Protecting endpoints with Datto Antivirus (AV)
NAVIGATION Policies
SECURITY Datto AV subscription with administrator or analyst-level platform access or Datto AV subscription with administrator or analyst-level platform access
Datto AV is an antivirus solution introduced by Kaseya. By leveraging our vast threat intelligence resources aggregated from tens of millions of endpoints over the last 20 years, it delivers compact, robust, and reliable malware protection to your endpoints.
This article provides an overview of our Datto AV solution. It describes key features and benefits, provides compatibility information, and answers questions frequently asked by our customers.
NOTE To understand the differences between EDR and antivirus solutions, refer to What is Endpoint Detection and Response (EDR)? and Achieving complete endpoint security with antivirus and Datto EDR.
Overview
Datto AV is a top-tier antivirus solution with round-the-clock access to threat intelligence from tens of millions of endpoint deployments, ensuring advanced threat detection and swift response capabilities through seamless integration with Datto EDR, Datto RMM, and RocketCyber.
Key features and benefits
Datto AV delivers high-performance antivirus for endpoints and reliability from vast endpoint experience, backed by trusted brands with world-class cybersecurity recognition. It delivers the following key features and benefits:
Simple management and peace of mind
-
Rapid adoption: To reduce adoption time and deliver rapid response capabilities, Datto AV uses Datto EDR's streamlined and intuitive UI workflows. Datto AV's reporting, response, and management features appear alongside the components that existing EDR subscribers know and trust.
-
Highly customizable: With Datto AV, you gain access to extensive personalization options that enable you to define exactly where, when, and how it seeks out and responds to threats.
-
No bloat: Datto AV is a component of the lightweight Datto Endpoint Security agent. If you're a Datto EDR customer, there's no additional software to install on your managed endpoints.
-
Extensive reach: Your customers will feel secure in the knowledge that their critical business infrastructure is being protected by an antivirus solution that safeguards hundreds of millions of global users.
Advanced detection and protection
-
Real-time protection: Datto AV is always scanning, 24 hours a day, seven days a week, 365 days a year. If a threat enters your environment, there's no wait for the next scan to pick it up. In addition, when paired with Datto EDR, you can respond to emergent threats even before they become known in any malware database.
-
Automatic quarantine & remediation: Effectively identify and remove malware, restoring systems to a secure state with minimal user intervention.
-
AMSI integration: Amplify malware detection across applications, scripts, and processes, turning Datto EDR + Datto AV into a comprehensive anti-malware solution.
-
AI-powered efficiency: A lightweight AI machine learning engine ensures powerful protection without compromising system performance.
-
Advanced unpacking capabilities: Datto AV is compatible with hundreds of runtime packers and obfuscators, plus a wide range of archive formats for thorough malware detection.
Robust anti-tamper protection
-
Strong self-defense: Datto AV employs Anti-Tamper technology to safeguard against unauthorized modifications to its processes, registry keys, and files.
-
Enhanced by Windows: Operating as a Microsoft AM-PPL (AntiMalware-ProtectedProcessLight), Datto AV is protected against malicious actions, such as terminating the process.
-
Additional security layer: Specialized protection drivers reinforce Datto AV's defense, permitting access to its components only for verified, trusted applications.
Up-to-date and secure
-
Consistent updates: Datto AV automatically updates its security signatures every two hours, ensuring continuous protection.
-
Non-disruptive: Updates occur seamlessly, maintaining active protection without any service interruptions.
-
Direct and secure downloads: Updates are directly downloaded from Avira's secure servers, requiring no extra infrastructure on your end.
Requirements
- You must have an active Datto AV subscription.
- The Datto Endpoint Security agent must be installed on all endpoints you wish to monitor, and those devices must be able to communicate with your EDR instance.
IMPORTANT Verify that your endpoints meet the minimum hardware and operating system requirements. Refer to the article Hardware and operating system requirements
| Operating system | |
| CPU | |
| Memory (RAM) | |
| Disk space | 2 GB (minimum); 4 GB (recommended) |
How it works
Datto AV delivers its monitoring and protection services via the lightweight Endpoint Security agent. Once you've deployed the agent to your managed systems, you'll create customized policies that define how Datto AV should analyze and respond to threats at the organization, location, and device level. You can enable or disable unique protection, scanning, and exclusion settings. When integrated with Datto EDR, Datto AV provides robust detection of and protection against known and emerging threats.
For more information about how to configure policies, refer to Working with the Policies page.
