Online Manual

Installation, removal and how-to instructions for AppCheck Anti-Ransomware Solution.

AppCheck Anti-Ransomware Menu Configuration

① Main Menu

Image - Main menu

  • Genuine Registration:: Purchase guide and genuine online registration.
  • Tools: Provides threat log, quarantine and event lig information.
  • Options: General, Ransom Guard, Auto Backup, WHitelist settings.
  • Empty RansomShelter: Click to delete files and folders of <Backup(AppCheck)> in each disk drives.
  • Real-time Protection: Enable/Disable Ransomware behavior protection, MBR Protection, Network Drive protection, Ransom Shelter<Backup(AppCheck)> and Auto Backup <AutoBackup(AppCheck)> Folder Protection.
  • Exploit Guard: Enable/Disable exploit code protection implemented through bugs in the applications(Web Browser, Plugin, Media Player and Office).
  • MBR Protection: Enable/Disable protection of Master Boot Record(MBR) and GUID Partition Table(GPT) from alteration.
  • Network drive Protection: Protect files shared through network drives. (Pro only)
  • Cleaner: System integrity scan, network environment scan, malware scan, adware scan, browser extension scan, malicious shortcut urls scan, ransomnote files removal, and temporary file/folder removal features.

[ 1-1 ] Cleaner

Cleaner features system integrity scan, network environment scan, malware scan, adware scan, browser extension scan, malicious shortcut urls scan, ransomnote files removal, and temporary file/folder removal features. Through multiple scanners, AppCheck Cleaner removes various malicious codes, ransomware, and other temporary files and folders that are unnecessary on your PC.

Image - Cleaner

To run Cleaner, you can do it through Cleaner button on the main screen of AppCheck, “AppCheck Cleaner” in the program list, or “Run Cleaner” menu provided in AppCheck menu on the taskbar notification area.

Image - Cleaner scan

Cleaner button provided on AppCheck main screen displays messages saying “no threats found” or “All threats removed. Click to confirm.” depending on whether they are threats or not at the completion of examination.

Image - Cleaner infect

If you click the Cleaner button on the main screen during the Cleaner inspection, an additional window will be created to check scanned items, detailed detection logs and processing results.

Image - Cleaner restart requirement #1

When detected in system integrity scan, it creates message “System is altered and requires to reboot system. Continue to reboot? (Yes: Scan after reboot, No: Cancel the scanning process)” and automatically rescan after reboot.

Image - Cleaner restart requirement #2

If there are “Delete after reboot” items during the Cleaner scan, it creates message “System requires to reboot to remove malware. Cancel may leave malware in system. Continue to reboot?” and remove detected malware by reboot.

Image - Cleaner result

Detected and removed details by Cleaner scan can be found in the detection log of AppCheck tool, and if you want to restore any of the removed items, you can find backup items in quarantine and restore them.

[ 1-2 ] Real-time Protection

Real-time protection includes RansomGuard (Ransomware Proactive Defense, RansomShelter, File Destruction Detection, MBR Protection, Netork drive Protection, File Protection in Shared Folders), automatic deletion of files stored in Ransom Shelter, and enable/disable protection on both Ransom Shelter <Backup (AppCheck)> folder and Auto Backup <AutoBackup (AppCheck)> folder.

Image - Disable real-time monitoring

While Auto Backup feature is independent of Real-time protection, Automatic Backup folder <AutoBackup (AppCheck)> cannot be protected when Real-time protection is disabled.

Depending on Real-time protection is enabled or disabled, the AppCheck icon changes color in the system tray.

Image - System tray notification area comparison

  • Green icon: Real-time protection enabled
  • Gray icon: Real-time protection disabled

Real-time protection alerts in the taskbar notification area when detects ransomware or malicious code attacks through Ransom Guard and Exploit Guard features.

If user clicks the Ransomware Activity Detection Notification window, it provides blocked program information and detailed options.

Image - Ransomware block notification

  • Details: Opens AppCheck Tools, and you can review threat log, quarantine, event log information.
  • Move to Quarantine: Move detected file to quarantine to stop running. System files and codesigned files are only blocked and cannot be removed.
  • Add to Whitelist: If the detection is considered as normal behavior, the user may add them to the whitelist, and AppCheck will not monitor the application in the future.

Note that AppCheck (Free) only blocks the process when ransomware behavior is detected, while AppCheck Pro provides removal.

[ 1-3 ] Exploit Guard

Exploit Guard blocks bugs and vulnerabilities in applications(Web Browser, Plugin, Media Player and Office) which cause malware infection.

