Online Manual

AppCheck Anti-Ransomware Menu Configuration

① Main Menu

Image - Main menu

  • Genuine Registration:: Purchase guide and genuine online registration.
  • Tools: Provides threat log, quarantine and event lig information.
  • Options: Displays AppCheck Option (General, RansomGuard, ExploitGuard, Cleaner, Auto Backup, Whitelist, SMB Allow/Block List)
  • Empty RansomShelter: Click to delete files and folders of <Backup(AppCheck)> in each disk drives.
  • Real-time Protection: Enable/Disable Ransomware behavior protection, MBR Protection, Network Drive protection, Ransom Shelter<Backup(AppCheck)> and Auto Backup <AutoBackup(AppCheck)> Folder Protection.
  • Exploit Guard: Enable/Disable exploit code protection implemented through bugs in the applications(Web Browser, Plugin, Media Player and Office).
  • MBR Protection: Enable/Disable protection of Master Boot Record(MBR) and GUID Partition Table(GPT) from alteration.
  • Network drive Protection: Files in network shared folders are protected when they are encrypted by Ransomware infection from the local PC. (AppCheck Pro Only)
  • Cleaner: System integrity scan, network environment scan, malware scan, adware scan, browser extension scan, malicious shortcut urls scan, ransomnote files removal, and temporary file/folder removal features.

[ 1-1 ] Cleaner

Cleaner features system integrity scan, network environment scan, malware scan, adware scan, browser extension scan, malicious shortcut urls scan, ransomnote files removal, and temporary file/folder removal features. Through multiple scanners, AppCheck Cleaner removes various malicious codes, ransomware, and other temporary files and folders that are unnecessary on your PC.

Image - Cleaner

To run Cleaner, you can do it through Cleaner button on the main screen of AppCheck, “AppCheck Cleaner” in the program list, or “Run Cleaner” menu provided in AppCheck menu on the taskbar notification area.

Image - Cleaner scan

Cleaner button provided on AppCheck main screen displays messages saying “no threats found” or “All threats removed. Click to confirm.” depending on whether they are threats or not at the completion of examination.

Image - Cleaner infect

Opens Cleaner diagnostic window when click on Cleaner button while running cleaner, to display detailed scan items and remediation results.

Image - Cleaner restart requirement #1

When detected in system integrity scan, it creates message “System is altered and requires to reboot system. Continue to reboot? (Yes: Scan after reboot, No: Cancel the scanning process)” and automatically rescan after reboot.

Image - Cleaner restart requirement #2

If there are “Delete after reboot” items during the Cleaner scan, it creates message “System requires to reboot to remove malware. Cancel may leave malware in system. Continue to reboot?” and remove detected malware by reboot.

Image - Cleaner result

Detected and removed details by Cleaner scan can be found in the detection log of AppCheck tool, and if you want to restore any of the removed items, you can find backup items in quarantine and restore them.

[ 1-2 ] Real-time Protection

Real-time protection includes RansomGuard (Ransomware Proactive Defense, RansomShelter, File Destruction Detection, MBR Protection, Netork drive Protection, File Protection in Shared Folders), automatic deletion of files stored in Ransom Shelter, and enable/disable protection on both Ransom Shelter <Backup (AppCheck)> folder and Auto Backup <AutoBackup (AppCheck)> folder.

Image - Disable real-time monitoring

While Auto Backup feature is independent of Real-time protection, Automatic Backup folder <AutoBackup (AppCheck)> cannot be protected when Real-time protection is disabled.

Depending on Real-time protection is enabled or disabled, the AppCheck icon changes color in the system tray.

Image - System tray notification area comparison

  • Green icon: Real-time protection enabled
  • Gray icon: Real-time protection disabled

Real-time protection alerts in the taskbar notification area when detects ransomware or malicious code attacks through Ransom Guard and Exploit Guard features.

If user clicks the Ransomware Activity Detection Notification window, it provides blocked program information and detailed options.

