So, we discovered that several unknown computers were listed in our customers' organizations. Computers that should not be there. We could see that they were online for a few minutes only, never to go online again. We thought we were hacked somehow. Kaseya support was contacted but could not help us.
We have now found out ourselves why this is happening. It is Microsoft Advanced Threat Protection. This is what happens.
Sometimes we need to send out the download link to the Kaseya Agent to customers by e-mail.
The link is discovered by MS ATP, which automatically starts two virtual computers in Azure: one Windows 7 and one Windows 10. They download the file and execute it to analyze whether there is something dangerous in it, and the Kaseya Agent, of course, automatically checks both computers in to the customer's organization in our VSA, stealing two licenses. Since the licenses cost a lot of money, this is not good for us. At least once a week we must manually clean our VSA of these agents.
Kaseya support was told about this. If the Kaseya Agent exe-file were signed, this would probably not be an issue.
Is someone else also having this problem? Is there a workaround?
I have seen exactly the same happening on our VSA.
As soon as a new agent checks in I get notified by mail so I can delete the agents as needed.
Is there a way to exclude or set an exemption from the detections?
The VSA has some options in place where one can limit the number of agents which check in to the respective organizations. There is also a policy option within your System tab in which only agents from certain networks can check in, depending on the organization.
Tommy.Hagelin - We saw that a few weeks ago and we wondered about those agents. Since we had only a few machines and the incident didn't repeat itself, we just ignored it. I did discuss it with Kaseya in December, but at that time this wasn't known to them.
Good to know what's going on, thanks for reporting this. We try to stay away from Microsoft security products as much as possible. We don't trust Microsoft unless we have to and their security options tend to be mediocre.....
We cannot limit the number of clients in organizations (over 200 orgs) because we cannot say how many clients should be installed. There is always some new employee somewhere, or a computer needs reinstalling, etc. Limiting numbers per organisation would become overwhelming quite fast and is not a solution.
We cannot set up over 200 allowed networks to check in, partly because this also will be unmanageable, and if someone uses the computer at, say, a hotel, it will be denied check-in if that network is not entered as an allowed network.
This was also suggested by Kaseya support.
The only thing possible afaik would be to have the agent exe-file signed. We also send out links to our Webroot exe, and that one passes the ATP without problems (it also checks in when executed). The reason for this (we think) is that the file is signed. The Kaseya Agent exe-file is not signed.
Another thing that could work is to have some kind of captcha solution on the exe-file or download page.
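One way to spot these check-ins automatically, instead of waiting for the weekly manual cleanup, as an added example that is not Kaseya's code nor anything posted in this thread. The record format, agent names and thresholds are my own constructed assumptions; it flags agents that were online only briefly and then went silent, and pairs up same-org agents that appeared minutes apart, which is the two-VM pattern described in the first post:

```python
from datetime import datetime, timedelta

# Constructed sample check-in records (hypothetical format, not a real VSA export).
# Two agents in "acme" appear minutes apart, stay online a few minutes and never
# return (the detonation-VM pattern); the others are ordinary agents.
SAMPLE_RECORDS = [
    {"agent": "desktop-a1", "org": "acme", "first_seen": "2020-01-14T09:00:00", "last_seen": "2020-01-20T17:30:00"},
    {"agent": "WIN7-SANDBOX", "org": "acme", "first_seen": "2020-01-15T10:02:00", "last_seen": "2020-01-15T10:06:00"},
    {"agent": "WIN10-SANDBOX", "org": "acme", "first_seen": "2020-01-15T10:03:00", "last_seen": "2020-01-15T10:07:00"},
    {"agent": "laptop-b7", "org": "globex", "first_seen": "2020-01-19T08:00:00", "last_seen": "2020-01-20T18:00:00"},
    {"agent": "new-hire-pc", "org": "globex", "first_seen": "2020-01-20T16:50:00", "last_seen": "2020-01-20T16:55:00"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def ghost_agents(records, now, max_online=timedelta(minutes=15), min_silence=timedelta(hours=24)):
    """Agents whose whole lifetime was one short burst followed by prolonged silence.
    A freshly installed real agent (new-hire-pc) has not been silent long enough yet,
    so it is not flagged; the silence threshold is what keeps false positives down."""
    ghosts = []
    for r in records:
        first, last = parse(r["first_seen"]), parse(r["last_seen"])
        if last - first <= max_online and now - last >= min_silence:
            ghosts.append(r)
    return ghosts

def sandbox_pairs(ghosts, window=timedelta(minutes=10)):
    """Among ghost agents, find same-org agents that first checked in within `window`
    of each other: the two detonation VMs tend to arrive together."""
    by_org = {}
    for g in ghosts:
        by_org.setdefault(g["org"], []).append(g)
    pairs = set()
    for org, agents in by_org.items():
        agents.sort(key=lambda a: a["first_seen"])  # ISO timestamps sort lexically
        for a, b in zip(agents, agents[1:]):
            if parse(b["first_seen"]) - parse(a["first_seen"]) <= window:
                pairs.add((org, a["agent"], b["agent"]))
    return sorted(pairs)

def report(records=SAMPLE_RECORDS, now=datetime(2020, 1, 20, 18, 0, 0)):
    """Summarise ghost agents and likely sandbox pairs for review before deleting them."""
    ghosts = ghost_agents(records, now)
    return {"ghosts": sorted(g["agent"] for g in ghosts), "pairs": sandbox_pairs(ghosts)}

if __name__ == "__main__":
    print(report())
```

Feeding this a daily export of agent first/last check-in times gives a short review list rather than a manual hunt; agents that are flagged but have no pair still deserve a look before deletion.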