Antivirus detection - Legacy UI
It is vital for our partners that Datto RMM provides accurate information about their managed endpoints' antivirus status. Datto RMM's universal antivirus detection allows an endpoint to report the name and status of its antivirus product.
The antivirus information is presented on the device summary page under the Status section in the legacy UI and in the Summary and System cards in the New UI. The data is also used in monitoring, filters and columns, on the site summary page and in reports in the legacy UI and New UI, and in a widget in the New UI.
Antivirus status
On Windows workstations, Datto RMM queries the Windows Security Center information exposed through WMI to ascertain which antivirus suite is installed. If no antivirus is present, Windows Defender automatically engages to protect Windows-as-a-service devices.
Datto RMM then uses its own native detection methods to ascertain what antivirus is installed, with its findings taking precedence over WMI results. On Windows Servers, this is the main source of information because Windows Security Center and its related WMI namespace are not available on Windows Server operating systems. From here, the antivirus status can be overridden using an override file. Refer to Antivirus status override file.
The protection level is based on whether the antivirus product is detected, running, and/or up to date. The order of protection level (from highest to lowest) is defined in the following way:
Detected | Running | Up to Date | Antivirus Status |
---|---|---|---|
Yes | Yes | Yes | Running and up to date |
Yes | Yes | No | Running and not up to date |
Yes | No | Yes | Not running |
Yes | No | No | Not running |
No | | | Not detected |
NOTE A device's antivirus status is updated every 60 seconds if it's different from the previous status.
NOTE Updates older than three days are considered out of date.
Antivirus products
Datto RMM stores one antivirus product offering the highest level of protection per device. The table below lists the antivirus products that are natively detected by Datto RMM on Windows or macOS devices. The table also contains information on whether the product can be downloaded as a pre-packaged component from the ComStore, as well as a link to the vendor's website for more information about the antivirus solution.
IMPORTANT This table is only relevant in cases where the antivirus product cannot be intuited via the WMI (for example, on Windows Servers or non-Windows devices). Windows workstations should identify the antivirus product without needing bespoke support.
Antivirus Product | Windows | macOS | ComStore | Note | Product Information |
---|---|---|---|---|---|
Avast Antivirus (from Windows 7 onward) | | | | | Avast |
Avast Business Antivirus (from Windows Server 2012 onward) | | | | | Avast |
Bitdefender Endpoint Security Tools | | | | | Bitdefender |
Bitdefender Internet Security | | | | | Bitdefender |
CrowdStrike Falcon | | | | For devices running Windows 7+ or Windows Server 2016+. | CrowdStrike Falcon |
ESET Endpoint Antivirus | | | | | ESET |
F-Secure Protection Service for Business | | | | For devices running Windows 7+ or Windows Server 2012+. | F-Secure |
Kaspersky Endpoint Security | | | | | Kaspersky |
Kaspersky Security for Windows Server (from Windows Server 2012 onward) | | | | | Kaspersky |
McAfee Endpoint Security | | | | | McAfee |
McAfee Total Protection | | | | | McAfee |
McAfee VirusScan Enterprise | | | | | McAfee |
Microsoft Security Essentials | | | | For devices running Windows 7+ or Windows Server 2012+. | Microsoft |
Panda Endpoint Protection | | | | | Panda |
SentinelOne | | | | For Windows devices running Windows 7+ or Windows Server 2012+. macOS detection only works if the ComStore monitor component is running. | SentinelOne |
Sophos Intercept X | | | | macOS detection only works if the ComStore monitor component is running. | Sophos |
Symantec Endpoint Protection | | | | | Symantec |
System Center Endpoint Protection | | | | On Windows 7 and Windows Server 2012. On Windows Server 2016, it is detected as Windows Defender Antivirus. | Microsoft |
Trend Micro Worry-Free Business Security | | | | | Trend Micro |
Webroot SecureAnywhere | | | | | Webroot |
Windows Defender Antivirus (from Windows 8 onward) | | | | | Microsoft |
NOTE For more information about the integrations with Webroot SecureAnywhere Endpoint Protection and Endpoint Security by Bitdefender, refer to Antivirus Product.
NOTE Datto RMM only supports the antivirus suites listed above. If, for example, a server variant is not listed, it is not supported.
Antivirus status override file
In the case of macOS and Linux devices, or when the antivirus product is not natively detected, you can create a JSON file to report the name of your antivirus product and whether it's running and up to date. The JSON file must be in the following format:
{"product":"Override Antivirus","running":true,"upToDate":true}
Store the file in the following location:
Operating System | Location |
---|---|
Windows | %ProgramData%\CentraStage\AEMAgent\antivirus.json |
macOS | /usr/local/share/CentraStage/AEMAgent/antivirus.json |
Linux | /usr/local/share/CentraStage/AEMAgent/antivirus.json |
You can then write a custom component monitor to monitor the file location and receive the data that it reports. If the Datto RMM Agent detects a change, it will pass the information to the web interface where it will be available for the device summary and the site summary pages, filters, reports, and monitors as well.
IMPORTANT Ensure that any variables written into the override file are formatted correctly, because the parsing of the JSON file is case-sensitive. In PowerShell, for example, if you interpolate the variables $true or $false into the file rather than writing the string "true" or "false", the override will fail, since $true and $false render as "True" and "False" (capital initials), respectively.
IMPORTANT The override file must not be older than seven days. If the file was last modified more than seven days ago, it will be deleted.
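The following is an added example, not part of Datto's documentation or the Agent's code. It writes an override file in the documented format, validates a candidate file the way the page's rules imply (exact key names, lowercase JSON booleans, file no older than seven days), and maps the result onto the protection levels from the table above, including the three-day update threshold. The file path is written to a temporary directory for the demonstration rather than the agent locations listed above; the "broken" sample files are constructed here to show the PowerShell $true/$false failure the note describes.

```python
import json
import os
import tempfile
import time

# Thresholds stated on the page: definitions older than three days are out of
# date, and an override file last modified more than seven days ago is deleted.
OUT_OF_DATE_AFTER_DAYS = 3
OVERRIDE_MAX_AGE_DAYS = 7

# Protection levels from the page's table, highest first.
STATUS_LEVELS = {
    "Running and up to date": 4,
    "Running and not up to date": 3,
    "Not running": 2,          # same level whether or not definitions are current
    "Not detected": 0,
}


def definitions_up_to_date(last_update_age_days):
    """Apply the page's three-day rule to the age of the last definition update."""
    return last_update_age_days <= OUT_OF_DATE_AFTER_DAYS


def antivirus_status(detected, running, up_to_date):
    """Collapse the three flags into the status names used by the page's table."""
    if not detected:
        return "Not detected"
    if not running:
        return "Not running"
    return "Running and up to date" if up_to_date else "Running and not up to date"


def highest_protection(products):
    """Pick the one (product, status) pair with the highest level, as the page says
    Datto RMM stores only the product offering the most protection per device."""
    return max(products, key=lambda p: STATUS_LEVELS[p[1]])


def write_override(path, product, running, up_to_date):
    """json.dumps always emits lowercase true/false, so the case-sensitive parser
    accepts the result; this is the safe way to produce the file from a script."""
    payload = {"product": product, "running": bool(running), "upToDate": bool(up_to_date)}
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(json.dumps(payload, separators=(",", ":")))
    return payload


def validate_override_text(text):
    """Return (ok, reason, data) for the raw contents of an override file."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # A bare True/False (PowerShell "$true" interpolated) is not a JSON literal.
        return False, f"not valid JSON: {exc.msg}", None
    if not isinstance(data, dict):
        return False, "top level must be a JSON object", None
    missing = [k for k in ("product", "running", "upToDate") if k not in data]
    if missing:  # key names are case-sensitive, so "uptodate" does not count
        return False, f"missing keys: {missing}", None
    if not isinstance(data["product"], str) or not data["product"]:
        return False, "product must be a non-empty string", None
    for key in ("running", "upToDate"):
        if not isinstance(data[key], bool):  # rejects the string "True" as well
            return False, f"{key} must be a JSON boolean, got {data[key]!r}", None
    return True, "ok", data


def override_status(path, now=None):
    """Status the override file would yield, honouring the seven-day expiry."""
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(path)) / 86400
    if age_days > OVERRIDE_MAX_AGE_DAYS:
        return "Not detected", "override file older than seven days; it would be deleted"
    with open(path, encoding="utf-8") as fh:
        ok, reason, data = validate_override_text(fh.read())
    if not ok:
        return "Not detected", reason
    return antivirus_status(True, data["running"], data["upToDate"]), data["product"]


def demo():
    """Write a fresh override, read it back, then age it past seven days."""
    path = os.path.join(tempfile.mkdtemp(), "antivirus.json")  # demo location only
    write_override(path, "Override Antivirus", True, True)
    fresh = override_status(path)[0]
    old = time.time() - 8 * 86400          # simulate a file last modified 8 days ago
    os.utime(path, (old, old))
    stale = override_status(path)[0]
    return fresh, stale


if __name__ == "__main__":
    print(demo())
    # Constructed broken samples: what a naive PowerShell string build produces.
    print(validate_override_text('{"product":"X","running":True,"upToDate":False}'))
    print(validate_override_text('{"product":"X","running":"True","upToDate":"False"}'))
```

The validator deliberately accepts only JSON booleans, which is what the documented sample file contains; a monitor that reads the file can reuse it to distinguish "no override" from "override present but malformed", two cases that otherwise both surface as Not detected.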
Antivirus engine log entries
The antivirus engine log entries are found in the following location:
Operating System | Location |
---|---|
Windows | %ProgramData%\CentraStage\AEMAgent\DataLog\aemagent.log |
macOS | /usr/local/share/CentraStage/AEMAgent/DataLog/aemagent.log |
Linux | /usr/local/share/CentraStage/AEMAgent/DataLog/aemagent.log |
For more information, refer to Agent log files.
Antivirus Status Monitor
The Antivirus Status Monitor can alert when no antivirus product has been detected or when it is not up to date or not running. Refer to Antivirus Status Monitor in the legacy UI or Antivirus Status monitor in the New UI.
Antivirus filters and columns
You can choose the Antivirus Product and Antivirus Status columns from the column chooser in any device list. Additionally, the same filter criteria are available when creating a filter.
Site summary, reporting, Antivirus Status widget
In the legacy UI, the antivirus data is also used on the site summary page under the Device Status section and in various reports. For more information about reports, refer to Report scheduler - Legacy UI in the legacy UI and Reports in the New UI. The New UI offers a widget that shows a breakdown of your devices' antivirus status. Refer to Antivirus Status.