EDR: How to Enable Tamper Detection or Tamper Protection
Article ID: 285235

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How is Tamper Detection or Tamper Protection enabled within EDR?

Environment

  • EDR Server: All Supported Versions

Resolution

  • To enable Tamper Detection or Tamper Protection:
    1. Log in to the EDR Console with a user having an Analyst role or greater.
    2. Enable 'Tamper Detection' or 'Tamper Protection' under Sensor Group > Settings > Advanced > Tamper Protection Level.
  • For global Tamper alerts, enable the Cb Tamper Detection feed.
    Note: The Cb Tamper Detection feed alerts on all sensor groups regardless of Tamper settings.
  • For Tamper alerts per sensor group:
    1. Disable the Cb Tamper Detection feed.
    2. Create a watchlist for each specific sensor group, for example:
      • group:"Sensor Group Name" AND tampered:true
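As an added example (not from the article or from Carbon Black), the following Python script builds the per-group watchlist query shown above and creates one watchlist per sensor group through the server REST API. The endpoint path, JSON field names, the X-Auth-Token header and the index_type value are assumptions to verify against your server's API documentation.

```python
"""Create one tamper watchlist per sensor group in Carbon Black EDR (Cb Response).

Added example, not part of the KB article or the vendor's code. It ASSUMES the
EDR server exposes POST /api/v1/watchlist taking a JSON body with "name",
"index_type" and "search_query" (the console query URL-encoded as q=...) and
an X-Auth-Token header; verify against your server's REST API documentation.
"""
import json
import urllib.parse
import urllib.request

EDR_URL = "https://edr.example.internal"  # placeholder; your EDR server
API_TOKEN = "REPLACE_WITH_API_TOKEN"       # placeholder; token of an Analyst-or-higher user


def tamper_query(group_name: str) -> str:
    """Console query from the article, scoped to one sensor group.
    Double quotes inside a group name are backslash-escaped (Solr phrase
    syntax, assumed) so the phrase stays well-formed."""
    escaped = group_name.replace('"', '\\"')
    return f'group:"{escaped}" AND tampered:true'


def watchlist_payload(group_name: str) -> dict:
    """JSON body for one watchlist; "events" as index_type is an assumed value."""
    return {
        "name": f"Tamper alerts - {group_name}",
        "index_type": "events",
        "search_query": "q=" + urllib.parse.quote(tamper_query(group_name))
        + "&cb.urlver=1",
    }


def create_watchlists(groups, server=EDR_URL, token=API_TOKEN):
    """POST one watchlist per group; returns {group: HTTP status}."""
    results = {}
    for group in groups:
        body = json.dumps(watchlist_payload(group)).encode()
        req = urllib.request.Request(
            f"{server}/api/v1/watchlist", data=body, method="POST",
            headers={"X-Auth-Token": token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
            results[group] = resp.status
    return results


if __name__ == "__main__":
    # Constructed sample group names; disable the Cb Tamper Detection feed first, per the article.
    print(create_watchlists(["Workstations", "Servers"]))
```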


Additional Information

  • Tamper Protection prevents users or local admins from:
    • Starting/stopping the CB Windows sensor services
    • Modifying the C:\Windows\CarbonBlack files (users have no access)
    • Modifying C:\Windows\system32\drivers\cbk7.sys and cbstream.sys
    • Modifying C:\Program Files (x86)\CarbonBlack\CbEDRAMSI.dll
    • Modifying C:\Program Files\CarbonBlack\CbEDRAMSI.dll
    • Modifying CarbonBlack registry keys
  • “Tamper Protection” can be turned on/off via the server UI.
  • “Tamper Protection” can be turned on/off directly from the endpoint (using "CbEDRCLI.exe") should the CB EDR Windows sensor lose communication with the server.