Tamper protection in Microsoft Defender for Endpoint (MDE) helps protect organizations like yours from unwanted changes to your security settings by unauthorized users. Tamper protection prevents malicious actors from turning off threat protection features, such as antivirus protection, and includes detection of, and response to tampering attempts. Tamper protection is available to customers ranging from consumers to enterprise organizations. If you haven’t already done so, turn on tamper protection now to help prevent attackers from disabling your antivirus and antimalware protection.
Turning off anti-tampering measures, such as tamper protection, is often the first step in a ransomware, supply chain, or other Advanced Persistent Threat (APT) attack. (See our example later in this article.) By hardening against tampering, you can help prevent breaches from the outset. Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed through apps and other methods, such as registry key modifications, PowerShell cmdlets, Group Policy, and so on. Having tamper protection on is one of the most critical tools in your fight against ransomware.
Note: Because tamper protection is so critical in helping to protect against ransomware, we have taken the approach to enable it as on by default for all new Microsoft Defender for Endpoint tenants for some time now.
In a digital estate where tamper protection is enabled, malicious apps, users, or admins are prevented from taking unauthorized or unintentional actions such as:
Note: Tamper protection does not break your Group Policy Objects or Mobile Device Management configurations and scripts that are deployed through your security management solutions. Also, any unauthorized tampering (intentional or unintentional) with the reg key will be ignored by Defender for Endpoint.
Depending on your subscription and endpoint operating systems, you can choose from several methods to manage tamper protection. The following table lists the default state for different environments and ways to configure tamper protection in your organization.
Environment |
Tamper protection state |
Methods to manage tamper protection |
Microsoft 365 E5/ Education A5 - New Tenants
|
On by default |
- Microsoft Endpoint Manager: Intune for Windows 10 devices onboarded to Microsoft Defender for Endpoint (Defender for Endpoint)
- Microsoft Endpoint Manager: Configuration Manager Tenant attach for Windows Server 2016 & 2019 and Windows 10
- Microsoft 365 Defender portal (security.microsoft.com): under advanced feature settings for endpoints (global setting)
|
Microsoft 365 E5/ Education A5 - Existing Tenants |
Off by default, but customers can opt-in |
As mentioned in the recent blog, Hunting down LemonDuck and LemonCat attacks, tamper protection helps prevent robust malware like LemonDuck from automatically disabling Microsoft Defender for Endpoint real-time monitoring and protection. The following diagram outlines the LemonDuck attack chain. Notice that in the Evasion phase, antimalware protection is disabled.
Unchecked, malware like LemonDuck can take actions that could, in effect, disable protection capabilities in Microsoft Defender for Endpoint. Disabling your threat protection frees the attacker to perform other actions, such as exfiltrating credentials and spreading to other devices. Tamper protection is designed to help safeguard people and organizations from such actions.
Make sure tamper protection is turned on.
Let us know what you think! Post a comment and give us your feedback!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.