Frequently Asked Questions

Check out our FAQ for installation and usage, purchases and license registration for AppCheck

Q.
While using the AutoCAD design program, disk space is insufficient due to a ransomware shelter folder (RansomShelter) backup issue.
A.
This happens because files in the "C:\Users\%UserName%\AppData\Local\Temp\.das.local.jobsroot" folder are backed up to the shelter while AutoCAD is running. To avoid it, open "Options - Exception Settings - Trusted Process List" and add the file "C:\Program Files\Autodesk\AutoCAD <version>\Design Automation\Bin\Das.Local.exe" as "Always allow".
Q.
I get a message to "install Windows update".
A.
To use AppCheck properly on Windows, you need to install the update related to SHA-2 certificates.

Clicking the message redirects you to the Microsoft website that provides the patch. If the message has disappeared and you need to check again, right-click the "AppCheck" tray icon > "Check Update".

Find out more details in:
https://www.checkmal.com/notice/read/2710/?lang=en&p=1
Q.
What is the difference between AppCheck Free and AppCheck Pro?
A.
The main differences between AppCheck Pro and the Free version are listed below.

1. Automatic Remediation and Block

AppCheck Free only blocks and kills the process, while AppCheck Pro blocks and deletes (remediates) the files detected as showing ransomware behavior.

Automatic recovery of damaged files is supported in both.

2. Network Drive and SMB Server Protection

AppCheck Pro protects network shared folders. Any file damage or encryption behavior against an attached shared folder is detected and blocked. In particular, SMB Server Protection protects the current host's shared folders against unwanted file changes.

3. Auto Backup

AppCheck Pro provides additional protection through flexible scheduled backup of user-specified folders or files.

More details and a comparison chart can be found on this page.
Q.
Autobackup is completed. (Error: 53)
A.
The message "Automatic Backup is completed (error: 53)" is logged.
If this message occurs, please check that the IP address or computer name in the "Server" field and the shared folder in the "Share" field are correct in "Option > Auto Backup".

Below is an example entry for each field.
 
Q.
Can I recover files encrypted by Ransomware with AppCheck?
A.
You may be able to recover your original files if AppCheck was installed before the infection happened.

However, neither AppCheck nor AppCheck Pro supports recovery of files that were encrypted before the installation.
Q.
Error message while update (ERROR=12175)
A.

You may encounter the message “an error occurred while update. (ERROR=12175)” when you run the "AppCheck Information → Check Updates" menu in an environment with AppCheck installed.

This error can occur when the update server's security certificate cannot be obtained because the computer date is set differently from the current time.

Please adjust the computer date and try again.

Q.
Auto Backup Completed (Error: 86)
A.
This is due to invalid credentials for the target network share.

Please check the ID and password, and try again.
Q.
Cannot continue backup due to insufficient space.
A.
Because the destination has insufficient space, AppCheck Auto Backup cannot continue the backup.

You may change the destination or remove unnecessary files to free up disk space.
Q.
Auto Backup is Completed (Error: 1223)
A.
If an unexpected interruption, such as a system reboot or an AppCheck update, happens while Auto Backup is running, AppCheck logs "Auto Backup is completed (Error: 1223)".
AppCheck will re-run Auto Backup at the next scheduled time and continue backing up the items that were not completed.
Q.
Auto Backup Completed (Error: 3)
A.
When AppCheck Auto Backup cannot reach the target location, AppCheck logs "Auto Backup is completed (Error: 3)".

Check that the destination folder or path is available.
Q.
Auto Backup is completed (Error: 67)
A.
This error occurs when Auto Backup to a network drive is enabled but the destination server cannot be reached because of an invalid server address or destination share name.

Please check the information and try again.
Q.
Error message while update (ERROR = 12007)
A.
When you encounter the error message (ERROR=12007), it is most likely related to your Internet connection.

Please check your Internet connection and try again. If the error persists, please contact Online Support.
Q.
I’m unable to restore quarantine file. (Code: 5)
A.
This happens because the AppCheck application doesn’t have permission to the destination folder.

To recover files, please follow the instructions below:

1) Right-click AppCheck in the tray and select Quit.

2) In the Program List, locate AppCheck Anti-Ransomware and right-click it to bring up the context menu.

3) Click "Run program as administrator...".

4) Select the files you would like to recover in quarantine and right-click.

5) Select "Restore to original position". Your file is restored.
Q.
I’m unable to restore quarantine file. (Code: 3)
A.
This happens when the original destination path is not available.

