Environment
- App Control Agent: All Supported Versions
- App Control Console: All Supported Versions
Symptoms
- Tamper Protection not being enforced
- Able to stop/disable the App Control service
- Able to modify App Control files
Cause
- Tamper Protection being disabled
- Agent configurations disabling tamper protection
- Custom rules bypassing tamper protection
Resolution
There are multiple ways that Tamper Protection can be disabled or weakened. Global Settings can be overridden by per-Policy settings, which can be overridden by per-Agent settings. To determine which combination of settings may be interfering with Tamper Protection:
- Log in to the Console and navigate to /support.php > Advanced Configuration:
- Verify Enable Agent Uninstall is unchecked.
- Verify Disable Tamper Protection is unchecked.
- Open a command prompt and issue the following commands to check for weakened Tamper Protection:
cd "C:\Program Files (x86)\Bit9\Parity Agent"
dascli password GlobalPassword
dascli configprops filter *allow_u*
- If allow_uninstall=1 is returned:
- Verify the Enable Agent Uninstall option is unchecked in Step 1.
- Verify an existing Agent Config for allow_uninstall=1 does not exist.
- If allow_upgrade=1 is returned:
- Issue the following commands to check for disabled Tamper Protection:
dascli password GlobalPassword
dascli configprops filter *disable_self*
- If disable_self_protect=1 is returned:
- After completing any/all changes, verify the Agent shows as Connected & Up to Date in Assets > Computers.
If the issue persists please open a case with Support and provide the
Agent Historical Logs from a machine.
Additional Notes
- An Agent Config ending with =0 indicates the configuration is disabled.
- An Agent Config ending with =1 indicates the configuration is enabled.
Related Content
