-
Kaseya Threat Notice July 2nd, 2021
At around 2 PM EST, Kaseya published on their website an important notice to immediately shut down VSA servers due to a malicious threat in its recent update. According to Kaseya, one of the first things that the attacker does is shut off Administrative access to the VSA. This threat has been identified with ThreatLocker, and we can confirm that these files are not in our Built-In definition for Kaseya VSA.
-
Best Practices When Permitting RMM Scripts
The ThreatLocker Built-In Application definitions cover the components needed to run the RMM software on your machines; RMM scripts are not included in this Built-In Application. To permit a script to run in your environment, you will need to permit it separately from the RMM Built-In itself. ThreatLocker does not recommend creating rules to whitelist scripts from your RMM to run automatically. If your RMM were compromised, you would have a Policy in place that permits all scripts coming from your RMM to run.
-
Continuous Deployment Using a Datto Custom Filter
In Datto, set up a new Custom Device Filter. Name your custom filter in the 'Name' textbox. In our example below, we have named it Windows - ThreatLocker. Under 'Select devices that match the following criteria', from the first dropdown box choose a custom field and rename it something that makes sense to you. Then choose 'Does not contain' in the next dropdown. In the last box, you can type ThreatLockerOff (all one word).
-
Uninstalling with Kaseya VSA
Download the XML file
Download the latest version of our uninstall script here
Notes: The computer needs to have Tamper Mode disabled and needs to be in monitor only mode to uninstall. For information on disabling Tamper Protection, please review our article here: Disable Tamper Protection
Importing the Files
In Kaseya VSA, navigate to "Agent Procedures" > "Schedule /Create". Under the "Private" folder, select the "
-
Citrix or Remote Desktop Service Failure to Disconnect
When launching remote applications through Citrix as opposed to the entire desktop, occasionally the ThreatLocker Tray can cause the session to remain active. This results in Citrix or Remote Desktop Service failing to disconnect after closing an application. If you experience this issue, manually setting the following Windows Registry Keys should resolve it.
Editing the Windows Registry to Remediate RDP Failure to Disconnect Issue
-
Uninstalling with ConnectWise Automate
Download the Script Files
Extract the XML file and import it into Automate through the desktop client.
In Automate, select System > General > Import > XML Expansion
Once imported, the script can be found in scripts under Software > ThreatLocker
Once updated, save the script and it is ready to run.
Notes: The computer needs to have Tamper Mode disabled and monitor mode enabled to uninstall. For more information, please review our article Uninstalling the ThreatLocker Agent
-
Ringfencing your RMM
RMMs are very powerful and useful tools. They provide a centralized location for managing and administering multiple endpoints across multiple businesses, so if an RMM is compromised, an attacker can gain access to your clients' data and then potentially exfiltrate that data. Cyber attacks are becoming more and more prevalent, and RMMs are a hot target, providing attackers the keys to your kingdom. ThreatLocker recommends applying Ringfencing boundaries to your RMM policy to restrict its access to your protected files.
-
Monitoring ThreatLockerService Through Kaseya VSA
Overview
This article will cover how to set up monitoring of ThreatLockerService through Kaseya VSA.
Assign Event Set
Under Agent Monitoring on the left-hand side menu, select ‘Event Log Alerts’
Check the box for the applicable Machine.Group ID
In the Assign Event Set tab:
Select event log type: Application
Check the box for Information
Define events to match or ignore: < New Event Set >
In the popup window, enter the Event Set Name and click ‘New’
Under the Source Filter, type ‘ThreatLockerService’, click ‘Add’, click ‘Deploy’, and then click ‘Close’