Best practices for creating Datto AV policies

When creating a new Datto AV policy, your goal should be to achieve maximum protection while minimizing the resource utilization impact on the endpoint.

This article provides optimal settings and use cases for each section of the Datto AV policy configuration page.

NOTE  For a comprehensive overview of the Policies page, refer to our Working with the Policies page.

Antivirus tab - Security Profile

Setting name / Recommended configuration

Alert Only

When first enabling a Datto AV policy, enable Alert Only mode so you can review detections without any file being quarantined. This keeps false positives from being quarantined while you create exclusions to fine-tune the policy. Because nothing is quarantined in this mode, keep the tuning period short and move to Protect & Quarantine as soon as the alerts look clean.

Protect & Quarantine

After fine-tuning the policy in Alert Only mode, enable Protect & Quarantine. This enables Real-time Protection Scans automatically.

Disable

Click to disable real-time protection scans and scheduled scans. Use this option only for diagnosis and testing: no files are detected or quarantined while it is selected.

Real-time Protection Scan

Setting name / Recommended configuration

Enable Real-time Protection Scans

Enabled: Real-time protection provides on-access monitoring of newly created files and processes. It is the core of the policy; the scheduled scans below complement it rather than replace it.

Enable Scan Archives

Disabled: Archives are container files such as ISO images or compressed files. Scanning them in real time can catch malware that uses compression to evade detection, but every archive is inspected each time it is accessed, which adds load on the endpoint. Leave this disabled unless the endpoint routinely handles archives from untrusted sources and can absorb the overhead.

Scan storage devices on local networks

Disabled: Scanning network drives does provide protection, but it is not necessary when the network shares are already protected by an antivirus solution on the file server. Using Datto AV to scan network drives diverts resources from the host to scan the network files.

Enable Behavior Based Malware Detection

Enabled. Considerations:

  • Common applications (e.g., MS Office, Adobe): false positive behavioral detections are highly unlikely.
  • Uncommon applications (e.g., unsigned software): the behavioral engine may act on the file. Use the Datto AV File Submission feature to submit files you don't want flagged by Datto AV.

Exclusions

Setting name / Recommended configuration

Include Universal AV Exclusion

Disabled: This feature is only necessary if you have created a Universal AV Exclusion list.

Add Exclusion

None: Add exclusions only when a known, safe object continues to trigger alerts. Exclusions must be formatted as a full path and are not case-sensitive. Keep each exclusion as narrow as possible (the specific file or application directory rather than a drive root, user profile or temp folder), since everything under an excluded path is invisible to the scanner.
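The Alert Only review and the exclusion tuning described above can be done methodically before switching the policy to Protect & Quarantine. The following is an added example, not Datto AV code and not an official export format: it takes a constructed list of Alert Only detections and a candidate exclusion list, checks each exclusion against the two rules stated on this page (full path, case-insensitive match), flags exclusions that would blind the scanner to a whole drive or a high-risk directory, and reports which alerts each exclusion would suppress, which would still be quarantined, and which behavioral detections are candidates for the File Submission feature. The Detection record layout, the HIGH_RISK_DIRS list and all helper names are assumptions.

```python
"""Triage Datto AV Alert Only detections against a candidate exclusion list.

Added example, not Datto AV code. The Detection record layout, the
HIGH_RISK_DIRS list and the helper names below are assumptions; Datto AV's
own export format is not documented on this page.
"""
import ntpath
from dataclasses import dataclass

# Assumed: user-writable locations that malware commonly drops into.  An
# exclusion covering any of these (or a whole drive) is flagged as over-broad.
HIGH_RISK_DIRS = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp")


@dataclass(frozen=True)
class Detection:
    """One Alert Only detection (constructed layout, not a Datto AV export)."""
    path: str       # full path of the flagged object
    engine: str     # "signature" or "behavior"
    endpoints: int  # how many endpoints reported it


def normalize(path: str) -> str:
    """Canonical, lower-cased form: exclusions are full paths and are not
    case-sensitive, so every comparison is made on this form."""
    return ntpath.normpath(path).lower()


def validate_exclusion(excl: str) -> list:
    """Return the problems with a candidate exclusion; an empty list means it
    satisfies the full-path rule (drive letter or UNC root, then a path)."""
    problems = []
    drive, rest = ntpath.splitdrive(normalize(excl))
    if not drive or not rest.startswith("\\"):
        problems.append("not a full path (needs a drive letter or UNC root)")
    return problems


def is_over_broad(excl: str) -> bool:
    """True if the exclusion covers a whole drive or one of HIGH_RISK_DIRS."""
    e = normalize(excl).rstrip("\\")
    _, rest = ntpath.splitdrive(e)
    if rest == "":  # e.g. C:\ : the entire drive would be invisible to AV
        return True
    return any(normalize(h) == e or normalize(h).startswith(e + "\\")
               for h in HIGH_RISK_DIRS)


def covered_by(detection_path: str, excl: str) -> bool:
    """True if the exclusion (a file or a directory) covers the detected path."""
    d, e = normalize(detection_path), normalize(excl).rstrip("\\")
    return d == e or d.startswith(e + "\\")


def triage(detections, exclusions) -> dict:
    """Report invalid and over-broad exclusions, what each valid exclusion
    would suppress, the detections that would still be quarantined, and the
    behavioral detections among those that are File Submission candidates."""
    report = {"invalid": {}, "over_broad": [], "suppressed": {},
              "remaining": [], "file_submission_candidates": []}
    valid = []
    for ex in exclusions:
        problems = validate_exclusion(ex)
        if problems:
            report["invalid"][ex] = problems
            continue
        valid.append(ex)
        if is_over_broad(ex):
            report["over_broad"].append(ex)
        report["suppressed"][ex] = [d.path for d in detections
                                    if covered_by(d.path, ex)]
    remaining = [d for d in detections
                 if not any(covered_by(d.path, ex) for ex in valid)]
    report["remaining"] = [d.path for d in remaining]
    report["file_submission_candidates"] = [d.path for d in remaining
                                            if d.engine == "behavior"]
    return report


# Constructed sample data for illustration only.
SAMPLE_DETECTIONS = [
    Detection(r"C:\Program Files\LOBApp\lobapp.exe", "behavior", 14),
    Detection(r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "signature", 1),
    Detection(r"C:\ProgramData\Vendor\tool.dll", "behavior", 9),
]
CANDIDATE_EXCLUSIONS = [
    r"c:\program files\lobapp\LOBAPP.EXE",  # case differs; still matches
    r"C:\Users",                            # valid but far too broad
    "tool.dll",                             # bare file name: not a full path
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DETECTIONS, CANDIDATE_EXCLUSIONS).items():
        print(f"{key}: {value}")
```

Run it against the exported alerts from the Alert Only period: entries under "invalid" will be rejected by the full-path rule, entries under "over_broad" should be replaced by the specific file or application directory, and anything left in "remaining" is what the policy will quarantine once Protect & Quarantine is enabled.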

Scheduled File Scan Settings

Files

Setting name / Recommended configuration

Scan Recommended File Types Only

Enabled: During a scheduled scan, Datto AV scans the file types that malware commonly uses and the objects traditionally checked by antivirus. Scanning all file types adds load on the endpoint for limited additional protection. Some situations may benefit from scanning all file types, such as a file host that typically has low resource utilization, or a server that has no other control limiting the file types that can be saved to it.

Scan Archives

Disabled: Real-time scanning analyzes archive files when any process accesses them. Scanning archives in a scheduled scan is not limited by the number of files, file size, or nesting depth, so a large archive store can significantly impact resources on the endpoint.

Schedule Full Scan & Schedule Quick Scan

Setting name / Recommended configuration

Schedule Full Scan

Disabled: Full scans are not necessary under normal conditions when real-time scanning is enabled. A full scan analyzes every object in every directory. Specific situations may benefit from full scans, such as a server that hosts personally identifiable information (PII) or other sensitive data and can sustain high resource utilization without disrupting business.

Schedule Quick Scan

Enabled: Schedule quick scans daily at a time of low system usage. Quick scans provide a low-resource way to check the folders that the majority of malware uses. A quick scan can catch malware that is already on disk but has not yet been opened by a malicious process.

Logging

Setting name / Recommended configuration

Enable Debug Logging

Disabled: Debug logging is useful for troubleshooting, and the Support team may ask you to enable it when investigating AV issues. Turn it off again once troubleshooting is complete.