Working with Ransomware Rollback
NAVIGATION Policies
PERMISSIONS Datto EDR subscription with administrator, analyst, or external analyst-level platform access
PERMISSIONS Service account or administrator-level rights on the target endpoint
Ransomware Rollback is a lightweight, efficient system that monitors changes to endpoint disk space and provides rollback functionality for files impacted by ransomware.
It leverages agent software installed on your protected endpoints to track file changes in the background silently, and a desktop application for monitoring and managing the rollback process. The solution works in tandem with Datto EDR’s ransomware detection engine to protect documents and databases targeted by ransomware attacks.
This topic explores the Ransomware Rollback feature and answers questions frequently asked by our partners. For information about our ransomware detection feature, refer to Understanding Datto EDR's Ransomware Detection.
BEFORE YOU BEGIN If Ransomware Rollback is unavailable in your EDR instance, please contact Technical Support to enable it.
Overview
- Quick and efficient recovery: Ransomware Rollback application swiftly restores files to their original state, minimizing downtime and enabling users to regain access to their documents.
- Lightweight and non-intrusive: The application operates seamlessly in the background without causing noticeable performance degradation or disruptions to daily operations.
- Custom minifilter driver for enhanced protection: By using a custom minifilter driver, Ransomware Rollback avoids reliance on Windows Shadow Copy, which is often targeted by ransomware attacks, ensuring a higher level of protection.
- Comprehensive ransomware detection: Our integrated ransomware detection feature enables the solution to work in tandem with the rollback mechanism for maximum effectiveness.
- Scalability: This solution is suitable for businesses of all sizes, ensuring that data remains protected no matter the scale of the organization.
- Robust file deletion handling: The handling of file deletions, through the creation of hard links in a tracking directory, ensures that users can quickly restore deleted files, even in the case of accidental removal.
- Application compatibility: Ransomware Rollback works with various database applications, including SQL Server and QuickBooks, ensuring comprehensive protection across different types of software.
- Minimize downtime: Quickly recover from ransomware attacks, reducing the impact on productivity for your organization.
- Enhance business continuity: By enabling the rollback of critical files, our solution helps maintain business continuity, ensuring that essential operations can continue even in the face of a ransomware attack.
- Save costs: Recovering from ransomware attacks can be expensive, involving not only the potential ransom payment but also the costs of data recovery and IT support. Ransomware Rollback can help mitigate these expenses by streamlining the recovery process.
- Improve your security posture: Adding rollback functionality to your endpoint protection provides an additional layer of protection to your existing security measures, bolstering your organization's overall security posture and resilience against ransomware threats.
- Simplify the recovery process: Ransomware Rollback enables you to perform targeted rollbacks based on specific ransomware processes or time frames, making the recovery process more straightforward and efficient.
- Integrate with ease: Our solution works seamlessly with Windows 10 and 11 operating systems. It also integrates with the EDR portal, ensuring easy adoption and implementation for a wide range of businesses.
- Customize resource allocation: Because you can adjust disk space allocation for the ransomware rollback driver, you can tailor the solution to your specific needs, optimizing resource usage and efficiency.
- Feel confident: Knowing that your organization has an additional layer of protection against ransomware attacks provides peace of mind and a sense of security, enabling you to focus on your core business operations.
Ransomware Rollback is supported on Windows 10 and above and Windows Server 2012 and above.
We do not recommend installing Ransomware Rollback on database, domain controller, Exchange, or Active Directory servers. These types of endpoints generate very high amounts of reads and writes to the disk, which may impact host performance. Instead, use a solution specifically designed to protect complex application servers, such as Datto BCDR's Rapid Rollback.
For more information, see Hardware and operating system requirements.
NOTE Ransomware Rollback does not track changes on virtual disk images, including Hyper-V, VirtualBox, and Windows hard disk image files, including AVHDX, AVHD, VHD, VHDX, and VDI.
Getting started
To use Ransomware Rollback, install the rollback agent on all endpoints you'd like to protect and ensure that they're being monitored by your Datto EDR ransomware policy. When a ransomware alert occurs, use the Rollback Driver Desktop application on the affected endpoint to investigate, triage, and remediate the attack. You can also initiate file rollback directly from the Alert Detail page (described in the section Responding to ransomware alerts).
Perform the following steps to set up the agent and protect your endpoints.
Before you can start protecting your endpoints with Ransomware Rollback, your environment must meet the following criteria:
- You must have an active Datto EDR subscription.
- The Datto Endpoint Security agent must be installed on all endpoints you wish to monitor, and those devices must be able to communicate with your EDR instance.
- Ransomware detection must be enabled and configured. For more information, refer to Ransomware configuration options.
Procedure
To deploy the rollback agent and Rollback Driver Desktop application to your monitored endpoints, you'll need to enable a File Recovery option in your ransomware policy. Perform the following steps to do so.
