diff --git a/clients/ace-portables/reports/2026-03-31-malware-incident-report.html b/clients/ace-portables/reports/2026-03-31-malware-incident-report.html new file mode 100644 index 0000000..d54d6fd --- /dev/null +++ b/clients/ace-portables/reports/2026-03-31-malware-incident-report.html @@ -0,0 +1,559 @@ + + + + + +Security Incident Report - Ace Portables - 31 March 2026 + + + +
+ + +
+
+ Arizona ComputerGuru +
Security Incident Report
+
+
+ Report Reference: ACE-SEC-2026-0331
+ Date: 31 March 2026
+ Prepared for: Ace Portables +
+
+ + +
+
+ +
+
+

ALL SYSTEMS VERIFIED CLEAN

+

Both workstations have been scanned, verified, and are actively protected by enterprise-grade endpoint security. No active threats detected.

+
+
+ + +
+ + +
+
Executive Summary
+

+ Ace Portables contacted AZ Computer Guru LLC after their financial institution requested verification that company workstations were free of malware. Upon investigation, we determined that the previously installed antivirus software (McAfee) had silently expired, leaving the machines unprotected. +

+

+ We removed the expired McAfee installation and deployed Bitdefender GravityZone, an enterprise-grade Endpoint Detection and Response (EDR) platform, across both company workstations. During the initial security scan, Bitdefender detected and automatically deleted a malicious browser extension containing a Trojan on one machine. Both machines have been fully scanned and are confirmed clean with no active threats. +

+
+ + +
+
Incident Timeline
+
+
+
Prior to Engagement
+
McAfee antivirus subscription silently expired, leaving workstations without active endpoint protection.
+
+
+
Engagement Initiated
+
Ace Portables contacted AZ Computer Guru LLC at the request of their bank to verify workstation security.
+
+
+
Remediation
+
Expired McAfee software removed. Bitdefender GravityZone EDR deployed on both workstations (DESKTOP-DV7I10S, DESKTOP-U317856).
+
+
+
25 March 2026, 11:15
+
Bitdefender detected and automatically deleted a Trojan (Trojan.GenericKD.77292516) within a malicious Microsoft Edge browser extension on one workstation.
+
+
+
31 March 2026
+
Full scans completed on both machines. Both verified clean. This report issued.
+
+
+
+ + +
+
Threat Details
+
+
+
Threat Classification
+
Trojan.GenericKD.77292516
+
+
+
Threat Type
+
Malware (Trojan)
+
+
+
Detection Date
+
25 March 2026, 11:15
+
+
+
Action Taken
+
Automatically Deleted
+
+
+
Affected Component
+
Microsoft Edge Browser Extension (background.js)
+
+
+
Extension ID
+
cfacibcmkcdppnkgennk...blmp
+
+
+
File SHA-256 Hash
+
B3F83B5EC4CFED5D93561B86B5A124FA88D2EA35491011D32CCDA3E385C036E1
+
+
+
+ + +
+
Workstation Scan Results
+

Both Ace Portables workstations were enrolled in Bitdefender GravityZone and scanned. Current status as of 31 March 2026:

+
+ + + + + + + + + + + + + + + + + + + + + + + +
Machine NameTypeManagementSecurity Status
DESKTOP-DV7I10SPhysical MachineManagedNo Issues
DESKTOP-U317856Physical MachineManagedNo Issues
+
+ + +
+
Remediation Actions Taken
+
    +
  • Removed expired antivirus software — McAfee, which had silently expired, was fully uninstalled from both workstations.
    • +
  • Deployed enterprise endpoint protection — Bitdefender GravityZone EDR was installed and configured on both machines, providing real-time threat monitoring, behavioral analysis, and automated response.
    • +
  • Malicious extension deleted — The Trojan-infected browser extension was automatically detected and removed by Bitdefender during the initial scan.
    • +
  • Extension blocked globally — The malicious extension has been added to our managed blocklist, preventing it from being installed on any endpoint under our management.
    • +
  • Full system scans completed — Comprehensive antimalware scans were run on both workstations. Both returned clean results with no further threats detected.
    • +
  • Password reset recommended — The affected user was advised to change passwords for all accounts accessed via the browser, prioritising financial and email accounts.
    • +
+
+ + +
+
Ongoing Protection
+

Both Ace Portables workstations are now continuously protected by Bitdefender GravityZone, which provides:

