Tamper protection in Microsoft Defender for Endpoint (MDE) helps protect organizations like yours from unwanted changes to your security settings by unauthorized users. Tamper protection prevents malicious actors from turning off threat protection features, such as antivirus protection, and includes detection of, and response to tampering attempts. Tamper protection is available to customers ranging from consumers to enterprise organizations. If you haven’t already done so, turn on tamper protection now to help prevent attackers from disabling your antivirus and antimalware protection.

Why tamper protection is so important

Turning off anti-tampering measures, such as tamper protection, is often the first step in a ransomware, supply chain, or other Advanced Persistent Threat (APT) attack. (See our example later in this article.) By hardening against tampering, you can help prevent breaches from the outset. Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed through apps and other methods, such as registry key modifications, PowerShell cmdlets, Group Policy, and so on. Having tamper protection on is one of the most critical tools in your fight against ransomware.

Note: Because tamper protection is so critical in helping to protect against ransomware, we have taken the approach to enable it as on by default for all new Microsoft Defender for Endpoint tenants for some time now.

What to expect when tamper protection is enabled

In a digital estate where tamper protection is enabled, malicious apps, users, or admins are prevented from taking unauthorized or unintentional actions such as:

• Disabling virus and threat protection
• Disabling real-time protection
• Turning off behavior monitoring
• Disabling antivirus (such as IOfficeAntivirus (IOAV))
• Disabling cloud-delivered protection
• Removing security intelligence updates
• Change threat severity actions (config name: ThreatSeverityDefaultAction)
• Disable script scanning (config name: DisableScriptScanning)

Note: Tamper protection does not break your Group Policy Objects or Mobile Device Management configurations and scripts that are deployed through your security management solutions. Also, any unauthorized tampering (intentional or unintentional) with the reg key will be ignored by Defender for Endpoint.

Methods to manage tamper protection

Depending on your subscription and endpoint operating systems, you can choose from several methods to manage tamper protection. The following table lists the default state for different environments and ways to configure tamper protection in your organization.

An example of tamper protection in action

As mentioned in the recent blog, Hunting down LemonDuck and LemonCat attacks, tamper protection helps prevent robust malware like LemonDuck from automatically disabling Microsoft Defender for Endpoint real-time monitoring and protection. The following diagram outlines the LemonDuck attack chain. Notice that in the Evasion phase, antimalware protection is disabled.

Unchecked, malware like LemonDuck can take actions that could, in effect, disable protection capabilities in Microsoft Defender for Endpoint. Disabling your threat protection frees the attacker to perform other actions, such as exfiltrating credentials and spreading to other devices. Tamper protection is designed to help safeguard people and organizations from such actions.

Next steps

Make sure tamper protection is turned on.

• If you’re part of your organization’s security team, turn on tamper protection for your organization. See Protect security settings with tamper protection.
• If tamper protection is turned on for some, but not all endpoints, consider turning it on tenant wide. You can do this using the Microsoft 365 Defender portal. See Manage tamper protection for your organization.

Let us know what you think! Post a comment and give us your feedback!