We noticed that some unknown devices were added to Syncro to various sites. They all have the same device name but different serial numbers and are all on VMware. The public IP is an IP from France and we are in Canada.
This will in fact be due to antivirus. They won’t log it as a threat (because it’s not). What happens is if you leave an installer on a machine, AV will pick it up and check it against its DB. It likely won’t have a huge record of it, so it takes it, uploads it to a sandbox, and detonates it to test it. When nothing is found, it kills it and leaves it be. There isn’t anything it needs to notify you about.
The detonation piece is what will cause the device to show up in your Syncro instance, because it’s a legit install with a legit installer. You can almost always identify these devices because they will often be named (Susie’s Computer, etc.), and they will always appear offline, because the machines are killed immediately after detonation.
So long story short, you have two options. Don’t leave installers on machines, or, you can enable asset approval which requires you to accept the device before it shows up in your Syncro instance. The latter won’t stop devices from showing up in the approval section, but it will prevent them from being active devices in your Syncro instance.
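
The traits described in this thread (one device name shared across different serial numbers, VMware guests, a public IP that is not one of your sites, always offline) can be checked together over an asset export. This is an added example, not part of the original posts and not Syncro's own code; the CSV column names, sample rows and known-IP list are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names are assumptions, not Syncro's schema.
SAMPLE_CSV = """name,serial,manufacturer,public_ip,online
DESKTOP-ABC123,VMware-56 4d 01,"VMware, Inc.",203.0.113.10,false
DESKTOP-ABC123,VMware-56 4d 02,"VMware, Inc.",203.0.113.11,false
DESKTOP-ABC123,VMware-56 4d 03,"VMware, Inc.",203.0.113.10,false
FRONTDESK-01,PF2X9ABC,LENOVO,198.51.100.7,true
HYPERV-LAB,VMware-42 aa 09,"VMware, Inc.",198.51.100.7,true
"""

# Constructed: public egress IPs of the sites you actually manage.
KNOWN_SITE_IPS = {"198.51.100.7"}


def load_assets(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_suspected_sandbox(assets, known_ips):
    """Return (name, serial, reasons) for assets matching all four traits."""
    serials_by_name = defaultdict(set)
    for a in assets:
        serials_by_name[a["name"]].add(a["serial"])

    flagged = []
    for a in assets:
        reasons = []
        if len(serials_by_name[a["name"]]) > 1:
            reasons.append("name shared across serials")
        if "vmware" in a["manufacturer"].lower():
            reasons.append("VMware guest")
        if a["public_ip"] not in known_ips:
            reasons.append("unknown public IP")
        if a["online"].strip().lower() != "true":
            reasons.append("offline")
        # Require all four so a legitimate VM at a known site is not flagged.
        if len(reasons) == 4:
            flagged.append((a["name"], a["serial"], reasons))
    return flagged


if __name__ == "__main__":
    hits = flag_suspected_sandbox(load_assets(SAMPLE_CSV), KNOWN_SITE_IPS)
    for name, serial, reasons in hits:
        print(f"{name} [{serial}]: {', '.join(reasons)}")
```

Anything it flags is a candidate for review and removal, not proof of a sandbox registration; a device matching only some of the traits is deliberately left alone.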