Image - Vulnerability exploit blocking notice

When detected exploit attack while using a Web browser, you can view the information of Process Command-line, Target Command-line, Distribution URL, Referrer URL and Exploit URL through the alarm.

On PCs with exploit attack detection, check the security updates of Web Browser, Plugin, Media Player and Office program and update to the latest version.

[ 1-4 ] MBR Protection

Image - MBR Protection

MBR Protection enables to protect any alteration process or behavior of Master Boot Record(MBR) and GUID Partition Table(GPT).

[ 1-5 ] Network drive Protection

The network drive protection feature provided in AppCheck Pro is designed to block(remove) and protect files located in the shared folder connected through the network drive. Files are automatically restored when the file encryption behavior is detected.

Unlike SMB server protection, network drive protection blocks if the ransomware tries to encrypt files in network drive in the AppCheck installed PC.

[ 1-6 ] Genuine Registration

AppCheck Anti-Ransomware Free has some features limited in Ransom Guard and Auto Backup. Individuals who want to use without limitations or for companies and government should purchase AppCheck Pro.

Image - Genuine registration

After purchasing AppCheck Pro license, please click “Register for activation” button (key icon) at the top of AppCheck main screen to register.

Image - Genuine registration

For online registration and activation Internet connection is required. You may receive license information through your email. Enter email and license key provided and click “OK” to complete the online activation.

Image - License expiration

You may receive license expiration information before 30 days of expiration. You may need to purchase for the license renewal in this period.

Image - License status

When AppCheck license is expired, all features are disabled. If you have a new license purchased, you may need to remove AppCheck and reinstall to enter the new license.

Image - License expiration

For renewal before AppCheck license expires, click “Extend Period” button to proceed purchasing the license at discounted price.

[ 1-7 ] Empty RansomShelter

RansomShelter is a temporary backup folder <Backup(AppCheck)> created in each drives, while files are created/modified/deleted in certain conditions. These files can be maintained up to seven days.

The purpose of this backup is to keep your original files and recover them in case of Ransomware encrypts files.

The folder is safely protected while Real-Time Protection is on. In some cases user might need extra spaces in the disk drive, may click “Empty RansomShelter”(trash icon), to delete RansomShelter folders in each drives.

Image - Empty RansomShelter folders

Files are completely removed from the disk and not moved to windows Recycle Bin. In cases of files are not removed due to the permission issue, you may turn off Real-Time Protection while manually deleting the folders.

② AppCheck context menu in system tray

Image - System tray

  • Open AppCheck: Open AppCheck main screen.
  • Run Cleaner: Run Cleaner for system integrity scan, network environment scan, malware scan, adware scan, browser extension scan, malicious shortcut urls scan, ransomnote files removal, and temporary file/folder removal.
  • Real-time Protection: Enable/Disable RansomGuard (Ransomware protection, RansomShelter, MBR protection, network drive protection, file protection in shared folder, automatic deletion of files stored in Ransomware shelter), Ransomware shelter <Backup(AppCheck)>, <AutoBackup(AppCheck)> Folder protection.
  • Tools: Check detection log, quarantine, event log information.
  • Options: Opens for General, Ransom Guard, Auto Backup, Whitelist File Settings.
  • About AppCheck: AppCheck version, update check, copyright and license information, genuine registration information is displayed.
  • Exit: Exit the system tray.

[ 2-1 ] Tools

The AppCheck Tools provides detailed information of threat, quarantine, and event log. The log is automatically cleaned up if the accumulated amount of events exceeds a certain level.

If you double click Threat Logs, Quarantine, and General tabs in AppCheck tool will perform a refresh.

AppCheck Tools: Detection Log

Detection Log displays detailed information of Ransom Guard activity(Detecting Ransomware Behavior), Processed threats by Cleaner (Bloced, Removed, Restored, Block Failed).

  • Blocked: Ransomware file encryption or exploit behavior is detected and URL or process is blocked.
  • Removed: File or Registry that were detected by Detection Engine is removed automatically.
  • Recovered: Damaged Files that are damaged by ransomware behavior were recovered to original location.
  • Block Failed: Due to the system restriction the was unable to removed, however, will be removed after system reboot.

