Working with Enhanced Ransomware Detection
NAVIGATION Policies
PERMISSIONS Datto EDR subscription with administrator, analyst, or external analyst-level platform access
PERMISSIONS Service account or administrator-level rights on the target endpoint
Overview
Datto EDR’s Enhanced Monitoring feature improves ransomware detection by enabling the Datto Rollback service to operate in a low-overhead mode. The sections below describe the capabilities this enhancement introduces.
What’s improved
- Faster ransomware detection: Detects ransomware after an average of ~4 encrypted files (previously ~12), stopping attacks earlier in the encryption cycle.
- Smarter, more aggressive containment: Terminates not only the offending process but the entire process chain (parent and grandparent), minimizing blast radius.
- Improved rollback efficiency: File rollback is more targeted and configurable, allowing protection of critical folders and file types without full-disk tracking overhead.
- Lower performance impact: Enhanced detection leverages existing rollback telemetry without a significant increase in resource usage.
- Better operational control: Rollback and response actions are preserved during upgrades, ensuring no disruption to existing configurations.
Why This Matters
- Faster recovery (lower MTTR): Quickly restore critical business files so you can get back to work sooner after an attack.
- Less business disruption: Early detection and aggressive containment reduce file impact.
- Practical ransomware protection: Enhanced Ransomware Detection is not a backup replacement. It complements backup solutions by addressing time-critical recovery needs.
- Balanced security and performance: Strong ransomware protection without over-provisioning systems.
Requirements
- You must have an active Datto EDR subscription.
- Ransomware detection must be enabled and configured with the Enhanced option. For more information, refer to Ransomware configuration options.
- The Datto Endpoint Security agent must be installed on all endpoints you wish to monitor, and those devices must be able to communicate with your EDR instance.
Comparing Standard and Enhanced Ransomware Detection
The following table summarizes key differences between Datto EDR’s Standard and Enhanced Ransomware Detection.
| Feature | Standard | Enhanced |
|---|---|---|
| Detect file changes to alert against ransomware activity | Available | Available |
| Kill suspected ransomware process | Available | Available |
| Kill parent and grandparent process of suspected ransomware process | Not available | Available |
| Block suspected ransomware processes from writing to disk | Not available | Available |
FAQs
No. Users must enable Enhanced Monitoring in their ransomware policy.
No. Enter the extension name (e.g., txt). If a leading dot is detected, it will be removed automatically.
No. Custom paths are not supported currently.
Yes. Cache retention can be set to a maximum of 7 days.
They apply as exclusions. The Rollback Driver agent monitors events for these file types to enrich telemetry for ransomware detection.
No. Enhanced Ransomware Detection is included in your Datto EDR subscription.
Standard monitoring may be preferred in environments where minimizing resource usage is critical. Enhanced monitoring adds advanced protection but runs an additional low-overhead process, which can slightly increase resource consumption.
| Revision | Date |
|---|---|
| Initial release. | 12/17/25 |