+
    +
  • Real-time file system protection — On-access scanning of all files as they are opened, created, or modified.
    • +
  • Advanced Threat Control — Behavioral monitoring that detects suspicious process activity in real time.
    • +
  • Network Attack Defense — Protection against network-based exploits and lateral movement attempts.
    • +
  • Web Threat Protection — Blocks access to known malicious, phishing, and fraudulent websites.
    • +
  • Anti-Exploit Technology — Detects and prevents exploitation of software vulnerabilities.
    • +
  • Centralised Management — All endpoints are monitored and managed through the GravityZone console by AZ Computer Guru LLC, ensuring policies and definitions remain current.
    • +
+
+ +
+ + +
+

+ Both Ace Portables workstations have been verified clean and are now actively protected by enterprise-grade endpoint security. The previously unprotected state caused by the expired McAfee subscription has been fully resolved. The detected Trojan was automatically removed before any confirmed data exfiltration occurred, and preventative measures are in place to block future threats. +

+

+ Should the bank require any additional information, technical logs, or further clarification, please do not hesitate to contact us using the details below. +

+
+ +
+ + +
+
+

Arizona ComputerGuru LLC

+

7437 E. 22nd St, Tucson, AZ 85710

+

Phone: (520) 304-8300

+

Web: azcomputerguru.com

+
+
+

This report is confidential and intended solely for the use of Ace Portables and their financial institution.