Image - Detection pop-up menu

  • Open file location: Open the file location (destination path) of selected file through file explorer.
  • Copy: Copy the selected rows in plain-text into the clipboard.
  • Select All: Select all items listed.
  • Refresh: Update current view
AppCheck Tools: Quarantine

Quarantine Log displays the Ransomware files, Encrypted files, and Ransomware payment information files that have been deleted through the Ransomware Behavior Detection and kept in the Quarantine folder. The Quarantine folder is located at “C:\ProgramData\CheckMAL\AppCheck\Quarantine”

Image - Quarantine pop-up menu

  • Restore to original location: Selected file is restored to its original location.
  • Export to specified location: Export selected file to user specified folder.
  • Delete: Delete file in Quarantine (This action is irreversible)
  • Open file location: Open location using file explorer.
  • Copy: Copy the selected rows in plain-text into the clipboard.
  • Select All: Select all items listed.
  • Refresh: Update current view
AppCheck Tools: Event Log

Event log displays information about terminations and start of Program itself, service, real-time protection, Ransom Guard, Auto Backup, option changes, update and alert messages.

Image - Log pop-up menu

  • Copy: Copy the selected rows in plain-text into the clipboard.
  • Select All: Select all items listed.
  • Refresh: Update current view

[ 2-2 ] Options

The AppCheck option provides Normal, Ransom Guard, Cleaner, Auto Backup (AppCheck Pro only), and Whitelist and SMB Block/Allow List settings.

AppCheck Options: General

Image - General tab

  • Enable Tray Icon: Enable to display AppCheck Tray Icon in System Tray.
  • Alert when execution is blocked: Notification window is displayed when detecting Ransomware activity.
  • Use Auto Update: Enable to check update for every 6 hours.
  • Send suspicious files when detected(It will be treated anonymously and not used for analysis or other purposes.): Information collected and blocked by Ransom Guard and Exploit Guard while using AppCheck are sent anonymously to CheckMAL server.

Image - Version Update Notification Window

Auto Update checks for updates for every 6 hours and notifies at boot time if a higher version is updated.

If the user clicks the notification window, release note in CheckMAL website is displayed in the default system web browser.

The user may click “Check for Update” link in the About AppCheck, and the will be notified “Current version is up-to-date.” if installed AppCheck is the latest version.

AppCheck Options: Ransom Guard

Image - Ransom Guard tab

  • Enable Real-Time Ransomware Protection: Enable to be notified and block the encryption process.
  • Using Ransomware Protective Shelter: Enable to automatically backup Original files to Ransomware Shelter folder <Backup (AppCheck)> for automatic recovery. To delete the Ransom Shelter folder and internal files, you need to temporarily disable real-time protection.
  • Enable File Destruction Behavior Detection: Enable to stop the behavior of file destruction activity
  • Protect MBR: Block alteration behavior of Master Boot Record(MBR) and GUID Partition Table(GPT)
  • Delete files in Ransomware Shelter: Select days to remove files older than selected days in Ransom Shelter folder <Backup (AppCheck)>.(default: 7 days)
  • Automatically remove ransomware after the detection: Enable to automatically remediate(delete) ransomware after the detection. This feature is only available for AppCheck Pro.
  • File extension list for protection (delimiter , or;): Protected extensions are 55 by default (7z, ai, bmp, cer, crt, csv, der, doc, docx, dwg, eps, gif, hwp, jbw, jpeg, jpg, jps, jtd, key, lic, lnk, mp3, nc, odp, ods, odt, ogg, one, ost, p12, p7b, p7c, pdf, pef, pem, pfx, png, ppt, pptx, psd, pst, ptx, rdp, rtf, srw, tap, tif, tiff, txt, uti, x3f, xls, xlsx, xps, zip). The additional file extension is available in AppCheck Pro.
  • Network Drive Protection: Files existing in the shared folder connected through the network drive are blocked and restored automatically when the network drive is encrypted by Ransomware infection from the local PC where AppCheck is installed.
  • Removable Drive Protection: Automatically block and restore damaged files in USB or CF Memory cards if files are encrypted by ransomware. However, the external hard disk drives connected via USB port is protected by default Ransomware Protection.
  • SMB Server Protection: Enable to protect shared folder file encryption from the remote location. If a local folder is shared through the network, and a PC is infected to Ransomware, your shared folder is also can be encrypted.
AppCheck Options: Exploit Guard

Image - Exploit Guard tab

Exploit Guard blocks bugs and vulnerabilities in applications which cause malware infection. If you turn off “Enable Exploit Guard Protection” check box will stop the entire feature. However, you can protect specific application programs you want by selecting the check boxes.

