
Microsoft announced today that support for the Windows 10 Tamper Protection feature has been added to Microsoft Defender ATP Threat & Vulnerability Management, giving organizations additional information on which of their machines are exposed.
"Now, within the security recommendations section of Threat & Vulnerability Management (TVM), SecOps and security administrators can see a recommendation to turn on tamper protection and then be able to learn more about the recommendation and act on it," Microsoft says.
"This provides security teams greater visibility into how many machines don’t have this feature turned on, the ability to monitor changes over time, and a process to turn on the feature."
TVM was released in public preview in the Microsoft Defender ATP portal in April 2019. It gives admins and SecOps teams real-time endpoint detection and response (EDR) insights: machine vulnerability context during incident investigations, visibility into endpoint vulnerabilities, and built-in remediation processes.
Microsoft initially announced the addition of tamper protection to Microsoft Defender ATP for enterprise customers back in March 2019.
Tamper Protection is a Windows 10 security feature introduced in Version 1903 that prevents malware and threat actors from disabling or changing security settings designed to stop them from compromising devices or infiltrating a network.
Available to more Windows 10 home and enterprise users
The feature is now available in more Windows 10 versions including 1709, 1803, 1809, 1903, and 1909, the latest release.
While home users are allowed to toggle Tamper Protection via the "Virus & threat protection" tab in the Windows Security settings area, for enterprise users the feature can also be "managed centrally through the Intune management portal."
Enterprise users can enable Tamper Protection the same way home users do, but administrators on an org's security team can also toggle it on from Microsoft Intune in the Microsoft 365 Device Management portal.
With the help of Intune, organizations' SecOps teams and admins can enable Tamper Protection for the entire org, or based on device types or user groups by going to Device Configuration – Profiles > Create profile > Endpoint protection as shown below.

Blocks security bypasses
Being supported in Microsoft Defender ATP Threat & Vulnerability Management provides SecOps teams and administrators with an overview of the machines that have Tamper Protection turned on, the possibility to toggle it on where needed, and to keep a close eye on changes over time.
It is an understatement to say that Tamper Protection is an important tool for preventing security bypasses: security researchers have observed dangerous malware such as the TrickBot, GootKit, and Nodersok Trojans attempting to bypass Windows Defender to gain persistence on compromised devices.
With Tamper Protection enabled on a Windows 10 device, however, any attempt to change Windows Defender or Windows Security settings is automatically blocked or reset, thwarting malicious attempts to circumvent Windows' built-in security protection.
"To see tamper protection status from within TVM, go to the security recommendations page and search for tamper," Microsoft explains.
"In the list of results, you can select Turn on Tamper Protection. It opens up a flyout screen so you can learn more about it, and you can see an export option from the flyout screen to get the exposed device list."

Digging into tampering attempts
"Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected," Microsoft explains.
When an attacker (malware or a malicious local user) tries to tamper with Windows Security or Windows Defender settings on a system with Tamper Protection turned on, an alert is automatically raised in the organization's Microsoft Defender Security Center.
This allows security administrators to examine these incidents more closely to see what machines are potentially being targeted on the org's network and to take remediation measures if needed.
"Using endpoint detection and response and advanced hunting capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts," Microsoft adds.

To enable Tamper Protection for your organization you must have the appropriate permissions: be a global admin or security admin, or be assigned to your org's security operations team.
Your organization must also meet all of these requirements:
• Your organization must have Microsoft Defender ATP E5 (this is included in Microsoft 365 E5).
• Your organization uses Intune to manage devices (Intune licenses are required; this is included in Microsoft 365 E5).
• Your Windows machines must be running Windows 10 OS 1709, 1803, 1809 or later.
• You must be using Windows security with security intelligence updated to version 1.287.60.0 (or above).
• Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above).
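Before rolling the feature out through Intune, an administrator will usually want to confirm that individual endpoints actually meet the prerequisites above and to see whether Tamper Protection is already on. The script below is an added example written for this article; it is not Microsoft's code and not part of the original piece. It relies on the built-in Defender PowerShell module (Get-MpComputerStatus) and on the standard mapping of Windows 10 version 1709 to OS build 16299; the minimum versions it checks are the ones stated in the requirements list, with "1.1.15500.X" treated as 1.1.15500.0.

```powershell
# Added example (not from the article or from Microsoft): report whether this
# Windows 10 machine meets the Tamper Protection prerequisites listed above and
# whether the feature is currently on. Run from an elevated PowerShell prompt.
# Requires the built-in Defender module that provides Get-MpComputerStatus.

function Test-TamperProtectionReadiness {
    [CmdletBinding()]
    param(
        # Minimums as stated in the requirements list; 1.1.15500.X is treated as 1.1.15500.0.
        [version]$MinSignatureVersion = '1.287.60.0',
        [version]$MinPlatformVersion  = '4.18.1906.3',
        [version]$MinEngineVersion    = '1.1.15500.0',
        # Windows 10 1709 is OS build 16299; any newer build satisfies "1709, 1803, 1809 or later".
        [int]$MinOsBuild = 16299
    )

    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $status    = Get-MpComputerStatus
    $releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
                    -ErrorAction SilentlyContinue).ReleaseId

    # Each prerequisite as a named boolean so failures can be listed individually.
    $checks = [ordered]@{
        "OS build >= $MinOsBuild (1709)"                 = ([int]$os.BuildNumber -ge $MinOsBuild)
        "Security intelligence >= $MinSignatureVersion" = ([version]$status.AntivirusSignatureVersion -ge $MinSignatureVersion)
        "Anti-malware platform >= $MinPlatformVersion"   = ([version]$status.AMProductVersion -ge $MinPlatformVersion)
        "Anti-malware engine >= $MinEngineVersion"       = ([version]$status.AMEngineVersion -ge $MinEngineVersion)
    }

    # IsTamperProtected is only exposed by platform versions that know about the
    # feature; treat a missing property as "not reported" rather than as "off".
    $tpProp          = $status.PSObject.Properties['IsTamperProtected']
    $tamperProtected = if ($tpProp) { [bool]$tpProp.Value } else { $null }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        WindowsRelease     = $releaseId
        OsBuild            = $os.BuildNumber
        SignatureVersion   = $status.AntivirusSignatureVersion
        PlatformVersion    = $status.AMProductVersion
        EngineVersion      = $status.AMEngineVersion
        MeetsPrerequisites = -not (@($checks.Values) -contains $false)
        FailedChecks       = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
        IsTamperProtected  = $tamperProtected
    }
}

# Usage: run locally and compare against the exposed-device list exported from TVM.
Test-TamperProtectionReadiness | Format-List
```

A machine that reports MeetsPrerequisites as True but IsTamperProtected as False is exactly the case the TVM "Turn on Tamper Protection" recommendation is meant to surface; a machine with FailedChecks populated needs its platform, engine or security intelligence updated before the Intune profile will take effect.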