EDR: How to Get Started with Tamper Protection?
Article ID: 285649

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How can Tamper Protection be enabled and what is the impact on the endpoints?

Environment

  • EDR Server: 7.4 and higher
  • EDR Windows Sensor: 7.2 and higher
  • Windows 10 v1703 (Desktop) and higher
  • Windows Server 2016 v1709 (Windows build 15163) and higher

Resolution

  • Tamper Protection can be enabled per group in the EDR Console > Sensors > Edit Group Settings > Advanced. Set the Tamper Protection Level to Protection, Detection or Disable.
  • There is no performance impact on the endpoints.
  • In Protect mode, the sensor is protected against the following:
      * Starting/stopping the CB Windows sensor services
      * Modifying the C:\Windows\CarbonBlack files; Users have no access
      * Modifying C:\Windows\system32\drivers\cbk7.sys and cbstream.sys
      * Modifying C:\Program Files (x86)\CarbonBlack\CbEDRAMSI.dll
      * Modifying C:\Program Files\CarbonBlack\CbEDRAMSI.dll
      * Modifying CarbonBlack registry keys

Additional Information

  • Before enabling Tamper Protection, review the knowledge base article "EDR: Which Sensor directories need exclusion from third-party anti-virus scans" to make sure that the latest Carbon Black EDR Windows sensor exclusions are in place.
  • Minimum requirements are Windows 10 v1703 (Desktop) or Windows Server 2016 v1709 (Windows build 15163). Any Windows sensor in a sensor group that has Tamper Protection applied and that does not meet the minimum OS requirements will default to Tamper Detection.
  • Enabling Tamper Protection on both Carbon Black App Control and Carbon Black EDR does not provide extra protection. We recommend that you disable Carbon Black App Control enforcement of Tamper Protection after Carbon Black EDR Tamper Protection enforcement is in place.
  • Download and review the Engineering Overview of Tamper Protection document: https://transfer.vmware.com/download?domain=carbonblack&id=d3c24998d3f442bc8e9dcd202652d7e9&out=zip
  • Review Managing Sensors > Tamper Protection of Windows Sensors in the 7.7 User Guide or higher for details on the configuration fields for the new Tamper Protection feature.

Attachments

Windows EDR “Tamper Protection” Overview.pdf
Windows EDR CLI Tool Overview.pdf