  • Web Browser: Internet Explorer, Edge, Chrome, Firefox, Opera
  • Plugin: Java, Adobe Flash
  • Media Player: Windows Media Player, Windows Media Center, GomPlayer, PotPlayer
  • Office: Microsoft Office, Hancom Office, Adobe Acrobat

You can only activate application protection for Office on the original version of AppCheck Pro.

AppCheck Options: Cleaner

Image - Cleaner tab

  • System Integrity Scan: Modify any Windows OSF related items such as modified files or registry or require Windows reboot if necessary.
  • Network Environment Scan: Check the network configuration information of the system and modify it if it has malicious settings.
  • Malwares Scan: Remove malicious program if it is installed on your system.
  • Adwares Scan: Remove advertisement programs installed on your system that may cause inconvenience.
  • Browser Extensions Scan: Remove malicious browser extension program(BHO) which that works through web browser.
  • Malicious Shortcut URLs Scan: Create a shortcut on the desktop or in the Favorites area to remove it if a connects to a malicious site when clicks.
  • Ransomnote Files Removal: Remove any payment guide files generated by Ransomware infection.
  • Temporary Files/folders Removal: Remove unnecessary files and folders exist in the temporary folder(%Temp%).
AppCheck Options: Auto Backup

Image - Auto Backup tab

  • Schedule Setting: Backup Period(Repetition, Once, Weekly, Monthly)
  • Backup Source Folder list: Add and remove folders for backup. Subfolders are included.
  • Backup only files have extensions (delimiter , or;): Only specified file extensions in source folders are backed up.
  • Backup exceptions by folders: Add folders to be excluded. Subfolders included.
  • Backup exception by file extensions (delimiter , or ;): Specified extensions is excluded from backup.
  • Backup Location: Select one from Local disk, network shared folder (SMB / CIFS).
  • Local Disk: Maximum disk space available on the local hard disk drive is selected automatically by default. User can specify folder to locate <AutoBackup (AppCheck)> folder.
  • Number of history file: User can configure number of history files(.history) remaining when running Auto Backup, default value is 3.
  • Network Shared Folder (SMB/CIFS): Enter the Server address (IP address or remote PC hostname), shared folder (remote shared folder name), User ID and Password.
  • AppCheck Auto Backup Schedule:

    Backup Period (Repetition): Set automatic backup every 10 minutes, 15 minutes, 20 minutes, 30 minutes, 1 hour (default), 3 hours, 6 hours, 12 hours, and daily.

    Backup Period (Once): Set automatic backup once at a specific time on a specific day.

    Backup Period (Weekly) : Set automatic backup at a specific time on a specific day or everyday(Sun~Sat).

    Backup Period (Monthly) : Set automatic backup at a specific time on a specific day or the last day of the month.

For safety usage of backup to Network Shared Folder, it is recommended by creating a separate account with dedicated folder and not to use it for another purpose.

To delete the Auto Backup folder <AutoBackup(AppCheck)> and internal files, please temporarily disable real-time protection.

AppCheck Options: Whitelist

Image - Whitelist Tab

Whitelist is a feature that allows users to add files that are blocked by ransomware activity detection to be excepted by themselves.

However, system files such as explorer.exe / svchost.exe are highly exploited by ransomware and cannot be detected if they are added to whitelist.

Also, make sure to check “Always allow files registered below” box after adding whitelist.

AppCheck Options: SMB Allow/Block List


SMB Allow/Block option is only provided in AppCheck Pro. User can manage to allow or blocked IP(IPv4/IPv6) list for SMB access.


When remote PC damages multiple files in your shared folder, source IP address is blocked and AppCheck notifies user. After the detection, you may find the list of current IP list of blocked Shared Folder access.


Detected IP address is blocked to access Shared folders for one hour, and user may choose to unblock immediately or add the IP address to allow list.

  • Allow Temporarily: Unblock once and allow the access to shared folders immediately. Redetection can be occurred.
  • Allow Permanently: Unblock immediately and add to Allowed List to trust the IP address. Any further detection is ignored.

Once IP is blocked, it will automatically unblocked after one hour from the detection.


Adding IP address supports in various ways, starting from single IP address, range, subnet is allowed. User may refer to example for better understanding.

Because adding IP address allows unrestricted access of file modification, it is recommend to install AppCheck in remote host for better protection.

[ 2-3 ] About AppCheck

Image - About

Display information about AppCheck including current version, manual update checks, copyright and licensing information, thanks to, and genuine registration information.