Version

Bit9 Agent 7.0.1 and higher.

Topic

This document provides information on what triggers tamper protection events on Mac systems.

Q/A

Question

On a Mac system, what can trigger the default tamper protection events?

Answer

There are a number of items that can trigger tamper protection; any attempt to modify a Bit9 file (binary, plist file or anything in the Bit9 data directory), any ptrace of the b9daemon or any attempt to kill the daemon, any attempt to remove a Bit9 file, and any attempt to rename a Bit9 file.

There are also a few fringe cases where we will block requests for permission. I.E. process Z asks for permission to perform action X on Bit9 file Y, even if process Z had no intention of performing action X.