Image - Ransomware block notification

  • Details: Opens AppCheck Tools, and you can review threat log, quarantine, event log information.
  • Move to Quarantine: Move detected file to quarantine to stop running. System files and codesigned files are only blocked and cannot be removed.
  • Add to Whitelist: If the detection is considered as normal behavior, the user may add them to the whitelist, and AppCheck will not monitor the application in the future.

Note that AppCheck (Free) only blocks the process when ransomware behavior is detected, while AppCheck Pro provides removal.

[ 1-3 ] Exploit Guard

Exploit Guard blocks bugs and vulnerabilities in applications(Web Browser, Plugin, Media Player and Office) which cause malware infection.

Image - Vulnerability exploit blocking notice

When detected exploit attack while using a Web browser, you can view the information of Process Command-line, Target Command-line, Distribution URL, Referrer URL and Exploit URL through the alarm.

On PCs with exploit attack detection, check the security updates of Web Browser, Plugin, Media Player and Office program and update to the latest version.

[ 1-4 ] MBR Protection

MBR Protection enables to protect any alteration process or behavior of Master Boot Record(MBR) and GUID Partition Table(GPT).

Image - MBR Protection

Detected files are only blocked not deleted.

[ 1-5 ] Network drive Protection

The network drive protection feature provided in AppCheck Pro is designed to block(remove) and protect files located in the shared folder connected through the network drive. Files are automatically restored when the file encryption behavior is detected.

Network Drive Protection differs from SMB Server protection as this function blocks infected PC is attempting to encrypt outbound shared resources.

[ 1-6 ] Genuine Registration

AppCheck Anti-Ransomware Free has some features limited in Ransom Guard and Auto Backup. Individuals who want to use without limitations or for companies and government should purchase AppCheck Pro.

Image - Genuine registration

After purchasing AppCheck Pro license, please click “Register for activation” button (key icon) at the top of AppCheck main screen to register.

Image - Genuine registration

For online registration and activation Internet connection is required. You may receive license information through your email. Enter email and license key provided and click “OK” to complete the online activation.

Image - License expiration

You may receive license expiration information before 30 days of expiration. You may need to purchase for the license renewal in this period.

Image - License status

When AppCheck license is expired, all features are disabled. If you have a new license purchased, you may need to remove AppCheck and reinstall to enter the new license.

Image - License expiration

For renewal before AppCheck license expires, click “Extend Period” button to proceed purchasing the license at discounted price.

[ 1-7 ] Empty RansomShelter

Ransom Shelter automatically keeps files in <Backup(AppCheck)> when any suspicious file creation/modification/deletion behavior is detected. Files in RansomShelter are deleted automatically maximum of 7 days depending on user configuration.

The purpose of this backup is to keep your original files and recover them in case of Ransomware encrypts files.

The folder is safely protected while Real-Time Protection is on. In some cases user might need extra spaces in the disk drive, may click “Empty RansomShelter”(trash icon), to delete RansomShelter folders in each drives.

Image - Empty RansomShelter folders

Files are completely removed from the disk and not moved to windows Recycle Bin. In cases of files are not removed due to the permission issue, you may turn off Real-Time Protection while manually deleting the folders.

② AppCheck context menu in system tray

Image - System tray

  • Open AppCheck: Open AppCheck main screen.
  • Run Cleaner: Run Cleaner for system integrity scan, network environment scan, malware scan, adware scan, browser extension scan, malicious shortcut urls scan, ransomnote files removal, and temporary file/folder removal.
  • Real-time Protection: Enable/Disable RansomGuard (Ransomware protection, RansomShelter, MBR protection, network drive protection, file protection in shared folder, automatic deletion of files stored in Ransomware shelter), Ransomware shelter <Backup(AppCheck)>, <AutoBackup(AppCheck)> Folder protection.
  • Tools: Check detection log, quarantine, event log information.
  • Options: Configuration of General, Ransom Guard, Exploit Guard, Cleaner, AutoBackup, Whitelist, SMB Allow/Block List.
  • About AppCheck: AppCheck version, update check, copyright and license information, genuine registration information is displayed.

