Last Modified Date: 7/6/2021 1:33 PM
** Update note: this article was updated on July 6th following an update to the script that Kaseya published on July 5th at 5:30 pm.
Following the July 2021 attack on Kaseya VSA (see Kaseya's advisory article), our partners have been asking for help to detect or mitigate the vulnerability.
N-central and RMM can detect whether the Kaseya agent is installed and report on it; this can serve as a first line of triage. Kaseya has also published two scripts, one to be run on the VSA server itself and one to be run on the endpoints. We have taken the endpoint script and modified it slightly so that it runs as a monitoring item in N-central and RMM (see our other article for N-able RMM). Everyone using our platforms can now run Kaseya's script and get alerted if it detects any potential issues.
We recommend that you review Kaseya's article and come back to this page often; we will publish updates to this article or to the AMP file as needed, based on what Kaseya and the security experts recommend.
Custom Service / Script Check
Windows Third Party Apps
Windows 8/8.1; Windows 10; Windows Server 2012 / 2012R2; Windows Server 2016; Windows Server 2019
Compatible with N-Central
N-Central minimum version
Compatible with RMM
To use it in N-central, upload the AMP file to N-central, then create a custom service that runs it.
Note that on devices without the Kaseya agent the check returns a pass state: the attack targeted Kaseya VSA agents, so there is nothing for the script to find there. A pass on such a device only means that the Kaseya-related indicators were not found; it is not a general statement about the device's security.
The service outputs four fields: an "issues count", a "certs found", a "files found" and an "encryption status".
On the issues count output, set the threshold so that 0 is normal, -10000 to -1 is warning, and 1 to 100000 is failed. Any detected file or certificate raises the count above 0, so this field alone will alert you if anything is detected.
On the certs found and files found outputs, threshold on whether the output contains "PASS"; if it does not contain PASS, set the state to failed.
On the encryption status output, likewise threshold on whether the output contains "PASS"; if it does not contain PASS, set the state to failed.
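The following is an added example (not the N-able AMP and not Kaseya's script) that reproduces the threshold rules above in plain Python, so the alert state each combination of outputs would produce can be checked offline before the thresholds are configured in N-central. The field names, the sample outputs and the "strict" variant are assumptions and constructions, not output formats documented by Kaseya or N-able.

```python
"""Threshold evaluation for the four fields the Kaseya endpoint check emits.

Added example, not the N-able AMP or Kaseya's script. It reproduces the
threshold rules the article gives (issues count 0 = normal, -10000..-1 =
warning, 1..100000 = failed; the three text fields fail unless they contain
"PASS").  Field names, sample outputs and the "strict" variant are
assumptions / constructions, not formats documented by Kaseya or N-able.
"""
from dataclasses import dataclass

NORMAL, WARNING, FAILED = "normal", "warning", "failed"
_SEVERITY = {NORMAL: 0, WARNING: 1, FAILED: 2}


def issues_count_state(count: int) -> str:
    """Article thresholds for the numeric field.  Values outside every listed
    range (e.g. 100001) are mapped to failed here on the assumption that a
    count the script never normally emits deserves a look, not silence."""
    if count == 0:
        return NORMAL
    if -10000 <= count <= -1:
        return WARNING
    return FAILED


def contains_pass_state(output: str) -> str:
    """The article's rule for the text fields: failed unless "PASS" appears
    anywhere in the output (a "contains" string threshold)."""
    return NORMAL if "PASS" in output else FAILED


def strict_pass_state(output: str) -> str:
    """Tighter variant (assumption, not from the article): the output must
    begin with PASS.  A failure line that merely mentions the letters PASS,
    such as a matched file path, then cannot satisfy the threshold."""
    return NORMAL if output.strip().upper().startswith("PASS") else FAILED


@dataclass(frozen=True)
class CheckResult:
    """One run of the endpoint check; field names are assumed."""
    issues_count: int
    certs_found: str
    files_found: str
    encryption_status: str


def evaluate(result: CheckResult, strict: bool = False) -> dict:
    """Map each field to a state and derive the worst state as "overall"."""
    text_rule = strict_pass_state if strict else contains_pass_state
    states = {
        "issues_count": issues_count_state(result.issues_count),
        "certs_found": text_rule(result.certs_found),
        "files_found": text_rule(result.files_found),
        "encryption_status": text_rule(result.encryption_status),
    }
    states["overall"] = max(states.values(), key=_SEVERITY.__getitem__)
    return states


# Constructed sample outputs (not real script output).
SAMPLES = {
    # Endpoint with or without the Kaseya agent and nothing found.
    "clean": CheckResult(0, "PASS", "PASS", "PASS"),
    # Indicators found: the count goes positive and two text fields fail.
    "hit": CheckResult(2, "FAIL: suspicious certificate present",
                       "FAIL: 2 file(s) matched", "PASS"),
    # Negative count: the article maps this to warning (assumed here to mean
    # the check could not complete rather than a detection).
    "incomplete": CheckResult(-1, "PASS", "PASS", "PASS"),
    # Failure text that happens to contain the letters PASS inside a path.
    "masked": CheckResult(1, "PASS", "FAIL: matched C:\\Temp\\BYPASS.exe", "PASS"),
}


def evaluate_samples(strict: bool = False) -> dict:
    """Evaluate every constructed sample with the chosen text rule."""
    return {name: evaluate(r, strict) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, states in evaluate_samples().items():
        print(f"{name:>10}: {states}")
    print("masked, strict rule:", evaluate(SAMPLES["masked"], strict=True))
```

The "masked" sample is the caveat worth keeping in mind when a "contains PASS" threshold is used: if a failure message can ever carry the letters PASS (for example inside a reported file path), the text field alone would read as normal, and only the issues count would raise the alert. Whether the real script's failure text can contain that substring depends on its output format, which this article does not reproduce; thresholding the issues count as described above covers that case regardless.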