Acronis 2020 Active Protection Stops Etcher from Modifying Master Boot Record - Ransomware?

I just installed balenaEtcher version on my Windows 10 computer. When I tried to copy an .img file (Raspbian Buster image for Raspberry Pi) to an SD card, my Acronis True Image 2020 Active Protection module stopped the process with the warning:

   "Acronis Active Protection Possible Ransomware Detected

Acronis Active Protection paused the program that tried to modify your Master Boot Record"

Is it possible the download has been altered to include ransomware? Why should Etcher be modifying the Master Boot Record? I have blacklisted Etcher for now. Any help would be appreciated. Not sure what is going on.
Also, Etcher displays a message about getting stopped and says to inform the Etcher team. Not sure how to do this directly. Hopefully the team looks at the forum…

The most direct way to the Etcher developers would be to open an issue on GitHub here: but we do read the forums as well :slight_smile:

Your issue sounds very similar to this issue that somebody reported in connection to the Windows 10 built-in “Ransomware Protection” and Malwarebytes software:

Apparently you’re not the first person with this issue, here are some more comments on the Etcher issue tracker about Acronis:

The second one has a “fix” but I personally have zero experience with Acronis so I don’t know what that means for you…

Thanks for looking into this, Robert. I have looked on the Acronis site, but did not find any threads regarding this problem. I will place a post over there and see if I can get any info from the Acronis perspective.

Would you like me to copy my post to the github link you sent me? Not sure what the most efficient issue tracking path is for you. I will post any info that I get from the Acronis side to help clarify this.

@harpbench yeah I think linking your post on the Acronis side to the github issue will be a good way to go. Thanks for reporting!

I believe this issue can be closed. I removed the balena Etcher entry from the Acronis True Image 2020 BlackList, turned off Active Protection, a monitoring feature of Acronis, and re-ran Etcher. As expected, it created an image on the destination thumb drive. I also have Bitdefender running, which contains anti-rootkit monitoring, and there were no complaints, also as expected. This is an Acronis false positive issue and I will take it up with them. I have not yet had the time to put together my issue entry for them, but will do so shortly. I will relay any information I get from them to this forum.
Thanks to the balena folks that looked into this for me. Etcher is a very nice product! Thanks!

Hi @harpbench,
Thanks for reporting this and taking it up with Acronis, let us know if you need any assistance there.

I have submitted my report to Acronis and have received an automated confirmation that it has been received.

I have closed my issue regarding an Acronis false positive message with Acronis support. The support agent did not seem to understand what it means when a message stating that there was an attempt to write to the master boot record is displayed. They did look at log files that Acronis keeps and told me that there was no record in them of attempted boot record information. I have pointed out that there can now be one of two bugs in Acronis - either a false positive for Etcher, or an incomplete log file that failed to record a very important event. I was told several times that if I trust a piece of software, add its name to the Acronis whitelist. I have told them several times that I cannot really know if I can trust a piece of software for which such a warning has been displayed and that their lab needs to verify by testing. I am pretty sure that will not happen based on my conversations. Bottom line is that Etcher is working well and I believe this is a closed issue. I still like the Acronis software as well, but left them with a plea to look at their messages more closely and see if they can improve their warnings. Thanks Etcher team for researching this. I hope others find my information about this problem if they run into it.

Thank you for taking the time to both investigate and also check back with us about your conversation with Acronis. We really appreciate it and it will indeed be valuable information to share with others.