Why are mystery Datto RMM device records appearing in my sites without me running the Agent installer?
- Datto RMM
Anti-malware suites run Agent installers in their automated testing labs to analyze them.
It can be alarming to suddenly see unexplained devices appearing in your sites, but this is rarely a cause for concern. In the vast majority of cases, mystery device records are created by antivirus and anti-malware suites uploading Agent installers to automated testing labs for evaluation.
- Why does this happen?
- What is the process?
- How can I recognize an anti-malware vendor's testing device?
- What if I know my anti-malware software doesn't do this?
- Is there anything I can do to protect my Datto RMM account?
Why does this happen?
A common feature of modern anti-malware suites is the ability to upload files of obscure origin to offsite, automated testing facilities for heuristic malware behavior checks. This automatic process can be triggered by the Agent installer's first execution. Since every Agent installer is keyed to a particular site, each installer has a different file hash, so vendors cannot recognize every installer from a single known hash and blanket detection (or exclusion) by hash is impossible. Therefore, detection incidents can be frequent when you start a new site if you have not configured whitelisting rules in your anti-malware products.
What is the process?
When the Agent installer runs, it creates a site device record for the machine running the installation. This adaptability is a virtue of the product, and no further interaction is necessary from the end user. However, it also means that a testing device can unintentionally create a record simply by scanning the installer. Testing devices are not normally connected for long (they typically connect for only a few seconds before uninstalling the Agent), so little or no audit data appears for the devices in question. Datto has not observed testing devices connecting to the platform more than once.
How can I recognize an anti-malware vendor's testing device?
While it is possible to make broad assumptions, anti-malware vendors do not publish the naming conventions for their testing devices, so identifying these devices is difficult for an Administrator.
Typical signs of an anti-malware vendor testing device are:
- Hostname containing one of the strings "CWS", "Wilbert", "Cuckoo", or "ABC"
- Device running Windows XP
- IP address outside of scope of typical site devices
- Little to no audit data
- Generic user name such as "Johndoe", "Administrator", or "User"
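The indicators above are heuristics, and one of them in isolation (an "Administrator" login on a real desktop, for instance) proves nothing. The following triage script, an added example that is not part of this article or of Datto RMM, scores exported device records against all of the signs listed here plus the single-connection behavior described under "What is the process?" and flags only records that match several at once. The `DeviceRecord` fields, the site CIDR list, and the sample records are assumptions constructed for the example, not the Datto RMM export schema.

```python
import ipaddress
from dataclasses import dataclass

# Indicators taken from the list above. They are heuristics only, so a device
# that matches them still needs a human check before anything is deleted.
SANDBOX_HOSTNAME_STRINGS = ("CWS", "WILBERT", "CUCKOO", "ABC")
GENERIC_USER_NAMES = {"johndoe", "administrator", "user"}


@dataclass
class DeviceRecord:
    """Assumed shape of an exported device record (not the Datto RMM schema)."""
    hostname: str
    os_name: str
    ip_address: str
    last_user: str
    audit_fields_populated: int   # assumed: count of non-empty audit fields
    checkins: int                 # assumed: number of times the Agent connected


def sandbox_indicators(device, site_networks, audit_threshold=3):
    """Return the list of testing-device indicators a single record matches."""
    hits = []
    upper_host = device.hostname.upper()
    for token in SANDBOX_HOSTNAME_STRINGS:
        if token in upper_host:
            hits.append(f"hostname contains {token!r}")
            break
    if "windows xp" in device.os_name.lower():
        hits.append("runs Windows XP")
    try:
        addr = ipaddress.ip_address(device.ip_address)
        if not any(addr in net for net in site_networks):
            hits.append("IP outside site scope")
    except ValueError:
        hits.append("unparseable IP address")
    if device.audit_fields_populated < audit_threshold:
        hits.append("little or no audit data")
    if device.last_user.lower() in GENERIC_USER_NAMES:
        hits.append(f"generic user name {device.last_user!r}")
    if device.checkins <= 1:
        hits.append("connected at most once")
    return hits


def triage(devices, site_cidrs, min_indicators=2):
    """Map hostname -> matched indicators for records meeting the threshold.

    Requiring more than one indicator keeps a legitimate device with a single
    generic login from being flagged alongside real testing-lab records.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in site_cidrs]
    flagged = {}
    for device in devices:
        hits = sandbox_indicators(device, nets)
        if len(hits) >= min_indicators:
            flagged[device.hostname] = hits
    return flagged


# Constructed sample records; not real site data.
SAMPLE_DEVICES = [
    DeviceRecord("CWS-7A3F", "Windows XP Professional", "203.0.113.45", "Administrator", 0, 1),
    DeviceRecord("ACCT-LAPTOP-02", "Windows 10 Pro", "10.20.1.57", "jsmith", 12, 40),
    DeviceRecord("cuckoo1", "Windows 7", "198.51.100.9", "user", 1, 1),
    DeviceRecord("HR-DESK-11", "Windows 11 Pro", "10.20.2.14", "Administrator", 10, 120),
]
# Assumed address range for the site's own devices.
SITE_NETWORKS = ["10.20.0.0/16"]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_DEVICES, SITE_NETWORKS).items():
        print(host, "->", "; ".join(reasons))
```

Run against the constructed sample, the two sandbox-style records are flagged with every reason listed, while `HR-DESK-11` (one generic login, otherwise normal) and the accounting laptop are left alone. Adjust `SITE_NETWORKS`, the audit threshold and `min_indicators` to your own site before trusting the output.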
What if I know my anti-malware software doesn't do this?
Even if your enterprise's anti-malware software does not include or use a dedicated offsite testing facility, you or a colleague may have uploaded the Agent installer for your site to an online antivirus comparison tool to check it for false positives before installing it. Anyone with access to your Agent installers can do this.
Is there anything I can do to protect my Datto RMM account?
These devices are harmless, but they can clutter your dashboard. To prevent this, enable device sandboxing from your Account Settings.
Sandboxing blocks devices you have not yet given explicit site access to from communicating with the platform. It will also highlight those devices in blue to simplify management. For more information, review our New device approval article.