
Outage in Kaseya

Datto RMM - Cagservice.exe being flagged as malicious by Antivirus Software due to a Microsoft Defender Definition update misclassifying the executable

Major
May 20, 2026 - Started 3 days ago

Incident Report

We are aware of a problem where the Datto RMM's "cagservice.exe" is being flagged as malicious by some antivirus software, causing it to be quarantined. The Kaseya R&D Team are investigating the issue. Subscribe to the Kaseya Status Page for up-to-date information at https://status.kaseya.com/

Latest Updates ( sorted recent to last )
MONITORING 2 days ago - at 05/21/2026 03:40PM

The Kaseya R&D team confirmed with Microsoft counterparts that the issue was caused by misclassification of the 15.0 Datto RMM version's cagservice.exe in a recent security intelligence update for Microsoft Defender Antivirus and other Microsoft antimalware.

This issue was fixed in the security intelligence update version 1.451.15.0, and the issue should no longer occur as long as the device is on this definition version or later.

Microsoft currently does not offer an automated way to revert the quarantining of a file, therefore manual action is required to bring affected devices back online in Datto RMM.

We recommend that our partners ensure that devices are updated with security intelligence version 1.451.15.0 or later to avoid the agent being falsely flagged as malicious by Microsoft antimalware.

Users can use the below commands and instructions to ensure that the latest security intelligence update is installed on the device to prevent the behavior:

Updating the security intelligence version:
- PowerShell: Update-MpSignature
- Command Prompt (CMD): MpCmdRun.exe -SignatureUpdate

After running the update, users can verify the installed version with the following command:
- Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated
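
The update-and-verify steps above as one per-device check, added here as an example (not Kaseya's or Microsoft's script). It compares the installed definition version numerically against 1.451.15.0, updates if older, and counts Defender detections that reference cagservice.exe. It assumes an elevated PowerShell session on a device with the Defender cmdlets available; the output property names are made up for this example.

```powershell
# Added example: check a device against the fixed security intelligence version.
# Assumes an elevated session and the built-in Defender module.
$FixedVersion = [version]'1.451.15.0'   # fixed version stated in the update above

function Get-SignatureVersion {
    # AntivirusSignatureVersion is a string. Cast to [version] so that
    # 1.451.9.0 sorts before 1.451.15.0 (a plain string comparison would not).
    [version](Get-MpComputerStatus).AntivirusSignatureVersion
}

$current = Get-SignatureVersion
if ($current -lt $FixedVersion) {
    Write-Host "Definitions $current are older than $FixedVersion; updating..."
    try {
        Update-MpSignature -ErrorAction Stop
    }
    catch {
        Write-Warning "Update-MpSignature failed: $($_.Exception.Message)"
    }
    # Re-read the version rather than assuming the update succeeded
    $current = Get-SignatureVersion
}

# Detection history entries whose affected resources mention the agent binary.
# A non-zero count means this device was probably hit and needs the manual
# restore described in the update above.
$hits = @(Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ';') -match 'cagservice\.exe' })

$last = $hits | Sort-Object InitialDetectionTime | Select-Object -Last 1

# One summary object per device, suitable for Export-Csv or an RMM/script result
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    SignatureVersion     = $current.ToString()
    AtOrAboveFixed       = ($current -ge $FixedVersion)
    CagserviceDetections = $hits.Count
    LastDetection        = $last.InitialDetectionTime
}
```

A device reporting AtOrAboveFixed as True with a non-zero CagserviceDetections count has the corrected definitions but may still have the agent in quarantine.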

IDENTIFIED 3 days ago - at 05/21/2026 09:35AM

The R&D team continues to work with Microsoft counterparts on a path to restore the erroneously quarantined assets, and restore RMM connectivity to affected devices.

INVESTIGATING 3 days ago - at 05/20/2026 10:51PM

In collaboration with Microsoft, an update has been made to Microsoft Defender Antivirus and other Microsoft antimalware's security intelligence to prevent these false positive alerts on the cagservice.exe for devices running Microsoft antimalware solutions.

Devices running security intelligence version 1.451.15.0 and above have the updated detection logic. If you receive an alert for the cagservice.exe and your device is on version 1.451.15.0 and above, please reach out to our support team so we can continue to troubleshoot the issue.

The Kaseya R&D Team is now investigating how to restore devices taken offline by the quarantine of the cagservice.exe.

INVESTIGATING 3 days ago - at 05/20/2026 07:05PM

The RMM agent underwent an update, causing some devices with antivirus software, mainly Microsoft Defender for Endpoint, to alert on the update behavior and quarantine "cagservice.exe". This alert has been identified as a false positive.

To prevent these alerts on Microsoft Defender for Endpoint for this new RMM agent, please follow these steps:

1. Go to the Security Portal
2. Go to Settings
3. Go to Endpoints
4. Under "Rules" click on "Indicators"
5. Under the file hashes, add the indicator with the SHA256 Hash: "91774f1195ba7042293bba1152afc334052d6c235a90e715f8c5c5fc8f27b089", and set the expiration to never, and the action to "Allow"
6. Allow time for the indicator to sync to endpoints.

For more information on these steps, please see this Microsoft article: https://learn.microsoft.com/en-us/defender-endpoint/indicator-manage?source=recommendations

The Kaseya R&D team is continuing to investigate this issue.

INVESTIGATING 3 days ago - at 05/20/2026 04:28PM

We are aware of a problem where the Datto RMM's "cagservice.exe" is being flagged as malicious by some antivirus software, causing it to be quarantined.

The Kaseya R&D Team are investigating the issue.

Subscribe to the Kaseya Status Page for up-to-date information at https://status.kaseya.com/
