Protecting endpoints with Datto Antivirus (AV)
NAVIGATION Policies
SECURITY Datto AV subscription with administrator or analyst-level platform access
Datto AV is an antivirus solution introduced by Kaseya. By leveraging our vast threat intelligence resources aggregated from tens of millions of endpoints over the last 20 years, it delivers compact, robust, and reliable malware protection to your endpoints.
This article provides an overview of our Datto AV solution. It describes key features and benefits, provides compatibility information, and answers questions frequently asked by our customers.
NOTE To understand the differences between EDR and antivirus solutions, refer to What is Endpoint Detection and Response (EDR)? and Achieving complete endpoint security with antivirus and Datto EDR.
Overview
Datto AV is a top-tier antivirus solution with round-the-clock access to threat intelligence from tens of millions of endpoint deployments, ensuring advanced threat detection and swift response capabilities through seamless integration with Datto EDR, Datto RMM, and RocketCyber.
Key features and benefits
Datto AV delivers high-performance antivirus for endpoints and reliability from vast endpoint experience, backed by trusted brands with world-class cybersecurity recognition. It delivers the following key features and benefits:
- Rapid adoption: To reduce adoption time and deliver rapid response capabilities, Datto AV uses Datto EDR's streamlined and intuitive UI workflows. Datto AV's reporting, response, and management features appear alongside the components that existing EDR subscribers know and trust.
- Highly customizable: With Datto AV, you gain access to extensive personalization options that enable you to define exactly where, when, and how it seeks out and responds to threats.
- No bloat: Datto AV is a component of the lightweight Datto Endpoint Security agent. If you're a Datto EDR customer, there's no additional software to install on your managed endpoints.
- Extensive reach: Your customers will feel secure in the knowledge that their critical business infrastructure is being protected by an antivirus solution that safeguards hundreds of millions of global users.
- Real-time protection: Datto AV is always scanning, 24 hours a day, seven days a week, 365 days a year. If a threat enters your environment, there's no wait for the next scan to pick it up. In addition, when paired with Datto EDR, you can respond to emergent threats even before they become known in any malware database.
- Automatic quarantine & remediation: Effectively identify and remove malware, restoring systems to a secure state with minimal user intervention.
- AMSI integration: Amplify malware detection across applications, scripts, and processes, turning Datto EDR + Datto AV into a comprehensive anti-malware solution.
- AI-powered efficiency: A lightweight AI machine learning engine ensures powerful protection without compromising system performance.
- Advanced unpacking capabilities: Datto AV is compatible with hundreds of runtime packers and obfuscators, plus a wide range of archive formats for thorough malware detection.
- Strong self-defense: Datto AV employs Anti-Tamper technology to safeguard against unauthorized modifications to its processes, registry keys, and files.
- Enhanced by Windows: Operating as a Microsoft AM-PPL (AntiMalware-ProtectedProcessLight), Datto AV is protected against malicious actions, such as terminating the process.
- Additional security layer: Specialized protection drivers reinforce Datto AV's defense, permitting access to its components only for verified, trusted applications.
- Consistent updates: Datto AV automatically updates its security signatures every two hours, ensuring continuous protection.
- Non-disruptive: Updates occur seamlessly, maintaining active protection without any service interruptions.
- Direct and secure downloads: Updates are directly downloaded from Avira's secure servers, requiring no extra infrastructure on your end.
Requirements
- You must have an active Datto AV subscription.
- The Datto Endpoint Security agent must be installed on all endpoints you wish to monitor, and those devices must be able to communicate with your EDR instance.
IMPORTANT Verify that your endpoints meet the minimum hardware and operating system requirements. Refer to the article Hardware and operating system requirements.
How it works
Datto AV delivers its monitoring and protection services via the lightweight Endpoint Security agent. Once you've deployed the agent to your managed systems, you'll create customized policies that define how Datto AV should analyze and respond to threats at the organization, location, and device level. You can enable or disable unique protection, scanning, and exclusion settings. When integrated with Datto EDR, Datto AV provides robust detection of and protection against known and emerging threats.
For more information about how to configure policies, refer to Working with the Policies page.
You'll find your Datto AV settings on the Policies page. Clicking the name of a Datto AV policy opens its Edit Policy page. From this location, the following configuration options are available.
NOTE This policy is only available to users with an active Datto AV subscription.
Details

| Field name | Definition |
|---|---|
|  | The type of policy |
| Name | The name of the policy |
| Description | The extended description of the policy's purpose, functions, and any other pertinent information |
Real-time Protection Scan

| Feature name | Definition |
|---|---|
| Enable Real-time Protection Scans | Click to enable or disable continuous threat scans on protected endpoints |
| Scan Archives | Includes or excludes archive files from analysis during scans; when included, archive types such as ARJ, ZIP, GZIP, TAR, RAR, self-extracting ZIP, self-extracting ARJ, UUE and XXE compressed files, 7-Zip, LZH/LHA, packaged image files that come with installers, PDFs, and more will be analyzed |
| Archive Scanning Criteria Maximums: Limit number of nested zip folders is 1 | Restricts scans of archives within archives to the given value |
| Archive Scanning Criteria Maximums: Limit number of files is 25 | Do not analyze more than this number of files within the archive |
| Archive Scanning Criteria Maximums: Maximum file size is 1MB | Exclude analysis of archived files greater than the designated limit |
NOTE With Archive Scanning enabled, Datto AV may scan any archived file/folder that is equal to or less than the scanning criteria maximums.
Network Drives

| Feature name | Definition |
|---|---|
| Scan storage devices on local networks | Enable to scan any mapped network drives within the local network (such as F:\ to Z:\) |
Behavioral Detection

| Feature name | Definition |
|---|---|
| Enable behavior based malware detection | When active, leverages Datto EDR's advanced behavioral analysis and heuristics to identify malicious activity through detection of suspicious file and process activity on the protected host |
Scanning exclusions

| Feature name | Definition |
|---|---|
| Exclude Folders | Excludes specific folders from scanning |
| Exclude Files | Excludes specific files from scanning |
| Excluded Processes | Excludes specific processes from scanning |
Scheduled File Scan Settings

| Feature name | Definition |
|---|---|
| Scan All File Types | Scans all files on the host |
| Scan Recommended File Types Only | Scans the following file types: 386, ?HT*, ACAD, ACM, ADE, ADP, ANI, APK, APP, ASD, ASF, ASP, ASX, AU3, AWX, AX, BAS, BAT, BIN, BOO, CDF, CHM, CLASS, CMD, CNV, COM, CPL, CPX, CRT, CSH, CSS, CSV, DEX, DLL, DLO, DO*, DRV, DWG, EMF, EML, EXD, EXE*, FAS, FLT, FOT, HLP, HT*, INF, INI, INS, ISP, J2K, JAR, JFF, JFI, JFIF, JIF, JMH, JNG, JOB, JP2, JPE, JPEG, JPG, JS*, LNK, LSP, MD?, MOD, MPP, MPT, MS?, NWS, OBJ, OCX, OLB, ONE, OSD, OV?, PCD, PDF, PDR, PGM, PHP, PIF, PKG, PL*, PNG, POT*, PPAM, PPS*, PPT*, PRC, PRG, PROJ, PS1, PSH, PWZ, PY, PYC, PYD, R0?, R1?, R2?, RAR, REG, RPL, RTF, SBF, SCF, SCR, SCRIPT, SCT, SH, SHA, SHB, SHS, SIS, SLD?, SPL, SWF, SYS, TLB, TSP, TTF, URL, VB?, VCS, VLM, VXD, VXO, WIZ, WLL, WMA, WMD, WMF, WMS, WMV, WMZ, WPC, WSC, WSF, WSH, WWK, XAR, XL*, XML, XXX, ZIP, and files with no extensions |
| Scan Archives | Includes or excludes archive files from analysis during scans; when included, archive types such as ARJ, ZIP, GZIP, TAR, RAR, self-extracting ZIP, self-extracting ARJ, UUE and XXE compressed files, 7-Zip, LZH/LHA, packaged image files that come with installers, PDFs, and more will be analyzed |
| Mailbox Formats | When selected, includes analysis of BSD, MBOX, MBX, PMM, PMI, CNM, PST, OST, and Squid cache files in the scheduled scan |
| Disk Image Formats | When selected, includes analysis of ISO 9660 and WIM files in the scheduled scan |
| Limit Number Of Nested Zip Folders is 1 | Restricts scans of archives within archives to the given value |
| Exclude Folders, Exclude Files | Excludes the designated files and folders from analysis during scans |
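The "recommended file types" list above is a set of extension patterns, not plain extensions: `?` stands for exactly one character and `*` for any run of characters, so `EXE*` covers EXE as well as longer variants, `DO*` covers DOC, DOCX and DOT, and `MD?` covers MDB but not MD. The following is an added example (not Datto's code) of how such a list is applied to file paths; it embeds a representative subset of the page's patterns and a constructed set of sample paths, and treats files with no extension as in scope, as the list states.

```python
"""Added example, not Datto AV code: applying an extension-pattern list such as
the "Scan Recommended File Types Only" list to file paths. Only a subset of the
page's patterns is embedded; the rest are added the same way."""
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import Optional

# Representative subset of the page's list. '?' = exactly one character,
# '*' = any run of characters. Matching is done case-insensitively by
# upper-casing the extension first.
RECOMMENDED_PATTERNS = (
    "386", "?HT*", "APK", "BAT", "CHM", "CMD", "COM", "CPL", "DLL", "DO*",
    "EXE*", "HT*", "JAR", "JPEG", "JPG", "JS*", "LNK", "MD?", "MS?", "PDF",
    "PHP", "PIF", "PL*", "PNG", "PPT*", "PS1", "PY", "PYC", "RAR", "REG",
    "SCR", "SH", "SYS", "URL", "VB?", "WSF", "WSH", "XL*", "XML", "ZIP",
)


def extension_of(path: str) -> Optional[str]:
    """Upper-cased extension without the dot, or None when there is none.
    PureWindowsPath accepts both '\\' and '/' separators, so one parser
    handles Windows and POSIX-style paths."""
    suffix = PureWindowsPath(path).suffix
    return suffix[1:].upper() if suffix else None


def matching_pattern(path: str, patterns=RECOMMENDED_PATTERNS) -> Optional[str]:
    """Return the first pattern that matches the file's extension, the marker
    '<no extension>' for extension-less files (always in scope), or None."""
    ext = extension_of(path)
    if ext is None:
        return "<no extension>"
    for pattern in patterns:
        if fnmatchcase(ext, pattern):   # case-sensitive glob on upper-cased input
            return pattern
    return None


def is_recommended(path: str, patterns=RECOMMENDED_PATTERNS) -> bool:
    """True if a scheduled scan in 'recommended file types only' mode would
    examine this file."""
    return matching_pattern(path, patterns) is not None


# Constructed sample paths (not taken from the page).
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\alice\Documents\report.docx",
    "/srv/www/index.phtml",
    "/srv/www/page.html",
    "/home/bob/notes.txt",
    "/home/bob/db.mdb",
    "/home/bob/readme.md",
    "/home/bob/README",
]


def classify(paths=SAMPLE_PATHS) -> dict:
    """Map each sample path to the pattern that selects it (or None)."""
    return {p: matching_pattern(p) for p in paths}


if __name__ == "__main__":
    for path, pattern in classify().items():
        print(f"{path!s:45} -> {pattern}")
```

Note that `readme.md` is not selected because `MD?` requires a third character, while `db.mdb` is; `index.phtml` is picked up by `?HT*` and `page.html` by `HT*`. When a file you expect to be covered is not, checking the extension against the pattern semantics this way is quicker than re-reading the list.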
Schedule Full Scan

Schedules a thorough check of the entire system and sequentially scans all files on all hard drives, removable storage media and, if selected, network drives.

IMPORTANT Full scans are lengthy processes that require considerable OS resources. They can impact performance on servers and other high utilization systems. We recommend performing a full scan no more than once a week for most systems.
Schedule Quick Scan

Schedules a scan that examines running processes and the locations most likely to contain malware, such as registry keys, system drivers, and known Windows startup folders. Together with real-time protection, a quick scan helps provide strong protection against malware. In most cases, a quick scan is sufficient and is the option we recommend for scheduled scans.
To learn how to create and manage policies, refer to Adding or editing rules and Named policies.
FAQs
The following topics address questions commonly asked by our customers and answered by our Product Management team.
Datto AV will operate from within the Datto EDR platform, featuring a similar UI, license and management workflows, and centralized configuration options.
It provides automated quarantine protection and heuristic analysis for real-time threat detection. It also includes anti-tamper protection, ensuring that the Datto AV process cannot be maliciously killed.
The Datto AV agent checks for updates every two hours, ensuring it is always up to date with the latest signatures. You can initiate scans directly from the Datto EDR portal and choose between full or quick scans based on applicable policies.
Yes, Datto AV can be sold as a standalone solution, and it does not require packaging with EDR. However, combining it with EDR can provide a more robust security solution and a more compelling end-user security narrative.
Customers access both Datto EDR and Datto AV through the EDR console. Depending on your subscription, you'll have one of the following experiences:
- If you're subscribed to Datto EDR only, all Datto AV features will be available.
- If you're subscribed to Datto AV only, all Datto EDR functions will be inaccessible.
- If you're subscribed to both Datto EDR and Datto AV, the features of both products will be available.
For more information, refer to Datto EDR and Datto AV access control.
No, end users will not see any pop-up notifications from Datto AV. However, RMM solutions will be aware of Datto AV's presence and status on the device.
A new license type called Datto AV will be visible in the Account section of the EDR Admin page. The details appearing here include entries for contract expiration dates and the number of hosts for which licenses are purchased.
Yes, Datto AV can scan the Outlook database for threats, ensuring that the contents of emails and attachments are checked for malware.
"Scan Archives" means that Datto AV can scan compressed and packaged file types commonly used for installers and documents.
Datto AV supports a wide range of archive file types, including, but not limited to, the following:
- ARJ, ZIP, GZIP, TAR, and 7-Zip
- Self-extracting archives
- UUE and XXE
- LZH and LHA
- Various mailbox formats and the Squid cache format
- Image file types such as ISO and WIM
Customize Archive Scanning enables you to specify how many levels deep (archives within archives) the scan should go. You can adjust the setting up to 1,000 levels deep.
You can limit the number of files to scan within an archive and the size of each file. The default file size limit is 1 MB per file; the maximum allowed value is INT_64 bytes, which places no practical upper limit on file size.
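The three archive limits described in the Real-time Protection Scan table and in the two paragraphs above (nesting depth, files per archive, maximum file size) are what keep a scan of nested or padded archives bounded. The following is an added example (not Datto's code) of a ZIP walker that enforces exactly those three limits, using the page's values as defaults (depth 1, 25 files, 1 MB), and records what it skipped and why, so a reviewer can see what the scanner did not examine. The nested sample archive is constructed inline; the `scan_member` hook stands in for whatever content inspection a real scanner performs.

```python
"""Added example, not Datto AV code: walking a ZIP while enforcing the nesting,
file-count and file-size limits described on the page. Defaults mirror the
page's values; the sample archive is constructed, not real data."""
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ScanLimits:
    max_nesting: int = 1            # archives within archives (page default: 1)
    max_files: int = 25             # members examined per archive (page default: 25)
    max_file_size: int = 1_000_000  # uncompressed bytes per member (page default: 1 MB)


@dataclass
class ScanReport:
    scanned: List[str] = field(default_factory=list)               # members examined
    skipped: List[Tuple[str, str]] = field(default_factory=list)   # (member, reason)


def scan_member(path: str, payload: bytes, report: ScanReport) -> None:
    """Placeholder for content inspection (hypothetical hook, not a real API)."""
    report.scanned.append(path)


def walk_archive(data: bytes, limits: ScanLimits, report: ScanReport,
                 prefix: str = "", depth: int = 0) -> ScanReport:
    """Examine one ZIP. depth 0 is the outer archive; each nested archive adds 1.
    Size is decided from the central-directory header before anything is
    inflated, so an oversized member is never decompressed."""
    examined = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if examined >= limits.max_files:
                report.skipped.append((path, "file-count limit"))
                continue
            examined += 1
            if info.file_size > limits.max_file_size:
                report.skipped.append((path, "size limit"))
                continue
            payload = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                if depth + 1 > limits.max_nesting:
                    report.skipped.append((path, "nesting limit"))
                    continue
                walk_archive(payload, limits, report, path + "/", depth + 1)
            else:
                scan_member(path, payload, report)
    return report


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (helper for constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed input: outer zip with a small file, an oversized member,
    and a nested zip that itself contains a second-level zip."""
    inner2 = make_zip({"deep.txt": b"depth 2"})
    inner1 = make_zip({"mid.txt": b"depth 1", "inner2.zip": inner2})
    return make_zip({
        "readme.txt": b"hello",
        "big.bin": b"\0" * 2_000_000,   # 2 MB uncompressed, over the 1 MB limit
        "inner1.zip": inner1,
    })


def demo(limits: ScanLimits = ScanLimits()):
    """Run the walker over the constructed sample and return sorted results."""
    report = walk_archive(build_sample(), limits, ScanReport())
    return sorted(report.scanned), sorted(report.skipped)


if __name__ == "__main__":
    scanned, skipped = demo()
    print("scanned:", scanned)
    print("skipped:", skipped)
```

With the defaults, `readme.txt` and `inner1.zip/mid.txt` are examined, `big.bin` is skipped on size without being inflated, and `inner1.zip/inner2.zip` is skipped because it sits at depth 2. Raising `max_nesting` to 2 brings `deep.txt` into scope; the skipped list is the part worth surfacing in any report, since those are the objects the limits kept out of the scan.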
Datto AV's network drive scanning capability includes all local drives on a PC (such as C:\ or D:\) and any mapped network drives within the local network (such as F:\ to Z:\). As a result, the platform ensures comprehensive scanning coverage beyond the local machine.
Yes, once you restore an item from the console, Datto AV will exclude it from future antivirus scans.
Restoring an item adds it to Datto AV's internal exemption list. The object will not trigger subsequent alerts.
Yes, when adding exclusions for files, folders, or processes, you must enter the full path. Paths are not case-sensitive.
The files that were quarantined by the disabled or deleted AV policy will be removed and cannot be restored, because the database that maps the quarantined files to their original folders was removed as well.
Next steps
Ready to start your Datto AV deployment? Refer to our Getting Started with Datto Antivirus (AV) and Deploying the Datto Endpoint Security agent articles.