When you apply protections they are always in place.
CryptoPrevent is not a residential app so it is not running all the time. If you don't want protections you can set it to none and apply. As for the updating and emailing portion these are either a scheduled task or a service that runs in the background that emails when a specific event log id's are found and trigger it.
Chief Operating Officer, dSupportOnline official support of Foolish IT
& long time tech friend of Nick & avid Foolish IT product user since before Foolish IT was even created!