App Control: How to Disable/Enable Tamper Protection

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Objective

To enable/disable Tamper Protection on the App Control Agent(s).

Resolution

Disabling Tamper Protection allows modification of the folders and files the Agent relies upon, and allows the Agent to be disabled or even uninstalled. Tamper Protection should only be disabled temporarily. Always verify that Tamper Protection is re-enabled afterwards.

To manage Tamper Protection on all Agents (Global):

  1. Navigate to https://YourAppControlServerName/support.php
  2. Go to the "Advanced Configuration" tab
  3. Under "Agent Configuration" select the box next to "Disable Tamper Protection"
  4. Click "Update" at the bottom of the page
  5. To re-enable tamper protection un-check the box and click "Update" again.

To manage Tamper Protection on a specific Policy:

  1. Navigate to https://YourAppControlServerName/agent_config.php
  2. Add a Filter to the View for > Value > contains > disable_self_protect=
  3. Edit this Config to enable it, by changing the value from disable_self_protect=0 to disable_self_protect=1
  4. Use the below fields:
    • Property Name: Leave Default
    • Host Id (0 For All): 0 (Only 1 Host ID may be entered if choosing a specific device, otherwise All (0) should be used)
    • Value: disable_self_protect=1  *ensure that there are no spaces before or after the value that is typed*
    • Macros: Leave blank
    • Platforms: Leave default
    • Status: Enabled
    • Create for: Selected Policies > relevant Policies
  5. To re-enable Tamper Protection, disable or delete the above Agent Config. Changing the value to disable_self_protect=0 will also work.

To manage Tamper Protection on a single Agent using the Console:

  1. Navigate to Assets > Computers > relevant Computer.
  2. On the Computer Details page > right-hand side > Advanced > Disable Tamper Protection.
  3. To re-enable: navigate to the same location and choose "Enable Tamper Protection"

To manage Tamper Protection on a single Windows Agent, using the command prompt:

  1. Open a command prompt and issue the following commands:
    cd "C:\Program Files (x86)\Bit9\Parity Agent\"
    dascli password GlobalCLIPassword
    dascli tamperprotect 0
    
    -- To re-enable, authenticate with the Agent and use the command:
    dascli tamperprotect 1

To manage Tamper Protection on a single macOS Agent, using Terminal:

  1. Open a Terminal window and issue the following commands:
    cd /Applications/Bit9/tools
    ./b9cli --password GlobalCLIPassword
    ./b9cli --tamperprotect 0
    
    -- To re-enable, authenticate with the Agent and use the command:
    ./b9cli --tamperprotect 1

To manage Tamper Protection on a single Linux Agent, using Terminal:

  1. Open a Terminal window and issue the following commands:
    cd /opt/bit9/bin
    ./b9cli --password GlobalCLIPassword
    ./b9cli --tamperprotect 0
    
    -- To re-enable, authenticate with the Agent and use the command:
    ./b9cli --tamperprotect 1
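
The Linux steps above, wrapped so that Tamper Protection is re-enabled even when the maintenance command fails or is interrupted. This is an added example, not vendor code; `B9CLI_DIR` and `B9_CLI_PASSWORD` are variable names assumed for the example, while the `b9cli` path and flags are the ones shown in this article.

```shell
#!/bin/sh
# Added example (not vendor code): run one maintenance command with Tamper
# Protection disabled and always re-enable it afterwards.
# Assumptions: B9CLI_DIR and B9_CLI_PASSWORD are names chosen for this example;
# the b9cli path and flags are the ones shown in the Linux steps above.

B9CLI_DIR="${B9CLI_DIR:-/opt/bit9/bin}"

b9() {
    # Run b9cli from its own directory, as the article does.
    # Note: the password is passed as an argument (the article's form), so it
    # is visible in the process list while b9cli runs.
    ( cd "$B9CLI_DIR" && ./b9cli "$@" )
}

reenable_tamper_protection() {
    # The article requires authenticating again before re-enabling.
    b9 --password "$B9_CLI_PASSWORD" && b9 --tamperprotect 1
}

with_tamper_protection_off() {
    if [ -z "${B9_CLI_PASSWORD:-}" ] || [ "$#" -eq 0 ]; then
        echo "usage: B9_CLI_PASSWORD=... with_tamper_protection_off CMD [ARGS]" >&2
        return 2
    fi
    # Authenticate, then disable. Stop here if either step fails.
    b9 --password "$B9_CLI_PASSWORD" || return 1
    b9 --tamperprotect 0 || return 1
    (
        # EXIT fires on success, failure, and (via the second trap) on
        # Ctrl-C or TERM, so protection is restored in every case.
        trap 'reenable_tamper_protection || {
                  echo "WARNING: Tamper Protection was NOT re-enabled" >&2
                  exit 3
              }' EXIT
        trap 'exit 130' INT TERM
        "$@"
        exit "$?"
    )
}
```

Source the file and call `with_tamper_protection_off` followed by the maintenance command; the function returns that command's exit status, or 3 if re-enabling failed. On macOS, set `B9CLI_DIR=/Applications/Bit9/tools`.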

Additional Notes

  • Tamper Protection is designed to prevent unauthorized modification to the Agent or the directories & files it relies upon.
  • By default the Agent is configured to use the Agent Config, "disable_self_protect=0".
  • Policy settings override Global settings, Agent settings override Policy settings. This means if Tamper Protection is enabled for the Policy but disabled Globally, the Agent will honor the Policy setting.

Article Information

Creation Date: 07-16-2018