App Control: Why are we receiving tamper protection alerts when data backups run on an endpoint?
Article ID: 284842
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Why does the App Control agent produce tamper alerts when backups occur on endpoints?
Environment
App Control (formerly CB Protection) agent: All supported versions
Commvault Backup and Recovery: All versions
All data backup solutions
Resolution
This is due to the agent tamper protection feature being enabled on the App Control agent.
An agent that has tamper protection enabled blocks any active scanner from opening its directories for any reason.
Tamper Protection protects against agent uninstall, whether accidental or malicious, which would compromise the security of an endpoint.
The alert warns the App Control admin that something in the environment is tampering with the agent and that the cause should be investigated.
Additional Information
All security software using active scanning technology and tamper protection will alert on attempted access to its directories. This can occur with any brand of backup software.
Backup applications running on an endpoint with an App Control agent can experience performance issues as well. It is necessary to add the backup solution's recommended AV exclusions to the App Control agent.
Technical Support is not able to assist in adding these exclusions to the App Control agent; this is a function of our Professional Services team.
If assistance is required applying the recommended backup application exclusions in App Control, please open a Support Case and let us know you would like to engage Professional Services, along with a description of the requested service. A support agent will submit that request for you.