Microsoft Makes Tamper Protection in Defender ATP Generally Available

Microsoft is now providing all of its Defender ATP (Advanced Threat Protection) customers with tamper protection, which is meant to prevent unauthorized changes to security features.

The feature was launched as a hardening solution to prevent attacks where malicious applications or threat actors attempt to disable Windows Defender Antivirus, modify real-time protection settings, or attempt to stop behavior monitoring and script scanning.

Tamper protection in Microsoft Defender ATP was meant to prevent such malicious and unauthorized changes, so that endpoint security systems can keep users safe.

Initially rolled out to Windows Insider users earlier this year, tamper protection is now generally available, Microsoft announced on Monday.

“Tamper protection prevents unwanted changes to security settings on devices. With this protection in place, customers can mitigate malware and threats that attempt to disable security protection features,” Shweta Jha of the Microsoft Defender ATP team, explains.

Services and settings protected from modification include real-time protection (core antimalware scanning feature), cloud-delivered protection (targets never-before-seen malware), IOAV (handles detection of suspicious files from the Internet), behavior monitoring (analyzes active processes for suspicious or malicious behavior), and security intelligence updates.

Tamper protection, Jha notes, is the result of Microsoft’s research into the threat landscape and attack patterns, and also takes advantage of feedback from customers and partners. The company believes that visibility into tampering attempts at various levels becomes key in mitigating sophisticated threats.

“Customer feedback on deployment and other aspects of the feature were critical in our journey towards today’s GA,” Jha says.

Tamper protection can be deployed and managed through Microsoft Intune in a manner similar to other endpoint security settings. Admins can enable the feature for the entire organization, or through device and user groups.

Deployment, Jha says, was designed to be secure, and changes to the tamper protection state can only be made through Microsoft Intune. Based on demand, Microsoft will integrate the feature with other management channels.

As soon as it is enabled in Microsoft Intune, the tamper protection policy is digitally signed in the backend and its validity is checked at the endpoint.

When a tampering attempt is detected, an alert is raised in Microsoft Defender Security Center, and security operations teams can investigate and resolve the issue. According to Microsoft, such tampering attempts are indicators of larger cyber-attacks, where threat actors try to achieve persistence and evade detection.

Tamper protection will be enabled by default for home users, but Microsoft is turning the feature on only gradually. The Windows Security app will allow customers to review or change tamper protection settings and to enable the feature manually.

“We believe it’s critical for customers, across home users and commercial customers, to turn on tamper protection to ensure that essential security solutions are not circumvented. We will continue working on this feature, including building support for older Windows versions,” Jha concludes.

Related: Microsoft Adds Live Response Capabilities to Defender ATP

Related: Microsoft Makes Automated Incident Response in Office 365 ATP Generally Available