IMPORTANT If your endpoint requires managed reboots or must adhere to specific update policies, refer to the Managing Ransomware Rollback installation and updates section of this article for important information.
-
Navigate to the Policies page and locate your ransomware policy. Ensure that it is enabled. To learn how to do so, refer to Working with the Policies page.
-
Click the name of your ransomware policy to open its Edit Policy page.
-
Review the Details, Detection, and Response sections of the page. Make any configuration changes necessary. For feature definitions, refer to Ransomware monitoring options.
- Scroll down to File Recovery and click the Full Disk Tracking OR Folders & Extensions toggle to activate Ransomware Rollback. Doing so automatically begins the deployment process of the rollback agent's components to all monitored and supported Windows endpoints.

- Make any desired customizations to the cache configuration of the rollback agent. Review File Recovery options for details about the available options.
-
Once you've finished configuring your ransomware policy, click Save.
-
To verify that the rollback agent has successfully deployed to your endpoints, log in to any protected system and check for the Rollback Driver Desktop application in the Windows Start Menu and the Apps section of the Settings control panel.
Agent components
During the installation of the rollback agent, we add the following components to each protected system.
-
Kernel minifilter driver (cbfilter22.sys)
-
Datto Rollback System Service
-
Datto Rollback Status and Datto Rollback Updater scheduled tasks
-
Rollback Driver Desktop application and Start Menu icon
-
Cache folder at %SYSTEMDRIVE%\$.td and in the root directory of any additional tracked volumes
These resources are critical to the monitoring and protection of the endpoint's file system.
The rollback agent and its management application must be installed on all endpoints that you'd like to be able to restore. Once you've installed them, a link to the Rollback Driver Desktop application will become available in the Windows Start Menu. When you launch the program, you'll see the following features and fields.
| Header menu | |
|---|---|
| Feature | Definition |
|
Drive |
Volume filter; shows the alerts, history, and recovery options for each logical drive on the endpoint |
|
Refresh the current view |
|
Application is functioning without issue and connected to rollback system service |
|
Show Rollback Driver Desktop version information |
Overview
We are continuously improving the Datto Rollback agent and Rollback Driver Desktop application. It will automatically update when a new release is available. You do not need to take any action to keep the endpoint software current. However, should you wish to manage the delivery of these updates, the following sections of this article will assist you in doing so.
Update types
Ransomware Rollback integrates deep within the Windows kernel. We may occasionally release updates that require a system reboot to complete the installation. We classify our updates as minor and major.
Minor updates are for bug fixes, performance updates, and other infrastructure enhancements that are part of the continuous improvement cycle of the solution. On average, we will release a minor update every four to eight weeks. Minor updates are silent, always installed, and happen in the background without any pop-ups or visible effect on screen.
Major updates require a reboot of the host for the installation to finalize. Unless disabled, major updates surface a notification and then force a reboot under user control within 24 hours of the system receiving the update. This mechanism is the default delivery method for the rollback engine. Any update that will require a reboot will be announced in your Datto EDR instance at least one month in advance to enable you to schedule appropriate maintenance windows. Normally, we only release one major update per year.
Major updates are installed if the following conditions are met:
-
The
HKEY_LOCAL_MACHINE\SOFTWARE\Datto\RollbackDriver\DisableRollbackReboot=trueWindows Registry flag is not set; or... -
The
--forceupdatecommand line switch is specified for the Datto Rollback Updater scheduled task.
When minor and major updates take place, the Datto Rollback System Service restarts.
When an update requires a reboot, the updater creates a Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Datto\RollbackDriver\RestartFlag key in the endpoint's Windows Registry.
Datto Rollback uses the Datto Rollback Updater scheduled task every four hours to check for and download updates. The updater utility resides on protected endpoints at %SystemDrive%\Program Files\Datto\Datto Rollback Driver\updater.exe.
IMPORTANT If you disable this task, be sure to run Ransomware Rollback's updater.exe during your scheduled maintenance window to ensure that the latest patches and fixes are applied.
As described in the previous section of this article, the Datto Rollback Updater will set the RestartFlag Windows Registry key if it determines that a reboot is
required to finalize an update. Its purpose is twofold:
-
If you are updating during a service window, the presence of the flag enables you to know whether a reboot is actually required. Once the reboot completes, the
RestartFlagclears. -
The Datto Rollback Status scheduled task monitors for the presence of this key. If it exists, the user will be prompted to reboot the endpoint to finalize the update. Users have 24 hours to do so, after which, a forced reboot will occur.
If you do not want Ransomware Rollback installed on certain devices, you can avoid installation by creating a string key named DisableRollbackInstall within Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Datto\EDR in the registry and setting its value to 1.
If Ransomware Rollback has been installed on a device and you need to uninstall it while the policy is enabled, insert the key as instructed and manually uninstall Ransomware Rollback. This key will block automatic reinstallation.
