Carbon Black Cloud: What are the Mac TamperBehavior events?
Article ID: 285118
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
What do the different TamperBehavior items reported by the Mac sensors mean?
Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: 3.3.3.35 and Higher
- Apple macOS: All Supported Versions
Resolution
| Tamper Behavior | Attempted Activity |
|---|---|
| "TamperBehavior1" | attempt to disable the sensor services with launchd |
| "TamperBehavior2" | attempt to disable / unload the KEXT driver |
| "TamperBehavior3" | attempt to terminate / kill sensor processes |
| "TamperBehavior4" | attempt at in-memory attacks / memory scraping / code injection |
| "TamperBehavior11" | attempt to modify / delete sensor files |
Additional Information
Other tamper protection violations will be blocked, but are not currently reported to the Console. This may change in future Sensor versions.