Disable Tamper Protection On The Windows Sensor
search cancel

Disable Tamper Protection On The Windows Sensor

book

Article ID: 288009

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response) Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

To disable tamper protection on the Windows sensor

Environment

  • EDR Windows Sensor: 7.2 and higher
  • Windows 10 v1703 (Desktop) and higher
  • Windows Server 2016 v1709 (Windows build 15163) and higher

Resolution

Method 1 : Via The Console

  1. Log into the console
  2. Go to the sensors page
  3. Click the group that the sensor resides in
  4. Select the edit icon
  5. Expand the Advanced tab and find the "Tamper Override Password" 
  6. Click show to get the current. Also check for the history of passwords if this sensor has not connected since the last password change

Method 2: Via Admin CMD Prompt

  1. Open CMD as an Administrator
  2. Run the following command with the password obtained above
    C:\Windows\CarbonBlack\CbEDRCLI.exe <override password>