claudetools/clients/cascades-tucson/docs/security/antivirus.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00

Endpoint Security / Antivirus

Current State (In Transition)

  • Current Product: Datto EDR (part of Datto RMM suite)
  • Status: Migrating away — Datto RMM being replaced by SyncroRMM
  • Datto EDR will need to be replaced when migration completes
  • HIPAA: §164.308(a)(5) requires security awareness and §164.312(a) requires access control. EDR/AV is a critical control for protecting PHI on staff workstations that access ALIS and file shares.

Available Options Through Syncro

  • Bitdefender GravityZone — available, Howard does NOT prefer this
  • Emsisoft — available through Syncro

See notes section for full recommendation.

Deployment Status (audit 2026-03-20)

  • Total Endpoints: 19 (1 server + 18 workstations)
  • Datto AV: 17 machines (enabled and up to date on most)
  • Bitdefender + Datto AV (conflict): RECEPTIONIST-PC — dual AV running
  • COMODO AV (disabled): MDIRECTOR-PC — Windows Defender active instead
  • McAfee LiveSafe (bloatware): LAPTOP-E0STJJE8 — conflicts with Datto
  • Malwarebytes (alongside Datto): CRYSTAL-PC, MAINTENANCE-PC
  • Windows Defender active: MDIRECTOR-PC (only machine using Defender as primary)

Issues

| Machine         | Issue                                                   |
|-----------------|---------------------------------------------------------|
| RECEPTIONIST-PC | Bitdefender + Datto AV both running — pick one          |
| LAPTOP-E0STJJE8 | McAfee LiveSafe + WebAdvisor installed — remove         |
| MDIRECTOR-PC    | COMODO AV disabled, stale — remove                      |
| LAPTOP-DRQ5L558 | Multiple Datto AV instances, mixed enabled/disabled     |
| LAPTOP-E0STJJE8 | Multiple Datto AV instances, mixed enabled/disabled     |

Previous MSP Software (on ALL machines — remove)

  • Splashtop Streamer — on every machine
  • Datto RMM agent — on CS-SERVER (at minimum)
  • N-able Take Control — on some machines (stopped/stuck services)
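
As an added example that is not part of the client docs or the msp-audit-scripts project, the PowerShell below checks one workstation for the conditions the audit above recorded: more than one AV product with real-time protection on, duplicate registrations of a single product, disabled or stale products, and leftover remote-access agent services. The Security Center productState bit decoding and the service display-name fragments are assumptions, not vendor-documented values.

```powershell
# Added example (not from the client docs or msp-audit-scripts). Assumes a
# Windows 10/11 workstation; root/SecurityCenter2 is absent on Server SKUs.
function Get-AvProductStatus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $state = [int]$_.productState   # community bit decoding, best-effort
            [pscustomobject]@{
                Name     = $_.displayName
                Enabled  = (($state -band 0x1000) -ne 0)   # real-time protection on
                UpToDate = (($state -band 0x10) -eq 0)     # definitions current
            }
        }
}
function Test-AvConflicts {
    param([object[]]$Products = @(Get-AvProductStatus))
    $findings = @()
    $enabled = @($Products | Where-Object Enabled)
    if ($enabled.Count -gt 1) {
        $names = ($enabled.Name | Sort-Object -Unique) -join ', '
        $findings += "CONFLICT: $($enabled.Count) products with real-time protection on ($names) - pick one"
    } elseif ($enabled.Count -eq 0) {
        $findings += 'WARNING: no AV product has real-time protection enabled'
    }
    # Several registrations of one product, e.g. the multiple Datto AV instances in the audit
    foreach ($g in ($Products | Group-Object Name | Where-Object Count -gt 1)) {
        $findings += "DUPLICATE: $($g.Count) instances of '$($g.Name)' registered"
    }
    foreach ($p in ($Products | Where-Object { -not $_.Enabled })) {
        $findings += "STALE: '$($p.Name)' registered but disabled - remove or re-enable"
    }
    foreach ($p in ($Products | Where-Object { $_.Enabled -and -not $_.UpToDate })) {
        $findings += "OUTDATED: '$($p.Name)' definitions out of date"
    }
    $findings
}
function Test-LeftoverMspAgents {
    # Display-name fragments are assumptions; confirm against Get-Service on a known machine.
    $patterns = 'Splashtop', 'Datto', 'CentraStage', 'Take Control', 'N-able'
    Get-Service | Where-Object { $svc = $_; $patterns | Where-Object { $svc.DisplayName -like "*$_*" } } |
        ForEach-Object { "LEFTOVER: service '$($_.DisplayName)' is $($_.Status) - schedule removal" }
}
# Constructed sample mirroring LAPTOP-E0STJJE8 (two Datto AV instances plus McAfee), not live data:
$sample = @(
    [pscustomobject]@{ Name = 'Datto AV';        Enabled = $true;  UpToDate = $true  },
    [pscustomobject]@{ Name = 'Datto AV';        Enabled = $false; UpToDate = $true  },
    [pscustomobject]@{ Name = 'McAfee LiveSafe'; Enabled = $true;  UpToDate = $false }
)
Test-AvConflicts -Products $sample   # exercises the CONFLICT, DUPLICATE, STALE and OUTDATED checks
Test-LeftoverMspAgents               # live check on the machine running the script
```

Running Test-AvConflicts with no arguments audits the local machine; the output lines map directly onto the Issues table rows above.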

Notes

Antivirus Recommendation for Syncro Integration

Best option: Huntress + SentinelOne

SentinelOne (Singularity)

  • Native Syncro integration (built-in, deploy from Syncro)
  • Full autonomous EDR — detects AND responds without human intervention
  • Rollback capability (ransomware recovery)
  • Consistently top-rated in independent AV tests
  • Per-agent MSP pricing available
  • Much stronger detection engine than Bitdefender GZ or Emsisoft

Huntress (Managed Threat Detection)

  • Native Syncro integration
  • Managed by Huntress SOC team — they investigate alerts FOR you
  • Catches what traditional AV misses (persistent footholds, LOLbins, lateral movement)
  • Lightweight agent runs alongside any AV
  • Built specifically for MSPs
  • 24/7 human threat hunters review detections before alerting you

Why both?

  • SentinelOne = prevention + automated response (replaces Datto EDR)
  • Huntress = detection + managed investigation (adds a layer Datto EDR never had)
  • Together they cover the full kill chain with minimal MSP effort
  • Both have one-click deploy through Syncro

If only one: SentinelOne alone is a strong standalone choice and integrates directly with Syncro's policy management. It's a significant upgrade over Datto EDR, Bitdefender GZ, and Emsisoft in both detection quality and automation.