Datto Antivirus (AV) configuration options
You'll find your Datto AV settings on the Policies page. Clicking the name of a Datto AV policy opens its Edit Policy page. From this location, the following configuration options are available.
NOTE This policy is only available to users with an active Datto AV subscription.
| Details | |
|---|---|
| Field name | Definition |
|
The type of policy |
|
|
Name |
The name of the policy |
| Description |
The extended description of the policy's purpose, functions, and any other pertinent information |
| Real-time Protection Scan | ||
|---|---|---|
| Feature name | Definition | |
| Enable Real-time Protection Scans |
Click to enable or disable continuous threat scans on protected endpoints |
|
| Scan Archives |
Includes or excludes archive files from analysis during scans; when included, archive types such as ARJ, ZIP, GZIP, TAR, RAR, self-extracting ZIP, self-extracting ARJ, UUE and XXE compressed files, 7-Zip, LZH/LHA, packaged image files that come with installers, PDFs, and more will be analyzed |
|
| Customize Archive Scanning |
Limit Number Of Nested Zip Folders To |
Restricts scans of archives within archives to the given value |
|
Limit Number Of Files To |
Do not analyze more than this number of files within the archive |
|
|
Limit File Size To (In MB) |
Exclude analysis of archived files greater than the designated limit |
|
| Network Drives | |
|---|---|
| Feature name | Definition |
|
Scan storage devices on local networks |
Enable to scan any mapped network drives within the local network (such as F:\ to Z:\) |
| Behavioral Detection | |
|---|---|
| Feature name | Definition |
|
Enable behavior based malware detection |
When active, leverages Datto EDR's advanced behavioral analysis and heuristics to identify malicious activity through detection of suspicious file and process activity on the protected host |
| Scanning exclusions | |
|---|---|
| Feature name | Definition |
| Exclude Folders |
Excludes specific folders, files, and processes from scanning |
| Exclude Files | |
| Excluded Processes | |
| Scheduled File Scan Settings | |
|---|---|
| Feature name | Definition |
| Scan All File Types |
Scans all files on the host |
| Scan Recommended File Types Only |
Scans the following file types: 386, ?HT*, ACAD, ACM, ADE, ADP, ANI, APK, APP, ASD, ASF, ASP, ASX, AU3, AWX, AX, BAS, BAT, BIN, BOO, CDF, CHM, CLASS, CMD, CNV, COM, CPL, CPX, CRT, CSH, CSS, CSV, DEX, DLL, DLO, DO*, DRV, DWG, EMF, EML, EXD, EXE*, FAS, FLT, FOT, HLP, HT*, INF, INI, INS, ISP, J2K, JAR, JFF, JFI, JFIF, JIF, JMH, JNG, JOB, JP2, JPE, JPEG, JPG, JS*, LNK, LSP, MD?, MOD, MPP, MPT, MS?, NWS, OBJ, OCX, OLB, ONE, OSD, OV?, PCD, PDF, PDR, PGM, PHP, PIF, PKG, PL*, PNG, POT*, PPAM, PPS*, PPT*, PRC, PRG, PROJ, PS1, PSH, PWZ, PY, PYC, PYD, R0?, R1?, R2?, RAR, REG, RPL, RTF, SBF, SCF, SCR, SCRIPT, SCT, SH, SHA, SHB, SHS, SIS, SLD?, SPL, SWF, SYS, TLB, TSP, TTF, URL, VB?, VCS, VLM, VXD, VXO, WIZ, WLL, WMA, WMD, WMF, WMS, WMV, WMZ, WPC, WSC, WSF, WSH, WWK, XAR, XL*, XML, XXX, ZIP, and files with no extensions |
| Scan Archives |
Includes or excludes archive files from analysis during scans; when included, archive types such as ARJ, ZIP, GZIP, TAR, RAR, self-extracting ZIP, self-extracting ARJ, UUE and XXE compressed files, 7-Zip, LZH/LHA, packaged image files that come with installers, PDFs, and more will be analyzed |
| Mailbox Formats | When selected, includes analysis of BSD, MBOX, MBX, PMM, PMI, CNM, PST, OST, and Squid cache files in the scheduled scan |
| Disk Image Formats | When selected, includes analysis of ISO 9660 and WIM files in the scheduled scan |
| Limit Number Of Nested Zip Folders To | Restricts scans of archives within archives to the given value |
| Exclude Folders | Excludes the designated files and folders from analysis during scans |
| Exclude Files | |
| Schedule Full Scan | |
|---|---|
| Definition | |
|
Schedules a thorough check of the entire system and sequentially scans all files on all hard drives, removable storage media and, if selected, network drives. IMPORTANT Full scans are lengthy processes that require considerable OS resources. They can impact performance on servers and other high utilization systems. We recommend performing a full scan no more than once a week for most systems. |
| Schedule Quick Scan | |
|---|---|
| Definition | |
|
Schedules a scan that examines running processes and the locations most likely to contain malware, such as registry keys, system drivers, and known Windows startup folders. Together with real-time protection, a quick scan helps provide strong protection against malware. In most cases, a quick scan is sufficient and is the option we recommend for scheduled scans. |
To learn how to create and manage policies, refer to Adding or editing rules and Named policies.
