Datto EDR and Datto AV FAQs
The following topics address questions commonly asked by our customers and answered by our Product Management team.
NOTE: If your question is not answered here, please contact Kaseya Support for further assistance.
Datto EDR
Datto EDR customers have access to live forensics and continuous host monitoring built into a single cloud-based platform. Our ASSESS, MONITOR, and RESPOND methodologies enable quick identification of and response to Advanced Persistent Threats (APTs), ransomware, and other malware (file-based or fileless) in your environment, regardless of the locality (including remote or distributed networks).
We refer to this comprehensive solution as Real-Time Security (RTS).
Enabling Real-Time Security
Datto EDR subscribers can enable Real-Time Security on one or all of their devices. All endpoints that you intend to monitor in this manner must reside in "Monitored" locations in EDR. As a result, you may need to relocate some devices to other locations if they are not all to be monitored with RTS. For more information, refer to Creating and managing organizations, locations, and devices.
Due to the enhanced capabilities of RTS, and more efficient use of the asset's resources, you do not need to schedule regular scans. However, if you wish, you can still do so.
To enable Real-Time Security, perform the following steps:
- In the top navigation menu of your instance, click Organizations.
- The All Organizations page will load. Click the name of the client organization you'd like to view.
- The Organization details page opens.
- Select a location by clicking its name.
- The Location details page opens.
- At the top of the page, click the icon.
- Select Monitor from the menu that opens.
- Select any extensions you would like to have running on the monitored endpoints, and note the scheduled time that the daily analysis will take place independent of RTS monitoring.
- Click Enable Monitoring.
- The Datto Endpoint Security agent will deploy to all endpoints in the location. The following conditions will apply to monitored devices:
  - Any processes started will be stored and uploaded every 15 minutes, including any embedded shell scripts.
  - A daily differential forensic analysis will upload modules, autostarts, and other artifacts not found within the last 30 days. You can customize the time of the daily analysis at > Admin > Settings > Location Monitoring.
For more information about how RTS interacts with your devices, review our How does RTS impact the overall performance and usage of the agent? and What impact will it have on processor, memory, or network utilization? topics.
We focus heavily on ensuring that the agent does not degrade the functionality of the endpoint on which it is running. To minimize overhead on the host, its process runs at a lower priority. The agent will use slightly more storage space when RTS is enabled; however, the overall impact is minimal.
The resource requirements of RTS are extremely low.
| Resource | Usage |
| --- | --- |
| CPU | 3% or below |
| Memory | 10 MB or less |
| Network | 10 - 100 bytes per second |
| Disk I/O | 5 - 25 kilobytes per second |
You can place assets in monitored and scheduled locations. Doing so enables you to establish your security stance based on your needs. If assets must be monitored, place them in a monitored group, and if they need to have less focus, place them in a group to be scanned on a schedule.
You are allowed to have an asset in both a monitored and a scheduled location; however, an asset can be in one and only one monitored group.
Monitored hosts are continuously monitored and can have detailed differential scans conducted on a frequent basis. If a host is assigned to a monitored location, there is no need to also scan the host; the forensic scan of the host takes place as part of the location monitoring.
EDR is designed as an early warning system against malware and other types of malicious attacks. It does not block or quarantine detected threats. It helps prevent the spread of a malicious campaign being executed against your environment by giving you a very fast infection-to-detection-to-response-and-kill cycle.
Datto AV
Datto AV will operate from within the Datto EDR platform, featuring a similar UI, license and management workflows, and centralized configuration options.
It provides automated quarantine protection and heuristic analysis for real-time threat detection. It also includes anti-tamper protection, ensuring that the Datto AV process cannot be maliciously killed.
The Datto AV agent checks for updates every two hours, ensuring it is always up to date with the latest signatures. You can initiate scans directly from the Datto EDR portal and choose between full or quick scans based on applicable policies.
Yes, Datto AV can be sold as a standalone solution, and it does not require packaging with EDR. However, combining it with EDR can provide a more robust security solution and a more compelling end-user security narrative.
Customers access both Datto EDR and Datto AV through the EDR console. Depending on your subscription, you'll have one of the following experiences:
- If you're subscribed to Datto EDR only, all Datto AV features will be available.
- If you're subscribed to Datto AV only, all Datto EDR functions will be inaccessible.
- If you're subscribed to both Datto EDR and Datto AV, the features of both products will be available.
For more information, refer to Datto EDR and Datto AV access control.
No, end users will not see any pop-up notifications from Datto AV. However, RMM solutions will be aware of Datto AV's presence and status on the device.
A new license type called Datto AV will be visible in the Account section of the EDR Admin page. The details appearing here include entries for contract expiration dates and the number of hosts for which licenses are purchased.
Yes, Datto AV can scan the Outlook database for threats, ensuring that the contents of emails and attachments are checked for malware.
"Scan Archives" means that Datto AV can scan compressed and packaged file types commonly used for installers and documents.
Datto AV supports a wide range of archive file types, including, but not limited to, the following:
- ARJ, ZIP, GZIP, TAR, and 7-Zip
- Self-extracting archives
- UUE and XXE
- LZH and LHA
- Various mailbox formats and the Squid cache format
- Image file types such as ISO and WIM
Customize Archive Scanning enables you to specify how many levels deep (archives within archives) the scan should go. You can adjust the setting up to 1,000 levels deep.
You can limit the number of files to scan within an archive and the size of each file. The default file size limit is 1 MB per file, with the maximum allowed being INT_64 bytes, accommodating a vast upper limit.
Datto AV's network drive scanning capability includes all local drives on a PC (such as C:\ or D:\) and any mapped network drives within the local network (such as F:\ to Z:\). As a result, the platform ensures comprehensive scanning coverage beyond the local machine.
Yes, once you restore an item from the console, Datto AV will exclude it from future antivirus scans.
Restoring an item adds it to Datto AV's internal exemption list. The object will not trigger subsequent alerts.
Yes, when adding exclusions for files, folders, or processes, you must enter the full path. Paths are not case-sensitive.
The files that were quarantined by the disabled or deleted AV policy will be removed and cannot be restored, because the database that maps the quarantined files to their original folders was removed as well.