To whitelist the Atera agent in Windows Defender, run the following commands in PowerShell with Admin rights. You can run the commands locally using PowerShell ISE (integrated scripting environment).
Add-MpPreference -ExclusionPath "C:\Program Files\Atera Networks\AteraAgent" -Force
Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Atera Networks\AteraAgent" -Force
Add-MpPreference -ExclusionProcess "AteraAgent.exe" -Force
As a preventative measure, you can upload the commands to Atera and run them on your agents. This will stop Windows Defender from flagging and removing the Atera Agent.
Note: Make sure to run the commands as System, and to select the right file type, .ps1.
See Create or Upload Scripts for more information on uploading a script to Atera.
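The following is an added example, not Atera's own script: it applies the same exclusions only where AteraAgent.exe is actually installed and carries a valid Authenticode signature, then reads the result back with Get-MpPreference. It assumes the install paths shown above and, as a deliberate variation, excludes the process by its full image path rather than by bare name so that only that file is matched.

```powershell
#Requires -RunAsAdministrator
# Added example, not Atera's script. Install paths are taken from the commands above.
$ExeName = 'AteraAgent.exe'

# Build candidate directories; ProgramFiles(x86) is empty on 32-bit Windows.
$Roots = @($Env:ProgramFiles, ${Env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Atera Networks\AteraAgent' } |
    Select-Object -Unique

$Applied = New-Object System.Collections.ArrayList
foreach ($Dir in $Roots) {
    $Exe = Join-Path $Dir $ExeName
    if (-not (Test-Path -LiteralPath $Exe -PathType Leaf)) {
        Write-Output "Skipped  : ${Dir} (agent not installed here)"
        continue
    }

    # Exclude only a binary whose Authenticode signature validates on this machine.
    $Sig = Get-AuthenticodeSignature -FilePath $Exe
    if ($Sig.Status -ne 'Valid') {
        Write-Warning "Skipped  : ${Exe} (signature status: $($Sig.Status))"
        continue
    }
    Write-Output "Signer   : $($Sig.SignerCertificate.Subject)"

    # Assumption: full image path instead of the bare name used above (narrower match).
    Add-MpPreference -ExclusionPath $Dir -ExclusionProcess $Exe -Force
    $Applied.Add([pscustomobject]@{ Path = $Dir; Process = $Exe }) | Out-Null
}

# Read the configuration back and report anything Defender did not record.
$Pref = Get-MpPreference
foreach ($Item in $Applied) {
    $PathOk = $Pref.ExclusionPath    -contains $Item.Path
    $ProcOk = $Pref.ExclusionProcess -contains $Item.Process
    if ($PathOk -and $ProcOk) { Write-Output "Verified : $($Item.Path)" }
    else { Write-Warning "Missing  : exclusion for $($Item.Path) was not recorded" }
}
if ($Applied.Count -eq 0) { Write-Warning 'No exclusions were added.' }
```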
Restore Atera Agent from Quarantine
If Atera was quarantined, you'll need to restore Atera and its services.
Run the following command using CMD (.bat) with Admin rights.
64-bit machine:
"C:\Program Files\Windows Defender\MpCmdRun.exe" -Restore -Name "HackTool:Win32/RemoteAdmin" -path "C:\Program Files\ATERA Networks\AteraAgent"
32-bit machine:
"C:\Program Files\Windows Defender\MpCmdRun.exe" -Restore -Name "HackTool:Win32/RemoteAdmin" -path "C:\Program Files (x86)\ATERA Networks\AteraAgent"
For more information on restoring files from quarantine, see this article by Microsoft.
Note: In case restoring the Atera agent is not possible, a full cleanup and reinstallation of the agent should be done (see below).
Reinstall the Atera Agent
Run the script below in PowerShell ISE with Admin rights to do a full cleanup of the Atera Agent.
#Start Script

# Collect the MSI package code (GUID) of every product whose DisplayName matches
Function Get-UninstallCodes ([string]$DisplayName) {
    'HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' | ForEach-Object {
        Get-ChildItem -Path $_ -ErrorAction SilentlyContinue | ForEach-Object {
            If ( $(Get-ItemProperty -Path $_.PSPath -Name 'DisplayName' -ErrorAction SilentlyContinue) -and ($(Get-ItemPropertyValue -Path $_.PSPath -Name 'DisplayName' -ErrorAction SilentlyContinue) -eq $DisplayName) ) {
                $str = (Get-ItemPropertyValue -Path $_.PSPath -Name 'UninstallString')
                $UninstallCodes.Add($str.Substring(($str.Length - 37),36)) | Out-Null
            }
        }
    }
}

# Collect the installer product key of every product whose ProductName matches
Function Get-ProductKeys ([string]$ProductName) {
    Get-ChildItem -Path 'HKCR:Installer\Products' | ForEach-Object {
        If ( $(Get-ItemProperty -Path $_.PSPath -Name 'ProductName' -ErrorAction SilentlyContinue) -and ($(Get-ItemPropertyValue -Path $_.PSPath -Name 'ProductName' -ErrorAction SilentlyContinue) -eq $ProductName) ) {
            $ProductKeys.Add($_.PSPath.Substring(($_.PSPath.Length - 32))) | Out-Null
        }
    }
}

Function Get-ServiceStatus ([string]$Name) { (Get-Service -Name $Name -ErrorAction SilentlyContinue).Status }

Function Stop-RunningService ([string]$Name) {
    If ( $(Get-ServiceStatus -Name $Name) -eq "Running" ) { Write-Output "Stopping : ${Name} service" ; Stop-Service -Name $Name -Force }
}

Function Remove-StoppedService ([string]$Name) {
    $s = (Get-ServiceStatus -Name $Name)
    If ( $s ) {
        If ( $s -eq "Stopped" ) {
            Write-Output "Deleting : ${Name} service"
            Start-Process "sc.exe" -ArgumentList "delete ${Name}" -Wait
        }
    } Else { Write-Output "Not Found: ${Name} service" }
}

Function Stop-RunningProcess ([string]$Name) {
    # Look the process up by the function's own parameter, not the caller's pipeline variable
    $p = (Get-Process -Name $Name -ErrorAction SilentlyContinue)
    If ( $p ) { Write-Output "Stopping : ${Name}.exe" ; $p | Stop-Process -Force }
    Else { Write-Output "Not Found: ${Name}.exe is not running"}
}

# Works for both file system paths and registry keys
Function Remove-Path ([string]$Path) {
    If ( Test-Path $Path ) {
        Write-Output "Deleting : ${Path}"
        Remove-Item $Path -Recurse -Force
    } Else { Write-Output "Not Found: ${Path}" }
}

Function Get-AllExeFiles ([string]$Path) {
    If ( Test-Path $Path ) {
        Get-ChildItem -Path $Path -Filter *.exe -Recurse | ForEach-Object { $ExeFiles.Add($_.BaseName) | Out-Null }
    }
}

# Mount HKEY_CLASSES_ROOT registry hive
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null

#######
# START: Information gathering
#######

# Get MSI package codes from the uninstall key
$UninstallCodes = New-Object System.Collections.ArrayList
'AteraAgent', 'Splashtop for RMM', 'Splashtop Streamer' | ForEach-Object { Get-UninstallCodes -DisplayName $_ }

# Get product keys from the list of installed products
$ProductKeys = New-Object System.Collections.ArrayList
'AteraAgent', 'Splashtop for RMM', 'Splashtop Streamer' | ForEach-Object { Get-ProductKeys -ProductName $_ }

# Define all the directories we'll need to cleanup at the end of this script
$Directories = @(
    "${Env:ProgramFiles}\ATERA Networks",
    "${Env:ProgramFiles(x86)}\ATERA Networks",
    "${Env:ProgramFiles}\Splashtop\Splashtop Remote\Server",
    "${Env:ProgramFiles(x86)}\Splashtop\Splashtop Remote\Server",
    "${Env:ProgramFiles}\Splashtop\Splashtop Software Updater",
    "${Env:ProgramFiles(x86)}\Splashtop\Splashtop Software Updater",
    "${Env:ProgramData}\Splashtop\Splashtop Software Updater"
)

# Get all possible relevant exe files so we can make sure they're closed later on
$ExeFiles = New-Object System.Collections.ArrayList
"${Env:ProgramFiles}\ATERA Networks" | ForEach-Object { Get-AllExeFiles -Path $_ }

# Define a list of services we need to stop and delete (if necessary)
$ServiceList = @(
    'AteraAgent',
    'SplashtopRemoteService',
    'SSUService'
)

# Define a list of registry keys we'll delete
$RegistryKeys = @(
    'HKLM:SOFTWARE\ATERA Networks',
    'HKLM:SOFTWARE\Splashtop Inc.',
    'HKLM:SOFTWARE\WOW6432Node\Splashtop Inc.'
)

#######
# END: Information gathering
#######

# Uninstall each MSI package code in $UninstallCodes
$UninstallCodes | ForEach-Object { Write-Output "Uninstall: ${_}" ; Start-Process "msiexec.exe" -ArgumentList "/X{${_}} /qn" -Wait }

# Stop services if they're still running
$ServiceList | ForEach-Object { Stop-RunningService -Name $_ }

# Terminate all relevant processes that may still be running
$ExeFiles.Add('reg') | Out-Null
$ExeFiles | ForEach-Object { Stop-RunningProcess $_ }

# Delete services if they're still present
$ServiceList | ForEach-Object { Remove-StoppedService -Name $_ }

# Delete products from MSI installer registry
$ProductKeys | ForEach-Object { Remove-Path -Path "HKCR:Installer\Products\${_}" }

# Unmount HKEY_CLASSES_ROOT registry hive
Remove-PSDrive -Name HKCR

# Delete registry keys
$RegistryKeys | ForEach-Object { Remove-Path -Path $_ }

# Delete remaining directories
#Write-Host "Waiting for file locks to be freed" ; Start-Sleep -Seconds 4
$Directories | ForEach-Object { Remove-Path -Path $_ }

#End of Script
After running the script on the device, the Atera agent can be installed again. For more information, see Install an agent on a Windows OS device.