Carbon Black Cloud: What are the Mac TamperBehavior events?
Article ID: 285118
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
What do the different Tamper Behavior items reported by the Mac sensors mean?
Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: 3.3.3.35 and Higher
- Apple macOS: All Supported Versions
Resolution
| Tamper Behavior | Attempted Activity |
|---|---|
| "TamperBehavior1" | Attempt to disable the sensor services with launchd |
| "TamperBehavior2" | Attempt to disable / unload the KEXT driver |
| "TamperBehavior3" | Attempt to terminate / kill sensor processes |
| "TamperBehavior4" | Attempt at in-memory attacks / memory scraping / code injection |
| "TamperBehavior11" | Attempt to modify / delete sensor files |
Additional Information
Other tamper protection violations will be blocked, but are not currently reported to the Console. This may change in future Sensor versions.