Log in

How can we help?

  1. Atera Support
  2. Atera MSP
  3. Atera Pro Tips
Help Center

    Whitelist Atera in Windows Defender

    This article describes:

     

    Whitelist the Atera Agent

    To whitelist the Atera agent in Windows Defender, run the following commands in PowerShell with Admin rights. You can run the commands locally using PowerShell ISE (integrated scripting environment).

    Add-MpPreference -ExclusionPath "C:\Program Files\Atera Networks\AteraAgent" -Force
Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Atera Networks\AteraAgent" -Force
Add-MpPreference -ExclusionProcess "AteraAgent.exe" -Force

    As a preventative measure, you can upload the commands in Atera and run them on your agents. This will stop Windows Defender from flagging and removing the Atera Agent.
    Note: Make sure to run the commands as System, and to select the right file type, .ps1

    See Create or Upload Scripts for more information on uploading a script to Atera.

     

    Restore Atera Agent from Quarantine

    If Atera was quarantined, you'll need to restore Atera and its services.

    Run the following command using CMD (.bat) with Admin rights.

    64-bit machine:

    "C:\Program Files\Windows Defender\MpCmdRun.exe" -Restore -Name "HackTool:Win32/RemoteAdmin" -path "C:\Program Files\ATERA Networks\AteraAgent"

    32-bit machine:

    "C:\Program Files\Windows Defender\MpCmdRun.exe" -Restore -Name "HackTool:Win32/RemoteAdmin" -path "C:\Program Files (x86)\ATERA Networks\AteraAgent"

    For more information on restoring files from quarantine, see this article by Microsoft.

    Note: In case restoring the Atera agent is not possible, a full cleanup and reinstallation of the agent should be done (see below).

     

    Reinstall the Atera Agent

    Run the script below in PowerShell ISE with Admin rights to do a full cleanup of the Atera Agent.

