Microsoft releases Tamper Protection for Windows Defender

The new feature 'locks down' the antivirus, preventing malware from making changes to core settings

Microsoft's Tamper Protection feature for Windows Defender is now generally available for enterprise and consumers after a pre-release in May 2019's Windows 1903.

The feature aims to prevent malware from altering the settings in Windows Defender that could make a system more vulnerable to attacks, such as disabling behaviour monitoring.

It will also prevent malware from disabling virus and threat protection, cloud-delivered protection, real-time protection and prevent the removal of security intelligence updates.

Traditionally, these kinds of actions could be completed through methods such as registry editing, PowerShell commands, and through group policies.

Microsoft said that a lack of visibility when it comes to tampering attempts can make it difficult to spot and mitigate threats, so an automatic way of securing against harmful methods will further protect Microsoft Defender ATP customers.

Tamper Protection will be enabled by default for Windows Home users, and the rollout will be delivered in stages.

Enterprise system administrators must use Microsoft Intune to enable it across an organisation's computer suite. The company says this is done for security reasons - no other method of changing Defender such as group policy or registry key can be used.

"When an administrator enables the policy in Microsoft Intune, the tamper protection policy is digitally signed in the backend before it's sent to endpoints," said Microsoft. "The endpoint verifies the validity and intent, establishing that it is a signed package that only security operations personnel with Microsoft Intune admin rights can control.

"With the right level of reporting, security operations teams are empowered to detect any irregularities."

When something malicious attempts to change the settings in Windows Defender, a threat alert will be sent to enterprise customers' Microsoft Defender ATP security centre for further analysis.

"Tamper protection is a critical feature for us as we need to defend Microsoft Defender ATP to ensure that malicious actions are not going around our security platforms," said Rich Lilly, partner/associate director at Netrixllc.

"While complex behind the scenes, Microsoft has made it extremely easy for us to configure and deploy through Microsoft Intune and allow our SecOps team visibility into any potential tampering events so we can further investigate and remediate."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Recommended

How to encrypt files and folders in Windows 10
encryption

How to encrypt files and folders in Windows 10

9 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Evidence suggests REvil behind Harris Federation ransomware attack
ransomware

Evidence suggests REvil behind Harris Federation ransomware attack

9 Apr 2021
Fujitsu taps Trend Micro to secure private 5G networks in smart factories
5G

Fujitsu taps Trend Micro to secure private 5G networks in smart factories

8 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021