Endpoint Security overview

Datto RMM offers centralized, policy-based configuration and deployment of various endpoint security technologies. Refer to Endpoint Security policy.

Types of Endpoint Security policy configurations

• Datto Endpoint Security (recommended): Deploy the Datto Endpoint Security agent through an Endpoint Security policy to start analyzing activity on the targeted endpoints. Through this configuration, Datto Endpoint Detection and Response (EDR) monitors and neutralizes threats in real time, Datto Antivirus (AV) provides strong protection against viruses and malware, and Datto Ransomware Detection (managed through Datto EDR) detects and mitigates ransomware attacks to protect your data. Refer to Datto Endpoint Security.
  

NOTE  For optimal performance, we recommend enabling only this configuration in an Endpoint Security policy.

This configuration requires the Datto Endpoint Security Integration in Datto RMM. Refer to Datto Endpoint Security Integration.


• Ransomware Detection: Deploy the standalone Datto RMM Ransomware Detection engine through an Endpoint Security policy to start analyzing file activity on the targeted endpoints. Refer to Ransomware Detection.
  

NOTE  For optimal performance, rather than enabling standalone Datto RMM Ransomware Detection, we recommend enabling only Datto Endpoint Security and deploying Ransomware Detection through your instance of Datto EDR/Datto AV.

• Managed Windows Defender Antivirus: Conduct centralized management for the antimalware engine built into Windows OS. Refer to Managed Windows Defender Antivirus.
  

View a comprehensive status of all security solutions for a device with the ability to drill into the details of a managed antivirus product. Refer to Security in Device summary.

When viewing a list of devices, the following fields are available: AV Product, AV Status, EDR Install Date, EDR Status, Managed Antivirus, and RWD Status. Refer to Column Chooser - Devices.

View detailed diagnostic information and recommendations for specific security threats. Refer to Endpoint Security alerts: diagnostic information.

These actions allow you to respond to security threats. When standalone Ransomware Detection or Datto Endpoint Security is active, a device can be isolated (and reverted from isolation) directly from the Security card. Refer to Security in Device summary.

Widgets displaying the Ransomware Detection status, Datto EDR status, and Managed Windows Defender status of your devices are available from the Widget Library. Refer to Ransomware Status, Datto EDR, and Managed Windows Defender Status. An Alerts Over Time widget, an Alerts by Category (Open) widget, and a Security Threats widget are also available from the Widget Library. All of these widgets are included in the pre-made Datto Endpoint Security Dashboard, available from the Dashboard Library. Refer to Dashboards toolbar.

This status is available only if the Datto Endpoint Security Integration is enabled for your Datto RMM account. Refer to Datto Endpoint Security Integration.

This status appears in the following locations:

• Device summary page: Datto EDR field in the Security card. Refer to Security in Device summary.
• List of devices: EDR Status column. Refer to EDR Status in Column Chooser - Devices.
• Dashboard: Datto EDR widget. Refer to Datto EDR in Widget Library.

The device(s) must be targeted by an Endpoint Security policy with the Datto Endpoint Security configuration. Refer to Datto Endpoint Security in Endpoint Security policy.

