Datto (Autotask) RMM Agents showing previous AV endpoint after removing from Agent endpoint.

Recently I switched from using two separate endpoint AV solutions (ESET and Webroot) to using Windows 10 Defender and the Huntress Labs scanning agent. The cost difference was significant enough, and I have found that Huntress has found infections that previous AV software missed/didn't report on.

In order to make this all happen successfully, one needs to uninstall the AV endpoints (ESET/Webroot/Sentinel1, others) first. My Datto RMM had several uninstallers built in, and I even added some that went through and purged the endpoint from the registry after doing a manual uninstall of the endpoint using the MSI file on the systems. The problem arose when looking at the devices in my RMM console: the display still showed either endpoint as the primary AV product. Subsequent calls to ESET, Webroot and others proved that re-installing and re-uninstalling had no effect.

I even tried deleting the RMM agent from the system and re-installing it, figuring it was something in the RMM agent software – NOPE!

I connected via chat to the Datto community, and the engineer there suggested I run this PowerShell command:

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

Results showed this:

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : XXXXX
__NAMESPACE : ROOT\SecurityCenter2
__PATH : \\ODIN\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 397568
timestamp : Thu, 17 Mar 2022 18:24:07 GMT
PSComputerName : XXXXX

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{885D845F-AF19-0124-FECE-FFF49D00F440}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : ODIN
__NAMESPACE : ROOT\SecurityCenter2
__PATH : \\ODIN\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{885D845F-AF19-0124-FECE-FFF49D00F440}"
displayName : ESET Security   => this is what showed in the RMM console.
instanceGuid : {885D845F-AF19-0124-FECE-FFF49D00F440}
pathToSignedProductExe : C:\Program Files\ESET\ESET Security\ecmds.exe
pathToSignedReportingExe : C:\Program Files\ESET\ESET Security\ekrn.exe
productState : 266240
timestamp : Tue, 14 Sep 2021 19:43:46 GMT
PSComputerName : XXXXXX

The Datto support tech then said to run the same PowerShell command, but with the delete option, to delete all WMI objects for the Security Center:

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object{$_.Delete()}

The result cleared all objects for Security Center and in the RMM console, the computers showed Windows Defender – the required result. No reboots necessary.

Hope this proves helpful for those with similar types of RMM console trouble when switching AV products.
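
A narrower variant of the cleanup above, added here as an example and not part of the original post or Datto's guidance: it deletes only the SecurityCenter2 registrations whose reporting executable no longer exists on disk, and never touches the Windows Defender entry. The function names are hypothetical, and it assumes an elevated Windows PowerShell 5.1 session on a client OS.

```powershell
# Added example (not from the original post). Assumes elevated Windows PowerShell 5.1
# on a client OS; root\SecurityCenter2 does not exist on Windows Server.
function Get-StaleAvRegistration {
    Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct |
        ForEach-Object {
            # Never touch the built-in Defender registration (URI as shown in the output above).
            if ($_.pathToSignedProductExe -like 'windowsdefender://*') { return }

            # Registrations may store "%ProgramFiles%\...", so expand before testing.
            $exe = [Environment]::ExpandEnvironmentVariables([string]$_.pathToSignedReportingExe)
            $onDisk = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)

            # Stale = still registered with Security Center, but the binary is gone.
            if (-not $onDisk) {
                [pscustomobject]@{
                    DisplayName  = $_.displayName
                    InstanceGuid = $_.instanceGuid
                    ReportingExe = $exe
                    Registered   = $_.timestamp
                    WmiObject    = $_
                }
            }
        }
}

function Remove-StaleAvRegistration {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    foreach ($entry in Get-StaleAvRegistration) {
        $target = '{0} {1}' -f $entry.DisplayName, $entry.InstanceGuid
        if ($PSCmdlet.ShouldProcess($target, 'Delete SecurityCenter2 AntiVirusProduct instance')) {
            # Same Delete() call as the one-liner above, applied to one instance.
            $entry.WmiObject.Delete()
        }
    }
}

# Dry run: lists what would be deleted and changes nothing.
Remove-StaleAvRegistration -WhatIf
```

Review the dry-run list, then run `Remove-StaleAvRegistration` without `-WhatIf` to delete the listed entries.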
