Protect your organization from the effects of tampering

Tampering is the general term for an attacker's attempts to impair the effectiveness of Microsoft Defender for Endpoint. An attacker's ultimate goal isn't to affect just one device but to achieve an objective such as launching a ransomware attack. As such, the anti-tampering capabilities of Microsoft Defender for Endpoint extend beyond preventing tampering on a single device to detecting attacks and minimizing their impact.

Organization-wide tamper resiliency is built on Zero Trust

The foundation for defending against tampering is following a Zero Trust model.

In order to provide an effective defense against tampering, devices must be healthy.

Note

On Windows devices, Microsoft Defender Antivirus can be managed by using Group Policy, Windows Management Instrumentation (WMI), and PowerShell cmdlets. However, those methods are more susceptible to tampering than Microsoft Intune, Configuration Manager, or Microsoft Defender for Endpoint Security Configuration Management, because a local administrator (or an attacker running as one) can change them directly on the device. If you're using Group Policy, we recommend disabling local overrides for Microsoft Defender Antivirus settings and disabling local list merging, so that a local change can't override a policy setting or add to a policy-defined list such as exclusions.

You can view the health status of Microsoft Defender Antivirus and the sensor in the device health reports in Microsoft Defender for Endpoint.

Preventing tampering on a single device

Attackers use various tampering techniques to disable Microsoft Defender for Endpoint on a single device. These techniques are prevented differently on different operating systems.

Control: Tamper protection
OS: Windows
Technique families prevented:
  • Terminating/suspending processes
  • Stopping/pausing/suspending services
  • Modifying registry settings, including exclusions
  • Manipulating/hijacking DLLs
  • Manipulating/modifying the file system
  • Agent integrity

Control: Tamper protection
OS: Mac
Technique families prevented:
  • Terminating/suspending processes
  • Manipulating/modifying the file system
  • Agent integrity

Control: Attack surface reduction rules
OS: Windows
Technique family prevented:
  • Kernel drivers (see Block abuse of exploited vulnerable signed drivers)

Control: Windows Defender Application Control (WDAC)
OS: Windows
Technique family prevented:
  • Kernel drivers (see Microsoft vulnerable driver blocklist)

Understanding the different ways to prevent driver-based tampering on Windows

One of the most common tampering techniques is to load a vulnerable driver to gain access to the kernel. The driver is often wrapped in an easy-to-deploy tool, but the underlying technique is the same.

To prevent driver-based tampering on a single device, the device must be configured to block that driver from loading before the attack takes place.

Microsoft provides several ways to keep devices protected and up to date against driver-based tampering.

Broadest protection - Microsoft vulnerable driver blocklist

The blocklist is updated with each new major release of Windows, typically 1-2 times per year. Microsoft occasionally publishes updates between releases through regular Windows servicing. Starting with the Windows 11 2022 Update, the vulnerable driver blocklist is enabled by default on all devices, but it is only enforced when memory integrity (also known as hypervisor-protected code integrity, or HVCI), Smart App Control, or S mode is active.

See Microsoft vulnerable driver blocklist.

For devices that don't meet those requirements, the same list of drivers can be blocked by deploying it as a Windows Defender Application Control policy.

See Vulnerable Driver blocklist XML.

Faster updates - Block abuse of exploited vulnerable signed drivers ASR rule

The list of drivers blocked by this ASR rule is updated more frequently than the Microsoft vulnerable driver blocklist. ASR rules can run in audit mode first to confirm there's no impact before you switch the rule to block mode.

See Block abuse of exploited vulnerable signed drivers rule.

Block other drivers - Windows Defender Application Control (WDAC)

Attackers might attempt to use drivers that aren't blocked by either the recommended driver blocklist or an ASR rule. In this case, customers can protect themselves by using WDAC to create a policy to block

WDAC also provides an audit mode, which helps you understand the impact of a policy before enforcing it in block mode, so legitimate drivers aren't blocked by accident.
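The three layers above (built-in blocklist, ASR rule, WDAC policy) can be checked and enabled from an elevated PowerShell session. The script below is an added example written for this section, not code from the Microsoft article. It assumes the documented registry locations for the HVCI, Smart App Control, and blocklist switches, the documented Win32_DeviceGuard WMI class, the documented GUID of the "Block abuse of exploited vulnerable signed drivers" rule, and that the blocklist XML has already been downloaded from Microsoft; S mode is not checked.

```powershell
# Added example, not code from the Microsoft article: audit the three driver-blocking layers on one
# Windows device, enable the ASR rule (audit first), and deploy the blocklist XML as a WDAC policy.
# Assumed: documented registry values, Win32_DeviceGuard, and the documented ASR rule GUID. Run elevated.

$AsrDriverRuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'   # Block abuse of exploited vulnerable signed drivers

function Get-DriverBlockingStatus {
    # Layer 1: the built-in Microsoft vulnerable driver blocklist. It's only enforced when HVCI,
    # Smart App Control, or S mode is active (S mode isn't checked here).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvciRunning = @($dg.SecurityServicesRunning) -contains 2      # 2 = hypervisor-protected code integrity

    $sac = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' `
                -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    $smartAppControlOn = ($sac -eq 1)                               # 1 = on, 2 = evaluation, 0/absent = off

    # Explicit on/off switch for the blocklist (the "Microsoft Vulnerable Driver Blocklist" toggle in Windows Security).
    $toggle = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $toggleDisplay = if ($null -eq $toggle) { 'default (on)' } else { $toggle }

    # Layer 2: the ASR rule. Get-MpPreference exposes rule IDs and actions as two parallel arrays
    # (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $mp  = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids)
    $asrAction = 0
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrDriverRuleId) { $asrAction = [int]$mp.AttackSurfaceReductionRules_Actions[$i] }
    }

    # Layer 3: any deployed WDAC policy. Single-policy format lives at SiPolicy.p7b; the
    # multiple-policy format drops one .cip file per policy under CiPolicies\Active.
    $ci   = Join-Path $env:windir 'System32\CodeIntegrity'
    $wdac = @(Get-ChildItem -Path (Join-Path $ci 'SiPolicy.p7b'), (Join-Path $ci 'CiPolicies\Active\*.cip') `
                -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        HvciRunning              = $hvciRunning
        SmartAppControlOn        = $smartAppControlOn
        BlocklistToggle          = $toggleDisplay
        BuiltInBlocklistEnforced = ($hvciRunning -or $smartAppControlOn) -and ($toggle -ne 0)
        AsrDriverRuleAction      = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }[$asrAction]
        WdacPolicyFiles          = @($wdac | ForEach-Object FullName)
    }
}

function Set-DriverAsrRule {
    # Audit first; move to Enabled (block) only after reviewing event ID 1122 hits or the ASR report.
    # Add-MpPreference merges with the rules already configured rather than replacing them.
    param([ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Mode = 'AuditMode')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrDriverRuleId -AttackSurfaceReductionRules_Actions $Mode
}

function Install-VulnerableDriverBlocklistPolicy {
    # Converts the downloaded blocklist XML to binary form and deploys it as a single WDAC policy.
    # A device that already has a policy at SiPolicy.p7b should merge with Merge-CIPolicy instead of
    # overwriting it; a reboot (or a policy refresh) is required before the policy is enforced.
    param([Parameter(Mandatory)][string]$XmlPath)
    $bin = Join-Path $env:TEMP 'VulnerableDriverBlocklist.p7b'
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $bin | Out-Null
    $dest = Join-Path $env:windir 'System32\CodeIntegrity\SiPolicy.p7b'
    if (Test-Path $dest) { throw "A WDAC policy already exists at $dest; merge with Merge-CIPolicy instead." }
    Copy-Item -Path $bin -Destination $dest -Force
    $dest
}

Get-DriverBlockingStatus | Format-List
```

A device managed by Intune or Security Configuration Management, or one with tamper protection on, may reject or revert the local Add-MpPreference change; that is the intended behavior of the Note above, and the rule should then be set through the management channel instead.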

Preventing tampering via Microsoft Defender Antivirus exclusions on Windows

A common technique used by attackers is to make unauthorized changes to anti-virus exclusions. Tamper protection prevents such attacks from occurring when all of the following conditions are met:

For more information, see Tamper protection for antivirus exclusions.

Attackers can be prevented from discovering existing antivirus exclusions by enabling HideExclusionsFromLocalAdmin.
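The settings this section and the earlier Note rely on (tamper protection, local setting overrides, local list merging, hidden exclusions) can be audited together on a device. The script below is an added example for both passages, not code from the Microsoft article. It assumes the documented policy registry root for Microsoft Defender Antivirus, that the HideExclusionsFromLocalAdmin value name mirrors the setting name used in this article (confirm it against your ADMX or CSP), and that the "broad exclusion" patterns are constructed heuristics rather than a Microsoft list. It is read-only.

```powershell
# Added example, not code from the Microsoft article: report tamper protection, local-override, list-merge
# and exclusion posture on one Windows device, and flag exclusions broad enough for an attacker to abuse.
# Assumed: documented policy registry root; HideExclusionsFromLocalAdmin value name as used in the
# article; the broad-exclusion patterns are constructed heuristics. Read-only; run elevated.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Exclusion targets that give an attacker a protected place to stage tooling (constructed heuristics).
$BroadExclusionPatterns = @(
    '^[A-Za-z]:\\?$',                      # a whole drive
    '^[A-Za-z]:\\Users\\?$',               # all user profiles
    '\\Users\\[^\\]+\\?$',                 # one entire user profile
    '\\Temp\\?$', '\\Downloads\\?$', '\\ProgramData\\?$',
    '\\\*$',                               # wildcard over a whole directory tree
    '^\*?\.[A-Za-z0-9]+$'                  # extension exclusions are broad by nature; list for review
)

function Get-PolicyValue([string]$Name, [string]$SubKey = '') {
    $key = if ($SubKey) { Join-Path $PolicyRoot $SubKey } else { $PolicyRoot }
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-LocalOverridesAllowed {
    # Every LocalSettingOverride* policy value set to 1 lets a local admin override that policy setting.
    $keys = @(Get-Item -Path $PolicyRoot -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $PolicyRoot -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($name -like 'LocalSettingOverride*' -and $key.GetValue($name) -eq 1) { "$($key.PSChildName)\$name" }
        }
    }
}

function Find-BroadExclusion {
    param([string[]]$Exclusions)
    foreach ($ex in $Exclusions) {
        foreach ($pat in $BroadExclusionPatterns) {
            if ($ex -match $pat) { [pscustomobject]@{ Exclusion = $ex; Pattern = $pat }; break }
        }
    }
}

function Get-DefenderTamperPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # With exclusions hidden from local admins, these lists can come back empty even when exclusions exist;
    # an empty list therefore means "none visible to this session", not necessarily "none configured".
    $exclusions = @(@($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess) |
                    Where-Object { $_ })

    [pscustomobject]@{
        TamperProtectionOn        = $status.IsTamperProtected
        TamperProtectionSource    = $status.TamperProtectionSource
        LocalListMergeDisabled    = (Get-PolicyValue DisableLocalAdminMerge) -eq 1
        LocalOverridesAllowed     = @(Get-LocalOverridesAllowed)
        ExclusionsHiddenFromAdmin = (Get-PolicyValue HideExclusionsFromLocalAdmin) -eq 1
        VisibleExclusionCount     = $exclusions.Count
        BroadExclusions           = @(Find-BroadExclusion -Exclusions $exclusions)
    }
}

Get-DefenderTamperPosture | Format-List
```

The posture to aim for is TamperProtectionOn true with a management source, LocalListMergeDisabled true, an empty LocalOverridesAllowed list, and no entries in BroadExclusions; anything in BroadExclusions is worth comparing against the policy-defined exclusions, since a locally merged entry there is exactly what the "Suspicious Microsoft Defender Antivirus exclusion" alert looks for.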

Detecting potential tampering activity in the Microsoft Defender portal

When tampering is detected, an alert is raised. Some of the alert titles for tampering are:

  • Attempt to bypass Microsoft Defender for Endpoint client protection
  • Attempt to stop Microsoft Defender for Endpoint sensor
  • Attempt to tamper with Microsoft Defender on multiple devices
  • Attempt to turn off Microsoft Defender Antivirus protection
  • Defender detection bypass
  • Driver-based tampering attempt blocked
  • Image file execution options set for tampering purposes
  • Microsoft Defender Antivirus protection turned off
  • Microsoft Defender Antivirus tampering
  • Modification attempt in Microsoft Defender Antivirus exclusion list
  • Pending file operations mechanism abused for tampering purposes
  • Possible Antimalware Scan Interface (AMSI) tampering
  • Possible remote tampering
  • Possible sensor tampering in memory
  • Potential attempt to tamper with MDE via drivers
  • Security software tampering
  • Suspicious Microsoft Defender Antivirus exclusion
  • Tamper protection bypass
  • Tampering activity typical to ransomware attacks
  • Tampering with Microsoft Defender for Endpoint sensor communication
  • Tampering with Microsoft Defender for Endpoint sensor settings
  • Tampering with the Microsoft Defender for Endpoint sensor

If the Block abuse of exploited vulnerable signed drivers attack surface reduction rule is triggered, the event is viewable in the ASR report and in Advanced Hunting.

If Windows Defender Application Control (WDAC) is enabled, the block and audit activity can be seen in Advanced Hunting.
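When portal access isn't at hand, the same ASR, WDAC, and tampering activity can be triaged from the device's own event logs. The script below is an added example written for this section, not code from the Microsoft article. It assumes the documented event IDs (Microsoft-Windows-Windows Defender/Operational: 5001 real-time protection disabled, 5007 configuration changed, 5013 tamper protection blocked a change, 1121 and 1122 ASR rule blocked and audited; Microsoft-Windows-CodeIntegrity/Operational: 3076 audit, 3077 block) and the documented GUID of the driver ASR rule; it scans event data values rather than relying on field names, so it isn't tied to a particular schema or display language.

```powershell
# Added example, not code from the Microsoft article: triage one Windows device for the local events behind
# the tampering, ASR, and WDAC signals listed above. Assumed: the documented event IDs and ASR rule GUID
# named in the lead-in. Run elevated.

$AsrDriverRuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'   # Block abuse of exploited vulnerable signed drivers

$Categories = @{
    5001 = 'Real-time protection disabled'
    5007 = 'Configuration changed'
    5013 = 'Tamper protection blocked a change'
    1121 = 'ASR rule blocked'
    1122 = 'ASR rule audited'
    3076 = 'WDAC policy audit'
    3077 = 'WDAC policy block'
}

function Get-EventDataValues([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Pull the raw EventData values so the checks below don't depend on localized message text or field names.
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { if ($d -is [string]) { $d } else { "$($d.'#text')" } }
}

function Get-LocalTamperingEvents {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @()
    $events += @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5013, 1121, 1122
        StartTime = $since
    } -ErrorAction SilentlyContinue)
    $events += @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $values = @(Get-EventDataValues $e)
        [pscustomobject]@{
            Time            = $e.TimeCreated
            Id              = $e.Id
            Category        = $Categories[[int]$e.Id]
            # 1121/1122 carry the rule GUID (sometimes braced); flag the vulnerable-driver rule specifically.
            DriverRule      = [bool]($values | Where-Object { $_.Trim('{}') -ieq $AsrDriverRuleId })
            # 5007 reports the changed setting as a registry path; exclusion edits appear under ...\Exclusions\...
            ExclusionChange = ($e.Id -eq 5007) -and [bool]($values | Where-Object { $_ -match '\\Exclusions\\' })
            # Any .sys path in the event data is the driver an ASR or WDAC event acted on.
            Driver          = ($values | Where-Object { $_ -match '\.sys$' } | Select-Object -First 1)
            Summary         = ("$($e.Message)" -split "`r?`n")[0]
        }
    }
}

function Get-TamperingSummary {
    param([int]$Hours = 24)
    Get-LocalTamperingEvents -Hours $Hours | Group-Object Category | Select-Object Name, Count
}

# Usage: the events a responder wants first are driver-rule hits, exclusion edits, and protection going down.
Get-LocalTamperingEvents -Hours 72 |
    Where-Object { $_.DriverRule -or $_.ExclusionChange -or $_.Id -in 5001, 5013, 3077 } |
    Format-Table Time, Id, Category, DriverRule, ExclusionChange, Driver -AutoSize
```

A 5013 event is a good sign (tamper protection did its job), while a 5001 without a matching 5013 or a 5007 exclusion change on a device where only policy should manage exclusions is the local trace of the alerts listed above. In Advanced Hunting, the driver ASR hits surface in DeviceEvents with ActionType AsrVulnerableSignedDriverBlocked or AsrVulnerableSignedDriverAudited, and WDAC activity with ActionType values that begin with AppControlCodeIntegrity.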

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.