How is Tamper Detection or Tamper Protection enabled within EDR.

• EDR Server: All Supported Versions

• To enable Tamper Detection or Tamper Protection
  1. Login to the EDR Console with a user having an Analyst role or greater.
  2. Enable 'Tamper Detection' or 'Tamper Protection' within the Sensor Group > Settings  > Advanced > Tamper Protection Level.
• For Global Tamper Alerts enable the Cb Tamper Detection feed.

• For Tamper alerts per sensor group.
  1. Disable the Cb Tamper Detection feed.
  2. Create watchlist for specific sensor groups - example below:

     • group:"Sensor Group Name" AND tampered:true

       
        

• Tamper Protection prevents users, or local admins, from:

* Starting/stopping the CB Windows sensor services

* Modifying the C:\Windows\CarbonBlack files; Users have no access

* Modifying C:\Windows\system32\drivers\cbk7.sys and cbstream.sys

* Modifying C:\Program Files (x86)\CarbonBlack\CbEDRAMSI.dll

* Modifying C:\Program Files\CarbonBlack\CbEDRAMSI.dll

* Modifying CarbonBlack registry keys

• “Tamper Protection” can be turned on / off via server UI.
• “Tamper Protection” can be turned on / off directly from the endpoint should the CB EDR Windows sensor lose comms with the server ("CbEDRCLI.exe")
• If App Control is also installed we recommend only using EDR Tamper Protection as mentioned here.