[ 2-1 ] Tools

The AppCheck Tools provides detailed information of threat, quarantine, and event log. The log is automatically cleaned up if the accumulated amount of events exceeds a certain level.

If you double click Threat Logs, Quarantine, and General tabs in AppCheck tool will perform a refresh.


User can enable to display MD5 Hash values.

AppCheck Tools: Detection Log

Detection Log displays detailed information of Ransom Guard activity(Detecting Ransomware Behavior), Processed threats by Cleaner (Bloced, Removed, Restored, Block Failed).

  • Blocked: Ransomware file encryption or exploit behavior is detected and URL or process is blocked.
  • Removed: File or Registry that were detected by Detection Engine is removed automatically.
  • Recovered: Damaged Files that are damaged by ransomware behavior were recovered to original location.
  • Block Failed: Due to the system restriction the was unable to removed, however, will be removed after system reboot.

Image - Detection pop-up menu

  • Open file location: Open the file location (destination path) of selected file through file explorer.
  • Copy: Copy the selected rows in plain-text into the clipboard.
  • Select All: Select all items listed.
  • Refresh: Update current view
AppCheck Tools: Quarantine

Quarantine Log displays the Ransomware files, Encrypted files, and Ransomware payment information files that have been deleted through the Ransomware Behavior Detection and kept in the Quarantine folder. The Quarantine folder is located at “C:\ProgramData\CheckMAL\AppCheck\Quarantine”

Image - Quarantine pop-up menu


When clicking empty quarantine, it prompts “Files will be removed from the Quarantine and this action is irreversible. Are you sure to continue?”. Deleted files are completly removed not moved to Recycle Bin.

  • Restore to original location: Selected file is restored to its original location.
  • Export to specified location: Export selected file to user specified folder.
  • Delete: Delete file in Quarantine (This action is irreversible)
  • Open file location: Open location using file explorer.
  • Copy: Copy the selected rows in plain-text into the clipboard.
  • Select All: Select all items listed.
  • Refresh: Update current view
AppCheck Tools: Event Log

Event Log displays logs of Start and End of Application Service, Realtime Protection, RansomGuard, Cleaner. Also other logs such as update, auto backup, option changes, notification messages and etc.

Image - Log pop-up menu

  • Copy: Copy the selected rows in plain-text into the clipboard.
  • Select All: Select all items listed.
  • Refresh: Update current view

[ 2-2 ] Options

The AppCheck option provides Normal, Ransom Guard, Cleaner, Auto Backup (AppCheck Pro only), and Whitelist and SMB Block/Allow List settings.

AppCheck Options: General

Image - General tab

  • Enable Tray Icon: Enable to display AppCheck Tray Icon in System Tray. (If “Enable Tray Icon” option is enabled, it will continuously check tray icon and restarts if tray process(AppCheck.exe) has terminated.)
  • Alert when execution is blocked: Notification window is displayed when detecting Ransomware, MBR modification, Exploit activity.
  • Use Auto Update: Checks update for every 6-12 hours. (AppCheck free version)
  • Send suspicious files when detected(Information is completely anonymously and only used for analysis purposes): Information collected and blocked by Ransom Guard and Exploit Guard while using AppCheck are sent anonymously to CheckMAL.
  • Enable Password Lock : Password Lock to disable any changes of options, real-time protection and uninstallation. (AppCheck Pro only. AppCheck Pro for CMS doesn't support this feature.)

    Once lock is enabled, screen displays requiring password. This window shows user cannot change options nor uninstall the software. Password cannot be recovered when it is lost.
    Password can be 6 to 30 characters log and you may enable show password option to display on left bottom.

    If password doesn't meet the length requirement, “Length is invalid (enter 6~30 characters)” message is />
    If password doesn't match "Password does not match" message is displayed.

    When user tries to uninstall while lock is enabled, “You cannot uninstall due to the lock. Please unlock and try again” message is displayed.

    To unlock, click to disable “Enable Password Lock”, then enter password when you enabled the lock.

    If entered password is invalid, “Password is invalid” message is displayed.
  • Default: Reset options to default.

