Carbon Black Cloud: Are Sensor Tamper Protection Events Reported in the Console?
search cancel

Carbon Black Cloud: Are Sensor Tamper Protection Events Reported in the Console?

book

Article ID: 290397

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Are attempts to tamper with the Sensor (e.g. delete Sensor files, stop services, etc.) reported in the Console as Events or Alerts?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Supported Versions

Resolution

No, Tamper Protection is silently enforced and does not generate any Alerts or Events in the Console.

Additional Information

  • Alarms related to tamper attempts are stored locally by the Sensor in C:\ProgramData\CarbonBlack\Logs\SensorAlarms.log, though details are limited to the tampering process and target file.
  • Running third-party security applications (e.g. antivirus, real-time scanner, vulnerability scanner, etc.) concurrently with the Sensor without proper Exclusions can trigger Tamper Protection alarms and cause unexpected blocks or interoperability/performance issues.
Powered by Wolken Software