Working with the Policies page
NAVIGATION Policies
SECURITY Datto EDR subscription with administrator-level platform access or Datto AV subscription with administrator-level platform access
BEFORE YOU BEGIN The type of subscription you have may define the features available to you on this page. For a comprehensive overview of features available to Datto EDR and Datto AV customers, refer to Datto EDR and Datto AV access control.
From the Policies page, you can create and customize the rules used by the analysis engine to detect threats in your environment. You can also manage your instance's ransomware, Datto AV, and Windows Defender policies and determine the actions that the platform takes when it identifies a suspected threats on an endpoint.
This article describes the page's layout and functions.
Overview
To access the Policies page, perform the following steps:
-
To access the Policies page, in the top navigation menu, click Policies.
-
The page will load, with the Policy List view selected by default.
-
Select a page to continue.
Policy List
The Policy List page enables you to enable, disable, and configure the settings for your global ransomware detection and Microsoft Defender Antivirus policies. To learn more about these features, refer to Understanding Datto EDR's ransomware detection, Protecting endpoints with Datto Antivirus (AV), and Leveraging Microsoft Defender Antivirus with Datto EDR.
Feature | Definition |
Search |
Enter a partial or whole value to filter current view to matching records |
Create Policy |
Begins the policy creation workflow; for more information, refer to Named policies |
Click any header to sort the displayed records by the column's value.
Detection Rules
Detection rules run automatically against endpoint audit data as it is received by your instance. It helps Datto EDR identify potential threats and how to address them. The rules we provide analyze your endpoints for processes and behaviors that match the top known Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) techniques. When a rule is triggered, Datto EDR will generate an alert and follow the workflow you define.
You can selectively enable, disable, and customize rules to tailor your instance's threat analysis procedures to the needs of your environment. You'll find these management options on the Detection page.
When you visit the Detection Rules page, the Rules view is selected by default.
Feature | Definition |
Rules |
Click to switch to the Rules view |
Publish History |
Click to view a log of rule publication activity for your instance |
Search |
Enter a partial or whole value to filter current view to matching records; click Filter to apply additional search criteria |
Add Rule |
Enables you to create a new detection rule by using the rule editor; for more information, refer to the Adding or editing rules section of this article |
Publish Rules | Click to publish new rules and rules with configuration changes since the last publish |
Import Rules |
Enables you to import new rules in YAML format; maximum file size is 100 MB. |
Export Rules |
Enables you to export existing rules in YAML format; only custom rules can be exported |
Field name | Definition |
Name |
The name of the rule; clicking it will open the rule editor; for more information, refer to the Adding or editing rules section of this article |
Defines the characteristics that must be met before Datto EDR will act on the rule: Item: Agent will evaluate, alert, and take action against individual events as they are received to determine if the events are notable attacker behaviors EXAMPLE A PowerShell command's arguments would be evaluated by the rule and identified as a Correlation: Agent will evaluate all recent behaviors observed to determine if there is a pattern of threat behavior and, if so, act accordingly EXAMPLE A |
|
Severity |
The severity level of the alert that will generate if the rule is triggered |
Response Actions |
If the rule is capable of automated response, indicates the type of action the Endpoint Security agent will attempt to take upon detection of a threat; the following values are possible:
|
Author |
The name of the author who created the rule |
Active |
Click the icon in this field to activate or deactivate the policy; indicates that the policy is active; indicates that the policy is inactive |
Last Modified |
The time and date the rule was last updated |
Versions |
Indicates how many versions of this specific rule have existed in your instance; version number iterates each time the rule is modified |
Click to delete the rule or view its previous versions |
The Publish History view displays a log of rule publication activity for your instance.
Feature | Definition |
Rules |
Click to switch to the Rules view |
Publish History |
Click to view a log of rule publication activity for your instance |
Search |
Enter a partial or whole value to filter current view to matching records |
Field name | Definition |
Published On |
The date and time of the rule's publication |
Published By |
The identity of the user or process that published the rule |
From the Detection Rules page, click Add Rule or click the name of an existing rule to open the editor. Populate or change the following fields, and then click Save.
