We are pleased to announce that Microsoft Defender for Endpoint's tamper protection feature, previously available in Public Preview, is now generally available on macOS devices and will be rolling out over the next few days.
Ensure that you are running Microsoft Defender for Endpoint for macOS version 101.75.90 or later, available through Microsoft AutoUpdate, to use the capability.
What is Tamper protection?
Tamper protection brings an additional layer of protection in Microsoft Defender for Endpoint to elevate the endpoint security posture of organizations. Reliably securing endpoints is crucial for any organization. Enhanced tamper resilience across prevalent platforms is a great advantage for organizations seeking to continuously enhance their endpoint security.
What does this mean for me?
This feature will be released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability.
In audit mode, you will notice the following events will be logged (audited):
Actions to uninstall Defender for Endpoint agent
Deletion/renaming/modification of Defender for Endpoint files
The creation of new files under Defender for Endpoint installation locations
While in Audit mode, TP signals can be viewed via Advanced Hunting and in local on-device logs. No tampering alerts are raised in the Security Center while in Audit mode. Alerts are raised in the portal only in block mode.
To observe tampering events in the portal, you can use the following query in Advanced Hunting:
DeviceInfo | where OSPlatform == 'macOS' | join kind=rightsemi ( DeviceEvents | where ActionType contains "TamperingAttempt" ) on DeviceId
Figure 1: The following screenshot demonstrates querying for Tampering events via advanced hunting
If you want to check the status of the feature on a single device, you can run the command “mdatp health”. Look for the tamper_protection field, it will display “audit”, “block” or “disabled” according to your configuration.
The logs can also be found locally on the device. Tampering events are logged in: “Library/Logs/Microsoft/mdatp/microsoft_defender_core*.log”
How can I start benefitting from this new capability?
You can leverage the audit mode (default mode) to get a sense of how the feature detects actions that are indicative of tampering attempts. Later this year, we will offer a gradual rollout mechanism that will automatically switch endpoints to block mode; note this will only apply if you have not specifically made a choice to either enable (block mode) or disable the capability.
If you decide to turn the feature on and move it to block mode, logging of each suspected tampering action will be complemented with its actual blocking and a corresponding alert in the security center portal. To turn the feature off entirely you can disable Tamper Protection.