Carbon Black Cloud: What are the Mac TamperBehavior events?

Article ID: 285118

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

What do the different TamperBehavior items reported by the Mac sensors mean?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.3.3.35 and Higher
  • Apple macOS: All Supported Versions

Resolution

Tamper Behavior        Attempted Activity
---------------------  --------------------------------------------------------------
“TamperBehavior1”      Attempt to disable the sensor services with launchd
“TamperBehavior2”      Attempt to disable / unload KEXT driver
“TamperBehavior3”      Attempt to terminate / kill sensor processes
“TamperBehavior4”      Attempt at in-memory attacks / memory scraping / code injection
“TamperBehavior11”     Attempt to modify / delete sensor files

Additional Information

Other tamper protection violations will be blocked, but are not currently reported to the Console. This may change in future Sensor versions.