Tamper Protection Not Being Enforced

Article ID: 286479

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Tamper Protection not being enforced
  • Able to stop/disable the App Control service
  • Able to modify App Control files

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Resolution

There are multiple ways that Tamper Protection can be disabled or even weakened. Global Settings can be overridden by per-Policy settings, which can be overridden by per-Agent settings. To determine which combination of settings may be interfering with Tamper Protection:

  1. Log in to the Console and navigate to /support.php > Advanced Configuration:
    • Verify Enable Agent Uninstall is unchecked.
    • Verify Disable Tamper Protection is unchecked.
  2. Open a command prompt or use Terminal to issue the relevant commands to check for weakened Tamper Protection:
    • Windows:
      cd "C:\Program Files (x86)\Bit9\Parity Agent"
      dascli password GlobalPassword
      dascli configprops filter *allow_u*
    • macOS:
      cd /Applications/Bit9/Tools/
      ./b9cli --password GlobalPassword
      ./b9cli --configprops | grep "allow_u"
    • Linux:
      cd /opt/bit9/bin
      ./b9cli --password GlobalPassword
      ./b9cli --configprops | grep "allow_u"
    • If allow_uninstall=1 is returned:
      • Verify the Enable Agent Uninstall option is unchecked in Step 1.
      • Verify an existing Agent Config for allow_uninstall=1 does not exist.
    • If allow_upgrade=1 is returned:
  3. Issue the following commands to check for disabled Tamper Protection:
    dascli password GlobalPassword
    dascli configprops filter *disable_self*
    
    • If disable_self_protect=1 is returned:
  4. After completing any/all changes, verify the Agent shows as Connected & Up to Date in Assets > Computers.

If the issue persists, please open a case with Support and provide the Agent Historical Logs from an affected machine.
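The checks in Steps 2 and 3 come down to reading the agent's configuration properties and looking for a trailing =1 on allow_uninstall, allow_upgrade or disable_self_protect. The script below is an added example, not part of this article or of the App Control product: it parses configprops output piped in from dascli or b9cli and reports whether Tamper Protection is enforced, weakened (Step 2) or disabled (Step 3). It assumes the output is one name=value property per line, which is inferred from the article's wording ("allow_uninstall=1 is returned"); the sample output embedded in it is constructed for offline use.

```python
"""Added example: classify App Control agent configprops output by its effect
on Tamper Protection. Assumed input format (not documented on the page):
one `name=value` property per line, as returned by
`dascli configprops` (Windows) or `b9cli --configprops` (macOS/Linux)."""
import re
from typing import Dict, List, Tuple

# Properties the article tells you to check, grouped by their effect.
# Per the article's Additional Information: =1 means enabled, =0 disabled.
WEAKENING_PROPS = ("allow_uninstall", "allow_upgrade")   # Step 2: weakened
DISABLING_PROPS = ("disable_self_protect",)              # Step 3: disabled

_PROP_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=\s*(.*?)\s*$")


def parse_configprops(text: str) -> Dict[str, str]:
    """Parse name=value lines into a dict; lines that do not match are skipped.
    Keys are lower-cased so the lookup is case-insensitive."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1).lower()] = m.group(2)
    return props


def assess(props: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (status, findings).

    status is 'disabled' if disable_self_protect=1, otherwise 'weakened' if any
    allow_* property is 1, otherwise 'enforced'. findings lists each offending
    property with the article step that covers it."""
    findings: List[str] = []
    status = "enforced"
    for key in DISABLING_PROPS:
        if props.get(key) == "1":
            findings.append(f"{key}=1: Tamper Protection is disabled (Step 3)")
            status = "disabled"
    for key in WEAKENING_PROPS:
        if props.get(key) == "1":
            findings.append(f"{key}=1: Tamper Protection is weakened (Step 2)")
            if status == "enforced":
                status = "weakened"
    return status, findings


def assess_output(text: str) -> Tuple[str, List[str]]:
    """Convenience wrapper: raw configprops text -> (status, findings)."""
    return assess(parse_configprops(text))


# Constructed sample output for offline use; real output comes from the
# dascli / b9cli commands in Steps 2 and 3 (after `dascli password` / `--password`).
SAMPLE_OUTPUT = """\
allow_uninstall=1
allow_upgrade=0
disable_self_protect=0
unrelated_property=some value
"""

if __name__ == "__main__":
    import sys
    # Read piped output if present, otherwise fall back to the constructed sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    status, findings = assess_output(text)
    print(f"Tamper Protection: {status}")
    for finding in findings:
        print("  -", finding)
    # Non-zero exit lets this run as a simple health check in a scheduled job.
    sys.exit(0 if status == "enforced" else 1)
```

Typical use on Windows is `dascli configprops | python check_tamper.py` from the agent directory (after `dascli password GlobalPassword`); on macOS or Linux pipe `./b9cli --configprops` instead. Passing the full property list rather than the filtered one lets a single run cover both Step 2 and Step 3. A non-zero exit means one of the settings from this article needs attention, at which point the Console checks in Step 1 and the per-Agent configs apply.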

Additional Information

  • An Agent Config ending with =0 indicates the configuration is disabled.
  • An Agent Config ending with =1 indicates the configuration is enabled.