IMPORTANT Once you create or edit an existing rule, you'll need to ensure that it's active and then click Publish Rules from the Detection Rules page before it will go into effect.
NOTE Rules included with Datto EDR and Datto AV by default are not editable. To create your own version of these rules, use the Copy button described in the below table.
Field or feature name | Definition |
Name |
The name of the rule |
Actions |
When active, rule will generate alerts; when inactive, no alerts will generate |
Severity |
The severity level of the alert that will generate if the rule is triggered |
MITRE ID |
The specific MITRE ATT&CK knowledge base ID to which the rule maps |
MITRE tactic |
The specific MITRE ATT&CK tactic to which the rule maps |
Short description |
A brief description of the rule that will appear in alerts that it generates |
Rule type |
Defines the characteristics that must be met before Datto EDR will act on the rule: Item: Agent will evaluate, alert, and take action against individual events as they are received to determine if the events are notable attacker behaviors EXAMPLE A PowerShell command's arguments would be evaluated by the rule and identified as a Correlation: Agent will evaluate all recent behaviors observed to determine if there is a pattern of threat behavior and, if so, act accordingly EXAMPLE A |
Description | The extended description of the policy's purpose, functions, and any other pertinent information |
Copy |
Creates a copy of the current rule for editing |
Rule Body |
Free-text editor in which you can specify the endpoint actions that Datto EDR should take if this rule is triggered; all syntax must be in YAML format |
Alert Suppression
From this page, you can view, manage, and publish suppression rules for specific types of alerts. To learn more about this feature, refer to Suppressing alerts.
When you visit the Alert Suppression page, the Rules view is selected by default.
Feature | Definition |
Rules |
Click to switch to the Rules view |
Publish History |
Click to view a log of rule publication activity for your instance |
Search |
Enter a partial or whole value to filter current view to matching records |
Add Rule |
Enables you to create a new suppression rule; for more information, refer to Managing and publishing suppression rules |
Publish Rules | Click to publish new rules and rules with configuration changes since the last publish |
Field name | Definition |
Name |
The name of the rule; clicking it will open the rule editor; for more information, refer to the Adding or editing rules section of this article |
Organization |
The organization to which the rule applies |
Location |
The location to which the rule applies |
Author |
The name of the author who created the rule |
Active |
Click the icon in this field to activate or deactivate the policy; indicates that the policy is active; indicates that the policy is inactive |
Last Modified |
The time and date the rule was last updated |
Versions |
Indicates how many versions of this specific rule have existed in your instance; version number iterates each time the rule is modified |
The Publish History view displays a log of rule publication activity for your instance.
Feature | Definition |
Rules |
Click to switch to the Rules view |
Publish History |
Click to view a log of rule publication activity for your instance |
Search |
Enter a partial or whole value to filter current view to matching records |
Field name | Definition |
Published On |
The date and time of the rule's publication |
Published By |
The identity of the user or process that published the rule |
Policy types
NOTE This policy is only available to users with an active Datto AV subscription.
The following configuration options are available for Datto Antivirus (AV) policies. For extended details about this policy type, refer to Best practices for creating Datto AV policies and Protecting endpoints with Datto Antivirus (AV).
