EDR September 25, 2025 v11938 release notes

NOTE Datto EDR leverages a staggered release process. You'll receive an in-product notification when these updates are available to your instance.

Version information

Endpoint Security Agent	Ransomware Agent	Rollback Agent	API
3.17.1.3976	1.5.1	1.3.6.165	5.0.0

New Features

Smart Investigate

Smart Investigate is now available on the Alert Detail page for the Rule Source alert type. This AI-powered feature provides intelligent recommendations and automated assistance, enabling users to analyze Rule Source alerts faster and optimize their security posture. For details about the Smart Investigate feature, see the article Understanding the Alert Detail page.

External Analyst role - Beta

The External Analyst role is now available. With this new feature, you can invite users from your client site into your EDR platform for collaboration while maintaining segmentation from your other customers. For details, refer to the article Adding an external analyst.

IMPORTANT We strongly suggest reading the Adding an external analyst document in full and conducting internal testing with an external analyst user before rollout. This approach will solidify your understanding of the feature and help minimize end-customer inquiries.

NOTE This feature is currently available in Beta, indicating it is fully functional but released early to support ongoing enhancements. Please leave any feedback regarding the External Analyst feature using the in-product link to the Ideas Portal. Your feedback helps us continue improving this feature.

Local detections

We are excited to announce the introduction of local detections for the Datto EDR platform, which provide the following:

Faster detection times: Rules processed locally trigger in near real time, compared to the cloud-based detections which may take longer to process.
Default for customer rules: Any new detection rules created by users will default to utilize local detection.
Control for internal rules: Our Detection Engineering team will determine which internal rules are enabled for local detections.

NOTE Local detections may increase resource usage if rules are not written or edited correctly. We recommend only advanced users write or edit detections rules. For guidance, see the article What are EDR detection rules?

Enhancements

The Alert Details page has been completely redesigned to deliver a more consistent and intuitive experience. Quickly review alert responses, host details, and threat data, with improved navigation across all tabs. For details, see the article Understanding the Alert Detail page.
You can now use type-ahead search for the Organization Name and Location Name fields when creating suppression rules. As you type, results are filtered in real-time, making it easier to select the correct entity, especially in environments with many organizations or locations.
Dark mode has been refined with minor UI updates, including improved button styling, updated navigation backgrounds, and consistent tooltips, making the experience more visually cohesive and user-friendly.
You can now initiate key device management tasks (license assignment, device group assignment, and log fetching) directly from the Device Details page using the ellipses menu.
From the Organization and Location details pages, you can now quickly access and edit assigned policies. The Name column in the Assigned Policies table is now clickable, taking you directly to the policy editor.
To improve platform reliability and prevent performance bottlenecks, scheduled report generation is now automatically staggered. If multiple reports are scheduled to run simultaneously, the system adds a randomized delay (up to 10 minutes) between each report's processing to prevent bottlenecks and ensure reliable delivery.

Fixes

We resolved an issue where some users were unable to edit the description of RMM-synced locations if the original site name in Datto RMM contained a trailing space.
We resolved a UI issue affecting certain users with Receive Email Notifications enabled, where they were redirected to an unexpected application error page.
We addressed an issue where alert suppression data could disappear when scrolling or sorting in the UI.
We have resolved an issue that would cause service deletion during agent reinstall when tamper protection is active.
You can now search for endpoints, alerts, devices, locations, and organizations without worrying about capitalization. All relevant tables now support case-insensitive search, making it easier to find what you need regardless of how you enter search terms.
Sorting by any column or changing the pagination count on the Devices page no longer causes devices from other locations to appear, ensuring accurate device management by location.
Issues with pagination on the Device Groups page has been resolved to ensure all groups are accessible when scrolling, eliminating missing data and empty rows.
The agents upgrade mechanism has been improved to retry upgrades in a staggered manner if any mismatches are detected during an upgrade process.
Unnecessary process exit messages have been removed from standard EDR/AV agent logs.

Artifacts

agent.linux-amd64.f8fc7e9f6ed44fe60360b6c0afc8ec895cf1a11d6f055213418d698ee945fa83.bin.gz
agent.linux-arm64.650ad3b57e26651db03bc2fe084797f688be665df33313785a35abed5e417149.bin.gz
agent.linux-x86.41bc3879bbe329a86b8394e12cd2245df52d38ebf5317e8eaf2062e4e64bdc6d.bin.gz
agent.macos-amd64.409bebbfed1e92857eb4836f0f6aa1e35008621c59ad0526113c2c7dc887d40a.bin.gz
agent.macos-arm64.5b93032a9d6b9a885e2e857aabd95052623626d1355188f870506c77599456bb.bin.gz
agent.windows-amd64.7fba18a312903c3e899766585fedd1ef3e3b5e38762fe239ae9af331f4ab9ae6.exe.gz
agent.windows-x86.959edc924385c81cc9a31e7d0a193c3f4699901569d86cb0947523173923c12e.exe.gz

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.