If you'd like to prevent Datto EDR from installing major Ransomware Rollback updates while allowing minor updates to be applied, perform the following steps:
If you'd like to prevent Datto EDR from installing any Ransomware Rollback updates on a system until you're ready to do so, perform the following steps on the applicable endpoint:
-
Disable the Windows scheduled task called Datto Rollback Updater. Doing so prevents all automated updates.
-
During your service window, from an elevated Command Prompt or PowerShell session, run
updater.exe --forceupdate, which will download and install any available updates, minor and major. -
At the end of your service window, force a reboot of the endpoint to finalize the update.
Responding to ransomware alerts
When you receive a ransomware alert, you can perform a file rollback directly from the Alert Detail page or by using the Rollback Driver Desktop application.
IMPORTANT Ransomware Rollback cannot roll back the entire system state. It is designed to facilitate the recovery of critical business files only. If your operating system has also been compromised by ransomware, you may need to leverage your BCDR solution to achieve full restoration.
-
Navigate to the Alerts page by clicking Alerts in the top navigation menu.
-
The page will load. Locate the ransomware alert to which you'd like to respond and click its name.
- To perform file rollback directly from the Alert Detail page:
- Click Rollback.
- In the Rollback dialog box, select one of the following options to recover and restore files:
- Recover to Original Files & Paths: (Selected by default). Restores all encrypted and deleted files for the selected alert to their original file paths.
- Recover defined path: Restores all encrypted and deleted files for the selected alert to the file path you specify.
- In the Rollback dialog box, click Rollback.
The system automatically logs a comment on the alert with the timestamp and initiating user to maintain auditability.
-
To perform file rollback using the Rollback Driver Desktop application, proceed to the next section of this article.
-
Using an administrator-level account, log in to the endpoint with the host name you identified in the previous section of this article. If the machine has been isolated from the network and you need to access it remotely, you can do so from your Datto RMM platform.
-
Launch the Rollback Driver Desktop application and navigate to the Ransomware Alert tab.
-
Click the alert that corresponds to the Alert Time value you recorded from Datto EDR.
-
Ensure that the Extension value shown in Rollback Driver Desktop matches the Extension value from Datto EDR.

-
Review the impact of the ransomware attack by using the information provided by each of the application's tabs. If you chose to protect multiple volumes on the endpoint, be sure to repeat the process for each logical drive shown in the Drive drop-down.
-
When you're ready to take corrective action, you can click the Rollback button on the Process History tab or the File History tab to undo all file-level changes identified in the alert. If you'd prefer to take a more granular approach to recovery, you can use the options described in the Rollback Driver Desktop features section of this article to do so.
-
Once you've recovered your lost or compromised files, copy all business-critical data on the machine to a backup appliance, removable media, or NAS share.
-
Re-image the endpoint if you suspect that it still contains remnants of ransomware.
-
Restore all business-critical files to the machine.
Sending feedback
Understanding your experience with Ransomware Rollback is critical to our continuous improvement. When contacting our team to provide feedback or to report a problem about a specific endpoint, be sure to include your device details. To do so, perform the following steps:
-
Launch the Rollback Driver Desktop application on the endpoint you'd like to discuss.
-
From the header menu, click the
icon. The About window will open. -
Right-click the value shown in the DeviceId field. Then, click Copy DeviceId to Clipboard.

-
Provide the copied information to your Datto Account Executive or Technical Support Expert so that we can best assist you.
FAQs
Ransomware Rollback is a software agent that tracks changes made to files on a user's disk and provides a rollback mechanism to restore the original files if they become compromised by ransomware.
NOTE Ransomware Rollback does not track changes on virtual disk images, including Hyper-V, VirtualBox, and Windows hard disk image files, including AVHDX, AVHD, VHD, VHDX, and VDI.
Our solution intercepts file system calls made by applications and performs lightweight tracking of the changes made. It uses a custom minifilter inside Microsoft's file I/O stack in Windows, a system service for tracking changes and performing rollbacks, and a desktop application for user interaction.
No, it focuses on tracking user documents rather than the entire system. It does not track changes to the Windows directory, program files, or app data.
While Ransomware Rollback is compatible with most host-based applications, it may conflict with applications that write or update a large volume of files. In the event that rollback impacts an application, we recommend creating an exclusion for the folder. Refer to How do I enable support for folder exclusions?
Ransomware Rollback saves the data being written on an operation-by-operation basis, allowing you to roll back the entire update if it is compromised by ransomware.
Yes, ransomware detection is integrated with this solution, enabling the two to work together.
No, our agent does not rely on Windows shadow copy, which is often targeted by ransomware attacks. Instead, it uses a custom minifilter to track file changes independently.
Yes, you can monitor the tracked changes through the included desktop application.