Details | |
---|---|
Field name | Definition |
The type of policy |
|
Name |
The name of the policy |
Description |
The extended description of the policy's purpose, functions, and any other pertinent information |
Real-time Protection Scan | ||
---|---|---|
Feature name | Definition | |
Enable Real-time Protection Scans |
Click to enable or disable continuous threat scans on protected endpoints |
|
Scan Archives |
Includes or excludes archive files from analysis during scans; when included, archive types such as ARJ, ZIP, GZIP, TAR, RAR, self-extracting ZIP, self-extracting ARJ, UUE and XXE compressed files, 7-Zip, LZH/LHA, packaged image files that come with installers, PDFs, and more will be analyzed |
|
Customize Archive Scanning |
Limit Number Of Nested Zip Folders To |
Restricts scans of archives within archives to the given value |
Limit Number Of Files To |
Do not analyze more than this number of files within the archive |
|
Limit File Size To (In MB) |
Exclude analysis of archived files greater than the designated limit |
Network Drives | |
---|---|
Feature name | Definition |
Scan storage devices on local networks |
Enable to scan any mapped network drives within the local network (such as F:\ to Z:\) |
Behavioral Detection | |
---|---|
Feature name | Definition |
Enable behavior based malware detection |
When active, leverages Datto EDR's advanced behavioral analysis and heuristics to identify malicious activity through detection of suspicious file and process activity on the protected host |
Scanning exclusions | |
---|---|
Feature name | Definition |
Exclude Folders |
Excludes specific folders, files, and processes from scanning |
Exclude Files | |
Excluded Processes |
Scheduled File Scan Settings | |
---|---|
Feature name | Definition |
Scan All File Types |
Scans all files on the host |
Scan Recommended File Types Only |
Scans the following file types: 386, ?HT*, ACAD, ACM, ADE, ADP, ANI, APK, APP, ASD, ASF, ASP, ASX, AU3, AWX, AX, BAS, BAT, BIN, BOO, CDF, CHM, CLASS, CMD, CNV, COM, CPL, CPX, CRT, CSH, CSS, CSV, DEX, DLL, DLO, DO*, DRV, DWG, EMF, EML, EXD, EXE*, FAS, FLT, FOT, HLP, HT*, INF, INI, INS, ISP, J2K, JAR, JFF, JFI, JFIF, JIF, JMH, JNG, JOB, JP2, JPE, JPEG, JPG, JS*, LNK, LSP, MD?, MOD, MPP, MPT, MS?, NWS, OBJ, OCX, OLB, ONE, OSD, OV?, PCD, PDF, PDR, PGM, PHP, PIF, PKG, PL*, PNG, POT*, PPAM, PPS*, PPT*, PRC, PRG, PROJ, PS1, PSH, PWZ, PY, PYC, PYD, R0?, R1?, R2?, RAR, REG, RPL, RTF, SBF, SCF, SCR, SCRIPT, SCT, SH, SHA, SHB, SHS, SIS, SLD?, SPL, SWF, SYS, TLB, TSP, TTF, URL, VB?, VCS, VLM, VXD, VXO, WIZ, WLL, WMA, WMD, WMF, WMS, WMV, WMZ, WPC, WSC, WSF, WSH, WWK, XAR, XL*, XML, XXX, ZIP, and files with no extensions |
Scan Archives |
Includes or excludes archive files from analysis during scans; when included, archive types such as ARJ, ZIP, GZIP, TAR, RAR, self-extracting ZIP, self-extracting ARJ, UUE and XXE compressed files, 7-Zip, LZH/LHA, packaged image files that come with installers, PDFs, and more will be analyzed |
Mailbox Formats | When selected, includes analysis of BSD, MBOX, MBX, PMM, PMI, CNM, PST, OST, and Squid cache files in the scheduled scan |
Disk Image Formats | When selected, includes analysis of ISO 9660 and WIM files in the scheduled scan |
Limit Number Of Nested Zip Folders To | Restricts scans of archives within archives to the given value |
Exclude Folders | Excludes the designated files and folders from analysis during scans |
Exclude Files |
Schedule Full Scan | |
---|---|
Definition | |
Schedules a thorough check of the entire system and sequentially scans all files on all hard drives, removable storage media and, if selected, network drives. IMPORTANT Full scans are lengthy processes that require considerable OS resources. They can impact performance on servers and other high utilization systems. We recommend performing a full scan no more than once a week for most systems. |
Schedule Quick Scan | |
---|---|
Definition | |
Schedules a scan that examines running processes and the locations most likely to contain malware, such as registry keys, system drivers, and known Windows startup folders. Together with real-time protection, a quick scan helps provide strong protection against malware. In most cases, a quick scan is sufficient and is the option we recommend for scheduled scans. |
Automated response policies are pre-defined detection rules that can carry out recommended actions in response to a threat on an endpoint. These policies can attempt to kill malicious processes, quarantine suspicious files, or isolate the host from the network, mitigating the scope of an attack and preventing it from spreading to other devices in your environment.
