memory: ACG's own MSP stack (ScreenConnect/Splashtop/Syncro/Datto RMM+EDR/GuruRMM) - not foreign agents
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
20
.claude/memory/reference_acg_msp_stack.md
Normal file
20
.claude/memory/reference_acg_msp_stack.md
Normal file
@@ -0,0 +1,20 @@
|
||||
---
|
||||
name: reference_acg_msp_stack
|
||||
description: ACG's own MSP tool stack — do not flag these as foreign/threat agents on managed machines
|
||||
metadata:
|
||||
type: reference
|
||||
---
|
||||
|
||||
Arizona Computer Guru's own MSP management/security stack. When found on an ACG-managed endpoint these are **expected ACG tooling**, NOT a prior MSP's leftovers or a threat — do not treat as a security finding.
|
||||
|
||||
Confirmed by Mike (2026-05-29):
|
||||
- **ConnectWise Control / ScreenConnect** — remote access
|
||||
- **Splashtop** (SOS/Streamer) — remote access
|
||||
- **Syncro** (Kabuto agent) — PSA / RMM
|
||||
|
||||
Also part of the stack (seen on ACG-managed machines incl. Birth Biologic + Rednour; confirm if ever in doubt):
|
||||
- **Datto RMM** (CagService/Aemagent)
|
||||
- **Datto EDR / Datto AV** — the managed AV. Note: when Datto AV is the active AV, **Windows Defender real-time protection is OFF by design** (Windows disables Defender when a 3rd-party AV registers) — that is expected, not a gap.
|
||||
- **GuruRMM** — ACG's own RMM (the agent doing the monitoring)
|
||||
|
||||
Relevance: the onboarding diagnostic ([[reference_gururmm_api]] / `.claude/scripts/onboarding-diagnostic.ps1`) currently flags these as CRITICAL "foreign management/remote-access agent" — a known false positive being tuned (allowlist them as INFO; downgrade Defender-off when a managed AV is present). The genuine prior-MSP-leftover scenario still matters for *non-ACG* remote tools (Ninja, Atera, Kaseya, TeamViewer, LogMeIn, AnyDesk, etc.).
|
||||
Reference in New Issue
Block a user