Using the Analyze page

Click to select or create a pre-defined time box filter for designated locations.

NOTE  Once you have selected a filter, click to apply it. Note that queries in excess of 250,000 records will cause report generation to fail. Contact Technical Support if you require a report in excess of this threshold.

Filters the returned results to a designated date range.

Assign a user-defined workflow or status category to the selected items; to create and personalize flags, visit > Admin > File Flags.

Perform a threat analysis against selected items or all items in the current filter

Exports the current report to a Comma-Separated Values (CSV) file; to export the records for only certain hosts, check the corresponding boxes to the left of the hosts' names

During discovery, EDR collects data on all endpoints on the network, including OS version, open ports, and remote access protocols. Enumerated here are all endpoints from which the platform has received telemetry data.

EDR captures a list of currently running programs and their metadata. The report is stacked by signature, so there are no duplicates of the same processes across different host in the list, unless their hashes are different. In that case, the processes may have different versions or potentially malicious code injected.

Appearing in this report is metadata for all libraries and all current users. It is common to see .DLL files from Windows hosts and .SO files from Linux-based hosts.

Drivers normally run with administrator-like permissions and are digitally signed by their manufacturer to ensure authenticity. Datto EDR monitors all drivers that load on an endpoint, along with their metadata, and surfaces that information in human-readable format.

EDR searches process (volatile) memory for anomalies similar, but not limited to, how Volatility’s MALFIND operates. Malware can also be injected into memory and run without a file from the hard disk. This information represents the findings of that scan.

To determine if account credentials have been compromised, EDR collects data for all system and domain users and compares it against accounts with currently running malware.

Enumerated here are the results of a Shimcache (aka "AppCompatCache") inspection. The information returned is a list of all recently executed binaries, and if available, the corresponding executable & parse metadata.

From this location, you can review all processes or scripts that run as soon as the operating system boots up.

EDR collects the network connections for each process with the network status of LISTENING or ESTABLISHED and reports that information here.

To help you identify potentially malicious commands being carried out on your protected hosts, EDR collects all scripts currently executed in memory, all strings inside those scripts, and all references within those scripts, and details them on this page.

This page provides a list of all installed applications on the endpoint, including out of date or unwanted applications, along with applications that should be installed but aren’t, including antivirus software.

Objects included in a package manager tend to be less likely to be malicious than unmanaged objects.

The more antivirus engines that have flagged the file as malicious, the higher the likelihood is that it may be malicious.

Most malware is unsigned. A digitally signed object is inherently less likely to be malicious than one that is unsigned.

If the object is only available for Linux, the malware risk is lower, since most software for this platform comes from repositories.

The object has not been submitted for static analysis either because there is adequate existing threat intelligence information about it or because there are not enough current indicators that the object is malicious to do so.