App Control: Determine What Process is Triggering Tamper Protection

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Symptoms

Events in the Console similar to:
Agent tampering prevented (DOMAIN\PCNAME). Modification of 'c:\programdata\bit9\parity agent\cache.chk-journal' by 'NT AUTHORITY\SYSTEM' was blocked because of tamper protection.

Cause

An application is attempting to scan or modify one or more files/folders that the Agent relies upon. The Agent uses Tamper Protection to protect against unauthorized modification of these files.

Resolution

Determine what process is triggering these Events and add the necessary exclusions to that product:

  1. Log in to the Console and navigate to Reports > Events:
    • Click Show Filters > Subtype > is: Tamper Protection > Apply.
    • Click Show Columns > Process > Apply.
    • Adjust the Max Age accordingly.
  2. Add the Agent Exclusions to the product(s) that are triggering Tamper Protection.
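When there are too many events to read in the Console, the following added example (not part of the original article or of the vendor's tooling) ranks processes by how many tamper protection events they caused, assuming the filtered events are available as CSV text. The column names `Process` and `Description` and the sample rows are assumptions constructed for illustration; only the event text format and the `cache.chk-journal` path come from the article.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Event text format as shown under Symptoms in the article.
TAMPER_RE = re.compile(
    r"Modification of '(?P<target>[^']+)' by '(?P<user>[^']+)' "
    r"was blocked because of tamper protection", re.IGNORECASE)

# Constructed sample export. Column names and process paths are assumptions.
SAMPLE_CSV = r"""Process,Description
c:\program files\examplebackup\agent.exe,"Agent tampering prevented (DOMAIN\PCNAME). Modification of 'c:\programdata\bit9\parity agent\cache.chk-journal' by 'NT AUTHORITY\SYSTEM' was blocked because of tamper protection."
C:\Program Files\ExampleBackup\Agent.exe,"Agent tampering prevented (DOMAIN\PCNAME). Modification of 'c:\programdata\bit9\parity agent\cache.chk-journal' by 'NT AUTHORITY\SYSTEM' was blocked because of tamper protection."
c:\program files\examplescanner\scan.exe,"Agent tampering prevented (DOMAIN\PCNAME). Modification of 'c:\programdata\bit9\parity agent\cache.chk-journal' by 'NT AUTHORITY\SYSTEM' was blocked because of tamper protection."
c:\example\other.exe,"Constructed event text that is not a tamper protection event."
,"Agent tampering prevented (DOMAIN\PCNAME). Modification of 'c:\programdata\bit9\parity agent\cache.chk-journal' by 'NT AUTHORITY\SYSTEM' was blocked because of tamper protection."
"""


def summarize(csv_text):
    """Return {process: Counter(target file -> count)} for tamper events only."""
    by_process = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = TAMPER_RE.search(row.get("Description") or "")
        if not match:
            continue  # skip events of any other kind
        # Windows paths are case-insensitive, so normalise before counting.
        process = (row.get("Process") or "").strip().lower() or "<unknown>"
        by_process[process][match.group("target").lower()] += 1
    return by_process


def ranked(by_process):
    """List (process, blocked modifications), highest count first."""
    totals = ((proc, sum(files.values())) for proc, files in by_process.items())
    return sorted(totals, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for process, count in ranked(summarize(SAMPLE_CSV)):
        print(f"{count:5d}  {process}")
```

Rows that land under `<unknown>` had no process recorded and need to be checked in the Console directly.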

Additional Notes

Failure to add Agent Exclusions could lead to Unanalyzed Blocks or other instability issues.

Creation Date: 09-09-2020