on battery; Do not start when on metered connection |
| How long to keep | Monthly: 12 months; Weekly: 4 weeks; Daily: 7 days | Monthly: 12 months; Weekly: 4 weeks; Daily: 7 days | Monthly: 12 months; Weekly: 4 weeks; Daily: 7 days |
| Backup options | Default options | Default options | Default options, plus: Performance and backup window (the green set): CPU priority: Low; Output speed: 50% |
| "Antivirus and antimalware protection" (p. 481) | | | |
| Schedule scan | Scan type: Quick | n/a | Scan type: Full. Additionally enabled options and start conditions: If the machine is turned off, run missed tasks at the machine startup; Wake up from the sleep or hibernate mode to start a scheduled backup; Save battery power: Do not start when on battery |
| "URL filtering" (p. 501) | | | |
| Malicious websites access | Always ask user | Always ask user | Block |
| "Vulnerability assessment" (p. 542) | | | |
| | Default | Default | Default |
| "Patch management" (p. 549) | | | |
| Schedule | Default | Default | Daily: Monday to Friday at 02:20PM |
| Pre-update backup | Off | Off | On |
| "Data protection map" (p. 579) | | | |
| Extensions | Default options | Default options | Default options, plus: Images: .bmp; .png; .ico; .wbmp; .gif; .bmp; .xcf; .psd; .tiff; .jpeg, .jpg; .dwg. Audio: .wav; .aif, .aifc, .aiff; .au, .snd; .mid, .midi; .mid; .mpga, .mp3; .oga; .flac; .oga; .oga; .opus; .oga; .spx; .oga; .ogg; .ogx; .ogx; .mp4 |
| "Device control" (p. 586) | | | |
| Device control | Disabled | Disabled | Disabled |
| "Advanced Data Loss Prevention" (p. 519) | | | |
| Operation mode | Observation (Allow all) | Observation (Allow all) | Observation (Allow all) |
| Advanced settings | Security level: basic; Channels in allowlist: none; Remote hosts in allowlist: none; Applications in allowlist: none | Security level: basic; Channels in allowlist: none; Remote hosts in allowlist: none; Applications in allowlist: none | Security level: basic; Channels in allowlist: none; Remote hosts in allowlist: none; Applications in allowlist: none |
* The number of modules in the default protection plan may vary between editions of the Cyber
Protection service.
Resolving plan conflicts
A protection plan can be in the following statuses:
- Active - a plan that is assigned to devices and executed on them.
- Inactive - a plan that is assigned to devices but disabled and not executed on them.
Applying several plans to a device
You can apply several protection plans to a single device. As a result, you will get a combination of
different protection plans assigned on a single device. For example, you may apply a plan that has
only the Antivirus and Antimalware protection module enabled in the plan and another plan that
contains only the backup module. The protection plans can be combined only if they do not have
intersecting modules. If there are similar enabled modules in the applied protection plans, you must
resolve conflicts between such modules.
Resolving plan conflicts
Plan conflicts with already applied plans
When you create a new plan on a device or devices with already applied plans that conflict with the
new plan, you can resolve the conflict in one of the following ways:
l Create a new plan, apply it, and disable all already applied conflicting plans.
l Create a new plan and disable it.
When you edit a plan on a device or devices with already applied plans that conflict with the
changes made, you can resolve the conflict in one of the following ways:
l Save changes to the plan and disable all already applied conflicting plans.
l Save changes to the plan and disable it.
A device plan conflicts with a group plan
If a device is included in a group of devices with an assigned group plan, and you try to assign a new
plan to a device, then the system will ask you to resolve the conflict by doing one of the following:
l Remove a device from the group and apply a new plan to the device.
l Apply a new plan to the whole group or edit the current group plan.
License issue
The assigned quota on a device must be appropriate for the protection plan to be performed,
updated, or applied. To resolve the license issue, do one of the following:
l Disable the modules that are unsupported by the assigned quota and continue using the
protection plan.
l Change the assigned quota manually: go to Devices > <particular_device> > Details > Service
quota, then revoke the existing quota and assign a new one.
Operations with protection plans
Available actions with a protection plan
You can perform the following actions with a protection plan:
l Rename a plan.
l Enable/disable modules and edit each module setting.
l Enable/disable a plan.
A disabled plan will not be carried out on the devices to which it is applied.
This action is convenient for administrators who intend to protect the same device with the same
plan later. The plan is not revoked from the device and to restore the protection, you must only
re-enable the plan.
l Apply a plan to a device or a group of devices.
l Revoke a plan from a device.
A revoked plan is not applied to a device anymore.
This action is convenient for administrators who do not need to quickly protect the same device
with the same plan again. To restore the protection of a revoked plan, you must know the name
of this plan, select it from the list of available plans, and then re-apply it to the desired device.
l Stop a plan.
This action will stop all running backup operations on all workloads to which the plan is applied.
Backups will start again according to the schedule configured in the plan.
Antimalware scanning is not affected and will proceed per the schedule configured in the plan.
l Import/export a plan.
Note
You can import protection plans created in Cyber Protection 9.0 (released in March 2020) and
later. Plans created in earlier product versions are incompatible with versions 9.0 and later.
l Delete a plan.
To apply an existing protection plan
1. Select the machines that you want to protect.
2. Click Protect. If a protection plan is already applied to the selected machines, click Add plan.
3. The software displays previously created protection plans.
4. Select a protection plan to apply and click Apply.
To edit a protection plan
1. If you want to edit the protection plan for all machines to which it is applied, select one of these
machines. Otherwise, select the machines for which you want to edit the protection plan.
2. Click Protect.
3. Select the protection plan that you want to edit.
4. Click the Ellipsis icon next to the protection plan name, and then click Edit.
5. To modify the plan parameters, click the corresponding section of the protection plan panel.
6. Click Save changes.
7. To change the protection plan for all machines to which it is applied, click Apply the changes to
this protection plan. Otherwise, click Create a new protection plan only for the selected
devices.
To revoke a protection plan from machines
1. Select the machines that you want to revoke the protection plan from.
2. Click Protect.
3. If several protection plans are applied to the machines, select the protection plan that you want
to revoke.
4. Click the ellipsis icon next to the protection plan name, and then click Revoke.
To delete a protection plan
1. Select any machine to which the protection plan that you want to delete is applied.
2. Click Protect.
3. If several protection plans are applied to the machine, select the protection plan that you want to
delete.
4. Click the ellipsis icon next to the protection plan name, and then click Delete.
As a result, the protection plan is revoked from all of the machines and completely removed
from the web interface.
#CyberFit Score for machines
#CyberFit Score provides you with a security assessment and scoring mechanism that evaluates the
security posture of your machine. It identifies security gaps in the IT environment and open attack
vectors to endpoints and provides recommended actions for improvements in the form of a report.
This feature is available in all Cyber Protect editions.
The #CyberFit Score functionality is supported on:
l Windows 7 (first version) and later versions
l Windows Server 2008 R2 and later versions
How it works
The protection agent that is installed on a machine performs a security assessment and calculates
the #CyberFit Score for the machine. The #CyberFit Score of a machine is automatically
recalculated periodically.
#CyberFit scoring mechanism
The #CyberFit Score for a machine is calculated, based on the following metrics:
l Antimalware protection 0-275
l Backup protection 0-175
l Firewall 0-175
l Virtual private network (VPN) 0-75
l Full disk encryption 0-125
l Network security 0-25
The maximum #CyberFit Score for a machine is 850.
Each metric is described below by what is assessed, the recommendations to users, and the scoring.

Metric: Antimalware
What is assessed? The agent checks whether antimalware software is installed on a machine.
Recommendations to users:
Findings:
l You have antimalware protection enabled (+275 points)
l You don’t have antimalware protection, your system may be at risk (0 points)
Recommendations provided by #CyberFit Score:
You should have an antimalware solution installed and enabled on your machine to stay protected
from security risks.
You should refer to websites such as AV-Test or AV-Comparatives for a list of recommended
antimalware solutions.
Scoring:
l 275 - antimalware software is installed on a machine
l 0 - no antimalware software is installed on a machine

Metric: Backup
What is assessed? The agent checks if a backup solution is installed on a machine.
Recommendations to users:
Findings:
l You have a backup solution protecting your data (+175 points)
l No backup solution was found, your data may be at risk (0 points)
Recommendations provided by #CyberFit Score:
We recommend that you back up your data regularly to prevent data loss or ransomware attacks.
Below are some backup solutions that you should consider using:
l Acronis Cyber Protect / Cyber Backup / True Image
l Windows Server Backup (Windows Server 2008 R2 and later)
Scoring:
l 175 - a backup solution is installed on a machine
l 0 - no backup solution is installed on a machine

Metric: Firewall
What is assessed? The agent checks whether a firewall is available and enabled in your
environment. The agent does the following:
1. Checks Windows Firewall and Network Protection whether a public firewall is turned on.
2. Checks Windows Firewall and Network Protection whether a private firewall is turned on.
3. Checks for a 3-rd party firewall solution/agent if Windows public and private firewalls are
disabled.
Recommendations to users:
Findings:
l You have a firewall enabled for public and private networks, or a 3-rd party firewall solution
is found (+175 points)
l You have a firewall enabled only for public networks (+100 points)
l You have a firewall enabled only for private networks (+75 points)
l You have no firewall enabled, your network connection is not secure (0 points)
Recommendations provided by #CyberFit Score:
It is recommended to enable firewall for your public and private networks to improve your security
protection against malicious attacks on your system. Below are provided detailed guides on
setting-up your Windows firewall, depending on your security needs and network architecture:
Guides for end-users/employees:
How to set up Windows Defender Firewall on your PC
How to set up Windows Firewall on your PC
Guides for system administrators and engineers:
How to deploy Windows Defender Firewall with Advanced Security
How to create Advanced Rules in Windows Firewall
Scoring:
l 100 - Windows public firewall is enabled
l 75 - Windows private firewall is enabled
l 175 - Windows public and private firewall are enabled OR a third-party firewall solution is
enabled
l 0 - neither a Windows firewall, nor a third-party firewall solution are enabled

Metric: Virtual Private Network (VPN)
What is assessed? The agent checks whether a VPN solution is installed on a machine and whether
the VPN is enabled and running.
Recommendations to users:
Findings:
l You have a VPN solution and can safely receive and send data across public and shared
networks (+75 points)
l No VPN solution was found, your connection to public and shared networks is not secure (0
points)
Recommendations provided by #CyberFit Score:
It is recommended to use VPN to access your corporate network and confidential data. It is
critical to use a VPN to keep your communications safe and private, especially if you use
complimentary Internet access from a cafe, library, airport, or elsewhere. Below are some VPN
solutions that you should consider using:
l Acronis Business VPN
l OpenVPN
l Cisco AnyConnect
l NordVPN
l TunnelBear
l ExpressVPN
l PureVPN
l CyberGhost VPN
l Perimeter 81
l VyprVPN
l IPVanish VPN
l Hotspot Shield VPN
l Fortigate VPN
l ZYXEL VPN
l SonicWall GVPN
l LANCOM VPN
Scoring:
l 75 - VPN is enabled and running
l 0 - VPN is not enabled

Metric: Disk encryption
What is assessed? The agent checks whether a machine has disk encryption enabled. The agent
checks whether Windows BitLocker is turned on.
Recommendations to users:
Findings:
l You have full disk encryption enabled, your machine is protected against physical tampering
(+125 points)
l Only some hard drives are encrypted, your machine may be at risk from physical tampering
(+75 points)
l No disk encryption was found, your machine is at risk from physical tampering (0 points)
Recommendations provided by #CyberFit Score:
It is recommended to turn on Windows BitLocker to improve protection of your data and files.
Guide: How to turn on device encryption on Windows
Scoring:
l 125 - all disks are encrypted
l 75 - at least one of your disks is encrypted but there are also unencrypted disks
l 0 - no disks are encrypted

Metric: Network security (outgoing NTLM traffic to remote servers)
What is assessed? The agent checks whether a machine has restricted outgoing NTLM traffic to
remote servers.
Recommendations to users:
Findings:
l Outgoing NTLM traffic to remote servers is denied, your credentials are protected (+25
points)
l Outgoing NTLM traffic to remote servers is not denied, your credentials may be vulnerable to
exposure (0 points)
Recommendations provided by #CyberFit Score:
It is recommended to deny all outgoing NTLM traffic to remote servers for better security
protection. You can find information on how to change the NTLM settings and add exceptions by
following the link below.
Guide: Restrict outgoing NTLM traffic to remote servers
Scoring:
l 25 - outgoing NTLM traffic is set to DenyAll
l 0 - outgoing NTLM traffic is set to another value

Based on the summed points awarded to each metric, the total #CyberFit Score of a machine can fit
one of the following ratings that reflect the endpoint's level of protection:
l 0 - 579 - Poor
l 580 - 669 - Fair
l 670 - 739 - Good
l 740 - 799 - Very good
l 800 - 850 - Excellent
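The per-metric scoring and the rating bands above can be reproduced offline to see which gap costs a machine the most points. The following Python is an added example, not Acronis code: the Findings field names and the sample fleet are hypothetical, and it assumes that a third-party firewall counts only when both Windows firewall profiles are off, following the order of checks listed for the Firewall metric.

```python
from dataclasses import dataclass

# Maximum points per metric, as listed in the guide (they sum to 850).
MAX_POINTS = {
    "Antimalware": 275,
    "Backup": 175,
    "Firewall": 175,
    "VPN": 75,
    "Disk encryption": 125,
    "Network security": 25,
}

# Rating bands from the guide: (lowest score in the band, label), highest first.
RATING_BANDS = [(800, "Excellent"), (740, "Very good"), (670, "Good"),
                (580, "Fair"), (0, "Poor")]


@dataclass
class Findings:
    """Findings for one machine. Field names are hypothetical, not an Acronis schema."""
    antimalware: bool = False
    backup: bool = False
    fw_public: bool = False
    fw_private: bool = False
    fw_third_party: bool = False
    vpn_running: bool = False
    disks_total: int = 0
    disks_encrypted: int = 0
    ntlm_outgoing: str = "AllowAll"  # only "DenyAll" earns points


def firewall_points(f):
    if f.fw_public and f.fw_private:
        return 175
    if f.fw_public:
        return 100
    if f.fw_private:
        return 75
    # Assumption: the third-party check applies only when both profiles are off.
    return 175 if f.fw_third_party else 0


def disk_points(f):
    if not 0 <= f.disks_encrypted <= f.disks_total:
        raise ValueError("disks_encrypted must be between 0 and disks_total")
    if f.disks_total and f.disks_encrypted == f.disks_total:
        return 125
    return 75 if f.disks_encrypted else 0  # partial encryption scores 75


def metric_points(f):
    return {
        "Antimalware": 275 if f.antimalware else 0,
        "Backup": 175 if f.backup else 0,
        "Firewall": firewall_points(f),
        "VPN": 75 if f.vpn_running else 0,
        "Disk encryption": disk_points(f),
        "Network security": 25 if f.ntlm_outgoing == "DenyAll" else 0,
    }


def rating(score):
    if not 0 <= score <= sum(MAX_POINTS.values()):
        raise ValueError("score out of range")
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label


def assess(f):
    """Return (total score, rating, gaps); gaps are sorted by points still missing."""
    points = metric_points(f)
    total = sum(points.values())
    gaps = [(m, MAX_POINTS[m] - p) for m, p in points.items() if p < MAX_POINTS[m]]
    gaps.sort(key=lambda g: (-g[1], g[0]))
    return total, rating(total), gaps


def best_rating_without(metric):
    """Best rating a machine can reach if this one metric scores zero."""
    return rating(sum(MAX_POINTS.values()) - MAX_POINTS[metric])


# Constructed sample fleet (not real data).
FLEET = {
    "ws-01": Findings(antimalware=True, backup=True, fw_public=True, fw_private=True,
                      disks_total=2, disks_encrypted=1),
    "lap-03": Findings(backup=True, fw_third_party=True, vpn_running=True,
                       disks_total=1, disks_encrypted=1, ntlm_outgoing="DenyAll"),
}

if __name__ == "__main__":
    for name, findings in FLEET.items():
        total, label, gaps = assess(findings)
        print(f"{name}: {total} ({label}); largest gaps first: {gaps}")
    for metric in MAX_POINTS:
        print(f"best rating with no {metric} points: {best_rating_without(metric)}")
```

Running it shows that a machine with no antimalware protection cannot score above 575, which is still Poor even when every other metric is at its maximum.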
You can see the #CyberFit Score for your machines in the service console: go to Devices > All
devices. In the list of devices, you can see the #CyberFit Score column. You can also run the
#CyberFit Score scan for a machine to check its security posture.
You can also get information about the #CyberFit Score in the corresponding widget and report
pages.
Running a #CyberFit Score scan
To run a #CyberFit Score scan
1. In the service console, go to Devices.
2. Select the machine and click #CyberFit Score.
3. If the machine has never been scanned before, then click Run a first scan.
4. After the scan is completed, you will see the total #CyberFit Score for the machine along with the
scores of each of the six assessed metrics - Antimalware, Backup, Firewall, Virtual Private
Network (VPN), Disk encryption, and NT LAN Manager (NTLM) traffic.
5. To check how to increase the score of each metric for which the security configurations could be
improved, expand the corresponding section and read the recommendations.
6. After addressing the recommendations, you can always recalculate the #CyberFit Score of the
machine by clicking on the arrow button right under the total #CyberFit Score.
Backup and recovery
The backup module enables backup and recovery of physical and virtual machines, files, and
databases to local or cloud storage.
Backup
A protection plan with the Backup module enabled is a set of rules that specify how the given data
will be protected on a given machine.
A protection plan can be applied to multiple machines at the time of its creation, or later.
To create the first protection plan with the Backup module enabled
1. Select the machines that you want to back up.
2. Click Protect.
Protection plans that are applied to the machine are shown. If the machine does not have any
plans already assigned to it, then you will see the default protection plan that can be applied.
You can adjust the settings as needed and apply this plan or create a new one.
3. To create a new plan, click Create plan. Enable the Backup module and unroll the settings.
4. [Optional] To modify the protection plan name, click the default name.
5. [Optional] To modify the Backup module parameters, click the corresponding setting of the
protection plan panel.
6. [Optional] To modify the backup options, click Change next to Backup options.
7. Click Create.
To apply an existing protection plan
1. Select the machines that you want to back up.
2. Click Protect. If a common protection plan is already applied to the selected machines, click Add
plan.
The software displays previously created protection plans.
3. Select a protection plan to apply.
4. Click Apply.
Protection plan cheat sheet
The following table summarizes the available protection plan parameters. Use the table to create a
protection plan that best fits your needs.
WHAT TO BACK UP | ITEMS TO BACK UP (Selection methods) | WHERE TO BACK UP | SCHEDULE (Backup schemes)
Disks/volumes (physical machines [1]) | Direct selection; Policy rules; File filters | Cloud; Local folder; Network folder; NFS*; Secure Zone** | Always incremental (Single-file); Always full; Weekly full, Daily incremental; Monthly full, Weekly differential, Daily incremental (GFS); Custom (F-D-I)
Disks/volumes (virtual machines [2]) | Policy rules; File filters | Cloud; Local folder; Network folder; NFS* | Always incremental (Single-file); Always full; Weekly full, Daily incremental; Monthly full, Weekly differential, Daily incremental (GFS); Custom (F-D-I)
Files (physical machines only [1]) | Direct selection; Policy rules; File filters | Cloud; Local folder; Network folder; NFS*; Secure Zone** | Always incremental (Single-file); Always full; Weekly full, Daily incremental; Monthly full, Weekly differential, Daily incremental (GFS); Custom (F-D-I)
ESXi configuration | Direct selection | Local folder; Network folder; NFS* | Always incremental (Single-file); Always full; Weekly full, Daily incremental; Monthly full, Weekly differential, Daily incremental (GFS); Custom (F-D-I)
Websites (files and MySQL databases) | Direct selection | Cloud | —
System state | Direct selection | Cloud; Local folder; Network folder | Always full; Weekly full, daily incremental; Custom (F-I); Always incremental (Single-file) - only for SQL databases
SQL databases | Direct selection | Cloud; Local folder; Network folder | Always full; Weekly full, daily incremental; Custom (F-I); Always incremental (Single-file) - only for SQL databases
Exchange databases | Direct selection | Cloud; Local folder; Network folder | Always full; Weekly full, daily incremental; Custom (F-I); Always incremental (Single-file) - only for SQL databases
Microsoft 365: Mailboxes (local Agent for Microsoft 365) | Direct selection | Cloud; Local folder; Network folder | Always incremental (Single-file)
Microsoft 365: Mailboxes (cloud Agent for Microsoft 365) | Direct selection | Cloud | —
Microsoft 365: Public folders | Direct selection | Cloud | —
Microsoft 365: Teams | Direct selection | Cloud | —
Microsoft 365: OneDrive files | Direct selection; Policy rules | Cloud | —
Microsoft 365: SharePoint Online data | Direct selection; Policy rules | Cloud | —
Google Workspace: Gmail mailboxes | Direct selection | Cloud | —
Google Workspace: Google Drive files | Direct selection; Policy rules | Cloud | —
Google Workspace: Shared drive files | Direct selection; Policy rules | Cloud | —
HOW LONG TO KEEP: By backup age (single rule/per backup set); By number of backups; By total size of backups***; Keep indefinitely
[1] A machine that is backed up by an agent installed in the operating system.
[2] A virtual machine that is backed up at a hypervisor level by an external agent such as Agent for VMware or Agent for
Hyper-V. A virtual machine with an agent inside is treated as physical from the backup standpoint.
* Backup to NFS shares is not available in Windows.
** Secure Zone cannot be created on a Mac.
*** The By total size of backups retention rule is not available with the Always incremental
(single-file) backup scheme or when backing up to the cloud storage.
Selecting data to back up
Selecting entire machine
A backup of an entire machine is a backup of all its non-removable disks. For more information
about disk backup, refer to "Selecting disks/volumes" (p. 168).
Note
Disk/volume backups are not supported for encrypted APFS volumes that are locked.
During a backup of an entire machine, such volumes are skipped.
Selecting disks/volumes
A disk-level backup contains a copy of a disk or a volume in a packaged form. You can recover
individual disks, volumes, or files from a disk-level backup.
Note
Disk/volume backups are not supported for encrypted APFS volumes that are locked.
During a backup of an entire machine, such volumes are skipped.
Disks connected via the iSCSI protocol to a physical machine can also be backed up, though there are
limitations if you use Agent for VMware or Agent for Hyper-V for backing up the iSCSI-connected
disks.
There are two ways of selecting disks/volumes: directly on each machine or by using policy rules.
You can exclude files from a disk backup by setting the file filters.
Direct selection
Direct selection is available only for physical machines.
1. In What to back up, select Disks/volumes.
2. Click Items to back up.
3. In Select items for backup, select Directly.
4. For each of the machines included in the protection plan, select the check boxes next to the disks
or volumes to back up.
5. Click Done.
Using policy rules
1. In What to back up, select Disks/volumes.
2. Click Items to back up.
3. In Select items for backup, select Using policy rules.
4. Select any of the predefined rules, type your own rules, or combine both.
The policy rules will be applied to all of the machines included in the protection plan. If no data
meeting at least one of the rules is found on a machine when the backup starts, the backup will
fail on that machine.
5. Click Done.
Rules for Windows, Linux, and macOS
l [All Volumes] selects all volumes on machines running Windows and all mounted volumes on
machines running Linux or macOS.
Rules for Windows
l Drive letter (for example C:\) selects the volume with the specified drive letter.
l [Fixed Volumes (physical machines)] selects all volumes of physical machines, other than
removable media. Fixed volumes include volumes on SCSI, ATAPI, ATA, SSA, SAS, and SATA
devices, and on RAID arrays.
l [BOOT+SYSTEM] selects the system and boot volumes. This combination is the minimal set of data
that ensures recovery of the operating system from the backup.
l [Disk 1] selects the first disk of the machine, including all volumes on that disk. To select another
disk, type the corresponding number.
Rules for Linux
l /dev/hda1 selects the first volume on the first IDE hard disk.
l /dev/sda1 selects the first volume on the first SCSI hard disk.
l /dev/md1 selects the first software RAID hard disk.
To select other basic volumes, specify /dev/xdyN, where:
l "x" corresponds to the disk type
l "y" corresponds to the disk number (a for the first disk, b for the second disk, and so on)
l "N" is the volume number.
To select a logical volume, specify its path as it appears after running the ls /dev/mapper command
under the root account. For example:
[root@localhost ~]# ls /dev/mapper/
control vg_1-lv1 vg_1-lv2
This output shows two logical volumes, lv1 and lv2, that belong to the volume group vg_1. To back
up these volumes, enter:
/dev/mapper/vg_1-lv1
/dev/mapper/vg_1-lv2
Rules for macOS
l [Disk 1] selects the first disk of the machine, including all volumes on that disk. To select another
disk, type the corresponding number.
What does a disk or volume backup store?
A disk or volume backup stores a disk or a volume file system as a whole and includes all of the
information necessary for the operating system to boot. It is possible to recover disks or volumes as
a whole from such backups as well as individual folders or files.
With the sector-by-sector (raw mode) backup option enabled, a disk backup stores all the disk
sectors. The sector-by-sector backup can be used for backing up disks with unrecognized or
unsupported file systems and other proprietary data formats.
Windows
A volume backup stores all files and folders of the selected volume independent of their attributes
(including hidden and system files), the boot record, the file allocation table (FAT) if it exists, the root
and the zero track of the hard disk with the master boot record (MBR).
A disk backup stores all volumes of the selected disk (including hidden volumes such as the vendor's
maintenance partitions) and the zero track with the master boot record.
The following items are not included in a disk or volume backup (as well as in a file-level backup):
l The swap file (pagefile.sys) and the file that keeps the RAM content when the machine goes into
hibernation (hiberfil.sys). After recovery, the files will be re-created in the appropriate place with
the zero size.
l If the backup is performed under the operating system (as opposed to bootable media or backing
up virtual machines at a hypervisor level):
o Windows shadow storage. The path to it is determined in the registry value VSS Default
Provider which can be found in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup. This
means that in operating systems starting with Windows Vista, Windows Restore Points are not
backed up.
o If the Volume Shadow Copy Service (VSS) backup option is enabled, files and folders that are
specified in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot
registry key.
Linux
A volume backup stores all files and directories of the selected volume independent of their
attributes, a boot record, and the file system super block.
A disk backup stores all disk volumes as well as the zero track with the master boot record.
Mac
A disk or volume backup stores all files and directories of the selected disk or volume, plus a
description of the volume layout.
The following items are excluded:
l System metadata, such as the file system journal and Spotlight index
l The Trash
l Time Machine backups
Physically, disks and volumes on a Mac are backed up at a file level. Bare metal recovery from disk
and volume backups is possible, but the sector-by-sector backup mode is not available.
Selecting files/folders
File-level backup is available for physical machines and virtual machines backed up by an agent
installed in the guest system. Files and folders located on disks connected via the iSCSI protocol to a
physical machine can also be backed up, though there are limitations if you use Agent for VMware or
Agent for Hyper-V for backing up data on the iSCSI-connected disks.
A file-level backup is not sufficient for recovery of the operating system. Choose file backup if you
plan to protect only certain data (the current project, for example). This will reduce the backup size,
thus saving storage space.
There are two ways of selecting files: directly on each machine or by using policy rules. Either
method allows you to further refine the selection by setting the file filters.
Direct selection
1. In What to back up, select Files/folders.
2. Specify Items to back up.
3. In Select items for backup, select Directly.
4. For each of the machines included in the protection plan:
a. Click Select files and folders.
b. Click Local folder or Network folder.
The share must be accessible from the selected machine.
c. Browse to the required files/folders or enter the path and click the arrow button. If prompted,
specify the user name and password for the shared folder.
Backing up a folder with anonymous access is not supported.
d. Select the required files/folders.
e. Click Done.
Using policy rules
1. In What to back up, select Files/folders.
2. Specify Items to back up.
3. In Select items for backup, select Using policy rules.
4. Select any of the predefined rules, type your own rules, or combine both.
The policy rules will be applied to all of the machines included in the protection plan. If no data
meeting at least one of the rules is found on a machine when the backup starts, the backup will
fail on that machine.
5. Click Done.
Selection rules for Windows
l Full path to a file or folder, for example D:\Work\Text.doc or C:\Windows.
l Templates:
o [All Files] selects all files on all volumes of the machine.
o [All Profiles Folder] selects the folder where all user profiles are located (typically, C:\Users
or C:\Documents and Settings).
l Environment variables:
o %ALLUSERSPROFILE% selects the folder where the common data of all user profiles is located
(typically, C:\ProgramData or C:\Documents and Settings\All Users).
o %PROGRAMFILES% selects the Program Files folder (for example, C:\Program Files).
o %WINDIR% selects the folder where Windows is located (for example, C:\Windows).
You can use other environment variables or a combination of environment variables and text. For
example, to select the Java folder in the Program Files folder, type: %PROGRAMFILES%\Java.
Selection rules for Linux
l Full path to a file or directory. For example, to back up file.txt on the volume /dev/hda3
mounted on /home/usr/docs, specify /dev/hda3/file.txt or /home/usr/docs/file.txt.
o /home selects the home directory of the common users.
o /root selects the root user's home directory.
o /usr selects the directory for all user-related programs.
o /etc selects the directory for system configuration files.
l Templates:
o [All Profiles Folder] selects /home. This is the folder where all user profiles are located by
default.
Selection rules for macOS
l Full path to a file or directory.
l Templates:
o [All Profiles Folder] selects /Users. This is the folder where all user profiles are located by
default.
Examples:
l To back up file.txt on a user's desktop, specify /Users/<user name>/Desktop/file.txt.
l To back up the Desktop, the Documents, or the Downloads folders of a user, specify
/Users/<user name>/Desktop, /Users/<user name>/Documents, or /Users/<user
name>/Downloads, respectively.
l To back up the home folders of all users who have an account on this machine, specify /Users.
l To back up the directory where the applications are installed, specify /Applications.
Selecting system state
System state backup is available for machines running Windows 7 and later.
To back up system state, in What to back up, select System state.
A system state backup is comprised of the following files:
l Task scheduler configuration
l VSS Metadata Store
l Performance counter configuration information
l MSSearch Service
l Background Intelligent Transfer Service (BITS)
l The registry
l Windows Management Instrumentation (WMI)
l Component Services Class registration database
Selecting ESXi configuration
A backup of an ESXi host configuration enables you to recover an ESXi host to bare metal. The
recovery is performed under bootable media.
The virtual machines running on the host are not included in the backup. They can be backed up
and recovered separately.
A backup of an ESXi host configuration includes:
l The bootloader and boot bank partitions of the host.
l The host state (configuration of virtual networking and storage, SSL keys, server network settings,
and local user information).
l Extensions and patches installed or staged on the host.
l Log files.
Prerequisites
l SSH must be enabled in the Security Profile of the ESXi host configuration.
l You must know the password for the 'root' account on the ESXi host.
Limitations
l ESXi configuration backup is not supported for VMware vSphere 7.0.
l An ESXi configuration cannot be backed up to the cloud storage.
To select an ESXi configuration
1. Click Devices > All devices, and then select the ESXi hosts that you want to back up.
2. Click Protect.
3. In What to back up, select ESXi configuration.
4. In ESXi 'root' password, specify a password for the 'root' account on each of the selected hosts
or apply the same password to all of the hosts.
Continuous data protection (CDP)
Continuous data protection (CDP) is part of the Advanced Backup pack. It backs up critical data
immediately after this data is changed, ensuring that no changes will be lost if your system fails
between two scheduled backups. You can configure Continuous data protection for the following
data:
l Files or folders in specific locations
l Files modified by specific applications
Continuous data protection is supported only for the NTFS file system and the following operating
systems:
l Desktop: Windows 7 and later
l Server: Windows Server 2008 R2 and later
Only local folders are supported. Network folders cannot be selected for Continuous data
protection.
Continuous data protection is not compatible with the Application backup option.
How it works
Changes in the files and folders that are tracked by Continuous data protection are immediately
saved to a special CDP backup. There is only one CDP backup in a backup set, and it is always the
most recent one.
When a scheduled regular backup starts, Continuous data protection is put on hold because the
latest data is to be included in the scheduled backup. When the scheduled backup finishes,
Continuous data protection resumes, the old CDP backup is deleted, and a new CDP backup is
created. Thus, the CDP backup always stays the most recent backup in the backup set and stores
only the latest state of the tracked files or folders.
If your machine crashes during a regular backup, Continuous data protection resumes automatically
after the machine restarts and creates a CDP backup on top of the last successful scheduled
backup.
Continuous data protection requires that at least one regular backup is created before the CDP
backup. That is why, when you run a protection plan with Continuous data protection for the first
time, a full backup is created, and a CDP backup is immediately added on top of it. If you enable the
Continuous data protection option for an existing protection plan, the CDP backup is added to the
existing backup set.
Note
Continuous data protection is enabled by default for protection plans that you create from the
Devices tab, if the Advanced Backup functionality is enabled for you and you are not using other
Advanced Backup features for the selected machines. If you already have a plan with Continuous
data protection for a selected machine, Continuous data protection will not be enabled by default
for that machine in newly created plans.
Continuous data protection is not enabled by default for plans created for device groups.
Supported data sources
You can configure Continuous data protection with the following data sources:
l Entire machine
l Disks/volumes
l Files/folders
After selecting the data source in the What to backup section of the protection plan, go to the
Items to protect continuously section and select the files, folders, or applications for Continuous
data protection. For more information on how to configure Continuous data protection, refer to
"Configuring a CDP backup" (p. 177).
Supported destinations
You can configure Continuous data protection with the following destinations:
l Local folder
l Network folder
l Cloud storage
l Acronis Cyber Infrastructure
l Location defined by a script
Note
You can define by a script only the locations listed above.
Configuring a CDP backup
You can configure Continuous data protection in the Backup module of a protection plan. For more
information on how to create a protection plan, refer to "Creating a protection plan" (p. 149).
To configure the Continuous data protection settings
1. In the Backup module of a protection plan, enable the Continuous data protection (CDP)
switch.
This switch is available only for the following data sources:
l Entire machine
l Disk/volumes
l Files/folders
2. In Items to protect continuously, configure Continuous data protection for Applications or
Files/folders, or both.
l Click Applications to configure CDP backup for files that are modified by specific applications.
You can select applications from predefined categories or add other applications by specifying
the path to their executable file, for example:
o C:\Program Files\Microsoft Office\Office16\WINWORD.EXE
o *:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
l Click Files/folders to configure CDP backup for files in specific locations.
You can define these locations by using selection rules or by selecting the files and folders
directly.
o [For all machines] To create a selection rule, use the text box.
You can use the full paths to files or paths with wildcard characters (* and ?). The asterisk
matches zero or more characters. The question mark matches a single character.
Important
To create a CDP backup for a folder, you must specify its content by using the asterisk
wildcard character:
Correct path: D:\Data\*
Incorrect path: D:\Data\
o [For online machines] To select files and folders directly:
n In Machine to browse from, select the machine on which the files or folders reside.
n Click Select files and folders to browse the selected machine.
Your direct selection creates a selection rule. If you apply the protection plan to multiple
machines and a selection rule is not valid for a machine, it will be skipped on this
machine.
3. In the protection plan pane, click Create.
As a result, the data that you specified will be backed up continuously between the scheduled
backups.
Selecting a destination
Click Where to back up, and then select one of the following:
l Cloud storage
Backups will be stored in the cloud data center.
l Local folders
If a single machine is selected, browse to a folder on the selected machine or type the folder
path.
If multiple machines are selected, type the folder path. Backups will be stored in this folder on
each of the selected physical machines or on the machine where the agent for virtual machines is
installed. If the folder does not exist, it will be created.
l Network folder
This is a folder shared via SMB/CIFS/DFS.
Browse to the required shared folder or enter the path in the following format:
o For SMB/CIFS shares: \\<host name>\<path>\ or smb://<host name>/<path>/
o For DFS shares: \\<full DNS domain name>\<DFS root>\<path>
For example, \\example.company.com\shared\files
Then, click the arrow button. If prompted, specify the user name and password for the shared
folder. You can change these credentials at any time by clicking the key icon next to the folder
name.
Backing up to a folder with anonymous access is not supported.
l NFS folder (available for machines running Linux or macOS)
Verify that the nfs-utils package is installed on the Linux server where the Agent for Linux is
installed.
Browse to the required NFS folder or enter the path in the following format:
nfs://<host name>/<exported folder>:/<subfolder>
Then, click the arrow button.
Note
It is not possible to back up to an NFS folder protected with a password.
l Secure Zone (available if it is present on each of the selected machines)
Secure Zone is a secure partition on a disk of the backed-up machine. This partition has to be
created manually prior to configuring a backup. For information about how to create Secure
Zone, its advantages and limitations, refer to "About Secure Zone" (p. 180).
Advanced storage option
Note
This functionality is available only in the Advanced edition of the Cyber Protection service.
Defined by a script (available for machines running Windows)
You can store each machine's backups in a folder defined by a script. The software supports scripts
written in JScript, VBScript, or Python 3.5. When deploying the protection plan, the software runs the
script on each machine. The script output for each machine should be a local or network folder
path. If a folder does not exist, it will be created (limitation: scripts written in Python cannot create
folders on network shares). On the Backup storage tab, each folder is shown as a separate backup
location.
In Script type, select the script type (JScript, VBScript, or Python), and then import, or copy and
paste the script. For network folders, specify the access credentials with the read/write permissions.
Examples:
l The following JScript script outputs the backup location for a machine in the format
\\bkpsrv\<machine name>:
WScript.Echo("\\\\bkpsrv\\" + WScript.CreateObject("WScript.Network").ComputerName);
As a result, the backups of each machine will be saved in a folder of the same name on the server
bkpsrv.
l The following JScript script outputs the backup location in a folder on the machine where the
script runs:
WScript.Echo("C:\\Backup");
As a result, the backups of this machine will be saved in the folder C:\Backup on the same
machine.
Note
The location path in these scripts is case-sensitive. Therefore, C:\Backup and C:\backup are
displayed as different locations in the service console. Also, use upper case for the drive letter.
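A Python counterpart of the first JScript example, added here for illustration (it is not Acronis code). It is written without f-strings so that it runs on Python 3.5. Reading the machine name from the COMPUTERNAME environment variable, printing the path to standard output, and the allow-list for machine names are assumptions.

```python
import os
import re
import sys

# Server name taken from the guide's JScript example.
BACKUP_SERVER = "bkpsrv"

# Assumption: a conservative allow-list for machine names (letters, digits,
# hyphen, at most 15 characters, the NetBIOS length limit). Anything else,
# such as a backslash or "..", is rejected instead of being placed in a path.
_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")
_LOCAL_RE = re.compile(r"^([A-Za-z]):\\(.*)$")


def network_location(computer_name, server=BACKUP_SERVER):
    """Return \\\\<server>\\<MACHINE NAME> for a validated machine name.

    The name is upper-cased because the location path is case-sensitive:
    the same machine must always produce the same location string.
    """
    name = computer_name.strip()
    if not _NAME_RE.match(name):
        raise ValueError("unexpected computer name: {!r}".format(computer_name))
    return "\\\\{}\\{}".format(server, name.upper())


def local_location(path):
    """Return a local folder path with an upper-case drive letter.

    The rest of the path is left as typed, so C:\\Backup and C:\\backup
    remain two different locations in the console.
    """
    match = _LOCAL_RE.match(path.strip())
    if not match:
        raise ValueError("not an absolute local path: {!r}".format(path))
    drive, rest = match.group(1).upper(), match.group(2).rstrip("\\")
    return "{}:\\{}".format(drive, rest)


if __name__ == "__main__":
    # The folder must already exist on the share: per the guide, Python
    # scripts cannot create folders on network shares.
    try:
        print(network_location(os.environ.get("COMPUTERNAME", "")))
    except ValueError as exc:
        sys.stderr.write("{}\n".format(exc))
        sys.exit(1)
```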
About Secure Zone
Secure Zone is a secure partition on a disk of the backed-up machine. It can store backups of disks
or files of this machine.
Should the disk experience a physical failure, the backups located in the Secure Zone may be lost.
That's why Secure Zone should not be the only location where a backup is stored. In enterprise
environments, Secure Zone can be thought of as an intermediate location used for backup when an
ordinary location is temporarily unavailable or connected through a slow or busy channel.
Why use Secure Zone?
Secure Zone:
l Enables recovery of a disk to the same disk where the disk's backup resides.
l Offers a cost-effective and handy method for protecting data from software malfunction, virus
attack, and human error.
l Eliminates the need for separate media or a network connection to back up or recover the data.
This is especially useful for roaming users.
l Can serve as a primary destination when using replication of backups.
Limitations
l Secure Zone cannot be organized on a Mac.
l Secure Zone is a partition on a basic disk. It cannot be organized on a dynamic disk or created as
a logical volume (managed by LVM).
l Secure Zone is formatted with the FAT32 file system. Because FAT32 has a 4-GB file size limit,
larger backups are split when saved to Secure Zone. This does not affect the recovery procedure
and speed.
How creating Secure Zone transforms the disk
l Secure Zone is always created at the end of the hard disk.
l If there is no or not enough unallocated space at the end of the disk, but there is unallocated
space between volumes, the volumes will be moved to add more unallocated space to the end of
the disk.
l When all unallocated space is collected but it is still not enough, the software will take free space
from the volumes you select, proportionally reducing the volumes' size.
l However, there should be free space on a volume, so that the operating system and applications
can operate; for example, create temporary files. The software will not decrease a volume where
free space is or becomes less than 25 percent of the total volume size. Only when all volumes on
the disk have 25 percent or less free space, will the software continue decreasing the volumes
proportionally.
As is apparent from the above, specifying the maximum possible Secure Zone size is not advisable.
You will end up with no free space on any volume, which might cause the operating system or
applications to work unstably and even fail to start.
Important
Moving or resizing the volume from which the system is booted requires a reboot.
How to create Secure Zone
1. Select the machine that you want to create Secure Zone on.
2. Click Details > Create Secure Zone.
3. Under Secure Zone disk, click Select, and then select a hard disk (if several) on which to create
the zone.
The software calculates the maximum possible size of Secure Zone.
4. Enter the Secure Zone size or drag the slider to select any size between the minimum and the
maximum ones.
The minimum size is approximately 50 MB, depending on the geometry of the hard disk. The
maximum size is equal to the disk's unallocated space plus the total free space on all of the disk's
volumes.
5. If all unallocated space is not enough for the size you specified, the software will take free space
from the existing volumes. By default, all volumes are selected. If you want to exclude some
volumes, click Select volumes. Otherwise, skip this step.
6. [Optional] Enable the Password protection switch and specify a password.
The password will be required to access the backups located in Secure Zone. Backing up to
Secure Zone does not require a password, unless the backup is performed under bootable
media.
7. Click Create.
The software displays the expected partition layout. Click OK.
8. Wait while the software creates Secure Zone.
You can now choose Secure Zone in Where to back up when creating a protection plan.
How to delete Secure Zone
1. Select a machine with Secure Zone.
2. Click Details.
3. Click the gear icon next to Secure Zone, and then click Delete.
4. [Optional] Specify the volumes to which the space freed from the zone will be added. By default,
all volumes are selected.
The space will be distributed equally among the selected volumes. If you do not select any
volumes, the freed space will become unallocated.
Resizing the volume from which the system is booted requires a reboot.
5. Click Delete.
As a result, Secure Zone will be deleted along with all backups stored in it.
Schedule
The schedule employs the time settings (including the time zone) of the operating system where the
agent is installed. The time zone of Agent for VMware (Virtual Appliance) can be configured in the
agent's interface.
For example, if a protection plan is scheduled to run at 21:00 and applied to several machines
located in different time zones, the backup will start on each machine at 21:00 local time.
Backup schemes
You can choose one of the predefined backup schemes or create a custom scheme. A backup
scheme is a part of the protection plan that includes the backup schedule and the backup methods.
In Backup scheme, select one of the following:
l Always incremental (single-file)
By default, backups are performed on a daily basis, Monday to Friday. You can select the time to
run the backup.
If you want to change the backup frequency, move the slider, and then specify the backup
schedule.
The backups use the single-file backup format. This is a backup format in which the initial full
and subsequent incremental backups are saved to a single .tibx file. This format leverages the
speed of the incremental backup method, while avoiding its main disadvantage, the difficult
deletion of outdated backups. The software marks the blocks used by outdated backups as "free"
and writes new backups to these blocks. This results in extremely fast cleanup, with minimal
resource consumption. The single-file backup format is not available when backing up to
locations that do not support random-access reads and writes.
The first backup is full, which means that it is the most time-consuming. All subsequent backups
are incremental and take significantly less time.
This scheme is highly recommended if the backup location is cloud storage. Other backup
schemes may include multiple full backups that consume much time and network traffic.
l Always full
By default, backups are performed on a daily basis, Monday to Friday. You can select the time to
run the backup.
If you want to change the backup frequency, move the slider, and then specify the backup
schedule.
All backups are full.
l Weekly full, Daily incremental
By default, backups are performed on a daily basis, Monday to Friday. You can modify the days of
the week and the time to run the backup.
A full backup is created once a week. All other backups are incremental. The day on which the full
backup is created depends on the Weekly backup option (click the gear icon, then Backup
options > Weekly backup).
l Monthly full, Weekly differential, Daily incremental (GFS)
By default, incremental backups are performed on a daily basis, Monday to Friday; differential
backups are performed every Saturday; full backups are performed on the first day of each
month. You can modify these schedules and the time to run the backup.
This backup scheme is displayed as a Custom scheme on the protection plan panel.
l Custom
Specify schedules for full, differential, and incremental backups.
Differential backup is not available when backing up SQL data, Exchange data, or system state.
With any backup scheme, you can schedule the backup to run by events, instead of by time. To do
this, select the event type in the schedule selector. For more information, refer to "Schedule by
events".
Note
Once the protection plan is created, you cannot switch between single-file and multi-file format of
backup schemes. Always incremental is a single-file format, and the rest of the schemes are
multi-file format. If you want to switch between formats, create a new protection plan.
Additional scheduling options
With any destination, you can do the following:
l Specify the backup start conditions, so that a scheduled backup is performed only if the
conditions are met. For more information, refer to "Start conditions".
l Set a date range for when the schedule is effective. Select the Run the plan within a date range
check box, and then specify the date range.
l Disable the schedule. While the schedule is disabled, the retention rules are not applied unless a
backup is started manually.
l Introduce a delay from the scheduled time. The delay value for each machine is selected
randomly and ranges from zero to the maximum value you specify. You may want to use this
setting when backing up multiple machines to a network location, to avoid excessive network
load.
In the protection plan in the Backup module settings, go to Backup options > Scheduling. Select
Distribute backup start times within a time window, and then specify the maximum delay.
The delay value for each machine is determined when the protection plan is applied to the
machine and remains the same until you edit the protection plan and change the maximum delay
value.
Note
This option is enabled by default, with the maximum delay set to 30 minutes.
l Click Show more to access the following options:
o If the machine is turned off, run missed tasks at the machine startup (disabled by
default)
o Prevent the sleep or hibernate mode during backup (enabled by default)
This option is effective only for machines running Windows.
o Wake up from the sleep or hibernate mode to start a scheduled backup (disabled by
default)
This option is effective only for machines running Windows whose power plan has the Allow
wake timers setting enabled.
This option is not effective when the machine is powered off, i.e. the option does not employ
the Wake-on-LAN functionality.
Schedule by events
When setting up a schedule for the Backup module of the protection plan, you can select the event
type in the schedule selector. The backup will be launched as soon as the event occurs.
You can choose one of the following events:
l Upon time since last backup
This is the time since the completion of the last successful backup within the same protection
plan. You can specify the length of time.
Note
Because the schedule is based on a successful backup event, if a backup fails, the scheduler will
not run the job again until an operator runs the plan manually and the run completes
successfully.
l When a user logs on to the system
By default, logging on of any user will initiate a backup. You can change any user to a specific user
account.
l When a user logs off the system
By default, logging off of any user will initiate a backup. You can change any user to a specific user
account.
Note
The backup will not run at a system shutdown because shutting down is not the same as logging
off.
l On the system startup
l On the system shutdown
l On Windows Event Log event
You must specify the event properties.
The table below lists the events available for various data under Windows, Linux, and macOS.
| WHAT TO BACK UP | Upon time since last backup | When a user logs on to the system | When a user logs off the system | On the system startup | On the system shutdown | On Windows Event Log event |
| --- | --- | --- | --- | --- | --- | --- |
| Disks/volumes or files (physical machines) | Windows, Linux, macOS | Windows | Windows | Windows, Linux, macOS | Windows | Windows |
| Disks/volumes (virtual machines) | Windows, Linux | – | – | – | – | – |
| ESXi configuration | Windows, Linux | – | – | – | – | – |
| Microsoft 365 mailboxes | Windows | – | – | – | – | Windows |
| Exchange databases and mailboxes | Windows | – | – | – | – | Windows |
| SQL databases | Windows | – | – | – | – | Windows |
On Windows Event Log event
You can schedule a backup to start when a certain Windows event has been recorded in one of the
event logs, such as the Application, Security, or System log.
For example, you may want to set up a protection plan that will automatically perform an
emergency full backup of your data as soon as Windows discovers that your hard disk drive is about
to fail.
To browse the events and view the event properties, use the Event Viewer snap-in available in the
Computer Management console. To be able to open the Security log, you must be a member of
the Administrators group.
Event properties
Log name
Specifies the name of the log. Select the name of a standard log (Application, Security, or
System) from the list, or type a log name—for example: Microsoft Office Sessions
Event source
Specifies the event source, which typically indicates the program or the system component
that caused the event—for example: disk.
Any event source that contains the specified string will trigger the scheduled backup. This
option is not case sensitive. Thus, if you specify the string service, both Service Control Manager
and Time-Service event sources will trigger a backup.
Event type
Specifies the event type: Error, Warning, Information, Audit success, or Audit failure.
Event ID
Specifies the event number, which typically identifies the particular kind of events among
events from the same source.
For example, an Error event with Event source disk and Event ID 7 occurs when Windows
discovers a bad block on a disk, whereas an Error event with Event source disk and Event ID 15
occurs when a disk is not ready for access yet.
Example: "Bad block" emergency backup
One or more bad blocks that have suddenly appeared on a hard disk usually indicate that the hard
disk drive will soon fail. Suppose that you want to create a protection plan that will back up hard
disk data as soon as such a situation occurs.
When Windows detects a bad block on a hard disk, it records an event with the event source disk
and the event number 7 into the System log; the type of this event is Error.
When creating the plan, type or select the following in the Schedule section:
l Log name: System
l Event source: disk
l Event type: Error
l Event ID: 7
Important
To ensure that such a backup will complete despite the presence of bad blocks, you must make the
backup ignore bad blocks. To do this, in Backup options, go to Error handling, and then select the
Ignore bad sectors check box.
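The matching rules described under Event properties, modelled over constructed events so that a trigger can be checked before it is used in a plan. This is an added example, not Acronis code; exact comparison of the log name, event type, and event ID is an assumption, since the guide only states that Event source is a case-insensitive substring match.

```python
def source_matches(pattern, source):
    """Event source rule from the guide: case-insensitive substring match."""
    return pattern.lower() in source.lower()


def trigger_fires(trigger, event):
    """True if the event would start the backup for this trigger.

    Assumption: log name, type and ID must match exactly (the log name is
    compared case-insensitively); only the source is a substring match.
    """
    return (
        event["log"].lower() == trigger["log"].lower()
        and source_matches(trigger["source"], event["source"])
        and event["type"] == trigger["type"]
        and event["id"] == trigger["id"]
    )


def sources_caught(pattern, events):
    """Distinct event sources that a source string would match."""
    return sorted({e["source"] for e in events if source_matches(pattern, e["source"])})


def firing_sources(trigger, events):
    """Distinct sources of the events that would actually fire the trigger."""
    return sorted({e["source"] for e in events if trigger_fires(trigger, e)})


# The "Bad block" trigger from the guide.
BAD_BLOCK = {"log": "System", "source": "disk", "type": "Error", "id": 7}

# Constructed sample events. "ExampleDiskTool" and the IDs 1001/1002 are
# made up for illustration; the other values come from the guide.
SAMPLE_EVENTS = [
    {"log": "System", "source": "disk", "type": "Error", "id": 7},
    {"log": "System", "source": "disk", "type": "Error", "id": 15},
    {"log": "System", "source": "ExampleDiskTool", "type": "Error", "id": 7},
    {"log": "Application", "source": "ExampleDiskTool", "type": "Error", "id": 7},
    {"log": "System", "source": "Service Control Manager", "type": "Information", "id": 1001},
    {"log": "System", "source": "Time-Service", "type": "Information", "id": 1002},
]


if __name__ == "__main__":
    # The string "service" catches both sources named in the guide.
    print(sources_caught("service", SAMPLE_EVENTS))
    # The bad-block trigger also fires for any other System-log source whose
    # name contains "disk" and that logs an Error with ID 7.
    print(firing_sources(BAD_BLOCK, SAMPLE_EVENTS))
```

A source string that is too short widens the trigger to every source containing it, so reviewing the sources present in the target log before saving the plan avoids unplanned emergency backups.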
Start conditions
These settings add more flexibility to the scheduler, enabling it to execute a backup with respect to
certain conditions. With multiple conditions, all of them must be met simultaneously to enable a
backup to start. Start conditions are not effective when a backup is started manually.
To access these settings, click Show more when setting up a schedule for a protection plan.
The scheduler behavior, in case the condition (or any of multiple conditions) is not met, is defined by
the Backup start conditions backup option. To handle the situation when the conditions are not met
for too long and further delaying the backup is becoming risky, you can set the time interval after
which the backup will run irrespective of the condition.
The table below lists the start conditions available for various data under Windows, Linux, and
macOS.
| WHAT TO BACK UP | Disks/volumes or files (physical machines) | Disks/volumes (virtual machines) | ESXi configuration | Microsoft 365 mailboxes | Exchange databases and mailboxes | SQL databases |
| --- | --- | --- | --- | --- | --- | --- |
| User is idle | Windows | – | – | – | – | – |
| The backup location's host is available | Windows, Linux, macOS | Windows, Linux | Windows, Linux | Windows | Windows | Windows |
| Users logged off | Windows | – | – | – | – | – |
| Fits the time interval | Windows, Linux, macOS | Windows, Linux | – | – | – | – |
| Save battery power | Windows | – | – | – | – | – |
| Do not start when on metered connection | Windows | – | – | – | – | – |
| Do not start when connected to the following Wi-Fi networks | Windows | – | – | – | – | – |
| Check device IP address | Windows | – | – | – | – | – |
User is idle
"User is idle" means that a screen saver is running on the machine or the machine is locked.
Example
Run the backup on the machine every day at 21:00, preferably when the user is idle. If the user is
still active by 23:00, run the backup anyway.
l Schedule: Daily, Run every day. Start at: 21:00.
l Condition: User is idle.
l Backup start conditions: Wait until the conditions are met, Start the backup anyway after 2
hour(s).
As a result,
(1) If the user becomes idle before 21:00, the backup will start at 21:00.
(2) If the user becomes idle between 21:00 and 23:00, the backup will start immediately after the
user becomes idle.
(3) If the user is still active at 23:00, the backup will start at 23:00.
The backup location's host is available
"The backup location's host is available" means that the machine hosting the destination for storing
backups is available over the network.
This condition is effective for network folders, the cloud storage, and locations managed by a
storage node.
This condition does not cover the availability of the location itself — only the host availability. For
example, if the host is available, but the network folder on this host is not shared or the credentials
for the folder are no longer valid, the condition is still considered met.
Example
Data is backed up to a network folder every workday at 21:00. If the machine that hosts the folder is
not available at that moment (for instance, due to maintenance work), you want to skip the backup
and wait for the scheduled start on the next workday.
l Schedule: Daily, Run Monday to Friday. Start at: 21:00.
l Condition: The backup location's host is available.
l Backup start conditions: Skip the scheduled backup.
As a result:
(1) If 21:00 comes and the host is available, the backup will start immediately.
(2) If 21:00 comes but the host is unavailable, the backup will start on the next workday if the host is
available.
(3) If the host is never available on workdays at 21:00, the backup will never start.
Users logged off
Enables you to put a backup on hold until all users log off from Windows.
Example
Run the backup at 20:00 every Friday, preferably when all users are logged off. If one of the users is
still logged on at 23:00, run the backup anyway.
l Schedule: Weekly, on Fridays. Start at: 20:00.
l Condition: Users logged off.
l Backup start conditions: Wait until the conditions are met, Start the backup anyway after 3
hour(s).
As a result:
(1) If all users are logged off at 20:00, the backup will start at 20:00.
(2) If the last user logs off between 20:00 and 23:00, the backup will start immediately after the user
logs off.
(3) If any user is still logged on at 23:00, the backup will start at 23:00.
Fits the time interval
Restricts a backup start time to a specified interval.
Example
A company uses different locations on the same network-attached storage for backing up users'
data and servers. The workday starts at 08:00 and ends at 17:00. Users' data should be backed up as
soon as the users log off, but not earlier than 16:30. Every day at 23:00 the company's servers are
backed up. So, all the users' data should preferably be backed up before this time, in order to free
network bandwidth. It is assumed that backing up users' data takes no more than one hour, so the
latest backup start time is 22:00. If a user is still logged on within the specified time interval, or logs
off at any other time, do not back up the users' data; that is, skip backup execution.
l Event: When a user logs off the system. Specify the user account: Any user.
l Condition: Fits the time interval from 16:30 to 22:00.
l Backup start conditions: Skip the scheduled backup.
As a result:
(1) If the user logs off between 16:30 and 22:00, the backup will start immediately following the
logging off.
(2) If the user logs off at any other time, the backup will be skipped.
Save battery power
Prevents a backup if the device (a laptop or a tablet) is not connected to a power source. Depending
on the value of the Backup start conditions backup option, the skipped backup will or will not be
started after the device is connected to a power source. The following options are available:
l Do not start when on battery
A backup will start only if the device is connected to a power source.
l Start when on battery if the battery level is higher than
A backup will start if the device is connected to a power source or if the battery level is higher
than the specified value.
Example
Data is backed up every workday at 21:00. If the device is not connected to a power source (for
instance, the user is attending a late meeting), you want to skip the backup to save the battery
power and wait until the user connects the device to a power source.
l Schedule: Daily, Run Monday to Friday. Start at: 21:00.
l Condition: Save battery power, Do not start when on battery.
l Backup start conditions: Wait until the conditions are met.
As a result:
(1) If 21:00 comes and the device is connected to a power source, the backup will start immediately.
(2) If 21:00 comes and the device is running on battery power, the backup will start as soon as the
device is connected to a power source.
Do not start when on metered connection
Prevents a backup (including a backup to a local disk) if the device is connected to the Internet by
using a connection that is set as metered in Windows. For more information about metered
connections in Windows, refer to
https://support.microsoft.com/en-us/help/17452/windows-metered-internet-connections-faq.
As an additional measure to prevent backups over mobile hotspots, when you enable the Do not
start when on metered connection condition, the condition Do not start when connected to
the following Wi-Fi networks is enabled automatically. The following network names are specified
by default: "android", "phone", "mobile", and "modem". You can delete these names from the list by
clicking on the X sign.
Example
Data is backed up every workday at 21:00. If the device is connected to the Internet by using a
metered connection (for instance, the user is on a business trip), you want to skip the backup to
save the network traffic and wait for the scheduled start on the next workday.
l Schedule: Daily, Run Monday to Friday. Start at: 21:00.
l Condition: Do not start when on metered connection.
l Backup start conditions: Skip the scheduled backup.
As a result:
(1) If 21:00 comes and the device is not connected to the Internet by using a metered connection,
the backup will start immediately.
(2) If 21:00 comes and the device is connected to the Internet by using a metered connection, the
backup will start on the next workday.
(3) If the device is always connected to the Internet by using a metered connection on workdays at
21:00, the backup will never start.
Do not start when connected to the following Wi-Fi networks
Prevents a backup (including a backup to a local disk) if the device is connected to any of the
specified wireless networks. You can specify the Wi-Fi network names, also known as service set
identifiers (SSID).
The restriction applies to all networks that contain the specified name as a substring in their name,
case-insensitive. For example, if you specify "phone" as the network name, the backup will not start
when the device is connected to any of the following networks: "John's iPhone", "phone_wifi", or
"my_PHONE_wifi".
This condition is useful to prevent backups when the device is connected to the Internet by using a
mobile phone hotspot.
As an additional measure to prevent backups over mobile hotspots, the Do not start when
connected to the following Wi-Fi networks condition is enabled automatically when you enable
the Do not start when on metered connection condition. The following network names are
specified by default: "android", "phone", "mobile", and "modem". You can delete these names from
the list by clicking on the X sign.
Example
Data is backed up every workday at 21:00. If the device is connected to the Internet by using a
mobile hotspot (for example, a laptop is connected in the tethering mode), you want to skip the
backup and wait for the scheduled start on the next workday.
l Schedule: Daily, Run Monday to Friday. Start at: 21:00.
l Condition: Do not start when connected to the following networks, Network name: <SSID
of the hotspot network>.
l Backup start conditions: Skip the scheduled backup.
As a result:
(1) If 21:00 comes and the machine is not connected to the specified network, the backup will start
immediately.
(2) If 21:00 comes and the machine is connected to the specified network, the backup will start on
the next workday.
(3) If the machine is always connected to the specified network on workdays at 21:00, the backup
will never start.
Check device IP address
Prevents a backup (including a backup to a local disk) if any of the device IP addresses are within or
outside of the specified IP address range. The following options are available:
l Start if outside IP range
l Start if within IP range
With either option, you can specify several ranges. Only IPv4 addresses are supported.
This condition is useful in the event of a user being overseas, to avoid large data transit charges.
Also, it helps to prevent backups over a Virtual Private Network (VPN) connection.
Example
Data is backed up every workday at 21:00. If the device is connected to the corporate network by
using a VPN tunnel (for instance, the user is working from home), you want to skip the backup and
wait until the user brings the device to the office.
• Schedule: Daily, Run Monday to Friday. Start at: 21:00.
• Condition: Check device IP address, Start if outside IP range, From: <beginning of the VPN IP address range>, To: <end of the VPN IP address range>.
• Backup start conditions: Wait until the conditions are met.
As a result:
(1) If 21:00 comes and the machine IP address is not in the specified range, the backup will start
immediately.
(2) If 21:00 comes and the machine IP address is in the specified range, the backup will start as soon
as the device obtains a non-VPN IP address.
(3) If the machine IP address is always in the specified range on workdays at 21:00, the backup will
never start.
Retention rules
1. Click How long to keep.
2. In Cleanup, choose one of the following:
• By backup age (default)
Specify how long to keep backups created by the protection plan. By default, the retention
rules are specified for each backup set [1] separately. If you want to use a single rule for all
backups, click Switch to single rule for all backup sets.
• By number of backups
Specify the maximum number of backups to keep.
• By total size of backups
Specify the maximum total size of backups to keep.
This setting is not available with the Always incremental (single-file) backup scheme or
when backing up to the cloud storage.
• Keep backups indefinitely
3. Select when to start the cleanup:
• After backup (default)
The retention rules will be applied after a new backup is created.
• Before backup
The retention rules will be applied before a new backup is created.
This setting is not available when backing up Microsoft SQL Server clusters or Microsoft
Exchange Server clusters.
[1] A group of backups to which an individual retention rule can be applied. For the Custom backup scheme, the backup
sets correspond to the backup methods (Full, Differential, and Incremental). In all other cases, the backup sets are
Monthly, Daily, Weekly, and Hourly. A monthly backup is the first backup created after a month starts. A weekly
backup is the first backup created on the day of the week selected in the Weekly backup option (click the gear icon,
then Backup options > Weekly backup). If a weekly backup is the first backup created after a month starts, this backup
is considered monthly. In this case, a weekly backup will be created on the selected day of the next week. A daily
backup is the first backup created after a day starts, unless this backup falls within the definition of a monthly or
weekly backup. An hourly backup is the first backup created after an hour starts, unless this backup falls within the
definition of a monthly, weekly, or daily backup.
What else you need to know
• The last backup created by the protection plan is kept in all cases, unless you configure a
retention rule to clean up backups before starting a new backup operation and set the number of
backups to keep to zero.
Warning!
If you delete the only backup that you have by applying the retention rules in this way and the
new backup then fails, you will have no backup from which to restore data.
• If, according to the backup scheme and backup format, each backup is stored as a separate file,
this file cannot be deleted until the lifetime of all its dependent (incremental and differential)
backups expires. This requires extra space for storing backups whose deletion is postponed. Also,
the backup age, number, or size of backups may exceed the values you specify.
This behavior can be changed by using the "Backup consolidation" backup option.
• Retention rules are a part of a protection plan. They stop working for a machine's backups as
soon as the protection plan is revoked from the machine, or deleted, or the machine itself is
deleted from the Cyber Protection service. If you no longer need the backups created by the plan,
delete them as described in "Deleting backups".
Replication
You can enable backup replication to copy each backup to a second location immediately after its
creation in the primary backup destination. If earlier backups were not replicated (for example, the
network connection was lost), the software also replicates all of the backups that appeared after the
last successful replication. If backup replication is interrupted in the middle of a process, the data
that was already replicated is not replicated again when replication next starts, which saves time.
Replicated backups do not depend on the backups remaining in the original location and vice versa.
You can recover data from any backup, without access to other locations.
Usage examples
• Reliable disaster recovery
Store your backups both on-site (for immediate recovery) and off-site (to secure the backups
from local storage failure or a natural disaster).
• Using the cloud storage to protect data from a natural disaster
Replicate the backups to the cloud storage by transferring only the data changes.
• Keeping only the latest recovery points
Delete older backups from a fast storage according to retention rules, in order to not overuse
expensive storage space.
Supported locations
You can replicate a backup from any of these locations:
• A local folder
• A network folder
• Secure Zone
You can replicate a backup to any of these locations:
• A local folder
• A network folder
• The cloud storage
To enable replication of backups
1. On the protection plan panel, in the Backup section, click Add location.
Note
The Add location control is available only if replication is supported from the last selected
backup or replication location.
2. From the list of available locations, select the location where the backups will be replicated.
The location appears in the protection plan as 2nd location, 3rd location, 4th location, or 5th
location, depending on the number of locations you added for replication.
3. [Optional] Click the gear icon to view the available replication options for the location.
• Performance and backup window – set the backup window for the chosen location, as
described in "Performance and backup window" (p. 227). These settings will define the
replication performance.
• Remove location – delete the currently selected replication location.
• [Only for the Cloud storage location] Physical Data Shipping – save the initial backup on a
removable storage device and ship it for upload to cloud instead of replicating it over the
Internet. This option is suitable for locations with a slow network connection or when you want
to save bandwidth on big file transfers over the network. Enabling the option does not require
advanced Cyber Protect service quotas, but you will need a Physical Data Shipping service
quota to create a shipping order and track it. See "Physical Data Shipping" (p. 231).
Note
This option is supported with Cyber Protect agent version from release C21.06 or later.
4. [Optional] In the How long to keep row under the location, configure the retention rules for the
selected location, as described in "Retention rules" (p. 194).
5. [Optional] Repeat steps 1 – 4 to add locations where you want to replicate the backups. You can
configure up to four replication locations, as long as replication is supported by the previously
selected backup or replication location.
Important
If you enable backup and replication in the same protection plan, ensure that the replication
completes before the next scheduled backup. If the replication is still in progress, the scheduled
backup will not start. For example, a scheduled backup that runs once every 24 hours will not start
if the replication takes 26 hours to complete.
To avoid this dependency, use a separate plan for backup replication. For more information
about this specific plan, refer to "Backup replication" (p. 614).
Encryption
We recommend that you encrypt all backups that are stored in the cloud storage, especially if your
company is subject to regulatory compliance.
There are no length or complexity requirements for the encryption password.
Warning!
There is no way to recover encrypted backups if you lose or forget the password.
Encryption in a protection plan
To enable encryption, specify the encryption settings when creating a protection plan. After a
protection plan is applied, the encryption settings cannot be modified. To use different encryption
settings, create a new protection plan.
For accounts in the Enhanced security mode, you cannot set the encryption password in a
protection plan. You must set this password locally, on the protected device.
To specify the encryption settings in a protection plan
1. On the protection plan panel in the Backup module settings, enable the Encryption switch.
2. Specify and confirm the encryption password.
3. Select one of the following encryption algorithms:
• AES 128 – the backups will be encrypted by using the Advanced Encryption Standard (AES)
algorithm with a 128-bit key.
• AES 192 – the backups will be encrypted by using the AES algorithm with a 192-bit key.
• AES 256 – the backups will be encrypted by using the AES algorithm with a 256-bit key.
4. Click OK.
Encryption as a machine property
You can enforce encryption of backups or set a unique encryption password for a machine,
regardless of the settings in its protection plan. The backups will be encrypted using the AES
algorithm with a 256-bit key.
Saving the encryption settings on a machine affects the protection plans in the following way:
• Protection plans that are already applied to the machine. If the encryption settings in a
protection plan are different, the backups will fail.
• Protection plans that will be applied to the machine later. The encryption settings saved on
a machine will override the encryption settings in a protection plan. Any backup will be encrypted,
even if encryption is disabled in the Backup module settings.
This option can also be used on a machine running Agent for VMware. However, be careful if you
have more than one Agent for VMware connected to the same vCenter Server. It is mandatory to
use the same encryption settings for all of the agents, because there is a type of load balancing
among them.
Important
Change the encryption settings on a machine only before its protection plan creates any backups. If
you change the encryption settings later, the protection plan will fail and you will need a new
protection plan to continue backing up this machine.
After the encryption settings are saved, they can be changed or reset as described below.
To save the encryption settings on a machine
1. Log on as an administrator (in Windows) or the root user (in Linux).
2. Run the following script:
• In Windows: <installation_path>\PyShell\bin\acropsh.exe -m manage_creds --set-password <encryption_password>
Here, <installation_path> is the protection agent installation path. By default, it is
%ProgramFiles%\BackupClient.
• In Linux: /usr/sbin/acropsh -m manage_creds --set-password <encryption_password>
• In a virtual appliance: /./sbin/acropsh -m manage_creds --set-password <encryption_password>
To reset the encryption settings on a machine
1. Log on as an administrator (in Windows) or root user (in Linux).
2. Run the following script:
• In Windows: <installation_path>\PyShell\bin\acropsh.exe -m manage_creds --reset
Here, <installation_path> is the protection agent installation path. By default, it is
%ProgramFiles%\BackupClient.
• In Linux: /usr/sbin/acropsh -m manage_creds --reset
• In a virtual appliance: /./sbin/acropsh -m manage_creds --reset
To change the encryption settings by using the Cyber Protect Monitor
1. Log on as an administrator in Windows or macOS.
2. Click the Cyber Protect Monitor icon in the notification area (in Windows) or the menu bar (in
macOS).
3. Click the gear icon.
4. Click Encryption.
5. Do one of the following:
• Select Set a specific password for this machine. Specify and confirm the encryption
password.
• Select Use encryption settings specified in the protection plan.
6. Click OK.
How the encryption works
The AES cryptographic algorithm operates in the Cipher-block chaining (CBC) mode and uses a
randomly generated key with a user-defined size of 128, 192 or 256 bits. The larger the key size, the
longer it will take for the program to encrypt the backups and the more secure your data will be.
The encryption key is then encrypted with AES-256 using an SHA-2 (256-bit) hash of the password as
a key. The password itself is not stored anywhere on the disk or in the backups; the password hash
is used for verification purposes. With this two-level security, the backup data is protected from any
unauthorized access, but recovering a lost password is not possible.
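The two-level key scheme described above, modeled as an added example (not Acronis code). The wrapping mode for the data key, the IV handling, PKCS#7 padding and the dictionary layout are assumptions that the page does not specify; the verification hash it mentions is not modeled, and the third-party cryptography package is required.

```python
import hashlib
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def _aes_cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """AES-CBC with PKCS#7 padding (padding scheme is an assumption)."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(data) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def _aes_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(data) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def password_key(password: str) -> bytes:
    """Level 2 key: the SHA-256 hash of the password, used as an AES-256 key."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def encrypt_backup(data: bytes, password: str, key_bits: int = 256) -> dict:
    if key_bits not in (128, 192, 256):
        raise ValueError("key size must be 128, 192 or 256 bits")
    data_key = os.urandom(key_bits // 8)  # level 1: random key for the backup data
    data_iv, key_iv = os.urandom(16), os.urandom(16)
    return {
        "data_iv": data_iv,
        "ciphertext": _aes_cbc_encrypt(data_key, data_iv, data),
        "key_iv": key_iv,
        # Assumption: the data key is wrapped with AES-256-CBC; the page names no mode.
        "wrapped_key": _aes_cbc_encrypt(password_key(password), key_iv, data_key),
    }


def decrypt_backup(blob: dict, password: str):
    """Return the plaintext for the right password.

    A wrong password returns None in almost all cases; this model has no
    integrity check, so rare garbage output is possible instead.
    """
    try:
        data_key = _aes_cbc_decrypt(password_key(password), blob["key_iv"], blob["wrapped_key"])
        return _aes_cbc_decrypt(data_key, blob["data_iv"], blob["ciphertext"])
    except ValueError:  # bad padding or an unusable key length after unwrapping
        return None


SAMPLE_DATA = b"constructed sample backup contents"  # constructed input

if __name__ == "__main__":
    blob = encrypt_backup(SAMPLE_DATA, "correct horse battery staple", key_bits=192)
    print("stored fields:", sorted(blob))  # neither the password nor the data key is stored
    print("right password:", decrypt_backup(blob, "correct horse battery staple"))
    print("wrong password:", decrypt_backup(blob, "not the password"))
```

Whichever AES key size is selected, the wrapped data key is only as hard to recover as the password is to guess, so with no length or complexity requirements enforced, the password should be long and randomly generated.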
Notarization
Note
The availability of this feature depends on the service quotas that are enabled for your account.
Notarization enables you to prove that a file is authentic and unchanged since it was backed up. We
recommend that you enable notarization when backing up your legal document files or other files
that require proved authenticity.
Notarization is available only for file-level backups. Files that have a digital signature are skipped,
because they do not need to be notarized.
Notarization is not available:
• If the backup format is set to Version 11
• If the backup destination is Secure Zone
How to use notarization
To enable notarization of all files selected for backup (except for the files that have a digital
signature), enable the Notarization switch when creating a protection plan.
When configuring recovery, the notarized files will be marked with a special icon, and you can verify
the file authenticity.
How it works
During a backup, the agent calculates the hash codes of the backed-up files, builds a hash tree
(based on the folder structure), saves the tree in the backup, and then sends the hash tree root to
the notary service. The notary service saves the hash tree root in the Ethereum blockchain database
to ensure that this value does not change.
When verifying the file authenticity, the agent calculates the hash of the file, and then compares it
with the hash that is stored in the hash tree inside the backup. If these hashes do not match, the file
is considered not authentic. Otherwise, the file authenticity is guaranteed by the hash tree.
To verify that the hash tree itself was not compromised, the agent sends the hash tree root to the
notary service. The notary service compares it with the one stored in the blockchain database. If the
hashes match, the selected file is guaranteed to be authentic. Otherwise, the software displays a
message that the file is not authentic.
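The notarization flow described above, as an added example that is not Acronis code: it builds a hash tree over a constructed folder, notarizes the root, and runs both verification checks. SHA-256, the node encoding, and the in-memory Notary class standing in for the blockchain-backed notary service are assumptions.

```python
import hashlib


def digest(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so (b"ab", b"c") and (b"a", b"bc") differ."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.digest()


def file_hash(content: bytes) -> bytes:
    return digest(b"file", content)


def build_tree(entry):
    """Mirror the folder structure: bytes is a file, dict is a folder."""
    if isinstance(entry, bytes):
        return {"hash": file_hash(entry)}
    return {"children": {name: build_tree(child) for name, child in entry.items()}}


def root_hash(node) -> bytes:
    """Fold the stored file hashes up the folder structure into one root value."""
    if "hash" in node:
        return node["hash"]
    parts = [b"dir"]
    for name in sorted(node["children"]):
        parts += [name.encode("utf-8"), root_hash(node["children"][name])]
    return digest(*parts)


class Notary:
    """Stand-in for the notary service; a set replaces the blockchain database."""

    def __init__(self):
        self._roots = set()

    def notarize(self, root: bytes) -> None:
        self._roots.add(root)

    def is_notarized(self, root: bytes) -> bool:
        return root in self._roots


def verify_file(tree, path: str, content: bytes, notary: Notary) -> str:
    node = tree
    for name in path.split("/"):
        node = node.get("children", {}).get(name)
        if node is None:
            return "not in backup"
    if "hash" not in node:
        return "not a file"
    # Check 1: the file's hash must equal the hash stored in the tree inside the backup.
    if file_hash(content) != node["hash"]:
        return "not authentic: file hash differs from the hash tree"
    # Check 2: the tree itself must be intact, so its root must be the notarized one.
    if not notary.is_notarized(root_hash(tree)):
        return "not authentic: hash tree root is not notarized"
    return "authentic"


# Constructed sample folder: names map to file contents or to sub-folders.
SAMPLE_FOLDER = {
    "contracts": {"nda.pdf": b"NDA v1", "lease.pdf": b"Lease 2022"},
    "readme.txt": b"hello",
}


def run_demo() -> dict:
    tree = build_tree(SAMPLE_FOLDER)
    notary = Notary()
    notary.notarize(root_hash(tree))  # done once, at backup time
    results = {
        "unchanged": verify_file(tree, "contracts/nda.pdf", b"NDA v1", notary),
        "edited file": verify_file(tree, "contracts/nda.pdf", b"NDA v2", notary),
    }
    # The stored leaf hash is rewritten to match the edited file: check 1 now
    # passes, but the recomputed root no longer matches the notarized value.
    tree["children"]["contracts"]["children"]["nda.pdf"]["hash"] = file_hash(b"NDA v2")
    results["edited file and tree"] = verify_file(tree, "contracts/nda.pdf", b"NDA v2", notary)
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict}")
```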
Starting a backup manually
1. Select a machine that has at least one applied protection plan.
2. Click Protect.
3. If more than one protection plan is applied, select the protection plan.
4. Do one of the following:
• Click Run now. An incremental backup will be created.
• If the backup scheme includes several backup methods, you can choose the method to use.
Click the arrow on the Run now button, and then select Full, Incremental, or Differential.
The first backup created by a protection plan is always full.
The backup progress is shown in the Status column for the machine.
Default backup options
The default values of backup options exist at the company, unit, and user level. When a unit or a
user account is created within a company or within a unit, it inherits the default values set for the
company or for the unit.
Company administrators, unit administrators, and every user without the administrator rights can
change a default option value from the pre-defined one. The new value will be used by default in
all protection plans created at the respective level after the change takes place.
When creating a protection plan, a user can override a default value with a custom value that will be
specific for this plan only.
To change a default option value
1. Do one of the following:
• To change the default value for the company, sign in to the service console as a company
administrator.
• To change the default value for a unit, sign in to the service console as an administrator of the
unit.
• To change the default value for yourself, sign in to the service console by using an account
without the administrator rights.
2. Click Settings > System settings.
3. Expand the Default backup options section.
4. Select the option, and then make the necessary changes.
5. Click Save.
Backup options
To modify the backup options, click Change next to Backup options in the Backup module of the
protection plan.
Availability of the backup options
The set of available backup options depends on:
• The environment the agent operates in (Windows, Linux, macOS).
• The type of the data being backed up (disks, files, virtual machines, application data).
• The backup destination (the cloud storage, local or network folder).
The following table summarizes the availability of the backup options.
                                                                  Disk-level backup             File-level backup             Virtual machines              SQL and Exchange
Option                                                            Windows   Linux     macOS     Windows   Linux     macOS     ESXi      Hyper-V   Virtuozzo Windows
Alerts                                                            +         +         +         +         +         +         +         +         +         +
Backup consolidation                                              +         +         +         +         +         +         +         +         +         -
Backup file name                                                  +         +         +         +         +         +         +         +         +         +
Backup format                                                     +         +         +         +         +         +         +         +         +         +
Backup validation                                                 +         +         +         +         +         +         +         +         +         +
Changed block tracking (CBT)                                      +         -         -         -         -         -         +         +         -         -
Cluster backup mode                                               -         -         -         -         -         -         -         -         -         +
Compression level                                                 +         +         +         +         +         +         +         +         +         +
Error handling
  Re-attempt, if an error occurs                                  +         +         +         +         +         +         +         +         +         +
  Do not show messages and dialogs while processing (silent mode) +         +         +         +         +         +         +         +         +         +
  Ignore bad sectors                                              +         -         +         +         -         +         +         +         +         -
  Re-attempt, if an error occurs during VM snapshot creation      -         -         -         -         -         -         +         +         +         -
Fast incremental/differential backup                              +         +         +         -         -         -         -         -         -         -
File-level backup snapshot                                        -         -         -         +         +         +         -         -         -         -
File filters                                                      +         +         +         +         +         +         +         +         +         -
Forensic data                                                     +         -         -         -         -         -         -         -         -         -
Log truncation                                                    -         -         -         -         -         -         +         +         -         SQL only
LVM snapshotting                                                  -         +         -         -         -         -         -         -         -         -
Mount points                                                      -         -         -         +         -         -         -         -         -         -
Multi-volume snapshot                                             +         +         -         +         +         -         -         -         -         -
Performance and backup window                                     +         +         +         +         +         +         +         +         +         +
Physical Data Shipping                                            +         +         +         +         +         +         +         +         +         -
Pre/Post commands                                                 +         +         +         +         +         +         +         +         +         +
Pre/Post data capture commands                                    +         +         +         +         +         +         -         -         -         +
Scheduling
  Distribute start times within a time window                     +         +         +         +         +         +         +         +         +         +
  Limit the number of simultaneously running backups              -         -         -         -         -         -         +         +         +         -
Sector-by-sector backup                                           +         +         -         -         -         -         +         +         +         -
Splitting                                                         +         +         +         +         +         +         +         +         +         +
Task failure handling                                             +         +         +         +         +         +         +         +         +         +
Task start conditions                                             +         +         -         +         +         -         +         +         +         +
Volume Shadow Copy Service (VSS)                                  +         -         -         +         -         -         -         +         -         +
Volume Shadow Copy Service (VSS) for virtual machines             -         -         -         -         -         -         +         +         -         -
Weekly backup                                                     +         +         +         +         +         +         +         +         +         +
Windows event log                                                 +         -         -         +         -         -         +         +         -         +
Alerts
No successful backups for a specified number of consecutive days
The preset is: Disabled.
This option determines whether to generate an alert if no successful backups were performed by
the protection plan for a specified period of time. In addition to failed backups, the software counts
backups that did not run on schedule (missed backups).
The alerts are generated on a per-machine basis and are displayed on the Alerts tab.
You can specify the number of consecutive days without backups after which the alert is generated.
Backup consolidation
This option defines whether to consolidate backups during cleanup or to delete entire backup
chains.
The preset is: Disabled.
Consolidation is the process of combining two or more subsequent backups into a single backup.
If this option is enabled, a backup that should be deleted during cleanup is consolidated with the
next dependent backup (incremental or differential).
Otherwise, the backup is retained until all dependent backups become subject to deletion. This
helps avoid the potentially time-consuming consolidation, but requires extra space for storing
backups whose deletion is postponed. The backups' age or number can exceed the values specified
in the retention rules.
Important
Please be aware that consolidation is just a method of deletion, but not an alternative to deletion.
The resulting backup will not contain data that was present in the deleted backup and was absent
from the retained incremental or differential backup.
This option is not effective if any of the following is true:
• The backup destination is the cloud storage.
• The backup scheme is set to Always incremental (single-file).
• The backup format is set to Version 12.
Backups stored in the cloud storage, as well as single-file backups (both version 11 and 12 formats),
are always consolidated because their inner structure makes for fast and easy consolidation.
However, if version 12 format is used, and multiple backup chains are present (every chain being
stored in a separate .tibx file), consolidation works only within the last chain. Any other chain is
deleted as a whole, except for the first one, which is shrunk to the minimum size to keep the meta
information (~12 KB). This meta information is required to ensure the data consistency during
simultaneous read and write operations. The backups included in these chains disappear from the
GUI as soon as the retention rule is applied, although they physically exist until the entire chain is
deleted.
In all other cases, backups whose deletion is postponed are marked with the trash can icon in
the GUI. If you delete such a backup by clicking the X sign, consolidation will be performed.
Backup file name
This option defines the names of the backup files created by the protection plan.
These names can be seen in a file manager when browsing the backup location.
What is a backup file?
Each protection plan creates one or more files in the backup location, depending on which backup
scheme and which backup format is used. The following table lists the files that can be created per
machine or mailbox.
Backup format             Always incremental (single-file)          Other backup schemes
Version 11 backup format  One TIB file and one XML metadata file    Multiple TIB files and one XML metadata file
Version 12 backup format  Both schemes: One TIBX file per backup chain (a full or differential backup, and all
                          incremental backups that depend on it). If the size of a file stored in a local or network (SMB)
                          folder exceeds 200 GB, the file is split to 200-GB files by default.
All files have the same name, with or without the addition of a timestamp or a sequence number.
You can define this name (referred to as the backup file name) when creating or editing a protection
plan.
Note
Timestamp is added to the backup file name only in the version 11 backup format.
After you change a backup file name, the next backup will be a full backup, unless you specify a file
name of an existing backup of the same machine. If the latter is the case, a full, incremental, or
differential backup will be created according to the protection plan schedule.
Note that it is possible to set backup file names for locations that cannot be browsed by a file
manager (such as the cloud storage). This makes sense if you want to see the custom names on the
Backup storage tab.
Where can I see backup file names?
Select the Backup storage tab, and then select the group of backups.
• The default backup file name is shown on the Details panel.
• If you set a non-default backup file name, it will be shown directly on the Backup storage tab, in
the Name column.
Limitations for backup file names
• A backup file name cannot end with a digit.
In the default backup file name, to prevent the name from ending with a digit, the letter "A" is
appended. When creating a custom name, always make sure that it does not end with a digit.
When using variables, the name must not end with a variable, because a variable might end with
a digit.
• A backup file name cannot contain the following symbols: ()&?*$<>":\|/#, line endings (\n), and
tabs (\t).
Default backup file name
The default backup file name for backups of entire physical and virtual machines, disks/volumes,
files/folders, Microsoft SQL Server databases, Microsoft Exchange Server databases, and ESXi
configuration is [Machine Name]-[Plan ID]-[Unique ID]A.
The default name for Exchange mailbox backups and Microsoft 365 mailbox backups created by a
local Agent for Microsoft 365 is [Mailbox ID]_mailbox_[Plan ID]A.
The default name for cloud application backups created by cloud agents is
[Resource Name]_[Resource Type]_[Resource Id]_[Plan Id]A.
The default name consists of the following variables:
• [Machine Name] This variable is replaced with the name of the machine (the same name that is
shown in the service console).
• [Plan ID], [Plan Id] These variables are replaced with the unique identifier of the protection
plan. This value does not change if the plan is renamed.
• [Unique ID] This variable is replaced with the unique identifier of the selected machine. This
value does not change if the machine is renamed.
• [Mailbox ID] This variable is replaced with the mailbox user's principal name (UPN).
• [Resource Name] This variable is replaced with the cloud data source name, such as the user's
principal name (UPN), SharePoint site URL, or Shared drive name.
• [Resource Type] This variable is replaced with the cloud data source type, such as mailbox,
O365Mailbox, O365PublicFolder, OneDrive, SharePoint, GDrive.
• [Resource ID] This variable is replaced with the unique identifier of the cloud data source. This
value does not change if the cloud data source is renamed.
• "A" is a safeguard letter that is appended to prevent the name from ending with a digit.
The diagram below shows the default backup file name.
The diagram below shows the default backup file name for Microsoft 365 mailbox backups
performed by a local agent.
Names without variables
If you change the backup file name to MyBackup, the backup files will look like the following
examples. Both examples assume daily incremental backups scheduled at 14:40, starting from
September 13, 2016.
For the version 12 format with the Always incremental (single-file) backup scheme:
MyBackup.tibx
For the version 12 format with other backup schemes:
MyBackup.tibx
MyBackup-0001.tibx
MyBackup-0002.tibx
...
Using variables
Besides the variables that are used by default, you can use the following variables:
• The [Plan name] variable, which is replaced with the name of the protection plan.
• The [Virtualization Server Type] variable, which is replaced with "vmwesx" if virtual machines
are backed up by Agent for VMware or with "mshyperv" if virtual machines are backed up by
Agent for Hyper-V.
If multiple machines or mailboxes are selected for backup, the backup file name must contain the
[Machine Name], the [Unique ID], the [Mailbox ID], the [Resource Name], or the [Resource Id]
variable.
Usage examples
• View user-friendly file names
You want to easily distinguish backups when browsing the backup location with a file manager.
• Continue an existing sequence of backups
Let's assume a protection plan is applied to a single machine, and you have to remove this
machine from the service console or to uninstall the agent along with its configuration settings.
After the machine is re-added or the agent is reinstalled, you can force the protection plan to
continue backing up to the same backup or backup sequence. To do this, in the backup options of
the protection plan, click Backup file name, and then click Select to select the desired backup.
The Select button shows the backups in the location selected in the Where to back up section of
the protection plan panel. It cannot browse anything outside this location.
Note
The Select button is only available for protection plans that are created for and applied to a
single device.
Backup format
The Backup format option defines the format of the backups created by the protection plan. This
option is available only for protection plans that already use the version 11 backup format. If this is
the case, you can change the backup format to version 12. After you switch the backup format to
version 12, the option becomes unavailable.
• Version 11
The legacy format preserved for backward compatibility.
Note
You cannot back up Database Availability Groups (DAG) by using the backup format version 11.
Backing up of DAG is supported only in the version 12 format.
• Version 12
The backup format that was introduced in Acronis Backup 12 for faster backup and recovery.
Each backup chain (a full or differential backup, and all incremental backups that depend on it) is
saved to a single TIBX file.
Backup format and backup files
For backup locations that can be browsed with a file manager (such as local or network folders), the
backup format determines the number of files and their extension. The following table lists the files
that can be created per machine or mailbox.
Backup format             Always incremental (single-file)          Other backup schemes
Version 11 backup format  One TIB file and one XML metadata file    Multiple TIB files and one XML metadata file
Version 12 backup format  Both schemes: One TIBX file per backup chain (a full or differential backup, and all
                          incremental backups that depend on it). If the size of a file stored in a local or network (SMB)
                          folder exceeds 200 GB, the file is split to 200-GB files by default.
Changing the backup format to version 12 (TIBX)
If you change the backup format from version 11 (TIB format) to version 12 (TIBX format):
• The next backup will be full.
• In backup locations that can be browsed with a file manager (such as local or network folders), a
new TIBX file will be created. The new file will have the name of the original file, appended with
the _v12A suffix.
• Retention rules and replication will be applied only to the new backups.
• The old backups will not be deleted and will remain available on the Backup storage tab. You
can delete them manually.
• The old cloud backups will not consume the Cloud storage quota.
• The old local backups will consume the Local backup quota until you delete them manually.
In-archive deduplication
The TIBX backup format of version 12 supports in-archive deduplication that brings the following
advantages:
• Significantly reduced backup size, with built-in block-level deduplication for any type of data
• Efficient handling of hard links ensures that there are no storage duplicates
• Hash-based chunking
Note
In-archive deduplication is enabled by default for all backups in the TIBX format. You do not have to
enable it in the backup options, and you cannot disable it.
Backup validation
Validation is an operation that checks the possibility of data recovery from a backup. When this
option is enabled, each backup created by the protection plan is validated immediately after
creation. This operation is performed by the protection agent.
The preset is: Disabled.
Validation calculates a checksum for every data block that can be recovered from the backup. The
only exception is validation of file-level backups that are located in the cloud storage. These backups
are validated by checking consistency of the metadata saved in the backup.
Validation is a time-consuming process, even for incremental or differential backups, which are
small in size. This is because the operation validates not only the data physically contained in the
backup, but all of the data recoverable by selecting the backup. This requires access to previously
created backups.
While successful validation means a high probability of successful recovery, it does not check all
factors that influence the recovery process. If you back up the operating system, we recommend
performing a test recovery under the bootable media to a spare hard drive or running a virtual
machine from the backup in the ESXi or Hyper-V environment.
Note
Depending on the settings chosen by your service provider, validation might not be available when
backing up to the cloud storage.
Changed block tracking (CBT)
This option is effective for the following backups:
• Disk-level backups of virtual machines
• Disk-level backups of physical machines running Windows
• Backups of Microsoft SQL Server databases
• Backups of Microsoft Exchange Server databases
The preset is: Enabled.
This option determines whether to use Changed Block Tracking (CBT) when performing an
incremental or differential backup.
The CBT technology accelerates the backup process. Changes to the disk or database content are
continuously tracked at the block level. When a backup starts, the changes can be immediately
saved to the backup.
Cluster backup mode
Note
The availability of this feature depends on the service quotas that are enabled for your account.
These options are effective for database-level backup of Microsoft SQL Server and Microsoft
Exchange Server.
These options are effective only if the cluster itself (Microsoft SQL Server Always On Availability
Groups (AAG) or Microsoft Exchange Server Database Availability Group (DAG)) is selected for
backup, rather than the individual nodes or databases inside of it. If you select individual items
inside the cluster, the backup will not be cluster-aware and only the selected copies of the items will
be backed up.
Microsoft SQL Server
This option determines the backup mode for SQL Server Always On Availability Groups (AAG). For
this option to be effective, Agent for SQL must be installed on all of the AAG nodes. For more
information about backing up Always On Availability Groups, refer to "Protecting Always On
Availability Groups (AAG)".
The preset is: Secondary replica if possible.
You can choose one of the following:
• Secondary replica if possible
If all secondary replicas are offline, the primary replica is backed up. Backing up the primary
replica may slow down the SQL Server operation, but the data will be backed up in the most
recent state.
• Secondary replica
If all secondary replicas are offline, the backup will fail. Backing up secondary replicas does not
affect the SQL server performance and allows you to extend the backup window. However,
passive replicas may contain information that is not up-to-date, because such replicas are often
set to be updated asynchronously (lagged).
• Primary replica
If the primary replica is offline, the backup will fail. Backing up the primary replica may slow down
the SQL Server operation, but the data will be backed up in the most recent state.
Regardless of the value of this option, to ensure the database consistency, the software skips
databases that are not in the SYNCHRONIZED or SYNCHRONIZING states when the backup starts.
If all databases are skipped, the backup fails.
Microsoft Exchange Server
This option determines the backup mode for Exchange Server Database Availability Groups (DAG).
For this option to be effective, Agent for Exchange must be installed on all of the DAG nodes. For
more information about backing up Database Availability Groups, refer to "Protecting Database
Availability Groups (DAG)".
The preset is: Passive copy if possible.
You can choose one of the following:
• Passive copy if possible
If all passive copies are offline, the active copy is backed up. Backing up the active copy may slow
down the Exchange Server operation, but the data will be backed up in the most recent state.
• Passive copy
If all passive copies are offline, the backup will fail. Backing up passive copies does not affect the
Exchange Server performance and allows you to extend the backup window. However, passive
copies may contain information that is not up-to-date, because such copies are often set to be
updated asynchronously (lagged).
• Active copy
If the active copy is offline, the backup will fail. Backing up the active copy may slow down the
Exchange Server operation, but the data will be backed up in the most recent state.
Regardless of the value of this option, to ensure the database consistency, the software skips
databases that are not in the HEALTHY or ACTIVE states when the backup starts. If all databases are
skipped, the backup fails.
Compression level
Note
This option is not available for cloud-to-cloud backups. Compression for these backups is enabled
by default with a fixed level that corresponds to the Normal level below.
The option defines the level of compression applied to the data being backed up. The available
levels are: None, Normal, High, Maximum.
The preset is: Normal.
A higher compression level means that the backup process takes more time, but the resulting
backup occupies less space. Currently, the High and Maximum levels work similarly.
The optimal data compression level depends on the type of data being backed up. For example,
even maximum compression will not significantly reduce the backup size if the backup contains
essentially compressed files, such as .jpg, .pdf or .mp3. However, formats such as .doc or .xls will be
compressed well.
Error handling
These options enable you to specify how to handle errors that might occur during backup.
Re-attempt, if an error occurs
The preset is: Enabled. Number of attempts: 30. Interval between attempts: 30 seconds.
When a recoverable error occurs, the program re-attempts to perform the unsuccessful operation.
You can set the time interval and the number of attempts. The attempts will be stopped as soon as
the operation succeeds or the specified number of attempts are performed, depending on which
comes first.
For example, if the backup destination on the network becomes unavailable or not reachable during
a running backup, the software will attempt to reach the destination every 30 seconds, but no more
than 30 times. The attempts will be stopped as soon as the connection is resumed or the specified
number of attempts is performed, depending on which comes first.
However, if the backup destination is not available when the backup starts, only 10 attempts will be
made.
Cloud storage
If the cloud storage is selected as a backup destination, the option value is automatically set to
Enabled. Number of attempts: 300. Interval between attempts: 30 seconds.
In this case, the actual number of attempts is unlimited, but the timeout before the backup failure is
calculated as follows: (300 seconds + Interval between attempts) * (Number of attempts + 1).
Examples:
• With the default values, the backup will fail after (300 seconds + 30 seconds) * (300 + 1) = 99330
seconds, or ~27.6 hours.
• If you set Number of attempts to 1 and Interval between attempts to 1 second, the backup
will fail after (300 seconds + 1 second) * (1 + 1) = 602 seconds, or ~10 minutes.
If the calculated timeout exceeds 30 minutes, and the data transfer has not started yet, the actual
timeout is set to 30 minutes.
Do not show messages and dialogs while processing (silent mode)
The preset is: Enabled.
With the silent mode enabled, the program will automatically handle situations requiring user
interaction (except for handling bad sectors, which is defined as a separate option). If an operation
cannot continue without user interaction, it will fail. Details of the operation, including errors, if any,
can be found in the operation log.
Ignore bad sectors
The preset is: Disabled.
When this option is disabled, each time the program comes across a bad sector, the backup activity
will be assigned the Interaction required status. In order to back up the valid information on a
rapidly dying disk, enable ignoring bad sectors. The rest of the data will be backed up and you will
be able to mount the resulting disk backup and extract valid files to another disk.
Note
Skipping bad sectors is not supported on Linux. You can back up Linux systems with bad sectors in
offline mode, by using the bootable media builder in the on-premises version of Cyber Protect.
Using the on-premises bootable media builder requires a separate license. Contact support for
assistance.
Re-attempt, if an error occurs during VM snapshot creation
The preset is: Enabled. Number of attempts: 3. Interval between attempts: 5 minutes.
When taking a virtual machine snapshot fails, the program re-attempts to perform the unsuccessful
operation. You can set the time interval and the number of attempts. The attempts will be stopped
as soon as the operation succeeds OR the specified number of attempts are performed, depending
on which comes first.
Fast incremental/differential backup
This option is effective for incremental and differential disk-level backup.
This option is not effective (always disabled) for volumes formatted with the JFS, ReiserFS3,
ReiserFS4, ReFS, or XFS file systems.
The preset is: Enabled.
Incremental or differential backup captures only data changes. To speed up the backup process, the
program determines whether a file has changed or not by the file size and the date/time when the
file was last modified. Disabling this feature will make the program compare the entire file contents
to those stored in the backup.
File filters
File filters define which files and folders to skip during the backup process.
File filters are available for disk-level backups, entire machine backups, and file-level backups, unless
stated otherwise.
To enable file filters
1. Select the data to back up.
2. Click Change next to Backup options.
3. Select File filters.
4. Use any of the options described below.
Exclude files matching specific criteria
There are two options that function in an inverse manner.
• Back up only files matching the following criteria
Example: If you select to back up the entire machine and specify C:\File.exe in the filter criteria,
only this file will be backed up.
Note
This filter is not effective for file-level backup if Version 11 is selected in Backup format and the
backup destination is NOT cloud storage.
• Do not back up files matching the following criteria
Example: If you select to back up the entire machine and specify C:\File.exe in the filter criteria,
only this file will be skipped.
It is possible to use both options simultaneously. The latter option overrides the former, i.e. if you
specify C:\File.exe in both fields, this file will be skipped during a backup.
Criteria
• Full path
Specify the full path to the file or folder, starting with the drive letter (when backing up Windows)
or the root directory (when backing up Linux or macOS).
Both in Windows and Linux/macOS, you can use a forward slash in the file or folder path (as in
C:/Temp/File.tmp). In Windows, you can also use the traditional backslash (as in
C:\Temp\File.tmp).
• Name
Specify the name of the file or folder, such as Document.txt. All files and folders with that name
will be selected.
The criteria are not case-sensitive. For example, by specifying C:\Temp, you will also select C:\TEMP,
C:\temp, and so on.
You can use one or more wildcard characters (*, **, and ?) in the criterion. These characters can be
used both within the full path and in the file or folder name.
The asterisk (*) substitutes for zero or more characters in a file name. For example, the criterion
Doc*.txt matches files such as Doc.txt and Document.txt.
[Only for backups in the Version 12 format] The double asterisk (**) substitutes for zero or more
characters in a file name and path, including the slash character. For example, the criterion
**/Docs/**.txt matches all txt files in all subfolders of all folders Docs.
The question mark (?) substitutes for exactly one character in a file name. For example, the criterion
Doc?.txt matches files such as Doc1.txt and Docs.txt, but not the files Doc.txt or Doc11.txt.
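The following added example (not Acronis code) models the criteria rules above for the Version 12 format so that a filter set can be previewed against a list of paths before it silently drops data from a backup. The function names are hypothetical, and treating a criterion that matches a folder as also selecting everything under that folder is an assumption.

```python
import re


def _normalize(path):
    """Apply the guide's equivalences: '\\' and '/' are interchangeable, case is ignored."""
    return path.replace("\\", "/").rstrip("/").lower()


def criterion_to_regex(criterion):
    """Translate one filter criterion into a regex over a normalized path."""
    norm = _normalize(criterion)
    out, i = [], 0
    while i < len(norm):
        if norm.startswith("**", i):   # zero or more characters, slash included
            out.append(".*")
            i += 2
        elif norm[i] == "*":           # zero or more characters of one name
            out.append("[^/]*")
            i += 1
        elif norm[i] == "?":           # exactly one character of one name
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(norm[i]))
            i += 1
    return re.compile("".join(out))


def matches(criterion, path):
    """True if the criterion selects the path or (assumption) a folder above it."""
    rx = criterion_to_regex(criterion)
    parts = _normalize(path).split("/")
    if "/" in _normalize(criterion):
        # "Full path" criterion: test the path itself and every ancestor folder.
        candidates = ["/".join(parts[:n]) for n in range(1, len(parts) + 1)]
    else:
        # "Name" criterion: test every file or folder name along the path.
        candidates = parts
    return any(c and rx.fullmatch(c) for c in candidates)


def is_backed_up(path, only=(), exclude=()):
    """Combine both filter fields; the 'do not back up' field overrides the other."""
    if only and not any(matches(c, path) for c in only):
        return False
    return not any(matches(c, path) for c in exclude)


def skipped(paths, only=(), exclude=()):
    """Preview: the paths that a filter set would leave out of the backup."""
    return [p for p in paths if not is_backed_up(p, only, exclude)]


if __name__ == "__main__":
    # Constructed sample paths, not taken from a real machine.
    sample = [r"C:\Docs\a.txt", r"C:\Docs\sub\b.txt", r"C:\Docs\c.pdf",
              r"C:\Temp\cache\x.tmp"]
    for p in skipped(sample, exclude=["**/Docs/**.txt", r"C:\Temp"]):
        print("would be skipped:", p)
```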
File-level backup snapshot
This option is effective only for file-level backup.
This option defines whether to back up files one by one or by taking an instant data snapshot.
Note
Files that are stored on network shares are always backed up one by one.
The preset is:
• If only machines running Linux are selected for backup: Do not create a snapshot.
• Otherwise: Create snapshot if it is possible.
You can select one of the following:
• Create a snapshot if it is possible
Back up files directly if taking a snapshot is not possible.
• Always create a snapshot
The snapshot enables backing up of all files including files opened for exclusive access. The files
will be backed up at the same point in time. Choose this setting only if these factors are critical,
that is, backing up files without a snapshot does not make sense. If a snapshot cannot be taken,
the backup will fail.
• Do not create a snapshot
Always back up files directly. Trying to back up files that are opened for exclusive access will
result in a read error. Files in the backup may not be time-consistent.
Forensic data
Viruses, malware, and ransomware can carry out malicious activities, such as stealing or changing
data. These activities may need to be investigated, which is possible only if digital evidence is
provided. However, pieces of digital evidence, such as files or activity traces, may be deleted or the
machine on which the malicious activity happened may become unavailable.
Backups with forensic data allow investigators to analyze disk areas that are not usually included in
a regular disk backup. The Forensic data backup option allows you to collect the following pieces of
digital evidence that can be used in forensic investigations: snapshots of unused disk space,
memory dumps, and snapshots of running processes.
Backups with forensic data are automatically notarized.
The Forensic data option is available only for entire machine backups of Windows machines that
run the following operating systems:
• Windows 8.1, Windows 10
• Windows Server 2012 R2 – Windows Server 2019
Backups with forensic data are not available for the following machines:
• Machines that are connected to your network through VPN and do not have direct access to the
Internet
• Machines with disks that are encrypted by BitLocker
Note
You cannot modify the forensic data settings after you apply a protection plan with enabled Backup
module to a machine. To use different forensic data settings, create a new protection plan.
You can store backups with forensic data in the following locations:
• Cloud storage
• Local folder
Note
The local folder location is supported only for external hard disks connected via USB.
Local dynamic disks are not supported as a location for backups with forensic data.
• Network folder
Forensic backup process
The system performs the following during a forensic backup process:
1. Collects raw memory dump and the list of running processes.
2. Automatically reboots a machine into the bootable media.
3. Creates the backup that includes both the occupied and unallocated space.
4. Notarizes the backed-up disks.
5. Reboots into the live operating system and continues plan execution (for example, replication,
retention, validation, and others).
To configure forensic data collection
1. In the service console, go to Devices > All devices. Alternatively, the protection plan can be
created from the Management tab.
2. Select the device and click Protect.
3. In the protection plan, enable the Backup module.
4. In What to back up, select Entire machine.
5. In Backup options, click Change.
6. Find the Forensic data option.
7. Enable Collect forensic data. The system will automatically collect a memory dump and create
a snapshot of running processes.
Note
Full memory dump may contain sensitive data such as passwords.
8. Specify the location.
9. Click Run Now to perform a backup with forensic data right away or wait until the backup is
created according to the schedule.
10. Go to Monitoring > Activities, verify that the backup with forensic data was successfully
created.
As a result, backups will include forensic data, and you will be able to retrieve and analyze it. Backups
with forensic data are marked and can be filtered among other backups in Backup storage >
Locations by using the Only with forensic data option.
How to get forensic data from a backup?
1. In the service console, go to Backup storage, select the location with backups that include
forensic data.
2. Select the backup with forensic data and click Show backups.
3. Click Recover for the backup with forensic data.
• To get only the forensic data, click Forensic data.
The system will show a folder with forensic data. Select a memory dump file or any other
forensic file, and then click Download.
• To recover a full forensic backup, click Entire machine. The system will recover the backup
without the boot mode. Thus, it will be possible to check that the disk was not changed.
You can use the provided memory dump with several third-party forensic tools; for example,
use Volatility Framework at https://www.volatilityfoundation.org/ for further memory analysis.
Notarization of backups with forensic data
To ensure that a backup with forensic data is exactly the image that was taken and it was not
compromised, the backup module provides the notarization of backups with forensic data.
How it works
Notarization enables you to prove that a disk with forensic data is authentic and unchanged since it
was backed up.
During a backup, the agent calculates the hash codes of the backed-up disks, builds a hash tree,
saves the tree in the backup, and then sends the hash tree root to the notary service. The notary
service saves the hash tree root in the Ethereum blockchain database to ensure that this value does
not change.
When verifying the authenticity of the disk with forensic data, the agent calculates the hash of the
disk, and then compares it with the hash that is stored in the hash tree inside the backup. If these
hashes do not match, the disk is considered not authentic. Otherwise, the disk authenticity is
guaranteed by the hash tree.
To verify that the hash tree itself was not compromised, the agent sends the hash tree root to the
notary service. The notary service compares it with the one stored in the blockchain database. If the
hashes match, the selected disk is guaranteed to be authentic. Otherwise, the software displays a
message that the disk is not authentic.
The scheme below briefly shows the notarization process for backups with forensic data.
To verify the notarized disk backup manually, you can get the certificate for it and follow the
verification procedure shown with the certificate by using the tibxread tool.
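The two checks described under "How it works" can be followed in this added example, which is not Acronis code: the disk hash is compared with the hash tree kept in the backup, and the root recomputed from that tree is compared with the notarized root. SHA-256 is the algorithm the guide names for tibxread's calculate hash command; the binary tree layout, the pairing of an odd node with itself, the 0x01 node prefix, the NotaryStub class standing in for the notary service, and all names and disk contents are assumptions made for illustration.

```python
import hashlib
import hmac


def sha256(data):
    return hashlib.sha256(data).digest()


def build_hash_tree(disk_hashes):
    """Return the tree as a list of levels: disk hashes first, single root last."""
    if not disk_hashes:
        raise ValueError("at least one disk hash is required")
    levels = [list(disk_hashes)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        if len(prev) % 2:                  # assumed rule: pair an odd node with itself
            prev = prev + [prev[-1]]
        # assumed rule: the 0x01 prefix keeps inner nodes distinct from disk hashes
        levels.append([sha256(b"\x01" + prev[i] + prev[i + 1])
                       for i in range(0, len(prev), 2)])
    return levels


class NotaryStub:
    """Stand-in for the notary service: a write-once map of backup id to tree root."""

    def __init__(self):
        self._roots = {}

    def notarize(self, backup_id, root):
        if backup_id in self._roots:
            raise ValueError("a root is already recorded for this backup")
        self._roots[backup_id] = root

    def root_matches(self, backup_id, root):
        stored = self._roots.get(backup_id)
        return stored is not None and hmac.compare_digest(stored, root)


def back_up(backup_id, disks, notary):
    """Backup side: hash the disks, build the tree, keep it in the backup, send the root."""
    tree = build_hash_tree([sha256(d) for d in disks])
    notary.notarize(backup_id, tree[-1][0])
    return {"id": backup_id, "disks": list(disks), "tree": tree}


def verify_disk(backup, index, notary):
    """Verification side: the two comparisons the guide describes, in order."""
    leaves = backup["tree"][0]
    # Check 1: hash of the disk against the hash stored in the tree inside the backup.
    if not hmac.compare_digest(sha256(backup["disks"][index]), leaves[index]):
        return "not authentic: disk differs from hash tree"
    # Check 2: root recomputed from the stored tree against the notarized root.
    root = build_hash_tree(leaves)[-1][0]
    if not notary.root_matches(backup["id"], root):
        return "not authentic: hash tree differs from notarized root"
    return "authentic"


def demo():
    """Run both checks on an untouched backup and on two modified copies of it."""
    notary = NotaryStub()
    disks = [b"constructed disk 1", b"constructed disk 2", b"constructed disk 3"]
    backup = back_up("constructed-backup-id", disks, notary)
    results = {"untouched": verify_disk(backup, 1, notary)}
    # The stored disk content changes; the tree in the backup is left alone.
    backup["disks"][1] = b"constructed disk 2, modified"
    results["disk changed"] = verify_disk(backup, 1, notary)
    # The stored tree is also rewritten to agree with the changed disk.
    backup["tree"][0][1] = sha256(backup["disks"][1])
    results["disk and tree changed"] = verify_disk(backup, 1, notary)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The third case is the reason the root is stored outside the backup: a tree that sits next to the data it protects can be changed together with that data, and only the externally recorded root exposes the change.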
Getting the certificate for backups with forensic data
To get the certificate for a backup with forensic data from the console, do the following:
1. Go to Backup storage and select the backup with forensic data.
2. Recover the entire machine.
3. The system opens the Disk Mapping view.
4. Click the Get certificate icon for the disk.
5. The system will generate the certificate and open a new window in the browser with the
certificate. Below the certificate you will see the instruction for manual verification of notarized
disk backup.
The tool "tibxread" for getting the backed-up data
Cyber Protection provides a tool called tibxread for manually checking the integrity of a backed-up disk.
The tool allows you to get data from a backup and calculate the hash of the specified disk. The tool is
installed automatically with the following components: Agent for Windows, Agent for Linux, and
Agent for Mac.
The installation path: the same folder as the agent has (for example, C:\Program
Files\BackupClient\BackupAndRecovery).
The supported locations are:
• The local disk
• The network folder (CIFS/SMB) that can be accessed without the credentials.
In case of a password-protected network folder, you can mount the network folder to the local
folder by using the OS tools and then use the local folder as the source for this tool.
• The cloud storage
You should provide the URL, port, and certificate. The URL and port can be obtained from the
Windows registry key or configuration files on Linux/Mac machines.
For Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\BackupAndRecovery\Settings\OnlineBackup\FesAddressCache\Default\<tenant_login>\FesUri
For Linux:
/etc/Acronis/BackupAndRecovery.config
For macOS:
/Library/Application Support/Acronis/Registry/BackupAndRecovery.config
The certificate can be found in the following locations:
For Windows:
%allusersprofile%\Acronis\BackupAndRecovery\OnlineBackup\Default
For Linux:
/var/lib/Acronis/BackupAndRecovery/OnlineBackup/Default
For macOS:
/Library/Application Support/Acronis/BackupAndRecovery/OnlineBackup/Default
The tool has the following commands:
• list backups
• list content
• get content
• calculate hash
list backups
Lists recovery points in a backup.
SYNOPSIS:
tibxread list backups --loc=URI --arc=BACKUP_NAME --raw
Options
--loc=URI
--arc=BACKUP_NAME
--raw
--utc
--log=PATH
Output template:
GUID Date Date timestamp
---- ------ --------------
<guid> <date> <timestamp>
<guid> – a backup GUID.
<date> – a creation date of the backup. Format is “DD.MM.YYYY HH24:MM:SS”. In local timezone by
default (can be changed by using the --utc option).
Output example:
GUID Date Date timestamp
---- ------ --------------
516FCE73-5E5A-49EF-B673-A9EACB4093B8 18.12.2019 16:01:05 1576684865
516FCE73-5E5A-49EF-B673-A9EACB4093B9 18.12.2019 16:02:05 1576684925
list content
Lists content in a recovery point.
SYNOPSIS:
tibxread list content --loc=URI --arc=BACKUP_NAME --password --backup=RECOVERY_POINT_ID
--raw --log=PATH
Options
--loc=URI
--arc=BACKUP_NAME
--password
--backup=RECOVERY_POINT_ID
--raw
--log=PATH
Output template:
Disk Size Notarization status
-------- ------ ---------------------
<number> <size> <notarization_status>
<number> – identifier of the disk.
<size> – size in bytes.
<notarization_status> – the following statuses are possible: Without notarization, Notarized, Next
backup.
Output example:
Disk Size Notary status
-------- ------ --------------
1 123123465798 Notarized
2 123123465798 Notarized
get content
Writes content of the specified disk in the recovery point to the standard output (stdout).
SYNOPSIS:
tibxread get content --loc=URI --arc=BACKUP_NAME --password --backup=RECOVERY_POINT_ID --disk=DISK_NUMBER --raw --log=PATH --progress
Options
--loc=URI
--arc=BACKUP_NAME
--password
--backup=RECOVERY_POINT_ID
--disk=DISK_NUMBER
--raw
--log=PATH
--progress
calculate hash
Calculates the hash of the specified disk in the recovery point by using the SHA-2 (256-bit) algorithm
and writes it to the stdout.
SYNOPSIS:
tibxread calculate hash --loc=URI --arc=BACKUP_NAME --password --backup=RECOVERY_POINT_ID --disk=DISK_NUMBER --raw --log=PATH --progress
Options
--loc=URI
--arc=BACKUP_NAME
--password
--backup=RECOVERY_POINT_ID
--disk=DISK_NUMBER
--raw
--log=PATH
Options description
Option
    Description
--arc=BACKUP_NAME
    The backup file name that you can get from the backup properties in the web
    console. The backup file must be specified with the extension .tibx.
--backup=RECOVERY_POINT_ID
    The recovery point identifier
--disk=DISK_NUMBER
    Disk number (the same as was written to the output of the "get content" command)
--loc=URI
    A backup location URI. The possible formats of the "--loc" option are:
    • Local path name (Windows)
      c:/upload/backups
    • Local path name (Linux)
      /var/tmp
    • SMB/CIFS
      \\server\folder
    • Cloud storage
      --loc=<IP_address>:443 --cert=<path_to_certificate> [--storage_path=/1]
      <IP_address> – you can find it in the registry key in Windows:
      HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\BackupAndRecovery\Settings\OnlineBackup\FesAddressCache\Default\<tenant_login>\FesUri
      <path_to_certificate> – a path to the certificate file to access Cyber Cloud. For
      example, in Windows this certificate is located in
      C:\ProgramData\Acronis\BackupAndRecovery\OnlineBackup\Default\<username>.crt
      where <username> – is your account name to access Cyber Cloud.
--log=PATH
    Enables writing the logs by the specified PATH (local path only, format is the same as
    for --loc=URI parameter). Logging level is DEBUG.
--password=PASSWORD
    An encryption password for your backup. If the backup is not encrypted, leave this
    value empty.
--raw
    Hides the headers (2 first rows) in the command output. It is used when the
    command output should be parsed.
    Output example without "--raw":
    GUID Date Date timestamp
    ---- ------ --------------
    516FCE73-5E5A-49EF-B673-A9EACB4093B8 18.12.2019 16:01:05 1576684865
    516FCE73-5E5A-49EF-B673-A9EACB4093B9 18.12.2019 16:02:05 1576684925
    Output with "--raw":
    516FCE73-5E5A-49EF-B673-A9EACB4093B8 18.12.2019 16:01:05 1576684865
    516FCE73-5E5A-49EF-B673-A9EACB4093B9 18.12.2019 16:02:05 1576684925
--utc
    Shows dates in UTC
--progress
    Shows progress of the operation.
    For example:
    1%
    2%
    3%
    4%
    ...
    100%
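Because --raw exists so that the output can be parsed, here is an added example (not part of the tibxread tool or of Acronis documentation) that parses the "list backups" and "list content" output shown above, rejects malformed lines, and reports disks whose status is not Notarized. The function and type names are hypothetical; the recovery point lines are the guide's own output example, and the third disk line is constructed.

```python
import uuid
from datetime import datetime, timezone
from typing import NamedTuple

HEADER_ROWS = 2   # per the guide, --raw hides "the headers (2 first rows)"
STATUSES = {"Without notarization", "Notarized", "Next backup"}


class RecoveryPoint(NamedTuple):
    guid: str
    created: datetime
    timestamp: int


class Disk(NamedTuple):
    number: int
    size: int
    status: str


def _data_lines(text, first_header_word):
    """Drop blank lines, and the two header rows if --raw was not used."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].split()[0] == first_header_word:
        lines = lines[HEADER_ROWS:]
    return lines


def parse_backups(text, utc=False):
    """Parse 'list backups' output; with utc=True also cross-check date and timestamp."""
    points = []
    for ln in _data_lines(text, "GUID"):
        fields = ln.split()
        if len(fields) != 4:
            raise ValueError(f"unexpected recovery point line: {ln!r}")
        guid, date, time, ts = fields
        uuid.UUID(guid)                    # raises ValueError on a malformed GUID
        created = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S")
        if utc:                            # only meaningful when --utc was passed
            created = created.replace(tzinfo=timezone.utc)
            if int(created.timestamp()) != int(ts):
                raise ValueError(f"date and timestamp disagree: {ln!r}")
        points.append(RecoveryPoint(guid, created, int(ts)))
    return sorted(points, key=lambda p: p.timestamp)


def parse_content(text):
    """Parse 'list content' output; the status column may contain a space."""
    disks = []
    for ln in _data_lines(text, "Disk"):
        fields = ln.split(None, 2)
        if len(fields) != 3 or fields[2] not in STATUSES:
            raise ValueError(f"unexpected disk line: {ln!r}")
        disks.append(Disk(int(fields[0]), int(fields[1]), fields[2]))
    return disks


def not_notarized(disks):
    """Disk numbers that cannot be verified against the notary service."""
    return [d.number for d in disks if d.status != "Notarized"]


# The guide's output example; its dates agree with the timestamps when read as UTC.
BACKUPS_RAW = """\
516FCE73-5E5A-49EF-B673-A9EACB4093B8 18.12.2019 16:01:05 1576684865
516FCE73-5E5A-49EF-B673-A9EACB4093B9 18.12.2019 16:02:05 1576684925
"""
BACKUPS_WITH_HEADERS = ("GUID Date Date timestamp\n"
                        "---- ------ --------------\n" + BACKUPS_RAW)
# First two lines are the guide's example; the third line is constructed.
CONTENT_RAW = """\
1 123123465798 Notarized
2 123123465798 Notarized
3 500107862016 Without notarization
"""

if __name__ == "__main__":
    latest = parse_backups(BACKUPS_RAW, utc=True)[-1]
    print("latest recovery point:", latest.guid)
    print("disks without a notarized hash:", not_notarized(parse_content(CONTENT_RAW)))
```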
Log truncation
This option is effective for backup of Microsoft SQL Server databases and for disk-level backup with
enabled Microsoft SQL Server application backup.
This option defines whether the SQL Server transaction logs are truncated after a successful backup.
The preset is: Enabled.
When this option is enabled, a database can be recovered only to a point in time of a backup
created by this software. Disable this option if you back up transaction logs by using the native
backup engine of Microsoft SQL Server. You will be able to apply the transaction logs after a
recovery and thus recover a database to any point in time.
LVM snapshotting
This option is effective only for physical machines.
This option is effective for disk-level backup of volumes managed by Linux Logical Volume Manager
(LVM). Such volumes are also called logical volumes.
This option defines how a snapshot of a logical volume is taken. The backup software can do this on
its own or rely on Linux Logical Volume Manager (LVM).
The preset is: By the backup software.
• By the backup software. The snapshot data is kept mostly in RAM. The backup is faster and
unallocated space on the volume group is not required. Therefore, we recommend changing the
preset only if you are experiencing problems with backing up logical volumes.
• By LVM. The snapshot is stored on unallocated space of the volume group. If the unallocated
space is missing, the snapshot will be taken by the backup software.
Mount points
This option is effective only in Windows for a file-level backup of a data source that includes
mounted volumes or cluster shared volumes.
This option is effective only when you select for backup a folder that is higher in the folder hierarchy
than the mount point. (A mount point is a folder on which an additional volume is logically
attached.)
• If such folder (a parent folder) is selected for backup, and the Mount points option is enabled, all
files located on the mounted volume will be included in the backup. If the Mount points option is
disabled, the mount point in the backup will be empty.
During recovery of a parent folder, the mount point content will or will not be recovered,
depending on whether the Mount points option for recovery is enabled or disabled.
• If you select the mount point directly, or select any folder within the mounted volume, the
selected folders will be considered as ordinary folders. They will be backed up regardless of the
state of the Mount points option and recovered regardless of the state of the Mount points
option for recovery.
The preset is: Disabled.
Note
You can back up Hyper-V virtual machines residing on a cluster shared volume by backing up the
required files or the entire volume with file-level backup. Just power off the virtual machines to be
sure that they are backed up in a consistent state.
Example
Let's assume that the C:\Data1\ folder is a mount point for the mounted volume. The volume
contains folders Folder1 and Folder2. You create a protection plan for file-level backup of your
data.
If you select the check box for volume C and enable the Mount points option, the C:\Data1\ folder
in your backup will contain Folder1 and Folder2. When recovering the backed-up data, make sure
that the Mount points option for recovery is set appropriately.
If you select the check box for volume C, and disable the Mount points option, the C:\Data1\ folder
in your backup will be empty.
If you select the check box for the Data1, Folder1 or Folder2 folder, the checked folders will be
included in the backup as ordinary folders, regardless of the state of the Mount points option.
Multi-volume snapshot
This option is effective for backups of physical machines running Windows or Linux.
This option applies to disk-level backup. This option also applies to file-level backup when the
file-level backup is performed by taking a snapshot. (The "File-level backup snapshot" option
determines whether a snapshot is taken during file-level backup).
This option determines whether to take snapshots of multiple volumes at the same time or one by
one.
The preset is:
• If at least one machine running Windows is selected for backup: Enabled.
• Otherwise: Disabled.
When this option is enabled, snapshots of all volumes being backed up are created simultaneously.
Use this option to create a time-consistent backup of data spanning multiple volumes; for instance,
for an Oracle database.
When this option is disabled, the volumes' snapshots are taken one after the other. As a result, if the
data spans several volumes, the resulting backup may not be consistent.
Performance and backup window
This option enables you to set one of three levels of backup performance (high, low, prohibited) for
every hour within a week. This way, you can define a time window when backups are allowed to
start and run. The high and low performance levels are configurable in terms of the process priority
and output speed.
This option is not available for backups executed by the cloud agents, such as website backups or
backups of servers located on the cloud recovery site.
You can configure this option separately for each location specified in the protection plan. To
configure this option for a replication location, click the gear icon next to the location name, and
then click Performance and backup window.
This option is effective only for the backup and backup replication processes. Post-backup
commands and other operations included in a protection plan (for example, validation) will run
regardless of this option.
The preset is: Disabled.
When this option is disabled, backups are allowed to run at any time, with the following parameters
(no matter if the parameters were changed against the preset value):
• CPU priority: Low (in Windows, corresponds to Below normal).
• Output speed: Unlimited.
When this option is enabled, scheduled backups are allowed or blocked according to the
performance parameters specified for the current hour. At the beginning of an hour when backups
are blocked, a backup process is automatically stopped and an alert is generated.
Even if scheduled backups are blocked, a backup can be started manually. It will use the
performance parameters of the most recent hour when backups were allowed.
Backup window
Each rectangle represents an hour within a week day. Click a rectangle to cycle through the
following states:
- Green: backup is allowed with the parameters specified in the green section below.
- Blue: backup is allowed with the parameters specified in the blue section below.
  This state is not available if the backup format is set to Version 11.
- Gray: backup is blocked.
You can click and drag to change the state of multiple rectangles simultaneously.
CPU priority
This parameter defines the priority of the backup process in the operating system.
The available settings are: Low, Normal, High.
The priority of a process running in a system determines the amount of CPU and system resources
allocated to that process. Decreasing the backup priority will free more resources for other
applications. Increasing the backup priority might speed up the backup process by requesting the
operating system to allocate more resources like the CPU to the backup application. However, the
resulting effect will depend on the overall CPU usage and other factors like disk in/out speed or
network traffic.
This option sets the priority of the backup process (service_process.exe) in Windows and the
niceness of the backup process (service_process) in Linux and OS X.
Output speed during backup
This parameter enables you to limit the hard drive writing speed (when backing up to a local folder)
or the speed of transferring the backup data through the network (when backing up to a network
share or to cloud storage).
When this option is enabled, you can specify the maximum allowed output speed:
- As a percentage of the estimated writing speed of the destination hard disk (when backing up to a
  local folder) or of the estimated maximum speed of the network connection (when backing up to
  a network share or cloud storage).
  This setting works only if the agent is running in Windows.
- In KB/second (for all destinations).
Physical Data Shipping
This option is available if the backup or recovery destination is the cloud storage and the backup
format is set to Version 12.
This option is effective for disk-level backups and file backups created by Agent for Windows, Agent
for Linux, Agent for Mac, Agent for VMware, Agent for Hyper-V, and Agent for Virtuozzo.
Use this option to ship the first full backup created by a protection plan to the cloud storage on a
hard disk drive by using the Physical Data Shipping service. The subsequent incremental backups
are performed over the network.
For local backups that are replicated to cloud, incremental backups continue and are saved locally
until the initial backup is uploaded in the cloud storage. Then all incremental changes are replicated
to the cloud and the replication continues per the backup schedule.
The preset is: Disabled.
About the Physical Data Shipping service
The Physical Data Shipping service web interface is available only to administrators.
For detailed instructions about using the Physical Data Shipping service and the order creation tool,
refer to the Physical Data Shipping Administrator's Guide. To access this document in the Physical
Data Shipping service web interface, click the question mark icon.
Overview of the physical data shipping process
1. [To ship backups that have cloud storage as the primary backup location]
a. Create a new protection plan with backup to cloud.
b. In the Backup options row, click Change.
c. In the list of available options, click Physical Data Shipping.
You can back up directly to a removable drive or back up to a local or a network folder, and then
copy/move the backup(s) to the drive.
2. [To ship local backups that are replicated to cloud]
Note
This option is supported with Cyber Protect agent versions from release C21.06 or later.
a. Create a new protection plan with backup to a local or network storage.
b. Click Add location and select Cloud storage.
c. In the Cloud storage location row, click the gear wheel and select Physical Data Shipping.
3. Under Use Physical Data Shipping, click Yes and Done.
The Encryption option is enabled automatically in the protection plan because all backups that
are shipped must be encrypted.
4. In the Encryption row, click Specify a password and enter a password for encryption.
5. In the Physical Data Shipping row, select the removable drive where the initial backup will be
saved.
6. Click Create to save the protection plan.
7. After the first backup is complete, use the Physical Data Shipping service web interface to
download the order creation tool and create the order.
To access this web interface, log in to the management portal, click Overview > Usage, and then
click Manage service under Physical Data Shipping.
Important
Once the initial full backup is done, the subsequent backups must be performed by the same
protection plan. Another protection plan, even with the same parameters and for the same
machine, will require another Physical Data Shipping cycle.
8. Package the drives and ship them to the data center.
Important
Ensure that you follow the packaging instructions provided in the Physical Data Shipping
Administrator's Guide.
9. Track the order status by using the Physical Data Shipping service web interface. Note that the
subsequent backups will fail until the initial backup is uploaded to the cloud storage.
Pre/Post commands
The option enables you to define the commands to be automatically executed before and after the
backup procedure.
The following scheme illustrates when pre/post commands are executed.
Pre-backup command > Backup > Post-backup command
Examples of how you can use the pre/post commands:
- Delete some temporary files from the disk before starting backup.
- Configure a third-party antivirus product to be started each time before the backup starts.
- Selectively copy backups to another location. This option may be useful because the replication
  configured in a protection plan copies every backup to subsequent locations.
  The agent performs the replication after executing the post-backup command.
The program does not support interactive commands, i.e. commands that require user input (for
example, "pause").
Pre-backup command
To specify a command/batch file to be executed before the backup process starts
1. Enable the Execute a command before the backup switch.
2. In the Command... field, type a command or browse to a batch file. The program does not
support interactive commands, i.e. commands that require user input (for example, "pause").
3. In the Working directory field, specify a path to a directory where the command/batch file will
be executed.
4. In the Arguments field, specify the command’s execution arguments, if required.
5. Depending on the result you want to obtain, select the appropriate options as described in the
table below.
6. Click Done.
Check box | Selection
Fail the backup if the command execution fails* | Selected | Cleared | Selected | Cleared
Do not back up until the command execution is complete | Selected | Selected | Cleared | Cleared
Result | Preset: Perform the backup only after the command is successfully executed. Fail the backup if the command execution fails. | Perform the backup after the command is executed despite execution failure or success. | N/A | Perform the backup concurrently with the command execution and irrespective of the command execution result.
* A command is considered failed if its exit code is not equal to zero.
Note
If a script fails due to a conflict related to a required library version in Linux, exclude the
LD_LIBRARY_PATH and LD_PRELOAD environment variables by adding the following lines to your script:
#!/bin/sh
unset LD_LIBRARY_PATH
unset LD_PRELOAD
Post-backup command
To specify a command/executable file to be executed after the backup is completed
1. Enable the Execute a command after the backup switch.
2. In the Command... field, type a command or browse to a batch file.
3. In the Working directory field, specify a path to a directory where the command/batch file will
be executed.
4. In the Arguments field, specify the command execution arguments, if required.
5. Select the Fail the backup if the command execution fails check box if successful execution
of the command is critical for you. The command is considered failed if its exit code is not equal
to zero. If the command execution fails, the backup status will be set to Error.
When the check box is not selected, the command execution result does not affect the backup
failure or success. You can track the command execution result by exploring the Activities tab.
6. Click Done.
Pre/Post data capture commands
The option enables you to define the commands to be automatically run before and after data
capture (that is, taking the data snapshot). Data capture is performed at the beginning of the backup
procedure.
The following scheme illustrates when the pre/post data capture commands are run.
<---------------------------- Backup ---------------------------->
Pre-backup command > Pre-data capture command > Data capture > Post-data capture command > Write data to the backup set > Post-backup command
Interaction with other backup options
Running of the pre/post data capture commands can be modified by other backup options.
If the Multi-volume snapshot option is enabled, the pre/post data capture commands will run only
once, because the snapshots for all volumes are created simultaneously. If the Multi-volume
snapshot option is disabled, the pre/post data capture commands will run for every volume that is
being backed up because the snapshots are created sequentially, one volume after another.
If the Volume Shadow Copy Service (VSS) option is enabled, the pre/post data capture commands
and the Microsoft VSS actions will run as follows:
Pre-data capture commands > VSS Suspend > Data capture > VSS Resume > Post-data capture commands
By using the pre/post data capture commands, you can suspend and resume a database or
application that is not compatible with VSS. Because the data capture takes seconds, the database
or application idle time will be minimal.
Pre-data capture command
To specify a command/batch file to be executed before data capture
1. Enable the Execute a command before the data capture switch.
2. In the Command... field, type a command or browse to a batch file. The program does not
support interactive commands, i.e. commands that require user input (for example, "pause").
3. In the Working directory field, specify a path to a directory where the command/batch file will
be executed.
4. In the Arguments field, specify the command’s execution arguments, if required.
5. Depending on the result you want to obtain, select the appropriate options as described in the
table below.
6. Click Done.
Check box | Selection
Fail the backup if the command execution fails* | Selected | Cleared | Selected | Cleared
Do not perform the data capture until the command execution is complete | Selected | Selected | Cleared | Cleared
Result | Preset: Perform the data capture only after the command is successfully executed. Fail the backup if the command execution fails. | Perform the data capture after the command is executed despite execution failure or success. | N/A | Perform the data capture concurrently with the command and irrespective of the command execution result.
* A command is considered failed if its exit code is not equal to zero.
Note
If a script fails due to a conflict related to a required library version in Linux, exclude the
LD_LIBRARY_PATH and LD_PRELOAD environment variables by adding the following lines to your script:
#!/bin/sh
unset LD_LIBRARY_PATH
unset LD_PRELOAD
Post-data capture command
To specify a command/batch file to be executed after data capture
1. Enable the Execute a command after the data capture switch.
2. In the Command... field, type a command or browse to a batch file. The program does not
support interactive commands, i.e. commands that require user input (for example, "pause").
3. In the Working directory field, specify a path to a directory where the command/batch file will
be executed.
4. In the Arguments field, specify the command’s execution arguments, if required.
5. Depending on the result you want to obtain, select the appropriate options as described in the
table below.
6. Click Done.
Check box | Selection
Fail the backup if the command execution fails* | Selected | Cleared | Selected | Cleared
Do not back up until the command execution is complete | Selected | Selected | Cleared | Cleared
Result | Preset: Continue the backup only after the command is successfully executed. | Continue the backup after the command is executed despite command execution failure or success. | N/A | Continue the backup concurrently with the command execution and irrespective of the command execution result.
* A command is considered failed if its exit code is not equal to zero.
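On Linux, the suspend-and-resume use of pre/post data capture commands described in this section could be scripted as shown below. This is an added example, not part of the Acronis guide: appctl, the marker path, and the function names are hypothetical placeholders for your application's own quiesce and resume commands.

```shell
#!/bin/sh
# Pre/post data capture hook for an application that is not VSS-aware.
# Example only: "appctl", the marker path and all function names are placeholders.
# Keep this file owned by root and not writable by anyone else, because the
# backup agent executes it with its own privileges.

# Loader variables inherited from the agent can break or redirect child processes.
unset LD_LIBRARY_PATH
unset LD_PRELOAD

# Fixed search path and private file mode for everything the hook creates.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
umask 077

# Marker recording that this hook suspended the application (root-only directory).
STATE_FILE=/var/run/backup-hook.suspended

# Replace the bodies with the real quiesce/resume commands (hypothetical here).
suspend_app() { appctl suspend; }
resume_app()  { appctl resume; }

log() { printf '%s backup-hook: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2; }

pre_capture() {
    # A leftover marker means an earlier resume never happened: fail visibly.
    if [ -e "$STATE_FILE" ]; then
        log "stale marker $STATE_FILE, application state unknown"
        return 3
    fi
    # stdin comes from /dev/null because interactive commands are not supported.
    if ! suspend_app </dev/null; then
        log "suspend failed"
        return 1
    fi
    if ! date -u +%Y-%m-%dT%H:%M:%SZ >"$STATE_FILE"; then
        log "cannot write marker, resuming"
        resume_app </dev/null
        return 4
    fi
    log "application suspended"
}

post_capture() {
    # Resume only what pre_capture suspended.
    if [ ! -e "$STATE_FILE" ]; then
        log "no marker, nothing to resume"
        return 0
    fi
    if ! resume_app </dev/null; then
        log "resume failed, application is still suspended"
        return 2
    fi
    rm -f "$STATE_FILE"
    log "application resumed"
}

run_hook() {
    case "$1" in
        pre)  pre_capture ;;
        post) post_capture ;;
        *)    log "usage: hook pre|post"; return 64 ;;
    esac
}

# Dispatch only when an argument is supplied (the Arguments field: pre or post).
if [ "$#" -gt 0 ]; then
    run_hook "$1"
    exit $?
fi
```

Point the Command... field at the script and put pre or post in the Arguments field. With Fail the backup if the command execution fails selected, any of the non-zero exit codes above marks the command as failed.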
Scheduling
This option defines whether backups start as scheduled or with a delay, and how many virtual
machines are backed up simultaneously.
The preset is: Distribute backup start times within a time window. Maximum delay: 30
minutes.
You can select one of the following:
- Start all backups exactly as scheduled
  Backups of physical machines will start exactly as scheduled. Virtual machines will be backed up
  one by one.
- Distribute start times within a time window
  Backups of physical machines will start with a delay from the scheduled time. The delay value for
  each machine is selected randomly and ranges from zero to the maximum value you specify. You
  may want to use this setting when backing up multiple machines to a network location, to avoid
  excessive network load. The delay value for each machine is determined when the protection
  plan is applied to the machine and remains the same until you edit the protection plan and
  change the maximum delay value.
  Virtual machines will be backed up one by one.
- Limit the number of simultaneously running backups by
  This option defines how many virtual machines an agent can back up simultaneously when
  executing the given protection plan. Also, enabling this option allows the protection plan to run
  together with other plans that are being run by the same agent at the same time. If this option is
  disabled, the protection plan will run only after all other plans complete.
  If, according to the protection plan, an agent has to start backing up multiple machines at once, it
  will choose two machines. (To optimize the backup performance, the agent tries to match
  machines stored on different storages.) Once any of the two backups is completed, the agent
  chooses the third machine and so on.
  You can change the number of virtual machines for an agent to simultaneously back up. The
  maximum value is 10. However, if the agent executes multiple protection plans that overlap in
  time, the numbers specified in their options are added up. You can limit the total number of
  virtual machines that an agent can back up simultaneously, no matter how many protection plans
  are running.
  Backups of physical machines will start exactly as scheduled.
Sector-by-sector backup
The option is effective only for disk-level backup.
This option defines whether an exact copy of a disk or volume on a physical level is created.
The preset is: Disabled.
If this option is enabled, all sectors of the disk or volume will be backed up, including unallocated space
and those sectors that are free of data. The resulting backup will be equal in size to the disk being
backed up (if the "Compression level" option is set to None). The software automatically switches to
the sector-by-sector mode when backing up drives with unrecognized or unsupported file systems.
Note
It will be impossible to perform a recovery of application data from the backups which were created
in the sector-by-sector mode.
Splitting
This option enables you to select the method of splitting large backups into smaller files.
Note
Splitting is not available in protection plans that use the cloud storage as a backup location.
The preset is:
- If the backup location is a local or network (SMB) folder, and the backup format is Version 12:
  Fixed size - 200 GB
  This setting allows the backup software to work with large volumes of data on the NTFS file
  system, without negative effects caused by file fragmentation.
- Otherwise: Automatic
The following settings are available:
- Automatic
  A backup will be split if it exceeds the maximum file size supported by the file system.
- Fixed size
  Enter the desired file size or select it from the drop-down list.
Task failure handling
This option determines the program behavior when a scheduled execution of a protection plan fails.
This option is not effective when a protection plan is started manually.
If this option is enabled, the program will try to execute the protection plan again. You can specify
the number of attempts and the time interval between the attempts. The program stops trying as
soon as an attempt completes successfully OR the specified number of attempts is performed,
depending on which comes first.
The preset is: Disabled.
Task start conditions
This option is effective in Windows and Linux operating systems.
This option determines the program behavior in case a task is about to start (the scheduled time
comes or the event specified in the schedule occurs), but the condition (or any of multiple
conditions) is not met. For more information about conditions refer to "Start conditions".
The preset is: Wait until the conditions from the schedule are met.
Wait until the conditions from the schedule are met
With this setting, the scheduler starts monitoring the conditions and launches the task as soon as
the conditions are met. If the conditions are never met, the task will never start.
To handle the situation when the conditions are not met for too long and further delaying the task is
becoming risky, you can set the time interval after which the task will run irrespective of the
condition. Select the Run the task anyway after check box and specify the time interval. The task
will start as soon as the conditions are met OR the maximum time delay lapses, depending on which
comes first.
Skip the task execution
Delaying a task might be unacceptable, for example, when you need to execute a task strictly at the
specified time. Then it makes sense to skip the task rather than wait for the conditions, especially if
the tasks occur relatively often.
Volume Shadow Copy Service (VSS)
This option is effective only for Windows operating systems.
The option defines whether a Volume Shadow Copy Service (VSS) provider has to notify VSS-aware
applications that the backup is about to start. This ensures the consistent state of all data used by
the applications; in particular, completion of all database transactions at the moment of taking the
data snapshot by the backup software. Data consistency, in turn, ensures that the application will be
recovered in the correct state and become operational immediately after recovery.
The preset is: Enabled. Automatically select snapshot provider.
You can select one of the following:
- Automatically select snapshot provider
  Automatically select among the hardware snapshot provider, software snapshot providers, and
  Microsoft Software Shadow Copy provider.
- Use Microsoft Software Shadow Copy provider
  We recommend choosing this option when backing up application servers (Microsoft Exchange
  Server, Microsoft SQL Server, Microsoft SharePoint, or Active Directory).
Disable this option if your database is incompatible with VSS. Snapshots are taken faster, but data
consistency of the applications whose transactions are not completed at the time of taking a
snapshot cannot be guaranteed. You may use Pre/Post data capture commands to ensure that the
data is backed up in a consistent state. For instance, specify pre-data capture commands that will
suspend the database and flush all caches to ensure that all transactions are completed; and specify
post-data capture commands that will resume the database operations after the snapshot is taken.
Note
If this option is enabled, files and folders that are specified in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot registry
key are not backed up. In particular, offline Outlook Data Files (.ost) are not backed up because they
are specified in the OutlookOST value of this key.
Enable VSS full backup
If this option is enabled, logs of Microsoft Exchange Server and of other VSS-aware applications
(except for Microsoft SQL Server) will be truncated after each successful full, incremental or
differential disk-level backup.
The preset is: Disabled.
Leave this option disabled in the following cases:
- If you use Agent for Exchange or third-party software for backing up the Exchange Server data.
  This is because the log truncation will interfere with the consecutive transaction log backups.
- If you use third-party software for backing up the SQL Server data. The reason for this is that the
  third-party software will take the resulting disk-level backup for its "own" full backup. As a result,
  the next differential backup of the SQL Server data will fail. The backups will continue failing until
  the third-party software creates the next "own" full backup.
- If other VSS-aware applications are running on the machine and you need to keep their logs for
  any reason.
Enabling this option does not result in the truncation of Microsoft SQL Server logs. To truncate the
SQL Server log after a backup, enable the Log truncation backup option.
Volume Shadow Copy Service (VSS) for virtual machines
This option defines whether quiesced snapshots of virtual machines are taken. To take a quiesced
snapshot, the backup software applies VSS inside a virtual machine by using VMware Tools, Hyper-V
Integration Services, Virtuozzo Guest Tools, Red Hat Virtualization Guest Tools, or QEMU Guest
Tools, respectively.
Note
For Red Hat Virtualization (oVirt) virtual machines, we recommend that you install QEMU Guest
Tools instead of Red Hat Virtualization Guest Tools. Some versions of Red Hat Virtualization Guest
Tools do not support application-consistent snapshots.
The preset is: Enabled.
If this option is enabled, transactions of all VSS-aware applications running in a virtual machine are
completed before the snapshot is taken. If a quiesced snapshot fails after the number of re-attempts
specified in the "Error handling" option, and application backup is disabled, a non-quiesced
snapshot is taken. If application backup is enabled, the backup fails.
Enabling the Volume Shadow Copy Service (VSS) for virtual machines option also triggers the
pre‐freeze and post‐thaw scripts that you might have on the backed-up virtual machine. For more
information on these scripts, refer to "Running pre‐freeze and post‐thaw scripts automatically" (p.
383).
If this option is disabled, a non-quiesced snapshot is taken. The virtual machine will be backed up in
a crash-consistent state.
Note
This option does not affect Scale Computing HC3 virtual machines. For them, quiescing depends on
whether Scale Tools are installed on the virtual machine.
Weekly backup
This option determines which backups are considered "weekly" in retention rules and backup
schemes. A "weekly" backup is the first backup created after a week starts.
The preset is: Monday.
Windows event log
This option is effective only in Windows operating systems.
This option defines whether the agents have to log events of the backup operations in the
Application Event Log of Windows (to see this log, run eventvwr.exe or select Control Panel >
Administrative tools > Event Viewer). You can filter the events to be logged.
The preset is: Disabled.
Recovery
Recovery cheat sheet
The following table summarizes the available recovery methods. Use the table to choose a recovery
method that best fits your need.
Note
Recovery through the web interface is not available for tenants in the Enhanced security mode.
What to recover | Recovery method
Physical machine (Windows or Linux) | Using the web interface; Using bootable media
Physical machine (Mac) | Using bootable media
Virtual machine (VMware, Hyper-V, Red Hat Virtualization (oVirt), or Scale Computing HC3) | Using the web interface; Using bootable media
Virtual machine or container (Virtuozzo, Virtuozzo Hybrid Server, or Virtuozzo Hybrid Infrastructure) | Using the web interface
ESXi configuration | Using bootable media
Files/Folders | Using the web interface; Downloading files from the cloud storage; Using bootable media; Extracting files from local backups
System state | Using the web interface
SQL databases | Using the web interface
Exchange databases | Using the web interface
Exchange mailboxes | Using the web interface
Websites | Using the web interface
Microsoft 365
Mailboxes (local Agent for Microsoft 365) | Using the web interface
Mailboxes (cloud Agent for Microsoft 365) | Using the web interface
Public folders | Using the web interface
OneDrive files | Using the web interface
SharePoint Online data | Using the web interface
Google Workspace
Mailboxes | Using the web interface
Google Drive files | Using the web interface
Shared drive files | Using the web interface
Note for Mac users
- Starting with 10.11 El Capitan, certain system files, folders, and processes are flagged for
  protection with an extended file attribute com.apple.rootless. This feature is called System
  Integrity Protection (SIP). The protected files include preinstalled applications and most of the
  folders in /system, /bin, /sbin, /usr.
  The protected files and folders cannot be overwritten during a recovery under the operating
  system. If you need to overwrite the protected files, perform the recovery under bootable media.
- Starting with macOS Sierra 10.12, rarely used files can be moved to iCloud by the Store in Cloud
  feature. Small footprints of these files are kept on the file system. These footprints are backed up
  instead of the original files.
  When you recover a footprint to the original location, it is synchronized with iCloud and the
  original file becomes available. When you recover a footprint to a different location, it cannot be
  synchronized and the original file will be unavailable.
Safe recovery
A backed-up OS image can have malware that can reinfect a machine after recovery.
The safe recovery functionality allows you to prevent recurrence of infections by using the
integrated antimalware scanning and malware deletion during the recovery process.
Limitations:
- Safe recovery is supported only for physical or virtual Windows machines with Agent for Windows
  installed inside the machine.
- The supported backup types are "Entire machine" or "Disks/volumes" backups.
- Safe recovery is supported only for the volumes with NTFS file system. Non-NTFS partitions will
  be recovered without antimalware scanning.
- Safe recovery is not supported for CDP backups. The machine will be recovered based on the last
  regular backup without the data in the CDP backup. To recover the CDP data, start a Files/folders
  recovery.
How it works
If you enable the Safe recovery option during the recovery process, then the system will perform the
following:
1. Scan the image backup for malware and mark the infected files. One of the following statuses is
assigned to a backup:
   - No malware – no malware was found in a backup during scanning.
   - Malware detected – malware was found in a backup during scanning.
   - Not scanned – backup was not scanned for malware.
2. Recover the backup to the selected machine.
3. Delete the detected malware.
You can filter backups by using the Status parameter.
Recovering a machine
Recovering physical machines
This section describes recovery of physical machines by using the web interface.
Use bootable media instead of the web interface if you need to recover:
- A machine running macOS
- A machine from a tenant in the Enhanced security mode
- Any operating system to bare metal or to an offline machine
- The structure of logical volumes (volumes created by Logical Volume Manager in Linux). The
  media enables you to recreate the logical volume structure automatically.
Recovery with restart
Recovery of an operating system and recovery of volumes that are encrypted with BitLocker
require a restart. You can choose whether to restart the machine automatically or assign it the
Interaction required status. The recovered operating system goes online automatically.
Important
Backed-up encrypted volumes are recovered as non-encrypted.
Recovery of BitLocker-encrypted volumes requires that there is a non-encrypted volume on the
same machine, and that this volume has at least 1 GB of free space. If either condition is not met,
the recovery fails.
Recovering an encrypted system volume does not require any additional actions. To recover an
encrypted non-system volume, you must lock it first, for example, by opening a file that resides on
this volume. Otherwise, the recovery will continue without restart and the recovered volume might
not be recognized by Windows.
Note
If the recovery fails and your machine restarts with the Cannot get file from partition error, try
disabling Secure Boot. For more information on how to do it, refer to Disabling Secure Boot in the
Microsoft documentation.
To recover a physical machine
1. Select the backed-up machine.
2. Click Recovery.
3. Select a recovery point. Note that recovery points are filtered by location.
If the machine is offline, the recovery points are not displayed. Do any of the following:
- If the backup location is cloud or shared storage (i.e. other agents can access it), click Select
  machine, select a target machine that is online, and then select a recovery point.
- Select a recovery point on the Backup storage tab.
- Recover the machine as described in "Recovering disks by using bootable media".
4. Click Recover > Entire machine.
The software automatically maps the disks from the backup to the disks of the target machine.
To recover to another physical machine, click Target machine, and then select a target machine
that is online.
5. If you are unsatisfied with the mapping result or if the disk mapping fails, click Volume mapping
to re-map the disks manually.
The mapping section also enables you to choose individual disks or volumes for recovery. You
can switch between recovering disks and volumes by using the Switch to... link in the top-right
corner.
6. [Optional] Enable Safe recovery to scan the backup for malware. If malware is detected, it will
be marked in the backup and deleted right after the recovery process is completed.
7. Click Start recovery.
8. Confirm that you want to overwrite the disks with their backed-up versions. Choose whether to
restart the machine automatically.
The recovery progress is shown on the Activities tab.
Physical machine to virtual
You can recover a physical machine to a virtual machine on one of the supported hypervisors. This
is also a mechanism to migrate a physical machine to a virtual machine. For more information about
supported P2V migration paths, refer to "Machine migration".
This section describes the recovery of a physical machine as a virtual machine by using the web
interface. This operation can be performed if at least one agent for the relevant hypervisor is
installed and registered in Acronis Management Server. For example, recovery to VMware ESXi
requires at least one Agent for VMware, recovery to Hyper-V requires at least one Agent for Hyper-V
installed and registered in the environment.
Recovery through the web interface is not available for tenants in the Enhanced security mode.
Note
You cannot recover macOS virtual machines to Hyper-V hosts, because Hyper-V does not support
macOS. You can recover macOS virtual machines to a VMware host that is installed on Mac
hardware.
Also, you cannot recover backups of macOS physical machines as virtual machines.
To recover a physical machine as a virtual machine
1. Select the backed-up machine.
2. Click Recovery.
3. Select a recovery point. Note that recovery points are filtered by location.
If the machine is offline, the recovery points are not displayed. Do any of the following:
• If the backup location is cloud or shared storage (i.e. other agents can access it), click Select
machine, select a machine that is online, and then select a recovery point.
• Select a recovery point on the Backup storage tab.
• Recover the machine as described in "Recovering disks by using bootable media".
4. Click Recover > Entire machine.
5. In Recover to, select Virtual machine.
6. Click Target machine.
a. Select the hypervisor.
Note
At least one agent for that hypervisor must be installed and registered in Acronis
Management Server.
b. Select whether to recover to a new or existing machine. The new machine option is
preferable as it does not require the disk configuration of the target machine to exactly
match the disk configuration in the backup.
c. Select the host and specify the new machine name, or select an existing target machine.
d. Click OK.
7. [For Virtuozzo Hybrid Infrastructure] Click VM settings to select Flavor. Optionally, you can
change the memory size, the number of processors, and the network connections of the virtual
machine.
Note
Selecting flavor is a required step for Virtuozzo Hybrid Infrastructure.
8. [Optional] Configure additional recovery options:
• [Not available for Virtuozzo Hybrid Infrastructure] Click Datastore for ESXi or Path for Hyper-V,
and then select the datastore (storage) for the virtual machine.
• Click Disk mapping to select the datastore (storage), interface, and provisioning mode for
each virtual disk. The mapping section also enables you to choose individual disks for
recovery.
For Virtuozzo Hybrid Infrastructure, you can only select the storage policy for the target disks.
To do so, select the desired target disk, and then click Change. In the blade that opens, click
the gear icon, select the storage policy, and then click Done.
• [For VMware ESXi, Hyper-V, and Red Hat Virtualization/oVirt] Click VM settings to change the
memory size, the number of processors, and the network connections of the virtual machine.
9. Click Start recovery.
10. When recovering to an existing virtual machine, confirm that you want to overwrite the disks.
The recovery progress is shown on the Activities tab.
Recovering a virtual machine
You can recover virtual machines from their backups.
Note
Recovery through the web interface is not available for tenants in the Enhanced security mode.
Prerequisites
• A virtual machine must be stopped during the recovery to this machine. By default, the software
stops the machine without a prompt. When the recovery is completed, you have to start the
machine manually. You can change the default behavior by using the VM power management
recovery option (click Recovery options > VM power management).
Procedure
1. Do one of the following:
• Select a backed-up machine, click Recovery, and then select a recovery point.
• Select a recovery point on the Backup storage tab.
2. Click Recover > Entire machine.
3. If you want to recover to a physical machine, select Physical machine in Recover to. Otherwise,
skip this step.
Recovery to a physical machine is possible only if the disk configuration of the target machine
exactly matches the disk configuration in the backup.
If this is the case, continue to step 4 in "Physical machine". Otherwise, we recommend that you
perform the V2P migration by using bootable media.
4. [Optional] By default, the software automatically selects the original machine as the target
machine. To recover to another virtual machine, click Target machine, and then do the
following:
a. Select the hypervisor (VMware ESXi, Hyper-V, Virtuozzo, Virtuozzo Hybrid Infrastructure,
Scale Computing HC3, or oVirt).
Only Virtuozzo virtual machines can be recovered to Virtuozzo. For more information about
V2V migration, refer to "Machine migration".
b. Select whether to recover to a new or existing machine.
c. Select the host and specify the new machine name, or select an existing target machine.
d. Click OK.
5. Set up the additional recovery options that you need.
• [Optional] [Not available for Virtuozzo Hybrid Infrastructure and Scale Computing HC3] To
select the datastore for the virtual machine, click Datastore for ESXi, Path for Hyper-V and
Virtuozzo, or Storage domain for Red Hat Virtualization (oVirt), and then select the datastore
(storage) for the virtual machine.
• [Optional] To view the datastore (storage), interface, and the provisioning mode for each
virtual disk, click Disk mapping. You can change these settings, unless you are recovering a
Virtuozzo container or Virtuozzo Hybrid Infrastructure virtual machine.
For Virtuozzo Hybrid Infrastructure, you can only select the storage policy for the target disks.
To do so, select the desired target disk, and then click Change. In the blade that opens, click
the gear icon, select the storage policy, and then click Done.
The mapping section also enables you to choose individual disks for recovery.
• [Optional] [Available for VMware ESXi, Hyper-V, and Virtuozzo] To change the memory size, the
number of processors, and the network connections of the virtual machine, click VM settings.
• [For Virtuozzo Hybrid Infrastructure] To change the memory size and the number of
processors of the virtual machine, select Flavor.
6. Click Start recovery.
7. When recovering to an existing virtual machine, confirm that you want to overwrite the disks.
The recovery progress is shown on the Activities tab.
Recovering disks by using bootable media
For information about how to create bootable media, refer to "Creating physical bootable media" (p.
626).
To recover disks by using bootable media
1. Boot the target machine by using bootable media.
2. [Only when recovering a Mac] If you are recovering APFS-formatted disks/volumes to a non-original
machine or to bare metal, re-create the original disk configuration manually:
a. Click Disk Utility.
b. Erase and format the target disk into APFS. For instructions, refer to
https://support.apple.com/en-us/HT208496#erasedisk.
c. Re-create the original disk configuration. For instructions, refer to
https://support.apple.com/guide/disk-utility/add-erase-or-delete-apfs-volumes-dskua9e6a110/19.0/mac/10.15.
d. Click Disk Utility > Quit Disk Utility.
3. Click Manage this machine locally or click Rescue Bootable Media twice, depending on the
media type you are using.
4. If a proxy server is enabled in your network, click Tools > Proxy server, and then specify the
proxy server host name/IP address, port, and credentials. Otherwise, skip this step.
5. [Optional] When recovering Windows or Linux, click Tools > Register media in the Cyber
Protection service, and then specify the registration token that you obtained when
downloading the media. If you do this, you will not need to enter credentials or a registration
code to access the cloud storage, as described in step 8.
6. On the welcome screen, click Recover.
7. Click Select data, and then click Browse.
8. Specify the backup location:
• To recover from cloud storage, select Cloud storage. Enter the credentials of the account to
which the backed up machine is assigned.
When recovering Windows or Linux, you have the option to request a registration code and
use it instead of the credentials. Click Use registration code > Request the code. The
software shows the registration link and the registration code. You can copy them and
perform the registration steps on a different machine. The registration code is valid for one
hour.
• To recover from a local or a network folder, browse to the folder under Local folders or
Network folders.
Click OK to confirm your selection.
9. Select the backup from which you want to recover the data. If prompted, type the password for
the backup.
10. In Backup contents, select the disks that you want to recover. Click OK to confirm your
selection.
11. Under Where to recover, the software automatically maps the selected disks to the target disks.
If the mapping is not successful or if you are unsatisfied with the mapping result, you can re-map
disks manually.
Note
Changing disk layout may affect the operating system bootability. Please use the original
machine's disk layout unless you feel fully confident of success.
12. [When recovering Linux] If the backed-up machine had logical volumes (LVM) and you want to
reproduce the original LVM structure:
a. Ensure that the number of the target machine disks and each disk capacity are equal to or
exceed those of the original machine, and then click Apply RAID/LVM.
b. Review the volume structure, and then click Apply RAID/LVM to create it.
13. [Optional] Click Recovery options to specify additional settings.
14. Click OK to start the recovery.
Using Universal Restore
The most recent operating systems remain bootable when recovered to dissimilar hardware,
including the VMware or Hyper-V platforms. If a recovered operating system does not boot, use the
Universal Restore tool to update the drivers and modules that are critical for the operating system
startup.
Universal Restore is applicable to Windows and Linux.
To apply Universal Restore
1. Boot the machine from the bootable media.
2. Click Apply Universal Restore.
3. If there are multiple operating systems on the machine, choose the one to apply Universal
Restore to.
4. [For Windows only] Configure the additional settings.
5. Click OK.
Universal Restore in Windows
Preparation
Prepare drivers
Before applying Universal Restore to a Windows operating system, make sure that you have the
drivers for the new HDD controller and the chipset. These drivers are critical to start the operating
system. Use the CD or DVD supplied by the hardware vendor or download the drivers from the
vendor’s website. The driver files should have the *.inf extension. If you download the drivers in the
*.exe, *.cab or *.zip format, extract them using a third-party application.
The best practice is to store drivers for all the hardware used in your organization in a single
repository sorted by device type or by the hardware configurations. You can keep a copy of the
repository on a DVD or a flash drive; pick some drivers and add them to the bootable media; create
the custom bootable media with the necessary drivers (and the necessary network configuration)
for each of your servers. Or, you can simply specify the path to the repository every time Universal
Restore is used.
Check access to the drivers in bootable environment
Make sure you have access to the device with drivers when working under bootable media. Use
WinPE-based media if the device is available in Windows but Linux-based media does not detect it.
Universal Restore settings
Automatic driver search
Specify where the program will search for the Hardware Abstraction Layer (HAL), HDD controller
driver and network adapter driver(s):
• If the drivers are on a vendor's disc or other removable media, turn on Search removable
media.
• If the drivers are located in a networked folder or on the bootable media, specify the path to the
folder by clicking Add folder.
In addition, Universal Restore will search the Windows default driver storage folder. Its location is
determined in the registry value DevicePath, which can be found in the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. This storage folder is usually
WINDOWS/inf.
Universal Restore will perform a recursive search in all the sub-folders of the specified folder, find
the most suitable HAL and HDD controller drivers of all those available, and install them into the
system. Universal Restore also searches for the network adapter driver; the path to the found driver
is then transmitted by Universal Restore to the operating system. If the hardware has multiple
network interface cards, Universal Restore will try to configure all the cards' drivers.
Mass storage drivers to install anyway
You need this setting if:
• The hardware has a specific mass storage controller such as RAID (especially NVIDIA RAID) or a
fibre channel adapter.
• You migrated a system to a virtual machine that uses a SCSI hard drive controller. Use SCSI
drivers bundled with your virtualization software or download the latest driver versions from the
software manufacturer website.
• The automatic driver search does not help to boot the system.
Specify the appropriate drivers by clicking Add driver. The drivers defined here will be installed,
with appropriate warnings, even if the program finds a better driver.
Universal Restore process
After you have specified the required settings, click OK.
If Universal Restore cannot find a compatible driver in the specified locations, it will display a
prompt about the problem device. Do one of the following:
• Add the driver to any of the previously specified locations and click Retry.
• If you do not remember the location, click Ignore to continue the process. If the result is not
satisfactory, reapply Universal Restore. When configuring the operation, specify the necessary
driver.
Once Windows boots, it will initialize the standard procedure for installing new hardware. The
network adapter driver will be installed silently if the driver has the Microsoft Windows signature.
Otherwise, Windows will ask for confirmation on whether to install the unsigned driver.
After that, you will be able to configure the network connection and specify drivers for the video
adapter, USB and other devices.
Universal Restore in Linux
Universal Restore can be applied to Linux operating systems with a kernel version of 2.6.8 or later.
When Universal Restore is applied to a Linux operating system, it updates a temporary file system
known as the initial RAM disk (initrd). This ensures that the operating system can boot on the new
hardware.
Universal Restore adds modules for the new hardware (including device drivers) to the initial RAM
disk. As a rule, it finds the necessary modules in the /lib/modules directory. If Universal Restore
cannot find a module it needs, it records the module’s file name into the log.
Universal Restore may modify the configuration of the GRUB boot loader. This may be required, for
example, to ensure the system bootability when the new machine has a different volume layout
than the original machine.
Universal Restore never modifies the Linux kernel.
Reverting to the original initial RAM disk
You can revert to the original initial RAM disk if necessary.
The initial RAM disk is stored on the machine in a file. Before updating the initial RAM disk for the
first time, Universal Restore saves a copy of it to the same directory. The name of the copy is the
name of the file, followed by the _acronis_backup.img suffix. This copy will not be overwritten if
you run Universal Restore more than once (for example, after you have added missing drivers).
To revert to the original initial RAM disk, do any of the following:
• Rename the copy accordingly. For example, run a command similar to the following:
mv initrd-2.6.16.60-0.21-default_acronis_backup.img initrd-2.6.16.60-0.21-default
• Specify the copy in the initrd line of the GRUB boot loader configuration.
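The rename described above, as an added shell example (not Acronis code): it finds saved copies by the _acronis_backup.img suffix and renames each one back to the original file name, after setting aside the image that Universal Restore modified. The function names and the .universal_restore suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example: put back the initial RAM disk that Universal Restore saved.
# Assumption from the section above: the saved copy lies in the same directory
# as the live file and is named "<file name>_acronis_backup.img".

SUFFIX="_acronis_backup.img"
# Hypothetical suffix, chosen for this example only, under which the image
# modified by Universal Restore is kept so that the revert can be undone.
KEEP_SUFFIX=".universal_restore"

# list_initrd_backups DIR: print every saved copy found in DIR, one per line.
list_initrd_backups() {
    dir=$1
    for copy in "$dir"/*"$SUFFIX"; do
        [ -f "$copy" ] && printf '%s\n' "$copy"
    done
    return 0
}

# revert_initrd COPY: rename COPY back to the original file name.
# Returns 2 if COPY does not carry the suffix, 1 if it is missing or empty.
revert_initrd() {
    copy=$1
    case $copy in
        *"$SUFFIX") ;;
        *) echo "not a Universal Restore copy: $copy" >&2; return 2 ;;
    esac
    # An empty or missing copy would leave the system without a usable initrd.
    { [ -f "$copy" ] && [ -s "$copy" ]; } || {
        echo "missing or empty: $copy" >&2
        return 1
    }
    original=${copy%"$SUFFIX"}
    if [ -f "$original" ]; then
        mv -- "$original" "$original$KEEP_SUFFIX" || return 1
    fi
    mv -- "$copy" "$original"
}

# revert_all DIR: revert every saved copy in DIR and print how many were reverted.
revert_all() {
    dir=$1
    count=0
    for copy in "$dir"/*"$SUFFIX"; do
        [ -f "$copy" ] || continue
        revert_initrd "$copy" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Run only when a directory is passed, for example: sh revert_initrd.sh /boot
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    revert_all "$1"
fi
```

If the boot loader configuration was pointed at the saved copy instead, leave the files as they are; the two methods are alternatives.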
Recovering files
Recovering files by using the web interface
Note
Recovery through the web interface is not available for tenants in the Enhanced security mode.
1. Select the machine that originally contained the data that you want to recover.
2. Click Recovery.
3. Select the recovery point. Note that recovery points are filtered by location.
If the selected machine is physical and it is offline, recovery points are not displayed. Do any of
the following:
• [Recommended] If the backup location is cloud or shared storage (i.e. other agents can access
it), click Select machine, select a target machine that is online, and then select a recovery
point.
• Select a recovery point on the Backup storage tab.
• Download the files from the cloud storage.
• Use bootable media.
4. Click Recover > Files/folders.
5. Browse to the required folder or use the search bar to obtain the list of the required files and
folders.
Search is language-independent.
You can use one or more wildcard characters (* and ?). For more details about using wildcards,
refer to "File filters".
Note
Search is not available for disk-level backups that are stored in the cloud storage.
6. Select the files that you want to recover.
7. If you want to save the files as a .zip file, click Download, select the location to save the data to,
and click Save. Otherwise, skip this step.
Downloading is not available if your selection contains folders or the total size of the selected
files exceeds 100 MB. To retrieve larger amounts of data from the cloud, use the procedure
"Downloading files from the cloud storage" (p. 257).
8. Click Recover.
In Recover to, you see one of the following:
• The machine that originally contained the files that you want to recover (if an agent is installed
on this machine).
• The machine where Agent for VMware, Agent for Hyper-V, Agent for Virtuozzo, Agent for Scale
Computing HC3, or Agent for oVirt is installed (if the files originate from an ESXi, Hyper-V,
Virtuozzo, Scale Computing HC3, or Red Hat Virtualization/oVirt virtual machine).
This is the target machine for the recovery. You can select another machine, if necessary.
9. In Path, select the recovery destination. You can select one of the following:
• The original location (when recovering to the original machine)
• A local folder on the target machine
Note
Symbolic links are not supported.
• A network folder that is accessible from the target machine.
10. Click Start recovery.
11. Select one of the file overwriting options:
• Overwrite existing files
• Overwrite an existing file if it is older
• Do not overwrite existing files
The recovery progress is shown on the Activities tab.
Downloading files from the cloud storage
You can browse the cloud storage, view the contents of the backups, and download files that you
need.
Limitations
• Backups of system state, SQL databases, and Exchange databases cannot be browsed.
To download files from the cloud storage
1. Select a machine that was backed up.
2. Click Recovery > Download files.
3. Enter the credentials of the account to which the backed up machine is assigned.
4. [When browsing disk-level backups] Under Versions, click the backup from which you want to
recover the files.
[When browsing file-level backups] You can select the backup date and time in the next step,
under the gear icon located to the right of the selected file. By default, files are recovered from
the latest backup.
5. Browse to the required folder or use the search bar to obtain the list of the required files.
Search is language-independent.
6. Select the check boxes for the items you need to recover, and then click Download.
If you select a single file, it will be downloaded as is. Otherwise, the selected data will be archived
into a .zip file.
7. Select the location to save the data to, and then click Save.
Verifying file authenticity with Notary Service
If notarization was enabled during backup, you can verify the authenticity of a backed-up file.
To verify the file authenticity
1. Select the file as described in steps 1-6 of the "Recovering files by using the web interface"
section, or steps 1-5 of the "Downloading files from the cloud storage" section.
2. Ensure that the selected file is marked with the following icon: . This means that the file is
notarized.
3. Do one of the following:
• Click Verify.
The software checks the file authenticity and displays the result.
• Click Get certificate.
A certificate that confirms the file notarization is opened in a web browser window. The
window also contains instructions that allow you to verify the file authenticity manually.
Signing a file with ASign
Note
The availability of this feature depends on the service quotas that are enabled for your account.
ASign is a service that allows multiple people to sign a backed-up file electronically. This feature is
available only for file-level backups stored in the cloud storage.
Only one file version can be signed at a time. If the file was backed up multiple times, you must
choose the version to sign, and only this version will be signed.
For example, ASign can be used for electronic signing of the following files:
• Rental or lease agreements
• Sales contracts
• Asset purchase agreements
• Loan agreements
• Permission slips
• Financial documents
• Insurance documents
• Liability waivers
• Healthcare documents
• Research papers
• Certificates of product authenticity
• Nondisclosure agreements
• Offer letters
• Confidentiality agreements
• Independent contractor agreements
To sign a file version
1. Select the file as described in steps 1-6 of the "Recovering files by using the web interface"
section, or steps 1-5 of the "Downloading files from the cloud storage" section.
2. Ensure that the correct date and time is selected on the left panel.
3. Click Sign this file version.
4. Specify the password for the cloud storage account under which the backup is stored. The login
of the account is displayed in the prompt window.
The ASign service interface is opened in a web browser window.
5. Add other signees by specifying their email addresses. It is not possible to add or remove signees
after sending invitations, so ensure that the list includes everyone whose signature is required.
6. Click Invite to sign to send invitations to the signees.
Each signee receives an email message with the signature request. When all the requested
signees sign the file, it is notarized and signed through the notary service.
You will receive notifications when each signee signs the file and when the entire process is
complete. You can access the ASign web page by clicking View details in any of the email
messages that you receive.
7. Once the process is complete, go to the ASign web page and click Get document to download a
.pdf document that contains:
• The Signature Certificate page with the collected signatures.
• The Audit Trail page with history of activities: when the invitation was sent to the signees,
when each signee signed the file, and so on.
Recovering files by using bootable media
For information about how to create bootable media, refer to "Creating bootable media".
To recover files by using bootable media
1. Boot the target machine by using the bootable media.
2. Click Manage this machine locally or click Rescue Bootable Media twice, depending on the
media type you are using.
3. If a proxy server is enabled in your network, click Tools > Proxy server, and then specify the
proxy server host name/IP address, port, and credentials. Otherwise, skip this step.
4. [Optional] When recovering Windows or Linux, click Tools > Register media in the Cyber
Protection service, and then specify the registration token that you obtained when
downloading the media. If you do this, you will not need to enter credentials or a registration
code to access the cloud storage, as described in step 7.
5. On the welcome screen, click Recover.
6. Click Select data, and then click Browse.
7. Specify the backup location:
• To recover from cloud storage, select Cloud storage. Enter the credentials of the account to
which the backed up machine is assigned.
When recovering Windows or Linux, you have the option to request a registration code and
use it instead of the credentials. Click Use registration code > Request the code. The
software shows the registration link and the registration code. You can copy them and
perform the registration steps on a different machine. The registration code is valid for one
hour.
• To recover from a local or a network folder, browse to the folder under Local folders or
Network folders.
Click OK to confirm your selection.
8. Select the backup from which you want to recover the data. If prompted, type the password for
the backup.
9. In Backup contents, select Folders/files.
10. Select the data that you want to recover. Click OK to confirm your selection.
11. Under Where to recover, specify a folder. Optionally, you can prohibit overwriting of newer
versions of files or exclude some files from recovery.
12. [Optional] Click Recovery options to specify additional settings.
13. Click OK to start the recovery.
Extracting files from local backups
You can browse the contents of backups and extract files that you need.
Requirements
• This functionality is available only in Windows by using File Explorer.
• A protection agent must be installed on the machine from which you browse a backup.
• The backed-up file system must be one of the following: FAT16, FAT32, NTFS, ReFS, Ext2, Ext3,
Ext4, XFS, or HFS+.
• The backup must be stored in a local folder or on a network share (SMB/CIFS).
To extract files from a backup
1. Browse to the backup location by using File Explorer.
2. Double-click the backup file. The file names are based on the following template:
<machine name> - <protection plan GUID>
3. If the backup is encrypted, enter the encryption password. Otherwise, skip this step.
File Explorer displays the recovery points.
4. Double-click the recovery point.
File Explorer displays the backed-up data.
5. Browse to the required folder.
6. Copy the required files to any folder on the file system.
Recovering system state
Note
Recovery through the web interface is not available for tenants in the Enhanced security mode.
1. Select the machine for which you want to recover the system state.
2. Click Recovery.
3. Select a system state recovery point. Note that recovery points are filtered by location.
4. Click Recover system state.
5. Confirm that you want to overwrite the system state with its backed-up version.
The recovery progress is shown on the Activities tab.
Recovering ESXi configuration
To recover an ESXi configuration, you need Linux-based bootable media. For information about how
to create bootable media, refer to "Creating physical bootable media" (p. 626).
If you are recovering an ESXi configuration to a non-original host and the original ESXi host is still
connected to the vCenter Server, disconnect and remove this host from the vCenter Server to avoid
unexpected issues during the recovery. If you want to keep the original host along with the
recovered one, you can add it again after the recovery is complete.
The virtual machines running on the host are not included in an ESXi configuration backup. They can
be backed up and recovered separately.
To recover an ESXi configuration
1. Boot the target machine by using the bootable media.
2. Click Manage this machine locally.
3. On the welcome screen, click Recover.
4. Click Select data, and then click Browse.
5. Specify the backup location:
• Browse to the folder under Local folders or Network folders.
Click OK to confirm your selection.
6. In Show, select ESXi configurations.
7. Select the backup from which you want to recover the data. If prompted, type the password for
the backup.
8. Click OK.
9. In Disks to be used for new datastores, do the following:
• Under Recover ESXi to, select the disk where the host configuration will be recovered. If you
are recovering the configuration to the original host, the original disk is selected by default.
• [Optional] Under Use for new datastore, select the disks where new datastores will be
created. Be careful because all data on the selected disks will be lost. If you want to preserve
the virtual machines in the existing datastores, do not select any disks.
10. If any disks for new datastores are selected, select the datastore creation method in How to
create new datastores: Create one datastore per disk or Create one datastore on all
selected HDDs.
11. [Optional] In Network mapping, change the result of automatic mapping of the virtual switches
present in the backup to the physical network adapters.
12. [Optional] Click Recovery options to specify additional settings.
13. Click OK to start the recovery.
Recovery options
To modify the recovery options, click Recovery options when configuring recovery.
Availability of the recovery options
The set of available recovery options depends on:
• The environment the agent that performs recovery operates in (Windows, Linux, macOS, or
bootable media).
• The type of data being recovered (disks, files, virtual machines, application data).
The following table summarizes the availability of the recovery options.
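| Recovery option | Disks: Windows | Disks: Linux | Disks: Bootable media | Files: Windows | Files: Linux | Files: macOS | Files: Bootable media | Virtual machines: ESXi, Hyper-V, and Virtuozzo | SQL and Exchange: Windows |
|---|---|---|---|---|---|---|---|---|---|
| Backup validation | + | + | + | + | + | + | + | + | + |
| Boot mode | + | - | - | - | - | - | - | + | - |
| Date and time for files | - | - | - | + | + | + | + | - | - |
| Error handling | + | + | + | + | + | + | + | + | + |
| File exclusions | - | - | - | + | + | + | + | - | - |
| File-level security | - | - | - | + | - | - | - | - | - |
| Flashback | + | + | + | - | - | - | - | + | - |
| Full path recovery | - | - | - | + | + | + | + | - | - |
| Mount points | - | - | - | + | - | - | - | - | - |
| Performance | + | + | - | + | + | + | - | + | + |
| Pre/post commands | + | + | - | + | + | + | - | + | + |
| SID changing | + | - | - | - | - | - | - | - | - |
| VM power management | - | - | - | - | - | - | - | + | - |
| Windows event log | + | - | - | + | - | - | - | Hyper-V only | + |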
Backup validation
This option defines whether to validate a backup to ensure that the backup is not corrupted, before
data is recovered from it. This operation is performed by the protection agent.
The preset is: Disabled.
Validation calculates a checksum for every data block saved in the backup. The only exception is
validation of file-level backups that are located in the cloud storage. These backups are validated by
checking consistency of the meta information saved in the backup.
Validation is a time-consuming process, even for incremental or differential backups, which are
small in size. This is because the operation validates not only the data physically contained in the
backup, but all of the data recoverable by selecting the backup. This requires access to previously
created backups.
Note
Depending on the settings chosen by your service provider, validation might not be available when
backing up to the cloud storage.
Boot mode
This option is effective when recovering a physical or a virtual machine from a disk-level backup that
contains a Windows operating system.
This option enables you to select the boot mode (BIOS or UEFI) that Windows will use after the
recovery. If the boot mode of the original machine is different from the selected boot mode, the
software will:
• Initialize the disk to which you are recovering the system volume, according to the selected boot
mode (MBR for BIOS, GPT for UEFI).
• Adjust the Windows operating system so that it can start using the selected boot mode.
The preset is: As on the target machine.
You can choose one of the following:
- As on the target machine
The agent that is running on the target machine detects the boot mode currently used by
Windows and makes the adjustments according to the detected boot mode.
This is the safest value that automatically results in a bootable system unless the limitations
listed below apply. Since the Boot mode option is absent under bootable media, the agent on media
always behaves as if this value is chosen.
- As on the backed-up machine
The agent that is running on the target machine reads the boot mode from the backup and
makes the adjustments according to this boot mode. This helps you recover a system on a
different machine, even if this machine uses another boot mode, and then replace the disk in the
backed-up machine.
- BIOS
The agent that is running on the target machine makes the adjustments to use BIOS.
- UEFI
The agent that is running on the target machine makes the adjustments to use UEFI.
Once a setting is changed, the disk mapping procedure will be repeated. This will take some time.
Recommendations
If you need to transfer Windows between UEFI and BIOS:
- Recover the entire disk where the system volume is located. If you recover only the system
volume on top of an existing volume, the agent will not be able to initialize the target disk
properly.
- Remember that BIOS does not allow using more than 2 TB of disk space.
Limitations
- Transferring between UEFI and BIOS is supported for:
  - 64-bit Windows operating systems starting with Windows 7
  - 64-bit Windows Server operating systems starting with Windows Server 2008 SP1
- Transferring between UEFI and BIOS is not supported if the backup is stored on a tape device.
When transferring a system between UEFI and BIOS is not supported, the agent behaves as if the As
on the backed-up machine setting is chosen. If the target machine supports both UEFI and BIOS,
you need to manually enable the boot mode corresponding to the original machine. Otherwise, the
system will not boot.
Date and time for files
This option is effective only when recovering files.
This option defines whether to recover the files' date and time from the backup or assign the files
the current date and time.
If this option is enabled, the files will be assigned the current date and time.
The preset is: Enabled.
Error handling
These options enable you to specify how to handle errors that might occur during recovery.
Re-attempt, if an error occurs
The preset is: Enabled. Number of attempts: 30. Interval between attempts: 30 seconds.
When a recoverable error occurs, the program re-attempts to perform the unsuccessful operation.
You can set the time interval and the number of attempts. The attempts will be stopped as soon as
the operation succeeds or the specified number of attempts is performed, whichever comes first.
Do not show messages and dialogs while processing (silent mode)
The preset is: Disabled.
With the silent mode enabled, the program will automatically handle situations requiring user
interaction where possible. If an operation cannot continue without user interaction, it will fail.
Details of the operation, including errors, if any, can be found in the operation log.
Save system information if a recovery with reboot fails
This option is effective for a disk or volume recovery to a physical machine running Windows or
Linux.
The preset is: Disabled.
When this option is enabled, you can specify a folder on the local disk (including flash or HDD drives
attached to the target machine) or on a network share where the log, system information, and crash
dump files will be saved. These files will help the technical support personnel to identify the problem.
File exclusions
This option is effective only when recovering files.
The option defines which files and folders to skip during the recovery process and thus exclude
from the list of recovered items.
Note
Exclusions override the selection of data items to recover. For example, if you select to recover file
MyFile.tmp and to exclude all .tmp files, file MyFile.tmp will not be recovered.
File-level security
This option is effective when recovering files from disk- and file-level backups of NTFS-formatted
volumes.
This option defines whether to recover NTFS permissions for files along with the files.
The preset is: Enabled.
You can choose whether to recover the permissions or let the files inherit their NTFS permissions
from the folder to which they are recovered.
Flashback
This option is effective when recovering disks and volumes on physical and virtual machines, except
for Mac.
This option works only if the volume layout of the disk being recovered exactly matches that of the
target disk.
If the option is enabled, only the differences between the data in the backup and the target disk
data are recovered. This accelerates recovery of physical and virtual machines. The data is
compared at the block level.
When recovering a physical machine, the preset is: Disabled.
When recovering a virtual machine, the preset is: Enabled.
Full path recovery
This option is effective only when recovering data from a file-level backup.
If this option is enabled, the full path to the file will be re-created in the target location.
The preset is: Disabled.
Mount points
This option is effective only in Windows for recovering data from a file-level backup.
Enable this option to recover files and folders that were stored on the mounted volumes and were
backed up with the enabled Mount points option.
The preset is: Disabled.
This option is effective only when you select for recovery a folder that is higher in the folder
hierarchy than the mount point. If you select for recovery folders within the mount point or the
mount point itself, the selected items will be recovered regardless of the Mount points option
value.
Note
Please be aware that if the volume is not mounted at the moment of recovery, the data will be
recovered directly to the folder that has been the mount point at the time of backing up.
Performance
This option defines the priority of the recovery process in the operating system.
The available settings are: Low, Normal, High.
The preset is: Normal.
The priority of a process running in a system determines the amount of CPU and system resources
allocated to that process. Decreasing the recovery priority will free more resources for other
applications. Increasing the recovery priority might speed up the recovery process by requesting the
operating system to allocate more resources to the application that will perform the recovery.
However, the resulting effect will depend on the overall CPU usage and other factors like disk I/O
speed or network traffic.
Pre/Post commands
The option enables you to define the commands to be automatically executed before and after the
data recovery.
Example of how you can use the pre/post commands:
- Launch the Checkdisk command before the recovery starts or after the recovery ends, in order to
find and fix logical file system errors, physical errors, or bad sectors.
The program does not support interactive commands, i.e. commands that require user input (for
example, "pause").
A post-recovery command will not be executed if the recovery proceeds with reboot.
Pre-recovery command
To specify a command/batch file to be executed before the recovery process starts
1. Enable the Execute a command before the recovery switch.
2. In the Command... field, type a command or browse to a batch file. The program does not
support interactive commands, i.e. commands that require user input (for example, "pause").
3. In the Working directory field, specify a path to a directory where the command/batch file will
be executed.
4. In the Arguments field, specify the command’s execution arguments, if required.
5. Depending on the result you want to obtain, select the appropriate options as described in the
table below.
6. Click Done.
Check box                                                Selection
Fail the recovery if the command execution fails*        Selected   Cleared    Selected   Cleared
Do not recover until the command execution is complete   Selected   Selected   Cleared    Cleared

Result, by combination (Fail the recovery / Do not recover until complete):
- Selected / Selected (preset): Perform the recovery only after the command is successfully
executed. Fail the recovery if the command execution failed.
- Cleared / Selected: Perform the recovery after the command is executed despite execution failure
or success.
- Selected / Cleared: N/A
- Cleared / Cleared: Perform the recovery concurrently with the command execution and irrespective
of the command execution result.
* A command is considered failed if its exit code is not equal to zero.
Post-recovery command
To specify a command/executable file to be executed after the recovery is completed
1. Enable the Execute a command after the recovery switch.
2. In the Command... field, type a command or browse to a batch file.
3. In the Working directory field, specify a path to a directory where the command/batch file will
be executed.
4. In the Arguments field, specify the command execution arguments, if required.
5. Select the Fail the recovery if the command execution fails check box if successful execution
of the command is critical for you. The command is considered failed if its exit code is not equal
to zero. If the command execution fails, the recovery status will be set to Error.
When the check box is not selected, the command execution result does not affect the recovery
failure or success. You can track the command execution result by exploring the Activities tab.
6. Click Done.
Note
A post-recovery command will not be executed if the recovery proceeds with reboot.
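The exit-code rule described above can be used as an integrity gate after a file recovery. The following is an added example, not Acronis code: a non-interactive script for a machine running Agent for Linux, intended as the post-recovery command with Fail the recovery if the command execution fails selected. The script name, all paths, and the existence of a SHA-256 manifest that was created before the backup and is kept outside the recovered data are assumptions.

```shell
#!/bin/sh
# verify_recovery.sh - added example of a non-interactive post-recovery command.
# Hypothetical console settings (assumptions, not taken from the guide):
#   Command:   /usr/local/sbin/verify_recovery.sh
#   Arguments: /srv/restore /srv/restore.sha256 /var/log/verify_recovery.log
# Exit code 0 = every file matches; non-zero = the command is considered failed.

# Print the SHA-256 of one file; works with GNU coreutils or with shasum (macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# verify_manifest ROOT MANIFEST [LOG]
# MANIFEST uses the sha256sum format: "<hex digest>  <path relative to ROOT>".
# Returns 0 = all entries match, 1 = mismatch, missing or unsafe entry,
# 2 = unusable input. The body is a subshell, so no variable leaks to the caller.
verify_manifest() (
    root=$1; manifest=$2; log=${3:-/dev/null}
    if [ ! -d "$root" ] || [ ! -r "$manifest" ]; then
        echo "ERROR unusable root or manifest" >> "$log"
        exit 2
    fi
    checked=0; failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        expected=${line%% *}
        rel=${line#* }
        # Drop the text/binary marker (' ' or '*') that follows the digest.
        case $rel in ' '*|'*'*) rel=${rel#?} ;; esac
        checked=$((checked + 1))
        # Refuse entries that would make the check read outside ROOT.
        case $rel in
            /*|..|../*|*/..|*/../*)
                echo "UNSAFE $rel" >> "$log"; failed=$((failed + 1)); continue ;;
        esac
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING $rel" >> "$log"; failed=$((failed + 1)); continue
        fi
        actual=$(hash_file "$root/$rel") || actual=
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $rel" >> "$log"; failed=$((failed + 1))
        fi
    done < "$manifest"
    echo "SUMMARY checked=$checked failed=$failed" >> "$log"
    # An empty manifest proves nothing, so it counts as a failure as well.
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
)

# Build a small constructed sample (two files and their manifest) under DIR.
make_sample() {
    mkdir -p "$1/data/etc"
    printf 'listen 8443\n' > "$1/data/etc/app.conf"
    printf 'constructed payload\n' > "$1/data/report.txt"
    ( cd "$1/data" && for f in etc/app.conf report.txt; do
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done ) > "$1/manifest.sha256"
}

# Act as a command only when installed under its own name, so that sourcing the
# file just defines the functions. stdin is closed off: nothing may prompt.
case ${0##*/} in
    verify_recovery.sh)
        [ "$#" -ge 2 ] || { echo "usage: $0 ROOT MANIFEST [LOG]" >&2; exit 2; }
        verify_manifest "$@" < /dev/null
        exit $? ;;
esac
```

A non-zero exit sets the recovery status to Error only when the check box is selected. Because a post-recovery command is not executed if the recovery proceeds with reboot, such recoveries need the same check to be started separately.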
SID changing
This option is effective when recovering Windows 8.1/Windows Server 2012 R2 or earlier.
This option is not effective when recovery to a virtual machine is performed by Agent for VMware,
Agent for Hyper-V, Agent for Scale Computing HC3, or Agent for oVirt.
The preset is: Disabled.
The software can generate a unique security identifier (Computer SID) for the recovered operating
system. You only need this option to ensure operability of third-party software that depends on
Computer SID.
Microsoft does not officially support changing SID on a deployed or recovered system. So use this
option at your own risk.
VM power management
These options are effective when recovery to a virtual machine is performed by Agent for VMware,
Agent for Hyper-V, Agent for Virtuozzo, Agent for Scale Computing HC3, or Agent for oVirt.
Power off target virtual machines when starting recovery
The preset is: Enabled.
Recovery to an existing virtual machine is not possible if the machine is online, and so the machine
is powered off automatically as soon as the recovery starts. Users will be disconnected from the
machine and any unsaved data will be lost.
Clear the check box for this option if you prefer to power off virtual machines manually before the
recovery.
Power on the target virtual machine when recovery is complete
The preset is: Disabled.
After a machine is recovered from a backup to another machine, there is a chance the existing
machine's replica will appear on the network. To be on the safe side, power on the recovered virtual
machine manually, after you take the necessary precautions.
Windows event log
This option is effective only in Windows operating systems.
This option defines whether the agents have to log events of the recovery operations in the
Application Event Log of Windows (to see this log, run eventvwr.exe or select Control Panel >
Administrative tools > Event Viewer). You can filter the events to be logged.
The preset is: Disabled.
Operations with backups
The Backup storage tab
The Backup storage tab provides access to all backups, including backups of offline machines,
backups of machines that are no longer registered in the Cyber Protection service, and orphaned
backups¹.
Backups that are stored in a shared location (such as an SMB or NFS share) are visible to all users
that have the read permission for the location.
In Windows, backup files inherit the access permissions from their parent folder. Therefore, we
recommend that you restrict the read permissions for this folder.
In the cloud storage, users have access only to their own backups.
An administrator can view backups to cloud on behalf of any account that belongs to the given unit
or company and its child groups, by selecting the cloud storage for the account. To select the device
that you want to use to obtain data from cloud, click Change in the Machine to browse from row.
The Backup storage tab shows the backups of all machines ever registered under the selected
account.
Backups created by the cloud Agent for Microsoft 365 and backups of Google Workspace data are
shown not in the Cloud storage location, but in a separate section named Cloud applications
backups.
¹ An orphaned backup is a backup that is no longer associated with a protection plan.
Backup locations that are used in protection plans are automatically added to the Backup storage
tab. To add a custom folder (for example, a detachable USB device) to the list of backup locations,
click Browse and specify the folder path.
If you added or removed some backups by using a file manager, click the gear icon next to the
location name, and then click Refresh.
Warning!
Do not try editing the backup files manually because this may result in file corruption and make the
backups unusable. Also, we recommend that you use the backup replication instead of moving
backup files manually.
A backup location (except for the cloud storage) disappears from the Backup storage tab if all
machines that had ever backed up to the location were deleted from the Cyber Protection service.
This ensures that you do not have to pay for the backups stored in this location. As soon as a
backup to this location occurs, the location is re-added along with all backups that are stored in it.
On the Backup storage tab, you can filter backups in the list by using the following criteria:
- Only with forensic data – only backups having forensic data will be shown.
- Only pre-update backups created by Patch management – only backups that were created
during a patch management run, before patch installation, will be shown.
To select a recovery point by using the Backup storage tab
1. On the Backup storage tab, select the location where the backups are stored.
The software displays all backups that your account is allowed to view in the selected location.
The backups are combined in groups. The group names are based on the following template:
<machine name> - <protection plan name>
2. Select a group from which you want to recover the data.
3. [Optional] Click Change next to Machine to browse from, and then select another machine.
Some backups can only be browsed by specific agents. For example, you must select a machine
running Agent for SQL to browse the backups of Microsoft SQL Server databases.
Important
Please be aware that the Machine to browse from is a default destination for recovery from a
physical machine backup. After you select a recovery point and click Recover, double check the
Target machine setting to ensure that you want to recover to this specific machine. To change
the recovery destination, specify another machine in Machine to browse from.
4. Click Show backups.
5. Select the recovery point.
Mounting volumes from a backup
Mounting volumes from a disk-level backup lets you access the volumes as though they were
physical disks.
Mounting volumes in the read/write mode enables you to modify the backup content; that is, save,
move, create, delete files or folders, and run executables consisting of one file. In this mode, the
software creates an incremental backup that contains the changes you make to the backup content.
Note that none of the subsequent backups will contain these changes.
Requirements
- This functionality is available only in Windows by using File Explorer.
- Agent for Windows must be installed on the machine that performs the mount operation.
- The backed-up file system must be supported by the Windows version that the machine is
running.
- The backup must be stored in a local folder, on a network share (SMB/CIFS), or in the Secure
Zone.
Usage scenarios
- Sharing data
Mounted volumes can be easily shared over the network.
- "Band-aid" database recovery solution
Mount a volume that contains an SQL database from a recently failed machine. This will provide
access to the database until the failed machine is recovered. This approach can also be used for
granular recovery of Microsoft SharePoint data by using SharePoint Explorer.
- Offline virus removal
If a machine is infected, mount its backup, clean it with an antivirus program (or find the latest
backup that is not infected), and then recover the machine from this backup.
- Error check
If a recovery with volume resize has failed, the reason may be an error in the backed-up file
system. Mount the backup in the read/write mode. Then, check the mounted volume for errors
by using the chkdsk /r command. After the errors are fixed and a new incremental backup is
created, recover the system from this backup.
To mount a volume from a backup
1. Browse to the backup location by using File Explorer.
2. Double-click the backup file. The file names are based on the following template:
<machine name> - <protection plan GUID>
3. If the backup is encrypted, enter the encryption password. Otherwise, skip this step.
File Explorer displays the recovery points.
4. Double-click the recovery point.
File Explorer displays the backed-up volumes.
Note
Double-click a volume to browse its content. You can copy files and folders from the backup to
any folder on the file system.
5. Right-click a volume to mount, and then select one of the following options:
a. Mount
Note
Only the last backup in the archive (backup chain) can be mounted in read-write mode.
b. Mount in read-only mode.
6. If the backup is stored on a network share, provide access credentials. Otherwise, skip this step.
The software mounts the selected volume. The first unused letter is assigned to the volume.
To unmount a volume
1. Browse to Computer (This PC in Windows 8.1 and later) by using File Explorer.
2. Right-click the mounted volume.
3. Click Unmount.
4. [Optional] If the volume was mounted in the read/write mode, and its content was modified,
select whether to create an incremental backup containing the changes. Otherwise, skip this
step.
The software unmounts the selected volume.
Validating backups
Validation is an operation that checks the possibility of data recovery from a backup. For more
information about this operation, refer to "Validation" (p. 615).
To validate a backup
1. Select the backed-up workload.
2. Click Recovery.
3. Select a recovery point. Note that recovery points are filtered by location.
If the workload is offline, the recovery points are not displayed. Do any of the following:
- If the backup location is cloud or shared storage (that is, other agents can access it), click
Select machine, select a target workload that is online, and then select a recovery point.
- Select a recovery point on the Backup storage tab. For more information about the backups
there, refer to "The Backup storage tab" (p. 270).
4. Click the gear icon, and then click Validate.
5. Select the agent that will perform the validation.
6. Select the validation method.
7. If the backup is encrypted, provide the encryption password.
8. Click Start.
Exporting backups
The export operation creates a self-sufficient copy of a backup in the location that you specify. The
original backup remains untouched. Exporting backups allows you to separate a specific backup
from a chain of incremental and differential backups for fast recovery, for writing onto removable or
detachable media, or for other purposes.
Note
This functionality is available with the Advanced Backup pack and requires a Server quota for the
machine with the agent that will perform the off-host data processing operations.
The result of an export operation is always a full backup. If you want to replicate the entire backup
chain to a different location and preserve multiple recovery points, use a backup replication plan.
For more information about this plan, refer to "Backup replication" (p. 614).
The backup file name of the exported backup is the same as that of the original backup, except for
the sequence number. If multiple backups from the same backup chain are exported to the same
location, a four-digit sequence number is appended to the file names of all backups except for the
first one.
The exported backup inherits the encryption settings and password from the original backup. When
exporting an encrypted backup, you must specify the password.
To export a backup
1. Select the backed-up workload.
2. Click Recovery.
3. Select a recovery point. Note that recovery points are filtered by location.
If the workload is offline, the recovery points are not displayed. Do any of the following:
- If the backup location is cloud or shared storage (that is, other agents can access it), click
Select machine, select a target workload that is online, and then select a recovery point.
- Select a recovery point on the Backup storage tab. For more information about the backups
there, refer to "The Backup storage tab" (p. 270).
4. Click the gear icon, and then click Export.
5. Select the agent that will perform the export.
6. If the backup is encrypted, provide the encryption password. Otherwise, skip this step.
7. Specify the export destination.
8. Click Start.
Deleting backups
Warning!
If immutable storage is disabled, backup data is permanently deleted and cannot be recovered.
To delete backups of a workload that is online and present in the service console
1. On the All devices tab, select a workload whose backups you want to delete.
2. Click Recovery.
3. Select the location to delete the backups from.
4. Delete the desired backups. You can delete the whole backup chain or a single backup in it.
- To delete the whole backup chain, click Delete all.
- To delete a single backup in the selected chain:
a. Select the backup to delete, and then click the gear icon.
b. Click Delete.
5. Confirm your decision.
To delete backups of any workload
1. On the Backup storage tab, select the location from which you want to delete the backups.
The software displays all backups that your account is allowed to view in the selected location.
The backups are combined in backup sets. The backup set names are based on the following
template:
- <workload name> - <protection plan name>
- <user name> or <drive name> - <cloud service> - <protection plan name> – for cloud-to-cloud
backups
2. Select a backup set.
3. Delete the desired backups. You can delete the whole backup set or a single backup in it.
- To delete the whole backup set, click Delete.
- To delete a single backup in the selected set:
a. Click Show backups.
b. Select the backup to delete, and then click the gear icon.
c. Click Delete.
4. Confirm your decision.
To delete backups directly from the cloud storage
1. Log in to the cloud storage, as described in "Downloading files from the cloud storage" (p. 257).
2. Click the name of the workload whose backups you want to delete.
The software displays one or more backup groups.
3. Click the gear icon corresponding to the backup group that you want to delete.
4. Click Remove.
5. Confirm the operation.
What to do if you deleted local backups by using a file manager
We recommend that you delete backups by using the service console, whenever possible. If you
deleted local backups by using a file manager, do the following:
1. On the Backup storage tab, click the gear icon next to the location name.
2. Click Refresh.
This way you will inform the Cyber Protection service that the local storage usage is decreased.
Protecting Microsoft applications
Protecting Microsoft SQL Server and Microsoft Exchange Server
There are two methods of protecting these applications:
- Database backup
This is a file-level backup of the databases and the metadata associated with them. The
databases can be recovered to a live application or as files.
- Application-aware backup
This is a disk-level backup that also collects the applications' metadata. This metadata enables
browsing and recovery of the application data without recovering the entire disk or volume. The
disk or volume can also be recovered as a whole. This means that a single solution and a single
protection plan can be used for both disaster recovery and data protection purposes.
For Microsoft Exchange Server, you can opt for Mailbox backup. This is a backup of individual
mailboxes via the Exchange Web Services protocol. The mailboxes or mailbox items can be
recovered to a live Exchange Server or to Microsoft 365. Mailbox backup is supported for Microsoft
Exchange Server 2010 Service Pack 1 (SP1) and later.
Protecting Microsoft SharePoint
A Microsoft SharePoint farm consists of front-end servers that run SharePoint services, database
servers that run Microsoft SQL Server, and (optionally) application servers that offload some
SharePoint services from the front-end servers. Some front-end and application servers may be
identical to each other.
To protect an entire SharePoint farm:
- Back up all of the database servers with application-aware backup.
- Back up all of the unique front-end servers and application servers with usual disk-level backup.
The backups of all servers should be done on the same schedule.
To protect only the content, you can back up the content databases separately.
Protecting a domain controller
A machine running Active Directory Domain Services can be protected by application-aware backup.
If a domain contains more than one domain controller, and you recover one of them, a
nonauthoritative restore is performed and a USN rollback will not occur after the recovery.
Recovering applications
The following table summarizes the available application recovery methods.
Microsoft SQL Server
  From a database backup: Databases to a live SQL Server instance; Databases as files
  From an application-aware backup: Entire machine; Databases to a live SQL Server instance;
    Databases as files
  From a disk backup: Entire machine

Microsoft Exchange Server
  From a database backup: Databases to a live Exchange; Databases as files; Granular recovery to a
    live Exchange or to Microsoft 365*
  From an application-aware backup: Entire machine; Databases to a live Exchange; Databases as
    files; Granular recovery to a live Exchange or to Microsoft 365*
  From a disk backup: Entire machine

Microsoft SharePoint database servers
  From a database backup: Databases to a live SQL Server instance; Databases as files; Granular
    recovery by using SharePoint Explorer
  From an application-aware backup: Entire machine; Databases to a live SQL Server instance;
    Databases as files; Granular recovery by using SharePoint Explorer
  From a disk backup: Entire machine

Microsoft SharePoint front-end web servers
  From a database backup: -
  From an application-aware backup: -
  From a disk backup: Entire machine

Active Directory Domain Services
  From a database backup: -
  From an application-aware backup: Entire machine
  From a disk backup: -
* Granular recovery is also available from a mailbox backup. Recovery of Exchange data items to
Microsoft 365, and vice versa, is supported on the condition that Agent for Microsoft 365 is installed
locally.
Prerequisites
Before configuring the application backup, ensure that the requirements listed below are met.
To check the VSS writers state, use the vssadmin list writers command.
Common requirements
For Microsoft SQL Server, ensure that:
- At least one Microsoft SQL Server instance is started.
- The SQL writer for VSS is turned on.
For Microsoft Exchange Server, ensure that:
- The Microsoft Exchange Information Store service is started.
- Windows PowerShell is installed. For Exchange 2010 or later, the Windows PowerShell version
must be at least 2.0.
- Microsoft .NET Framework is installed.
For Exchange 2007, the Microsoft .NET Framework version must be at least 2.0.
For Exchange 2010 or later, the Microsoft .NET Framework version must be at least 3.5.
- The Exchange writer for VSS is turned on.
Note
Agent for Exchange needs a temporary storage to operate. By default, the temporary files are
located in %ProgramData%\Acronis\Temp. Ensure that you have at least as much free space on the
volume where the %ProgramData% folder is located as 15 percent of an Exchange database size.
Alternatively, you can change the location of the temporary files before creating Exchange backups
as described in Changing Temp Files and Folder Location (40040).
On a domain controller, ensure that:
- The Active Directory writer for VSS is turned on.
When creating a protection plan, ensure that:
- For physical machines and machines with the agent installed inside, the Volume Shadow Copy
Service (VSS) backup option is enabled.
- For virtual machines, the Volume Shadow Copy Service (VSS) for virtual machines backup option
is enabled.
Additional requirements for application-aware backups
When creating a protection plan, ensure that Entire machine is selected for backup. The
Sector-by-sector backup option must be disabled in a protection plan, otherwise it will be
impossible to perform a recovery of application data from such backups. If the plan is executed in
the Sector-by-sector mode due to an automatic switch to this mode, then recovery of application
data will also be impossible.
Requirements for ESXi virtual machines
If the application runs on a virtual machine that is backed up by Agent for VMware, ensure that:
- The virtual machine being backed up meets the requirements for application-consistent backup
and restore listed in the article "Windows Backup Implementations" in the VMware
documentation:
https://code.vmware.com/docs/1674/virtual-disk-programming-guide/doc/vddkBkupVadp.9.6.html.
- VMware Tools is installed and up-to-date on the machine.
- User Account Control (UAC) is disabled on the machine. If you do not want to disable UAC, you
must provide the credentials of the built-in domain administrator (DOMAIN\Administrator) when
enabling application backup.
Note
Use the built-in domain administrator account that was configured as part of the creation of the
domain. Accounts created later are not supported.
Requirements for Hyper-V virtual machines
If the application runs on a virtual machine that is backed up by Agent for Hyper-V, ensure that:
- The guest operating system is Windows Server 2008 or later.
- For Hyper-V 2008 R2: the guest operating system is Windows Server 2008/2008 R2/2012.
- The virtual machine has no dynamic disks.
- The network connection exists between the Hyper-V host and the guest operating system. This is
required to execute remote WMI queries inside the virtual machine.
- User Account Control (UAC) is disabled on the machine. If you do not want to disable UAC, you
must provide the credentials of the built-in domain administrator (DOMAIN\Administrator) when
enabling application backup.
Note
Use the built-in domain administrator account that was configured as part of the creation of the
domain. Accounts created later are not supported.
- The virtual machine configuration matches the following criteria:
  - Hyper-V Integration Services is installed and up-to-date. The critical update is
https://support.microsoft.com/en-us/help/3063109/hyper-v-integration-components-update-for-windows-virtual-machines
  - In the virtual machine settings, the Management > Integration Services > Backup (volume
checkpoint) option is enabled.
  - For Hyper-V 2012 and later: the virtual machine has no checkpoints.
  - For Hyper-V 2012 R2 and later: the virtual machine has a SCSI controller (check Settings >
Hardware).
Database backup
Before backing up databases, ensure that the requirements listed in "Prerequisites" are met.
Select the databases as described below, and then specify other settings of the protection plan as
appropriate.
Selecting SQL databases
A backup of an SQL database contains the database files (.mdf, .ndf), log files (.ldf), and other
associated files. The files are backed up with the help of the SQL Writer service. The service must be
running at the time that the Volume Shadow Copy Service (VSS) requests a backup or recovery.
The SQL transaction logs are truncated after each successful backup. SQL log truncation can be
disabled in the protection plan options.
To select SQL databases
1. Click Devices > Microsoft SQL.
The software shows the tree of SQL Server Always On Availability Groups (AAG), machines
running Microsoft SQL Server, SQL Server instances, and databases.
2. Browse to the data that you want to back up.
Expand the tree nodes or double-click items in the list to the right of the tree.
3. Select the data that you want to back up. You can select AAGs, machines running SQL Server,
SQL Server instances, or individual databases.
• If you select an AAG, all databases that are included in the selected AAG will be backed up.
For more information about backing up AAGs or individual AAG databases, refer to
"Protecting Always On Availability Groups (AAG)".
• If you select a machine running an SQL Server, all databases that are attached to all SQL
Server instances running on the selected machine will be backed up.
• If you select a SQL Server instance, all databases that are attached to the selected instance will
be backed up.
• If you select databases directly, only the selected databases will be backed up.
4. Click Protect. If prompted, provide credentials to access the SQL Server data.
If you use Windows authentication, the account must be a member of the Backup Operators or
Administrators group on the machine and a member of the sysadmin role on each of the
instances that you are going to back up.
If you use SQL Server authentication, the account must be a member of the sysadmin role on
each of the instances that you are going to back up.
Selecting Exchange Server data
The following table summarizes the Microsoft Exchange Server data that you can select for backup
and the minimal user rights required to back up the data.
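Exchange version    | Data items                                    | User rights
--------------------|-----------------------------------------------|------------------------------------------------------------------
2007                | Storage groups                                | Membership in the Exchange Organization Administrators role group
2010/2013/2016/2019 | Databases, Database Availability Groups (DAG) | Membership in the Server Management role group.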
A full backup contains all of the selected Exchange Server data.
An incremental backup contains the changed blocks of the database files, the checkpoint files, and a
small number of the log files that are more recent than the corresponding database checkpoint.
Because changes to the database files are included in the backup, there is no need to back up all the
transaction log records since the previous backup. Only the log that is more recent than the
checkpoint needs to be replayed after a recovery. This makes for faster recovery and ensures
successful database backup, even with circular logging enabled.
The transaction log files are truncated after each successful backup.
To select Exchange Server data
1. Click Devices > Microsoft Exchange.
The software shows the tree of Exchange Server Database Availability Groups (DAG), machines
running Microsoft Exchange Server, and Exchange Server databases. If you configured Agent for
Exchange as described in "Mailbox backup", mailboxes are also shown in this tree.
2. Browse to the data that you want to back up.
Expand the tree nodes or double-click items in the list to the right of the tree.
3. Select the data that you want to back up.
• If you select a DAG, one copy of each clustered database will be backed up. For more
information about backing up DAGs, refer to "Protecting Database Availability Groups (DAG)".
• If you select a machine running Microsoft Exchange Server, all databases that are mounted to
the Exchange Server running on the selected machine will be backed up.
• If you select databases directly, only the selected databases will be backed up.
• If you configured Agent for Exchange as described in "Mailbox backup", you can select
mailboxes for backup.
4. If prompted, provide the credentials to access the data.
5. Click Protect.
Protecting Always On Availability Groups (AAG)
Note
The availability of this feature depends on the service quotas that are enabled for your account.
SQL Server high-availability solutions overview
The Windows Server Failover Clustering (WSFC) functionality enables you to configure a highly
available SQL Server through redundancy at the instance level (Failover Cluster Instance, FCI) or at
the database level (AlwaysOn Availability Group, AAG). You can also combine both methods.
In a Failover Cluster Instance, SQL databases are located on a shared storage. This storage can only
be accessed from the active cluster node. If the active node fails, a failover occurs and a different
node becomes active.
In an availability group, each database replica resides on a different node. If the primary replica
becomes unavailable, a secondary replica residing on a different node is assigned the primary role.
Thus, the clusters are already serving as a disaster recovery solution themselves. However, there
might be cases when the clusters cannot provide data protection: for example, in case of a database
logical corruption, or when the entire cluster is down. Also, cluster solutions do not protect from
harmful content changes, as they usually immediately replicate to all cluster nodes.
Supported cluster configurations
This backup software supports only the Always On Availability Group (AAG) for SQL Server 2012 or
later. Other cluster configurations, such as Failover Cluster Instances, database mirroring, and log
shipping are not supported.
How many agents are required for cluster data backup and recovery?
For successful data backup and recovery of a cluster, Agent for SQL has to be installed on each node
of the WSFC cluster.
Backing up databases included in an AAG
1. Install Agent for SQL on each node of the WSFC cluster.
Note
After you install the agent on one of the nodes, the software displays the AAG and its nodes
under Devices > Microsoft SQL > Databases. To install Agents for SQL on the rest of the nodes,
select the AAG, click Details, and then click Install agent next to each of the nodes.
2. Select the AAG to back up as described in "Selecting SQL databases".
You must select the AAG itself to back up all databases of the AAG. To back up a set of databases,
define this set of databases in all nodes of the AAG.
Warning!
The database set must be exactly the same in all nodes. If even one set is different, or not
defined on all nodes, the cluster backup will not work correctly.
3. Configure the "Cluster backup mode" backup option.
Recovery of databases included in an AAG
1. Select the databases that you want to recover, and then select the recovery point from which
you want to recover the databases.
When you select a clustered database under Devices > Microsoft SQL > Databases, and then
click Recover, the software shows only the recovery points that correspond to the times when
the selected copy of the database was backed up.
The easiest way to view all recovery points of a clustered database is to select the backup of the
entire AAG on the Backup storage tab. The names of AAG backups are based on the following
template: <AAG name> - <protection plan name> and have a special icon.
2. To configure recovery, follow the steps described in "Recovering SQL databases", starting from
step 5.
The software automatically defines a cluster node to which the data will be recovered. The
node's name is displayed in the Recover to field. You can manually change the target node.
Important
A database that is included in an Always On Availability Group cannot be overwritten during a
recovery because Microsoft SQL Server prohibits this. You need to exclude the target database
from the AAG before the recovery. Alternatively, recover the database as a new non-AAG one. When
the recovery is completed, you can reconstruct the original AAG configuration.
Protecting Database Availability Groups (DAG)
Note
The availability of this feature depends on the service quotas that are enabled for your account.
Exchange Server clusters overview
The main idea of Exchange clusters is to provide high database availability with fast failover and no
data loss. Usually, it is achieved by having one or more copies of databases or storage groups on the
members of the cluster (cluster nodes). If the cluster node hosting the active database copy or the
active database copy itself fails, the other node hosting the passive copy automatically takes over
the operations of the failed node and provides access to Exchange services with minimal downtime.
Thus, the clusters are already serving as a disaster recovery solution themselves.
However, there might be cases when failover cluster solutions cannot provide data protection: for
example, in case of a database logical corruption, or when a particular database in a cluster has no
copy (replica), or when the entire cluster is down. Also, cluster solutions do not protect from harmful
content changes, as they usually immediately replicate to all cluster nodes.
Cluster-aware backup
With cluster-aware backup, you back up only one copy of the clustered data. If the data changes its
location within the cluster (due to a switchover or a failover), the software will track all relocations of
this data and safely back it up.
Supported cluster configurations
Cluster-aware backup is supported only for Database Availability Group (DAG) in Exchange Server
2010 or later. Other cluster configurations, such as Single Copy Cluster (SCC) and Cluster Continuous
Replication (CCR) for Exchange 2007, are not supported.
A DAG is a group of up to 16 Exchange Mailbox servers. Any node can host a copy of a mailbox
database from any other node. Each node can host passive and active database copies. Up to 16
copies of each database can be created.
How many agents are required for cluster-aware backup and recovery?
For successful backup and recovery of clustered databases, Agent for Exchange has to be installed
on each node of the Exchange cluster.
Note
After you install the agent on one of the nodes, the service console displays the DAG and its nodes
under Devices > Microsoft Exchange > Databases. To install Agents for Exchange on the rest of
the nodes, select the DAG, click Details, and then click Install agent next to each of the nodes.
Backing up the Exchange cluster data
1. When creating a protection plan, select the DAG as described in "Selecting Exchange Server
data".
2. Configure the "Cluster backup mode" backup option.
3. Specify other settings of the protection plan as appropriate.
Important
For cluster-aware backup, be sure to select the DAG itself. If you select individual nodes or
databases inside the DAG, only the selected items will be backed up and the Cluster backup mode
option will be ignored.
Recovering the Exchange cluster data
1. Select the recovery point for the database that you want to recover. Selecting an entire cluster
for recovery is not possible.
When you select a copy of a clustered database under Devices > Microsoft Exchange >
Databases > <cluster name> > <node name> and click Recover, the software shows only the
recovery points that correspond to the times when this copy was backed up.
The easiest way to view all recovery points of a clustered database is to select its backup on the
Backup storage tab.
2. Follow the steps described in "Recovering Exchange databases", starting from step 5.
The software automatically defines a cluster node to which the data will be recovered. The
node's name is displayed in the Recover to field. You can manually change the target node.
Application-aware backup
Application-aware disk-level backup is available for physical machines, ESXi virtual machines, and
Hyper-V virtual machines.
When you back up a machine running Microsoft SQL Server, Microsoft Exchange Server, or Active
Directory Domain Services, enable Application backup for additional protection of these
applications' data.
Why use application-aware backup?
By using application-aware backup, you ensure that:
1. The applications are backed up in a consistent state and thus will be available immediately after
the machine is recovered.
2. You can recover the SQL and Exchange databases, mailboxes, and mailbox items without
recovering the entire machine.
3. The SQL transaction logs are truncated after each successful backup. SQL log truncation can be
disabled in the protection plan options. The Exchange transaction logs are truncated on virtual
machines only. You can enable the VSS full backup option if you want to truncate Exchange
transaction logs on a physical machine.
4. If a domain contains more than one domain controller, and you recover one of them, a
nonauthoritative restore is performed and a USN rollback will not occur after the recovery.
What do I need to use application-aware backup?
On a physical machine, Agent for SQL and/or Agent for Exchange must be installed, in addition to
Agent for Windows.
On a virtual machine, no agent installation is required; it is presumed that the machine is backed up
by Agent for VMware (Windows) or Agent for Hyper-V.
Note
For Hyper-V and VMware ESXi virtual machines that are running Windows Server 2022, application-
aware backup is not supported in the agentless mode – that is, when the backup is performed by
Agent for Hyper-V or Agent for VMware, respectively. To protect Microsoft applications on these
machines, install Agent for Windows inside the guest operating system.
Agent for VMware (Virtual Appliance) can create application-aware backups, but cannot recover
application data from them. To recover application data from backups created by this agent, you
need Agent for VMware (Windows), Agent for SQL, or Agent for Exchange on a machine that has
access to the location where the backups are stored. When configuring recovery of application data,
select the recovery point on the Backup storage tab, and then select this machine in Machine to
browse from.
Other requirements are listed in the "Prerequisites" and "Required user rights" sections.
Required user rights for application-aware backups
An application-aware backup contains metadata of VSS-aware applications that are present on the
disk. To access this metadata, the agent needs an account with the appropriate rights, which are
listed below. You are prompted to specify this account when enabling application backup.
• For SQL Server:
If you use Windows authentication, the account must be a member of the Backup Operators or
Administrators group on the machine and a member of the sysadmin role on each of the
instances that you are going to back up. If you use SQL Server authentication, the account must
be a member of the sysadmin role on each of the instances that you are going to back up.
• For Exchange Server:
Exchange 2007: The account must be a member of the Administrators group on the machine,
and a member of the Exchange Organization Administrators role group.
Exchange 2010 and later: The account must be a member of the Administrators group on the
machine, and a member of the Organization Management role group.
• For Active Directory:
The account must be a domain administrator.
Additional requirement for virtual machines
If the application runs on a virtual machine that is backed up by Agent for VMware or Agent for
Hyper-V, ensure that User Account Control (UAC) is disabled on the machine. If you do not want to
disable UAC, you must provide the credentials of the built-in domain administrator
(DOMAIN\Administrator) when enabling application backup.
Note
Use the built-in domain administrator account that was configured as part of the creation of the
domain. Accounts created later are not supported.
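The SQL Server account requirements above can be checked before the account is entered in the protection plan. The following PowerShell script is an added example, not part of the Acronis guide or product; the account name, the instance list, and the presence of the SqlServer module (for Invoke-Sqlcmd) are assumptions.

```powershell
# Added example (not from the Acronis guide): pre-flight check of the SQL Server
# requirements for application-aware backup. Run in an elevated session on the
# machine that hosts SQL Server.
# Assumptions: Windows PowerShell 5.1 or later, the SqlServer module is installed,
# and the caller is allowed to view server role membership on each instance.
param(
    [string]   $Account   = 'EXAMPLE\svc-backup',   # placeholder account name
    [string[]] $Instances = @('localhost')          # placeholder instance names
)

$report = [ordered]@{}

# SQL Writer must be running when VSS requests a backup or recovery.
$writer = Get-Service -Name 'SQLWriter' -ErrorAction SilentlyContinue
$report['SQL Writer service running'] = [bool]($writer -and $writer.Status -eq 'Running')

# UAC state: EnableLUA = 1 means UAC is on. For agentless VM backup the guide then
# requires the built-in domain administrator account instead of an ordinary one.
$uacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $uacKey -Name 'EnableLUA' -ErrorAction SilentlyContinue).EnableLUA
$report['UAC enabled'] = ($enableLua -eq 1)

# Local group membership, looked up by well-known SID so the check does not depend
# on the display language: S-1-5-32-544 = Administrators, S-1-5-32-551 = Backup Operators.
# Only direct members are listed; membership through a nested domain group is not expanded.
$inLocalGroup = $false
foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-551') {
    $members = Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue
    if ($members.Name -contains $Account) { $inLocalGroup = $true }
}
$report['Direct member of Administrators or Backup Operators'] = $inLocalGroup

# sysadmin membership on every instance that will be backed up.
# IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (login or role not
# valid, or the caller is not allowed to view the membership).
$login = $Account.Replace("'", "''")   # escape quotes before embedding in T-SQL
foreach ($instance in $Instances) {
    $query = "SELECT IS_SRVROLEMEMBER('sysadmin', N'$login') AS IsSysadmin;"
    try {
        $row   = Invoke-Sqlcmd -ServerInstance $instance -Query $query -ErrorAction Stop
        $value = $row.IsSysadmin
        if ($value -is [System.DBNull]) { $state = 'unknown (NULL returned)' }
        else                            { $state = [bool]$value }
    } catch {
        $state = "query failed: $($_.Exception.Message)"
    }
    $report["sysadmin on $instance"] = $state
}

[pscustomobject]$report | Format-List
```

Because the guide requires sysadmin and local Administrators or Backup Operators rights, the account checked here is highly privileged; a dedicated account used only for backup keeps that exposure separate from interactive administrator accounts.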
Mailbox backup
Mailbox backup is supported for Microsoft Exchange Server 2010 Service Pack 1 (SP1) and later.
Mailbox backup is available if at least one Agent for Exchange is registered on the management
server. The agent must be installed on a machine that belongs to the same Active Directory forest as
Microsoft Exchange Server.
Before backing up mailboxes, you must connect Agent for Exchange to the machine running the
Client Access server role (CAS) of Microsoft Exchange Server. In Exchange 2016 and later, the CAS
role is not available as a separate installation option. It is automatically installed as part of the
Mailbox server role. Thus, you can connect the agent to any server running the Mailbox role.
To connect Agent for Exchange to CAS
1. Click Devices > Add.
2. Click Microsoft Exchange Server.
3. Click Exchange mailboxes.
If no Agent for Exchange is registered on the management server, the software suggests that you
install the agent. After the installation, repeat this procedure from step 1.
4. [Optional] If multiple Agents for Exchange are registered on the management server, click Agent,
and then change the agent that will perform the backup.
5. In Client Access server, specify the fully qualified domain name (FQDN) of the machine where
the Client Access role of Microsoft Exchange Server is enabled.
In Exchange 2016 and later, the Client Access services are automatically installed as part of the
Mailbox server role. Thus, you can specify any server running the Mailbox role. We refer to this
server as CAS later in this section.
6. In Authentication type, select the authentication type that is used by the CAS. You can select
Kerberos (default) or Basic.
7. [Only for basic authentication] Select which protocol will be used. You can select HTTPS (default)
or HTTP.
8. [Only for basic authentication with the HTTPS protocol] If the CAS uses an SSL certificate that was
obtained from a certification authority, and you want the software to check the certificate when
connecting to the CAS, select the Check SSL certificate check box. Otherwise, skip this step.
9. Provide the credentials of an account that will be used to access the CAS. The requirements for
this account are listed in "Required user rights".
10. Click Add.
As a result, the mailboxes appear under Devices > Microsoft Exchange > Mailboxes.
Selecting Exchange Server mailboxes
Select the mailboxes as described below, and then specify other settings of the protection plan as
appropriate.
To select Exchange mailboxes
1. Click Devices > Microsoft Exchange.
The software shows the tree of Exchange databases and mailboxes.
2. Click Mailboxes, and then select the mailboxes that you want to back up.
3. Click Protect.
Required user rights
To access mailboxes, Agent for Exchange needs an account with the appropriate rights. You are
prompted to specify this account when configuring various operations with mailboxes.
Membership of the account in the Organization Management role group enables access to any
mailbox, including mailboxes that will be created in the future.
The minimum required user rights are as follows:
• The account must be a member of the Server Management and Recipient Management role
groups.
• The account must have the ApplicationImpersonation management role enabled for all users
or groups of users whose mailboxes the agent will access.
For information about configuring the ApplicationImpersonation management role, refer to the
following Microsoft knowledge base article: https://msdn.microsoft.com/en-us/library/office/dn722376.aspx.
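The minimum rights listed above can be granted with a scoped role assignment instead of membership in Organization Management. The following Exchange Management Shell commands are an added example, not taken from the Acronis guide; the account, group, scope, and assignment names are placeholders.

```powershell
# Added example (not from the Acronis guide): grant the backup account the minimum
# rights listed above, with ApplicationImpersonation limited to one group of mailboxes.
# Run in the Exchange Management Shell as a member of Organization Management.
# All names below are placeholders.
$backupAccount  = 'EXAMPLE\svc-exbackup'
$protectedGroup = 'Backup-Protected-Mailboxes'   # distribution group holding the mailboxes to back up
$scopeName      = 'BackupAgentMailboxScope'
$assignmentName = 'BackupAgentImpersonation'

# Role groups named in the minimum requirements.
Add-RoleGroupMember -Identity 'Server Management'    -Member $backupAccount
Add-RoleGroupMember -Identity 'Recipient Management' -Member $backupAccount

# Management scope that matches only the members of the protected group.
# The MemberOfGroup filter needs the group's distinguished name.
$groupDn = (Get-DistributionGroup -Identity $protectedGroup).DistinguishedName
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'"

# Impersonation rights restricted to that scope.
New-ManagementRoleAssignment -Name $assignmentName -Role 'ApplicationImpersonation' `
    -User $backupAccount -CustomRecipientWriteScope $scopeName

# Audit: list every principal that effectively holds ApplicationImpersonation
# and the scope each assignment applies to.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize
```

With a scoped assignment, mailboxes outside the group are not accessible to the agent, so new mailboxes must be added to the group before they can be backed up. Membership in Organization Management, by contrast, covers mailboxes created in the future, as noted above.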
Recovering SQL databases
This section describes recovery from both database backups and application-aware backups.
You can recover SQL databases to a SQL Server instance, if Agent for SQL is installed on the machine
running the instance.
If you use Windows authentication, you will need to provide credentials for an account that is a
member of the Backup Operators or Administrators group on the machine and a member of the
sysadmin role on the target instance. If you use SQL Server authentication, you will need to provide
credentials for an account that is a member of the sysadmin role on the target instance.
Alternatively, you can recover the databases as files. This can be useful if you need to extract data
for data mining, audit, or further processing by third-party tools. You can attach the SQL database
files to a SQL Server instance, as described in "Attaching SQL Server databases".
If you use only Agent for VMware (Windows), recovering databases as files is the only available
recovery method. Recovering databases by using Agent for VMware (Virtual Appliance) is not
possible.
System databases are basically recovered in the same way as user databases. The peculiarities of
system database recovery are described in "Recovering system databases".
To recover SQL databases to a SQL Server instance
1. Do one of the following:
• When recovering from an application-aware backup, under Devices, select the machine that
originally contained the data that you want to recover.
• When recovering from a database backup, click Devices > Microsoft SQL, and then select the
databases that you want to recover.
2. Click Recovery.
3. Select a recovery point. Note that recovery points are filtered by location.
If the machine is offline, the recovery points are not displayed. Do one of the following:
• [Only when recovering from an application-aware backup] If the backup location is cloud or
shared storage (i.e. other agents can access it), click Select machine, select an online machine
that has Agent for SQL, and then select a recovery point.
• Select a recovery point on the Backup storage tab.
The machine chosen for browsing in either of the above actions becomes a target machine for
the SQL databases recovery.
4. Do one of the following:
• When recovering from an application-aware backup, click Recover > SQL databases, select
the databases that you want to recover, and then click Recover.
• When recovering from a database backup, click Recover > Databases to an instance.
5. By default, the databases are recovered to the original ones. If the original database does not
exist, it will be recreated. You can select another SQL Server instance (running on the same
machine) to recover the databases to.
To recover a database as a different one to the same instance:
a. Click the database name.
b. In Recover to, select New database.
c. Specify the new database name.
d. Specify the new database path and log path. The folder you specify must not contain the
original database and log files.
6. [Optional] [Not available for a database recovered to its original instance as a new database] To
change the database state after recovery, click the database name, and then choose one of the
following states:
• Ready to use (RESTORE WITH RECOVERY) (default)
After the recovery completes, the database will be ready for use. Users will have full access to
it. The software will roll back all uncommitted transactions of the recovered database that are
stored in the transaction logs. You will not be able to recover additional transaction logs from
the native Microsoft SQL backups.
• Non-operational (RESTORE WITH NORECOVERY)
After the recovery completes, the database will be non-operational. Users will have no access
to it. The software will keep all uncommitted transactions of the recovered database. You will
be able to recover additional transaction logs from the native Microsoft SQL backups and thus
reach the necessary recovery point.
• Read-only (RESTORE WITH STANDBY)
After the recovery completes, users will have read-only access to the database. The software
will undo any uncommitted transactions. However, it will save the undo actions in a temporary
standby file so that the recovery effects can be reverted.
This value is primarily used to detect the point in time when a SQL Server error occurred.
7. Click Start recovery.
The recovery progress is shown on the Activities tab.
To recover SQL databases as files
1. Do one of the following:
• When recovering from an application-aware backup, under Devices, select the machine that
originally contained the data that you want to recover.
• When recovering from a database backup, click Devices > Microsoft SQL, and then select the
databases that you want to recover.
2. Click Recovery.
3. Select a recovery point. Note that recovery points are filtered by location.
If the machine is offline, the recovery points are not displayed. Do one of the following:
• [Only when recovering from an application-aware backup] If the backup location is cloud or
shared storage (i.e. other agents can access it), click Select machine, select an online machine
that has Agent for SQL or Agent for VMware, and then select a recovery point.
• Select a recovery point on the Backup storage tab.
The machine chosen for browsing in either of the above actions becomes a target machine for
the SQL databases recovery.
4. Do one of the following:
• When recovering from an application-aware backup, click Recover > SQL databases, select
the databases that you want to recover, and then click Recover as files.
• When recovering from a database backup, click Recover > Databases as files.
5. Click Browse, and then select a local or a network folder to save the files to.
6. Click Start recovery.
The recovery progress is shown on the Activities tab.
Recovering system databases
All system databases of an instance are recovered at once. When recovering system databases, the
software automatically restarts the destination instance in the single-user mode. After the recovery
completes, the software restarts the instance and recovers other databases (if any).
Other things to consider when recovering system databases:
• System databases can only be recovered to an instance of the same version as the original
instance.
• System databases are always recovered in the "ready to use" state.
Recovering the master database
System databases include the master database. The master database records information about
all databases of the instance. Hence, the master database in a backup contains information about
databases which existed in the instance at the time of the backup. After recovering the master
database, you may need to do the following:
• Databases that have appeared in the instance after the backup was done are not visible to the
instance. To bring these databases back to production, attach them to the instance manually by
using SQL Server Management Studio.
• Databases that have been deleted after the backup was done are displayed as offline in the
instance. Delete these databases by using SQL Server Management Studio.
Attaching SQL Server