Datto RMM: Why are mystery device records appearing in my sites without me running the Agent installer?


Question

Why are mystery Datto RMM device records appearing in my sites without me running the Agent installer?

Environment

  • Datto RMM

Answer

Software suites that defend against malware run Agent installers to analyze them.

It can be alarming to suddenly see unexplained devices appearing in your sites, but this is rarely cause for concern. In the vast majority of cases, mystery device records are created when an antivirus or anti-malware suite uploads an Agent installer to an automated testing lab (a sandbox) for evaluation, and the sandbox runs it.

Why does this happen?

A common feature of modern anti-malware suites is the ability to upload files of unknown reputation to an offsite, automated testing facility for heuristic and behavioral analysis. The upload is typically triggered the first time the Agent installer is executed on a protected machine. Because every Agent installer is keyed to a particular site, each installer has a different file hash, so neither your anti-malware vendor nor you can allowlist (or recognize) every installer by a single hash. Detection incidents are therefore most frequent when you start a new site and have not yet configured allowlisting rules for the installer in your anti-malware products.

All Datto RMM Agent installers are digitally signed by CentraStage Ltd. or by Autotask International Holdings Limited. Since the hash differs per site but the signer does not, allowlisting rules based on the publisher's code-signing certificate are far more durable than rules based on file hashes.
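The following PowerShell function is an added example, not code shipped by Datto. It checks that an Agent installer carries a valid Authenticode signature from one of the two publishers named above, and reports the file's SHA-256 so you can compare installers from two sites and see why per-hash allowlisting does not scale. The installer path in the usage comment is hypothetical, and the script assumes the certificate subject's CN contains the publisher names quoted in the article.

```powershell
# Added example (not Datto's own code): verify an Agent installer's Authenticode
# signature against the publishers named in the article and report its SHA-256.
# Assumed: the installer path is hypothetical, and the certificate subject CN values
# are assumed to contain the publisher names quoted above.

function Test-DattoInstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $ExpectedSigners = @('CentraStage Ltd', 'Autotask International Holdings Limited')
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) means the
    # file is unsigned, was modified after signing, or the chain is not trusted.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Sha256 = $sha256; Signer = $null
            Trusted = $false; Reason = "signature status is '$($sig.Status)'"
        }
    }

    # A valid signature from an unexpected publisher is still not a Datto installer.
    $subject = $sig.SignerCertificate.Subject
    $match   = $ExpectedSigners | Where-Object { $subject -like "*CN=$_*" } | Select-Object -First 1

    [pscustomobject]@{
        Path    = $Path
        Sha256  = $sha256
        Signer  = $subject
        Trusted = [bool]$match
        Reason  = if ($match) { "signed by expected publisher '$match'" } else { 'valid signature but unexpected publisher' }
    }
}

# Usage (path is hypothetical). Run it against the installers of two different sites:
# the Sha256 values differ while Signer stays the same, so allowlist on the publisher.
# Test-DattoInstallerSignature -Path 'C:\Temp\AgentInstaller-SiteA.exe' | Format-List
```

Feed the returned `Trusted` flag into whatever allowlisting workflow you use; a `HashMismatch` status in particular should never be allowlisted, because it means the bytes on disk are not the bytes the publisher signed.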

What is the process?

When the Agent installer runs, it creates a site device record for the machine running the installation. This is by design: no further interaction is required from the end user. It also means, however, that a vendor's testing device creates a record simply because the installer was executed during a scan. Testing devices are not normally connected for long (typically only a few seconds before the Agent is uninstalled), so little or no audit data appears for the devices in question. Datto has not observed a testing device connecting to the platform more than once.

How can I recognize an anti-malware vendor's testing device?

Only broad heuristics are possible: anti-malware vendors do not publish the naming conventions of their testing devices, so positive identification is difficult for an Administrator.

Typical signs of an anti-malware vendor testing device are:

  • Hostname containing the string "CWS", "Wilbert", "Cuckoo" or "ABC"
  • Device running Windows XP
  • IP address outside of scope of typical site devices
  • Little to no audit data
  • Generic user name like "Johndoe", "Administrator", and "User"
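None of these indicators is conclusive on its own ("ABC" appears in plenty of legitimate hostnames), so it is more useful to score each record against all of them together. The PowerShell below is an added example, not Datto's own code: it scores device records against the five indicators listed above and flags those crossing a threshold. The device records at the bottom are constructed sample data using documentation IP ranges, and the property names (Hostname, OperatingSystem, LastUser, ExternalIp, AuditRecords) are assumed; map them to the columns of your own device export.

```powershell
# Added example (not Datto's own code): score device records against the indicators
# listed in the article to find probable anti-malware sandbox check-ins. The sample
# records at the bottom are constructed, and the property names are assumed.

function Test-IpInCidr {
    # IPv4 only: returns $true when $Ip falls inside any of the given CIDR ranges.
    param([string] $Ip, [string[]] $Cidrs)

    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }

    $bytes = $addr.GetAddressBytes(); [Array]::Reverse($bytes)
    $ipInt = [long][BitConverter]::ToUInt32($bytes, 0)

    foreach ($cidr in $Cidrs) {
        $net, $bits = $cidr -split '/'
        $nb = [System.Net.IPAddress]::Parse($net).GetAddressBytes(); [Array]::Reverse($nb)
        $netInt = [long][BitConverter]::ToUInt32($nb, 0)
        # Build the network mask arithmetically to avoid signed-shift surprises.
        $mask = [long](4294967295 - ([math]::Pow(2, 32 - [int]$bits) - 1))
        if (($ipInt -band $mask) -eq ($netInt -band $mask)) { return $true }
    }
    return $false
}

function Get-SuspectedSandboxDevice {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        # Public IP ranges your site devices normally check in from (assumed; CIDR notation).
        [string[]] $ExpectedCidrs = @(),
        # Each indicator is weak on its own, so require several before flagging.
        [int] $Threshold = 3
    )

    $hostPatterns = 'CWS', 'Wilbert', 'Cuckoo', 'ABC'
    $genericUsers = 'Johndoe', 'Administrator', 'User'

    foreach ($d in $Devices) {
        $reasons = @()
        foreach ($p in $hostPatterns) {
            # -like is case-insensitive, so "cuckoo1" matches "Cuckoo".
            if ($d.Hostname -like "*$p*") { $reasons += "hostname contains '$p'"; break }
        }
        if ($d.OperatingSystem -match 'Windows XP') { $reasons += 'running Windows XP' }
        if ($ExpectedCidrs.Count -gt 0 -and -not (Test-IpInCidr -Ip $d.ExternalIp -Cidrs $ExpectedCidrs)) {
            $reasons += "IP $($d.ExternalIp) outside expected ranges"
        }
        if ($d.AuditRecords -eq 0) { $reasons += 'no audit data' }
        if ($genericUsers -contains $d.LastUser) { $reasons += "generic user '$($d.LastUser)'" }

        [pscustomobject]@{
            Hostname = $d.Hostname
            Score    = $reasons.Count
            Suspect  = ($reasons.Count -ge $Threshold)
            Reasons  = ($reasons -join '; ')
        }
    }
}

# Constructed sample records (documentation IP ranges, not real devices).
$sampleDevices = @(
    [pscustomobject]@{ Hostname = 'CWS-VM-07';      OperatingSystem = 'Windows XP Professional'; LastUser = 'Administrator'; ExternalIp = '203.0.113.45';  AuditRecords = 0  }
    [pscustomobject]@{ Hostname = 'ACCT-LAPTOP-12'; OperatingSystem = 'Windows 11 Pro';          LastUser = 'jsmith';        ExternalIp = '198.51.100.20'; AuditRecords = 37 }
    [pscustomobject]@{ Hostname = 'cuckoo1';        OperatingSystem = 'Windows 7 Professional';  LastUser = 'User';          ExternalIp = '192.0.2.9';     AuditRecords = 0  }
)

Get-SuspectedSandboxDevice -Devices $sampleDevices -ExpectedCidrs '198.51.100.0/24' | Format-Table -AutoSize
```

With the sample data, the two sandbox-looking records cross the threshold and the laptop does not. The point of the `Reasons` column is that you can review why a record was flagged before deleting it; a record flagged only on a hostname substring deserves a second look, whereas one that is also on Windows XP, has no audit data and checked in from an unfamiliar address almost certainly came from a vendor lab.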

What if I know my anti-malware software doesn't do this?

Even if your enterprise's anti-malware software does not include or use a dedicated offsite testing facility, it is possible that you or a colleague uploaded the Agent installer for your site to an online antivirus comparison tool to check it for false positives before installing it. Anyone with access to your Agent installers can do this, which is one more reason to treat the installers as site-specific credentials rather than generic downloads.

A common antivirus comparison tool is VirusTotal. Files submitted there are shared with the participating anti-malware vendors, so a single upload of your site's installer is enough to trigger several vendor sandboxes, and consequently several mystery device records.

Is there anything I can do to protect my Datto RMM account?

These devices are harmless, but they clutter your dashboard. To stop them from appearing as ordinary site devices, enable device sandboxing from your Account Settings.

Sandboxing blocks devices you have not yet given explicit site access to from communicating with the platform. It will also highlight those devices in blue to simplify management. For more information, review our New device approval article.