    #Start Script
    Function Get-UninstallCodes ([string]$DisplayName) {
        'HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' | ForEach-Object {
            Get-ChildItem -Path $_ -ErrorAction SilentlyContinue | ForEach-Object {
                If ( $(Get-ItemProperty -Path $_.PSPath -Name 'DisplayName' -ErrorAction SilentlyContinue) -and ($(Get-ItemPropertyValue -Path $_.PSPath -Name 'DisplayName' -ErrorAction SilentlyContinue) -eq $DisplayName) ) {
                    $str = (Get-ItemPropertyValue -Path $_.PSPath -Name 'UninstallString')
                    $UninstallCodes.Add($str.Substring(($str.Length - 37),36)) | Out-Null
                }
            }
        }
    }Function Get-ProductKeys ([string]$ProductName) {
        Get-ChildItem -Path 'HKCR:Installer\Products' | ForEach-Object {
            If ( $(Get-ItemProperty -Path $_.PSPath -Name 'ProductName' -ErrorAction SilentlyContinue) -and ($(Get-ItemPropertyValue -Path $_.PSPath -Name 'ProductName' -ErrorAction SilentlyContinue) -eq $ProductName) ) {
                $ProductKeys.Add($_.PSPath.Substring(($_.PSPath.Length - 32))) | Out-Null
            }
        }
    }Function Get-ServiceStatus ([string]$Name) { (Get-Service -Name $Name -ErrorAction SilentlyContinue).Status }Function Stop-RunningService ([string]$Name) {
        If ( $(Get-ServiceStatus -Name $Name) -eq "Running" ) { Write-Output "Stopping : ${Name} service" ; Stop-Service -Name $Name -Force }
    }Function Remove-StoppedService ([string]$Name) {
        $s = (Get-ServiceStatus -Name $Name)
        If ( $s ) {
            If ( $s -eq "Stopped" ) {
                Write-Output "Deleting : ${Name} service"
                Start-Process "sc.exe" -ArgumentList "delete ${Name}" -Wait
            }
        } Else { Write-Output "Not Found: ${Name} service" }
    }Function Stop-RunningProcess ([string]$Name) {
        $p = (Get-Process -Name $_ -ErrorAction SilentlyContinue)
        If ( $p ) { Write-Output "Stopping : ${Name}.exe" ; $p | Stop-Process -Force }
        Else { Write-Output "Not Found: ${Name}.exe is not running"}
    }Function Remove-Path ([string]$Path) {
        If ( Test-Path $Path ) {
            Write-Output "Deleting : ${Path}"
            Remove-Item $Path -Recurse -Force
        } Else { Write-Output "Not Found: ${Path}" }
    }Function Get-AllExeFiles ([string]$Path) {
        If ( Test-Path $Path ) {
            Get-ChildItem -Path $Path -Filter *.exe -Recurse | ForEach-Object { $ExeFiles.Add($_.BaseName) | Out-Null }
        }
    }# Mount HKEY_CLASSES_ROOT registry hive
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null#######
    # START: Information gathering
    ######## Get MSI package codes from the uninstall key
    $UninstallCodes = New-Object System.Collections.ArrayList
    'AteraAgent', 'Splashtop for RMM', 'Splashtop Streamer' | ForEach-Object { Get-UninstallCodes -DisplayName $_ }# Get product keys from the list of installed products
    $ProductKeys = New-Object System.Collections.ArrayList
    'AteraAgent', 'Splashtop for RMM', 'Splashtop Streamer' | ForEach-Object { Get-ProductKeys -ProductName $_ }# Define all the directories we'll need to cleanup at the end of this script
    $Directories = @(
        "${Env:ProgramFiles}\ATERA Networks",
        "${Env:ProgramFiles(x86)}\ATERA Networks",
        "${Env:ProgramFiles}\Splashtop\Splashtop Remote\Server",
        "${Env:ProgramFiles(x86)}\Splashtop\Splashtop Remote\Server",
        "${Env:ProgramFiles}\Splashtop\Splashtop Software Updater",
        "${Env:ProgramFiles(x86)}\Splashtop\Splashtop Software Updater",
        "${Env:ProgramData}\Splashtop\Splashtop Software Updater"
    )# Get all possible relevant exe files so we can make sure they're closed later on
    $ExeFiles = New-Object System.Collections.ArrayList
    "${Env:ProgramFiles}\ATERA Networks" | ForEach-Object { Get-AllExeFiles -Path $_ }# Define a list of services we need to stop and delete (if necessary)
    $ServiceList = @(
        'AteraAgent',
        'SplashtopRemoteService',
        'SSUService'
    )# Define a list of registry keys we'll delete
    $RegistryKeys = @(
        'HKLM:SOFTWARE\ATERA Networks',
        'HKLM:SOFTWARE\Splashtop Inc.',
        'HKLM:SOFTWARE\WOW6432Node\Splashtop Inc.'
    )#######
    # END: Information gathering
    ######## Uninstall each MSI package code in $UninstallCodes
    $UninstallCodes | ForEach-Object { Write-Output "Uninstall: ${_}" ; Start-Process "msiexec.exe" -ArgumentList "/X{${_}} /qn" -Wait }# Stop services if they're still running
    $ServiceList | ForEach-Object { Stop-RunningService -Name $_ }# Terminate all relevant processes that may still be running
    $ExeFiles.Add('reg')  | Out-Null
    $ExeFiles | ForEach-Object { Stop-RunningProcess $_ }# Delete services if they're still present
    $ServiceList | ForEach-Object { Remove-StoppedService -Name $_ }# Delete products from MSI installer registry
    $ProductKeys | ForEach-Object { Remove-Path -Path "HKCR:Installer\Products\${_}" }# Unmount HKEY_CLASSES_ROOT registry hive
    Remove-PSDrive -Name HKCR# Delete registry keys
    $RegistryKeys | ForEach-Object { Remove-Path -Path $_ }# Delete remaining directories
    #Write-Host "Waiting for file locks to be freed" ; Start-Sleep -Seconds 4
    $Directories | ForEach-Object { Remove-Path -Path $_ }
    #End of Script

    After running the script on the device, the Atera agent can be installed again. For more information, see Install an agent on a Windows OS device

     

     

    Still have a question? Contact us
    Dragos Tulbure

    Related articles