Best practices for creating Datto AV policies

When creating a new Datto AV policy, your goal should be to achieve maximum protection while minimizing the resource utilization impact on the endpoint.

This article provides optimal settings and use cases for each section of the Datto AV policy configuration page.

NOTE  For a comprehensive overview of the Policies page, refer to our Working with the Policies page.

Real-time Protection Scan

Real-time Protection

Setting name Recommended configuration
Enable Real-time Protection Scans Enabled: Real-time protection provides on-access monitoring of newly created files and processes. It is a critical component and provides protection for every situation.

Archives

Setting name Recommended configuration
Scan Archives Enabled: Archives are files such as ISO or compressed files. Real-time protection of archive files can help protect your endpoints from malware that uses compression to evade detection.
Limit Number Of Nested Zip Folders is 1 One: Real-time protection automatically scans the files and folders of a zipped archive when a process attempts to interact with any object within a zipped folder. Scanning one layer deep in nested folders can protect from traditional malware evasion tactics. It also reduces the resource utilization that can occur when scanning deeper into nested folders.
Limit Number Of Files is 25 25: Limiting the number of files scanned in an archive can save resources during real-time scans. When a process interacts directly with a zipped folder, real-time protection will attempt to quickly scan the files within that folder. In normal situations, there is no need to scan more than 25 files, because with real-time monitoring, any file that is opened by a process will be scanned by the Endpoint Security agent.
Maximum File Size is 1MB 1 MB: Real-time scanning must load files into memory to analyze them. Archives may contain multiple files. Selecting file sizes larger than 1 MB will increase the amount of memory that Datto AV must utilize on the endpoint, decreasing its performance.
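
The sketch below is an added example, not Datto AV code. It applies the three recommended archive limits to an in-memory zip and reports which files fall inside them and which are left to on-access scanning when a process opens them. How the agent counts nesting levels and applies the size limit is not described here, so the semantics in the comments are assumptions, and `plan_scan`, `make_zip` and `build_sample` are hypothetical names.

```python
import io
import zipfile

# Recommended real-time archive limits from this page.
MAX_NESTED = 1            # assumed: nested zip levels below the top-level archive
MAX_FILES = 25            # assumed: files inspected per top-level archive
MAX_SIZE = 1024 * 1024    # 1 MB, assumed to apply to each file's unpacked size

def plan_scan(blob, max_nested=MAX_NESTED, max_files=MAX_FILES, max_size=MAX_SIZE):
    """Return (scanned, skipped): paths inside the limits, and (path, reason) outside."""
    scanned, skipped = [], []
    def walk(data, prefix, depth):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = prefix + info.filename
                if info.file_size > max_size:        # declared size, nothing unpacked yet
                    skipped.append((path, "size"))
                    continue
                if len(scanned) >= max_files:
                    skipped.append((path, "count"))
                    continue
                with zf.open(info) as fh:
                    body = fh.read(max_size)         # bounded read even if the header lies
                if not zipfile.is_zipfile(io.BytesIO(body)):
                    scanned.append(path)
                elif depth >= max_nested:
                    skipped.append((path, "depth"))  # nested deeper than the limit
                else:
                    walk(body, path + "/", depth + 1)

    walk(blob, "", 0)
    return scanned, skipped

def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample():
    """Constructed sample: two small files, one 2 MB file, and zips nested two deep."""
    level2 = make_zip({"deep.txt": b"level two"})
    level1 = make_zip({"inner.txt": b"level one", "level2.zip": level2})
    big = b"\0" * (2 * MAX_SIZE)
    return make_zip({"a.txt": b"a", "b.txt": b"b", "big.bin": big, "level1.zip": level1})
```

Calling `plan_scan(build_sample())` returns the two lists; raising `max_nested` or `max_size` shows how much more work each limit would admit.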

Network Drives

Setting name Recommended configuration
Scan storage devices on local networks Disabled: Scanning these drives does provide protection, but it is not necessary when the network shares are protected by antivirus solutions. Using Datto AV to scan network drives diverts resources from the host to scan the network files.

Exclude Folders, Exclude Files, and Excluded Processes

Setting name Recommended configuration
Exclude Folders, Exclude Files, and Excluded Processes None: These features are only necessary when a known, safe object continues to trigger alerts. Exclusions must be formatted as a full path and are not case-sensitive.

Scheduled File Scan Settings

Files

Setting name Recommended configuration
Scan Recommended File Types Only Enabled: During a scheduled scan, Datto AV will scan file extensions of known malware and traditional objects. Scanning all file types may create additional load on the endpoint while the amount of additional protection will be limited. Some situations may benefit from scanning all file types, such as a file host that typically has limited resource utilization, or a server that does not have other controls to limit the file types that can be saved.
Scan Archives Disabled: Real-time scanning will analyze archive files when accessed by any process. Scanning archives with scheduled scans does not limit the number of files, file size, or nested folders, which can significantly impact resources on the endpoint.
Exclude Folders None: This feature is only necessary when a known, safe object continues to trigger alerts.

Schedule Full Scan & Schedule Quick Scan

Setting name Recommended configuration
Schedule Full Scan Disabled: Full scans are not necessary under normal conditions with real-time scanning. Full scans will analyze all objects in all directories. Specific situations may benefit from full scans, such as a server that hosts personally identifiable information (PII) or other sensitive information and which can support high resource utilization without disrupting business.
Schedule Quick Scan Enabled: Schedule quick scans daily at a time of low system usage. Quick scans provide a low-resource way to scan folders that are frequently leveraged by a majority of malware. Quick scans can detect malware that has yet to be opened by a malicious process.