EDR: Why Do I Still Receive Tamper Alerts When Tamper Protection is Not Enabled?

Article ID: 288275

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Tamper alerts are received from Windows sensors even though the sensor group has Tamper Protection disabled (Tamper Level set to None).

Environment

  • EDR Sensor: 7.2.2

Resolution

  • Even when the sensor group's Tamper Level is set to None, a small set of registry locations is still monitored: attempts to modify them are blocked and reported as tamper events.
  • To collect PowerShell events, the Windows sensor relies on the Microsoft Antimalware Scan Interface (AMSI).
  • The registry keys and values that this AMSI integration depends on are therefore protected unconditionally, as a best effort at preventing malicious tampering with PowerShell visibility.
  • Any attempt to modify those registry values is blocked, and a tamper event is sent to the EDR server.
  • The server consumes these events even though tamper protection is disabled for the sensor group; if the tamper feed is enabled, they are displayed as tamper alerts in the console.
  • This is expected behaviour, not a misconfiguration: setting the Tamper Level to None does not disable this protection.
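As an added example, not taken from this article or from Carbon Black's own tooling, the following read-only PowerShell snippet lists the AMSI providers registered on a host, the DLL each one resolves to, and the Authenticode status of that DLL. The article does not name the exact keys the sensor protects, so treating the standard AMSI provider registration paths (HKLM\SOFTWARE\Microsoft\AMSI\Providers and the matching CLSID entries) as the relevant locations is an assumption. Use it to see what an AMSI registration looks like and to correlate tamper events with writes to these paths; do not modify them, since the sensor is expected to block the write and raise a tamper event regardless of the Tamper Level.

```powershell
# Added example (not from the Carbon Black KB article): enumerate AMSI provider
# registrations so that tamper events can be correlated with writes to these
# registry locations. The paths below are the documented AMSI provider
# registration points; which of them the EDR sensor protects is an assumption,
# because the article does not list them. Read-only: nothing here writes to
# the registry.

$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

function Get-AmsiProvider {
    [CmdletBinding()]
    param()

    if (-not (Test-Path -Path $ProvidersKey)) {
        Write-Warning "No AMSI providers are registered under $ProvidersKey"
        return
    }

    foreach ($sub in Get-ChildItem -Path $ProvidersKey) {
        # Each provider is registered as a subkey named after its COM CLSID,
        # e.g. {2781761E-28E0-4109-99FE-B9D127C57AFE} for Windows Defender.
        $clsid    = $sub.PSChildName
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $inproc   = Join-Path -Path $clsidKey -ChildPath 'InprocServer32'

        # The CLSID key's default value is the friendly name; the InprocServer32
        # default value is the DLL that amsi.dll loads into every AMSI client
        # (PowerShell included). An attacker who can rewrite either entry can
        # silence script collection, which is why these keys matter.
        $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path $inproc   -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

        # An AMSI provider DLL that is missing, unsigned, or whose signature does
        # not verify deserves a closer look.
        $signature = if ($dll -and (Test-Path -Path $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            'DllNotFound'
        }

        [pscustomobject]@{
            CLSID       = $clsid
            Name        = $name
            Dll         = $dll
            Signature   = $signature
            ProviderKey = $sub.Name
            ClsidKey    = $clsidKey
        }
    }
}

# Print the current registrations; run in an elevated session for full visibility.
Get-AmsiProvider | Format-Table -AutoSize
```

If you want evidence of write attempts that is independent of the sensor, enable object-access auditing on the listed keys (a SACL on the key plus the Audit Registry subcategory) so that blocked modifications also appear as Windows Security event 4657 alongside the EDR tamper alert.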