Antivirus detection - Legacy UI

It is vital for our partners that Datto RMM provides accurate information about their managed endpoints' antivirus status. Datto RMM's universal antivirus detection allows an endpoint to report the name and status of its antivirus product.

The antivirus information is presented on the device summary page under the Status section in the legacy UI and in the Summary and System cards in the New UI. The data is also used in monitoring, filters and columns, on the site summary page and in reports in the legacy UI and New UI, and in a widget in the New UI.

Antivirus status

On Windows workstations, Datto RMM polls the Security Center information from the WMI to ascertain the antivirus suite that is installed. If no antivirus is present, Windows Defender will automatically engage to protect Windows as a service devices.

Datto RMM then uses its own native detection methods to ascertain what antivirus is installed, with its findings taking precedence over WMI results. On Windows Servers, this is the main source of information because Windows Security Center and its related WMI namespace are not available on Windows Server operating systems. From here, the antivirus status can be overridden using an override file. Refer to Antivirus status override file.

The protection level is based on whether the antivirus product is detected, running, and/or up to date. The order of protection level (from highest to lowest) is defined in the following way:

Detected Running Up to Date Antivirus Status
Running and up to date
Running and not up to date
Not running
Not running
    Not detected

NOTE  A device's antivirus status is updated every 60 seconds if it's different from the previous status.

NOTE  Updates older than three days are considered out of date.

Antivirus products

Datto RMM stores one antivirus product offering the highest level of protection per device. The table below lists the antivirus products that are natively detected by Datto RMM on Windows or macOS devices. The table also contains information on whether the product can be downloaded as a pre-packaged component from the ComStore, as well as a link to the vendor's website for more information about the antivirus solution.

IMPORTANT  This table is only relevant in cases where the antivirus product cannot be intuited via the WMI (for example, on Windows Servers or non-Windows devices). Windows workstations should identify the antivirus product without needing bespoke support.

Antivirus Product Windows macOS ComStore Note Product Information
Avast Antivirus (from Windows 7 onward)    

 

Avast
Avast Business Antivirus (from Windows Server 2012 onward)    

 

Avast
Bitdefender Endpoint Security Tools  

 

Bitdefender
Bitdefender Internet Security    

 

Bitdefender
CrowdStrike Falcon    

For devices running Windows 7+ or Windows Server 2016+.

CrowdStrike Falcon
ESET Endpoint Antivirus  

 

ESET
F-Secure Protection Service for Business    

For devices running Windows 7+ or Windows Server 2012+.

F-Secure
Kaspersky Endpoint Security

 

Kaspersky
Kaspersky Security for Windows Server (from Windows Server 2012 onward)    

 

Kaspersky
McAfee Endpoint Security    

 

McAfee
McAfee Total Protection    

 

McAfee
McAfee VirusScan Enterprise    

 

McAfee
Microsoft Security Essentials    

For devices running Windows 7+ or Windows Server 2012+.

Microsoft
Panda Endpoint Protection    

 

Panda
SentinelOne • For Windows devices running Windows 7+ or Windows Server 2012+.
• macOS detection only works if the ComStore monitor component is running.
SentinelOne
Sophos Intercept X macOS detection only works if the ComStore monitor component is running. Sophos
Symantec Endpoint Protection    

 

Symantec
System Center Endpoint Protection (On Windows 7 and Windows Server 2012. On Windows Server 2016, it is detected as Windows Defender Antivirus.)    

 

Microsoft
Trend Micro Worry-Free Business Security  

 

Trend Micro
Webroot SecureAnywhere

 

Webroot
Windows Defender Antivirus (from Windows 8 onward)    

 

Microsoft

NOTE  For more information about the integrations with Webroot SecureAnywhere Endpoint Protection and Endpoint Security by Bitdefender, refer to Antivirus Product.

NOTE  Datto RMM only supports the antivirus suites listed above. If, for example, a server variant is not listed, it is not supported.

Antivirus status override file

In the case of macOS and Linux devices, or when the antivirus product is not natively detected, you can create a JSON file to report the name of your antivirus product and whether it's running and up to date. The JSON file must be in the following format:

{"product":"Override Antivirus","running":true,"upToDate":true}

Store the file in the following location:

Operating System Location
Windows %ProgramData%\CentraStage\AEMAgent\antivirus.json
macOS /usr/local/share/CentraStage/AEMAgent/antivirus.json
Linux /usr/local/share/CentraStage/AEMAgent/antivirus.json

You can then write a custom component monitor to monitor the file location and receive the data that it reports. If the Datto RMM Agent detects a change, it will pass the information to the web interface where it will be available for the device summary and the site summary pages, filters, reports, and monitors as well.

IMPORTANT  Ensure that any variables used in the override file are formatted correctly, as the parsing of the JSON file is case-sensitive. In PowerShell for example, if you use a variable of format $true or $false rather than the string "true" or "false", the override will fail since the returned values of $true and $false equate to “True” and “False” (capital initials), respectively.

IMPORTANT  The override file must not be older than seven days. If the file was last modified more than seven days ago, it will be deleted.

Antivirus engine log entries

The antivirus engine log entries are found in the following location:

Operating System Location
Windows %ProgramData%\CentraStage\AEMAgent\DataLog\aemagent.log
macOS usr/local/share/CentraStage/AEMAgent/DataLog/aemagent.log
Linux usr/local/share/CentraStage/AEMAgent/DataLog/aemagent.log

For more information, refer to Agent log files.

Antivirus Status Monitor

The Antivirus Status Monitor can alert when no antivirus product has been detected or when it is not up to date or not running. Refer to Antivirus Status Monitor in the legacy UI or Antivirus Status monitor in the New UI.

Antivirus filters and columns

You can choose the Antivirus Product and Antivirus Status columns from the column chooser in any device list. Additionally, the same filter criteria are available when creating a filter.

Site summary, reporting, Antivirus Status widget

In the legacy UI, the antivirus data is also used on the site summary page under the Device Status section and in various reports. For more information about reports, refer to Report scheduler - Legacy UI in the legacy UI and Reports in the New UI. The New UI offers a widget that shows a breakdown of your devices' antivirus status. Refer to Antivirus Status.