+
+

Report Ref: ACE-SEC-2026-0331

+

Date Issued: 31 March 2026

+
+
+ +
+ + diff --git a/clients/ace-portables/reports/2026-03-31-malware-incident-report.md b/clients/ace-portables/reports/2026-03-31-malware-incident-report.md new file mode 100644 index 0000000..57b0d99 --- /dev/null +++ b/clients/ace-portables/reports/2026-03-31-malware-incident-report.md @@ -0,0 +1,106 @@ +# Security Incident Report - Malware Detection and Remediation + +**Prepared by:** AZ Computer Guru LLC +**Prepared for:** Ace Portables +**Date:** 31 March 2026 +**Report Reference:** ACE-SEC-2026-0331 + +--- + +## Executive Summary + +On 25 March 2026, our endpoint protection platform detected and automatically removed a malicious browser extension from a workstation belonging to Ace Portables. The threat was identified, quarantined, and deleted without user intervention. Additional preventative measures have been implemented across the managed environment to prevent recurrence. + +--- + +## Incident Details + +| Field | Detail | +|-------|--------| +| **Date of Detection** | 25 March 2026, 11:15 | +| **Affected Machine User** | John | +| **Threat Classification** | Trojan.GenericKD.77292516 | +| **Threat Type** | Malware (Trojan) | +| **Affected File** | `background.js` (browser extension component) | +| **File Location** | Microsoft Edge browser extension directory | +| **Extension ID** | cfacibcmkcdppnkgennkfaepplpkblmp | +| **File SHA256 Hash** | B3F83B5EC4CFED5D93561B86B5A124FA88D2EA35491011D32CCDA3E385C036E1 | + +--- + +## Detection and Response + +### Detection + +The threat was identified by **Bitdefender GravityZone**, our enterprise endpoint detection and response (EDR) platform, during a scheduled on-demand scan task. The malicious file was a JavaScript component (`background.js`) operating within a Microsoft Edge browser extension. + +### Automated Response + +Bitdefender GravityZone automatically took the following action upon detection: + +- **Action Taken:** File deleted +- **Detection Module:** Antimalware (On-Demand Scan) +- **Result:** Threat successfully removed from the system + +### Additional Remediation Steps + +The following manual remediation steps were performed by AZ Computer Guru LLC: + +1. **Extension removal verified** - Confirmed the malicious browser extension was fully removed from Microsoft Edge, including all associated files and registry entries. +2. **Extension blocked at policy level** - The malicious extension (ID: `cfacibcmkcdppnkgennkfaepplpkblmp`) has been added to the GravityZone extension blocklist, preventing installation across all managed endpoints company-wide. +3. **Full system scan completed** - A comprehensive antimalware scan was conducted on the affected workstation to confirm no additional threats or residual malicious components remain. +4. **Browser data review** - Edge browser settings were reviewed and restored to safe defaults where necessary. +5. **Password reset recommended** - The affected user was advised to change passwords for all accounts accessed via the browser as a precautionary measure, with priority given to financial and email accounts. + +--- + +## Current System Status + +**The affected workstation is confirmed CLEAN and free of malware.** Bitdefender GravityZone endpoint protection continues to actively monitor the system in real time with: + +- Real-time file system protection (on-access scanning) +- Network attack defense +- Web threat protection +- Advanced anti-exploit technology +- Behavioral monitoring (Advanced Threat Control) + +The GravityZone management console shows **no active threats** on the affected machine or any other Ace Portables endpoints. + +--- + +## Preventative Measures Implemented + +| Measure | Scope | Status | +|---------|-------|--------| +| Malicious extension added to blocklist | All managed client endpoints | Complete | +| Full system scan on affected workstation | Affected machine | Complete - Clean | +| User advised to reset browser passwords | Affected user | Advised | +| Ongoing real-time endpoint monitoring | All Ace Portables endpoints | Active | + +--- + +## About Our Security Platform + +AZ Computer Guru LLC utilises **Bitdefender GravityZone**, an enterprise-grade endpoint protection platform that provides: + +- Multi-layered malware detection (signature, heuristic, behavioural, and machine learning) +- Real-time threat monitoring and automated response +- Centralised management and policy enforcement +- Regular definition updates and cloud-based threat intelligence + +--- + +## Conclusion + +The malicious browser extension was detected promptly by our automated security systems, removed before any confirmed data exfiltration occurred, and blocked from future installation. The affected workstation has been verified clean and continues to be actively protected. No further action is required at this time. + +Should the bank require any additional information, technical logs, or clarification, please do not hesitate to contact us. + +--- + +**AZ Computer Guru LLC** +Managed IT Services Provider + +--- + +*This report is confidential and intended solely for the use of Ace Portables and their financial institution.* diff --git a/clients/ace-portables/reports/logo-light.png b/clients/ace-portables/reports/logo-light.png new file mode 100644 index 0000000..3608e52 Binary files /dev/null and b/clients/ace-portables/reports/logo-light.png differ diff --git a/projects/msp-tools/guru-rmm/dashboard/src/api/client.ts b/projects/msp-tools/guru-rmm/dashboard/src/api/client.ts index 71794c1..4b72940 100644 --- a/projects/msp-tools/guru-rmm/dashboard/src/api/client.ts +++ b/projects/msp-tools/guru-rmm/dashboard/src/api/client.ts @@ -113,7 +113,7 @@ export interface Command { agent_id: string; command_type: string; command_text: string; - status: "pending" | "running" | "completed" | "failed"; + status: "pending" | "running" | "completed" | "failed" | "cancelled"; exit_code: number | null; stdout: string | null; stderr: string | null; @@ -219,6 +219,11 @@ export const commandsApi = { api.post(`/api/agents/${agentId}/command`, command), list: () => api.get("/api/commands"), get: (id: string) => api.get(`/api/commands/${id}`), + cancelCommand: (id: string) => + api.post<{ status: string; message: string }>(`/api/commands/${id}/cancel`), + deleteCommand: (id: string) => api.delete(`/api/commands/${id}`), + clearCommandHistory: () => + api.delete<{ deleted: number; message: string }>("/api/commands"), }; export const clientsApi = { diff --git a/projects/msp-tools/guru-rmm/dashboard/src/pages/History.tsx b/projects/msp-tools/guru-rmm/dashboard/src/pages/History.tsx index a69dc44..65a82c3 100644 --- a/projects/msp-tools/guru-rmm/dashboard/src/pages/History.tsx +++ b/projects/msp-tools/guru-rmm/dashboard/src/pages/History.tsx @@ -1,6 +1,17 @@ -import { useQuery } from "@tanstack/react-query"; +import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query"; import { Link, useParams, useNavigate } from "react-router-dom"; -import { RefreshCw, CheckCircle, XCircle, Clock, Loader2, ArrowLeft, Terminal } from "lucide-react"; +import { + RefreshCw, + CheckCircle, + XCircle, + Clock, + Loader2, + ArrowLeft, + Terminal, + Trash2, + Ban, + StopCircle, +} from "lucide-react"; import { commandsApi, Command } from "../api/client"; import { Card, CardContent } from "../components/Card"; import { Button } from "../components/Button"; @@ -28,6 +39,11 @@ function StatusBadge({ status }: { status: Command["status"] }) { label: "Failed", className: "bg-rose-500/10 text-rose-400 border-rose-500/30", }, + cancelled: { + icon: Ban, + label: "Cancelled", + className: "bg-amber-500/10 text-amber-500 border-amber-500/30", + }, }; const { icon: Icon, label, className, spin } = config[status] as { @@ -62,12 +78,63 @@ function formatRelativeTime(dateString: string): string { } export function History() { + const queryClient = useQueryClient(); + const { data: commands = [], isLoading, refetch } = useQuery({ queryKey: ["commands"], queryFn: () => commandsApi.list().then((res) => res.data), refetchInterval: 10000, }); + const cancelMutation = useMutation({ + mutationFn: (id: string) => commandsApi.cancelCommand(id), + onSuccess: () => { + queryClient.invalidateQueries({ queryKey: ["commands"] }); + }, + onError: (error: Error) => { + alert(`Failed to cancel command: ${error.message}`); + }, + }); + + const deleteMutation = useMutation({ + mutationFn: (id: string) => commandsApi.deleteCommand(id), + onSuccess: () => { + queryClient.invalidateQueries({ queryKey: ["commands"] }); + }, + onError: (error: Error) => { + alert(`Failed to delete command: ${error.message}`); + }, + }); + + const clearHistoryMutation = useMutation({ + mutationFn: () => commandsApi.clearCommandHistory(), + onSuccess: (res) => { + queryClient.invalidateQueries({ queryKey: ["commands"] }); + const data = res.data; + if (data.deleted === 0) { + alert("No finished commands to clear."); + } + }, + onError: (error: Error) => { + alert(`Failed to clear history: ${error.message}`); + }, + }); + + const handleClearHistory = () => { + const finishedCount = commands.filter( + (cmd) => cmd.status === "completed" || cmd.status === "failed" || cmd.status === "cancelled" + ).length; + + if (finishedCount === 0) { + alert("No finished commands to clear."); + return; + } + + if (window.confirm(`Clear ${finishedCount} finished command(s) from history?`)) { + clearHistoryMutation.mutate(); + } + }; + return (
{/* Header */} @@ -76,15 +143,30 @@ export function History() {

