Tamper protection now generally available for Microsoft Defender ATP customers
Published Oct 14 2019 08:53 AM 46.4K Views
Microsoft

Attackers relentlessly up their game in bypassing security, either by using evasive techniques or, in the case of sophisticated threats like the fileless campaign Nodersok or the banking Trojan Trickbot, by attempting to disable Windows Defender Antivirus. Attackers go after real-time protection settings like OnAccessProtection policies, try to stop the Windows Defender Antivirus service, or attempt to turn off behavior monitoring and script scanning. In essence, attackers try to break the shield and take down the features that effectively work at stopping them.


One of the innovative ways in which we have hardened our solutions against these kinds of attacks is through tamper protection, a new feature designed to protect against malicious and unauthorized changes to security features, ensuring that endpoint security doesn’t go down. Earlier this year, we rolled out this feature to Windows Insiders and have been working closely with customers on developing the capability.


Today, we are excited to announce that tamper protection is now generally available!


Tamper protection prevents unwanted changes to security settings on devices. With this protection in place, customers can mitigate malware and threats that attempt to disable security protection features. Here are some examples of services and settings that are protected from modification, either by local admins or by malicious applications:


  1. Real-time protection, which is the core antimalware scanning feature of Microsoft Defender ATP next generation protection and should rarely, if ever, be disabled
  2. Cloud-delivered protection, which uses our cloud-based detection and prevention services to block never-before-seen malware within seconds
  3. IOAV (IE Downloads and Outlook Express Attachments initiated), which handles the detection of suspicious files from the Internet
  4. Behavior monitoring, which works with real-time protection to analyze and determine whether active processes are behaving in a suspicious or malicious way, and then blocks them
  5. Security intelligence updates, which Windows Defender Antivirus uses to detect the latest threats
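The five settings above can be audited from an endpoint itself. The following script is an added example and is not code from the original post or from Microsoft; it uses the Defender PowerShell module that ships with Windows 10 (Get-MpComputerStatus, Get-MpPreference) and assumes an elevated session. Get-MpComputerStatus is used for the enabled/disabled verdict because it is reported by the running service; the corresponding Get-MpPreference value is shown next to it so a mismatch between configured and effective state is visible. The three-day signature-age threshold is an assumption chosen for the example.

```powershell
# Added example, not part of the original post: audit the settings the post
# lists as protected, plus the tamper protection state itself.
# Assumes Windows 10 with the Defender module present; run elevated.

function Get-DefenderProtectionAudit {
    param(
        # Assumed threshold: flag security intelligence older than this many days.
        [int]$MaxSignatureAgeDays = 3
    )

    $status = Get-MpComputerStatus   # effective state reported by the running service
    $pref   = Get-MpPreference       # configured preferences

    $rows = @(
        @{ Setting = 'Tamper protection';          Ok = [bool]$status.IsTamperProtected;         Preference = $null }
        @{ Setting = 'Real-time protection';       Ok = [bool]$status.RealTimeProtectionEnabled; Preference = -not $pref.DisableRealtimeMonitoring }
        # MAPSReporting: 0 = off, 1 = basic, 2 = advanced membership
        @{ Setting = 'Cloud-delivered protection'; Ok = ($pref.MAPSReporting -ne 0);             Preference = $pref.MAPSReporting }
        @{ Setting = 'IOAV';                       Ok = [bool]$status.IoavProtectionEnabled;     Preference = -not $pref.DisableIOAVProtection }
        @{ Setting = 'Behavior monitoring';        Ok = [bool]$status.BehaviorMonitorEnabled;    Preference = -not $pref.DisableBehaviorMonitoring }
        @{ Setting = 'Security intelligence';      Ok = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays); Preference = $status.AntivirusSignatureLastUpdated }
    )

    foreach ($r in $rows) {
        [pscustomobject]@{
            Setting    = $r.Setting
            Status     = if ($r.Ok) { 'OK' } else { 'ATTENTION' }
            Preference = $r.Preference
        }
    }
}

# Usage: print the audit table and return a non-zero exit code when any
# protected setting is not in its expected state, so the script can run from
# a scheduled job or a configuration-management check.
$audit = Get-DefenderProtectionAudit
$audit | Format-Table -AutoSize
if ($audit | Where-Object Status -eq 'ATTENTION') { exit 1 }
```

Because tamper protection blocks changes to these settings rather than hiding them, a row reporting ATTENTION on a tamper-protected device is worth treating as a finding in its own right, not just as a misconfiguration.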


The development of this feature is a result of our extensive research into the evolving threat landscape and attack patterns, along with consistent engagement with and feedback from customers and partners. The lack of visibility of tampering attempts at various levels can make it difficult to mitigate sophisticated threats. Customer feedback on deployment and other aspects of the feature was critical in our journey towards today’s GA. Here’s what some of these customers say about tamper protection:


“Tamper protection is a critical feature for us as we need to defend Microsoft Defender ATP to ensure that malicious actions are not going around our security platforms. While complex behind the scenes, Microsoft has made it extremely easy for us to configure and deploy through Microsoft Intune and allow our SecOps team visibility into any potential tampering events so we can further investigate and remediate.” – Rich Lilly, Partner | Associate Director, Netrixllc


“Microsoft’s new tamper protection feature ensures that Lexipol endpoints remain secured and in compliance by protecting against both malicious and accidental changes to Microsoft Defender ATP’s security settings. With Microsoft Intune, managed endpoints outside of the corporate VPN can be reached with ease and the inclusion of tamper protection settings in Microsoft Intune policies has greatly simplified the deployment of this critical security feature. The combination of tamper protection and Microsoft Intune increases Lexipol’s security posture while reducing the complexity of monitoring for compliance.”  – Patrick Sudderth, Director of Information Technology, Lexipol


Enabling tamper protection for enterprises through Microsoft Intune


Tamper protection can be deployed and managed centrally – and securely – through Microsoft Intune, similar to how other endpoint security settings are managed. The feature can be enabled for the entire organization, or through device and user groups.


[Image: Intune.png]


We designed deployment to be secure. We partnered with Microsoft Intune to build a secure channel to light up this feature. In this release, any changes to the tamper protection state may only be made through Microsoft Intune, not through any other methods like group policy, registry key, or WMI. Integration with other management channels will be prioritized based on customer demand.


When an administrator enables the policy in Microsoft Intune, the tamper protection policy is digitally signed in the backend before it’s sent to endpoints. The endpoint verifies the validity and intent, establishing that it is a signed package that only security operations personnel with Microsoft Intune admin rights can control. With the right level of reporting, security operations teams are empowered to detect any irregularities.


[Image: Flow.png]


Once the feature is enabled by administrators, users will see tamper protection turned on:

[Image: tp_ent.PNG]


To learn more, see Protect security settings with tamper protection.


Reporting and hunting for tampering attempts across organizations


When a tampering attempt is detected on endpoints, an alert is raised in Microsoft Defender Security Center. Using the rich endpoint and detection response capabilities in Microsoft Defender ATP, security operations teams can investigate and resolve these attempts.


[Image: alert.png]


Tampering attempts typically indicate bigger cyberattacks where threat actors change security settings as a way to persist and stay undetected. With reporting and advanced hunting capabilities in Microsoft Defender ATP, security operations teams can hunt for tampering attacks in organizations. This empowers SecOps to detect such attacks, investigate using the rich tooling provided by Microsoft Defender ATP, and respond to and stop cyberattacks.
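Alongside the alerts and advanced hunting in Microsoft Defender Security Center, an investigator will often want to confirm what the endpoint itself recorded. The script below is an added example, not code from the original post or from Microsoft: it pulls Microsoft Defender Antivirus operational events that indicate protection being switched off or a change being blocked, over a chosen number of days, and summarises them by type so a burst of blocked changes on one host stands out. The log name and the event-ID meanings in the table are assumptions drawn from the Defender event-log documentation; adjust the table if your Defender build documents the IDs differently.

```powershell
# Added example, not part of the original post: local triage of Defender
# operational events after a tampering alert.
# Assumptions: the log name below exists on Windows 10, and the event IDs in
# $meaning carry the meanings given (taken from Defender event documentation).

function Get-DefenderTamperingEvents {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $logName = 'Microsoft-Windows-Windows Defender/Operational'

    # Event ID -> meaning (assumed mapping; verify against your Defender version)
    $meaning = @{
        5001 = 'Real-time protection disabled'
        5010 = 'Malware scanning disabled'
        5012 = 'Virus scanning disabled'
        5013 = 'Configuration change blocked by tamper protection'
    }

    $filter = @{
        LogName   = $logName
        Id        = @($meaning.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            EventId  = $e.Id
            Meaning  = $meaning[$e.Id]
            # First line of the message is enough for a triage table.
            Message  = ($e.Message -split "`n")[0].Trim()
        }
    }
}

# Usage: newest events first, then a count per meaning.
$hits = Get-DefenderTamperingEvents -Days 7
$hits | Sort-Object Time -Descending | Format-Table -AutoSize
$hits | Group-Object Meaning | Select-Object Count, Name
```

Run it against the device named in the alert (via -ComputerName, which requires remote event log access) and compare the timestamps with the process tree shown in Microsoft Defender Security Center; a blocked-change event with no matching administrative activity is the pattern the post describes as a sign of a larger intrusion.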


We’re also working on reporting device status in Threat and Vulnerability Management. This feature will be available in the near future.


Tamper protection enabled by default for home users


For home users, tamper protection will be enabled by default to automatically increase defenses against attacks. We’re currently turning on the feature gradually; some customers will start seeing the setting on their devices. Customers can use the Windows Security app to review or change tamper protection settings and turn the feature on manually.


[Image: consumer.PNG]


We believe it’s critical for customers, across home users and commercial customers, to turn on tamper protection to ensure that essential security solutions are not circumvented. We will continue working on this feature, including building support for older Windows versions. We’ll announce these enhancements when they become available, so watch the Microsoft Defender ATP community. In the meantime, enable tamper protection today and give us feedback.


Shweta Jha (@shwetajha_MS)
Microsoft Defender ATP team

19 Comments
Deleted
Not applicable

Is it possible to enable "Tamper Protection" using GPO?

Copper Contributor

What about using TP to block the installation of 3rd party AV so that they don't take over the security system.
Stuff such as Avast or AVG should be blocked from taking over.

Copper Contributor

Very cool. Will be activating this in my environment

Microsoft

@Deleted currently the only management channel we have is Microsoft Intune. Tamper Protection is not exposed as a GPO, reg key or any other management channel. The feature is kept this way to ensure tamper protection can only be enabled/disabled from a centralized management portal in a secure and authorized way.

Microsoft

@Kvikku_1508 - Great, do please let me know if you need any help. Will look forward to hearing back from you.

Microsoft

@Pylot_Light - that's a great point. We are working with the 3rd party partnership eco-system to ensure only AM, PPL signed AV can register with the Windows Security App. That way we will be able to allow only legit AV on your system. Currently tamper protection is not blocking 3rd party AV registration with the Windows Security App.

Deleted
Not applicable
Okay so, I care about security, I understand the value, I accept why it is implemented the way it is, I think it's overall a positive move. However, I see a big issue I'm not seeing a real solution to. Say I get 200 new Windows 10 machines; they will come with Windows Defender and Tamper Protection enabled out of the box, so far so good. Let's understand and accept the context that I do not have Intune, I don't plan to use Intune, and instead, like most businesses, I rely on group policy and PowerShell to manage the 200 devices, so far so good. If I try to use PowerShell or group policy to disable Windows Defender it won't have any effect. That I accept; it's not supported, you're protecting me, Windows is a service, tamper protection protects me even from bad admins, good good good and good. However! Windows Defender PUA (potentially unwanted application) protection is disabled by default, Network Protection (like system-wide SmartScreen) is disabled by default, ASR (attack surface reduction) rules are disabled by default. So I go off and do my little PowerShell thing to enable those Defender features on those 200 machines (Set-MpPreference -PUAProtection Enabled; Set-MpPreference -EnableNetworkProtection Enabled; Set-MpPreference -AttackSurfaceReductionRules_Ids blah blah blah). I then wanna check that it's worked as intended, so I do a Get-MpPreference and they'll report back that those features are enabled as I configured them. Everything is fine, right? Wrong! Tamper Protection means PUA/network/ASR protections are still disabled even when PowerShell reports they are now turned on. The only way I can be sure is to physically connect to the machine and run evaluations to check the features are functioning, and they are not functioning, despite the fact that Get-MpPreference implies otherwise.
Is it really the case that I have to go to every single one of these 200 machines, turn off tamper protection, enable PUA protection, enable network protection, enable ASR rules, and then turn tamper protection back on? That's really what I have to do to enable these basic security features? One by one on all 200 machines? And then I still can't check remotely on a regular basis if they are on because the PowerShell is a lie? There's the view that Defender isn't that good, and I tell people it is good, and the thing holding it back is mainly that PUA detection is off by default, unlike every other AV on the market (that's how Malwarebytes got its fame; it's not actually better). My advice to those people is to turn PUA protection on via group policy or PowerShell, and consider turning on network protection and implementing the ASR rules. But now doing so will have no effect, because tamper protection blocks them. And even worse, group policy and PowerShell both imply to administrators that the features are enabled and running, when they're actually completely disabled! I'm all for tamper protection, but forcing me to use Intune just to enable PUA protection is terrible! And what about home users? Why is there no option for PUA protection in the Security Centre GUI???? Tamper protection has been around since April; I've used it, the documentation was originally brief and incorrect (might still be), I've learnt it was what broke these security features from being enabled, and I assumed it'd be getting fixed in 19H2 or 20H1. Now you're saying no, it's not being fixed, but instead it's being rolled out and turned on by default so basic critical features such as blocking known malicious software and known malicious websites are now prevented from being enabled by the people that need the protection the most??
I mean no disrespect at all, but I simply cannot log into all 200 computers one by one to disable tamper protection (which I want enabled) to enable security features that should be on by default. Does nobody else see this as a massive issue?? It seems like one step forward and two steps back. And holding back basic functionality and using it to shill Azure AD and Intune is the exact opposite of market leadership, or "advanced threat protection". Please please address this, and I apologise for my impolite tone and general rant; it is not intended at anybody specifically. (PS I genuinely wish Microsoft followed through with important projects like Nano Server and ReFS that were thrown to one side because, despite being the future, it turns out you can save money for a couple of quarters by giving up and screwing stakeholders. This seems like one of those things.)
Brass Contributor

Hello,


Will firewall rules be added to tamper protection? Currently network protection and cloud protection can be disabled via a dropper using a PowerShell command to firewall the processes. I reported this but it was seen as a non-issue. Personally I think it's akin to the antivirus whitelist attack, as most new viruses are blocked by these two.

Microsoft

@mbhmirc - thanks for bringing this up. Yes, adding firewall rules under TP is on our roadmap. Stay tuned... :smile:

Brass Contributor

@Shweta Jha Great, will this be in 1903/1909 or the next build?  I assume there is no possibility of back port to 1809?

Microsoft

@mbhmirc our current focus is to provide support for down-level OS versions. We will look into adding firewall settings as protected settings under tamper protection early next year and our goal would be to support it for down-level OS versions as well.

Copper Contributor

Hello

Is an activated Microsoft Defender ATP E5 required for managing Tamper Protection over Intune?  We run Intune and SCCM Endpoint Protection without ATP Option - I suppose in this case we will get the home user version - but would it be possible in such case to manage ON/OFF over Intune on co-managed devices? 

Thanks a lot for the feedback.

Copper Contributor

365 E5 has it, home users have it, but not 365 Business. Please rectify so 365 Business retains its high security ability by closing this hole.

Copper Contributor

@enspireditaa_01 Hello, what about O365 E3? Do they get tamper protection? Thanks for the update.

Copper Contributor

@petrifo I believe this may also be missing from E3, as I have only seen home users and E5 listed as supporting it.

Microsoft

@petrifo, tamper protection for E3 devices is on our roadmap; you will be able to manage it from Microsoft Intune and SCCM-based co-managed devices when it is available.

Copper Contributor

@Shweta Jha Thank you very much for this answer. So, we will wait for E3 to be enhanced with this feature.

Copper Contributor

Hi, I was reporting strange behavior from several PCs I owned in the last year that I now know are part of the "nodersok"/"divergent" attack. The fileless malware seems to be storing info on the SPI on Intel machines & the UEFI on AMD-based ones. Nothing gets rid of it. BIOS reflashing, new HDD, even have gotten motherboards with this infection built into them somehow. I've tried different installation media, since my initial install of Windows 10 came from upgrading from Windows 7 Ultimate & I've tried DVD/flash drive versions; however, the infection persists. Downloading the latest version results in the download of the insider preview with the latest Enterprise apps installed but non-functional to the user & it disables Windows Defender completely, yet it shows no warnings, redirects Windows Update, etc. Something to note is that it uses a UNIX OS behind Windows 10, which runs as a "virtual machine". The registry shows a blank BCD, there's tons of hidden SIDs with admin capabilities, Windows version is showing NT 6.0 or Windows Server 2016, it keeps a record of every install, even when running a RAM disk with no HDD, as I am now (Hiren's PE).

Looking at web page source will show various local individuals using multiple affiliate programs for pay-per-click. It runs a cell phone relay, can infect other PCs with ransomware or this same hack; running Linux you can see that it monitors your shopping, local stores' security cams, cash register terminals, etc. For me it is very local, found within a 25 mi radius: every PC at 2 Walmarts is infected, the Landsford library is infected, it ruined 6 PCs of mine, this Ideapad 320 bought new from Walmart in 8/2018 came infected.

So how do I get rid of this? Buying a new laptop didn't work, new PC components didn't work, replacing all peripherals didn't work, meaning this is "out in the wild" more than we think. Sure, now it seems preventable if you can find a clean machine to start with. What do the multitudes already deeply infected do? I can buy another Windows 10 flash media; however, this seems to hop onto flash drives in a 4-5MB inaccessible area it creates on plug-in. A hacker contacted me via console to inform me it is written in "C" & that an "ancestor" is required. There are no legit Azure accounts tied to this machine or any others I had. This version of "nodersok" is cross-platform. It installs on any version of Windows, Linux, Unix, Slackware, Ubuntu, Mac, even Android (my phone, mom's phone & my Vizio smart TV from 2014 all have this hidden partition on an embedded chip).

To run Windows Defender's newest version I need to be able to install Windows properly or the non-malware disables most of it, like the APT part. Another "heads up" on this is the earliest file footprint goes back to 2008, XP/Vista. Further exam reveals it started in this area (18218, 18235) around 2012 as the beginning of this being used locally. This can "touch" files, change what you see on screen, has full AI when not connected to any internet. I found drivers for a "BDA tuner", HAM radio receivers, OOB transmitter drivers, GPRS modem, so much it's unreal. I have 20+ years in PCs & this is the nastiest thing I've run across. Looking at the UEFI files, there's about 3MB of nonsense out of a 5MB partition that is locked as RO for me. Somehow I made it so the C&C cannot overwrite the SPI anymore. All the local attackers' IMEIs, MACs, IPs are stuck in that area permanently.

Sorry for the long post. This info is critical to solving the issue of this latest threat. Hopefully, someone can lend me a code to rid this thing of the current infection. Otherwise I can foresee a massive shutdown of all infected PCs like happened years back (500,000 I think). I am a member of CERT & have reported this to proper authorities as well. Any help is greatly appreciated.


Copper Contributor

Hi Team,

I want to disable Tamper Protection for an individual device using Intune. Thanks

Version history
Last update: Sep 24 2020 05:35 PM