App Control: Tamper Protection Not Being Enforced

search cancel

App Control: Tamper Protection Not Being Enforced

book

Article ID: 286479

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Tamper Protection not being enforced
Able to stop/disable the App Control service
Able to modify App Control files

Environment

App Control Agent: All Supported Versions
App Control Console: All Supported Versions

Cause

Tamper Protection being disabled
Agent configurations disabling tamper protection
Custom rules bypassing tamper protection

Resolution

There are multiple ways that Tamper Protection can be disabled or weakened. Global Settings can be overridden by per-Policy settings, which can be overridden by per-Agent settings. To determine which combination of settings may be interfering with Tamper Protection:

Log in to the Console and navigate to /support.php > Advanced Configuration:
- Verify Enable Agent Uninstall is unchecked.
- Verify Disable Tamper Protection is unchecked.
Open a command prompt and issue the following commands to check for weakened Tamper Protection:
```
cd "C:\Program Files (x86)\Bit9\Parity Agent"
dascli password GlobalPassword
dascli configprops filter *allow_u*
```
- If allow_uninstall=1 is returned:
  - Verify the Enable Agent Uninstall option is unchecked in Step 1.
  - Verify an existing Agent Config for allow_uninstall=1 does not exist.
- If allow_upgrade=1 is returned:
  - Verify an existing Agent Config for allow_upgrade=1 does not exist.
Issue the following commands to check for disabled Tamper Protection:
```
dascli password GlobalPassword
dascli configprops filter *disable_self*
```
- If disable_self_protect=1 is returned:
  - Verify the Disable Tamper Protection option is unchecked in Step 1.
  - Verify an existing Agent Config for disable_self_protect=1 does not exist.
  - Verify additional methods to disable Tamper Protection do not exist.
After completing any/all changes, verify the Agent shows as Connected & Up to Date in Assets > Computers.

If the issue persists please open a case with Support and provide the Agent Historical Logs from a machine.

Additional Information

An Agent Config ending with =0 indicates the configuration is disabled.
An Agent Config ending with =1 indicates the configuration is enabled.

Feedback

thumb_up Yes

thumb_down No