History

Command execution log

- +
+ + +
{/* History List */} @@ -103,12 +185,14 @@ export function History() { ) : (
{commands.map((cmd: Command) => ( - -
+

@@ -118,18 +202,49 @@ export function History() { {cmd.command_type} | Agent: {cmd.agent_id.slice(0, 8)}...

-
-
-

- {formatRelativeTime(cmd.created_at)} -

- {cmd.exit_code !== null && ( -

- exit: {cmd.exit_code} + +

+
+

+ {formatRelativeTime(cmd.created_at)}

- )} + {cmd.exit_code !== null && ( +

+ exit: {cmd.exit_code} +

+ )} +
+ {/* Action buttons */} +
+ {(cmd.status === "pending" || cmd.status === "running") && ( + + )} + +
- +
))}
)} @@ -142,6 +257,7 @@ export function History() { export function HistoryDetail() { const { id } = useParams<{ id: string }>(); const navigate = useNavigate(); + const queryClient = useQueryClient(); const { data: commands = [], isLoading } = useQuery({ queryKey: ["commands"], @@ -150,6 +266,27 @@ export function HistoryDetail() { const command = commands.find((cmd: Command) => cmd.id === id); + const cancelMutation = useMutation({ + mutationFn: (cmdId: string) => commandsApi.cancelCommand(cmdId), + onSuccess: () => { + queryClient.invalidateQueries({ queryKey: ["commands"] }); + }, + onError: (error: Error) => { + alert(`Failed to cancel command: ${error.message}`); + }, + }); + + const deleteMutation = useMutation({ + mutationFn: (cmdId: string) => commandsApi.deleteCommand(cmdId), + onSuccess: () => { + queryClient.invalidateQueries({ queryKey: ["commands"] }); + navigate("/history"); + }, + onError: (error: Error) => { + alert(`Failed to delete command: ${error.message}`); + }, + }); + if (isLoading) { return (
@@ -199,6 +336,33 @@ export function HistoryDetail() { {formatDate(command.created_at)}

