Datto RMM - Syrah, Vidal - 15.0.1 Cagservice.exe being flagged as malicious (Rapidstop) by Microsoft Defender for Endpoint

Incident Report for Kaseya Inc

Monitoring

A fix has been implemented and we are monitoring the results.

The Kaseya R&D team confirmed with Microsoft counterparts that the issue was caused by misclassification of the 15.0 Datto RMM version's cagservice.exe in a recent security intelligence update for Microsoft Defender Antivirus and other Microsoft antimalware.

This issue was fixed in the security intelligence update version 1.453.344.0, and the issue should no longer occur as long as the device is on this definition version or later. Microsoft currently does not offer an automated way to revert the quarantining of a file, therefore manual action is required to bring affected devices back online in Datto RMM.

We recommend our partners to ensure that devices are updated with security intelligence version 1.453.344.0 or later to avoid the agent being falsely flagged as malicious by Microsoft antimalware.

Users can use the below commands and instructions to ensure that the latest security intelligence update is installed on the device to prevent the behavior:
Updating the security intelligence version:
- PowerShell: Update-MpSignature
- Command Prompt (CMD): MpCmdRun.exe -SignatureUpdate

After running the update, users can verify the installed version with the following command:
- Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated
Posted Jun 29, 2026 - 18:47 EDT

Identified

The issue has been identified and a fix is being implemented.
Posted Jun 29, 2026 - 15:36 EDT

Update

We are continuing to investigate this issue.
Posted Jun 29, 2026 - 12:07 EDT

Investigating

We are aware of a problem where Datto RMM's 15.0.1 Cagservice.exe is being flagged as malicious (Rapidstop) by Microsoft Defender for Endpoint.

The Kaseya R&D Team are investigating this issue.

Subscribe to the Kaseya Status Page for up-to-date information at https://status.kaseya.com/
Posted Jun 29, 2026 - 12:02 EDT
This incident affects: Datto RMM (Syrah (APAC), Vidal (US East)).