Mystery device records

It can be unsettling to see unexplained devices appear in your sites when you have not run the Datto RMM Agent installer on them; however, this is rarely cause for concern. In the vast majority of cases, mystery device records are created by antivirus and anti-malware suites that upload the Agent installer to automated testing labs for evaluation.

A common feature of modern anti-malware suites is the ability to upload files of unknown origin to offsite, automated testing facilities (sandboxes) for heuristic malware behavior checks. The first execution of a Datto RMM Agent installer can trigger this automatic process. Because every Agent installer is keyed to a particular site, each installer has a different file hash, so anti-malware vendors cannot build a file reputation for it by hash: every new installer arrives as an unknown file. Detection incidents are therefore frequent when you are starting a new site if you have not configured allowlisting rules in your anti-malware product. Where your product supports it, base those rules on the installer's signing certificate rather than its file hash, because the hash changes with every site.

IMPORTANT  Datto RMM Agent installers are digitally signed by Datto Inc.; however, older Agent installers may be signed by Autotask International Holdings Limited or CentraStage Ltd.

The Datto RMM Agent creates a device record in the web interface as part of the installation process. This seamless enrollment of new Agents makes deploying new devices into Datto RMM as simple as possible, but the same simplicity has an unintended consequence: occasionally, a machine in an antivirus testing rig executes the Agent installer to observe its behavior and, in doing so, creates a device record for itself. Such a device is typically connected for only a few seconds before the sandbox is destroyed, so little or no audit data appears for it.

Anti-malware vendors do not publish naming conventions for their testing devices, so an Administrator can only identify them from circumstantial signs. Typical signs of an anti-malware vendor testing device include, but are not limited to, the following:

  • The hostname of the device contains a person's name, generic wording, or an atypical naming scheme.
  • EXAMPLE  "CWS," "John," "Wilbert," "Cuckoo," or "ABC"

  • The IP address of the device is outside the scope of typical devices in the site. If you look up the external IP address, you may find it is registered to Microsoft, Amazon Web Services, or a security software provider.
  • The device has little to no audit data, although a sandbox occasionally stays up long enough to complete a full audit.
  • The device is online only at the time of creation and does not come back online.
  • The hardware specification of the device is minimal, at or near the stated minimum requirements for the operating system it reports.
  • Generic usernames are displayed.
  • EXAMPLE  "Johndoe," "Administrator," or "User"
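None of these signs is decisive on its own, so in practice you score a record against all of them. The following is an added example of that triage, written for this page rather than taken from Datto RMM: the record layout, the site's "usual" IP range, and the three sample records are constructed assumptions, and the generic host and user names are the ones quoted above.

```python
"""Score device records against the sandbox signs listed above.

Added example, not Datto RMM code. DeviceRecord, SITE_RANGES and the sample
records are constructed assumptions; replace them with your own export.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DeviceRecord:
    hostname: str
    external_ip: str
    username: str
    created: datetime
    last_seen: datetime
    audit_fields: int   # populated audit fields; 0 means no audit ever completed
    ram_gb: float
    cpu_cores: int


# Constructed assumptions: the external range this site's real devices use
# (TEST-NET-3 as a placeholder), and the generic names quoted on the page.
SITE_RANGES = (ip_network("203.0.113.0/24"),)
GENERIC_HOSTS = {"cws", "john", "wilbert", "cuckoo", "abc"}
GENERIC_USERS = {"johndoe", "administrator", "user"}
ONLINE_WINDOW = timedelta(minutes=10)   # a sandbox run lasts seconds, not hours
QUIET_PERIOD = timedelta(days=1)        # and the device never comes back


def _base_name(name: str) -> str:
    """Lower-case a name and drop a trailing numeric suffix ('CUCKOO-01' -> 'cuckoo')."""
    return re.sub(r"[-_]?\d+$", "", name.strip().lower())


def triage(rec: DeviceRecord, now: datetime) -> tuple[int, list[str]]:
    """Return (score, reasons); each matched sign adds one point."""
    reasons = []
    base = _base_name(rec.hostname)
    if base in GENERIC_HOSTS or len(base) <= 3:
        reasons.append("generic or atypical hostname")
    if not any(ip_address(rec.external_ip) in net for net in SITE_RANGES):
        reasons.append("external IP outside the site's usual ranges")
    if rec.audit_fields == 0:
        reasons.append("no audit data")
    if rec.last_seen - rec.created <= ONLINE_WINDOW and now - rec.last_seen >= QUIET_PERIOD:
        reasons.append("online only at creation, never returned")
    if rec.ram_gb <= 2 or rec.cpu_cores <= 1:
        reasons.append("minimal hardware specification")
    if rec.username.strip().lower() in GENERIC_USERS:
        reasons.append("generic username")
    return len(reasons), reasons


def is_likely_sandbox(rec: DeviceRecord, now: datetime, threshold: int = 3) -> bool:
    """Three or more signs together is treated as a probable testing device."""
    return triage(rec, now)[0] >= threshold


# Constructed sample records. 198.51.100.0/24 (TEST-NET-2) stands in for a
# cloud-provider address that a WHOIS lookup would attribute to a vendor.
NOW = datetime(2024, 3, 10, 9, 0)
SANDBOX = DeviceRecord("CUCKOO-01", "198.51.100.7", "JohnDoe",
                       created=NOW - timedelta(days=3),
                       last_seen=NOW - timedelta(days=3) + timedelta(seconds=45),
                       audit_fields=0, ram_gb=1, cpu_cores=1)
# A sandbox that stayed up long enough to finish a full audit still scores high.
GRAY = DeviceRecord("SRV-02", "198.51.100.9", "Administrator",
                    created=NOW - timedelta(days=5),
                    last_seen=NOW - timedelta(days=5) + timedelta(seconds=30),
                    audit_fields=38, ram_gb=2, cpu_cores=2)
WORKSTATION = DeviceRecord("ACME-LT-0231", "203.0.113.40", "asmith",
                           created=NOW - timedelta(days=30),
                           last_seen=NOW - timedelta(minutes=2),
                           audit_fields=42, ram_gb=16, cpu_cores=8)

if __name__ == "__main__":
    for rec in (SANDBOX, GRAY, WORKSTATION):
        score, reasons = triage(rec, NOW)
        print(f"{rec.hostname:14} score={score} sandbox={is_likely_sandbox(rec, NOW)} {reasons}")
```

The threshold is deliberately a score rather than a single rule: the page itself notes that a testing device can sometimes complete a full audit, so "no audit data" alone must not be required, and a legitimate laptop on a hotel network will trip the IP check on its own.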

NOTE  Even if your enterprise's anti-malware software does not include or use a dedicated offsite testing facility, you or a colleague may have uploaded the Datto RMM Agent installer for your site to an online antivirus comparison tool to check it for false positives before installing it. Anyone with access to your Agent installers has this ability, and because each installer is keyed to your site, it should be distributed only through channels you control. A common antivirus comparison tool is VirusTotal.

While testing devices are harmless, they clutter your sites. To prevent this, enable device approval (device sandboxing) for your Datto RMM account. With device approval enabled, a device you have not yet given explicit site access to cannot communicate with the platform, which also prevents anyone who merely obtains your installer from enrolling devices into your site. For more information, refer to Device approval.