Rafe Spaulding

Antivirus Tile - Priority?? Manually Change?


Hey guys, I have a consistent irritation with the Antivirus Tile. Typically, we use Webroot as our anti-virus solution for many clients. But some agents report MSE or Windows Defender as their Anti-virus solution as opposed to Webroot which we wish to display in our reports (Customers purchased it, we wanna see it). I have verified all paths, software installed, Webroot installation is correct. Is there any way to prioritize which solution is displayed in the Antivirus Tile? Is there a manual way to modify the Tile data to reflect the solution we wish to be displayed? How are each of you dealing with the Antivirus Tile irritation?


We never had issues until we installed the "Windows Defender 10" config from the updated solution this spring, and since then it seems like it takes overnight for PCs to correctly detect Bitdefender GZ is installed and running, despite the process/def file/etc being correct.  Until then it detects Defender 10 with the service not running, because duh it shouldn't be.  There are also problems with the Defender 10 config, but support says Defender isn't supported (https://product.connectwise.com/communities/5/topics/14284-fix-windows-defender-10-antivirus-definition).

You can always delete virus configs from the Dashboard...?

In direct answer to your question I don't know if there is a way to force one detection over the other, for instance if it goes "in order" somehow and stops at the first detected.


This is what CW Support told us to do - seemed to help.

 

Hello Colin,

Thanks for contacting ConnectWise Automate.

I see that you are having an issue where your agents are showing MSE as being the antivirus installed instead of Webroot. To fix this, you will want to do the following:

1. Go to System > Configuration > Dashboard > Config > Configuration > Virus Scan
2. Select MSE from the list and click the "Export Selected" button
3. Save the file where you can access it later
4. Select MSE from the list again, right click it and click Delete
5. Once MSE has been deleted, go to System > General > Import > SQL File
6. Select that file from step 4 and click OK
7. Click OK on the prompt that follows

What the above steps do is move the virus scanner to the bottom of the list so it won't be detected first. You can perform the same steps on any virus scanner you want to move to the bottom of the list.

Once the above steps have been completed, wait 24 hours and see if the agents detect Webroot.

Please let me know if you have any further questions or concerns.

Thanks again for contacting ConnectWise Automate and have a great day,

-Nick P
Technical Support Analyst
Need immediate assistance?


 

  • Thanks 1


Hi Colin,

Thank you for replying about removing and re-adding the MSE. I have done this and after using the command 'resend everything' the tile went back to Windows Defender. I also removed the Windows Defender SQL files and put them back in as well. At first it removed Windows Defender from the AV tile, but then had no antivirus showing as running at all as a service. I was just wondering if you knew anything of why this may be? All my PCs have Webroot running, so just don't understand why it is not being picked up.

I only have this issue for a handful of PCs. All the others have picked up Webroot with no issue on the AV tile. I have also been in contact with ConnectWise Automate themselves and they offered no support on this issue, other than what you have said above.

Thanks in advance.

Edited by EllaHood


The AV detection process works basically exactly like this: (I hate partial information, so I reviewed the code actually used to choose the AV ID from LTService version 190.225 (19 Patch 8))

  1. Loop through AV Detection types in ascending order by ID, when done go to Step 10.
  2. Evaluate the OS Type setting. If the target OS specified doesn't match the current machine OS, Go to Step 1.
  3. Evaluate the Program Location path. Is it a valid file? If not, Go to Step 1.
  4. Evaluate the Definition Location. If it is blank, go to Step 1.
    1. Is it a valid file? Extract the timestamp as the Definition Date and go to Step 5.
    2. Is it a valid folder? Extract the timestamp as the Definition Date and go to Step 5.
    3. Use the "Date Mask" regex pattern to extract the Definition Date from the Definition Location value. If nothing was extracted, go to Step 1.
  5. Evaluate the Version Check value. If it is blank, go to Step 6.
    1. Is Version Mask blank? Go to Step 1.
    2. Is Version Check a file? Capture the file version as the Version Check value.
    3. Does the Version Mask pattern match the Version Check value? If not, Go to Step 1.
  6. We now have a complete "AV" profile to test.
    1. Is this the first AV ID candidate? Go to Step 7.
    2. Is the Definition Date equal to or newer than the last found AV ID? If not, Go to Step 1.
  7. The current AV ID becomes the currently "Chosen" AV ID.
  8. Evaluate the AP Process. (Split on ":" if found and loop). Does it match a process that is running? If not running, AV Running is set to False, Go to Step 1.
  9. The current AV ID is added to a list of running AV IDs. AV Running is set to True. Go To Step 1.
  10. Check the list of Running AVs (built in Step 9). If 1 or less were found, go to Step 14.
  11. Loop through the Running AV IDs. When done, go to Step 14.
  12. Does the Definition Location contain "Windows Defender"? Go to Step 11.
  13. The current AV ID becomes the currently "Chosen" AV ID. Go to Step 11.
  14. Is the "Chosen" AV AP Process value blank or does it end with "*"? Go to Step 17.
  15. Is the WMI Class \root\SecurityCenter2:AntiVirusProduct found? Set AV Running to the state indicated by the "ProductState" attribute and Go to Step 17.
  16. Is the WMI Class \root\SecurityCenter:AntiVirusProduct found? Set AV Running to the state indicated by the "onAccessScanningEnabled" attribute and Go to Step 17.
  17. Report the Chosen AV ID, and the AV Running State.

When two AV definitions are compared, the first one tested (lowest ID) has the advantage, but it will still lose to another AV match with a newer signature date. And if multiple running AV products are found, one of them will be picked over a "newer" product that wasn't running. In general the first chosen Running AV with the newest definitions will be the one returned, and the AV Running state will be based on matching the process name or what Windows Security Center is indicating. (I think I summarized that right..)

If your Primary AV product definitions get a day behind, a secondary AV could suddenly be the reported AV. In my experience, outdated AV definitions are the most common reason for Windows Defender to show up even when you know you have another AV product in place. If its definition date is newer, it will be reported as the active AV product.

 

  • Like 1
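
The selection steps listed in the post above (steps 1 and 6-13), modelled as an added example; this is not LTService code and does not come from the poster or ConnectWise. It assumes steps 2-5 have already been reduced to a definition date (`None` when any check failed), leaves out the Security Center lookups in steps 14-16, and uses constructed IDs, paths and dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class AvDef:
    """One Virus Scan definition as evaluated on one machine (constructed model)."""
    av_id: int
    name: str
    def_location: str
    def_date: Optional[date]   # None = rejected by steps 2-5 (OS, paths, version)
    process_running: bool

def choose_av(defs):
    """Return (chosen AV name or None, AV Running flag) per steps 1 and 6-13."""
    chosen, av_running, running = None, False, []
    for av in sorted(defs, key=lambda d: d.av_id):       # step 1: ascending ID
        if av.def_date is None:                          # steps 2-5 failed
            continue
        if chosen is not None and av.def_date < chosen.def_date:
            continue                                     # step 6.2: older definitions lose
        chosen = av                                      # step 7
        av_running = av.process_running                  # step 8
        if av.process_running:
            running.append(av)                           # step 9
    if len(running) > 1:                                 # steps 10-13
        for av in running:
            if "Windows Defender" not in av.def_location:
                chosen = av                              # a running non-Defender AV wins
    return (chosen.name if chosen else None, av_running)

# Constructed sample paths; hypothetical values, not taken from any Automate config.
DEFENDER_LOC = r"C:\ProgramData\Microsoft\Windows Defender\Definition Updates"
WEBROOT_LOC = r"C:\ProgramData\WRData"

def scenario(webroot_id, defender_id, webroot_date, defender_date, defender_running):
    """Webroot is always running here; only IDs, dates and Defender's state vary."""
    return choose_av([
        AvDef(webroot_id, "Webroot", WEBROOT_LOC, webroot_date, True),
        AvDef(defender_id, "Windows Defender", DEFENDER_LOC, defender_date, defender_running),
    ])

if __name__ == "__main__":
    old, new = date(2020, 1, 1), date(2020, 1, 2)
    print(scenario(10, 20, old, new, False))  # Webroot a day behind, Defender stopped
    print(scenario(10, 20, old, new, True))   # both running, Webroot has the lower ID
    print(scenario(20, 10, old, new, True))   # both running, Defender has the lower ID
```

In this model, when Defender has the lower ID and newer definitions, Webroot is rejected at step 6.2 before its process is ever checked, so it never reaches the running list; when Webroot has the lower ID it is already on that list by the time Defender is evaluated.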


If it helps, we took the approach of just deleting the Defender definitions. We use Sophos, so if only Defender is there and not Sophos, then we consider that as missing AV.

  • Haha 1

11 hours ago, DarrenWhite99 said:

If your Primary AV product definitions get a day behind, a secondary AV could suddenly be the reported AV.

Interesting and thanks for the details.  Does your comment still fit if Defender is "disabled" because the other a/v is installed?  It seems like in that scenario Defender should still have a lower priority?  The overnight redetection (resend config, reboot, agent restart, etc. doesn't seem to work) could be explained by an a/v update, although Bitdefender checks hourly.