FAQs
The following topics address questions commonly asked by our customers and answered by our Product Management team.
How does Datto AV integrate with EDR (Endpoint Detection and Response)?
Datto AV will operate from within the Datto EDR platform, featuring a similar UI, license and management workflows, and centralized configuration options.
What kind of protection does Datto AV offer?
It provides automated quarantine protection and heuristic analysis for real-time threat detection. It also includes anti-tamper protection, ensuring that the Datto AV process cannot be maliciously killed.
How does Datto AV handle updates and scanning?
The Datto AV agent checks for updates every two hours, ensuring it is always up to date with the latest signatures. You can initiate scans directly from the Datto EDR portal and choose between full or quick scans based on applicable policies.
Can Datto AV be purchased separately from EDR?
Yes, Datto AV can be sold as a standalone solution, and it does not require packaging with EDR. However, combining it with EDR can provide a more robust security solution and a more compelling end-user security narrative.
How does access and licensing work for Datto AV?
Customers access both Datto EDR and Datto AV through the EDR console. Depending on your subscription, you'll have one of the following experiences:
-
If you're subscribed to Datto EDR only, all Datto AV features will be available.
-
If you're subscribed to Datto AV only, all Datto EDR functions will be inaccessible.
-
If you're subscribed to both Datto EDR and Datto AV, the features of both products will be available.
For more information, refer to Datto EDR and Datto AV access control.
Will end users see notifications from Datto AV on their devices?
No, end users will not see any pop-up notifications from Datto AV. However, RMM solutions will be aware of Datto AV's presence and status on the device.
How will customers know they have Datto AV when they log in to the EDR console?
A new license type called Datto AV will be visible in the Account section of the EDR Admin page. The details appearing here include entries for contract expiration dates and the number of hosts for which licenses are purchased.
Does Datto AV scan Outlook or other email clients?
Yes, Datto AV can scan the Outlook database for threats, ensuring that the contents of emails and attachments are checked for malware.
What does "Scan Archives" refer to in Datto AV?
"Scan Archives" means that Datto AV can scan compressed and packaged file types commonly used for installers and documents.
Which kinds of archive types are supported by Datto AV for scanning?
Datto AV supports a wide range of archive file types, including, but not limited to, the following:
-
ARJ, ZIP, GZIP, TAR, and 7-Zip
-
Self-extracting archives
-
UUE and XXE
-
LZH and LHA
-
Various mailbox formats and the Squid cache format
- Image file types such as ISO and WIM
What is meant by Customize Archive Scanning in Datto AV?
Customize Archive Scanning enables you to specify how many levels deep (archives within archives) the scan should go. You can adjust the setting up to 1,000 levels deep.
How does Datto AV manage the scanning of large archives?
You can limit the number of files to scan within an archive and the size of each file. The default file size limit is 1 MB per file, with the maximum allowed being INT_64 bytes, accommodating a vast upper limit.
When Datto AV mentions scanning network drives, what is included?
Datto AV's network drive scanning capability includes all local drives on a PC (such as C:\ or D:\) and any mapped network drives within the local network (such as F:\ to Z:\). As a result, the platform ensures comprehensive scanning coverage beyond the local machine.
If an item is detected by the antivirus but I restore it from the console, will it be excluded from future antivirus scans?
Yes, once you restore an item from the console, Datto AV will exclude it from future antivirus scans.
After restoring an item from the console, will it trigger alerts in the next antivirus scan?
Restoring an item adds it to Datto AV's internal exemption list. The object will not trigger subsequent alerts.
Do I need to enter the full path for file exclusions?
Yes, when adding exclusions for files, folders, or processes, you must enter the full path. Paths are not case-sensitive.
Next steps
Ready to start your Datto AV deployment? Refer to our Getting Started with Datto Antivirus (AV) and Deploying the Datto Endpoint Security agent articles.
