EDR: Why Do I Still Receive Tamper Alerts When Tamper Protection is Not Enabled?
Article ID: 288275
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Receiving Tamper Alerts when Tamper Protection is not Enabled
Environment
EDR Sensor: 7.2.2
Resolution
Even when the Tamper Level is set to None, certain areas of the registry are still monitored for activity, and the sensor will block and report tamper events for changes to them.
To implement PowerShell event collection, the Windows sensor leverages Microsoft AMSI (the Antimalware Scan Interface).
As a result, certain registry values and keys are unconditionally protected as a best effort at preventing malicious behavior.
If these registry values are manipulated, the attempts are blocked and tamper events are sent to the server.
Even though the sensor group may be configured with tamper protection disabled, these events are still consumed, and if the tamper feed is enabled they are rendered properly.
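When triaging such an alert it helps to know what is registered in the AMSI provider area of the registry on the endpoint, since that is the kind of key the article says the sensor protects regardless of Tamper Level. The read-only inventory below is an added example and not part of the Carbon Black article or the sensor's own tooling; it assumes the protected keys include the standard AMSI provider registration path, and it resolves each provider CLSID to its DLL and code signer so a baseline can be compared against a later alert.

```powershell
# Added example (not from the Carbon Black article): read-only inventory of the
# AMSI providers registered on this host. Assumption: the registry areas the EDR
# sensor protects regardless of Tamper Level include this AMSI provider path.
function Get-AmsiProviderInventory {
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $providersKey)) {
        Write-Warning "No AMSI provider key found at $providersKey"
        return
    }

    Get-ChildItem -Path $providersKey | ForEach-Object {
        $clsid = $_.PSChildName

        # Each AMSI provider is a COM class; the DLL that implements it is the
        # default value of the class's InprocServer32 subkey.
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -Path $inproc) {
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }

        # Authenticode signer lets an analyst tell a vendor's provider from an
        # unexpected one without executing anything.
        $signer = 'unresolved'
        if ($dll -and (Test-Path -Path $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $sig.Status }
        }

        [pscustomobject]@{
            CLSID  = $clsid
            Dll    = $dll
            Signer = $signer
        }
    }
}

# Capture a baseline to compare against when a tamper alert arrives.
Get-AmsiProviderInventory | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the endpoint; saving the output as a baseline lets you spot a new, removed or re-pointed provider entry when a tamper event names this registry area.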