Environment
- EDR Windows Sensor: 7.2 and higher
- Windows 10 v1703 (Desktop) and higher
- Windows Server 2016 v1709 (Windows build 15163) and higher
Objective
How to disable tamper protection locally on the Windows sensor
Resolution
Console
- Log into the console
- Go to the sensors page
- Click the group that the sensor resides in
- Select the edit icon
- Expand the Advanced tab and find the "Tamper Overrride Password"
- Click show to get the current. Also check for the history of passwords if this sensor has not connected since the last password change
Sensor Side
- Open CMD as an Administrator
- Run the following command with the password obtained above
C:\Windows\CarbonBlack\CbEDRCLI.exe <override_password>
Related Content