Jul 05 2021
Please note: This is not an issue, just a question/discussion regarding whether tamper protection actually would have helped.
Trying to figure out how tamper protection would have assisted in the case of the Kaseya VSA attacks going on.
Right now I've tried to run the script for disabling the following features with PowerShell, both with local admin rights and with SYSTEM rights, without any success:
powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
In my case, this confirms that tamper protection and managed settings through CM/Intune/GPOs would have blocked the script from disabling core features in Defender for Endpoint / Defender.
Am I missing something?
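As an added check (example code, not part of the original post): the script below records the current Defender preferences, reports whether tamper protection is on, attempts the same Set-MpPreference call as the one quoted above, and then reads the preferences back to show per setting which ones actually changed and which were held. It also reads the engine state from Get-MpComputerStatus separately, because a preference value and the running state of real-time protection can differ, and a tamper-protected host may either reject the call with an error or accept it and silently keep the old values. Only the standard Defender cmdlets and their documented properties are used; the variable names and the expected-value table are this example's own, and it must be run in an elevated session.

```powershell
# Added example (not from the original post): does tamper protection / policy
# management actually hold against the Set-MpPreference call from the post?
# Run in an elevated PowerShell session on a host with Microsoft Defender.

# The settings the quoted one-liner tries to apply.
$Attempt = @{
    DisableRealtimeMonitoring        = $true
    DisableIntrusionPreventionSystem = $true
    DisableIOAVProtection            = $true
    DisableScriptScanning            = $true
    EnableControlledFolderAccess     = 'Disabled'
    EnableNetworkProtection          = 'AuditMode'
    MAPSReporting                    = 'Disabled'
    SubmitSamplesConsent             = 'NeverSend'
}

# What Get-MpPreference would report if every change had taken effect.
# Get-MpPreference returns the enum-typed settings as numbers, hence the mapping.
$Expected = @{
    DisableRealtimeMonitoring        = $true
    DisableIntrusionPreventionSystem = $true
    DisableIOAVProtection            = $true
    DisableScriptScanning            = $true
    EnableControlledFolderAccess     = 0   # Disabled
    EnableNetworkProtection          = 2   # AuditMode
    MAPSReporting                    = 0   # Disabled
    SubmitSamplesConsent             = 2   # NeverSend
}

$status = Get-MpComputerStatus
Write-Host "Tamper protection enabled : $($status.IsTamperProtected)"
Write-Host "Real-time protection (engine) before: $($status.RealTimeProtectionEnabled)"

# Snapshot the preferences so they can be restored if the change does go through.
$before = Get-MpPreference

# A tamper-protected host may throw here; a policy-managed one may return
# quietly and just not apply the change, so both paths are handled.
try {
    Set-MpPreference @Attempt -Force -ErrorAction Stop
    Write-Host "Set-MpPreference returned without error."
} catch {
    Write-Host "Set-MpPreference failed: $($_.Exception.Message)"
}

# Compare what is actually stored now with what the call asked for.
$after   = Get-MpPreference
$changed = @()
foreach ($name in $Expected.Keys) {
    $applied = ($after.$name -eq $Expected[$name])
    if ($applied) { $changed += $name }
    $state = if ($applied) { 'CHANGED' } else { 'HELD' }
    Write-Host ("{0,-34} before={1,-6} after={2,-6} {3}" -f $name, $before.$name, $after.$name, $state)
}

# The preference value is only half the picture; ask the engine what it is doing.
Write-Host "Real-time protection (engine) after : $((Get-MpComputerStatus).RealTimeProtectionEnabled)"

if ($changed.Count -eq 0) {
    Write-Host "All requested changes were held. Protections stayed in place."
} else {
    Write-Host "WARNING: $($changed -join ', ') changed. Restoring recorded values."
    # Re-apply the snapshot for whatever was changed.
    $restore = @{}
    foreach ($name in $changed) { $restore[$name] = $before.$name }
    Set-MpPreference @restore -Force
}
```

If every row reports HELD on a host where IsTamperProtected is True, the result matches what the post observed: the call is rejected regardless of whether it runs as a local administrator or as SYSTEM. On a host where settings are managed by CM/Intune/GPO but tamper protection is off, the call may also be held for the policy-managed settings only, so the per-setting table is more informative than the cmdlet's return code alone.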