Image - Version Update Notification Window

Auto Update checks every 6 - 12 hour for update, and when updated, displays notification message: “New version has updated. Click to find out more.”

If the user clicks the notification window, release note in CheckMAL website is displayed in the default system web browser.

The user may click “Check for Update” link in the About AppCheck, and the will be notified “Current version is up-to-date.” if installed AppCheck is the latest version.

AppCheck Options: Ransom Guard

Image - Ransom Guard tab

  • Enable Real-Time Ransomware Protection: Enable to be notified and block the encryption process.
  • Enable File Destruction Behavior Detection: Enable to stop the behavior of file destruction activity
  • Protect MBR: Block alteration behavior of Master Boot Record(MBR) and GUID Partition Table(GPT)
  • Using Ransomware Protective Shelter: Enable to automatically backup Original files to Ransomware Shelter folder <Backup (AppCheck)> for automatic recovery. To delete the Ransom Shelter folder and internal files, you need to temporarily disable real-time protection.
  • Image
    Show Usage Status: Usage Status displays RansomShelter usage in each drive.

    Empty Selected: User can select the RansomShelter in specific drive and empty.

    Empty All: User can empty all RansomShelters current drives.
  • Hide RansomShelter folder: Enable to hide RansomShelter in all drives. This option only applies to RansomShelters in local drives.
  • Delete files in RansomShelter: Select the periods to delete files in RansomShelter. (1/3/6/12 hours, 1~7 days). Default value is 7 days.
  • Automatically remove ransomware after the detection: Enable to automatically remediate(delete) ransomware after the detection. This feature is only available for AppCheck Pro.
  • File extension list for protection (delimiter , or;): Default 55 file extenstions for protection are (7z, ai, bmp, cer, crt, csv, der, doc, docx, dwg, eps, gif, hwp, jbw, jpeg, jpg, jps, jtd, key, lic, lnk, mp3, nc, odp, ods, odt, ogg, one, ost, p12, p7b, p7c, pdf, pef, pem, pfx, png, ppt, pptx, psd, pst, ptx, rdp, rtf, srw, tap, tif, tiff, txt, uti, x3f, xls, xlsx, xps, zip) and and adding extenstions are only available in AppCheck Pro.
  • Network Drive Protection(For AppCheck Pro): Files encryption behavior to external shared folder are blocked and restored automatically at local PC.
  • Removable Drive Protection(For AppCheck Pro): Automatically block and restore damaged files in USB or CF Memory cards if files are encrypted by ransomware. However, the external hard disk drives connected via USB port is protected by default Ransomware Protection.
  • SMB Server Protection(For AppCheck Pro): Files encryption behavior in shared folder from the external PC are blocked for 1 hour. Files are restored automatically. After 1 hour, block is automatically released. For detail, please check SMB Allow/Block List option.
  • Default: Reset options to default.
AppCheck Options: Exploit Guard

Image - Exploit Guard tab

Exploit Guard blocks bugs and vulnerabilities in applications which cause malware infection. If you turn off “Enable Exploit Guard Protection” check box will stop the entire feature. However, you can protect specific application programs you want by selecting the check boxes.

  • Web Browser: Internet Explorer, Edge, Chrome, Firefox, Opera
  • Plugin: Java, Adobe Flash
  • Media Player: Windows Media Player, Windows Media Center, GomPlayer, PotPlayer
  • Office: Microsoft Office, Hancom Office, Adobe Acrobat
  • Default: Reset options to default.

You can only activate application protection for Office on the original version of AppCheck Pro.

