Datto EDR: Real-Time Security, Monitored Target Groups, and FAQs

ALERT LEGACY ARTICLE: The content in this article is no longer updated and is available for reference purposes only. Features and workflows described may be deprecated, significantly changed, or no longer supported.

Environment

Datto EDR

Description

Important Service Note related to RTS

With the release of the Real-Time Security features in Datto EDR the historically allowlisted file names have changed. These can be reviewed in the a related article located here.

What is Datto EDR's Real-Time Security?

RTS (Real-Time Security) is Real-Time Monitoring and Detection of threats in an environment. Datto EDR combines live forensics with continuous host monitoring into a single cloud-based platform which enables quick identification, investigation, and response to advance attacks regardless of the locality (meaning, including remote and/or distributed networks).

The combination of Datto EDR's ASSESS, MONITOR and RESPOND ensures quick identification, response and resolution of APTs (Advanced Persistent Threats), ransomware and other malware (including fileless).

Enabling Real-Time Security

All of Datto EDR's customers have the ability to enable Real-Time Security on one or all of their licensed assets. All assets that are to be monitored with Real-Time Security must reside in a Monitored Target Group in Datto EDR. This means that at time enablement, some assets may need to be relocated to other Target Groups if all assets in a Target Group are not to be monitored with Real-Time Security.

Due to the enhanced capabilities of RTS, and more efficient use of the asset's resources, there is no longer a reason to schedule scans on a recurring basis. That functionality, however, remains as well.

To enable Real-Time Security, navigate to the Target Group which contains the Assets to be monitored. Once there, simply click on the button labeled Not Monitored. Doing so will install an agent on that machine. (See FAQ regarding Permanent and Temporary agents).

Select any extensions you would like to have running on the asset, and note the specified time for the Deep Forensic Scans independent of the Real-Time Security Monitoring before clicking Enable Monitoring.

Note: The setting for the differential FSA can be modified to suit your needs under the Account Settings in the Admin Panel.

To confirm that Real-Time Security is enabled, the Not Monitored button will change to Monitored and turn blue. This is also the button used should you want to change the settings back to an unmonitored state. You will also notice that the Agent Icon changed from Grey to Blue next to the individual assets.


Unmonitored Agent	Monitored Agent

Frequently Asked Questions

How will RTS impact the overall performance and usage of the agent?

Datto EDR focuses heavily on ensuring the agent does not impact the operational functionality of the host it is running on. The agent runs at a lower priority so the agent does not starve the host. Since we are monitoring the host with RTS, there will be slightly more space used by the Agent from a storage perspective; however, the footprint is minimal.

What impact will it have on processor/memory/network utilization?

Overall performance characteristics of RTS are extremely low. Sub 3% CPU Utilization on average, 10MB of memory (and below), 10-100 Bytes/Sec of network usage, 5-25kb/sec of Disk I/O.

Will I be able to monitor and schedule point-in-time forensic scans?

Assets can be in monitored and scheduled target groups. This allows you to establish your security stance based on your needs. If assets must be monitored, place them in a monitored group and if they need to have less focus, place them in a group to be scanned on a schedule.

Can an asset be monitored and scheduled?

You are allowed to have an asset in both a monitored and a scheduled target group; however, an asset can be in ONE AND ONLY ONE monitored group.

Will monitored hosts still have forensic scans?

Monitored hosts have the benefit of being monitored AND ALSO have detailed differential scans conducted on a frequent basis.Â If a host is assigned to a monitored target group there is really no need to also scan the host, it will happen regardless as this is part of what is built into a monitored target group.

Does Datto EDR prevent or protect from attacks?

While Datto EDR does not directly block or quarantine malware, the platform does provide a very fast infection-to-detection-to-respond and kill cycle. This means that from the time of initial detection, to when you are able to respond using Datto EDR - Datto EDR would aid in preventing the spread of a malicious campaign being executed against your environment.

Will I be required to install agents when monitored is enabled?

No, once you enable a target group to be Monitored, Datto EDR will handle the migration from a temporary agent (or agentless) to agent for you. It is important to note that once a target group is marked to be Monitored it will have an agent permanently installed - but this is automatic.

Will I still have an agentless option if I just want to use scanning?

Yes, when you schedule a scan you will have the option to set the agent deployment method to be temporary (dissolvable agent) or installed.Â The default option will be to temporarily install the agent so that it is dissolved if / when the host is rebooted.

Antivirus and allowlisting considerations for RTS Capable instances

With the release of the Real-Time Security features in Datto EDR the historically allowlisted file names have changed. These can be located in the a related article at Endpoint allowlisting and antivirus considerations for the Endpoint Security agent.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.