When a policy of this type attempts to carry out an action in response to a suspected threat, the triage measure taken and its outcome will appear in the Responses view of the Respond page. For further information, consult the Working with the Policies pagesection of our Navigating the Respond page article.
The following configuration options are available for automated response policies:
Details | |
---|---|
Field name | Definition |
The type of policy |
|
Name |
The name of the policy |
Description |
The extended description of the policy's purpose, functions, and any other pertinent information |
Use Recommended Responses | |
---|---|
Feature name | Definition |
Enable recommended responses |
When toggle is on, policy will query all default automated detection rules listed on the Detection page for matching criteria; if a match is found, policy will deploy the response actions associated with that rule IMPORTANT Disabling this toggle restricts the policy to using only the detection rules and response actions that you designate in the Manage Custom Responses. |
Override Custom Responses / Manage Custom Responses | |
---|---|
Feature name | Definition |
Enable recommended responses |
When toggle is on and a detected object meets matching criteria, policy will trigger appropriate Recommended Actions listed on the Detection page IMPORTANT Disabling this toggle restricts the policy to using only the detection rules and response actions that you designate in the Manage Custom Responses. |
Add Override |
If the Enable recommended responses toggle is on, enables you to designate one or more detection rules that must be included in this policy when it is active |
Customize Response |
If the Enable recommended responses toggle is off, enables you to designate the detection rules and automated response actions that the policy must leverage when it is active |
Bulk Update |
Enables you to activate or deactivate the Isolate Host, Kill Process, and Quarantine File actions for all rules in the response table |
Search |
Enter a partial or whole value to filter current view to matching records; click Filter to apply additional search criteria |
Response table | |
---|---|
Field name | Definition |
Name |
The name of the rule |
Severity |
The severity level of the alert that will generate if the rule is triggered |
Isolate Host |
Performs a local network isolation of a Windows or Linux system by using a filter driver on Windows and iptables or ipfw on Linux |
Kill Process |
Kills a process by path or deletes the associated file |
Quarantine File |
Places the suspicious object in a quarantined status pending further action |
Status indicators | Click to include or suppress the corresponding response action in each rule; indicates that the response will run; indicates that the response will not run |
Click to remove the rule from the policy |
The following configuration options are available for Microsoft Defender Antivirus policies. For extended details about this policy type, refer to Leveraging Microsoft Defender Antivirus with Datto EDR.
Details | |
---|---|
Field name | Definition |
The type of policy |
|
Name |
The name of the policy |
Description |
The extended description of the policy's purpose, functions, and any other pertinent information |
Interface | |
---|---|
Feature name | Definition |
Disable user interface |
Limits the user's ability to view Defender UI, notifications, or change any scanning behavior |
Use a proxy server |
Enables proxy configuration for partners who run updates via a proxy |
Protection | |
---|---|
Feature name | Definition |
Cloud-based protection |
Leverage Microsoft Defender's cloud platform to evaluate file samples and block content determined to be a threat by the Defender community |
Behavior-based protection |
Monitor for threats that are detected through machine learning |
Keep Defender service alive in all circumstances |
Enable the Defender service's keepalive functions |
Monitor file and program activity |
Monitor new files and file-related activity |
Network inspection and protocol recognition |
Monitors outbound HTTP(s) traffic and block connections to sites such as Command & Control (C&C) servers, phishing, and other malicious targets |
Scan scripts used in Microsoft browsers |
Scan for malicious scripts from web pages when using Microsoft browsers |
Block risky DNS request |
Attempts to identify and block connections to URLs known to be risky or host malware |
Detection based on heuristics |
Inspects code for suspicious elements |
Microsoft Outlook protection |
Scan Microsoft Outlook for suspicious emails and attachments |
Scanning exclusions | |
---|---|
Feature name | Definition |
Process exclusions |
Excludes specific processes, files, folders, and extensions from scanning |
File / folder exceptions | |
File extension exclusions |
