Tamper Protection for Exclusions in Defender
One thing threat actors commonly do after getting a foothold on a device is to try to disable the Defender services and add exclusions for the tools they plan to execute.
For the Defender services we have had Tamper Protection for some time, but until now it did not cover exclusions.

Requirements
For Tamper Protection to cover exclusions, the following requirements must be met:
- Devices are running Windows Defender platform 4.18.2211.5 or later. Use Advanced Hunting or the following report to see the platform version status: https://security.microsoft.com/devicehealth?viewid=oldavhealthreport
- DisableLocalAdminMerge is enabled
- Tamper protection is deployed through Intune, and devices are managed by Intune only
- Microsoft Defender Antivirus exclusions are managed in Microsoft Intune
- Functionality to protect Microsoft Defender Antivirus exclusions is enabled on devices

Verifying and troubleshooting
The registry value TPExclusions in the HKLM\SOFTWARE\Microsoft\Windows Defender\Features key shows 1 if exclusions are protected and 0 if they are not. Please note that you cannot change this registry value to protect the exclusions; it is informational only, not a configuration setting.
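To check the prerequisites above and the TPExclusions state on a single device, here is an added PowerShell example (not from the original post). It reads the platform version and tamper protection state from Get-MpComputerStatus, and the DisableLocalAdminMerge policy value from the Group Policy and Intune policy registry locations; those two policy paths are assumptions, as is the presence of the TamperProtectionSource property, which only newer Defender builds expose. For a fleet-wide view, the device health report or Advanced Hunting mentioned above is the better source.

```powershell
# Added example (not from the original post): local check of the requirements for
# Tamper Protection covering Defender exclusions. Run in an elevated PowerShell.
# TPExclusions is read here for information only; it cannot be set to enable protection.

$minPlatform = [version]'4.18.2211.5'
$status      = Get-MpComputerStatus

$results = [ordered]@{}
$results['Platform >= 4.18.2211.5']  = ([version]$status.AMProductVersion -ge $minPlatform)
$results['Tamper Protection enabled'] = [bool]$status.IsTamperProtected

# TamperProtectionSource (e.g. Intune) is an assumption: not every build exposes it
if ($status.PSObject.Properties['TamperProtectionSource']) {
    $results['Tamper Protection source'] = $status.TamperProtectionSource
}

# DisableLocalAdminMerge: assumed policy locations written by GPO and by Intune (MDM)
$dlam = $null
foreach ($path in @('HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
                    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender')) {
    $v = Get-ItemProperty -Path $path -Name DisableLocalAdminMerge -ErrorAction SilentlyContinue
    if ($null -ne $v) { $dlam = [int]$v.DisableLocalAdminMerge; break }
}
$results['DisableLocalAdminMerge = 1'] = ($dlam -eq 1)

# TPExclusions: 1 = exclusions protected, 0 = not protected (informational value)
$tp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' `
                       -Name TPExclusions -ErrorAction SilentlyContinue
$results['Exclusions protected (TPExclusions = 1)'] = ($null -ne $tp -and $tp.TPExclusions -eq 1)

# Print a simple OK / MISSING table; non-boolean entries are printed as-is
$results.GetEnumerator() | ForEach-Object {
    $shown = if ($_.Value -is [bool]) { if ($_.Value) { 'OK' } else { 'MISSING' } } else { $_.Value }
    '{0,-42} {1}' -f $_.Key, $shown
}
```

If the platform version or DisableLocalAdminMerge lines show MISSING, TPExclusions will stay at 0 regardless of the Intune tamper protection setting, so fix those first and re-run the check after the next policy sync.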
While we are talking about Antivirus policies…
We would like to share this as well, since it is something we see when doing Defender assessments; unfortunately, it is very common that these settings are wrong.
And for
Happy Hunting!