Blog Post

Microsoft Defender for Endpoint Blog
3 MIN READ

Make sure Tamper Protection is turned on

OludeleOgunrinde's avatar
Aug 28, 2021

Tamper protection in Microsoft Defender for Endpoint (MDE) helps protect organizations like yours from unwanted changes to your security settings by unauthorized users. Tamper protection prevents malicious actors from turning off threat protection features, such as antivirus protection, and includes detection of, and response to tampering attempts. Tamper protection is available to customers ranging from consumers to enterprise organizations. If you haven’t already done so, turn on tamper protection now to help prevent attackers from disabling your antivirus and antimalware protection.

 

Why tamper protection is so important

Turning off anti-tampering measures, such as tamper protection, is often the first step in a ransomware, supply chain, or other Advanced Persistent Threat (APT) attack. (See our example later in this article.) By hardening against tampering, you can help prevent breaches from the outset. Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed through apps and other methods, such as registry key modifications, PowerShell cmdlets, Group Policy, and so on. Having tamper protection on is one of the most critical tools in your fight against ransomware.

 

Note: Because tamper protection is so critical in helping to protect against ransomware, we have taken the approach to enable it as on by default for all new Microsoft Defender for Endpoint tenants for some time now.

 

What to expect when tamper protection is enabled

In a digital estate where tamper protection is enabled, malicious apps, users, or admins are prevented from taking unauthorized or unintentional actions such as:

  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling antivirus (such as IOfficeAntivirus (IOAV))
  • Disabling cloud-delivered protection
  • Removing security intelligence updates
  • Change threat severity actions (config name: ThreatSeverityDefaultAction)
  • Disable script scanning (config name: DisableScriptScanning)

 

Note: Tamper protection does not break your Group Policy Objects or Mobile Device Management configurations and scripts that are deployed through your security management solutions. Also, any unauthorized tampering (intentional or unintentional) with the reg key will be ignored by Defender for Endpoint.

 

Methods to manage tamper protection

Depending on your subscription and endpoint operating systems, you can choose from several methods to manage tamper protection. The following table lists the default state for different environments and ways to configure tamper protection in your organization.

 

Environment  

Tamper protection state   

Methods to manage tamper protection

 

 

 

 

Microsoft 365 E5/ Education A5 - New Tenants 

 

 

 

 

On by default   

- Microsoft Endpoint Manager: Intune for Windows 10 devices onboarded to Microsoft Defender for Endpoint (Defender for Endpoint)

 

- Microsoft Endpoint Manager: Configuration Manager Tenant attach for Windows Server 2016 & 2019 and Windows 10  

 

- Microsoft 365 Defender portal (security.microsoft.com): under advanced feature settings for endpoints (global setting)  

 

  

Microsoft 365 E5/ Education A5 - Existing Tenants  

Off by default, but customers can opt-in  

 

An example of tamper protection in action

As mentioned in the recent blog, Hunting down LemonDuck and LemonCat attacks, tamper protection helps prevent robust malware like LemonDuck from automatically disabling Microsoft Defender for Endpoint real-time monitoring and protection. The following diagram outlines the LemonDuck attack chain. Notice that in the Evasion phase, antimalware protection is disabled.

 

 

 

Unchecked, malware like LemonDuck can take actions that could, in effect, disable protection capabilities in Microsoft Defender for Endpoint. Disabling your threat protection frees the attacker to perform other actions, such as exfiltrating credentials and spreading to other devices. Tamper protection is designed to help safeguard people and organizations from such actions.

 

Next steps

Make sure tamper protection is turned on.

 

Let us know what you think! Post a comment and give us your feedback!

 

 

 

 

 

 

 

 

 

 

 

 

Updated Aug 30, 2021
Version 3.0