EDR: Why do Tamper Detection alerts trigger when opening Task Manager?
Article ID: 292491
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Why are alerts for Tamper Detection triggered when Task Manager is opened?
Environment
- EDR Console
- EDR Sensor: All Supported Versions
Resolution
This is expected behavior. Taskmgr.exe will scan all processes in detection mode and report an alert. This prevents anyone from getting access to cb.exe.
Additional Information
https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-Enable-Tamper-Detection/ta-p/92496
https://community.carbonblack.com/t5/Knowledge-Base/EDR-Server-Why-are-Sensor-Updates-Creating-Tamper-Detection/ta-p/70801
https://community.carbonblack.com/t5/Knowledge-Base/EDR-Server-Why-are-Sensor-Updates-Creating-Tamper-Detection/ta-p/70801
Feedback
Yes
No
Powered by
