Antivirus detection

It is vital for our partners that Datto RMM provides accurate information about their managed endpoints' antivirus status. Datto RMM's universal antivirus detection allows an endpoint to report the name and status of its antivirus product.

The antivirus information is presented on the Device Summary page under the Status section in the current UI and in the Software card in the New UI. The data is also used in monitoring, filters and columns, on the Site Summary page and in reports in the current UI, and in a widget in the New UI.

Antivirus status

On Windows workstations, Datto RMM polls the Security Center information from the WMI to ascertain the antivirus suite that is installed. If no antivirus is present, Windows Defender will automatically engage to protect Windows-as-a-Service devices.

Datto RMM then uses its own native detection methods to ascertain what antivirus is installed, with its findings taking precedence over WMI results. On servers, this is the main source of information.

The protection level is based on whether the antivirus product is detected, running, and/or up to date. The order of protection level (from highest to lowest) is defined in the following way:

Detected Running Up to Date Antivirus Status
Running and up to date
Running and not up to date
Not running
Not running
    Not detected

NOTE  A device's antivirus status is updated every 60 seconds if it's different from the previous status.

NOTE  Updates older than three days are considered out of date.

Antivirus products

Datto RMM stores one antivirus product offering the highest level of protection per device. The table below lists the antivirus products that are natively detected by Datto RMM on Windows or macOS devices. The table also contains information on whether the product can be downloaded as a pre-packaged component from the ComStore, as well as a link to the vendor's website for more information about the antivirus solution.

Antivirus Product Windows macOS ComStore Note Product Information
Avast Antivirus (from Windows 7 onward)    


Avast Business Antivirus (from Windows Server 2012 onward)    


Bitdefender Endpoint Security Tools  


Bitdefender Internet Security    


ESET Endpoint Antivirus  


F-Secure Protection Service for Business    

For devices running Windows 7+ or Windows Server 2012+.

Kaspersky Endpoint Security


Kaspersky Security for Windows Server (from Windows Server 2012 onward)    


McAfee Endpoint Security    


McAfee Total Protection    


McAfee VirusScan Enterprise    


Panda Endpoint Protection    


SentinelOne     For devices running Windows 7+ or Windows Server 2012+. SentinelOne
Sophos Antivirus macOS detection only works if the ComStore monitor component is running. Sophos
Symantec Endpoint Protection    


System Center Endpoint Protection (On Windows 7 and Windows Server 2012. On Windows Server 2016, it is detected as Windows Defender Antivirus.)    


Trend Micro Worry-Free Business Security  


Trend Micro
Webroot SecureAnywhere


Windows Defender Antivirus (from Windows 8 onward)    



NOTE  For more information about the component-based integrations with Webroot SecureAnywhere Endpoint Protection and Endpoint Security by Bitdefender, refer to Software.

NOTE  Datto RMM only supports the antivirus suites listed above. If, for example, a server variant is not listed, it is not supported.

Antivirus status override file

In the case of macOS and Linux devices, or when the antivirus product is not natively detected, you can use an antivirus status override file to update the device's antivirus status. The file must be JSON in the following format:

{"product":"Override Antivirus","running":true,"upToDate":true}

Create the file and store it in the following location:

Operating System Location
Windows %ProgramData%\CentraStage\AEMAgent\antivirus.json
macOS /usr/local/share/CentraStage/AEMAgent/antivirus.json
Linux /usr/local/share/CentraStage/AEMAgent/antivirus.json

You can write a custom component monitor to perform the necessary checks and update the override file. The Datto RMM Agent monitors the override file location and if it detects a change, it will pass the information to the Web Portal where it will be available for the Device Summary and the Site Summary pages, filters, reports, and monitors as well.

IMPORTANT  Ensure that any variables used in the override file are formatted correctly, as the parsing of the JSON file is case-sensitive. In PowerShell for example, if you use a variable of format $true or $false rather than the string "true" or "false", the override will fail since the returned values of $true and $false equate to “True” and “False” (capital initials), respectively.

IMPORTANT  The override file must not be older than seven days. If the file was last modified more than seven days ago, it will be deleted.

Antivirus engine log entries

The antivirus engine log entries are found in the following location:

Operating System Location
Windows %ProgramData%\CentraStage\AEMAgent\DataLog\aemagent.log
macOS usr/local/share/CentraStage/AEMAgent/DataLog/aemagent.log
Linux usr/local/share/CentraStage/AEMAgent/DataLog/aemagent.log

Antivirus Status Monitor

The Antivirus Status Monitor can alert when no antivirus product has been detected or when it is not up to date or not running. Refer to Antivirus Status Monitor in the current UI or Antivirus Status monitor in the New UI.

Antivirus filters and columns

You can choose the Antivirus Product and Antivirus Status columns from the column chooser in any device list. Additionally, the same filter criteria are available when creating a filter.

Site Summary, reporting, Antivirus Status widget

In the current UI, the antivirus data is also used on the Site Summary page under the Device Status section and in various reports. For more information about reports, refer to Report scheduler. The New UI offers a widget that shows a breakdown of your devices' antivirus status. Refer to Antivirus Status.