Datto EDR and Datto AV FAQs
The following topics address questions commonly asked by our customers and answered by our Product Management team.
NOTE: If your question is not answered here, please contact Kaseya Support for further assistance.
Datto EDR


Datto EDR customers have access to live forensics and continuous host monitoring built into a single cloud-based platform. Our ASSESS, MONITOR, and RESPOND methodologies enable quick identification of and response to Advanced Persistent Threats (APTs), ransomware, and other malware (file-based or fileless) in your environment, regardless of the locality (including remote or distributed networks).
We refer to this comprehensive solution as Real-Time Security (RTS).

We focus heavily on ensuring that the agent does not degrade the functionality of the endpoint on which it is running. To minimize overhead on the host, its process runs at a lower priority. The agent will use slightly more storage space; however, the overall impact is minimal.

The resource requirements of RTS are extremely low.
Resource | Usage |
CPU | 3% or below |
Memory | 10 MB or less |
Network | 10 - 100 bytes per second |
Disk I/O | 5 - 25 kilobytes per second |


You can place assets in monitored and scheduled locations. Doing so enables you to establish your security stance based on your needs. If assets must be monitored, place them in a monitored group, and if they need to have less focus, place them in a group to be scanned on a schedule.


EDR is designed as an early warning system against malware and other types of malicious attacks. It does not block or quarantine detected threats. It helps prevent the spread of a malicious campaign being executed against your environment by giving you a very fast infection-to-detection-to-response and kill cycle.
Datto AV

Datto AV will operate from within the Datto EDR platform, featuring a similar UI, license and management workflows, and centralized configuration options.

It provides automated quarantine protection and heuristic analysis for real-time threat detection. It also includes anti-tamper protection, ensuring that the Datto AV process cannot be maliciously killed.

The Datto AV agent checks for updates every two hours, ensuring it is always up to date with the latest signatures. You can initiate scans directly from the Datto EDR portal and choose between full or quick scans based on applicable policies.

Yes, Datto AV can be sold as a standalone solution, and it does not require packaging with EDR. However, combining it with EDR can provide a more robust security solution and a more compelling end-user security narrative.

Customers access both Datto EDR and Datto AV through the EDR console. Depending on your subscription, you'll have one of the following experiences:
- If you're subscribed to Datto EDR only, all Datto AV features will be unavailable.
- If you're subscribed to Datto AV only, all Datto EDR functions will be inaccessible.
- If you're subscribed to both Datto EDR and Datto AV, the features of both products will be available.
For more information, refer to Datto EDR and Datto AV access control.

No, end users will not see any pop-up notifications from Datto AV. However, RMM solutions will be aware of Datto AV's presence and status on the device.

A new license type called Datto AV will be visible in the Account section of the EDR Admin page. The details appearing here include entries for contract expiration dates and the number of hosts for which licenses are purchased.

No. Having both the Datto AV and Windows Defender antivirus products installed on the same endpoint can cause performance issues. When installing Datto AV on a workstation, Windows Defender is disabled automatically. When installing Datto AV on Windows Server, Windows Defender should be uninstalled automatically. If the Datto AV agent is not able to uninstall Windows Defender, see the article Removing Windows Defender when installing Datto AV.

Yes, Datto AV can scan the Outlook database for threats, ensuring that the contents of emails and attachments are checked for malware.

"Scan Archives" means that Datto AV can scan compressed and packaged file types commonly used for installers and documents.

Datto AV supports a wide range of archive file types, including, but not limited to, the following:
- ARJ, ZIP, GZIP, TAR, and 7-Zip
- Self-extracting archives
- UUE and XXE
- LZH and LHA
- Various mailbox formats and the Squid cache format
- Image file types such as ISO and WIM

Customize Archive Scanning enables you to specify how many levels deep (archives within archives) the scan should go. You can adjust the setting up to 1,000 levels deep.

You can limit the number of files to scan within an archive and the size of each file. The default file size limit is 1 MB per file, with the maximum allowed being INT_64 bytes, accommodating a vast upper limit.

Datto AV's network drive scanning capability includes all local drives on a PC (such as C:\ or D:\) and any mapped network drives within the local network (such as F:\ to Z:\). As a result, the platform ensures comprehensive scanning coverage beyond the local machine.

Yes, once you restore an item from the console, Datto AV will exclude it from future antivirus scans.

Restoring an item adds it to Datto AV's internal exemption list. The object will not trigger subsequent alerts.

Yes, when adding exclusions for files, folders, or processes, you must enter the full path. Paths are not case-sensitive.

The files that were quarantined by the disabled or deleted AV policy will be removed and cannot be restored, because the database that maps the quarantined files to their original folders was removed as well.