
EDR: Why Do I Still Receive Tamper Alerts When Tamper Protection is Not Enabled?

Environment

  • EDR Sensor: 7.2.2

Question

Why are tamper alerts still received when Tamper Protection is not enabled (Tamper Level set to None)?

Answer

  • Even when the sensor group's Tamper Level is set to None, a small set of registry locations is still monitored; attempts to change them are blocked and reported as tamper events.
  • To implement PowerShell event collection, the Windows sensor relies on Microsoft AMSI (Antimalware Scan Interface).
  • Because that integration depends on specific registry keys and values, those keys and values are protected unconditionally, as a best effort at preventing malicious tampering with PowerShell visibility.
  • Any attempt to modify these registry values is blocked, and a tamper event is sent to the server.
  • The server consumes these events even when the sensor group is configured with tamper protection disabled; if the tamper feed is enabled, they are rendered as ordinary tamper alerts.
  • A tamper alert on a group with Tamper Level None therefore reflects a real, blocked attempt to modify a protected AMSI-related registry location and should be investigated like any other tamper event. Disabling the tamper feed only suppresses the display of these alerts; the blocking itself is unconditional.
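The article does not name the registry keys the sensor protects, so the following added example (not part of the article or of the sensor's own code) does not try to identify them. It instead shows where Windows registers AMSI providers in general, so an administrator can confirm which AMSI providers, including the EDR sensor's, are present on a host and which DLL each resolves to. The registry locations used are Microsoft's documented AMSI provider registration (a CLSID subkey under `HKLM:\SOFTWARE\Microsoft\AMSI\Providers`, with the COM class under `HKLM:\SOFTWARE\Classes\CLSID`); run it from a 64-bit PowerShell session.

```powershell
# Added example: enumerate registered AMSI providers and resolve each to its DLL.
# Not from the Carbon Black article; it does not list the keys the sensor protects.
# AMSI providers register a CLSID subkey under HKLM\SOFTWARE\Microsoft\AMSI\Providers;
# the COM server for that CLSID is recorded under HKLM\SOFTWARE\Classes\CLSID\<clsid>.
function Get-AmsiProvider {
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

    if (-not (Test-Path $providersKey)) {
        Write-Warning "No AMSI provider key found at $providersKey"
        return
    }

    Get-ChildItem -Path $providersKey | ForEach-Object {
        $clsid    = $_.PSChildName
        $classKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $inproc   = Join-Path $classKey 'InprocServer32'

        # The default value of a key is exposed by Get-ItemProperty as "(default)".
        $name = (Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path $inproc   -ErrorAction SilentlyContinue).'(default)'

        # InprocServer32 paths may contain environment variables such as %SystemRoot%.
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

        # Check the provider DLL's Authenticode status so an unsigned or missing
        # provider stands out when reviewing a host.
        $signature = if ($dll -and (Test-Path $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            'DLL not found'
        }

        [pscustomobject]@{
            CLSID     = $clsid
            Name      = $name
            Dll       = $dll
            Signature = $signature
        }
    }
}

Get-AmsiProvider | Format-Table -AutoSize
```

If the sensor's AMSI provider is missing from this list, or its DLL no longer resolves or is unsigned, that is worth correlating with the tamper events the server received for the host; the article's point is that writes to the sensor's AMSI-related registry locations are blocked and reported regardless of the group's Tamper Level.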

Article Information
Creation Date: 08-01-2023