Defender attack surface reduction | |
---|---|
Feature name | Definition |
Use advanced ransomware protection |
Use your Windows-embedded client and cloud heuristics to determine if a file resembles ransomware; can run in conjunction with your Datto EDR ransomware policy |
Block abuse of exploited / vulnerable signed drivers |
Prevent applications from writing a vulnerable signed driver to disk |
Block untrusted unsigned process running from USB |
Block untrusted processes from executing that are on a USB drive |
Block advanced malware attack techniques |
Block potentially obfuscated scripts, possible persistence through WMI, and processes creations from PSExec and WMI |
Use advanced Office / Adobe Reader protection |
Monitor and block Microsoft Office and Adobe applications that may inject codes, create child processes, or make Win32 API calls; before enabling this toggle, refer to Requirements |
Protection Level |
Enables you to toggle Windows Defender's response level to Audit or Block mode |
Attack surface reduction exclusions | |
---|---|
Field name | Definition |
Process exclusions |
Exclude specific processes from analysis in the Attack surface reduction exclusions ruleset |
Named policies enable you to create your own custom policies and assign them to specific organizations and locations. You can create default policies that apply to all organizations upon their creation, or, you can apply policies to specific organizations or locations you choose.
Good to know
When working with named policies, the following rules of thumb apply:
-
The Microsoft Defender Antivirus policy, Datto AV policy, and Ransomware Policy are system-generated and available by default.
-
Custom policies must be based on Windows Defender, Datto AV, or Ransomware Detection rules.
-
You cannot have more than one default policy of each type.
-
When you apply a policy at the organization level, it will automatically apply to all locations within that organization. After you apply it, you can refine its scope on a location-by-location basis.
-
You can only delete custom policies that are not in effect for any location. To see the locations where policies are in effect, you can review the policy columns on the Locations page within an organization or the All Locations page at the global level.
To add, edit, and manage named policies, perform the following steps:
Creating policies
-
On the Policies page, click Create Policy.
-
The Create Policy modal will open.
-
In the Type drop-down field, define the kind of policy you're creating by selecting Ransomware Detection or Windows Defender.
-
Enter a unique identifier for this policy in the Name field.
-
Input a short summary of the policy's purpose in the Description field.
-
Click Create to save your changes.
-
The policy editor will open. Populate or change the fields defined in the Policy editor section of this article, and then click Save.
-
In the table on the Policy List page, activate your policy and apply any required default settings.
Editing policies
To edit an existing policy, perform the following steps:
-
On the Policies page, click the name of the policy you'd like to edit.
-
The Edit Policy modal will open.
-
Populate or change the fields defined in the Policy editor section of this article, and then click Save.
-
Be sure to review the table on the Policy List page to ensure that your is active and any default settings are applied.
Policy editor
When creating or editing a named policy, you can customize the following settings:
The following configuration options are available for Ransomware Detection policies. For extended details about this policy type, refer to Understanding Datto EDR's ransomware detection.
Details | |
---|---|
Field name | Definition |
Name |
The name of the policy; this value is system-defined and cannot be edited |
Description |
A brief description of the policy's purpose; this value is system-defined and cannot be edited |
Rollback and File Recovery | |
---|---|
Feature name | Definition |
Enable Rollback and File Recovery |
Activate this toggle to deploy the rollback agent and Rollback Driver Desktop application to all endpoints monitored by your ransomware policy. To learn how to leverage the recovery feature in your environment, refer to Working with Ransomware Rollback. |
Monitoring Scope | |
---|---|
Feature name | Definition |
Support additional volumes |
Enabling this option allows you to configure additional volumes in the Rollback Driver Desktop application on the protected device as well as folders to exclude from tracking. |
Managing policies
Once you've created a named policy, it will appear in the table on the Policy List page. From here, you can activate or deactivate your policies, set them as the default policies for newly-created organizations, and delete them. Refer to the Policy List section of this article for more information.