Antivirus management

It is vital for our partners that Datto RMM provides accurate information about their managed endpoints' antivirus status. Datto RMM's universal antivirus detection allows an endpoint to report the name and status of its antivirus product. The antivirus information is presented on the Device Summary page under the Status section. The data is also used in monitoring, filters and columns, on the Site Summary page, and in reports.

Antivirus products

Datto RMM stores one antivirus product offering the highest level of protection per device. The table below lists the antivirus products that are natively detected by Datto RMM on Windows or macOS devices. The table also contains information on whether the product can be downloaded as a pre-packaged component from the ComStore, as well as a link to the vendor's website for more information about the antivirus solution.

Antivirus Product Windows macOS ComStore More Information
Avast Antivirus (from Windows 7 onward)     Avast
Avast Business Antivirus (from Windows Server 2012 onward)     Avast
Bitdefender Endpoint Security     Bitdefender
ESET Endpoint Antivirus   ESET
Kaspersky Endpoint Security Kaspersky
Kaspersky Security for Windows Server (from Windows Server 2012 onward)     Kaspersky
McAfee Endpoint Security     McAfee
McAfee VirusScan Enterprise     McAfee
Panda Endpoint Protection     Panda
Sophos Antivirus     Sophos
Symantec Endpoint Protection     Symantec
System Center Endpoint Protection (On Windows 7 and Windows Server 2012. On Windows Server 2016, it is detected as Windows Defender Antivirus.)     Microsoft
Trend Micro Worry-Free Business Security     Trend Micro
Webroot SecureAnywhere Webroot
Windows Defender Antivirus (from Windows 8 onward)     Microsoft

Please note that Datto RMM only supports the antivirus suites listed above. If a server variant, for example, is not listed, it is not supported.

When no antivirus product is detected on workstations running Windows Vista and above, the Agent will use the Windows Security Center information. Windows Server does not support this facility.

Antivirus status

The protection level is based on whether the antivirus product is detected, running, and/or up to date. The order of protection level (from highest to lowest) is defined in the following way:

Detected Running Up-to-Date Antivirus Status
Running & up-to-date
Running & not up-to-date
Not running
Not running
    Not detected

A device's antivirus status is updated every 60 seconds if different from the previous status.

Updates older than three days are considered out of date.

Antivirus status override file

In the case of macOS and Linux devices or when the antivirus product is not natively detected, you can use an antivirus status override file to update the device's antivirus status. The file must be JSON in the following format:

{"product":"Override Antivirus","running":true,"upToDate":true}

Create the file and store it in the following location:

Operating System Location
Windows %ProgramData%\CentraStage\AEMAgent\antivirus.json
macOS /usr/local/share/CentraStage/AEMAgent/antivirus.json
Linux /usr/local/share/CentraStage/AEMAgent/antivirus.json

You can write a custom component monitor to perform the necessary checks and update the override file. The Datto RMM Agent monitors the override file location and if it detects a change, it will pass the information to the Web Portal where it will be available for device and site summary, filters, reports, and alerting as well.

Ensure that any variables used in the override file are formatted correctly, as the parsing of the JSON file is case-sensitive. In PowerShell, for example, if you use a variable of format $true or $false rather than the string "true" or "false", the override will fail since the returned values of $true and $false equate to “True” and “False” (capital initials), respectively.

The override file must not be older than seven days. If the file was last modified more than seven days ago, it will be deleted.

Antivirus engine log entries

The antivirus engine log entries are found in the following location:

Operating System Location
Windows %ProgramData%\CentraStage\AEMAgent\DataLog\aemagent.log
macOS usr/local/share/CentraStage/AEMAgent/DataLog\aemagent.log
Linux usr/local/share/CentraStage/AEMAgent/DataLog\aemagent.log

Antivirus Status Monitor

The Antivirus Status Monitor can alert when no antivirus product has been detected or when it is not up to date or not running. Refer to Antivirus Status Monitor.

Antivirus filters and columns

You can choose the Antivirus Product and Antivirus Status columns from the column chooser in any device list. Additionally, the same filter criteria are available when creating a filter.

Site Summary and reporting

The antivirus data is also used on the Site Summary page under the Device Status section, and in various reports. For more information about reports, refer to Report scheduler.


Need to troubleshoot this? Open the Datto Knowledge Base.
Want to talk about it? Head on over to our Community Forum!
Forward this topic to others.
Provide feedback for the Documentation team