Tamper protection effectively locks Microsoft Defender Antivirus to its safe, default settings and prevents your security settings from being modified via programs and techniques such as using Registry Editor or PowerShell cmdlets to alter settings on your Windows device, modifying settings with PowerShell cmdlets, and changing or deleting security settings using Group Policy. Tamper protection is part of anti-tampering capabilities that include standard protection attack surface reduction rules. You may want to see the following related guides: How to enable Smart App Control and Reputation-Based Protection in Windows 11, how to enable or disable Reputation-Based Protection on Windows 10 and Windows 11, and how to enable or disable Core Isolation Memory Integrity in Windows 10 and Windows 11
Tamper protection is available for devices that are running one of the following versions of Windows:
- Windows 10 and 11 (including Enterprise multi-session)
- Windows Server, version 1803 or later (Windows Server 2019, Windows Server 2022)
- Windows Server 2016 and Windows Server 2012 R2 (using the modern, unified solution)
Why should we have the Tamper Resistant Enabled for Microsoft Defender?
Turning off anti-tampering measures, such as tamper protection, is often the first step in a ransomware, supply chain, or other Advanced Persistent Threat (APT) attack. During these kinds of cyber-attacks, bad actors try to disable security features, such as antivirus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, install malware, or otherwise exploit your data, identity, and devices.
Tamper protection helps prevent these kinds of things from occurring. With tamper protection, malicious apps are prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behaviour monitoring
- Disabling antivirus protection, such as IOfficeAntivirus (IOAV)
- Disabling cloud-delivered protection
- Removing security intelligence updates
- Disabling automatic actions on detected threats
- Suppressing notifications in the Windows Security app
- Disabling scanning of archives and network files
By hardening against tampering, you can help prevent breaches from the outset. Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed through apps and other methods, such as registry key modifications, PowerShell cmdlets, Group Policy, and so on.
Having tamper protection is one of the most critical tools in your fight against ransomware. This article applies to the following below. But we will be focusing on Microsoft Defender Antivirus.
Here is an example of tamper protection in action. As discussed previously, Tamper protection prevents robust malware like LemonDuck from automatically disabling Microsoft Defender for Endpoint real-time monitoring and protection. The following diagram outlines the LemonDuck attack chain. Notice that in the Evasion phase, antimalware protection is disabled.
Unchecked, malware like LemonDuck can take actions that could, in effect, disable protection capabilities in Microsoft Defender for Endpoint. Disabling your threat protection frees the attacker to perform other actions, such as exfiltrating credentials and spreading to other devices. Tamper protection is designed to help safeguard people and organizations from such actions.
Because tamper protection is so critical in helping to protect against ransomware, we have taken the approach to enable it as on by default for all new Microsoft Defender for Endpoint tenants for some time now. If you wish to learn more about Microsoft Microsoft Defender for Endpoint, please see the Microsoft Tech community documentation. In this guide, our focus is on Microsoft Defender Antivirus
How to enable Microsoft Defender Anti Virus Tamper protection
To enable Tamper Protection, press the Windows key to open the Start menu, then type Windows Security and select the result that best matches your search. Here is part 1 of this guide: how to turn on Windows 10 Tamper Protection for Microsoft Defender.
You may be prompted to enable Tamper Protection. To enable it, simply click “Turn On.” If not, click the “Virus & threat protection” icon.
Click the “Manage Settings” link under Virus & threat protection settings.
Locate the Tamper Protection option and toggle it from “Off” to “On.”
To enable Tamper Protection via Windows registry, Microsoft Office 365 Defender Portal, and Microsoft Endpoint Manager, kindly follow to get the notification when the articles are created.
Note: If you use a 3rd party anti-malware solution, you do not have to configure this option, and it will not be available to you. You can enable periodic scanning if you wish.
Tamper Protection on macOS
Tamper protection in macOS helps prevent unwanted changes to security settings from being made by unauthorized users. Tamper protection helps prevent unauthorized removal of Microsoft Defender for Endpoint on macOS. This capability also helps important security files, processes, and configuration settings from being tampered with.
Tamper protection on macOS is only supported on macOS version Big Sur (11) or later. Since I use a different Anti-Virus solution for my macOS, I will not be discussing how this applies to the macOS platform in detail. I will be discussing these steps in the future.
Note: You can configure the tamper protection mode by providing the mode name as enforcement-level. The mode change will apply immediately, and if the JAMP is used during the initial configuration, you will need to update the configuration using JAMF as well.
You can set tamper protection in the following modes as discussed below:
|Disabled –||Tamper protection is completely off (this is the default mode after installation)|
|Audit –||Tampering operations are logged, but not blocked|
|Block –||Tamper protection is on, tampering operations are blocked|
In the Audit Mode, the following actions are logged.
- Actions to uninstall Defender for Endpoint agent is logged (audited)
- Editing/modification of Defender for Endpoint files are logged (audited)
- Creation of new files under Defender for Endpoint location is logged (audited)
- Deletion of Defender for Endpoint files is logged (audited)
- Renaming of Defender for Endpoint files is logged (audited)
In block mode, the following actions are blocked from taking place. Kindly use the command to manually enable the block mode for tamper protection on your macOS.
sudo mdatp config tamper-protection enforcement-level --value block
You can verify the result by using the command below. For JAMP and Intune configuration, we will be discussing this in the future. Kindly stay tuned by subscribing or following us.
Note: If you use manual configuration to enable tamper protection, you can also disable tamper protection manually at any time. For example, you can revoke Full Disk Access from Defender in System Preferences manually. You must use MDM instead of manual configuration to prevent a local admin from doing that.
The image above is an example of the system message that will be prompted in the event that a malicious user or an intruder attempts to perform any of the following actions.
- Actions to uninstall Defender for Endpoint agent is blocked
- Editing/modification of Defender for Endpoint files are blocked
- Creation of new files under Defender for Endpoint location is blocked
- Deletion of Defender for Endpoint files is blocked
- Renaming of Defender for Endpoint files is blocked
- Commands to stop the agent fail
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.