Environment
- EDR Server: All Supported Versions
Objective
How is Tamper Detection or Tamper Protection enabled within EDR.
Resolution
- To enable Tamper Detection or Tamper Protection
- Login to the EDR Console with a user having an Analyst role or greater.
- Enable 'Tamper Detection' or 'Tamper Protection' within the Sensor Group > Settings > Advanced > Tamper Protection Level.
- For Global Tamper Alerts enable the Cb Tamper Detection feed.
Note: The Cb Tamper Detection feed alerts on all sensor groups regardless of Tamper settings.
- For Tamper alerts per sensor group.
- Disable the Cb Tamper Detection feed.
- Create watchlist for specific sensor groups - example below:
Additional Notes
- Tamper Protection prevents users, or local admins, from:
* Starting/stopping the CB Windows sensor services
* Modifying the C:\Windows\CarbonBlack files; Users have no access
* Modifying C:\Windows\system32\drivers\cbk7.sys and cbstream.sys
* Modifying C:\Program Files (x86)\CarbonBlack\CbEDRAMSI.dll
* Modifying C:\Program Files\CarbonBlack\CbEDRAMSI.dll
* Modifying CarbonBlack registry keys
- “Tamper Protection” can be turned on / off via server UI.
- “Tamper Protection” can be turned on / off directly from the endpoint should the CB EDR Windows sensor lose comms with the server ("CbEDRCLI.exe")
Related Content
