Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: 3.3.3.35 and Higher
- Apple macOS: All Supported Versions
Question
What do the different Tamper Behavior items reported by the Mac Sensors mean?
Answer
Tamper Behavior | Attempted Activity |
---|---|
“TamperBehavior1” | Attempt to disable the sensor services with launchd |
“TamperBehavior2” | Attempt to disable / unload the KEXT driver |
“TamperBehavior3” | Attempt to terminate / kill sensor processes |
“TamperBehavior4” | Attempt at in-memory attacks / memory scraping / code injection |
“TamperBehavior11” | Attempt to modify / delete sensor files |
Additional Notes
Other tamper protection violations will be blocked, but are not currently reported to the Console. This may change in future Sensor versions.