Determine What Process is Triggering Tamper Protection

Article ID: 288536

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Agents are reporting Events in the Console similar to:

Agent tampering prevented (DOMAIN\PCNAME). Modification of 'c:\programdata\bit9\parity agent\parity.exe' by 'NT AUTHORITY\SYSTEM' was blocked because of tamper protection.
Modification (Change Value) of registry '\\?\globalroot\registry\machine\system\controlset001\services\parity\failureactionsonnoncrashfailures' by 'NT AUTHORITY\SYSTEM' was blocked because of Tamper Protection.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Cause

An application is attempting to scan or modify one or more files/folders that the Agent relies upon. The Agent uses Tamper Protection to protect against unauthorized modification of these files.

Resolution

Determine what process is triggering these Events and add the necessary exclusions to that product:

  1. Log in to the Console and navigate to Reports > Events and apply the following:
    • Saved Views: (none)
    • Filters:
      • Subtype > is: Tamper Protection
      • Source > is: <Relevant Computer>
      • Apply
    • Columns:
      • Process
      • Process Name
      • Apply
    • Adjust the Max Age accordingly.
  2. Add the Agent Exclusions to the product(s) that are triggering Tamper Protection.

If the Events persist, the relevant third-party vendor may need to be contacted to determine how to properly exclude the Agent from their scanner.
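
When many Events are involved, the grouping from step 1 can also be done offline. The following is an added example, not part of the original article or the product: it parses the two message forms quoted above and ranks the triggering processes. It assumes the filtered Events were saved as CSV with "Process" and "Description" columns; the column names, process paths and the non-tamper row are constructed.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Matches both message forms quoted in the article (file and registry).
TAMPER_RE = re.compile(
    r"Modification(?: \((?P<op>[^)]+)\))? of (?P<registry>registry )?"
    r"'(?P<target>[^']+)' by '(?P<user>[^']+)' "
    r"was blocked because of tamper protection",
    re.IGNORECASE,
)

# Constructed sample export. Column names and process paths are assumptions.
SAMPLE_CSV = r'''Process,Description
c:\program files\exampleav\scanner.exe,"Agent tampering prevented (DOMAIN\PCNAME). Modification of 'c:\programdata\bit9\parity agent\parity.exe' by 'NT AUTHORITY\SYSTEM' was blocked because of tamper protection."
c:\program files\exampleav\scanner.exe,"Modification (Change Value) of registry '\\?\globalroot\registry\machine\system\controlset001\services\parity\failureactionsonnoncrashfailures' by 'NT AUTHORITY\SYSTEM' was blocked because of Tamper Protection."
c:\windows\system32\examplebackup.exe,"Agent tampering prevented (DOMAIN\PCNAME). Modification of 'c:\programdata\bit9\parity agent\parity.exe' by 'NT AUTHORITY\SYSTEM' was blocked because of tamper protection."
c:\windows\explorer.exe,"File 'c:\temp\setup.exe' was blocked."
'''

def parse_event(description):
    """Return kind, operation, target and user for a tamper event, else None."""
    m = TAMPER_RE.search(description)
    if m is None:
        return None
    return {
        "kind": "registry" if m.group("registry") else "file",
        "operation": m.group("op") or "unspecified",
        "target": m.group("target"),
        "user": m.group("user"),
    }

def summarize(csv_text):
    """Group tamper events by triggering process, most frequent first."""
    counts = Counter()
    targets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        event = parse_event(row["Description"])
        if event is None:
            continue  # not a Tamper Protection event
        proc = row["Process"].lower()
        counts[proc] += 1
        targets[proc].add((event["kind"], event["target"]))
    return [(p, n, sorted(targets[p])) for p, n in counts.most_common()]

if __name__ == "__main__":
    for proc, n, hits in summarize(SAMPLE_CSV):
        print(n, proc, hits)
```

The processes at the top of the output are the products that need the Agent Exclusions from step 2.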

Additional Information

  • Tamper Protection is designed to protect the Agent or Server from unauthorized modification.
  • Failure to add Agent Exclusions could lead to Unanalyzed Blocks or other instability issues.