Datto EDR and Datto AV FAQs

Datto EDR customers have access to live forensics and continuous host monitoring built into a single cloud-based platform. Our ASSESS, MONITOR, and RESPOND methodologies enable quick identification of and response to Advanced Persistent Threats (APTs), ransomware, and other malware (file-based or fileless) in your environment, regardless of the locality (including remote or distributed networks).

We refer to this comprehensive solution as Real-Time Security (RTS).

Enabling Real-Time Security

Datto EDR subscribers can enable Real-Time Security on one or all of their devices. All endpoints that you intend to monitor in this manner must reside in "Monitored" locations in EDR. As a result, you may need to relocate some devices to other locations if they are not all to be monitored with RTS. For more information, refer to Creating and managing organizations, locations, and devices.

Due to the enhanced capabilities of RTS, and more efficient use of the asset's resources, you do not need to schedule regular scans. However, if you wish, you can still do so.

To enable Real-Time Security, perform the following steps:

1. In the top navigation menu of your instance, click Organizations.

2. The All Organizations page will load. Click the name of the client organization you'd like to view.

3. The Organization details page opens.

4. Select a location by clicking its name.

5. The Location details page opens.

6. At the top of the page, click the icon.

7. Select Monitor from the menu that opens.

8. Select any extensions you would like to have running on the monitored endpoints, and note the scheduled time that the daily analysis will take place independent of RTS monitoring.

9. Click Enable Monitoring.

9. The Datto Endpoint Security agent will deploy to all endpoints in the location. The following conditions will apply to monitored devices:

   • Any processes started will be stored and uploaded every 15 minutes, including any embedded shell scripts.

   • A daily differential forensic analysis will upload modules, autostarts, and other artifacts not found within the last 30 days. You can customize the time of the daily analysis at > Admin > Settings > Location Monitoring.

For more information about how RTS interacts with your devices, review our How does RTS impact the overall performance and usage of the agent? and What impact will it have on processor, memory, or network utilization? topics.

We focus heavily on ensuring that the agent does not degrade the functionality of the endpoint on which it is running. To minimize overhead on the host, its process runs at a lower priority. The agent will use slightly more storage space when RTS is enabled; however, the overall impact is minimal.

The resource requirements of RTS are extremely low.

You can place assets in monitored and scheduled locations. Doing so enables you to establish your security stance based on your needs. If assets must be monitored, place them in a monitored group, and if they need to have less focus, place them in a group to be scanned on a schedule.

You are allowed to have an asset in both a monitored and a scheduled location; however, an asset can be in one and only one monitored group.

Monitored hosts have the benefit of being monitored and can have detailed differential scans conducted on a frequent basis. If a host is assigned to a monitored location, there is no need to also scan the host. The forensic scan of the host will take place as part of the location monitoring.

EDR is designed as an early warning system against malware and other types of malicious attacks. It does not block or quarantine detected threats. It aids in preventing the spread of a malicious campaign being executed against your environment by enabling you with a very fast infection-to-detection-to-response and kill cycle.