Datto (Autotask) RMM Agents showing previous AV endpoint after removing from Agent endpoint.
Recently I switched from using two separate endpoint AV solutions (ESET and Webroot) to using Windows 10 Defender and the Huntress Labs scanning agent. The cost difference was significant enough, and I have found that Huntress has found infections that the previous AV software missed/didn't report on.
In order to make this all happen successfully, one needs to uninstall the AV endpoints (ESET/Webroot/Sentinel1, others) first. My Datto RMM had several uninstallers built in, and I even added some that went through and purged the endpoint from the registry after doing a manual uninstall of the endpoint using the MSI file on the systems. The problem arose when, looking at the devices in my RMM console, the display still showed either endpoint as the primary AV product. Subsequent calls to ESET, Webroot and others proved that re-installing and re-uninstalling had no effect.
I even tried deleting the RMM agent from the system and re-installing, figuring it was something in the RMM agent software – NOPE!
I connected via chat to the Datto community and the engineer there suggested I run this PowerShell command: Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
Results showed this:
__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : XXXXX
__NAMESPACE : ROOT\SecurityCenter2
__PATH : \ODIN\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 397568
timestamp : Thu, 17 Mar 2022 18:24:07 GMT
PSComputerName : XXXXX
__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{885D845F-AF19-0124-FECE-FFF49D00F440}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : ODIN
__NAMESPACE : ROOT\SecurityCenter2
__PATH : \ODIN\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{885D845F-AF19-0124-FECE-FFF49D00F440}"
displayName : ESET Security => this is what showed in the RMM console.
instanceGuid : {885D845F-AF19-0124-FECE-FFF49D00F440}
pathToSignedProductExe : C:\Program Files\ESET\ESET Security\ecmds.exe
pathToSignedReportingExe : C:\Program Files\ESET\ESET Security\ekrn.exe
productState : 266240
timestamp : Tue, 14 Sep 2021 19:43:46 GMT
PSComputerName : XXXXXX
The Datto support tech then said to run the same PowerShell command, but with the delete option, to delete all WMI objects for the Security Center:
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object{$_.Delete()}
This cleared all AntiVirusProduct objects from Security Center, and in the RMM console the computers showed Windows Defender – the required result. No reboots necessary.
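The one-liner above removes every registration, Defender's included. A narrower version, added here as an example and not part of the original post or Datto's guidance, lists each AntiVirusProduct entry and removes only those whose registered binaries no longer exist on disk, which is exactly the state of the ESET entry shown above. The productState decoding follows the widely used community convention and is an assumption, not documented behaviour; the -Remove switch and Test-AvBinaryPresent helper are this example's own.

```powershell
# Added example (not from the original post): list Security Center AV
# registrations and remove only those whose product binaries are gone.
# Assumes a Windows host; run elevated. Dry run unless -Remove is given.
param([switch]$Remove)

function Test-AvBinaryPresent {
    param([string]$Path)
    # Defender registers a URI (windowsdefender://) rather than a file path,
    # so only filesystem paths are checked; anything else counts as present.
    if ([string]::IsNullOrWhiteSpace($Path) -or $Path -match '://') { return $true }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return (Test-Path -LiteralPath $expanded -PathType Leaf)
}

$products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName 'AntiVirusProduct'

foreach ($p in $products) {
    # productState decoding (assumption, community convention): 6 hex digits,
    # middle byte 0x10/0x11 = enabled, last byte 0x00 = signatures current.
    # 397568 -> 061100 (Defender), 266240 -> 041000 (ESET) in the post above.
    $hex       = '{0:x6}' -f [uint32]$p.productState
    $enabled   = $hex.Substring(2, 2) -in @('10', '11')
    $upToDate  = $hex.Substring(4, 2) -eq '00'
    $exePresent = (Test-AvBinaryPresent $p.pathToSignedProductExe) -and
                  (Test-AvBinaryPresent $p.pathToSignedReportingExe)

    [pscustomobject]@{
        displayName     = $p.displayName
        instanceGuid    = $p.instanceGuid
        enabled         = $enabled
        upToDate        = $upToDate
        binariesPresent = $exePresent
        lastSeen        = $p.timestamp
    } | Format-List

    if (-not $exePresent) {
        if ($Remove) {
            Write-Host "Removing stale registration: $($p.displayName)"
            $p | Remove-CimInstance
        } else {
            Write-Host "Stale registration (run with -Remove to delete): $($p.displayName)"
        }
    }
}
```

Note that the stale ESET entry from September 2021 still decodes as enabled and up to date, so productState alone is not a useful staleness signal; the missing ecmds.exe/ekrn.exe is.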
Hope this proves helpful for those with similar types of RMM console trouble when switching AV products.