Protecting endpoints with Datto Antivirus (AV)

NAVIGATION  Policies

SECURITY   Datto AV subscription with administrator or analyst-level platform access or Datto AV subscription with administrator or analyst-level platform access

Datto AV is an antivirus solution introduced by Kaseya. By leveraging our vast threat intelligence resources aggregated from tens of millions of endpoints over the last 20 years, it delivers compact, robust, and reliable malware protection to your endpoints.

This article provides an overview of our Datto AV solution. It describes key features and benefits, provides compatibility information, and answers questions frequently asked by our customers.

NOTE  To understand the differences between EDR and antivirus solutions, refer to What is Endpoint Detection and Response (EDR)? and Achieving complete endpoint security with antivirus and Datto EDR.

Overview

Datto AV is a top-tier antivirus solution with round-the-clock access to threat intelligence from tens of millions of endpoint deployments, ensuring advanced threat detection and swift response capabilities through seamless integration with Datto EDR, Datto RMM, and RocketCyber.

Key features and benefits

Datto AV delivers high-performance antivirus for endpoints and reliability from vast endpoint experience, backed by trusted brands with world-class cybersecurity recognition. It delivers the following key features and benefits:

  • Rapid adoption: To reduce adoption time and deliver rapid response capabilities, Datto AV uses Datto EDR's streamlined and intuitive UI workflows. Datto AV's reporting, response, and management features appear alongside the components that existing EDR subscribers know and trust.

  • Highly customizable: With Datto AV, you gain access to extensive personalization options that enable you to define exactly where, when, and how it seeks out and responds to threats.

  • No bloat: Datto AV is a component of the lightweight Datto Endpoint Security agent. If you're a Datto EDR customer, there's no additional software to install on your managed endpoints.

  • Extensive reach: Your customers will feel secure in the knowledge that their critical business infrastructure is being protected by an antivirus solution that safeguards hundreds of millions of global users.

  • Real-time protection: Datto AV is always scanning, 24 hours a day, seven days a week, 365 days a year. If a threat enters your environment, there's no wait for the next scan to pick it up. In addition, when paired with Datto EDR, you can respond to emergent threats even before they become known in any malware database.

  • Automatic quarantine & remediation: Effectively identify and remove malware, restoring systems to a secure state with minimal user intervention.

  • AMSI integration: Amplify malware detection across applications, scripts, and processes, turning Datto EDR + Datto AV into a comprehensive anti-malware solution.

  • AI-powered efficiency: A lightweight AI machine learning engine ensures powerful protection without compromising system performance.

  • Advanced unpacking capabilities: Datto AV is compatible with hundreds of runtime packers and obfuscators, plus a wide range of archive formats for thorough malware detection.

  • Strong self-defense: Datto AV employs Anti-Tamper technology to safeguard against unauthorized modifications to its processes, registry keys, and files.

  • Enhanced by Windows: Operating as a Microsoft AM-PPL (AntiMalware-ProtectedProcessLight), Datto AV is protected against malicious actions, such as terminating the process.

  • Additional security layer: Specialized protection drivers reinforce Datto AV's defense, permitting access to its components only for verified, trusted applications.

  • Consistent updates: Datto AV automatically updates its security signatures every two hours, ensuring continuous protection.

  • Non-disruptive: Updates occur seamlessly, maintaining active protection without any service interruptions.

  • Direct and secure downloads: Updates are directly downloaded from Avira's secure servers, requiring no extra infrastructure on your end.

Requirements

  • You must have an active Datto AV subscription.
  • The Datto Endpoint Security agent must be installed on all endpoints you wish to monitor, and those devices must be able to communicate with your EDR instance.

Supported operating systems

To leverage Datto AV in your environment, protected endpoints must meet or exceed the following compatibility requirements.

Operating system

  • Windows 7 Service Pack 1 (SP1) or higher

  • Windows Server 2008 R2 Service Pack 1 (SP1) or higher

IMPORTANT  Support for these platforms is limited to detection engine and malware pattern updates only. The Universal C Runtime and SHA-2 Code Signing Support updates are required for Windows updates.

