logo

Knowledge Base

Access official resources from Carbon Black experts

Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: How to Disable/Enable Tamper Protection

App Control: How to Disable/Enable Tamper Protection

Environment

  • App Control 7.x and Higher

Objective

To disable tamper protection on agent(s).

Resolution

Disabling Tamper Protection will allow the uninstall of our agent and/or tampering of our files- causing our agent to not function properly. Always confirm tamper protection is re-enabled

To disable/enable tamper protection on a single agent using the console:

  1. Navigate to Assets>Computers.
  2. Click the  "View Details" button next to the computer in question
  3. On the right hand side under the "Advanced" section, Click "Disable Tamper Protection"
  4. To re-enable navigate to the same location and choose "Enable Tamper Protection"

To disable tamper protection on a single agent using CMD:

  1. Open an admin CMD prompt
  2. Navigate to the parity agent directory (usually c:\program files (x86)\bit9\parity agent)
  3. Type the below commands: 
dascli password InsertCliPasswordHere

dascli tamperprotect 0 

-- To re-enable type:

dascli tamperprotect 1

To disable tamper protection on a specific policy (Version 8.x only):

  1. Navigate to https://YourAppControlServerName/agent_config.php
  2. Add a Filter to the View for > Value > contains > disable_self_protect=
  3. Edit this Config to enable it, by changing the value from disable_self_protect=0 to disable_self_protect=1
  4. Use the below fields:
    • Property Name: Leave Default
    • Host Id (0 For All): 0 (Only 1 Host ID may be entered if choosing a specific device, otherwise All (0) should be used)
    • Value: disable_self_protect=1  *ensure that there are no spaces before or after the value that is typed*
    • Macros: Leave blank
    • Platforms: Leave default
    • Status: Enabled
    • Create for: Selected Policies> Choose policy or policies required
  5. To re-enable tamper protection, disable or delete the above agent config. Changing the value to disable_self_protect=0 will also work.

To disable tamper protection on all agents:

  1. Navigate to https://YourAppControlServerName/support.php
  2. Go to the "Advanced Configuration" tab
  3. Under "Agent Configuration" select the box next to "Disable Tamper Protection"
  4. Click "Update" at the bottom of the page
  5. To re-enable tamper protection un-check the box and click "Update" again.

Additional Notes

  • Tamper protection blocks attempts to write to the App Control application directory or change App Control Agent files on client computers.
  • There is a default policy that has the settings of "disable_self_protect=0". Ensure this agent config is disabled, or it will override any custom agent configs as described above.

Related Content


Labels (1)
Labels:
Was this article helpful? Yes No
100% helpful (2/2)
Article Information
Author:
ncozad
Creation Date:
‎07-16-2018
Views:
9810
Contributors
logo