Understanding Datto EDR's ransomware detection
NAVIGATION Policies
SECURITY Datto EDR subscription with administrator or analyst-level platform access
Datto EDR is a secure and fully-featured cloud platform that enables MSPs to remotely monitor, manage, and support their endpoints. It also provides an extra layer of security with native ransomware detection. Datto EDR's ransomware detection monitors for the existence of crypto-ransomware on endpoints by using proprietary behavioral analysis of files. Once ransomware is detected, Datto EDR can alert you, isolate the device, and attempt to stop the ransomware processes to keep the infection from spreading. When paired with Ransomware Rollback, ransomware detection offers a powerful early warning and rapid recovery system against malware.
This topic provides an overview of ransomware detection in Datto EDR and answers questions frequently asked by our partners. For details about Ransomware Rollback, refer to Working with Ransomware Rollback.
Key benefits
- Know about ransomware infections instantly. Instead of waiting for a user to report the issue, Datto EDR will notify you when files get encrypted by the ransomware. You'll have more time to respond and possibly prevent the spread.
- Easily monitor by using policy-driven configuration. The policy-driven approach of Datto EDR enables MSPs to monitor targeted devices easily and at scale for the presence of ransomware. Integrations with key MSP tools, such as Datto RMM, along with email and webhook notification options, ensure that the right resources can be immediately alerted if ransomware is detected.
- Prevent spreading of ransomware with automatic network isolation and termination of ransomware processes. Once ransomware is detected, you can have Datto EDR isolate the affected device from the network and attempt to stop suspected ransomware processes to prevent further spread of the infection to other devices.
- Remediate issues remotely. Devices automatically isolated from the network can still contact Datto EDR, enabling you to take effective action to resolve the issue.
- Recover with Datto Continuity products. When Datto EDR is integrated with Datto RMM + Datto BCDR, you can quickly recover from the ransomware outbreak by restoring the device to a previous state.
Requirements
- You must have an active Datto EDR subscription.
- Ransomware detection must be enabled and configured. For more information, refer to Ransomware policy.
- The Datto Endpoint Security agent must be installed on all endpoints you wish to monitor, and those devices must be able to communicate with your EDR instance.
Supported operating systems
The ransomware monitor is supported on Windows operating systems only.
Ransomware monitor features
You can configure ransomware monitoring to scan an entire host or only the paths you specify. You can also designate the action it takes when it suspects an infection on a host. The ransomware monitoring policy includes the following features:
- Scan parameters that enable you to choose between scanning all local drives on an endpoint or only specific drives. For further granularity, you can designate specific paths on the host to monitor.
- Host isolation that automatically terminates all of the endpoint's network connections except to the EDR portal, which helps prevent the spread of ransomware to other endpoints. You can augment host isolation with custom policies that attempt to terminate known ransomware processes when they are detected, slowing or stopping the spread of ransomware on the infected host.
You'll find your ransomware detection settings on the Policies page. Clicking the name of a ransomware policy opens its Edit Policy page. From this location, the following configuration options are available.
Click any header to sort the displayed records by the column's value.
Ransomware monitoring options
Details

| Field name | Definition |
|---|---|
| Name | The name of the policy; this value is system-defined and cannot be edited |
| Description | A brief description of the policy's purpose; this value is system-defined and cannot be edited |

Detection

| Field or feature name | Definition |
|---|---|
| Any local drive | Select the check box to monitor any local drive; network drives, removable drives, and USB mass storage devices are excluded from being monitored |
| Additional paths | Enter a path to be monitored; we do not recommend adding network drives, removable drives, or USB mass storage devices; to add another path, click the plus sign; to remove a path, click the minus sign; ensure there are no empty rows in this section before saving the monitor |
| Exclude the following extensions | Ransomware alerts may sometimes be false positives if a legitimate program uncharacteristically updates files or if suspicious file extensions are present for a legitimate purpose; enter any extensions that should not be included in ransomware scans |

Response

| Feature name | Definition |
|---|---|
| Isolate host | When this toggle is on, if ransomware is suspected on a host, the agent will automatically isolate the endpoint from all network connections except for the EDR portal. If this response is successful, Automatically shutdown infected systems will not execute. |
| Attempt to kill suspected ransomware process | If enabled, Datto EDR will attempt to terminate malicious processes when they are detected, reducing the impact of a ransomware attack. |
| Shut down host | In the event of a ransomware attack, EDR can automatically attempt to shut down infected systems. If Isolate host or Attempt to kill suspected ransomware process are also enabled, EDR will attempt to complete those steps first. If Isolate host is successful, the shut down response will not execute. |
Ransomware Rollback options
Rollback and File Recovery

| Feature name | Definition |
|---|---|
| Enable Rollback and File Recovery | Activate this toggle to deploy the rollback agent and Rollback Driver Desktop application to all endpoints monitored by your ransomware policy. To learn how to leverage the recovery feature in your environment, refer to Working with Ransomware Rollback. |

Monitoring Scope

| Feature name | Definition |
|---|---|
| Support additional volumes | Enabling this option allows you to configure additional volumes in the Rollback Driver Desktop application on the protected device, as well as folders to exclude from tracking. |
| Exclude standard Windows folders | The rollback agent only tracks changes to user areas of the operating system disk, not system areas. The following folders are excluded from change tracking. NOTE Currently, it is not possible to deactivate this toggle. |

Tracking cache size

| Feature name | Definition |
|---|---|
| Maximum tracking history | By default, the rollback agent will attempt to track changes for a seven-day rolling window. To reduce the retention period, select a value from this drop-down. |
| Cache size | To track file changes and undo ransomware infections, the rollback agent creates a cache folder on each protected volume in which it stores historical file information. Once the cache space is exhausted, the agent will begin to purge file history. The value you specify here will be used for all monitored disks. |
To learn how to create and manage policies, refer to Adding or editing rules and Named policies.
FAQs
Setting up ransomware detection is as easy as enabling it from the Policies page in your EDR portal. To get started, refer to Working with the Policies page.
Ransomware detection is designed to work alongside other security products you deploy to your customer endpoints.
Device isolation can be reverted by running the Host Isolation Restore extension from the Alerts page. Doing so will revert any isolation that has occurred on a device and return its ability to contact the internet and other devices on the network. Refer to Responding to alerts.
Enter the full directory path, one per line. For example:
- C:\Users\admin\F1
- C:\Users\admin\F2
The Datto EDR ransomware detection engine looks for the existence of crypto-ransomware on endpoints by using proprietary behavioral analysis of files.
You can run a simulation package to test Datto EDR's ransomware detection. The simulation package (AutoRS.zip) and a set of instructions (Readme.txt) are available to download here.
NOTE How to get or run real ransomware is outside the scope of this procedure. The change described here is intended for demonstration purposes only and should never be left in place on an endpoint after the demonstration is complete.
EDR detects ransomware attacks by analyzing file update behavior and detecting file encryption. To test detection of ransomware, follow these steps:
- Configure EDR with ransomware detection enabled. Refer to Ransomware configuration options.
- Create a folder under the root (for example, C:\User\).
- Place a number of normal-sized user files in the folder (30 to 50 files or more). There should be several different types of files; for example, graphic files, text files, and so forth.
- Wait at least three minutes before starting the ransomware so that the files are not treated as transient.
- Download and start the ransomware. It can take up to a minute or more before the encryption process starts, depending on the type of ransomware.
- If the ransomware begins to encrypt files, EDR should create an alert and try to isolate the host.
IMPORTANT Do not create the folder in the Program Data, AppData, Temp directories or in any other folder not normally targeted by ransomware.
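The seeding step above, as an added PowerShell example that is not Datto's own tooling: it fills a test folder with benign, varied, normal-sized files, and a second mode pulls the DETECTED lines from the engine.log path documented later on this page. The `$TestRoot` path is hypothetical; choose any folder under the root that is not inside ProgramData, AppData or Temp.

```powershell
# Added example (not Datto's own tooling) for the ransomware detection test:
#   .\Seed-EdrTest.ps1               seeds the test folder (run this first)
#   .\Seed-EdrTest.ps1 -CheckLog     lists DETECTED entries from engine.log afterwards
param(
    [string]$TestRoot  = 'C:\EDRDetectionTest',   # hypothetical test folder
    [int]$FileCount    = 40,                       # page recommends 30 to 50 or more
    [switch]$CheckLog
)

# Log path documented on this page; $env:SystemDrive expands %SYSTEMDRIVE%.
$EngineLog = Join-Path $env:SystemDrive 'ProgramData\Datto\Datto Rollback Driver\Logs\engine.log'

function New-SeedFiles {
    param([string]$Root, [int]$Count)
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    # Several file types, as the procedure asks: documents, images, spreadsheets.
    $extensions = @('.txt', '.docx', '.xlsx', '.jpg', '.png', '.pdf', '.csv')
    $filler = 'Quarterly report draft: revenue, costs and review notes. '
    $rng = [System.Random]::new()
    for ($i = 1; $i -le $Count; $i++) {
        $ext  = $extensions[$i % $extensions.Count]
        $path = Join-Path $Root ('user-file-{0:D3}{1}' -f $i, $ext)
        # Normal-sized (20 KB to 200 KB), low-entropy content: repeated plain text,
        # so the seed files do not themselves resemble already-encrypted data.
        $repeats = [int][math]::Ceiling($rng.Next(20KB, 200KB) / $filler.Length)
        Set-Content -Path $path -Value ($filler * $repeats) -NoNewline -Encoding ascii
    }
    (Get-ChildItem -Path $Root -File).Count
}

function Get-DetectionLines {
    param([string]$LogPath)
    if (-not (Test-Path $LogPath)) { return @() }
    # Lines containing DETECTED are the scans that flagged a potential threat.
    Select-String -Path $LogPath -Pattern 'DETECTED' -SimpleMatch | ForEach-Object { $_.Line }
}

if ($CheckLog) {
    $hits = @(Get-DetectionLines -LogPath $EngineLog)
    "engine.log DETECTED entries: $($hits.Count)"
    $hits | Select-Object -Last 5
} else {
    $written = New-SeedFiles -Root $TestRoot -Count $FileCount
    "Seeded $written files in $TestRoot. Wait at least three minutes before starting the simulation."
}
```

Remove the test folder once the demonstration is complete, as the NOTE above requires.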
If EDR does not create an alert, check the following:
- If the files in the user folder were not renamed or deleted, it is a sign that the ransomware did not start up or perform any encryption. This behavior can happen for many reasons; for example, the ransomware is outdated, the remote website the ransomware software attempts to connect to is no longer active, it has detected that it is running in a virtual machine, or it has detected that the keyboard of the machine is Russian or Ukrainian.
- If antivirus software is installed, it could block the ransomware. Temporarily disable antivirus software and similar programs on the test endpoint for the duration of the test.
- Simulation software, such as RanSim from KnowBe4, cannot be used directly because EDR detects that it is originating from a safe application. Use the modified version available from Datto instead. Refer to Can I test ransomware detection?
- If none of the above explained the missing alert, please contact Kaseya Support.
We tested Datto EDR's ransomware detection with Datto RMM. Testing included the following:
- Testing the effectiveness of ransomware detection against current strains of ransomware in the wild
- False positive tests where ransomware detection was used alongside legitimate apps that mimic malicious ransomware behaviors
- Performance testing to check impact on system performance for devices running ransomware detection
In addition, we continuously update ransomware detection's threat definitions as new strains are identified.
We store the ransomware detection log on protected endpoints at %SYSTEMDRIVE%\ProgramData\Datto\Datto Rollback Driver\Logs\engine.log. Lines containing DETECTED indicate scans where ransomware detection identified a potential threat.
You can also view details about ransomware alerts from your EDR portal. For more information, refer to Working with the Alerts page.
Need support?
Kaseya is always available to assist further. Your Kaseya Account Executive can enroll you in basic and intermediate-level platform training. For technical assistance, visit our Kaseya Support article to learn how to get in touch.