  • Windows 10 or higher

  • Windows Server 2016 or higher
CPU

Intel x86 32-bit or 64-bit dual-core processor (minimum); dual-core 1.6 GHz processor or higher (recommended)
Memory (RAM)

2 GB (minimum); 4 GB (recommended)
Disk space 2 GB (minimum); 5 GB (recommended)
Notes macOS support is planned for Q2 2024, and Linux support is planned for Q3 2024.

How it works

Datto AV delivers its monitoring and protection services via the lightweight Endpoint Security agent. Once you've deployed the agent to your managed systems, you'll create customized policies that define how Datto AV should analyze and respond to threats at the organization, location, and device level. You can enable or disable unique protection, scanning, and exclusion settings. When integrated with Datto EDR, Datto AV provides robust detection of and protection against known and emerging threats.

For more information about how to configure policies, refer to Working with the Policies page.

You'll find your Datto AV settings on the Policies page. Clicking the name of a Datto AV policy opens its Edit Policy page. From this location, the following configuration options are available.

NOTE   This policy is only available to users with an active Datto AV subscription.

Details
Field name Definition

Type

The type of policy

Name

The name of the policy

Description

The extended description of the policy's purpose, functions, and any other pertinent information

Real-time Protection Scan
Feature name Definition
Enable Real-time Protection Scans

Click to enable or disable continuous threat scans on protected endpoints
Scan Archives

Includes or excludes archive files from analysis during scans; when included, archive types such as ARJ, ZIP, GZIP, TAR, RAR, self-extracting ZIP, self-extracting ARJ, UUE and XXE compressed files, 7-Zip, LZH/LHA, packaged image files that come with installers, PDFs, and more will be analyzed
Customize Archive Scanning

Limit Number Of Nested Zip Folders To

Restricts scans of archives within archives to the given value

Limit Number Of Files To

Do not analyze more than this number of files within the archive

Limit File Size To (In MB)

Exclude analysis of archived files greater than the designated limit

Network Drives
Feature name Definition

Scan storage devices on local networks

Enable to scan any mapped network drives within the local network (such as F:\ to Z:\)

Scanning exclusions
Feature name Definition
Exclude Folders

Excludes specific folders, files, and processes from scanning
Exclude Files
Excluded Processes

Scheduled File Scan Settings
Feature name Definition
Scan All File Types

Scans all files on the host
Scan Recommended File Types Only

Scans the following file types: 386, ?HT*, ACAD, ACM, ADE, ADP, ANI, APK, APP, ASD, ASF, ASP, ASX, AU3, AWX, AX, BAS, BAT, BIN, BOO, CDF, CHM, CLASS, CMD, CNV, COM, CPL, CPX, CRT, CSH, CSS, CSV, DEX, DLL, DLO, DO*, DRV, DWG, EMF, EML, EXD, EXE*, FAS, FLT, FOT, HLP, HT*, INF, INI, INS, ISP, J2K, JAR, JFF, JFI, JFIF, JIF, JMH, JNG, JOB, JP2, JPE, JPEG, JPG, JS*, LNK, LSP, MD?, MOD, MPP, MPT, MS?, NWS, OBJ, OCX, OLB, ONE, OSD, OV?, PCD, PDF, PDR, PGM, PHP, PIF, PKG, PL*, PNG, POT*, PPAM, PPS*, PPT*, PRC, PRG, PROJ, PS1, PSH, PWZ, PY, PYC, PYD, R0?, R1?, R2?, RAR, REG, RPL, RTF, SBF, SCF, SCR, SCRIPT, SCT, SH, SHA, SHB, SHS, SIS, SLD?, SPL, SWF, SYS, TLB, TSP, TTF, URL, VB?, VCS, VLM, VXD, VXO, WIZ, WLL, WMA, WMD, WMF, WMS, WMV, WMZ, WPC, WSC, WSF, WSH, WWK, XAR, XL*, XML, XXX, ZIP, and files with no extensions
Scan Archives

