First things first: AV detection is a monitor, so don't audit the device as a troubleshooting step, as it most likely won't change anything.
You can find AV checks in the logs by searching for "built" or "antivirus" in AEMAgent.log. They will look similar to the entry below:
12.7.0.1113|2024-02-02T14:09:20.030-05|INFO|POLL|{ "logcontext": "Monitoring.Program", "membername": "handler", "httpStatusCode": 200, "definitionName": "AntiVirus", "monitorId": "BUILT-IN", "json": "{\"avProduct\":\"Carbon Black Cloud\",\"avUpToDate\":true,\"avRunning\":true,\"avSource\":\"SecurityCenter\",\"scDisplayName\":\"Carbon Black Cloud\",\"scProductExe\":\"%ProgramFiles%\\\\Confer\\\\RepWAV.exe\",\"scReportingExe\":\"C:\\\\Program Files\\\\Confer\\\\RepWSC.exe\",\"scProductExeDescription\":\"Carbon Black Cloud Sensor AV Remediation x64\",\"scProductExeVersion\":\"3.6.0.2076\",\"scProductExeProductName\":\"Carbon Black Cloud Sensor\",\"scProductExeProductVersion\":\"3.6.0.2076\",\"scReportingExeDescription\":\"Carbon Black Cloud Sensor Security Center Service x64\",\"scReportingExeVersion\":\"3.6.0.2076\",\"scReportingExeProductName\":\"Carbon Black Cloud Sensor\",\"scReportingExeProductVersion\":\"3.6.0.2076\",\"scRunning\":true,\"scUpToDate\":true}" }
Useful things to note:
- Make sure the "definitionName" is "AntiVirus" and that POLL is present in the log entry, so you can be sure you're actually looking at an AV check. "Antivirus" comes up in other log entries that may not be relevant
- If no AV is found, you will see "DELETE" as the reading, indicating nothing was found and the agent is telling the platform to delete any prior AV info
- Note the "avSource" field. This will read one of three things:
  - Defined – This means a natively detected AV was found and the info is being pulled via our native detection logic. Review the detection specifics for each product, as the detection method differs: https://docs.rmm.datto.net/rmm/projects/agent/uav/
  - SecurityCenter – This means we didn't find any natively detected AV and instead read what Windows Security Center reported. Review this link for how this is done: https://internal-kb.datto.com/rmm/Content/rmm/KB440000010001.html?Highlight=security%20center
  - Override – This means the AV information is being read directly from an AV override file placed in ProgramData, typically by a component monitor in RMM. Override info: https://rmm.datto.com/help/en/Content/3NEWUI/AntivirusDetection.htm?Highlight=override#Antivirus_status_override_file
- The order of detection is override first, then native detection, then Security Center
- Server OSes do not typically have Security Center, so if AV detection is working on many devices but finding nothing on servers, this may be because the AV is not natively detected and is only being reported on the working devices via Security Center
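To apply these checks across a whole AEMAgent.log rather than by eye, here is an added Python example (not Datto's code) that keeps only built-in AntiVirus POLL entries, unpacks the embedded reading, and counts devices by avSource. The sample lines are constructed in the format shown above, and the DELETE line assumes the reading is the literal string DELETE in the "json" field.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed AEMAgent.log lines in the format shown above (not real agent output); the DELETE
# line assumes the "json" reading is the literal string DELETE when no AV was found.
SAMPLE_LOG = [
    r'12.7.0.1113|2024-02-02T14:09:20.030-05|INFO|POLL|{ "logcontext": "Monitoring.Program", "definitionName": "AntiVirus", "monitorId": "BUILT-IN", "json": "{\"avProduct\":\"Carbon Black Cloud\",\"avUpToDate\":true,\"avRunning\":true,\"avSource\":\"SecurityCenter\"}" }',
    r'12.7.0.1113|2024-02-02T14:10:05.411-05|INFO|POLL|{ "logcontext": "Monitoring.Program", "definitionName": "AntiVirus", "monitorId": "BUILT-IN", "json": "{\"avProduct\":\"Example AV\",\"avUpToDate\":false,\"avRunning\":true,\"avSource\":\"Override\"}" }',
    r'12.7.0.1113|2024-02-02T14:11:00.000-05|INFO|POLL|{ "logcontext": "Monitoring.Program", "definitionName": "AntiVirus", "monitorId": "BUILT-IN", "json": "DELETE" }',
    r'12.7.0.1113|2024-02-02T14:11:01.000-05|INFO|Antivirus override file not found',
]

@dataclass
class AvReading:
    timestamp: str
    av_product: Optional[str]      # None when the agent reported DELETE (nothing detected)
    av_source: Optional[str]       # "Defined", "SecurityCenter" or "Override"
    av_running: Optional[bool]
    av_up_to_date: Optional[bool]

def parse_av_check(line: str) -> Optional[AvReading]:
    # Entry layout: <agent version>|<timestamp>|<level>|<operation>|<JSON record>
    fields = line.strip().split("|", 4)
    if len(fields) != 5 or fields[3] != "POLL":
        return None
    try:
        record = json.loads(fields[4])
    except ValueError:
        return None
    # "Antivirus" appears in unrelated entries; the definition name is the real filter.
    if record.get("definitionName") != "AntiVirus" or record.get("monitorId") != "BUILT-IN":
        return None
    payload = record.get("json", "")
    if payload == "DELETE":
        return AvReading(fields[1], None, None, None, None)
    detail = json.loads(payload)  # the reading itself is JSON encoded as a string
    return AvReading(fields[1], detail.get("avProduct"), detail.get("avSource"),
                     detail.get("avRunning"), detail.get("avUpToDate"))

def summarize(lines) -> dict:
    # Count checks by avSource ("none" = DELETE); only SecurityCenter hits suggests the server gap above.
    counts = {}
    for line in lines:
        reading = parse_av_check(line)
        if reading is not None:
            key = reading.av_source or "none"
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Run it against a real log with `summarize(open(path, errors="replace"))` and compare the Defined count against the number of servers expected to carry a natively detected product.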