- Antivirus Status is a monitor, so first confirm AEMAgent itself is running and polling correctly: do you see recent "last reading" values in the monitor section of the device?
- Do not immediately assume the status is coming from WMI/Security Center and run the "clear WMI entries" component. That component only helps when the agent is using the Security Center source, which is one of the 3 detection methods (see below).
- Establish which detection source the agent is using: check AEMAgent.log for the AntiVirus POLL entry and look at the avSource value, e.g.:
12.9.0.1367|2024-04-22T01:16:35.348-04|INFO|POLL|{ "logcontext": "Monitoring.Program", "membername": "handler", "httpStatusCode": 200, "definitionName": "AntiVirus", "monitorId": "BUILT-IN", "json": "{\"avProduct\":\"Endpoint Security\",\"avUpToDate\":true,\"avRunning\":true,\"avSource\":\"Defined\"}" }
- Defined = Native Detection
- Security Center = Security Center
- Override = Override file
- If it's using Native detection (avSource = Defined), check the detection criteria in the monitor definition and verify whether they actually hold on the device (use the Agent Browser to check remotely).
- If the source is Override, do we know how the override file is being placed and updated? The most common reason for an override to be in place is a component monitor, possibly one the customer was not aware of.
- If the source is Override and they are aware of the component that updates it, check whether that component script is writing the wrong running/up-to-date status to the file.
- If it's using Security Center, query what Security Center actually reports on the device (the root\SecurityCenter2 WMI namespace, AntiVirusProduct class) and compare it with the agent's reading. Note that this namespace does not exist on Windows Server, so a Security Center reading is only possible on workstation editions.
- If the AV is Bitdefender, see leadership about handing the ticket over to Bitdefender: it may be Bitdefender's own script failing to discern the status correctly before writing it to the override file.
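The steps above, as an added PowerShell example (not the Datto RMM agent's own code): it pulls the newest AntiVirus monitor reading out of AEMAgent.log, reports which avSource it came from, and for the Security Center source compares it with what root\SecurityCenter2 reports. Assumptions not taken from this page: the default log path, the productState decoding (a long-standing community convention, not a documented Microsoft contract), and the override file path, which the page does not give and which you must supply yourself.

```powershell
# Added example, not the Datto RMM agent's own code.
# Assumed: the default AEMAgent.log location below, and the productState
# decoding, which is a community convention rather than documented by Microsoft.
param(
    [string]$LogPath = 'C:\ProgramData\CentraStage\AEMAgent\AEMAgent.log',
    [string]$OverrideFile   # path of the override file if known; the page does not name it
)

function Get-LastAvReading {
    param([string]$Path)
    # Each POLL line is: version|timestamp|level|POLL|{json}. The envelope's
    # "json" field is itself a JSON string, so it is parsed a second time.
    $line = Select-String -Path $Path -Pattern '"definitionName": "AntiVirus"' -SimpleMatch |
        Select-Object -Last 1
    if (-not $line) { return $null }
    $fields   = $line.Line -split '\|', 5
    $envelope = $fields[4] | ConvertFrom-Json
    $reading  = $envelope.json | ConvertFrom-Json
    [pscustomobject]@{
        Timestamp = $fields[1]
        Product   = $reading.avProduct
        Running   = [bool]$reading.avRunning
        UpToDate  = [bool]$reading.avUpToDate
        Source    = $reading.avSource      # Defined | Security Center | Override
    }
}

function Get-SecurityCenterAvState {
    # Security Center's CIM view. productState is an undocumented bitfield;
    # the usual convention: middle byte 0x10/0x11 = enabled, low byte 0x00 = signatures current.
    # The namespace does not exist on Windows Server, so this throws there.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
        ForEach-Object {
            $hex = '{0:X6}' -f $_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                Running  = ($hex.Substring(2, 2) -in '10', '11')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
                RawState = "0x$hex"
            }
        }
}

$reading = Get-LastAvReading -Path $LogPath
if (-not $reading) { Write-Warning "No AntiVirus monitor reading found in $LogPath"; return }
$reading | Format-List

switch ($reading.Source) {
    'Security Center' {
        try {
            $sc = Get-SecurityCenterAvState
            $sc | Format-Table -AutoSize
            $match = $sc | Where-Object Product -eq $reading.Product
            if (-not $match) {
                Write-Warning "Security Center lists no product named '$($reading.Product)'"
            } elseif ($match.Running -ne $reading.Running -or $match.UpToDate -ne $reading.UpToDate) {
                Write-Warning 'Agent reading and Security Center disagree; check when the monitor last polled'
            }
        } catch {
            Write-Warning "root/SecurityCenter2 not available (expected on Windows Server): $_"
        }
    }
    'Override' {
        if ($OverrideFile -and (Test-Path $OverrideFile)) {
            # LastWriteTime tells you how recently some component rewrote the status
            Get-Item $OverrideFile | Select-Object FullName, LastWriteTime
            Get-Content $OverrideFile
        } else {
            Write-Warning 'Source is Override: find the component writing the override file and inspect its contents'
        }
    }
    'Defined' {
        'Native detection: compare the monitor definition criteria against the device (Agent Browser)'
    }
}
```

Run it on the affected device (for example through the Agent Browser or a quick job). A mismatch between the agent's reading and the Security Center table points at a stale poll or a stale Security Center registration; a reading with Source = Override when nobody expects one means a component is writing the file, and its LastWriteTime is the quickest way to correlate it with a scheduled job.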