claudetools/.claude/memory/reference_datto_edr_detection_behavior.md
Howard Enos cf960d1b2a sync: auto-sync from HOWARD-HOME at 2026-06-25 20:23:53
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 20:23:53
2026-06-25 20:24:23 -07:00


---
name: reference_datto_edr_detection_behavior
description: How Datto EDR (azcomp4587) actually detects/reports, and AV-suppression gotchas — verified live on RMM-TEST-MACHINE
metadata:
  type: reference
---

Verified live 2026-06-25/26 on RMM-TEST-MACHINE (EDR agent b98b3ba0-..., group [TEST] RMM-TEST-MACHINE, org Arizona Computer Guru) via the datto-edr skill + /rmm.

Alert sourceType taxonomy (how to tell WHICH engine fired):

  • av = Datto AV signature hit (e.g. Eicar-Test-Signature). On-access/RTP.
  • rule = Datto EDR detection — reputation/analyst rule on the forensic scan (e.g. Generic Malware (Reputation - High Severity), description "Malware detected by endpoint protection").
  • Both land in the same Alerts collection and surface identically via edr.py detections.

Datto EDR scores on reputation, NOT on the shape of the artifact. A synthetic "looks suspicious" artifact (a Run key or scheduled task launching hidden -EncodedCommand powershell) is collected by the forensic scan but scored BENIGN, so no alert: powershell.exe is signed and has clean reputation. To get an EDR detection you need a real reputation hit: wire a known-bad file in as the executable of an autostart (Run key or scheduled task) so the survey collects and hashes it. EICAR as an autostart target works and yields a high-severity rule alert. A loose file on disk is NOT scanned by the EDR forensic survey; it only walks execution/persistence artifacts, so the file has to be the target of one of them.

AV-suppression gotchas (to isolate EDR on an endpoint):

  • Datto AV is tamper-protected: Stop-Service EndpointProtectionService2 -Force is refused ("cannot be stopped"); can't disable from the endpoint. Supported path = console policy (AV disabled / path-exclusion) — console-only, like policy assignment.
  • Disabling Datto AV in the policy uninstalls the AV component on the box (services EndpointProtectionService/...2 go absent; HUNTAgent EDR stays). Platform dattoAvEnabled flips to False at the console first; the on-box apply lags a few minutes.
  • Removing Datto AV makes Windows Defender auto-reactivate (Security Center turns it back on when no 3rd-party AV registered). Then Defender RTP quarantines EICAR AND its AMSI blocks any PowerShell script containing the literal EICAR string ("script contains malicious content"). Build EICAR from char codes so the literal never appears in the script; disable Defender RTP (or path-exclude) too.
  • After testing: restore Defender RTP (Set-MpPreference -DisableRealtimeMonitoring $false) and re-enable Datto AV in the console policy.
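The staging procedure above (EICAR as a Run-key autostart, built from char codes so AMSI never sees the literal, with Defender handled by a path exclusion rather than by switching RTP off) as one script. This is an added example for this note, not code from the note, Datto or Microsoft. Assumed by me, not stated in the note: the test directory under %TEMP%, the Run-key value name EdrTestAutostart, the HUNTAgent* service-name pattern used for the presence check, the published SHA-256 of the 68-byte EICAR file used as a sanity check, and an elevated shell for the *-MpPreference cmdlets. Run it only on a throwaway box such as RMM-TEST-MACHINE.

```powershell
# Added example (not from the original note, Datto or Microsoft): stage the EICAR test
# file as an HKCU Run-key autostart so the Datto EDR forensic survey collects and hashes
# it. The EICAR literal never appears in this script, so Defender's AMSI scan of the
# script text cannot block it. Assumptions (mine): $TestDir, $ValueName, the HUNTAgent*
# service pattern, the published EICAR SHA-256, elevated shell for *-MpPreference.

$TestDir   = Join-Path $env:TEMP 'edr-test'
$TestFile  = Join-Path $TestDir 'eicar-autostart.com'
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'EdrTestAutostart'

# The 68 EICAR bytes as decimal char codes; the recognisable literal is never written here.
$codes = @(
    88,53,79,33,80,37,64,65,80,91,52,92,80,90,88,53,52,40,80,94,41,55,67,67,41,55,125,36
    69,73,67,65,82,45,83,84,65,78,68,65,82,68,45,65,78,84,73,86,73,82,85,83,45,84,69,83,84
    45,70,73,76,69,33,36,72,43,72,42
)
$eicar = -join ($codes | ForEach-Object { [char]$_ })
$bytes = [System.Text.Encoding]::ASCII.GetBytes($eicar)

function Test-EicarBytes {
    # Sanity check against the published SHA-256 of the 68-byte EICAR file, so a typo in
    # the char codes cannot leave you staging an inert file and blaming the EDR.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hex = -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    $sha.Dispose()
    $hex -eq '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'
}

function Get-AvState {
    # Which engines are live right now: Datto AV, the HUNTAgent (EDR) service, Defender RTP.
    # After the console policy removes Datto AV, expect DattoAvPresent=False and
    # DefenderRtpEnabled=True (Security Center hands the box back to Defender).
    $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $rtp = $false
    if ($defender) { $rtp = [bool]$defender.RealTimeProtectionEnabled }
    [pscustomobject]@{
        DattoAvPresent     = [bool](Get-Service -Name 'EndpointProtectionService*' -ErrorAction SilentlyContinue)
        HuntAgentPresent   = [bool](Get-Service -Name 'HUNTAgent*' -ErrorAction SilentlyContinue)
        DefenderRtpEnabled = $rtp
    }
}

function Install-EicarAutostart {
    if (-not (Test-EicarBytes)) { throw 'EICAR bytes do not match the published hash; fix $codes' }
    New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
    if ((Get-AvState).DefenderRtpEnabled) {
        # Defender is active (Datto AV gone): exclude the test dir first, or RTP quarantines
        # the file the moment it is written. Narrower than disabling RTP outright.
        Add-MpPreference -ExclusionPath $TestDir
    }
    [System.IO.File]::WriteAllBytes($TestFile, $bytes)   # raw ASCII, no BOM, no trailing newline
    # The survey only hashes execution/persistence targets, so the file must be an
    # autostart's executable. It never has to run; collection + reputation lookup scores it.
    Set-ItemProperty -Path $RunKey -Name $ValueName -Value ('"{0}"' -f $TestFile)
}

function Remove-EicarAutostart {
    # Cleanup: artifact gone, exclusion gone, Defender RTP back on. Re-enabling Datto AV
    # is console-policy only and is not scriptable from the endpoint.
    Remove-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    Remove-Item -Path $TestFile -Force -ErrorAction SilentlyContinue
    Remove-MpPreference -ExclusionPath $TestDir -ErrorAction SilentlyContinue
    Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
}

Get-AvState | Format-List
Install-EicarAutostart
"Staged $TestFile behind HKCU Run value '$ValueName'. Trigger or await the EDR forensic scan, confirm a sourceType=rule alert, then run Remove-EicarAutostart."
```

The path exclusion is deliberate: it keeps Defender RTP on for the rest of the box and scopes the blind spot to one directory, whereas -DisableRealtimeMonitoring $true blinds the whole endpoint for the duration of the test. The hash check matters because a single wrong char code produces a file with no reputation at all, which the survey would happily score benign, reproducing exactly the "no alert" result the note warns about for synthetic artifacts.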

Skill: reference_syncro_rmm_api_gui_only is the analogous "management is GUI/console-only" constraint. See .claude/skills/datto-edr/.