Best practices for creating Datto AV policies
When creating a new Datto AV policy, your goal should be to achieve maximum protection while minimizing the resource utilization impact on the endpoint.
This article provides optimal settings and use cases for each section of the Datto AV policy configuration page.
NOTE: For a comprehensive overview of the Policies page, refer to the Working with the Policies page article.
Real-time Protection Scan

Real-time Protection

| Setting | Recommended value and rationale |
| --- | --- |
| Enable Real-time Protection Scans | Enabled: Real-time protection provides on-access monitoring of newly created files and processes. It is the critical component of the policy and provides protection in every situation. |
Archives

| Setting | Recommended value and rationale |
| --- | --- |
| Scan Archives | Enabled: Archives are container files such as ISO images or compressed files. Real-time scanning of archives helps protect endpoints from malware that uses compression to evade detection. |
| Limit Number Of Nested Zip Folders To | One: Real-time protection automatically scans the files and folders of a zipped archive when a process attempts to interact with any object inside it. Scanning one layer deep into nested archives protects against traditional evasion tactics while avoiding the resource cost of scanning deeper nesting. |
| Limit Number Of Files To | 25: Limiting the number of files scanned per archive saves resources during real-time scans. When a process interacts directly with a zipped folder, real-time protection attempts to scan the files within it quickly. Under normal conditions there is no need to scan more than 25 files, because any file that a process later opens is scanned by the Endpoint Security agent at that moment. |
| Limit File Size To (In MB) | 1 MB: Real-time scanning must load files into memory to analyze them, and an archive may contain many files. Allowing file sizes larger than 1 MB increases the memory Datto AV uses on the endpoint and reduces its performance. |
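The following Python script is an added illustration of how the three archive limits above bound the work a real-time scan does; it is not Datto code and does not reproduce the agent's actual scanning logic. It builds a constructed nested zip in memory, then walks it under the recommended limits and under a hypothetical unlimited policy. The exact semantics (the file limit counting members examined per archive, the size limit applying to uncompressed size, depth 0 being the archive the process touched) are assumptions made for the example.

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ArchiveLimits:
    """The three archive limits from the real-time protection policy."""
    max_nesting: int        # Limit Number Of Nested Zip Folders To
    max_files: int          # Limit Number Of Files To
    max_file_bytes: int     # Limit File Size To (In MB), converted to bytes


# Values recommended on this page.
RECOMMENDED = ArchiveLimits(max_nesting=1, max_files=25, max_file_bytes=1 * 1024 * 1024)
# Hypothetical "no limits" policy, used only to show how much extra work it creates.
UNLIMITED = ArchiveLimits(max_nesting=10, max_files=10**6, max_file_bytes=10**12)


def build_sample_archive() -> bytes:
    """Constructed input: an outer zip containing a nested zip (which itself
    contains another zip), one 2 MB file, and 30 small documents."""
    level2 = io.BytesIO()
    with zipfile.ZipFile(level2, "w") as z:
        z.writestr("deep.txt", b"two levels down")
    level1 = io.BytesIO()
    with zipfile.ZipFile(level1, "w") as z:
        z.writestr("mid.txt", b"one level down")
        z.writestr("level2.zip", level2.getvalue())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("level1.zip", level1.getvalue())
        z.writestr("big.bin", b"\0" * (2 * 1024 * 1024))   # exceeds the 1 MB limit
        for i in range(30):                                 # exceeds the 25-file limit
            z.writestr(f"doc{i:02d}.txt", b"x" * 100)
    return outer.getvalue()


LIST_KEYS = ("scanned", "skipped_count", "skipped_size", "skipped_depth")


def plan_scan(data: bytes, limits: ArchiveLimits, prefix: str = "", depth: int = 0) -> dict:
    """Walk an archive the way a limited scan would (assumed semantics, see lead-in)
    and report which members would be analysed, which skipped and why, and how
    many bytes would have to be loaded into memory."""
    report = {key: [] for key in LIST_KEYS}
    report["scanned_bytes"] = 0
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        members = [m for m in z.infolist() if not m.is_dir()]
        for index, member in enumerate(members):
            name = prefix + member.filename
            if index >= limits.max_files:           # per-archive file budget exhausted
                report["skipped_count"].append(name)
                continue
            if member.filename.lower().endswith(".zip"):
                if depth + 1 > limits.max_nesting:  # too deeply nested to descend
                    report["skipped_depth"].append(name)
                    continue
                nested = plan_scan(z.read(member), limits, name + "/", depth + 1)
                for key in LIST_KEYS:
                    report[key].extend(nested[key])
                report["scanned_bytes"] += nested["scanned_bytes"]
                continue
            if member.file_size > limits.max_file_bytes:   # uncompressed size over limit
                report["skipped_size"].append(name)
                continue
            report["scanned"].append(name)
            report["scanned_bytes"] += member.file_size
    return report


if __name__ == "__main__":
    sample = build_sample_archive()
    for label, limits in (("recommended", RECOMMENDED), ("unlimited", UNLIMITED)):
        r = plan_scan(sample, limits)
        print(f"{label}: scanned={len(r['scanned'])} bytes_loaded={r['scanned_bytes']} "
              f"skipped_count={len(r['skipped_count'])} skipped_size={r['skipped_size']} "
              f"skipped_depth={r['skipped_depth']}")
```

Under the recommended limits the scan touches 24 members and loads about 2 KB; without limits it touches 33 members and loads over 2 MB, almost all of it the single oversized file. The members the limited scan skips are exactly those that real-time monitoring will catch later if a process actually opens them.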
Network Drives

| Setting | Recommended value and rationale |
| --- | --- |
| Scan storage devices on local networks | Disabled: Scanning network drives does provide protection, but it is unnecessary when the network shares are already protected by antivirus solutions. Using Datto AV to scan network drives diverts the host's resources to scanning files that live elsewhere. |
Exclude Folders, Exclude Files, and Excluded Processes

| Setting | Recommended value and rationale |
| --- | --- |
| Exclude Folders, Exclude Files, and Excluded Processes | None: These features are only necessary when a known, safe object continues to trigger alerts. Exclusions must be formatted as full paths and are not case-sensitive. |
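The two formatting rules stated above (full path, case-insensitive) are easy to get wrong when exclusions are maintained in bulk. The following Python helper is an added example, not Datto code: it rejects entries that are not full paths and shows how a case-insensitive match against a file or folder exclusion behaves. It uses ntpath so it runs on any OS, and it assumes (not documented here) that a folder exclusion also covers the folder's subfolders and that a full path means one starting with a drive letter or UNC share.

```python
import ntpath


def normalize(path: str) -> str:
    """Canonical, case-insensitive form of a Windows path: forward slashes and
    trailing separators removed, letters lower-cased."""
    return ntpath.normcase(ntpath.normpath(path))


def validate_exclusions(entries):
    """Split candidate exclusion entries into accepted full paths (normalized)
    and rejected entries. Assumption: a full path starts with a drive letter
    (C:\\...) or a UNC share (\\\\server\\share\\...)."""
    accepted, rejected = [], []
    for entry in entries:
        if ntpath.isabs(entry) and ntpath.splitdrive(entry)[0]:
            accepted.append(normalize(entry))
        else:
            rejected.append(entry)        # relative or drive-relative: not a full path
    return accepted, rejected


def is_excluded(path: str, folder_exclusions, file_exclusions) -> bool:
    """True if the path matches a file exclusion exactly or lies inside an
    excluded folder (assumed to include subfolders). Comparison is
    case-insensitive because the inputs are normalized."""
    target = normalize(path)
    if target in file_exclusions:
        return True
    for folder in folder_exclusions:
        root = folder if folder.endswith("\\") else folder + "\\"
        if target == folder or target.startswith(root):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample exclusion lists; the paths are placeholders.
    folders, bad_folders = validate_exclusions([
        "C:\\Program Files\\LOB App\\data\\",
        "backups\\nightly",                     # relative path: rejected
        "\\\\fileserver\\share\\sync",
    ])
    files, bad_files = validate_exclusions(["C:\\Temp\\Tool.exe"])
    print("rejected:", bad_folders + bad_files)
    for candidate in ("c:\\program files\\lob app\\DATA\\cache.db",
                      "C:/Temp/TOOL.EXE",
                      "C:\\Temp\\other.exe"):
        print(candidate, "->", is_excluded(candidate, folders, files))
```

Because matching is case-insensitive, an exclusion such as `C:\Temp\Tool.exe` also covers `c:\temp\TOOL.EXE`; the validator is the place to catch the relative-path entries that would otherwise silently never match anything.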
Scheduled File Scan Settings

Files

| Setting | Recommended value and rationale |
| --- | --- |
| Scan Recommended File Types Only | Enabled: During a scheduled scan, Datto AV scans only the file types that known malware commonly uses. Scanning all file types adds load on the endpoint for little additional protection. Some situations do benefit from scanning all file types, such as a file host that normally has spare capacity, or a server with no other controls limiting the file types that can be saved to it. |
| Scan Archives | Disabled: Real-time scanning already analyzes archive files when any process accesses them. Scanning archives during scheduled scans applies no limit on the number of files, file size, or nesting depth, which can significantly impact endpoint resources. |
| Exclude Folders | None: This feature is only necessary when a known, safe object continues to trigger alerts. |
Schedule Full Scan & Schedule Quick Scan

| Setting | Recommended value and rationale |
| --- | --- |
| Schedule Full Scan | Disabled: With real-time scanning enabled, full scans are not necessary under normal conditions. A full scan analyzes every object in every directory. Specific situations may benefit from full scans, such as a server that hosts personally identifiable information (PII) or other sensitive data and can sustain high resource utilization without disrupting business. |
| Schedule Quick Scan | Enabled: Schedule quick scans daily at a time of low system usage. Quick scans are a low-resource way to scan the folders that most malware relies on, and they can detect malware that has not yet been opened by a malicious process. |