Microsoft Makes Tamper Protection in Defender ATP Generally Available

Microsoft is now providing all of its Defender ATP (Advanced Threat Protection) customers with tamper protection, which is meant to prevent unauthorized changes to security features.

The feature was launched as a hardening solution to prevent attacks where malicious applications or threat actors attempt to disable Windows Defender Antivirus, modify real-time protection settings, or attempt to stop behavior monitoring and script scanning.

Tamper protection in Microsoft Defender ATP was meant to prevent such malicious and unauthorized changes, so that endpoint security systems can keep users safe.

Initially rolled out to Windows Insider users earlier this year, tamper protection is now generally available, Microsoft announced on Monday.

“Tamper protection prevents unwanted changes to security settings on devices. With this protection in place, customers can mitigate malware and threats that attempt to disable security protection features,” Shweta Jha of the Microsoft Defender ATP team explains.

Services and settings protected from modification include real-time protection (core antimalware scanning feature), cloud-delivered protection (targets never-before-seen malware), IOAV (handles detection of suspicious files from the Internet), behavior monitoring (analyzes active processes for suspicious or malicious behavior), and security intelligence updates.
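As an added example (not from the article or from Microsoft), the following PowerShell script audits an endpoint for the state of tamper protection and of the settings listed above, using the Defender module's `Get-MpComputerStatus` and `Get-MpPreference` cmdlets. The seven-day signature age threshold and the `$MaxSignatureAgeDays` parameter name are assumptions chosen for illustration.

```powershell
# Added example: report whether tamper protection and the Defender settings
# it guards are in their expected state on this endpoint.
# $MaxSignatureAgeDays is an assumed threshold, not a Microsoft recommendation.
param([int]$MaxSignatureAgeDays = 7)

$status = Get-MpComputerStatus   # current runtime state of Defender
$pref   = Get-MpPreference       # configured preferences

# One row per protected setting: name, observed value, pass/fail.
$checks = @(
    [pscustomobject]@{ Setting = 'Tamper protection'
                       Value   = $status.IsTamperProtected
                       Ok      = [bool]$status.IsTamperProtected }
    [pscustomobject]@{ Setting = 'Real-time protection'
                       Value   = $status.RealTimeProtectionEnabled
                       Ok      = [bool]$status.RealTimeProtectionEnabled }
    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced
    [pscustomobject]@{ Setting = 'Cloud-delivered protection (MAPSReporting)'
                       Value   = $pref.MAPSReporting
                       Ok      = ($pref.MAPSReporting -ne 0) }
    [pscustomobject]@{ Setting = 'IOAV protection'
                       Value   = $status.IoavProtectionEnabled
                       Ok      = [bool]$status.IoavProtectionEnabled }
    [pscustomobject]@{ Setting = 'Behavior monitoring'
                       Value   = $status.BehaviorMonitorEnabled
                       Ok      = [bool]$status.BehaviorMonitorEnabled }
    [pscustomobject]@{ Setting = 'Script scanning'
                       Value   = -not $pref.DisableScriptScanning
                       Ok      = (-not $pref.DisableScriptScanning) }
    [pscustomobject]@{ Setting = 'Security intelligence age (days)'
                       Value   = $status.AntivirusSignatureAge
                       Ok      = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) }
)

$checks | Format-Table -AutoSize

# Non-zero exit code lets a management tool or scheduled task flag the device.
$failed = @($checks | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ("Settings not in expected state: " + ($failed.Setting -join ', '))
    exit 1
}
Write-Output 'Tamper protection and all guarded settings are in the expected state.'
```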

Tamper protection, Jha notes, is the result of Microsoft’s research into the threat landscape and attack patterns, and also takes advantage of feedback from customers and partners. The company believes that visibility into tampering attempts at various levels becomes key in mitigating sophisticated threats.

“Customer feedback on deployment and other aspects of the feature were critical in our journey towards today’s GA,” Jha says.

Tamper protection can be deployed and managed through Microsoft Intune in a manner similar to other endpoint security settings. Admins can enable the feature for the entire organization, or through device and user groups.

Deployment, Jha says, was designed to be secure, and changes to the tamper protection state can only be made through Microsoft Intune. Based on demand, Microsoft will integrate the feature with other management channels.

As soon as it is enabled in Microsoft Intune, the tamper protection policy is digitally signed in the backend and its validity is checked at the endpoint.

When a tampering attempt is detected, an alert is raised in Microsoft Defender Security Center, and security operations teams can investigate and resolve the issue. According to Microsoft, such tampering attempts are indicators of larger cyber-attacks, where threat actors try to achieve persistence and evade detection.

Tamper protection will be enabled by default for home users, but Microsoft is turning the feature on only gradually. The Windows Security app will allow customers to review or change tamper protection settings and to enable the feature manually.

“We believe it’s critical for customers, across home users and commercial customers, to turn on tamper protection to ensure that essential security solutions are not circumvented. We will continue working on this feature, including building support for older Windows versions,” Jha concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
