Kaseya incident

Datto RMM - Vidal - Cagservice.exe being flagged as malicious by Antivirus Software

Kaseya is currently experiencing a major incident, which began 7h ago. The vendor's full update timeline is below.

Started: May 20, 2026, 04:28 PM UTC
Resolved: Ongoing
Duration: 7h 7m
Detected by Pingoru: May 20, 2026, 04:28 PM UTC

Update timeline

  1. investigating May 20, 2026, 04:28 PM UTC

    We are aware of a problem where the Datto RMM's "cagservice.exe" is being flagged as malicious by some antivirus software, causing it to be quarantined. The Kaseya R&D Team are investigating the issue. Subscribe to the Kaseya Status Page for up-to-date information at https://status.kaseya.com/

  2. investigating May 20, 2026, 07:05 PM UTC

    The RMM agent underwent an update, causing some devices with antivirus software, mainly Microsoft Defender for Endpoint, to alert on the update behavior and quarantine "cagservice.exe". This alert has been identified as a false positive. To prevent these alerts on Microsoft Defender for Endpoint for this new RMM agent, please follow these steps:

    1. Go to the Security Portal
    2. Go to Settings
    3. Go to Endpoints
    4. Under "Rules" click on "Indicators"
    5. Under the file hashes, add the indicator with the SHA256 Hash: "91774f1195ba7042293bba1152afc334052d6c235a90e715f8c5c5fc8f27b089", and set the expiration to never, and the action to "Allow"
    6. Allow time for the indicator to sync to endpoints.

    For more information on these steps, please see this Microsoft article: https://learn.microsoft.com/en-us/defender-endpoint/indicator-manage?source=recommendations

    The Kaseya R&D team is continuing to investigate this issue.

  3. investigating May 20, 2026, 10:51 PM UTC

    In collaboration with Microsoft, an update has been made to Defender for Endpoint's security intelligence to prevent these false positive alerts on the cagservice.exe for devices running Microsoft's Defender for Endpoint. Devices running security intelligence version 1.451.15.0 and above have the updated detection logic. If you receive an alert for the cagservice.exe and your device is on version 1.451.150 and above, please reach out to our support team so we can continue to troubleshoot the issue. The Kaseya R&D Team is now investigating how to restore devices taken offline by the quarantine of the cagservice.exe.
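
A per-device check covering updates 2 and 3, as an added example that is not Kaseya's or Microsoft's code: it compares the on-disk agent binary against the SHA256 published in update 2 and the Defender security intelligence version against the 1.451.15.0 threshold from update 3. The `-AgentPath` parameter is an assumption, since the status page does not give the install path of `cagservice.exe`.

```powershell
# Added example: verify a device before relying on the allow indicator
# or the updated Defender intelligence described in the vendor updates.
param(
    # Assumption: full path to cagservice.exe on this device (not stated on the page).
    [Parameter(Mandatory)] [string] $AgentPath
)

# Values quoted from the vendor updates.
$PublishedSha256 = '91774f1195ba7042293bba1152afc334052d6c235a90e715f8c5c5fc8f27b089'
$MinIntelVersion = [version]'1.451.15.0'

$result = [ordered]@{
    Computer          = $env:COMPUTERNAME
    FilePresent       = $false   # false usually means the binary is still quarantined
    Sha256            = $null
    HashMatchesVendor = $false   # the allow indicator covers only the published hash
    IntelVersion      = $null
    IntelHasFix       = $false
}

if (Test-Path -LiteralPath $AgentPath -PathType Leaf) {
    $result.FilePresent = $true
    $hash = Get-FileHash -LiteralPath $AgentPath -Algorithm SHA256
    $result.Sha256 = $hash.Hash.ToLowerInvariant()
    $result.HashMatchesVendor = ($result.Sha256 -eq $PublishedSha256)
}

try {
    # AntivirusSignatureVersion is the security intelligence version Defender reports.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $result.IntelVersion = [version]$status.AntivirusSignatureVersion
    $result.IntelHasFix  = ($result.IntelVersion -ge $MinIntelVersion)
} catch {
    Write-Warning "Could not read Defender status: $($_.Exception.Message)"
}

# One object per device so results can be collected and filtered centrally.
[pscustomobject]$result
```

A device reporting `FilePresent = $false` matches the offline case described in update 3, and a file whose hash differs from the published value is not covered by the allow indicator from update 2.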