What is Tamper Protection?

Issue

I noticed that I have the ability to change the Tamper Protection Level in my sensor groups settings. What will this provide?

Environment

VMware Carbon Black EDR server (7.4+)

VMware Carbon Black EDR sensor (7.2+)

Resolution

What is Tamper Protection?

It is a feature which protects the Windows EDR sensor against any outside attempts to stop EDR services, modify the sensor's binaries, disk artifacts, or configuration.

Essentially, manipulation of sensor services now requires an override password which can be acquired by navigating to the Sensor Group settings and then Advanced > Tamper Override Password.

Enabling Tamper Protection

• Pivot to your VMware CB EDR console.
• Go to the Sensor Management page.
• Select the Sensor Group that will have the feature enabled and click the gear icon.
• Go to Advanced > Tamper Protection Level.
• Select Protection from the drop-down.

Tamper Protection is only supported on Windows endpoints that are running sensor version 7.2.0 or later and certain versions of Windows 10 (desktop) and Windows Server:

• Windows 10 v1703 or higher
• Windows Server v1709 or higher

Endpoints running older versions of Windows (Windows 7, 8, 8.1; Windows Server 2008 R2, Server 2012, Server 2016) will show a status of Detect.

Disabling Tamper Protection

• From an elevated command prompt, execute the following commands:
  cd C:\Windows\CarbonBlack
cbedrcli.exe <tamper_override_password> 
  (replace the syntax above with the actual password)
• Once the command has been successfully executed, tamper protection will be lifted for one hour.