Includes or excludes archive files from analysis during scans; when included, archive types such as ARJ, ZIP, GZIP, TAR, RAR, self-extracting ZIP, self-extracting ARJ, UUE and XXE compressed files, 7-Zip, LZH/LHA, packaged image files that come with installers, PDFs, and more will be analyzed
Mailbox Formats When selected, includes analysis of BSD, MBOX, MBX, PMM, PMI, CNM, PST, OST, and Squid cache files in the scheduled scan
Disk Image Formats When selected, includes analysis of ISO 9660 and WIM files in the scheduled scan
Limit Number Of Nested Zip Folders To Restricts scans of archives within archives to the given value
Exclude Folders Excludes the designated files and folders from analysis during scans
Exclude Files

Schedule Full Scan
Definition

Schedules a thorough check of the entire system and sequentially scans all files on all hard drives, removable storage media and, if selected, network drives.

IMPORTANT  Full scans are lengthy processes that require considerable OS resources. They can impact performance on servers and other high utilization systems. We recommend performing a full scan no more than once a week for most systems.

Schedule Quick Scan
Definition

Schedules a scan that examines running processes and the locations most likely to contain malware, such as registry keys, system drivers, and known Windows startup folders. Together with real-time protection, a quick scan helps provide strong protection against malware. In most cases, a quick scan is sufficient and is the option we recommend for scheduled scans.

To learn how to create and manage policies, refer to Adding or editing rules and Named policies.

FAQs

The following topics address questions commonly asked by our customers and answered by our Product Management team.

Datto AV will operate from within the Datto EDR platform, featuring a similar UI, license and management workflows, and centralized configuration options.

It provides automated quarantine protection and heuristic analysis for real-time threat detection. It also includes anti-tamper protection, ensuring that the Datto AV process cannot be maliciously killed.

The Datto AV agent checks for updates every two hours, ensuring it is always up to date with the latest signatures. You can initiate scans directly from the Datto EDR portal and choose between full or quick scans based on applicable policies.

Yes, Datto AV can be sold as a standalone solution, and it does not require packaging with EDR. However, combining it with EDR can provide a more robust security solution and a more compelling end-user security narrative.

Customers access both Datto EDR and Datto AV through the EDR console. Depending on your subscription, you'll have one of the following experiences:

  • If you're subscribed to Datto EDR only, all Datto AV features will be availability.

  • If you're subscribed to Datto AV only, all Datto EDR functions will be inaccessible.

  • If you're subscribed to both Datto EDR and Datto AV, the features of both products will be available.

For more information, refer to Datto EDR and Datto AV access control.

No, end users will not see any pop-up notifications from Datto AV. However, RMM solutions will be aware of Datto AV's presence and status on the device.

A new license type called Datto AV will be visible in the Account section of the EDR Admin page. The details appearing here include entries for contract expiration dates and the number of hosts for which licenses are purchased.

Yes, Datto AV can scan the Outlook database for threats, ensuring that the contents of emails and attachments are checked for malware.

"Scan Archives" means that Datto AV can scan compressed and packaged file types commonly used for installers and documents.

Datto AV supports a wide range of archive file types, including, but not limited to, the following:

  • ARJ, ZIP, GZIP, TAR, and 7-Zip

  • Self-extracting archives

  • UUE and XXE

  • LZH and LHA

  • Various mailbox formats and the Squid cache format

  • Image file types such as ISO and WIM

Customize Archive Scanning enables you to specify how many levels deep (archives within archives) the scan should go. You can adjust the setting up to 1,000 levels deep.

You can limit the number of files to scan within an archive and the size of each file. The default file size limit is 1 MB per file, with the maximum allowed being INT_64 bytes, accommodating a vast upper limit.

Datto AV's network drive scanning capability includes all local drives on a PC (such as C:\ or D:\) and any mapped network drives within the local network (such as F:\ to Z:\). As a result, the platform ensures comprehensive scanning coverage beyond the local machine.

Yes, once you restore an item from the console, Datto AV will exclude it from future antivirus scans.

Restoring an item adds it to Datto AV's internal exemption list. The object will not trigger subsequent alerts.

Yes, when adding exclusions for files, folders, or processes, you must enter the full path. Paths are case-sensitive.

Next steps

Ready to start your Datto AV deployment? Refer to our Getting Started with Datto Antivirus (AV) and Deploying the Datto Endpoint Security agent articles.