Understanding EDR and AV tamper protection

This article describes how to prevent Datto EDR and Datto AV services from being tampered with.

There are different levels of protection offered when using Datto EDR and/or Datto AV.

Datto EDR

The Datto EDR policy includes a tamper protection option. When enabled, users will be unable to stop or restart the EDR service in the Service Manager, which is the traditional method for stopping a service.

To stop the service users will need to disable the Tamper Protection toggle during a maintenance window. This will allow the service to be stopped on the endpoint.

Datto AV

Datto AV will automatically protect the endpoint protection processes and related files. When installed with Datto EDR, Datto AV will also protect the EDR service from being killed.

To stop this service, the partner will need to disable the Datto AV policy in their platform. This will uninstall Datto AV from all associated endpoints.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.