Status	Status Color	Description	Specifications
Active	Green	The Datto EDR service is running and active. In the applied Endpoint Security policy, the Threat Detection monitor in the Datto Endpoint Security configuration is functioning as expected to target the device(s).	The Datto EDR Agent (HUNTAgent) service is running (as indicated in Task Manager or Services.msc). The Datto EDR status JSON file has been updated in the last three minutes. The Datto EDR status JSON file indicates a correct and functional state (dattoEdr property = true).
Isolated	Red	Datto EDR has isolated the device or number of devices from the network in attempt to stop suspected ransomware processes and prevent further spread of the infection to other devices. To learn about device isolation in Datto EDR, refer to Ransomware monitoring options in the Datto EDR Help system. To return devices to a normal state after they have been isolated, you can run the Host Isolation Restore extension on the Alerts page in Datto EDR. Doing so will revert any isolation that has occurred on a device and return its ability to contact the internet and other devices on the network. For instructions, refer to Responding to alerts and Leveraging collection and response extensions in the Datto EDR Help system. NOTE  Isolating a device via Datto RMM does not produce the Isolated status. If the device is isolated through the Security card on the device summary page or through the Ransomware monitor in Datto RMM, its status will change to Needs Attention.	The Datto EDR Agent (HUNTAgent) service is running (as indicated in Task Manager or Services.msc). The Datto EDR status JSON file has been updated in the last three minutes. The Datto EDR status JSON file indicates host isolation (Isolated property = true).
Needs Attention	Orange	The Datto EDR service has stopped, or a Datto EDR agent update has failed. As an initial troubleshooting step, we recommend running the Datto EDR Maintenance [WIN] component, available from the ComStore, to help diagnose problems. Refer to ComStore. NOTE  Isolating a device through the Security card on the device summary page or through the Ransomware monitor in Datto RMM results in this status.	This is the default status if a Datto Endpoint Security configuration is present but none of the other status rules apply.
Not Installed	Gray	The Datto EDR agent is not installed on the device(s).	The Datto EDR agent is absent.
No EDR Policy	Yellow	The Datto EDR service is running, but no Datto EDR policy is applied to the device(s). Review the device(s) in your instance of Datto EDR to apply a policy and protect the device(s). Refer to the policies overview in the Datto EDR Help system.	The Datto EDR Agent (HUNTAgent) service is running (as indicated in Task Manager or Services.msc). The Datto EDR status JSON file has been updated in the last three minutes. The Datto EDR status JSON file indicates no policy is applied (dattoEdr property = false).
No RMM Policy	Gray	An Endpoint Security policy with the Datto Endpoint Security configuration is not configured for the device(s). Apply the policy to enable monitoring.	This is the default status if a Datto Endpoint Security configuration is missing.

This status appears in the following locations:

• Device summary page: Ransomware Detection field in the Security card. Refer to Security in Device summary.
• List of devices: RWD Status column. Refer to RWD Status in Column Chooser - Devices.
• Dashboard: Ransomware Status widget. Refer to Ransomware Status in Widget Library.

NOTE  This status only applies to the inbuilt Datto RMM Ransomware Detection, not the Datto EDR Ransomware Detection. Refer to Standalone Datto RMM Ransomware Detection.

Status	Status Color	Description	Specifications
Active	Green	The device is targeted by Ransomware Detection and the agent is sending back data, which occurs in any of the following scenarios: The device is targeted by a Datto RMM Ransomware monitor at the device level, from a Monitoring policy, or from an Endpoint Security policy with Ransomware Detection enabled. For information about standalone Datto RMM Ransomware Detection, refer to Standalone Datto RMM Ransomware Detection. The Datto Endpoint Security Integration is enabled in Datto RMM, the device is targeted by an Endpoint Security policy with Datto Endpoint Security enabled and Ransomware Detection not enabled in Datto RMM, and the device is targeted by a Ransomware Detection policy in your Datto EDR/AV portal. Refer to Understanding Datto EDR's ransomware detection and Ransomware policy in the Datto EDR Help system. This security configuration is recommended for optimal performance. The Datto Endpoint Security Integration is enabled in Datto RMM, the device is targeted by an Endpoint Security policy with both Datto Endpoint Security and Ransomware Detection enabled in Datto RMM, and the device is not targeted by a Ransomware Detection policy in your Datto EDR/AV portal. To prevent conflicts, this security configuration is not recommended. NOTE  If you are using the Datto Endpoint Security Integration in Datto RMM (recommended), you should deploy Ransomware Detection through Datto EDR/AV. In doing so, the Ransomware Detection status for devices targeted by the Datto Endpoint Security configuration in an Endpoint Security policy will show as Active in Datto RMM.	The RWDWrapper service is running (as indicated in Task Manager or Services.msc). The Datto EDR status JSON file has been updated in the last three minutes. The Datto EDR status JSON file indicates a correct and functional state (ransomwareDetection property = true). or The Datto RMM Ranswomare monitor is present.
Inactive	Gray	Ransomware Detection is not targeting the device(s).
Pending	Yellow	Ransomware Detection is targeting the device(s), but the Ransomware Detection status is pending until the agent begins sending back data.

This status appears in the following locations:

• Device summary page: Managed Windows Defender field in the Security card. Refer to Security in Device summary.
• List of devices: Managed Antivirus column. Refer to Managed Antivirus in Column Chooser - Devices.
• Dashboard: Managed Windows Defender Status widget. Refer to Managed Windows Defender Status in Widget Library.

The device(s) must be targeted by an Endpoint Security policy with the Managed Windows Defender Antivirus configuration. Refer to Managed Windows Defender Antivirus in Endpoint Security policy.

Statuses

• Enforced
  Status color: green
• Inactive
  Status color: gray