Upon a file's deletion, Ransomware Rollback creates a hard link to the file in a tracking directory while the original deletion operation proceeds. Doing so allows for easy restoration of the deleted file.
Yes, you can initiate a rollback manually through the desktop application or remotely via the EDR portal in future releases.
Ransomware Rollback is intended for use with Windows 10 and 11 operating systems, ensuring a wide range of businesses can benefit from this added layer of protection.
No, the solution does not replace regular backup procedures. Instead, it serves as an additional layer of protection, enabling the rollback of critical files modified by ransomware attacks to ensure business continuity.
You can monitor ransomware alerts through the Endpoint Detection and Response (EDR) portal. To initiate a rollback, you can use the dedicated desktop application, which allows for targeted rollbacks based on the specific ransomware process or a specified timeframe (e.g., rolling back all changes made within the last four hours).
Yes. You'll need to allocate disk space for the ransomware rollback driver to intercept file operations and keep a copy of changes. By default, we reserve 5% of disk space for this purpose. However, you can adjust the quota based on your specific needs.
The rollback application's installation is approximately 10 megabytes in size.
The solution attempts to keep a history of changes for seven days. The duration may be shorter if there is heavy disk activity or a ransomware attack occurs.
Ransomware Rollback does not rely on snapshots. Instead, it continuously records all changes on the disk as they happen in real-time.
Even if a ransomware attack goes undetected, Ransomware Rollback is still recording the changes to the disk, which means you can roll them back and recover your files.
No, for these types of servers, you should use a solution like Datto BCDR's Rapid Rollback, which is designed to protect complex application servers.
Any program running on the background uses resources on the machine. The resources used are as follows:
-
CPU: We only use the CPU when there is I/O activity. Utilization will always be 0% unless file activity takes place. Then, the general overhead is relatively low but measurable under stress tests. File operations will occur in milliseconds. There is no installation indexing happening or periods when the agent actively scans your files; instead, it applies all overhead to file activity instead.
-
Memory: The service uses between 60 to 200 megabytes of RAM. Memory usage can vary based on the device's activity levels.
-
Disk space: We default the cache to 5% of the volume size. You can adjust this allocation in the agent settings. By default, Ransomware Rollback preserves up to seven days of activity. If that seven-day period will consume more than 5%, the agent will preserve a shorter window of time. The rollback agent will only use the maximum allocation if it is necessary for storing the entire history. If the recorded history requires less storage, the agent will reserve less space.
NOTE Using up free space on the disk while simultaneously deleting files can result in additional, unexpected storage consumption. This phenomenon is due to the rollback agent attempting to preserve the deleted files while also recording any additional files being created. It is important that you observe good storage management practices for any endpoint protected by the rollback agent.
-
Network traffic: Ransomware Rollback uses minimal network traffic. We periodically upload diagnostic information so that we can improve the solution.
No. The cache folder for each volume cannot be moved.
Ransomware Rollback supports multiple volumes and folder exclusions. Exclusions can be configured at the folder level only. Rollback file tracking on additional connected drives and optional folder blocklisting facilitate expanded granular control over the data you'd like to protect. Configurable from your ransomware policy, this feature delivers improved protection for endpoints that perform large numbers of read and write operations.
Clicking the settings icon in Rollback Driver Desktop allows you to enter folders to be excluded.

Exclusion examples:
- C:\Users\admin\A1
- C:\Users\admin\D2
- C:\Central
A minifilter is a small software component that works within your computer's file system. Its primary purpose is to monitor and sometimes modify how the operating system and applications access, read, and write files. For example, a minifilter might prevent unauthorized access to sensitive files or automatically encrypt certain types of files before they are saved to disk. In the context of a ransomware rollback solution, a minifilter is responsible for tracking changes made to files, allowing the system to revert those changes if a ransomware attack is detected.
First, disable the Rollback and File Recovery toggle in the Ransomware Protection policy. Then, the EDR agent service (HUNTAgent) must be restarted on the device. While the service typically restarts upon system reboot, an administrator could manually restart it if waiting for a reboot is not feasible.
NOTE If tamper protection is enabled, a reboot will be required to restart the EDR agent.
| Revision | Date |
|---|---|
| Added FAQ: How do I disable Rollback and File Recovery? | 6/2/25 |
| Added folder exclusion examples. | 6/18/25 |
| PR: On the affected endpoint: Edited step 6 - Click the Rollback button on the Process History tab or the File History tab. | 10/22/25 |
| Compatibility: Edited- Ransomware Rollback supports Windows 10 and above and Windows Server 2012 and above. | 11/18/25 |
| Global review, edits. | 12/17/25 |
| Getting started: Added can rollback directly from the Alert Detail page. Responding to ransomware alerts: In Datto EDR: Added steps 3 - 4 (Rollback). | 7/1/26 |








