Datto incident
Datto RMM - Vidal - Cagservice.exe being flagged as malicious by Antivirus Software
Datto is currently experiencing a major incident affecting Vidal (US East), which began 4h ago. The vendor's full update timeline is below.
Affected components
Update timeline
- investigating May 20, 2026, 04:28 PM UTC
We are aware of a problem where the Datto RMM's "cagservice.exe" is being flagged as malicious by some antivirus software, causing it to be quarantined. The Kaseya R&D Team are investigating the issue. Subscribe to the Kaseya Status Page for up-to-date information at https://status.kaseya.com/
- investigating May 20, 2026, 07:05 PM UTC
The RMM agent underwent an update, causing some devices with antivirus software, mainly Microsoft Defender for Endpoint, to alert on the update behavior and quarantine "cagservice.exe". This alert has been identified as a false positive. To prevent these alerts on Microsoft Defender for Endpoint for this new RMM agent, please follow these steps:
1. Go to the Security Portal
2. Go to Settings
3. Go to Endpoints
4. Under "Rules" click on "Indicators"
5. Under the file hashes, add the indicator with the SHA256 Hash: "91774f1195ba7042293bba1152afc334052d6c235a90e715f8c5c5fc8f27b089", and set the expiration to never, and the action to "Allow"
6. Allow time for the indicator to sync to endpoints.
For more information on these steps, please see this Microsoft article: https://learn.microsoft.com/en-us/defender-endpoint/indicator-manage?source=recommendations
The Kaseya R&D team is continuing to investigate this issue.
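Because the allow indicator in step 5 is scoped to one SHA256 value and never expires, it is worth confirming that the binary on an endpoint is the one the notice describes before adding it. The PowerShell below is an added example, not vendor or Microsoft code; the function name `Test-AgentBinary` and the file path are hypothetical, and the only value taken from the page is the published hash.

```powershell
# Added example (not vendor code). The hash is the one published in the update above.
$PublishedSha256 = '91774f1195ba7042293bba1152afc334052d6c235a90e715f8c5c5fc8f27b089'

function Test-AgentBinary {
    [CmdletBinding()]
    param(
        # Path(s) to a copy of cagservice.exe. The location is supplied by the
        # caller; the page does not state an install path.
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]]$Path,

        # Defaults to the hash from the notice; override only for testing.
        [string]$ExpectedSha256 = $PublishedSha256
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                # A quarantined file is typically absent from its original location.
                Write-Warning "Not found (possibly still quarantined): $p"
                continue
            }

            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $p

            # Report the signer as-is; no expected signer is asserted here
            # because the page does not name one.
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            [pscustomobject]@{
                Path            = $p
                Sha256          = $hash.ToLowerInvariant()
                MatchesBulletin = ($hash -ieq $ExpectedSha256)
                SignatureStatus = $sig.Status
                Signer          = $signer
            }
        }
    }
}

# Usage (placeholder path, replace with the real location on the endpoint):
# Test-AgentBinary -Path 'C:\path\to\cagservice.exe' | Format-List
```

A file that reports `MatchesBulletin = False` is not covered by the indicator from step 5, so the Defender alert on that file should be triaged on its own rather than treated as part of this false positive.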