Protect your organization from the effects of tampering
Tampering is the general term used to describe attackers attempts to impair the effectiveness of Microsoft Defender for Endpoint. The ultimate goal of attackers isn't to affect just one device, but rather to achieve their objective such as launching a ransomware attack. As such, the anti-tampering capabilities of Microsoft Defender for Endpoint extend beyond preventing tampering of a single device to detecting attacks and minimizing their impact.
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Business
Organization wide tamper resiliency is built on Zero Trust
The foundation for defending against tampering is following a Zero Trust model.
- Follow the best practice of least privilege. See Access control overview for Windows.
- Configure Conditional Access policies to keep untrusted users and devices isolated.
In order to provide an effective defense against tampering, devices must be healthy.
- Onboard devices to Defender for Endpoint.
- Make sure security intelligence and antivirus updates are installed.
- Managed devices centrally, such as by Microsoft Intune, Microsoft Defender for Endpoint Security Configuration Management, or Configuration Manager.
Note
On Windows devices, Microsoft Defender Antivirus can be managed by using Group Policy, Windows Management Instrumentation (WMI), and PowerShell cmdlets. However, those methods are more susceptible to tampering than by using Microsoft Intune, Configuration Manager, or Microsoft Defender for Endpoint Security Configuration Management. If you're using Group Policy, we recommend disabling local overrides for Microsoft Defender Antivirus settings and disabling local list merging.
You can view health status for Microsoft Defender Antivirus health and sensors in the device health reports in Microsoft Defender for Endpoint.
Preventing tampering on a single device
Attackers use various tampering techniques to disable Microsoft Defender for Endpoint on a single device. These techniques are prevented differently on different operating systems.
| Control | OS | Technique Families |
|---|---|---|
| Tamper protection | Windows | - Terminating/suspending processes - Stopping/pausing/suspending services - Modifying registry settings including exclusions - Manipulating/hijacking DLLs - Manipulation/modification of the file system - Agent integrity |
| Tamper protection | Mac | - Terminating/suspending processes - Manipulation/modification of the file system - Agent integrity |
| Attack surface reduction rules | Windows | Kernel drivers (see Block abuse of exploited vulnerable signed drivers) |
| Windows Defender Application Control (WDAC) | Windows | Kernel drivers (see Microsoft vulnerable driver blocklist) |
Understanding the different ways to prevent driver based tampering on Windows
One of the most common tampering techniques is to use a vulnerable driver to gain access to the kernel. This driver is often wrapped in an easy to deploy tool, but the underlying technique is the same.
In order to prevent a driver based tampering on a single device, the device needs to be configured to block the loading of that driver before the attack.
Microsoft provides several ways to keep devices well protected and up to date against driver based tampering.
Broadest protection - Microsoft vulnerable driver blocklist
The blocklist is updated with each new major release of Windows, typically 1-2 times per year. Microsoft will occasionally publish future updates through regular Windows servicing. With Windows 11 2022 update, the vulnerable driver blocklist is enabled by default for all devices, but requires either memory integrity (also known as hypervisor-protected code integrity or HVCI), Smart App Control, or S mode to be active.
See Microsoft vulnerable driver blocklist.
For devices that don't meet those requirements, this list of drivers can be blocked by using Windows Defender Application Control policy.
See Vulnerable Driver blocklist XML.
Faster updates - Block exploited vulnerable and signed drivers ASR rule
This list of drivers blocked by the exploited and vulnerable drivers get updated more frequently than the recommended drivers blocklist. ASR rules can run in audit mode first to ensure that there's no impact before applying the rule in block mode.
See Block abuse of exploited vulnerable signed drivers rule.
Block other drivers - Windows Defender Application Control (WDAC)
Attackers might attempt to use drivers that aren't blocked by either the recommended driver blocklist or an ASR rule. In this case, customers can protect themselves by using WDAC to create a policy to block
WDAC also provides an audit mode to help understand the impact of applying the policy in block mode to avoid accidentally impacting legitimate use.
Preventing tampering via Microsoft Defender Antivirus exclusions on Windows
A common technique used by attackers is to make unauthorized changes to anti-virus exclusions. Tamper protection prevents such attacks from occurring when all of the following conditions are met:
- The device is managed by Intune; and
- The device has Disable Local Admin Merge enabled.
For more information, see Tamper protection for antivirus exclusions.
Attackers can be preventing from discovering existing antivirus exclusions by enabling HideExclusionsFromLocalAdmin.
Detecting potential tampering activity in the Microsoft Defender portal
When tampering is detected, an alert is raised. Some of the alert titles for tampering are:
- Attempt to bypass Microsoft Defender for Endpoint client protection
- Attempt to stop Microsoft Defender for Endpoint sensor
- Attempt to tamper with Microsoft Defender on multiple devices
- Attempt to turn off Microsoft Defender Antivirus protection
- Defender detection bypass
- Driver-based tampering attempt blocked
- Image file execution options set for tampering purposes
- Microsoft Defender Antivirus protection turned off
- Microsoft Defender Antivirus tampering
- Modification attempt in Microsoft Defender Antivirus exclusion list
- Pending file operations mechanism abused for tampering purposes
- Possible Antimalware Scan Interface (AMSI) tampering
- Possible remote tampering
- Possible sensor tampering in memory
- Potential attempt to tamper with MDE via drivers
- Security software tampering
- Suspicious Microsoft Defender Antivirus exclusion
- Tamper protection bypass
- Tampering activity typical to ransomware attacks
- Tampering with Microsoft Defender for Endpoint sensor communication
- Tampering with Microsoft Defender for Endpoint sensor settings
- Tampering with the Microsoft Defender for Endpoint sensor
If the Block abuse of exploited vulnerable signed drivers attack surface reduction rule is triggered, the event is viewable in the ASR Report and in Advanced Hunting
If Windows Defender Application Control (WDAC) is enabled, the block and audit activity can be seen in Advanced Hunting.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for