Risk of turning off Anti-Tamper permanently on DLP agent on MAC

Article ID: 225999

Products

Data Loss Prevention

Issue/Introduction

We would like to assess the risk of disabling anti-tamper permanently. What does it entail when anti-tamper is off?

Environment

Release : 15.x

Component : DLP Endpoint Prevent

Cause

Details on the setting AgentTamperProtection.ENABLE_AGENT_TAMPER_PROTECTION.int:

This setting enables tamper protection on the DLP Endpoint Agent. Its possible values are:

- 0 disables all tamper protection.

- 1 prevents the agent and the watchdog files from being deleted or modified.

- 2 prevents the agent and the watchdog services from being stopped.

- 3 prevents the agent and the watchdog files and services from being deleted, modified or stopped.

- 4 prevents the agent and the watchdog services from being deleted from the operating-system registry.

- 7 enables file, service, and registry protection.
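To answer the question in the issue for a given agent configuration, the following added example (written for this article, not Symantec's code) decodes the setting value into the protections it enables and lists the tamper actions from the feature description that remain possible. It assumes the value is a bit mask, as the documented values 3 (1+2) and 7 (1+2+4) imply, and so also accepts 5 and 6.

```python
# Added example: decodes ENABLE_AGENT_TAMPER_PROTECTION.int into the
# protections it enables and the tamper actions the article says it blocks.
# Assumption: the value is a bit mask (1 = files, 2 = services, 4 = registry).

SETTING_KEY = "AgentTamperProtection.ENABLE_AGENT_TAMPER_PROTECTION.int"
FILE, SERVICE, REGISTRY = 1, 2, 4
ALL_BITS = FILE | SERVICE | REGISTRY

# Per bit: a label and the tamper actions the article says that bit prevents.
PROTECTIONS = {
    FILE: ("file", [
        "replace the EDPA binary",
        "rename the EDPA file in the agent installation directory",
        "delete folders or files in the agent installation directory",
        "change file or folder permissions in the agent installation directory",
    ]),
    SERVICE: ("service", [
        "stop the edpa process with kill/pkill (even as root)",
        "unload, stop or remove the edpa process with launchctl unload",
    ]),
    REGISTRY: ("registry", [
        "delete the agent or watchdog service registration",
    ]),
}


def parse_setting(line: str) -> int:
    """Parse a 'key = value' line; reject other keys and undocumented bits."""
    key, sep, raw = line.partition("=")
    if not sep or key.strip() != SETTING_KEY:
        raise ValueError(f"unexpected setting line: {line!r}")
    value = int(raw.strip())
    if value < 0 or value & ~ALL_BITS:
        raise ValueError(f"undocumented tamper-protection value: {value}")
    return value


def assess(value: int) -> dict:
    """Report what a value protects and what an endpoint user could still do."""
    enabled = [name for bit, (name, _) in PROTECTIONS.items() if value & bit]
    exposed = [action for bit, (_, actions) in PROTECTIONS.items()
               if not value & bit for action in actions]
    # Without file or service protection a user can delete or kill the agent,
    # which is the exfiltration risk the article describes for value 0.
    return {"value": value, "enabled": enabled, "exposed": exposed,
            "fully_protected": value == ALL_BITS,
            "agent_can_be_disabled": not (value & FILE and value & SERVICE)}
```

With the value set to 0 the report lists all seven tamper actions as exposed, which is the condition the Resolution section warns against.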

Resolution

History and feature description of Mac anti-tamper, and the risk involved in permanently switching it to zero. The Symantec DLP team does not recommend leaving anti-tamper set to zero permanently: it gives endpoint users the ability to disable the DLP agent, so data can be exfiltrated without DLP agent protection.

History: The feature was introduced for Mac in DLP 15.0 (released September 2017) to reach parity with the feature already in place on Windows.

Snippet from the DLP 15.0 What's New guide (September 2017 release). Note that 15.0.x is EOSL, but the feature has remained in the currently supported versions of DLP, 15.7.x and 15.8.x.

Topic Title: Support for Mac agent tamper protection

Summary of Change: This new topic states that the version 15 agent installed on Mac endpoints has enhanced tamper protection support to prevent endpoint users from disabling the agent.

Feature Description

Similar to Windows agent tamper proofing, Mac agent tamper proofing prevents endpoint users from deleting or disabling the Mac agent. The feature prevents endpoint users with root access from killing the edpa process using external commands, for example "kill," and "pkill." Also, the feature prevents the launchctl unload command from unloading, stopping, or removing the edpa process.

The feature prevents endpoint users from performing the following EDPA file changes:

- Replace the existing binary

- Rename the EDPA file in the agent installation directory

- Delete folders or files in the agent installation directory

- Change file or folder permissions in the agent installation directory

With the introduction of tamper protection for the Mac agent (from DLP 15.0 Sept 2017), the agent does not require an uninstall password. The tamper-proofing support automatically re-creates the EDPA file if a user moves it to the trash. The DLP admin uses the uninstall tool to uninstall the agent ($sudo ./uninstall_agent).

The AgentTamperProtection.ENABLE_AGENT_TAMPER_PROTECTION.int advanced agent setting has the same effect on Mac agents as it does on Windows (OS feature parity).