Tamper Protection Not Being Enforced

search cancel

Tamper Protection Not Being Enforced

book

Article ID: 286479

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Tamper Protection not being enforced
Able to stop/disable the App Control service
Able to modify App Control files

Environment

App Control Agent: All Supported Versions
App Control Console: All Supported Versions

Resolution

There are multiple ways that Tamper Protection can be disabled or even weakened. Global Settings can be overridden by per-Policy settings, which can be overridden by per-Agent settings. To determine which combination of settings may be interfering with Tamper Protection:

Log in to the Console and navigate to /support.php > Advanced Configuration:
- Verify Enable Agent Uninstall is unchecked.
- Verify Disable Tamper Protection is unchecked.
Open a command prompt or use Terminal to issue the relevant commands to check for weakened Tamper Protection:
- Windows:
```
cd "C:\Program Files (x86)\Bit9\Parity Agent"
dascli password GlobalPassword
dascli configprops filter *allow_u*
```
- macOS:
```
cd /Applications/Bit9/Tools/
./b9cli --password GlobalPassword
./b9cli --configprops | grep "allow_u"
```
- Linux:
```
cd /opt/bit9/bin
./b9cli --password GlobalPassword
./b9cli --configprops | grep "allow_u"
```
- If allow_uninstall=1 is returned:
  - Verify the Enable Agent Uninstall option is unchecked in Step 1.
  - Verify an existing Agent Config for allow_uninstall=1 does not exist.
- If allow_upgrade=1 is returned:
  - Verify an existing Agent Config for allow_upgrade=1 does not exist.
Issue the following commands to check for disabled Tamper Protection:
```
dascli password GlobalPassword
dascli configprops filter *disable_self*
```
- If disable_self_protect=1 is returned:
  - Verify the Disable Tamper Protection option is unchecked in Step 1.
  - Verify an existing Agent Config for disable_self_protect=1 does not exist.
  - Verify additional methods to disable Tamper Protection do not exist.
After completing any/all changes, verify the Agent shows as Connected & Up to Date in Assets > Computers.

If the issue persists please open a case with Support and provide the Agent Historical Logs from a machine.

Additional Information

An Agent Config ending with =0 indicates the configuration is disabled.
An Agent Config ending with =1 indicates the configuration is enabled.

Feedback

thumb_up Yes

thumb_down No