Datto incident
Datto RMM - v15.0 Cagservice.exe being flagged as malicious by Antivirus Software due to a Microsoft Defender Definition update misclassifying the executable
Datto experienced a major incident on May 20, 2026 affecting Pinotage (EU1) and Merlot (EU2) and 1 more component, lasting 12d 11h. The incident has been resolved; the full update timeline is below.
Affected components
Update timeline
- investigating May 20, 2026, 04:28 PM UTC
We are aware of a problem where the Datto RMM's "cagservice.exe" is being flagged as malicious by some antivirus software, causing it to be quarantined. The Kaseya R&D Team are investigating the issue. Subscribe to the Kaseya Status Page for up-to-date information at https://status.kaseya.com/
- investigating May 20, 2026, 07:05 PM UTC
The RMM agent underwent an update, causing some devices with antivirus software, mainly Microsoft Defender for Endpoint, to alert on the update behavior and quarantine "cagservice.exe". This alert has been identified as a false positive. To prevent these alerts on Microsoft Defender for Endpoint for this new RMM agent, please follow these steps: 1. Go to the Security Portal 2. Go to Settings 3. Go to Endpoints 4. Under "Rules" click on "Indicators" 5. Under the file hashes, add the indicator with the SHA256 Hash: "91774f1195ba7042293bba1152afc334052d6c235a90e715f8c5c5fc8f27b089", and set the expiration to never, and the action to "Allow" 6. Allow time for the indicator to sync to endpoints. For more information on these steps, please see this Microsoft article: https://learn.microsoft.com/en-us/defender-endpoint/indicator-manage?source=recommendations The Kaseya R&D team is continuing to investigate this issue.
- investigating May 20, 2026, 10:51 PM UTC
In collaboration with Microsoft, an update has been made to Defender for Endpoint's security intelligence to prevent these false positive alerts on the cagservice.exe for devices running Microsoft's Defender for Endpoint. Devices running security intelligence version 1.451.15.0 and above have the updated detection logic. If you receive an alert for the cagservice.exe and your device is on version 1.451.150 and above, please reach out to our support team so we can continue to troubleshoot the issue. The Kaseya R&D Team is now investigating how to restore devices taken offline by the quarantine of the cagservice.exe.
- identified May 21, 2026, 09:35 AM UTC
The R&D team continues to work with Microsoft counterparts on a path to restore the erroneously quarantined assets, and restore RMM connectivity to affected devices.
- monitoring May 21, 2026, 03:40 PM UTC
The Kaseya R&D team confirmed with Microsoft counterparts that the issue was caused by misclassification of the 15.0 Datto RMM version's cagservice.exe in a recent security intelligence update for Microsoft Defender Antivirus and other Microsoft antimalware. This issue was fixed in the security intelligence update version 1.451.15.0, and the issue should no longer occur as long as the device is on this definition version or later. While our team works with Microsoft to understand if automatic remediation for devices where the quarantining occurred is feasible, we suggest manual intervention in order to bring affected devices online in Datto RMM. We recommend our partners to ensure that devices are updated with security intelligence update version 1.451.15.0 or later to avoid the agent being falsely flagged as malicious by Microsoft antimalware.
- resolved Jun 02, 2026, 10:29 AM UTC
With the general availability of the 15.0 release version of Datto RMM, we're resolving this informational post.