You may restore your file to another folder using "Export to specified location" in the right-click context menu.
Q.
I'm getting a blue screen related to AppCheckD.sys while using AppCheck.
A.
If the AppCheck anti-ransomware product is installed in your environment and a blue screen is caused by the AppCheckD.sys driver file, or you see suspicious symptoms related to AppCheck, please collect the following dump file after rebooting and send it to support@checkmal.com.

To collect a full memory dump for cause analysis, please apply the following setting and collect the dump file when a blue screen occurs.

【How to set up full memory dump file generation】

Windows Settings → System → About → Advanced System Settings → Startup and Recovery (click the Settings button) → Write debugging information (change to Complete memory dump) → Reboot Windows

The dump file is located at “C:\Windows\MEMORY.dmp”. By default, the dump file size matches the memory size (※ Example: 16GB), so please send it as a compressed .zip file.
Q.
I’d like to recover files which were detected as malicious by AppCheck.
A.
All files deleted by AppCheck are in Quarantine. You may right-click a file in Quarantine and select "Restore to original location" to recover it.
Q.
If I disable RansomShelter, does it affect Ransomware Proactive Defense?
A.
Ransomware Proactive Defense includes automatic recovery of damaged files. You may disable RansomShelter, but some damaged files then cannot be recovered.

It is recommended to keep RansomShelter enabled, because if proactive defense cannot block the ransomware behavior, you may still be able to recover files manually.
Q.
I’d like to know which information is sent while using AppCheck.
A.
AppCheck provides detailed information in "Article 4. Data Collection and Use" of the "CheckMAL Software License Agreement", which is shown during the first installation of Anti-Ransomware.
Q.
Does AppCheck have self protection?
A.
AppCheck Anti-Ransomware protects its installation folders (?:\Program Files\CheckMAL, ?:\ProgramData\CheckMAL) and the AppCheck service file (AppCheckS.exe). Additional security will be added if malicious events that interfere with AppCheck functioning properly are identified.

AppCheck Pro, however, provides additional protection for the AppCheck service.
Q.
When running AppCheck, I get the error “The service is not running, do you want to run it now?”
A.
The issue was caused by some configuration files not being updated during the AppCheck update.

If you manually run the update file “C:\Program Files\CheckMAL\AppCheck\Update\AppCheckUpdate.exe”, the AppCheck update will run again, so please enable (ON) AppCheck real-time protection afterwards.
Q.
The "Ransomware Behavior Detected" message is displayed and the normal program is forcibly terminated.
A.
"Ransomware Behavior Detection" protects against data corruption by blocking the related processes when multiple files are tampered with at once.

Sometimes, however, it can also flag the behavior of a normal program as suspicious.

In this case, you may recover the modified files from quarantine as follows.

(1) Check the file path and file name shown in the "Detecting Ransomware Behavior" item of the "Threat Log" in the AppCheck tool.

(2) Add the detected normal executable file to the whitelist by clicking "User trust file". (※ Please do not add system files such as explorer.exe / svchost.exe, because AppCheck may then be unable to prevent file encryption by a ransomware infection.)

(3) Select the files to recover in "Quarantine", right-click, and choose "Restore to original location" in the context menu.

You may also report the false-positive application through "Support - Online Support" on our homepage, so that we can improve our product in the future.
Q.
How do I delete files stored in RansomShelter Backup Folder <Backup (AppCheck)>?
A.
An option for automatic deletion of files after 7 days is provided.

You may also delete them manually after disabling AppCheck real-time protection.
Q.
I want to recover the original file stored in RansomShelter Backup Folder <Backup (AppCheck)> due to Ransomware infection.
A.
First, locate the encrypted files and remove them.

Then browse to the original file stored in the Ransomware Shelter backup folder <DriveLetter\Backup(AppCheck)>, copy it (Ctrl + C), and paste it (Ctrl + V) to the desired location.
Q.
Is the file automatically blocked(cured) by Ransomware behavior detection?
A.
AppCheck Anti-Ransomware for personal (non-commercial) use provides only process-blocking protection against ransomware.

If you want to remove (remediate) the ransomware itself, please purchase the full version, AppCheck Pro.

If the file-tampering behavior originates from a system file, the file is only blocked and not deleted. If a ransomware binary file is locked and cannot be deleted, its file extension is renamed to .bak, which prevents it from running in the future.