AppCheck Options: Cleaner

Image - Cleaner tab

  • Scan system integrity: Check and restores modified files or registries for Windows Operating System. Asks to reboot system if is required. This scan item is required.
  • Network Environment Scan: Check the network configuration information of the system and modify it if it has malicious settings.
  • Malwares Scan: Remove malicious program if it is installed on your system.
  • Adwares Scan: Remove advertisement programs installed on your system that may cause inconvenience.
  • Browser Extensions Scan: Remove malicious browser extension program(BHO) which that works through web browser.
  • Malicious Shortcut URLs Scan: Create a shortcut on the desktop or in the Favorites area to remove it if a connects to a malicious site when clicks.
  • Ransomnote Files Removal: Remove any payment guide files generated by Ransomware infection.
  • Temporary Files/folders Removal: Remove unnecessary files and folders exist in the temporary folder(%Temp%).
  • Default: Reset options to default.
AppCheck Options: Auto Backup

Image - Auto Backup tab

  • Schedule Setting: AutoBackup schedule can be configured to Repeated, Once, Every Week, Every Month.

    Backup Period (Repetition): Set automatic backup every 10 minutes, 15 minutes, 20 minutes, 30 minutes, 1 hour (default), 3 hours, 6 hours, 12 hours, and daily.

    Backup Period (Once): Set automatic backup once at a specific time on a specific day.

    Backup Period (Weekly) : Set automatic backup at a specific time on a specific day or everyday(Sun~Sat).

    Backup Period (Monthly) : Set automatic backup at a specific time on a specific day or the last day of the month.
  • Backup Source Folder list: Add and remove folders for backup. Subfolders are included.
  • Backup only files have extensions (delimiter , or;): Only specified file extensions in source folders are backed up.
  • Backup exceptions by folders: Add folders to be excluded. Subfolders included.
  • Backup exception by file extensions (delimiter , or ;): Specified extensions is excluded from backup.
  • Backup Location: Select one from Local disk, network shared folder (SMB / CIFS).
  • Local Disk: Maximum disk space available on the local hard disk drive is automatically selected. User can specify folder to locate <AutoBackup (AppCheck)> folder.
  • Number of history file: User can configure number of history files(.history) remaining when running Auto Backup, default value is 3.
  • Network Shared Folder (SMB/CIFS): Enter the Server address (IP address or remote PC hostname), shared folder (remote shared folder name), User ID and Password.

For safety usage of backup to Network Shared Folder, it is recommended by creating a separate account with dedicated folder and not to use it for another purpose.

To delete the Auto Backup folder <AutoBackup(AppCheck)> and internal files, please temporarily disable real-time protection.

AppCheck Options: Whitelist

Image - Whitelist Tab

Whitelist is a feature that allows users to add files that are blocked by ransomware activity detection to be excepted by themselves.

However, system files such as explorer.exe / svchost.exe are highly exploited by ransomware and cannot be detected if they are added to whitelist.

Also, make sure to check “Always allow files registered below” box after adding whitelist.

AppCheck Options: SMB Allow/Block List


SMB Allow/Block option is only provided in AppCheck Pro. User can manage to allow or blocked IP(IPv4/IPv6) list for SMB access.



If the files in the shared folders are damaged due to the ransomware running on the remote PC, a block message notification for IP address(IPv4, IPv6) is displayed.

If user clicks the notification, IP address is displayed on the AppCheck notification window. When the user clicks “Add SMB allow IP address”, the IP address is added to “Allowed address list” in “SMB allowed Address” of AppCheck option to allow further access.

You may check the blocked list in AppCheck Pro Option %gt; SMB Allow/Block List, and by default, Blocked IP are temporally blocked 1 hour from the detection and removed automatically afterwards.


Temporarly blocked IPs are temporally blocked for 1 hour from the detection, and user can allow temporarly or permantly.

  • Allow Temporarily: Unblock once and allow the access to shared folders immediately. Redetection can be occurred.
  • Allow Permanently: Unblock immediately and add to Allowed List to trust the IP address. Any further detection is ignored.

After 1 hour, blocked IP is automatically removed from the list and remote PC can access afterwards.


Adding IP address supports in various ways, starting from single IP address, range, subnet is allowed. User may refer to example for better understanding.

Because adding IP address allows unrestricted access of file modification, it is recommend to install AppCheck in remote host for better protection.

[ 2-3 ] About AppCheck

Image - About

Display information about AppCheck including current version, manual update checks, copyright and licensing information, thanks to, and genuine registration information.