From c093e7f8a4de6482f51f22554559a4ee29f9fa65 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Fri, 29 May 2026 13:25:18 -0700 Subject: [PATCH] memory: ACG's own MSP stack (ScreenConnect/Splashtop/Syncro/Datto RMM+EDR/GuruRMM) - not foreign agents Co-Authored-By: Claude Opus 4.8 (1M context) --- .claude/memory/MEMORY.md | 1 + .claude/memory/reference_acg_msp_stack.md | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 .claude/memory/reference_acg_msp_stack.md diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index dd523c9..fdb0592 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md @@ -88,3 +88,4 @@ - [Cascades CA phased rollout](project_cascades_ca_phased_rollout.md) — Caregiver CA policies scoped to SG-Caregivers-Pilot, expand by dept; PATCH excludeGroups, never delete the all-users-MFA policy. - [Cascades caregiver pilot cleanup](project_cascades_pilot_cleanup.md) — Remove pilot accounts (pilot.test@, howard.enos@) at the end of the caregiver bypass pilot. - [Proposal: centralize config in identity.json](proposal_identity_centralization.md) — Rationale for the identity.json machine-config centralization (claudetools_root, ollama/python); now implemented. +- [ACG MSP tool stack](reference_acg_msp_stack.md) — ScreenConnect/CW Control, Splashtop, Syncro, Datto RMM, Datto EDR/AV, GuruRMM are ACG's OWN tools; do not flag as foreign/threat on managed machines (Defender-off is expected when Datto AV is active). diff --git a/.claude/memory/reference_acg_msp_stack.md b/.claude/memory/reference_acg_msp_stack.md new file mode 100644 index 0000000..911e276 --- /dev/null +++ b/.claude/memory/reference_acg_msp_stack.md 
@@ -0,0 +1,20 @@ +--- +name: reference_acg_msp_stack +description: ACG's own MSP tool stack — do not flag these as foreign/threat agents on managed machines +metadata: + type: reference +--- + +Arizona Computer Guru's own MSP management/security stack. When found on an ACG-managed endpoint these are **expected ACG tooling**, NOT a prior MSP's leftovers or a threat — do not treat as a security finding. + +Confirmed by Mike (2026-05-29): +- **ConnectWise Control / ScreenConnect** — remote access +- **Splashtop** (SOS/Streamer) — remote access +- **Syncro** (Kabuto agent) — PSA / RMM + +Also part of the stack (seen on ACG-managed machines incl. Birth Biologic + Rednour; confirm if ever in doubt): +- **Datto RMM** (CagService/Aemagent) +- **Datto EDR / Datto AV** — the managed AV. Note: when Datto AV is the active AV, **Windows Defender real-time protection is OFF by design** (Windows disables Defender when a 3rd-party AV registers) — that is expected, not a gap. +- **GuruRMM** — ACG's own RMM (the agent doing the monitoring) + +Relevance: the onboarding diagnostic ([[reference_gururmm_api]] / `.claude/scripts/onboarding-diagnostic.ps1`) currently flags these as CRITICAL "foreign management/remote-access agent" — a known false positive being tuned (allowlist them as INFO; downgrade Defender-off when a managed AV is present). The genuine prior-MSP-leftover scenario still matters for *non-ACG* remote tools (Ninja, Atera, Kaseya, TeamViewer, LogMeIn, AnyDesk, etc.).
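Review bot: in the MEMORY.md index entry, "do not flag as foreign/threat on managed machines" allowlists by product name only, which is weaker than the detailed note it points to ("confirm if ever in doubt"). ScreenConnect, Splashtop, Syncro and Datto RMM are common MSP products, so a prior MSP's instance of the same product would also match a name-based allowlist; suggest the entry say that only instances tied to ACG's own tenant/site (e.g. the ScreenConnect relay host, the Syncro/Datto site identifiers ACG uses) are expected, and that an instance of one of these products pointing elsewhere still counts as a prior-MSP leftover.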
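Review bot: the new reference file's guidance "downgrade Defender-off when a managed AV is present" should be tightened to "when a managed AV is registered and active", since the note itself gives the mechanism ("Windows disables Defender when a 3rd-party AV registers"). Presence of the Datto agent binary alone does not prove Datto AV is the registered real-time AV; a machine with the agent installed but AV not active and Defender off is a genuine gap the diagnostic should still surface. Suggest the tuning check Security Center's registered AV product and its state before applying the INFO downgrade, and that the "confirm if ever in doubt" line for Datto RMM/GuruRMM say what to confirm (site/tenant identifier) so the allowlist can be applied consistently.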