Tamper Protection prevents malware from disabling Microsoft Defender AV
Microsoft Defender, the anti-malware component of Microsoft Windows, has been equipped with a new protective feature called Tamper Protection, which should prevent malware from disabling it.
The feature will be rolled out to Windows 10 users and enabled by default for home users. Enterprise administrators will be able to enable it for endpoints via Intune (the Microsoft 365 Device Management portal).
About Tamper Protection
“Tamper protection prevents unwanted changes to security settings on devices. With this protection in place, customers can mitigate malware and threats that attempt to disable security protection features,” Microsoft explains.
When the feature is turned on, it prevents malware from disabling virus and threat protection, real-time and cloud-delivered protection, turning off behavior monitoring and removing security intelligence updates.
“Tamper Protection essentially locks Microsoft Defender and prevents your security settings from being changed through apps and methods like these: configuring settings in Registry Editor on your Windows machine, changing settings through PowerShell cmdlets, editing or removing security settings through group policies, and so on.”
Protection for enterprise endpoints
While home users will be able to switch Tamper Protection off via the Windows Security app if they are have administrator permissions on their computer, enterprise users won’t be able to do that.
Tamper Protection will be available to organizations that have Microsoft Defender ATP E5 (i.e., Microsoft 365 E5), but only for endpoints that run Windows 10 1903 or later and have specific security intelligence updates and anti-malware platform and anti-malware engine versions.
Administrators will be able to configure the feature in Intune for the entire organization, specific devices or user groups. Once the protection is turned on by an admin (global admin, security admin, or security operations), local admins will not be able to change or modify Tamper Protection settings on their devices.
“In this release, any changes to the tamper protection state may only be made through Microsoft Intune, not through any other methods like group policy, registry key, or WMI. Integration with other management channels will be prioritized based on customer demand,” Shweta Jha, a senior program manager with the Microsoft Defender ATP team, explained.
“When an administrator enables the policy in Microsoft Intune, the tamper protection policy is digitally signed in the backend before it’s sent to endpoints. The endpoint verifies the validity and intent, establishing that it is a signed package that only security operations personnel with Microsoft Intune admin rights can control. With the right level of reporting, security operations teams are empowered to detect any irregularities.”
Tampering attempts on endpoints – either by malware or users – will be flagged and shown in Microsoft Defender Security Center (the Microsoft Defender ATP portal) and should help security operation teams to detect, investigate and stop attacks in progress.