How can Tamper Protection be enabled and what is the impact on the endpoints?

• Carbon Black EDR Server:  7.4 and higher
• Carbon Black EDR Windows Sensor: 7.2 and higher
• Windows 10 v1703 (Desktop) and higher
• Windows Server 2016 v1709 (Windows build 15163) and higher

• Tamper Protection can be enabled per-group in the EDR Console > Sensors >  Edit Group Settings > Advanced.  Modify the Tamper Protection Level to Protection, Detection or Disable.  
• No performance impact on the endpoints.
• In Protect mode the following files are protected:

* Starting/stopping the CB Windows sensor services
* Modifying the C:\Windows\CarbonBlack files; Users have no access
* Modifying C:\Windows\system32\drivers\cbk7.sys and cbstream.sys
* Modifying C:\Program Files (x86)\CarbonBlack\CbEDRAMSI.dll
* Modifying C:\Program Files\CarbonBlack\CbEDRAMSI.dll
* Modifying CarbonBlack registry keys

• Review the knowledge base article Which Sensor directories need exclusion from third-party anti-virus scans to make sure that the latest Carbon Black EDR Windows sensor exclusions are in place before enabling Tamper Protection. 
• Minimum requirements are Windows 10 v1703 (Desktop) or Windows Server 2016 v1709 (Windows build 15163).   Any Windows sensor in a sensor group that has Tamper Protection applied and that does not meet the minimum OS requirements will default to Tamper Detection.
• Enabling Tamper Protection on both Carbon Black App Control and Carbon Black EDR does not provide extra protection. We recommend that you disable Carbon Black App Control enforcement of Tamper Protection after Carbon Black EDR Tamper Protection enforcement is in place.
• Review Managing Sensors > Tamper Protection of Windows Sensors in the 7.7 User Guide or higher for details on configuration fields for the new Tamper Protection Feature.