+
+ {(command.status === "pending" || command.status === "running") && ( + + )} + +
{/* Command Info */} diff --git a/projects/msp-tools/guru-rmm/server/src/api/commands.rs b/projects/msp-tools/guru-rmm/server/src/api/commands.rs index 35fd6f5..34df06e 100644 --- a/projects/msp-tools/guru-rmm/server/src/api/commands.rs +++ b/projects/msp-tools/guru-rmm/server/src/api/commands.rs @@ -160,3 +160,100 @@ pub async fn get_command( Ok(Json(command)) } + +/// Delete a single command by ID +/// Requires authentication. +pub async fn delete_command( + State(state): State, + _user: AuthUser, + Path(command_id): Path, +) -> Result { + let deleted = db::delete_command(&state.db, command_id) + .await + .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?; + + if deleted { + Ok(StatusCode::NO_CONTENT) + } else { + Err((StatusCode::NOT_FOUND, "Command not found".to_string())) + } +} + +/// Cancel response payload +#[derive(Debug, Serialize)] +pub struct CancelCommandResponse { + pub status: String, + pub message: String, +} + +/// Cancel a pending or running command +/// Requires authentication. +pub async fn cancel_command( + State(state): State, + _user: AuthUser, + Path(command_id): Path, +) -> Result, (StatusCode, String)> { + let command = db::get_command_by_id(&state.db, command_id) + .await + .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))? + .ok_or((StatusCode::NOT_FOUND, "Command not found".to_string()))?; + + match command.status.as_str() { + "completed" | "failed" | "cancelled" => { + return Err(( + StatusCode::BAD_REQUEST, + "Command already finished".to_string(), + )); + } + "running" => { + // Update status in DB + db::cancel_command(&state.db, command_id) + .await + .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?; + + // Optionally try to send a cancel signal via WebSocket + let agents = state.agents.read().await; + if agents.is_connected(&command.agent_id) { + let cancel_msg = ServerMessage::Error { + code: "command_cancelled".to_string(), + message: format!("Command {} has been cancelled", command_id), + }; + let _ = agents.send_to(&command.agent_id, cancel_msg).await; + } + } + _ => { + // Pending or any other status - just update DB + db::cancel_command(&state.db, command_id) + .await + .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?; + } + } + + Ok(Json(CancelCommandResponse { + status: "cancelled".to_string(), + message: "Command cancelled".to_string(), + })) +} + +/// Clear history response payload +#[derive(Debug, Serialize)] +pub struct ClearHistoryResponse { + pub deleted: u64, + pub message: String, +} + +/// Bulk clear finished commands (completed, failed, cancelled) +/// Requires authentication. +pub async fn clear_command_history( + State(state): State, + _user: AuthUser, +) -> Result, (StatusCode, String)> { + let count = db::delete_finished_commands(&state.db) + .await + .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?; + + Ok(Json(ClearHistoryResponse { + deleted: count, + message: format!("Cleared {} commands from history", count), + })) +} diff --git a/projects/msp-tools/guru-rmm/server/src/api/mod.rs b/projects/msp-tools/guru-rmm/server/src/api/mod.rs index 52fc492..852ae7f 100644 --- a/projects/msp-tools/guru-rmm/server/src/api/mod.rs +++ b/projects/msp-tools/guru-rmm/server/src/api/mod.rs @@ -56,8 +56,9 @@ pub fn routes() -> Router { .route("/metrics/summary", get(metrics::get_summary)) // Commands .route("/agents/:id/command", post(commands::send_command)) - .route("/commands", get(commands::list_commands)) - .route("/commands/:id", get(commands::get_command)) + .route("/commands", get(commands::list_commands).delete(commands::clear_command_history)) + .route("/commands/:id", get(commands::get_command).delete(commands::delete_command)) + .route("/commands/:id/cancel", post(commands::cancel_command)) // Legacy Agent (PowerShell for 2008 R2) .route("/agent/register-legacy", post(agents::register_legacy)) .route("/agent/heartbeat", post(agents::heartbeat)) diff --git a/projects/msp-tools/guru-rmm/server/src/db/commands.rs b/projects/msp-tools/guru-rmm/server/src/db/commands.rs index 68b25d6..5ac20c9 100644 --- a/projects/msp-tools/guru-rmm/server/src/db/commands.rs +++ b/projects/msp-tools/guru-rmm/server/src/db/commands.rs @@ -161,3 +161,25 @@ pub async fn delete_command(pool: &PgPool, id: Uuid) -> Result 0) } + +/// Cancel a command - set status to 'cancelled' and set completed_at +pub async fn cancel_command(pool: &PgPool, id: Uuid) -> Result<(), sqlx::Error> { + sqlx::query( + "UPDATE commands SET status = 'cancelled', completed_at = NOW() WHERE id = $1", + ) + .bind(id) + .execute(pool) + .await?; + Ok(()) +} + +/// Delete all completed, failed, and cancelled commands (bulk clear) +/// Returns the count of deleted rows. +pub async fn delete_finished_commands(pool: &PgPool) -> Result { + let result = sqlx::query( + "DELETE FROM commands WHERE status IN ('completed', 'failed', 'cancelled')", + ) + .execute(pool) + .await?; + Ok(result.rows_affected()) +}